@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (594) hide show
  1. package/.well-known/ai-compliance.json +16 -0
  2. package/COMPLIANCE.md +64 -0
  3. package/data/data-integrity.test.ts +75 -0
  4. package/data/eval/eval-mappings.json +33 -0
  5. package/data/llm/model-pricing.json +15 -0
  6. package/data/llm/model-routing.json +36 -0
  7. package/data/onboarding/risk-profile.json +17 -0
  8. package/data/regulations/eu-ai-act/README.md +245 -0
  9. package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
  10. package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
  11. package/data/regulations/eu-ai-act/localization.json +186 -0
  12. package/data/regulations/eu-ai-act/obligations.json +3981 -0
  13. package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
  14. package/data/regulations/eu-ai-act/scoring.json +342 -0
  15. package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
  16. package/data/regulations/eu-ai-act/timeline.json +160 -0
  17. package/data/regulations/jurisdictions/at.json +15 -0
  18. package/data/regulations/jurisdictions/be.json +15 -0
  19. package/data/regulations/jurisdictions/bg.json +15 -0
  20. package/data/regulations/jurisdictions/cy.json +15 -0
  21. package/data/regulations/jurisdictions/cz.json +15 -0
  22. package/data/regulations/jurisdictions/de.json +15 -0
  23. package/data/regulations/jurisdictions/dk.json +15 -0
  24. package/data/regulations/jurisdictions/ee.json +15 -0
  25. package/data/regulations/jurisdictions/es.json +15 -0
  26. package/data/regulations/jurisdictions/fi.json +15 -0
  27. package/data/regulations/jurisdictions/fr.json +15 -0
  28. package/data/regulations/jurisdictions/gr.json +15 -0
  29. package/data/regulations/jurisdictions/hr.json +15 -0
  30. package/data/regulations/jurisdictions/hu.json +15 -0
  31. package/data/regulations/jurisdictions/ie.json +15 -0
  32. package/data/regulations/jurisdictions/is.json +15 -0
  33. package/data/regulations/jurisdictions/it.json +15 -0
  34. package/data/regulations/jurisdictions/li.json +15 -0
  35. package/data/regulations/jurisdictions/lt.json +15 -0
  36. package/data/regulations/jurisdictions/lu.json +15 -0
  37. package/data/regulations/jurisdictions/lv.json +15 -0
  38. package/data/regulations/jurisdictions/mt.json +15 -0
  39. package/data/regulations/jurisdictions/nl.json +15 -0
  40. package/data/regulations/jurisdictions/no.json +15 -0
  41. package/data/regulations/jurisdictions/pl.json +15 -0
  42. package/data/regulations/jurisdictions/pt.json +15 -0
  43. package/data/regulations/jurisdictions/ro.json +15 -0
  44. package/data/regulations/jurisdictions/se.json +15 -0
  45. package/data/regulations/jurisdictions/si.json +15 -0
  46. package/data/regulations/jurisdictions/sk.json +15 -0
  47. package/data/scanner/check-id-categories.json +81 -0
  48. package/data/scanner/confidence-params.json +16 -0
  49. package/data/scanner/limits.json +4 -0
  50. package/data/schemas/http-contract-sample.json +79 -0
  51. package/data/schemas/http-contract.json +144 -0
  52. package/data/semgrep-rules/bare-call.yaml +37 -0
  53. package/data/semgrep-rules/injection.yaml +73 -0
  54. package/data/semgrep-rules/missing-error-handling.yaml +58 -0
  55. package/data/semgrep-rules/unsafe-deser.yaml +65 -0
  56. package/data/templates/eu-ai-act/ai-literacy.md +184 -0
  57. package/data/templates/eu-ai-act/art5-screening.md +131 -0
  58. package/data/templates/eu-ai-act/data-governance.md +145 -0
  59. package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
  60. package/data/templates/eu-ai-act/fria.md +127 -0
  61. package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
  62. package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
  63. package/data/templates/eu-ai-act/incident-report.md +188 -0
  64. package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
  65. package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
  66. package/data/templates/eu-ai-act/qms.md +180 -0
  67. package/data/templates/eu-ai-act/risk-management-system.md +123 -0
  68. package/data/templates/eu-ai-act/technical-documentation.md +287 -0
  69. package/data/templates/eu-ai-act/worker-notification.md +143 -0
  70. package/data/templates/policies/biometrics-ai-policy.md +214 -0
  71. package/data/templates/policies/critical-infra-ai-policy.md +228 -0
  72. package/data/templates/policies/education-ai-policy.md +184 -0
  73. package/data/templates/policies/finance-ai-policy.md +191 -0
  74. package/data/templates/policies/healthcare-ai-policy.md +197 -0
  75. package/data/templates/policies/hr-ai-policy.md +178 -0
  76. package/data/templates/policies/legal-ai-policy.md +189 -0
  77. package/data/templates/policies/migration-ai-policy.md +239 -0
  78. package/engine.log +7 -0
  79. package/package.json +74 -0
  80. package/src/composition-root.ts +791 -0
  81. package/src/data/eval/conformity-tests.test.ts +122 -0
  82. package/src/data/eval/ct-1-transparency.ts +106 -0
  83. package/src/data/eval/ct-10-gpai.ts +25 -0
  84. package/src/data/eval/ct-11-industry.ts +42 -0
  85. package/src/data/eval/ct-2-oversight.ts +41 -0
  86. package/src/data/eval/ct-3-explanation.ts +14 -0
  87. package/src/data/eval/ct-4-bias.ts +83 -0
  88. package/src/data/eval/ct-5-accuracy.ts +41 -0
  89. package/src/data/eval/ct-6-robustness.ts +81 -0
  90. package/src/data/eval/ct-7-prohibited.ts +52 -0
  91. package/src/data/eval/ct-8-logging.ts +68 -0
  92. package/src/data/eval/ct-9-risk-awareness.ts +33 -0
  93. package/src/data/eval/deterministic-evaluator.ts +120 -0
  94. package/src/data/eval/index.ts +55 -0
  95. package/src/data/eval/judge-prompts.ts +146 -0
  96. package/src/data/eval/llm-judged-tests.ts +279 -0
  97. package/src/data/eval/llm-tests.test.ts +83 -0
  98. package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
  99. package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
  100. package/src/data/eval/remediation/ct-11-industry.ts +94 -0
  101. package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
  102. package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
  103. package/src/data/eval/remediation/ct-4-bias.ts +70 -0
  104. package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
  105. package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
  106. package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
  107. package/src/data/eval/remediation/ct-8-logging.ts +94 -0
  108. package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
  109. package/src/data/eval/remediation/index.ts +89 -0
  110. package/src/data/eval/remediation/owasp-art5.ts +15 -0
  111. package/src/data/eval/remediation/owasp-llm01.ts +72 -0
  112. package/src/data/eval/remediation/owasp-llm02.ts +72 -0
  113. package/src/data/eval/remediation/owasp-llm03.ts +15 -0
  114. package/src/data/eval/remediation/owasp-llm04.ts +15 -0
  115. package/src/data/eval/remediation/owasp-llm05.ts +15 -0
  116. package/src/data/eval/remediation/owasp-llm06.ts +15 -0
  117. package/src/data/eval/remediation/owasp-llm07.ts +15 -0
  118. package/src/data/eval/remediation/owasp-llm08.ts +15 -0
  119. package/src/data/eval/remediation/owasp-llm09.ts +15 -0
  120. package/src/data/eval/remediation/owasp-llm10.ts +15 -0
  121. package/src/data/eval/remediation/remediation.test.ts +229 -0
  122. package/src/data/eval/remediation/test-mapping.ts +290 -0
  123. package/src/data/eval/security-rubrics.ts +381 -0
  124. package/src/data/finding-explanations.json +453 -0
