@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (594)
  1. package/.well-known/ai-compliance.json +16 -0
  2. package/COMPLIANCE.md +64 -0
  3. package/data/data-integrity.test.ts +75 -0
  4. package/data/eval/eval-mappings.json +33 -0
  5. package/data/llm/model-pricing.json +15 -0
  6. package/data/llm/model-routing.json +36 -0
  7. package/data/onboarding/risk-profile.json +17 -0
  8. package/data/regulations/eu-ai-act/README.md +245 -0
  9. package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
  10. package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
  11. package/data/regulations/eu-ai-act/localization.json +186 -0
  12. package/data/regulations/eu-ai-act/obligations.json +3981 -0
  13. package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
  14. package/data/regulations/eu-ai-act/scoring.json +342 -0
  15. package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
  16. package/data/regulations/eu-ai-act/timeline.json +160 -0
  17. package/data/regulations/jurisdictions/at.json +15 -0
  18. package/data/regulations/jurisdictions/be.json +15 -0
  19. package/data/regulations/jurisdictions/bg.json +15 -0
  20. package/data/regulations/jurisdictions/cy.json +15 -0
  21. package/data/regulations/jurisdictions/cz.json +15 -0
  22. package/data/regulations/jurisdictions/de.json +15 -0
  23. package/data/regulations/jurisdictions/dk.json +15 -0
  24. package/data/regulations/jurisdictions/ee.json +15 -0
  25. package/data/regulations/jurisdictions/es.json +15 -0
  26. package/data/regulations/jurisdictions/fi.json +15 -0
  27. package/data/regulations/jurisdictions/fr.json +15 -0
  28. package/data/regulations/jurisdictions/gr.json +15 -0
  29. package/data/regulations/jurisdictions/hr.json +15 -0
  30. package/data/regulations/jurisdictions/hu.json +15 -0
  31. package/data/regulations/jurisdictions/ie.json +15 -0
  32. package/data/regulations/jurisdictions/is.json +15 -0
  33. package/data/regulations/jurisdictions/it.json +15 -0
  34. package/data/regulations/jurisdictions/li.json +15 -0
  35. package/data/regulations/jurisdictions/lt.json +15 -0
  36. package/data/regulations/jurisdictions/lu.json +15 -0
  37. package/data/regulations/jurisdictions/lv.json +15 -0
  38. package/data/regulations/jurisdictions/mt.json +15 -0
  39. package/data/regulations/jurisdictions/nl.json +15 -0
  40. package/data/regulations/jurisdictions/no.json +15 -0
  41. package/data/regulations/jurisdictions/pl.json +15 -0
  42. package/data/regulations/jurisdictions/pt.json +15 -0
  43. package/data/regulations/jurisdictions/ro.json +15 -0
  44. package/data/regulations/jurisdictions/se.json +15 -0
  45. package/data/regulations/jurisdictions/si.json +15 -0
  46. package/data/regulations/jurisdictions/sk.json +15 -0
  47. package/data/scanner/check-id-categories.json +81 -0
  48. package/data/scanner/confidence-params.json +16 -0
  49. package/data/scanner/limits.json +4 -0
  50. package/data/schemas/http-contract-sample.json +79 -0
  51. package/data/schemas/http-contract.json +144 -0
  52. package/data/semgrep-rules/bare-call.yaml +37 -0
  53. package/data/semgrep-rules/injection.yaml +73 -0
  54. package/data/semgrep-rules/missing-error-handling.yaml +58 -0
  55. package/data/semgrep-rules/unsafe-deser.yaml +65 -0
  56. package/data/templates/eu-ai-act/ai-literacy.md +184 -0
  57. package/data/templates/eu-ai-act/art5-screening.md +131 -0
  58. package/data/templates/eu-ai-act/data-governance.md +145 -0
  59. package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
  60. package/data/templates/eu-ai-act/fria.md +127 -0
  61. package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
  62. package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
  63. package/data/templates/eu-ai-act/incident-report.md +188 -0
  64. package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
  65. package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
  66. package/data/templates/eu-ai-act/qms.md +180 -0
  67. package/data/templates/eu-ai-act/risk-management-system.md +123 -0
  68. package/data/templates/eu-ai-act/technical-documentation.md +287 -0
  69. package/data/templates/eu-ai-act/worker-notification.md +143 -0
  70. package/data/templates/policies/biometrics-ai-policy.md +214 -0
  71. package/data/templates/policies/critical-infra-ai-policy.md +228 -0
  72. package/data/templates/policies/education-ai-policy.md +184 -0
  73. package/data/templates/policies/finance-ai-policy.md +191 -0
  74. package/data/templates/policies/healthcare-ai-policy.md +197 -0
  75. package/data/templates/policies/hr-ai-policy.md +178 -0
  76. package/data/templates/policies/legal-ai-policy.md +189 -0
  77. package/data/templates/policies/migration-ai-policy.md +239 -0
  78. package/engine.log +7 -0
  79. package/package.json +74 -0
  80. package/src/composition-root.ts +791 -0
  81. package/src/data/eval/conformity-tests.test.ts +122 -0
  82. package/src/data/eval/ct-1-transparency.ts +106 -0
  83. package/src/data/eval/ct-10-gpai.ts +25 -0
  84. package/src/data/eval/ct-11-industry.ts +42 -0
  85. package/src/data/eval/ct-2-oversight.ts +41 -0
  86. package/src/data/eval/ct-3-explanation.ts +14 -0
  87. package/src/data/eval/ct-4-bias.ts +83 -0
  88. package/src/data/eval/ct-5-accuracy.ts +41 -0
  89. package/src/data/eval/ct-6-robustness.ts +81 -0
  90. package/src/data/eval/ct-7-prohibited.ts +52 -0
  91. package/src/data/eval/ct-8-logging.ts +68 -0
  92. package/src/data/eval/ct-9-risk-awareness.ts +33 -0
  93. package/src/data/eval/deterministic-evaluator.ts +120 -0
  94. package/src/data/eval/index.ts +55 -0
  95. package/src/data/eval/judge-prompts.ts +146 -0
  96. package/src/data/eval/llm-judged-tests.ts +279 -0
  97. package/src/data/eval/llm-tests.test.ts +83 -0
  98. package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
  99. package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
  100. package/src/data/eval/remediation/ct-11-industry.ts +94 -0
  101. package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
  102. package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
  103. package/src/data/eval/remediation/ct-4-bias.ts +70 -0
  104. package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
  105. package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
  106. package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
  107. package/src/data/eval/remediation/ct-8-logging.ts +94 -0
  108. package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
  109. package/src/data/eval/remediation/index.ts +89 -0
  110. package/src/data/eval/remediation/owasp-art5.ts +15 -0
  111. package/src/data/eval/remediation/owasp-llm01.ts +72 -0
  112. package/src/data/eval/remediation/owasp-llm02.ts +72 -0
  113. package/src/data/eval/remediation/owasp-llm03.ts +15 -0
  114. package/src/data/eval/remediation/owasp-llm04.ts +15 -0
  115. package/src/data/eval/remediation/owasp-llm05.ts +15 -0
  116. package/src/data/eval/remediation/owasp-llm06.ts +15 -0
  117. package/src/data/eval/remediation/owasp-llm07.ts +15 -0
  118. package/src/data/eval/remediation/owasp-llm08.ts +15 -0
  119. package/src/data/eval/remediation/owasp-llm09.ts +15 -0
  120. package/src/data/eval/remediation/owasp-llm10.ts +15 -0
  121. package/src/data/eval/remediation/remediation.test.ts +229 -0
  122. package/src/data/eval/remediation/test-mapping.ts +290 -0
  123. package/src/data/eval/security-rubrics.ts +381 -0
  124. package/src/data/finding-explanations.json +453 -0
  125. package/src/data/industry-patterns.ts +161 -0
  126. package/src/data/registry-cards.ts +368 -0
  127. package/src/data/regulation/index.ts +5 -0
  128. package/src/data/regulation/jurisdiction-data.test.ts +73 -0
  129. package/src/data/regulation/jurisdiction-data.ts +65 -0
  130. package/src/data/regulation/regulation-data.ts +19 -0
  131. package/src/data/regulation/regulation-loader.test.ts +107 -0
  132. package/src/data/regulation/regulation-loader.ts +56 -0
  133. package/src/data/scanner-constants.ts +46 -0
  134. package/src/data/schemas/schemas-core.ts +140 -0
  135. package/src/data/schemas/schemas-supplementary.ts +211 -0
  136. package/src/data/schemas/schemas.ts +28 -0
  137. package/src/data/security/attack-probes.test.ts +62 -0
  138. package/src/data/security/attack-probes.ts +496 -0
  139. package/src/data/security/eu-ai-act-security.ts +40 -0
  140. package/src/data/security/index.ts +19 -0
  141. package/src/data/security/mitre-atlas.test.ts +43 -0
  142. package/src/data/security/mitre-atlas.ts +93 -0
  143. package/src/data/security/nist-ai-rmf.ts +43 -0
  144. package/src/data/security/owasp-llm-top10.test.ts +60 -0
  145. package/src/data/security/owasp-llm-top10.ts +138 -0
  146. package/src/data/template-registry.ts +53 -0
  147. package/src/data/tool-versions.json +22 -0
  148. package/src/domain/audit/audit-package.test.ts +152 -0
  149. package/src/domain/audit/audit-package.ts +166 -0
  150. package/src/domain/audit/audit-trail.test.ts +121 -0
  151. package/src/domain/audit/audit-trail.ts +174 -0
  152. package/src/domain/audit/index.ts +8 -0
  153. package/src/domain/audit/permissions-matrix.test.ts +136 -0
  154. package/src/domain/audit/permissions-matrix.ts +121 -0
  155. package/src/domain/certification/adversarial/bias-tests.ts +95 -0
  156. package/src/domain/certification/adversarial/evaluators.ts +304 -0
  157. package/src/domain/certification/adversarial/index.ts +11 -0
  158. package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
  159. package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
  160. package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
  161. package/src/domain/certification/aiuc1-readiness.ts +298 -0
  162. package/src/domain/certification/aiuc1-requirements.ts +235 -0
  163. package/src/domain/certification/index.ts +10 -0
  164. package/src/domain/certification/redteam-runner.test.ts +97 -0
  165. package/src/domain/certification/redteam-runner.ts +205 -0
  166. package/src/domain/certification/test-runner.test.ts +232 -0
  167. package/src/domain/certification/test-runner.ts +289 -0
  168. package/src/domain/cost/cost-estimator.test.ts +187 -0
  169. package/src/domain/cost/cost-estimator.ts +133 -0
  170. package/src/domain/disclaimer.test.ts +52 -0
  171. package/src/domain/disclaimer.ts +39 -0
  172. package/src/domain/documents/ai-enricher.test.ts +120 -0
  173. package/src/domain/documents/ai-enricher.ts +159 -0
  174. package/src/domain/documents/document-generator.test.ts +318 -0
  175. package/src/domain/documents/document-generator.ts +239 -0
  176. package/src/domain/documents/index.ts +9 -0
  177. package/src/domain/documents/passport-helpers.ts +25 -0
  178. package/src/domain/documents/policy-generator.test.ts +252 -0
  179. package/src/domain/documents/policy-generator.ts +94 -0
  180. package/src/domain/documents/worker-notification-generator.test.ts +162 -0
  181. package/src/domain/documents/worker-notification-generator.ts +141 -0
  182. package/src/domain/eval/adapters/adapter-port.ts +94 -0
  183. package/src/domain/eval/adapters/adapters.test.ts +303 -0
  184. package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
  185. package/src/domain/eval/adapters/auto-detect.ts +104 -0
  186. package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
  187. package/src/domain/eval/adapters/custom-adapter.ts +74 -0
  188. package/src/domain/eval/adapters/http-adapter.ts +66 -0
  189. package/src/domain/eval/adapters/index.ts +7 -0
  190. package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
  191. package/src/domain/eval/adapters/openai-adapter.ts +58 -0
  192. package/src/domain/eval/adapters/with-timeout.ts +25 -0
  193. package/src/domain/eval/conformity-score.test.ts +161 -0
  194. package/src/domain/eval/conformity-score.ts +135 -0
  195. package/src/domain/eval/eval-constants.ts +55 -0
  196. package/src/domain/eval/eval-evidence.test.ts +85 -0
  197. package/src/domain/eval/eval-evidence.ts +103 -0
  198. package/src/domain/eval/eval-fix-generator.test.ts +421 -0
  199. package/src/domain/eval/eval-fix-generator.ts +205 -0
  200. package/src/domain/eval/eval-passport.test.ts +82 -0
  201. package/src/domain/eval/eval-passport.ts +89 -0
  202. package/src/domain/eval/eval-remediation-report.test.ts +682 -0
  203. package/src/domain/eval/eval-remediation-report.ts +170 -0
  204. package/src/domain/eval/eval-report.ts +108 -0
  205. package/src/domain/eval/eval-runner.test.ts +609 -0
  206. package/src/domain/eval/eval-runner.ts +593 -0
  207. package/src/domain/eval/eval-to-findings.test.ts +293 -0
  208. package/src/domain/eval/eval-to-findings.ts +83 -0
  209. package/src/domain/eval/index.ts +31 -0
  210. package/src/domain/eval/llm-judge.test.ts +139 -0
  211. package/src/domain/eval/llm-judge.ts +168 -0
  212. package/src/domain/eval/remediation-types.ts +90 -0
  213. package/src/domain/eval/security-integration.test.ts +196 -0
  214. package/src/domain/eval/security-integration.ts +136 -0
  215. package/src/domain/eval/types.test.ts +173 -0
  216. package/src/domain/eval/types.ts +244 -0
  217. package/src/domain/eval/verdict-utils.ts +45 -0
  218. package/src/domain/fixer/create-fixer.ts +101 -0
  219. package/src/domain/fixer/diff.ts +70 -0
  220. package/src/domain/fixer/fix-history.ts +23 -0
  221. package/src/domain/fixer/fixer.test.ts +306 -0
  222. package/src/domain/fixer/index.ts +9 -0
  223. package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
  224. package/src/domain/fixer/strategies/bias-testing.ts +49 -0
  225. package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
  226. package/src/domain/fixer/strategies/content-marking.ts +45 -0
  227. package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
  228. package/src/domain/fixer/strategies/data-governance.ts +65 -0
  229. package/src/domain/fixer/strategies/disclosure.ts +69 -0
  230. package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
  231. package/src/domain/fixer/strategies/documentation.ts +59 -0
  232. package/src/domain/fixer/strategies/error-handler.ts +63 -0
  233. package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
  234. package/src/domain/fixer/strategies/index.ts +61 -0
  235. package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
  236. package/src/domain/fixer/strategies/kill-switch.ts +53 -0
  237. package/src/domain/fixer/strategies/license-fix.ts +57 -0
  238. package/src/domain/fixer/strategies/log-retention.ts +40 -0
  239. package/src/domain/fixer/strategies/logging.ts +59 -0
  240. package/src/domain/fixer/strategies/metadata.ts +45 -0
  241. package/src/domain/fixer/strategies/permission-guard.ts +84 -0
  242. package/src/domain/fixer/strategies/record-keeping.ts +69 -0
  243. package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
  244. package/src/domain/fixer/strategies.test.ts +341 -0
  245. package/src/domain/fixer/template-engine.test.ts +64 -0
  246. package/src/domain/fixer/template-engine.ts +38 -0
  247. package/src/domain/fixer/types.ts +88 -0
  248. package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
  249. package/src/domain/frameworks/aiuc1-framework.ts +126 -0
  250. package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
  251. package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
  252. package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
  253. package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
  254. package/src/domain/frameworks/framework-registry.test.ts +91 -0
  255. package/src/domain/frameworks/framework-registry.ts +38 -0
  256. package/src/domain/frameworks/index.ts +8 -0
  257. package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
  258. package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
  259. package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
  260. package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
  261. package/src/domain/frameworks/score-plugin-framework.ts +117 -0
  262. package/src/domain/fria/fria-generator.test.ts +273 -0
  263. package/src/domain/fria/fria-generator.ts +366 -0
  264. package/src/domain/import/promptfoo-importer.test.ts +103 -0
  265. package/src/domain/import/promptfoo-importer.ts +151 -0
  266. package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
  267. package/src/domain/onboarding/guided-onboarding.ts +135 -0
  268. package/src/domain/passport/builder/domain-mapper.ts +9 -0
  269. package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
  270. package/src/domain/passport/builder/manifest-builder.ts +535 -0
  271. package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
  272. package/src/domain/passport/builder/manifest-diff.ts +89 -0
  273. package/src/domain/passport/builder/manifest-files.ts +17 -0
  274. package/src/domain/passport/crypto-signer.test.ts +93 -0
  275. package/src/domain/passport/crypto-signer.ts +157 -0
  276. package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
  277. package/src/domain/passport/discovery/agent-discovery.ts +325 -0
  278. package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
  279. package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
  280. package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
  281. package/src/domain/passport/discovery/permission-scanner.ts +414 -0
  282. package/src/domain/passport/export/a2a-mapper.ts +75 -0
  283. package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
  284. package/src/domain/passport/export/export.test.ts +207 -0
  285. package/src/domain/passport/export/index.ts +41 -0
  286. package/src/domain/passport/export/nist-mapper.ts +227 -0
  287. package/src/domain/passport/import/a2a-importer.test.ts +133 -0
  288. package/src/domain/passport/import/a2a-importer.ts +156 -0
  289. package/src/domain/passport/import/index.ts +2 -0
  290. package/src/domain/passport/index.ts +32 -0
  291. package/src/domain/passport/obligation-field-map.test.ts +113 -0
  292. package/src/domain/passport/obligation-field-map.ts +117 -0
  293. package/src/domain/passport/passport-validator.test.ts +156 -0
  294. package/src/domain/passport/passport-validator.ts +126 -0
  295. package/src/domain/passport/scan-to-compliance.test.ts +336 -0
  296. package/src/domain/passport/scan-to-compliance.ts +166 -0
  297. package/src/domain/passport/test-generator.test.ts +93 -0
  298. package/src/domain/passport/test-generator.ts +136 -0
  299. package/src/domain/proxy/index.ts +11 -0
  300. package/src/domain/proxy/json-rpc.test.ts +72 -0
  301. package/src/domain/proxy/json-rpc.ts +53 -0
  302. package/src/domain/proxy/policy-engine.test.ts +259 -0
  303. package/src/domain/proxy/policy-engine.ts +137 -0
  304. package/src/domain/proxy/proxy-bridge.ts +125 -0
  305. package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
  306. package/src/domain/proxy/proxy-interceptor.ts +120 -0
  307. package/src/domain/proxy/proxy-types.ts +35 -0
  308. package/src/domain/registry/compute-agent-score.test.ts +279 -0
  309. package/src/domain/registry/compute-agent-score.ts +162 -0
  310. package/src/domain/reporter/audit-report.test.ts +87 -0
  311. package/src/domain/reporter/audit-report.ts +116 -0
  312. package/src/domain/reporter/badge-generator.test.ts +54 -0
  313. package/src/domain/reporter/badge-generator.ts +40 -0
  314. package/src/domain/reporter/compliance-md.ts +45 -0
  315. package/src/domain/reporter/index.ts +7 -0
  316. package/src/domain/reporter/pdf-renderer.ts +282 -0
  317. package/src/domain/reporter/share.test.ts +92 -0
  318. package/src/domain/reporter/share.ts +80 -0
  319. package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
  320. package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
  321. package/src/domain/scanner/attestations.ts +97 -0
  322. package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
  323. package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
  324. package/src/domain/scanner/checks/ai-literacy.ts +163 -0
  325. package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
  326. package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
  327. package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
  328. package/src/domain/scanner/checks/content-marking.ts +74 -0
  329. package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
  330. package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
  331. package/src/domain/scanner/checks/documentation.test.ts +88 -0
  332. package/src/domain/scanner/checks/documentation.ts +79 -0
  333. package/src/domain/scanner/checks/git-history.test.ts +120 -0
  334. package/src/domain/scanner/checks/git-history.ts +163 -0
  335. package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
  336. package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
  337. package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
  338. package/src/domain/scanner/checks/index.ts +28 -0
  339. package/src/domain/scanner/checks/industry/index.ts +40 -0
  340. package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
  341. package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
  342. package/src/domain/scanner/checks/interaction-logging.ts +142 -0
  343. package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
  344. package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
  345. package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
  346. package/src/domain/scanner/checks/passport-completeness.ts +82 -0
  347. package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
  348. package/src/domain/scanner/checks/passport-presence.ts +78 -0
  349. package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
  350. package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
  351. package/src/domain/scanner/checks/permission-scanner.ts +90 -0
  352. package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
  353. package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
  354. package/src/domain/scanner/compliance-diff.test.ts +165 -0
  355. package/src/domain/scanner/compliance-diff.ts +138 -0
  356. package/src/domain/scanner/confidence.test.ts +235 -0
  357. package/src/domain/scanner/confidence.ts +156 -0
  358. package/src/domain/scanner/constants.ts +13 -0
  359. package/src/domain/scanner/create-scanner.ts +573 -0
  360. package/src/domain/scanner/cross-layer.test.ts +372 -0
  361. package/src/domain/scanner/cross-layer.ts +232 -0
  362. package/src/domain/scanner/data/ai-packages.ts +82 -0
  363. package/src/domain/scanner/debt-calculator.test.ts +89 -0
  364. package/src/domain/scanner/debt-calculator.ts +111 -0
  365. package/src/domain/scanner/drift.test.ts +191 -0
  366. package/src/domain/scanner/drift.ts +73 -0
  367. package/src/domain/scanner/evidence-store.test.ts +207 -0
  368. package/src/domain/scanner/evidence-store.ts +195 -0
  369. package/src/domain/scanner/evidence.test.ts +104 -0
  370. package/src/domain/scanner/evidence.ts +71 -0
  371. package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
  372. package/src/domain/scanner/external/bandit-runner.ts +90 -0
  373. package/src/domain/scanner/external/checks.ts +321 -0
  374. package/src/domain/scanner/external/dedup.test.ts +79 -0
  375. package/src/domain/scanner/external/dedup.ts +94 -0
  376. package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
  377. package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
  378. package/src/domain/scanner/external/external-scanner.test.ts +221 -0
  379. package/src/domain/scanner/external/external-scanner.ts +36 -0
  380. package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
  381. package/src/domain/scanner/external/finding-mapper.ts +138 -0
  382. package/src/domain/scanner/external/index.ts +15 -0
  383. package/src/domain/scanner/external/mappings.ts +93 -0
  384. package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
  385. package/src/domain/scanner/external/modelscan-runner.ts +101 -0
  386. package/src/domain/scanner/external/path-utils.ts +8 -0
  387. package/src/domain/scanner/external/runner-port.ts +45 -0
  388. package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
  389. package/src/domain/scanner/external/semgrep-runner.ts +94 -0
  390. package/src/domain/scanner/external/types.ts +32 -0
  391. package/src/domain/scanner/finding-attribution.test.ts +444 -0
  392. package/src/domain/scanner/finding-attribution.ts +195 -0
  393. package/src/domain/scanner/finding-explainer.test.ts +157 -0
  394. package/src/domain/scanner/finding-explainer.ts +73 -0
  395. package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
  396. package/src/domain/scanner/fix-diff-builder.ts +477 -0
  397. package/src/domain/scanner/import-graph.test.ts +162 -0
  398. package/src/domain/scanner/import-graph.ts +198 -0
  399. package/src/domain/scanner/languages/adapter.test.ts +105 -0
  400. package/src/domain/scanner/languages/adapter.ts +239 -0
  401. package/src/domain/scanner/layers/index.ts +24 -0
  402. package/src/domain/scanner/layers/layer1-files.ts +54 -0
  403. package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
  404. package/src/domain/scanner/layers/layer2-docs.ts +297 -0
  405. package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
  406. package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
  407. package/src/domain/scanner/layers/layer3-config.ts +279 -0
  408. package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
  409. package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
  410. package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
  411. package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
  412. package/src/domain/scanner/layers/layer5-docs.ts +250 -0
  413. package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
  414. package/src/domain/scanner/layers/layer5-llm.ts +262 -0
  415. package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
  416. package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
  417. package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
  418. package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
  419. package/src/domain/scanner/regulation-version.test.ts +54 -0
  420. package/src/domain/scanner/regulation-version.ts +23 -0
  421. package/src/domain/scanner/role-filter.test.ts +116 -0
  422. package/src/domain/scanner/role-filter.ts +51 -0
  423. package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
  424. package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
  425. package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
  426. package/src/domain/scanner/rules/banned-packages.ts +55 -0
  427. package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
  428. package/src/domain/scanner/rules/comment-filter.ts +297 -0
  429. package/src/domain/scanner/rules/index.ts +9 -0
  430. package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
  431. package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
  432. package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
  433. package/src/domain/scanner/sbom.test.ts +136 -0
  434. package/src/domain/scanner/sbom.ts +103 -0
  435. package/src/domain/scanner/scan-cache.test.ts +136 -0
  436. package/src/domain/scanner/scan-cache.ts +115 -0
  437. package/src/domain/scanner/scanner.test.ts +125 -0
  438. package/src/domain/scanner/score-calculator.test.ts +363 -0
  439. package/src/domain/scanner/score-calculator.ts +189 -0
  440. package/src/domain/scanner/security-score.test.ts +107 -0
  441. package/src/domain/scanner/security-score.ts +116 -0
  442. package/src/domain/scanner/source-filter.ts +24 -0
  443. package/src/domain/scanner/validators.ts +223 -0
  444. package/src/domain/shared/compliance-constants.ts +48 -0
  445. package/src/domain/shared/disclosure-patterns.ts +16 -0
  446. package/src/domain/shared/index.ts +6 -0
  447. package/src/domain/shared/parse-dependencies.ts +21 -0
  448. package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
  449. package/src/domain/supply-chain/index.ts +3 -0
  450. package/src/domain/supply-chain/supply-chain.test.ts +211 -0
  451. package/src/domain/supply-chain/types.ts +32 -0
  452. package/src/domain/whatif/config-fixer.ts +187 -0
  453. package/src/domain/whatif/index.ts +6 -0
  454. package/src/domain/whatif/scenario-engine.ts +121 -0
  455. package/src/domain/whatif/simulate-actions.test.ts +161 -0
  456. package/src/domain/whatif/simulate-actions.ts +114 -0
  457. package/src/domain/whatif/whatif.test.ts +135 -0
  458. package/src/e2e/gaps-e2e.test.ts +259 -0
  459. package/src/e2e/smoke.test.ts +101 -0
  460. package/src/hooks/hooks-export.test.ts +81 -0
  461. package/src/hooks/installer.ts +113 -0
  462. package/src/http/cors.test.ts +38 -0
  463. package/src/http/create-router.ts +259 -0
  464. package/src/http/routes/agent.route.ts +380 -0
  465. package/src/http/routes/audit.route.ts +66 -0
  466. package/src/http/routes/badge.route.ts +23 -0
  467. package/src/http/routes/cert.route.ts +66 -0
  468. package/src/http/routes/chat.route.ts +228 -0
  469. package/src/http/routes/cost.route.ts +33 -0
  470. package/src/http/routes/debt.route.ts +29 -0
  471. package/src/http/routes/disclaimer.route.ts +64 -0
  472. package/src/http/routes/eval.route.ts +161 -0
  473. package/src/http/routes/events.route.test.ts +108 -0
  474. package/src/http/routes/events.route.ts +71 -0
  475. package/src/http/routes/external-scan.route.ts +24 -0
  476. package/src/http/routes/file.route.ts +54 -0
  477. package/src/http/routes/fix.route.ts +219 -0
  478. package/src/http/routes/frameworks.route.test.ts +66 -0
  479. package/src/http/routes/frameworks.route.ts +36 -0
  480. package/src/http/routes/git.route.ts +27 -0
  481. package/src/http/routes/guided-onboarding.route.ts +65 -0
  482. package/src/http/routes/import.route.ts +64 -0
  483. package/src/http/routes/jurisdiction.route.ts +22 -0
  484. package/src/http/routes/obligations.route.test.ts +122 -0
  485. package/src/http/routes/obligations.route.ts +110 -0
  486. package/src/http/routes/onboarding.route.ts +53 -0
  487. package/src/http/routes/provider.route.ts +42 -0
  488. package/src/http/routes/proxy.route.ts +40 -0
  489. package/src/http/routes/redteam.route.ts +84 -0
  490. package/src/http/routes/report.route.ts +29 -0
  491. package/src/http/routes/scan.route.ts +104 -0
  492. package/src/http/routes/share.route.ts +44 -0
  493. package/src/http/routes/shell.route.ts +27 -0
  494. package/src/http/routes/status.route.ts +66 -0
  495. package/src/http/routes/supply-chain.route.ts +121 -0
  496. package/src/http/routes/sync.route.ts +328 -0
  497. package/src/http/routes/tools.route.ts +29 -0
  498. package/src/http/routes/whatif.route.ts +96 -0
  499. package/src/http/utils/validation.ts +31 -0
  500. package/src/index.ts +1 -0
  501. package/src/infra/bundle-fetcher.ts +77 -0
  502. package/src/infra/cache-storage.ts +34 -0
  503. package/src/infra/event-bus.ts +31 -0
  504. package/src/infra/file-collector.ts +61 -0
  505. package/src/infra/file-ops-adapter.ts +95 -0
  506. package/src/infra/file-watcher.test.ts +90 -0
  507. package/src/infra/file-watcher.ts +106 -0
  508. package/src/infra/git-adapter.ts +93 -0
  509. package/src/infra/git-history-adapter.ts +41 -0
  510. package/src/infra/headless-browser.ts +178 -0
  511. package/src/infra/llm-adapter.test.ts +83 -0
  512. package/src/infra/llm-adapter.ts +86 -0
  513. package/src/infra/logger.ts +27 -0
  514. package/src/infra/project-config.test.ts +74 -0
  515. package/src/infra/project-config.ts +35 -0
  516. package/src/infra/rate-limiter.test.ts +36 -0
  517. package/src/infra/rate-limiter.ts +34 -0
  518. package/src/infra/retry.ts +46 -0
  519. package/src/infra/saas-client.ts +123 -0
  520. package/src/infra/search-adapter.ts +113 -0
  521. package/src/infra/shell-adapter.ts +68 -0
  522. package/src/infra/tool-manager.test.ts +99 -0
  523. package/src/infra/tool-manager.ts +197 -0
  524. package/src/llm/agents/agent-modes.test.ts +44 -0
  525. package/src/llm/agents/modes.ts +68 -0
  526. package/src/llm/routing/cost-routing.test.ts +37 -0
  527. package/src/llm/routing/cost-tracker.ts +74 -0
  528. package/src/llm/routing/model-routing.test.ts +79 -0
  529. package/src/llm/routing/model-routing.ts +38 -0
  530. package/src/llm/routing/pricing.ts +19 -0
  531. package/src/llm/sse-protocol.ts +77 -0
  532. package/src/llm/tool-definitions.ts +83 -0
  533. package/src/llm/tool-executors.ts +80 -0
  534. package/src/llm/tools/types.ts +13 -0
  535. package/src/mcp/create-mcp-stack.ts +82 -0
  536. package/src/mcp/handlers.ts +245 -0
  537. package/src/mcp/index.ts +28 -0
  538. package/src/mcp/mcp-server.test.ts +80 -0
  539. package/src/mcp/server.ts +79 -0
  540. package/src/mcp/tools.ts +48 -0
  541. package/src/onboarding/auto-detect.ts +164 -0
  542. package/src/onboarding/onboarding.test.ts +89 -0
  543. package/src/onboarding/profile.ts +169 -0
  544. package/src/onboarding/questions.ts +112 -0
  545. package/src/onboarding/wizard.ts +66 -0
  546. package/src/output/github-issue.ts +32 -0
  547. package/src/output/json-output.ts +67 -0
  548. package/src/ports/browser.port.ts +23 -0
  549. package/src/ports/events.port.ts +28 -0
  550. package/src/ports/llm.port.ts +23 -0
  551. package/src/ports/logger.port.ts +6 -0
  552. package/src/ports/process.port.ts +6 -0
  553. package/src/ports/scanner.port.ts +15 -0
  554. package/src/server.ts +134 -0
  555. package/src/services/badge-service.ts +67 -0
  556. package/src/services/chat-service.test.ts +162 -0
  557. package/src/services/chat-service.ts +152 -0
  558. package/src/services/cost-service.ts +52 -0
  559. package/src/services/debt-service.ts +65 -0
  560. package/src/services/eval-integration.test.ts +132 -0
  561. package/src/services/eval-service.test.ts +373 -0
  562. package/src/services/eval-service.ts +463 -0
  563. package/src/services/external-scan-service.ts +60 -0
  564. package/src/services/file-service.ts +37 -0
  565. package/src/services/fix-service.test.ts +470 -0
  566. package/src/services/fix-service.ts +648 -0
  567. package/src/services/framework-service.test.ts +159 -0
  568. package/src/services/framework-service.ts +67 -0
  569. package/src/services/onboarding-service.ts +165 -0
  570. package/src/services/passport-audit.ts +244 -0
  571. package/src/services/passport-documents.ts +258 -0
  572. package/src/services/passport-service-utils.ts +72 -0
  573. package/src/services/passport-service.test.ts +251 -0
  574. package/src/services/passport-service.ts +339 -0
  575. package/src/services/proxy-service.ts +81 -0
  576. package/src/services/report-service.ts +72 -0
  577. package/src/services/scan-service.test.ts +470 -0
  578. package/src/services/scan-service.ts +335 -0
  579. package/src/services/share-service.ts +108 -0
  580. package/src/services/shared/backup.ts +23 -0
  581. package/src/services/status-service.ts +38 -0
  582. package/src/services/undo-service.test.ts +190 -0
  583. package/src/services/undo-service.ts +144 -0
  584. package/src/test-helpers/factories.ts +116 -0
  585. package/src/types/common.schemas.ts +147 -0
  586. package/src/types/common.types.ts +292 -0
  587. package/src/types/contract.test.ts +217 -0
  588. package/src/types/errors.ts +52 -0
  589. package/src/types/framework.types.ts +87 -0
  590. package/src/types/passport-schemas.ts +241 -0
  591. package/src/types/passport.types.ts +296 -0
  592. package/src/version.ts +1 -0
  593. package/tsconfig.json +20 -0
  594. package/vitest.config.ts +9 -0
@@ -0,0 +1,239 @@
1
+ # AI Usage Policy — Migration / Border Control
2
+
3
+ | Field | Value |
4
+ |-------|-------|
5
+ | Policy Title | AI Usage Policy — Migration / Border Control |
6
+ | Organization | [Organization] |
7
+ | Date | [Date] |
8
+ | Version | [Version] |
9
+ | AI System Name | [AI System Name] |
10
+ | Risk Class | [Risk Class] |
11
+
12
+ ## 1. Purpose and Scope
13
+ <!-- GUIDANCE: Migration/border AI is high-risk under Annex III §7. Covers:
14
+ polygraphs/emotion detection at borders, asylum application assessment, visa
15
+ assessment, travel document verification, irregular migration detection.
16
+ These systems affect fundamental rights (asylum, non-refoulement). Example:
17
+ "Covers: AI-assisted visa risk assessment (Annex III §7(b)), automated travel
18
+ document verification (Annex III §7(d)), excludes passenger counting and
19
+ non-security queue management." -->
20
+
21
+ This policy governs the use of [AI System Name] within [Organization]'s migration, asylum, or border control operations. It establishes requirements for lawful, fair and rights-respecting use of AI in processing that affects the migration status, freedom of movement, or asylum rights of individuals, in accordance with the EU AI Act (Regulation 2024/1689).
22
+
23
+ This policy applies to all personnel involved in deploying, operating, supervising, or making decisions informed by AI systems in migration and border management contexts, including border officers, asylum caseworkers, visa processing staff, and supervisory authorities.
24
+
25
+ ## 2. Applicable Legislation
26
+ <!-- GUIDANCE: Migration AI intersects with AI Act, GDPR/Law Enforcement
27
+ Directive, Asylum Procedures Directive, Schengen Borders Code, and the EU
28
+ Charter. Non-refoulement principle (Art. 19 Charter) is paramount.
29
+ Example: "Primary: AI Act Annex III §7; Asylum Procedures Directive
30
+ (2013/32/EU); Schengen Borders Code (EU 2016/399); GDPR Art. 22 (automated
31
+ decisions); Law Enforcement Directive 2016/680; EU Charter Art. 18 (asylum),
32
+ Art. 19 (non-refoulement), Art. 47 (effective remedy)." -->
33
+
34
+ - **EU AI Act** — Annex III §7: AI systems intended to be used by public authorities or on behalf of public authorities in migration, asylum and border control management
35
+ - **Art. 6(2)** — High-risk AI system classification
36
+ - **Art. 9** — Risk management system requirements
37
+ - **Art. 10** — Data governance (representativeness across nationalities and demographics)
38
+ - **Art. 14** — Human oversight measures
39
+ - **Art. 26** — Obligations of deployers of high-risk AI systems
40
+ - **Schengen Borders Code** (EU 2016/399) — border check procedures
41
+ - **Asylum Procedures Directive** (2013/32/EU) — procedural guarantees
42
+ - **Qualification Directive** (2011/95/EU) — refugee status determination
43
+ - **GDPR** — Art. 22 (automated individual decision-making)
44
+ - **Law Enforcement Directive** (2016/680) — where processing for law enforcement
45
+ - **EU Charter of Fundamental Rights** — Art. 18 (right to asylum), Art. 19 (non-refoulement), Art. 21 (non-discrimination), Art. 47 (right to effective remedy)
46
+
47
+ ## 3. AI System Description
48
+ <!-- GUIDANCE: Specify what migration decision the AI supports/automates.
49
+ State whether it's decision support only or has autonomous decision capability.
50
+ Clearly define the role: screening, assessment, verification, risk scoring.
51
+ Example: "AI-assisted visa application risk scoring. Input: application form
52
+ data, travel history, country-of-origin risk indicators. Output: risk score
53
+ (low/medium/high) + recommended action. Decision support only — final visa
54
+ decision by trained consular officer." -->
55
+
56
+ - System name: [AI System Name]
57
+ - Description: [Description]
58
+ - Provider: [Provider]
59
+ - Model ID: [Model ID]
60
+ - Migration function: [visa assessment / asylum processing / document verification / border screening / irregular migration detection]
61
+ - Autonomy level: [Autonomy Level]
62
+
63
+ ## 4. Risk Classification
64
+ <!-- GUIDANCE: All migration/border AI systems listed in Annex III §7 are
65
+ high-risk. Sub-categories: (a) polygraphs/emotion detection at borders,
66
+ (b) visa/residence permit risk assessment, (c) asylum application assessment,
67
+ (d) irregular migration detection. Example: "High-risk under Annex III §7(b):
68
+ AI-assisted visa application risk assessment. Affects: right to enter EU
69
+ territory, family reunification, economic migration." -->
70
+
71
+ This AI system is classified as **[Risk Class]** under the EU AI Act. AI systems used in migration, asylum, and border control are classified as high-risk under Annex III §7.
72
+
73
+ **Annex III §7 Sub-classification:**
74
+ - [ ] §7(a) — Polygraphs or similar tools (emotion detection at border)
75
+ - [ ] §7(b) — Risk assessment for visa or residence permit applications
76
+ - [ ] §7(c) — Examination of asylum applications (eligibility assessment)
77
+ - [ ] §7(d) — Detection of irregular migration (including document verification)
78
+
79
+ ## 5. Data Governance
80
+ <!-- GUIDANCE: Migration data is inherently sensitive — nationality, ethnicity,
81
+ religion, political opinion may be inferred. GDPR Art. 9 special categories
82
+ likely processed. Training data must not encode discrimination against
83
+ specific nationalities. Country-of-origin information must be from authoritative
84
+ sources (EASO/EUAA COI reports). Example: "Training data: 500K historical visa
85
+ decisions, reviewed for nationality bias. Country-of-origin data: EUAA COI
86
+ reports only. Statistical parity checked across top-20 nationalities. Proxy
87
+ discrimination audit: verified name/nationality correlation not used as
88
+ predictive feature." -->
89
+
90
+ - Training data must be representative across nationalities, ethnicities, and demographic groups
91
+ - Historical decision data must be audited for systematic bias before use in training
92
+ - Country-of-origin information must be sourced from authoritative reports (EUAA/EASO COI)
93
+ - Proxy discrimination must be tested (names, nationalities, languages as proxy for protected characteristics)
94
+ - GDPR Art. 9 special category data (religion, ethnicity, political opinion) must not be used as direct features
95
+ - Data quality controls must ensure accuracy of identity documents and biographical data
96
+ - Data retention must comply with sector-specific requirements and GDPR minimisation
97
+
98
+ ## 6. Human Oversight
99
+ <!-- GUIDANCE: Migration decisions affect fundamental rights. Art. 14 human
100
+ oversight is critical. No fully automated decision on asylum or visa that
101
+ produces legal effects (GDPR Art. 22). Caseworkers must have meaningful
102
+ review capability, not rubber-stamping. Example: "All AI risk assessments
103
+ reviewed by trained caseworker before decision. Caseworker sees: application
104
+ data, AI risk score, contributing factors, similar historical cases, COI
105
+ summary. Minimum review time: 15 minutes per case. Caseworker can override
106
+ in any direction with documented reasoning." -->
107
+
108
+ - Autonomy level: [Autonomy Level]
109
+ - [Human Oversight Description]
110
+ - No migration or asylum decision with legal effects may be made solely by AI (GDPR Art. 22)
111
+ - Trained caseworkers must review all AI-generated assessments before decisions
112
+ - Caseworkers must have access to the factors contributing to the AI assessment
113
+ - Override procedures must be documented; caseworkers must not be pressured to follow AI recommendations
114
+ - Processing time must allow for meaningful human review, not rubber-stamping
115
+
116
+ ## 7. Transparency and Disclosure
117
+ <!-- GUIDANCE: Applicants have the right to know AI is used in their case
118
+ (Art. 50). For asylum seekers, information must be in a language they understand.
119
+ Right to explanation under GDPR Art. 22(3). Right to challenge under
120
+ Art. 47 Charter. Example: "All visa applicants informed via application form
121
+ in 24 EU languages + Arabic, Farsi, Dari, Tigrinya, Somali: 'AI-assisted risk
122
+ assessment is used. You have the right to human review of any decision and
123
+ to challenge the decision. Contact: [appeals office].' Asylum seekers: oral
124
+ explanation via interpreter at interview." -->
125
+
126
+ - Applicants must be informed that AI is used in processing their application
127
+ - Information must be provided in a language the applicant understands
128
+ - The right to human review and to challenge AI-informed decisions must be clearly communicated
129
+ - Asylum seekers must receive oral explanation during their interview if AI was used
130
+ - AI-generated risk assessments in case files must be clearly marked as AI-produced
131
+ - Annual public transparency report on AI system performance and decision statistics
132
+
133
+ ## 8. Fundamental Rights Impact Assessment
134
+ <!-- GUIDANCE: Migration AI directly affects fundamental rights (asylum,
135
+ non-refoulement, non-discrimination, liberty, family life). Mandatory FRIA
136
+ per Art. 27. Must assess: discriminatory impact by nationality/ethnicity,
137
+ impact on right to asylum (Art. 18 Charter), risk of refoulement (Art. 19),
138
+ impact on children (best interests principle). Example: "FRIA conducted
139
+ 2026-01-15. Key risks: (1) nationality bias in risk scoring — mitigated by
140
+ statistical parity constraints, (2) asylum application rejection bias —
141
+ mitigated by mandatory human review, (3) unaccompanied minors — separate
142
+ processing pathway without AI." -->
143
+
144
+ - Fundamental Rights Impact Assessment (FRIA) must be conducted before deployment (Art. 27)
145
+ - Assessment must cover: non-discrimination, right to asylum, non-refoulement, right to remedy, children's rights
146
+ - Discriminatory impact must be measured across nationalities, ethnicities, and vulnerable groups
147
+ - Special provisions must exist for vulnerable persons: unaccompanied minors, victims of trafficking, persons with disabilities
148
+ - FRIA must be reviewed annually and upon significant system changes
149
+
150
+ ## 9. Non-Discrimination and Fairness
151
+ <!-- GUIDANCE: Migration AI has extreme bias risk — historical data may encode
152
+ institutional discrimination. Must test for both direct and proxy discrimination.
153
+ Key metrics: approval/denial rates by nationality, demographic parity, equalized
154
+ odds. Example: "Statistical parity: visa denial rate differential <5% between
155
+ comparable nationality groups (controlling for application quality metrics).
156
+ Quarterly audit of approval rates by nationality with disparity reporting
157
+ to equality body." -->
158
+
159
+ - AI system must be tested for discriminatory impact across nationalities and demographic groups
160
+ - Statistical parity must be monitored: decision rate differentials across comparable groups
161
+ - Proxy discrimination must be prevented: language, name, or nationality must not serve as proxy for protected characteristics
162
+ - Regular fairness audits must be conducted and results shared with oversight authority
163
+ - Corrective measures must be implemented immediately if discriminatory patterns are detected
164
+
165
+ ## 10. Monitoring and Logging
166
+ <!-- GUIDANCE: All AI-informed migration decisions must be auditable for
167
+ potential legal challenge. Log completeness is critical for right to remedy.
168
+ Decision factors must be retained for appeal periods. Example: "Full decision
169
+ log: timestamp, applicant ID, input features, AI risk score, contributing
170
+ factors, caseworker decision, reasoning for override (if applicable). Retained
171
+ for appeal period + 5 years. Monthly: approval rate by nationality dashboard.
172
+ Quarterly: full bias audit. Accessible to: supervisory authority, judicial
173
+ review, EUAA audit." -->
174
+
175
+ - All AI-informed decisions must be logged with: timestamp, input data, AI assessment, contributing factors, human decision, reasoning
176
+ - Decision logs must be retained for the applicable appeal period plus 5 years minimum
177
+ - System performance must be monitored for decision quality and bias indicators
178
+ - Monitoring frequency: monthly statistical analysis, quarterly comprehensive audit
179
+ - Logs must be accessible to supervisory authorities, judicial review, and audit bodies
180
+
181
+ ## 11. Incident Response
182
+ <!-- GUIDANCE: Migration AI incidents include: wrongful deportation/removal
183
+ informed by AI, asylum denial leading to refoulement, systematic nationality
184
+ bias discovery. These are fundamental rights violations requiring immediate
185
+ action. Example: "Wrongful removal informed by AI: immediate investigation,
186
+ case review for all similar decisions in last 6 months, notification to
187
+ affected individual, EU AI Act Art. 73 report within 2 days. Systematic
188
+ bias discovery: immediate system suspension, full audit, notification to
189
+ FRA and EUAA." -->
190
+
191
+ - Wrongful decisions informed by AI must trigger immediate case review and remediation
192
+ - Systematic bias or discrimination discovery must trigger immediate system suspension
193
+ - EU AI Act Art. 73 reporting: 2 days (serious harm to fundamental rights), 15 days (other)
194
+ - All similar decisions must be reviewed when systematic error is discovered (batch review)
195
+ - Affected individuals must be notified and provided with remedy
196
+ - Fundamental Rights Agency (FRA) and relevant supervisory authority must be informed
197
+
198
+ ## 12. Training and Awareness
199
+ <!-- GUIDANCE: Border/migration officers must understand AI limitations in
200
+ cross-cultural context. Include: cultural bias awareness, asylum law, vulnerable
201
+ persons identification, override confidence. Example: "12-hour training:
202
+ AI system operation (3h), asylum law and non-refoulement (3h), cultural
203
+ bias and proxy discrimination (2h), vulnerable persons identification (2h),
204
+ override procedures and documentation (2h). Annual recertification with
205
+ case study exercises." -->
206
+
207
+ - All officers and caseworkers must receive training on AI system operation and limitations
208
+ - Training must cover: asylum law, non-refoulement, cultural bias awareness, vulnerable persons identification
209
+ - Officers must understand AI assessment factors and limitations for different nationalities
210
+ - Override procedures and documentation requirements must be practiced
211
+ - Refresher training must be provided at least annually and upon significant system changes
212
+
213
+ ## 13. Review Schedule
214
+ <!-- GUIDANCE: Migration context changes rapidly (new conflicts, routes,
215
+ document types). Frequent review needed. Include geopolitical monitoring.
216
+ Example: "Monthly: decision statistics by nationality. Quarterly: bias
217
+ audit + geopolitical context review. Semi-annually: full system evaluation
218
+ with updated COI data. Annually: FRIA update. Immediate: upon new conflict,
219
+ mass displacement event, or relevant CJEU ruling." -->
220
+
221
+ - This policy shall be reviewed at least quarterly and upon significant geopolitical changes
222
+ - Review must incorporate decision statistics, bias audit results, incident reports, and updated COI data
223
+ - FRIA must be updated annually and upon new displacement events or conflicts
224
+ - Updates must be approved by the Head of Operations and Legal/Compliance Lead
225
+
226
+ ## 14. Approval and Sign-off
227
+ <!-- GUIDANCE: Migration AI policy requires sign-off from operational leadership,
228
+ legal authority, and fundamental rights officer. Example: "Head of Border
229
+ Management confirms operational suitability; Legal Director confirms
230
+ compliance with asylum acquis; Fundamental Rights Officer confirms FRIA
231
+ completion and Art. 14 oversight adequacy." -->
232
+
233
+ | Role | Name | Date |
234
+ |------|------|------|
235
+ | Policy Owner | [Approver Name] | [Date] |
236
+ | Head of Operations | _________________ | _________ |
237
+ | Legal Director | _________________ | _________ |
238
+ | Fundamental Rights Officer | _________________ | _________ |
239
+ | DPO | _________________ | _________ |
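--- a/package/engine.log
+++ b/package/engine.log
@@ -0,0 +1,7 @@
+[server] Loading regulation data...
+[app] Loaded 108 obligations
+[app] Loaded persisted scan result from disk
+[server] Complior Engine v1.0.0 running on http://127.0.0.1:3099
+[file-watcher] Watching /home/openclaw/complior/engine/core for compliance-relevant changes
+[server] Graceful shutdown...
+[server] Server closed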
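Review bot: A runtime log file is being published in the package tarball, and it records a developer's local filesystem path (`/home/openclaw/complior/engine/core`) and the loopback bind address — nothing a consumer needs and an unnecessary disclosure of the build environment. It also reports `Complior Engine v1.0.0` while the manifest in this same release declares `0.9.0`, so the artifact is at best stale; the printed version presumably comes from `src/version.ts` listed in the diffstat and should agree with `package.json`. Remove the committed copy and keep it out of future publishes with a `files` allowlist in `package.json` or an `.npmignore` entry such as `engine.log`.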
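--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,74 @@
+{
+"name": "@complior/engine",
+"version": "0.9.0",
+"type": "module",
+"main": "src/index.ts",
+"description": "AI Act Compliance Engine — deterministic scanner, auto-fixer, reporter, and MCP server for EU AI Act. Powers the Complior CLI daemon.",
+"license": "AGPL-3.0-only",
+"author": {
+"name": "Complior",
+"url": "https://complior.ai"
+},
+"homepage": "https://complior.ai",
+"repository": {
+"type": "git",
+"url": "https://github.com/complior/complior",
+"directory": "engine/core"
+},
+"bugs": {
+"url": "https://github.com/complior/complior/issues"
+},
+"funding": {
+"type": "individual",
+"url": "https://complior.ai"
+},
+"keywords": [
+"ai",
+"compliance",
+"eu-ai-act",
+"ai-act",
+"scanner",
+"fixer",
+"mcp",
+"hono",
+"gdpr",
+"audit",
+"governance",
+"risk-assessment",
+"ai-safety",
+"regulation",
+"agent-passport"
+],
+"engines": {
+"node": ">=22"
+},
+"scripts": {
+"dev": "tsx src/server.ts",
+"build": "tsc --noCheck",
+"test": "vitest run",
+"typecheck": "tsc --noEmit"
+},
+"dependencies": {
+"@ai-sdk/anthropic": "^2.0.65",
+"@ai-sdk/openai": "^2.0.91",
+"@hono/node-server": "^1.19.10",
+"@modelcontextprotocol/sdk": "^1.26.0",
+"ai": "^5.0.135",
+"better-sqlite3": "^11.0.0",
+"chokidar": "^4.0.0",
+"cosmiconfig": "^9.0.0",
+"hono": "^4.12.7",
+"p-queue": "^8.0.0",
+"pdfkit": "^0.17.2",
+"simple-git": "^3.27.0",
+"tsx": "^4.21.0",
+"zod": "^3.23.0"
+},
+"devDependencies": {
+"@types/better-sqlite3": "^7.6.0",
+"@types/node": "^22.0.0",
+"@types/pdfkit": "^0.17.5",
+"typescript": "^5.7.0",
+"vitest": "^3.0.0"
+}
+}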
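Review bot: The manifest has no `files` allowlist, so the tarball ships everything under the package directory that npm does not ignore by default — the diffstat above shows `*.test.ts` files, `engine.log`, `tsconfig.json` and `vitest.config.ts` all being published. `"main": "src/index.ts"` combined with `tsx` as a runtime dependency also means consumers execute the raw TypeScript through a transpiler at run time rather than a built artifact, which is unusual for a published package. `"build": "tsc --noCheck"` skips type checking, and nothing wires the `typecheck` script into `build` or `test`, so a type error does not block a release. Consider `"files": ["src", "data"]` (plus whatever other runtime assets the engine reads) and a `"prepublishOnly": "npm run typecheck && npm test"` hook so a publish is gated on the checks that already exist.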