  125. package/src/data/industry-patterns.ts +161 -0
  126. package/src/data/registry-cards.ts +368 -0
  127. package/src/data/regulation/index.ts +5 -0
  128. package/src/data/regulation/jurisdiction-data.test.ts +73 -0
  129. package/src/data/regulation/jurisdiction-data.ts +65 -0
  130. package/src/data/regulation/regulation-data.ts +19 -0
  131. package/src/data/regulation/regulation-loader.test.ts +107 -0
  132. package/src/data/regulation/regulation-loader.ts +56 -0
  133. package/src/data/scanner-constants.ts +46 -0
  134. package/src/data/schemas/schemas-core.ts +140 -0
  135. package/src/data/schemas/schemas-supplementary.ts +211 -0
  136. package/src/data/schemas/schemas.ts +28 -0
  137. package/src/data/security/attack-probes.test.ts +62 -0
  138. package/src/data/security/attack-probes.ts +496 -0
  139. package/src/data/security/eu-ai-act-security.ts +40 -0
  140. package/src/data/security/index.ts +19 -0
  141. package/src/data/security/mitre-atlas.test.ts +43 -0
  142. package/src/data/security/mitre-atlas.ts +93 -0
  143. package/src/data/security/nist-ai-rmf.ts +43 -0
  144. package/src/data/security/owasp-llm-top10.test.ts +60 -0
  145. package/src/data/security/owasp-llm-top10.ts +138 -0
  146. package/src/data/template-registry.ts +53 -0
  147. package/src/data/tool-versions.json +22 -0
  148. package/src/domain/audit/audit-package.test.ts +152 -0
  149. package/src/domain/audit/audit-package.ts +166 -0
  150. package/src/domain/audit/audit-trail.test.ts +121 -0
  151. package/src/domain/audit/audit-trail.ts +174 -0
  152. package/src/domain/audit/index.ts +8 -0
  153. package/src/domain/audit/permissions-matrix.test.ts +136 -0
  154. package/src/domain/audit/permissions-matrix.ts +121 -0
  155. package/src/domain/certification/adversarial/bias-tests.ts +95 -0
  156. package/src/domain/certification/adversarial/evaluators.ts +304 -0
  157. package/src/domain/certification/adversarial/index.ts +11 -0
  158. package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
  159. package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
  160. package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
  161. package/src/domain/certification/aiuc1-readiness.ts +298 -0
  162. package/src/domain/certification/aiuc1-requirements.ts +235 -0
  163. package/src/domain/certification/index.ts +10 -0
  164. package/src/domain/certification/redteam-runner.test.ts +97 -0
  165. package/src/domain/certification/redteam-runner.ts +205 -0
  166. package/src/domain/certification/test-runner.test.ts +232 -0
  167. package/src/domain/certification/test-runner.ts +289 -0
  168. package/src/domain/cost/cost-estimator.test.ts +187 -0
  169. package/src/domain/cost/cost-estimator.ts +133 -0
  170. package/src/domain/disclaimer.test.ts +52 -0
  171. package/src/domain/disclaimer.ts +39 -0
  172. package/src/domain/documents/ai-enricher.test.ts +120 -0
  173. package/src/domain/documents/ai-enricher.ts +159 -0
  174. package/src/domain/documents/document-generator.test.ts +318 -0
  175. package/src/domain/documents/document-generator.ts +239 -0
  176. package/src/domain/documents/index.ts +9 -0
  177. package/src/domain/documents/passport-helpers.ts +25 -0
  178. package/src/domain/documents/policy-generator.test.ts +252 -0
  179. package/src/domain/documents/policy-generator.ts +94 -0
  180. package/src/domain/documents/worker-notification-generator.test.ts +162 -0
  181. package/src/domain/documents/worker-notification-generator.ts +141 -0
  182. package/src/domain/eval/adapters/adapter-port.ts +94 -0
  183. package/src/domain/eval/adapters/adapters.test.ts +303 -0
  184. package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
  185. package/src/domain/eval/adapters/auto-detect.ts +104 -0
  186. package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
  187. package/src/domain/eval/adapters/custom-adapter.ts +74 -0
  188. package/src/domain/eval/adapters/http-adapter.ts +66 -0
  189. package/src/domain/eval/adapters/index.ts +7 -0
  190. package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
  191. package/src/domain/eval/adapters/openai-adapter.ts +58 -0
  192. package/src/domain/eval/adapters/with-timeout.ts +25 -0
  193. package/src/domain/eval/conformity-score.test.ts +161 -0
  194. package/src/domain/eval/conformity-score.ts +135 -0
  195. package/src/domain/eval/eval-constants.ts +55 -0
  196. package/src/domain/eval/eval-evidence.test.ts +85 -0
  197. package/src/domain/eval/eval-evidence.ts +103 -0
  198. package/src/domain/eval/eval-fix-generator.test.ts +421 -0
  199. package/src/domain/eval/eval-fix-generator.ts +205 -0
  200. package/src/domain/eval/eval-passport.test.ts +82 -0
  201. package/src/domain/eval/eval-passport.ts +89 -0
  202. package/src/domain/eval/eval-remediation-report.test.ts +682 -0
  203. package/src/domain/eval/eval-remediation-report.ts +170 -0
  204. package/src/domain/eval/eval-report.ts +108 -0
  205. package/src/domain/eval/eval-runner.test.ts +609 -0
  206. package/src/domain/eval/eval-runner.ts +593 -0
  207. package/src/domain/eval/eval-to-findings.test.ts +293 -0
  208. package/src/domain/eval/eval-to-findings.ts +83 -0
  209. package/src/domain/eval/index.ts +31 -0
  210. package/src/domain/eval/llm-judge.test.ts +139 -0
  211. package/src/domain/eval/llm-judge.ts +168 -0
  212. package/src/domain/eval/remediation-types.ts +90 -0
  213. package/src/domain/eval/security-integration.test.ts +196 -0
  214. package/src/domain/eval/security-integration.ts +136 -0
  215. package/src/domain/eval/types.test.ts +173 -0
  216. package/src/domain/eval/types.ts +244 -0
  217. package/src/domain/eval/verdict-utils.ts +45 -0
  218. package/src/domain/fixer/create-fixer.ts +101 -0
  219. package/src/domain/fixer/diff.ts +70 -0
  220. package/src/domain/fixer/fix-history.ts +23 -0
  221. package/src/domain/fixer/fixer.test.ts +306 -0
  222. package/src/domain/fixer/index.ts +9 -0
  223. package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
  224. package/src/domain/fixer/strategies/bias-testing.ts +49 -0
  225. package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
  226. package/src/domain/fixer/strategies/content-marking.ts +45 -0
  227. package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
  228. package/src/domain/fixer/strategies/data-governance.ts +65 -0
  229. package/src/domain/fixer/strategies/disclosure.ts +69 -0
  230. package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
  231. package/src/domain/fixer/strategies/documentation.ts +59 -0
  232. package/src/domain/fixer/strategies/error-handler.ts +63 -0
  233. package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
  234. package/src/domain/fixer/strategies/index.ts +61 -0
  235. package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
  236. package/src/domain/fixer/strategies/kill-switch.ts +53 -0
  237. package/src/domain/fixer/strategies/license-fix.ts +57 -0
  238. package/src/domain/fixer/strategies/log-retention.ts +40 -0
  239. package/src/domain/fixer/strategies/logging.ts +59 -0
  240. package/src/domain/fixer/strategies/metadata.ts +45 -0
  241. package/src/domain/fixer/strategies/permission-guard.ts +84 -0
  242. package/src/domain/fixer/strategies/record-keeping.ts +69 -0
  243. package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
  244. package/src/domain/fixer/strategies.test.ts +341 -0
  245. package/src/domain/fixer/template-engine.test.ts +64 -0
  246. package/src/domain/fixer/template-engine.ts +38 -0
  247. package/src/domain/fixer/types.ts +88 -0
  248. package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
  249. package/src/domain/frameworks/aiuc1-framework.ts +126 -0
  250. package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
  251. package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
  252. package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
  253. package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
  254. package/src/domain/frameworks/framework-registry.test.ts +91 -0
  255. package/src/domain/frameworks/framework-registry.ts +38 -0
  256. package/src/domain/frameworks/index.ts +8 -0
  257. package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
  258. package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
  259. package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
  260. package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
  261. package/src/domain/frameworks/score-plugin-framework.ts +117 -0
  262. package/src/domain/fria/fria-generator.test.ts +273 -0
  263. package/src/domain/fria/fria-generator.ts +366 -0
  264. package/src/domain/import/promptfoo-importer.test.ts +103 -0
  265. package/src/domain/import/promptfoo-importer.ts +151 -0
  266. package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
  267. package/src/domain/onboarding/guided-onboarding.ts +135 -0
  268. package/src/domain/passport/builder/domain-mapper.ts +9 -0
  269. package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
  270. package/src/domain/passport/builder/manifest-builder.ts +535 -0
  271. package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
  272. package/src/domain/passport/builder/manifest-diff.ts +89 -0
  273. package/src/domain/passport/builder/manifest-files.ts +17 -0
  274. package/src/domain/passport/crypto-signer.test.ts +93 -0
  275. package/src/domain/passport/crypto-signer.ts +157 -0
  276. package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
  277. package/src/domain/passport/discovery/agent-discovery.ts +325 -0
  278. package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
  279. package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
  280. package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
  281. package/src/domain/passport/discovery/permission-scanner.ts +414 -0
  282. package/src/domain/passport/export/a2a-mapper.ts +75 -0
  283. package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
  284. package/src/domain/passport/export/export.test.ts +207 -0
  285. package/src/domain/passport/export/index.ts +41 -0
  286. package/src/domain/passport/export/nist-mapper.ts +227 -0
  287. package/src/domain/passport/import/a2a-importer.test.ts +133 -0
  288. package/src/domain/passport/import/a2a-importer.ts +156 -0
  289. package/src/domain/passport/import/index.ts +2 -0
  290. package/src/domain/passport/index.ts +32 -0
  291. package/src/domain/passport/obligation-field-map.test.ts +113 -0
  292. package/src/domain/passport/obligation-field-map.ts +117 -0
  293. package/src/domain/passport/passport-validator.test.ts +156 -0
  294. package/src/domain/passport/passport-validator.ts +126 -0
  295. package/src/domain/passport/scan-to-compliance.test.ts +336 -0
  296. package/src/domain/passport/scan-to-compliance.ts +166 -0
  297. package/src/domain/passport/test-generator.test.ts +93 -0
  298. package/src/domain/passport/test-generator.ts +136 -0
  299. package/src/domain/proxy/index.ts +11 -0
  300. package/src/domain/proxy/json-rpc.test.ts +72 -0
  301. package/src/domain/proxy/json-rpc.ts +53 -0
  302. package/src/domain/proxy/policy-engine.test.ts +259 -0
  303. package/src/domain/proxy/policy-engine.ts +137 -0
  304. package/src/domain/proxy/proxy-bridge.ts +125 -0
  305. package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
  306. package/src/domain/proxy/proxy-interceptor.ts +120 -0
  307. package/src/domain/proxy/proxy-types.ts +35 -0
  308. package/src/domain/registry/compute-agent-score.test.ts +279 -0
  309. package/src/domain/registry/compute-agent-score.ts +162 -0
  310. package/src/domain/reporter/audit-report.test.ts +87 -0
  311. package/src/domain/reporter/audit-report.ts +116 -0
  312. package/src/domain/reporter/badge-generator.test.ts +54 -0
  313. package/src/domain/reporter/badge-generator.ts +40 -0
  314. package/src/domain/reporter/compliance-md.ts +45 -0
  315. package/src/domain/reporter/index.ts +7 -0
  316. package/src/domain/reporter/pdf-renderer.ts +282 -0
  317. package/src/domain/reporter/share.test.ts +92 -0
  318. package/src/domain/reporter/share.ts +80 -0
  319. package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
  320. package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
  321. package/src/domain/scanner/attestations.ts +97 -0
  322. package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
  323. package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
  324. package/src/domain/scanner/checks/ai-literacy.ts +163 -0
  325. package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
  326. package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
  327. package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
  328. package/src/domain/scanner/checks/content-marking.ts +74 -0
  329. package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
  330. package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
  331. package/src/domain/scanner/checks/documentation.test.ts +88 -0
  332. package/src/domain/scanner/checks/documentation.ts +79 -0
  333. package/src/domain/scanner/checks/git-history.test.ts +120 -0
  334. package/src/domain/scanner/checks/git-history.ts +163 -0
  335. package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
  336. package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
  337. package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
  338. package/src/domain/scanner/checks/index.ts +28 -0
  339. package/src/domain/scanner/checks/industry/index.ts +40 -0
  340. package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
  341. package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
  342. package/src/domain/scanner/checks/interaction-logging.ts +142 -0
  343. package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
  344. package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
  345. package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
  346. package/src/domain/scanner/checks/passport-completeness.ts +82 -0
  347. package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
  348. package/src/domain/scanner/checks/passport-presence.ts +78 -0
  349. package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
  350. package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
  351. package/src/domain/scanner/checks/permission-scanner.ts +90 -0
  352. package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
  353. package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
  354. package/src/domain/scanner/compliance-diff.test.ts +165 -0
  355. package/src/domain/scanner/compliance-diff.ts +138 -0
  356. package/src/domain/scanner/confidence.test.ts +235 -0
  357. package/src/domain/scanner/confidence.ts +156 -0
  358. package/src/domain/scanner/constants.ts +13 -0
  359. package/src/domain/scanner/create-scanner.ts +573 -0
  360. package/src/domain/scanner/cross-layer.test.ts +372 -0
  361. package/src/domain/scanner/cross-layer.ts +232 -0
  362. package/src/domain/scanner/data/ai-packages.ts +82 -0
  363. package/src/domain/scanner/debt-calculator.test.ts +89 -0
  364. package/src/domain/scanner/debt-calculator.ts +111 -0
  365. package/src/domain/scanner/drift.test.ts +191 -0
  366. package/src/domain/scanner/drift.ts +73 -0
  367. package/src/domain/scanner/evidence-store.test.ts +207 -0
  368. package/src/domain/scanner/evidence-store.ts +195 -0
  369. package/src/domain/scanner/evidence.test.ts +104 -0
  370. package/src/domain/scanner/evidence.ts +71 -0
  371. package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
  372. package/src/domain/scanner/external/bandit-runner.ts +90 -0
  373. package/src/domain/scanner/external/checks.ts +321 -0
  374. package/src/domain/scanner/external/dedup.test.ts +79 -0
  375. package/src/domain/scanner/external/dedup.ts +94 -0
  376. package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
  377. package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
  378. package/src/domain/scanner/external/external-scanner.test.ts +221 -0
  379. package/src/domain/scanner/external/external-scanner.ts +36 -0
  380. package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
  381. package/src/domain/scanner/external/finding-mapper.ts +138 -0
  382. package/src/domain/scanner/external/index.ts +15 -0
  383. package/src/domain/scanner/external/mappings.ts +93 -0
  384. package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
  385. package/src/domain/scanner/external/modelscan-runner.ts +101 -0
  386. package/src/domain/scanner/external/path-utils.ts +8 -0
  387. package/src/domain/scanner/external/runner-port.ts +45 -0
  388. package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
  389. package/src/domain/scanner/external/semgrep-runner.ts +94 -0
  390. package/src/domain/scanner/external/types.ts +32 -0
  391. package/src/domain/scanner/finding-attribution.test.ts +444 -0
  392. package/src/domain/scanner/finding-attribution.ts +195 -0
  393. package/src/domain/scanner/finding-explainer.test.ts +157 -0
  394. package/src/domain/scanner/finding-explainer.ts +73 -0
  395. package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
  396. package/src/domain/scanner/fix-diff-builder.ts +477 -0
  397. package/src/domain/scanner/import-graph.test.ts +162 -0
  398. package/src/domain/scanner/import-graph.ts +198 -0
  399. package/src/domain/scanner/languages/adapter.test.ts +105 -0
  400. package/src/domain/scanner/languages/adapter.ts +239 -0
  401. package/src/domain/scanner/layers/index.ts +24 -0
  402. package/src/domain/scanner/layers/layer1-files.ts +54 -0
  403. package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
  404. package/src/domain/scanner/layers/layer2-docs.ts +297 -0
  405. package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
  406. package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
  407. package/src/domain/scanner/layers/layer3-config.ts +279 -0
  408. package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
  409. package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
  410. package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
  411. package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
  412. package/src/domain/scanner/layers/layer5-docs.ts +250 -0
  413. package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
  414. package/src/domain/scanner/layers/layer5-llm.ts +262 -0
  415. package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
  416. package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
  417. package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
  418. package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
  419. package/src/domain/scanner/regulation-version.test.ts +54 -0
  420. package/src/domain/scanner/regulation-version.ts +23 -0
  421. package/src/domain/scanner/role-filter.test.ts +116 -0
  422. package/src/domain/scanner/role-filter.ts +51 -0
  423. package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
  424. package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
  425. package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
  426. package/src/domain/scanner/rules/banned-packages.ts +55 -0
  427. package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
  428. package/src/domain/scanner/rules/comment-filter.ts +297 -0
  429. package/src/domain/scanner/rules/index.ts +9 -0
  430. package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
  431. package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
  432. package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
  433. package/src/domain/scanner/sbom.test.ts +136 -0
  434. package/src/domain/scanner/sbom.ts +103 -0
  435. package/src/domain/scanner/scan-cache.test.ts +136 -0
  436. package/src/domain/scanner/scan-cache.ts +115 -0
  437. package/src/domain/scanner/scanner.test.ts +125 -0
  438. package/src/domain/scanner/score-calculator.test.ts +363 -0
  439. package/src/domain/scanner/score-calculator.ts +189 -0
  440. package/src/domain/scanner/security-score.test.ts +107 -0
  441. package/src/domain/scanner/security-score.ts +116 -0
  442. package/src/domain/scanner/source-filter.ts +24 -0
  443. package/src/domain/scanner/validators.ts +223 -0
  444. package/src/domain/shared/compliance-constants.ts +48 -0
  445. package/src/domain/shared/disclosure-patterns.ts +16 -0
  446. package/src/domain/shared/index.ts +6 -0
  447. package/src/domain/shared/parse-dependencies.ts +21 -0
  448. package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
  449. package/src/domain/supply-chain/index.ts +3 -0
  450. package/src/domain/supply-chain/supply-chain.test.ts +211 -0
  451. package/src/domain/supply-chain/types.ts +32 -0
  452. package/src/domain/whatif/config-fixer.ts +187 -0
  453. package/src/domain/whatif/index.ts +6 -0
  454. package/src/domain/whatif/scenario-engine.ts +121 -0
  455. package/src/domain/whatif/simulate-actions.test.ts +161 -0
  456. package/src/domain/whatif/simulate-actions.ts +114 -0
  457. package/src/domain/whatif/whatif.test.ts +135 -0
  458. package/src/e2e/gaps-e2e.test.ts +259 -0
  459. package/src/e2e/smoke.test.ts +101 -0
  460. package/src/hooks/hooks-export.test.ts +81 -0
  461. package/src/hooks/installer.ts +113 -0
  462. package/src/http/cors.test.ts +38 -0
  463. package/src/http/create-router.ts +259 -0
  464. package/src/http/routes/agent.route.ts +380 -0
  465. package/src/http/routes/audit.route.ts +66 -0
  466. package/src/http/routes/badge.route.ts +23 -0
  467. package/src/http/routes/cert.route.ts +66 -0
  468. package/src/http/routes/chat.route.ts +228 -0
  469. package/src/http/routes/cost.route.ts +33 -0
  470. package/src/http/routes/debt.route.ts +29 -0
  471. package/src/http/routes/disclaimer.route.ts +64 -0
  472. package/src/http/routes/eval.route.ts +161 -0
  473. package/src/http/routes/events.route.test.ts +108 -0
  474. package/src/http/routes/events.route.ts +71 -0
  475. package/src/http/routes/external-scan.route.ts +24 -0
  476. package/src/http/routes/file.route.ts +54 -0
  477. package/src/http/routes/fix.route.ts +219 -0
  478. package/src/http/routes/frameworks.route.test.ts +66 -0
  479. package/src/http/routes/frameworks.route.ts +36 -0
  480. package/src/http/routes/git.route.ts +27 -0
  481. package/src/http/routes/guided-onboarding.route.ts +65 -0
  482. package/src/http/routes/import.route.ts +64 -0
  483. package/src/http/routes/jurisdiction.route.ts +22 -0
  484. package/src/http/routes/obligations.route.test.ts +122 -0
  485. package/src/http/routes/obligations.route.ts +110 -0
  486. package/src/http/routes/onboarding.route.ts +53 -0
  487. package/src/http/routes/provider.route.ts +42 -0
  488. package/src/http/routes/proxy.route.ts +40 -0
  489. package/src/http/routes/redteam.route.ts +84 -0
  490. package/src/http/routes/report.route.ts +29 -0
  491. package/src/http/routes/scan.route.ts +104 -0
  492. package/src/http/routes/share.route.ts +44 -0
  493. package/src/http/routes/shell.route.ts +27 -0
  494. package/src/http/routes/status.route.ts +66 -0
  495. package/src/http/routes/supply-chain.route.ts +121 -0
  496. package/src/http/routes/sync.route.ts +328 -0
  497. package/src/http/routes/tools.route.ts +29 -0
  498. package/src/http/routes/whatif.route.ts +96 -0
  499. package/src/http/utils/validation.ts +31 -0
  500. package/src/index.ts +1 -0
  501. package/src/infra/bundle-fetcher.ts +77 -0
  502. package/src/infra/cache-storage.ts +34 -0
  503. package/src/infra/event-bus.ts +31 -0
  504. package/src/infra/file-collector.ts +61 -0
  505. package/src/infra/file-ops-adapter.ts +95 -0
  506. package/src/infra/file-watcher.test.ts +90 -0
  507. package/src/infra/file-watcher.ts +106 -0
  508. package/src/infra/git-adapter.ts +93 -0
  509. package/src/infra/git-history-adapter.ts +41 -0
  510. package/src/infra/headless-browser.ts +178 -0
  511. package/src/infra/llm-adapter.test.ts +83 -0
  512. package/src/infra/llm-adapter.ts +86 -0
  513. package/src/infra/logger.ts +27 -0
  514. package/src/infra/project-config.test.ts +74 -0
  515. package/src/infra/project-config.ts +35 -0
  516. package/src/infra/rate-limiter.test.ts +36 -0
  517. package/src/infra/rate-limiter.ts +34 -0
  518. package/src/infra/retry.ts +46 -0
  519. package/src/infra/saas-client.ts +123 -0
  520. package/src/infra/search-adapter.ts +113 -0
  521. package/src/infra/shell-adapter.ts +68 -0
  522. package/src/infra/tool-manager.test.ts +99 -0
  523. package/src/infra/tool-manager.ts +197 -0
  524. package/src/llm/agents/agent-modes.test.ts +44 -0
  525. package/src/llm/agents/modes.ts +68 -0
  526. package/src/llm/routing/cost-routing.test.ts +37 -0
  527. package/src/llm/routing/cost-tracker.ts +74 -0
  528. package/src/llm/routing/model-routing.test.ts +79 -0
  529. package/src/llm/routing/model-routing.ts +38 -0
  530. package/src/llm/routing/pricing.ts +19 -0
  531. package/src/llm/sse-protocol.ts +77 -0
  532. package/src/llm/tool-definitions.ts +83 -0
  533. package/src/llm/tool-executors.ts +80 -0
  534. package/src/llm/tools/types.ts +13 -0
  535. package/src/mcp/create-mcp-stack.ts +82 -0
  536. package/src/mcp/handlers.ts +245 -0
  537. package/src/mcp/index.ts +28 -0
  538. package/src/mcp/mcp-server.test.ts +80 -0
  539. package/src/mcp/server.ts +79 -0
  540. package/src/mcp/tools.ts +48 -0
  541. package/src/onboarding/auto-detect.ts +164 -0
  542. package/src/onboarding/onboarding.test.ts +89 -0
  543. package/src/onboarding/profile.ts +169 -0
  544. package/src/onboarding/questions.ts +112 -0
  545. package/src/onboarding/wizard.ts +66 -0
  546. package/src/output/github-issue.ts +32 -0
  547. package/src/output/json-output.ts +67 -0
  548. package/src/ports/browser.port.ts +23 -0
  549. package/src/ports/events.port.ts +28 -0
  550. package/src/ports/llm.port.ts +23 -0
  551. package/src/ports/logger.port.ts +6 -0
  552. package/src/ports/process.port.ts +6 -0
  553. package/src/ports/scanner.port.ts +15 -0
  554. package/src/server.ts +134 -0
  555. package/src/services/badge-service.ts +67 -0
  556. package/src/services/chat-service.test.ts +162 -0
  557. package/src/services/chat-service.ts +152 -0
  558. package/src/services/cost-service.ts +52 -0
  559. package/src/services/debt-service.ts +65 -0
  560. package/src/services/eval-integration.test.ts +132 -0
  561. package/src/services/eval-service.test.ts +373 -0
  562. package/src/services/eval-service.ts +463 -0
  563. package/src/services/external-scan-service.ts +60 -0
  564. package/src/services/file-service.ts +37 -0
  565. package/src/services/fix-service.test.ts +470 -0
  566. package/src/services/fix-service.ts +648 -0
  567. package/src/services/framework-service.test.ts +159 -0
  568. package/src/services/framework-service.ts +67 -0
  569. package/src/services/onboarding-service.ts +165 -0
  570. package/src/services/passport-audit.ts +244 -0
  571. package/src/services/passport-documents.ts +258 -0
  572. package/src/services/passport-service-utils.ts +72 -0
  573. package/src/services/passport-service.test.ts +251 -0
  574. package/src/services/passport-service.ts +339 -0
  575. package/src/services/proxy-service.ts +81 -0
  576. package/src/services/report-service.ts +72 -0
  577. package/src/services/scan-service.test.ts +470 -0
  578. package/src/services/scan-service.ts +335 -0
  579. package/src/services/share-service.ts +108 -0
  580. package/src/services/shared/backup.ts +23 -0
  581. package/src/services/status-service.ts +38 -0
  582. package/src/services/undo-service.test.ts +190 -0
  583. package/src/services/undo-service.ts +144 -0
  584. package/src/test-helpers/factories.ts +116 -0
  585. package/src/types/common.schemas.ts +147 -0
  586. package/src/types/common.types.ts +292 -0
  587. package/src/types/contract.test.ts +217 -0
  588. package/src/types/errors.ts +52 -0
  589. package/src/types/framework.types.ts +87 -0
  590. package/src/types/passport-schemas.ts +241 -0
  591. package/src/types/passport.types.ts +296 -0
  592. package/src/version.ts +1 -0
  593. package/tsconfig.json +20 -0
  594. package/vitest.config.ts +9 -0
package/src/data/finding-explanations.json ADDED
@@ -0,0 +1,453 @@
1
+ {
2
+ "$schema": "finding-explanations-schema",
3
+ "$comment": "US-S05-07: Static mapping check_id → explanation (article, penalty, deadline, business_impact)",
4
+
5
+ "passport-presence": {
6
+ "article": "Art. 26(4)",
7
+ "penalty": "€15M or 3% of annual global turnover",
8
+ "deadline": "2026-08-02",
9
+ "business_impact": "Agent Passport is the core identity document for your AI system. Without it, you cannot demonstrate compliance to regulators, and deployers cannot verify the system's risk classification or intended use."
10
+ },
11
+ "passport-completeness": {
12
+ "article": "Art. 26(4)",
13
+ "penalty": "€15M or 3% of annual global turnover",
14
+ "deadline": "2026-08-02",
15
+ "business_impact": "An incomplete passport means gaps in your compliance record. Regulators require full documentation of AI system capabilities, limitations, and risk management measures."
16
+ },
17
+ "ai-disclosure": {
18
+ "article": "Art. 50(1)",
19
+ "penalty": "€7.5M or 1.5% of annual global turnover",
20
+ "deadline": "2025-08-02",
21
+ "business_impact": "Users must be informed they are interacting with AI. Failure to disclose AI involvement erodes trust and violates transparency obligations that are already enforceable."
22
+ },
23
+ "content-marking": {
24
+ "article": "Art. 50(2)",
25
+ "penalty": "€7.5M or 1.5% of annual global turnover",
26
+ "deadline": "2025-08-02",
27
+ "business_impact": "AI-generated content must be machine-detectable. Without marking (C2PA, watermarks, metadata), downstream systems cannot verify content provenance."
28
+ },
29
+ "interaction-logging": {
30
+ "article": "Art. 12",
31
+ "penalty": "€15M or 3% of annual global turnover",
32
+ "deadline": "2026-08-02",
33
+ "business_impact": "Structured logging of AI interactions is required for audit trails, incident investigation, and demonstrating human oversight. Without logs, you cannot prove compliant operation."
34
+ },
35
+ "ai-literacy": {
36
+ "article": "Art. 4",
37
+ "penalty": "€7.5M or 1.5% of annual global turnover",
38
+ "deadline": "2025-02-02",
39
+ "business_impact": "All personnel working with AI must have sufficient AI literacy. Undocumented training programs expose your organization to liability if operators misuse AI systems."
40
+ },
41
+ "gpai-transparency": {
42
+ "article": "Art. 53",
43
+ "penalty": "€7.5M or 1.5% of annual global turnover",
44
+ "deadline": "2025-08-02",
45
+ "business_impact": "General-purpose AI models require model cards documenting capabilities, limitations, and training data. This enables downstream providers to assess risks."
46
+ },
47
+ "compliance-metadata": {
48
+ "article": "Art. 11",
49
+ "penalty": "€15M or 3% of annual global turnover",
50
+ "deadline": "2026-08-02",
51
+ "business_impact": "Machine-readable compliance metadata enables automated verification. Without it, integration partners and regulators cannot programmatically assess your compliance status."
52
+ },
53
+ "documentation": {
54
+ "article": "Art. 11",
55
+ "penalty": "€15M or 3% of annual global turnover",
56
+ "deadline": "2026-08-02",
57
+ "business_impact": "Technical documentation is a foundational requirement. It must be maintained throughout the AI system lifecycle and made available to competent authorities upon request."
58
+ },
59
+
60
+ "l2-ai-literacy": {
61
+ "article": "Art. 4",
62
+ "penalty": "€7.5M or 1.5% of annual global turnover",
63
+ "deadline": "2025-02-02",
64
+ "business_impact": "Your AI literacy document exists but lacks required sections. Incomplete training documentation fails the minimum standard for demonstrating organizational AI competence."
65
+ },
66
+ "l2-art5-screening": {
67
+ "article": "Art. 5",
68
+ "penalty": "€35M or 7% of annual global turnover",
69
+ "deadline": "2025-02-02",
70
+ "business_impact": "Art. 5 prohibited practices screening is the highest-penalty obligation. Your screening document must demonstrate systematic assessment of all 8 prohibited categories."
71
+ },
72
+ "l2-tech-documentation": {
73
+ "article": "Art. 11",
74
+ "penalty": "€15M or 3% of annual global turnover",
75
+ "deadline": "2026-08-02",
76
+ "business_impact": "Technical documentation must include system architecture, data sources, training methodology, and performance metrics. Incomplete docs block conformity assessment."
77
+ },
78
+ "l2-monitoring-policy": {
79
+ "article": "Art. 26",
80
+ "penalty": "€15M or 3% of annual global turnover",
81
+ "deadline": "2026-08-02",
82
+ "business_impact": "Monitoring policy must define scope, frequency, metrics, and escalation procedures. Without it, you cannot demonstrate ongoing post-market surveillance."
83
+ },
84
+ "l2-worker-notification": {
85
+ "article": "Art. 26(7)",
86
+ "penalty": "€15M or 3% of annual global turnover",
87
+ "deadline": "2026-08-02",
88
+ "business_impact": "Workers and their representatives must be notified before AI deployment affects them. Missing notification is a direct violation of worker protection obligations."
89
+ },
90
+ "l2-fria": {
91
+ "article": "Art. 27",
92
+ "penalty": "€15M or 3% of annual global turnover",
93
+ "deadline": "2026-08-02",
94
+ "business_impact": "Fundamental Rights Impact Assessment is mandatory for high-risk AI in public sector and certain private uses. It must analyze impacts on health, safety, and fundamental rights."
95
+ },
96
+ "l2-declaration-conformity": {
97
+ "article": "Art. 47",
98
+ "penalty": "€15M or 3% of annual global turnover",
99
+ "deadline": "2026-08-02",
100
+ "business_impact": "The EU Declaration of Conformity is a legally binding statement. Without it, your AI system cannot be placed on the EU market or put into service."
101
+ },
102
+ "l2-incident-report": {
103
+ "article": "Art. 73",
104
+ "penalty": "€7.5M or 1.5% of annual global turnover",
105
+ "deadline": "2026-08-02",
106
+ "business_impact": "Incident reporting is required for serious incidents. A template must exist before incidents occur to ensure timely reporting within the mandatory timeframe."
107
+ },
108
+
109
+ "l3-missing-bias-testing": {
110
+ "article": "Art. 10",
111
+ "penalty": "€15M or 3% of annual global turnover",
112
+ "deadline": "2026-08-02",
113
+ "business_impact": "Bias testing tools are absent from your dependencies. Without them, you cannot demonstrate that your AI system has been tested for discriminatory outcomes across protected characteristics."
114
+ },
115
+ "l3-log-retention": {
116
+ "article": "Art. 12",
117
+ "penalty": "€15M or 3% of annual global turnover",
118
+ "deadline": "2026-08-02",
119
+ "business_impact": "Log retention configuration is missing. AI system logs must be retained for a period appropriate to the system's risk level and purpose, typically 6-12 months minimum."
120
+ },
121
+ "l3-env-config": {
122
+ "article": "Art. 12",
123
+ "penalty": "€15M or 3% of annual global turnover",
124
+ "deadline": "2026-08-02",
125
+ "business_impact": "Environment configuration lacks compliance-relevant settings. Proper configuration ensures logging, monitoring, and safety features are consistently enabled across deployments."
126
+ },
127
+ "l3-ci-compliance": {
128
+ "article": "Art. 9",
129
+ "penalty": "€15M or 3% of annual global turnover",
130
+ "deadline": "2026-08-02",
131
+ "business_impact": "CI/CD pipeline lacks compliance checks. Automated compliance gates prevent non-compliant code from reaching production, reducing risk of regulatory violations."
132
+ },
133
+ "l3-banned-package": {
134
+ "article": "Art. 15(4)",
135
+ "penalty": "€15M or 3% of annual global turnover",
136
+ "deadline": "2026-08-02",
137
+ "business_impact": "A banned or high-risk dependency was detected. Using packages with known security vulnerabilities or prohibited licenses undermines your system's cybersecurity and legal standing."
138
+ },
139
+
140
+ "l4-bare-llm": {
141
+ "article": "Art. 50(1)",
142
+ "penalty": "€7.5M or 1.5% of annual global turnover",
143
+ "deadline": "2025-08-02",
144
+ "business_impact": "Bare LLM API calls detected. Consider @complior/sdk for runtime compliance enforcement (disclosure, logging, content marking). This is informational — bare calls are not a violation; compliance is enforced via separate disclosure, logging, and oversight checks."
145
+ },
146
+ "l4-disclosure": {
147
+ "article": "Art. 50(1)",
148
+ "penalty": "€7.5M or 1.5% of annual global turnover",
149
+ "deadline": "2025-08-02",
150
+ "business_impact": "AI disclosure patterns found — this is positive. Ensure disclosure components are visible in all user-facing interfaces where AI is involved."
151
+ },
152
+ "l4-human-oversight": {
153
+ "article": "Art. 14",
154
+ "penalty": "€15M or 3% of annual global turnover",
155
+ "deadline": "2026-08-02",
156
+ "business_impact": "Human oversight mechanisms enable operators to monitor, intervene, and override AI decisions. Without them, you cannot meet the human-in-the-loop requirement for high-risk systems."
157
+ },
158
+ "l4-kill-switch": {
159
+ "article": "Art. 14",
160
+ "penalty": "€15M or 3% of annual global turnover",
161
+ "deadline": "2026-08-02",
162
+ "business_impact": "A kill switch or feature flag allows immediate shutdown of AI functionality. This is essential for incident response and required for human oversight of high-risk systems."
163
+ },
164
+ "l4-content-marking": {
165
+ "article": "Art. 50(2)",
166
+ "penalty": "€7.5M or 1.5% of annual global turnover",
167
+ "deadline": "2025-08-02",
168
+ "business_impact": "Content marking code patterns detected. Verify that AI-generated content is marked in a machine-readable format (C2PA, IPTC, custom metadata) across all output channels."
169
+ },
170
+ "l4-logging": {
171
+ "article": "Art. 12",
172
+ "penalty": "€15M or 3% of annual global turnover",
173
+ "deadline": "2026-08-02",
174
+ "business_impact": "Structured logging patterns are present in your codebase. Ensure logs capture: input/output hashes, model version, latency, token usage, and compliance check results."
175
+ },
176
+ "l4-data-governance": {
177
+ "article": "Art. 10",
178
+ "penalty": "€15M or 3% of annual global turnover",
179
+ "deadline": "2026-08-02",
180
+ "business_impact": "Data governance patterns control data quality, lineage, and consent. Without them, you cannot demonstrate that training and input data meet EU AI Act standards."
181
+ },
182
+ "l4-record-keeping": {
183
+ "article": "Art. 12",
184
+ "penalty": "€15M or 3% of annual global turnover",
185
+ "deadline": "2026-08-02",
186
+ "business_impact": "Record-keeping enables traceability throughout the AI system lifecycle. Audit trails must capture compliance events, configuration changes, and incident responses."
187
+ },
188
+ "l4-accuracy-robustness": {
189
+ "article": "Art. 15",
190
+ "penalty": "€15M or 3% of annual global turnover",
191
+ "deadline": "2026-08-02",
192
+ "business_impact": "Accuracy and robustness validation ensures your AI system performs reliably. Without testing, you cannot demonstrate the system meets performance benchmarks required by Art. 15."
193
+ },
194
+ "l4-cybersecurity": {
195
+ "article": "Art. 15(4)",
196
+ "penalty": "€15M or 3% of annual global turnover",
197
+ "deadline": "2026-08-02",
198
+ "business_impact": "Cybersecurity measures (rate limiting, input sanitization, access control) protect against adversarial attacks and data manipulation. Essential for system resilience."
199
+ },
200
+ "l4-deployer-monitoring": {
201
+ "article": "Art. 26(5)",
202
+ "penalty": "€15M or 3% of annual global turnover",
203
+ "deadline": "2026-08-02",
204
+ "business_impact": "Deployer monitoring patterns track model drift, performance degradation, and anomalies. Required for post-market surveillance and incident detection."
205
+ },
206
+ "l4-gpai-transparency": {
207
+ "article": "Art. 53",
208
+ "penalty": "€7.5M or 1.5% of annual global turnover",
209
+ "deadline": "2025-08-02",
210
+ "business_impact": "GPAI transparency code patterns document model capabilities. Ensure model cards, training data documentation, and capability descriptions are complete and accessible."
211
+ },
212
+ "l4-conformity-assessment": {
213
+ "article": "Art. 43",
214
+ "penalty": "€15M or 3% of annual global turnover",
215
+ "deadline": "2026-08-02",
216
+ "business_impact": "Conformity assessment patterns support the formal evaluation process. High-risk AI systems must undergo conformity assessment before market placement."
217
+ },
218
+ "l4-security-risk": {
219
+ "article": "Art. 15(4)",
220
+ "penalty": "€15M or 3% of annual global turnover",
221
+ "deadline": "2026-08-02",
222
+ "business_impact": "Unsafe code patterns (eval, pickle, command injection) create exploitable vulnerabilities. These undermine your system's cybersecurity posture required by Art. 15(4)."
223
+ },
224
+
225
+ "behavioral-constraints": {
226
+ "article": "Art. 9 / Art. 14",
227
+ "penalty": "€15M or 3% of annual global turnover",
228
+ "deadline": "2026-08-02",
229
+ "business_impact": "Behavioral constraints define how your AI agent escalates decisions and handles PII. High-risk agents without structured escalation rules lack the human oversight required by Art. 14. Missing data boundaries indicate gaps in the risk management system required by Art. 9."
230
+ },
231
+
232
+ "cross-doc-code-mismatch": {
233
+ "article": "Art. 11",
234
+ "penalty": "€15M or 3% of annual global turnover",
235
+ "deadline": "2026-08-02",
236
+ "business_impact": "Your documentation claims capabilities that are not implemented in code (or vice versa). Regulators will verify documentation against actual system behavior — mismatches indicate governance failures."
237
+ },
238
+ "cross-sdk-no-disclosure": {
239
+ "article": "Art. 50(1)",
240
+ "penalty": "€7.5M or 1.5% of annual global turnover",
241
+ "deadline": "2025-08-02",
242
+ "business_impact": "AI SDK is used in your project but no disclosure is shown to users. This is a direct Art. 50(1) violation — users interacting with your AI must be explicitly informed."
243
+ },
244
+ "cross-logging-no-retention": {
245
+ "article": "Art. 12",
246
+ "penalty": "€15M or 3% of annual global turnover",
247
+ "deadline": "2026-08-02",
248
+ "business_impact": "Logging exists but without retention policy. Logs without defined retention can be deleted prematurely (losing audit trail) or retained too long (GDPR violation)."
249
+ },
250
+ "cross-kill-switch-no-test": {
251
+ "article": "Art. 14",
252
+ "penalty": "€15M or 3% of annual global turnover",
253
+ "deadline": "2026-08-02",
254
+ "business_impact": "Kill switch exists but has no tests. An untested kill switch may fail during an incident, leaving you unable to shut down a malfunctioning AI system when it matters most."
255
+ },
256
+
257
+ "undeclared-permission": {
258
+ "article": "Art. 26(4)",
259
+ "penalty": "€15M or 3% of annual global turnover",
260
+ "deadline": "2026-08-02",
261
+ "business_impact": "Tool permissions used in code but not declared in Agent Passport. Undeclared permissions indicate governance gaps — regulators require full transparency about AI agent capabilities."
262
+ },
263
+ "unused-declared-permission": {
264
+ "article": "Art. 26(4)",
265
+ "penalty": "€15M or 3% of annual global turnover",
266
+ "deadline": "2026-08-02",
267
+ "business_impact": "Passport declares tool permissions not found in code. Stale declarations reduce trust in passport accuracy and may indicate outdated documentation."
268
+ },
269
+ "cross-permission-passport-mismatch": {
270
+ "article": "Art. 26(4)",
271
+ "penalty": "€15M or 3% of annual global turnover",
272
+ "deadline": "2026-08-02",
273
+ "business_impact": "Undeclared permissions combined with unwrapped LLM calls indicate a compounding governance failure. The AI system operates outside its declared boundaries without compliance safeguards."
274
+ },
275
+
276
+ "industry-hr": {
277
+ "article": "Art. 6(2), Annex III §6(a)",
278
+ "penalty": "€15M or 3% of annual global turnover",
279
+ "deadline": "2026-08-02",
280
+ "business_impact": "HR/recruitment AI is classified as high-risk under Annex III. Systems used for recruitment, CV screening, or employee evaluation require FRIA, conformity assessment, and enhanced human oversight."
281
+ },
282
+ "industry-finance": {
283
+ "article": "Art. 6(2), Annex III §5(b)",
284
+ "penalty": "€15M or 3% of annual global turnover",
285
+ "deadline": "2026-08-02",
286
+ "business_impact": "Financial AI for credit scoring, insurance, or fraud detection is high-risk under Annex III. Access to essential services like credit and insurance is a fundamental right requiring strict compliance."
287
+ },
288
+ "industry-healthcare": {
289
+ "article": "Art. 6(2), Annex III §5(a)",
290
+ "penalty": "€15M or 3% of annual global turnover",
291
+ "deadline": "2026-08-02",
292
+ "business_impact": "Healthcare AI for diagnosis, treatment, or patient monitoring is high-risk under Annex III. Medical AI directly impacts health and safety, requiring the highest level of compliance rigor."
293
+ },
294
+ "industry-education": {
295
+ "article": "Art. 6(2), Annex III §6(b)",
296
+ "penalty": "€15M or 3% of annual global turnover",
297
+ "deadline": "2026-08-02",
298
+ "business_impact": "Education AI for admissions, grading, or student assessment is high-risk under Annex III. AI determining access to education affects fundamental rights and life opportunities."
299
+ },
300
+
301
+ "fria": {
302
+ "article": "Art. 27",
303
+ "penalty": "€15M or 3% of annual global turnover",
304
+ "deadline": "2026-08-02",
305
+ "business_impact": "Fundamental Rights Impact Assessment is mandatory for deployers of high-risk AI in public services and certain private-sector uses. Without a FRIA, deployment may be unlawful."
306
+ },
307
+ "art5-screening": {
308
+ "article": "Art. 5",
309
+ "penalty": "€35M or 7% of annual global turnover",
310
+ "deadline": "2025-02-02",
311
+ "business_impact": "Prohibited practices carry the highest penalty tier. You must demonstrate systematic screening against all 8 Art. 5 categories before deploying any AI system in the EU."
312
+ },
313
+ "technical-documentation": {
314
+ "article": "Art. 11",
315
+ "penalty": "€15M or 3% of annual global turnover",
316
+ "deadline": "2026-08-02",
317
+ "business_impact": "Technical documentation covering system design, data, and performance is required before market placement. Without it, conformity assessment cannot proceed."
318
+ },
319
+ "incident-report": {
320
+ "article": "Art. 73",
321
+ "penalty": "€7.5M or 1.5% of annual global turnover",
322
+ "deadline": "2026-08-02",
323
+ "business_impact": "An incident report template must exist before incidents occur. Timely reporting of serious incidents to authorities is mandatory — delays compound liability."
324
+ },
325
+ "declaration-of-conformity": {
326
+ "article": "Art. 47",
327
+ "penalty": "€15M or 3% of annual global turnover",
328
+ "deadline": "2026-08-02",
329
+ "business_impact": "The EU Declaration of Conformity is a legally binding prerequisite for placing an AI system on the EU market. Missing it blocks market access entirely."
330
+ },
331
+ "monitoring-policy": {
332
+ "article": "Art. 26",
333
+ "penalty": "€15M or 3% of annual global turnover",
334
+ "deadline": "2026-08-02",
335
+ "business_impact": "Post-market monitoring policy is required to detect and respond to risks after deployment. Without it, you cannot demonstrate ongoing surveillance obligations."
336
+ },
337
+ "worker-notification": {
338
+ "article": "Art. 26(7)",
339
+ "penalty": "€15M or 3% of annual global turnover",
340
+ "deadline": "2026-08-02",
341
+ "business_impact": "Workers and their representatives must be informed before AI is deployed in the workplace. Missing notification is a direct worker protection violation."
342
+ },
343
+ "risk-management": {
344
+ "article": "Art. 9",
345
+ "penalty": "€15M or 3% of annual global turnover",
346
+ "deadline": "2026-08-02",
347
+ "business_impact": "A risk management system must be established, maintained, and documented throughout the AI lifecycle. It is the foundation for all high-risk AI compliance."
348
+ },
349
+ "data-governance": {
350
+ "article": "Art. 10",
351
+ "penalty": "€15M or 3% of annual global turnover",
352
+ "deadline": "2026-08-02",
353
+ "business_impact": "Data governance measures must ensure training data quality, relevance, and representativeness. Without a policy, bias and data quality issues go unmanaged."
354
+ },
355
+ "qms": {
356
+ "article": "Art. 17",
357
+ "penalty": "€15M or 3% of annual global turnover",
358
+ "deadline": "2026-08-02",
359
+ "business_impact": "A quality management system ensures systematic compliance across the AI lifecycle. Without QMS documentation, you cannot demonstrate organizational compliance maturity."
360
+ },
361
+ "instructions-for-use": {
362
+ "article": "Art. 13",
363
+ "penalty": "€15M or 3% of annual global turnover",
364
+ "deadline": "2026-08-02",
365
+ "business_impact": "Instructions for use must accompany every high-risk AI system, enabling deployers to understand capabilities, limitations, and required human oversight measures."
366
+ },
367
+
368
+ "l2-risk-management": {
369
+ "article": "Art. 9",
370
+ "penalty": "€15M or 3% of annual global turnover",
371
+ "deadline": "2026-08-02",
372
+ "business_impact": "Your risk management document exists but lacks required structure. It must cover risk identification, estimation, evaluation, and mitigation across the full AI lifecycle."
373
+ },
374
+ "l2-data-governance": {
375
+ "article": "Art. 10",
376
+ "penalty": "€15M or 3% of annual global turnover",
377
+ "deadline": "2026-08-02",
378
+ "business_impact": "Your data governance document exists but is structurally incomplete. It must detail data collection, labeling, quality checks, and bias mitigation procedures."
379
+ },
380
+ "l2-qms": {
381
+ "article": "Art. 17",
382
+ "penalty": "€15M or 3% of annual global turnover",
383
+ "deadline": "2026-08-02",
384
+ "business_impact": "Your QMS document exists but missing key sections. A complete QMS must cover design, development, testing, and post-market processes with defined responsibilities."
385
+ },
386
+ "l2-instructions-for-use": {
387
+ "article": "Art. 13",
388
+ "penalty": "€15M or 3% of annual global turnover",
389
+ "deadline": "2026-08-02",
390
+ "business_impact": "Your instructions for use document exists but is structurally incomplete. Deployers rely on these instructions to operate the AI system safely and compliantly."
391
+ },
392
+
393
+ "gpai-systemic-risk": {
394
+ "article": "Art. 55",
395
+ "penalty": "€15M or 3% of annual global turnover",
396
+ "deadline": "2025-08-02",
397
+ "business_impact": "GPAI models with systemic risk require additional obligations: adversarial testing, incident reporting to the AI Office, and cybersecurity protections beyond standard GPAI requirements."
398
+ },
399
+ "industry-legal": {
400
+ "article": "Art. 6(2), Annex III",
401
+ "penalty": "€15M or 3% of annual global turnover",
402
+ "deadline": "2026-08-02",
403
+ "business_impact": "AI used in legal interpretation or judicial assistance is high-risk under Annex III. Legal AI affecting access to justice requires enhanced oversight, transparency, and conformity assessment."
404
+ },
405
+ "industry-biometrics": {
406
+ "article": "Art. 6(2), Annex III",
407
+ "penalty": "€15M or 3% of annual global turnover",
408
+ "deadline": "2026-08-02",
409
+ "business_impact": "Biometric AI (identification, categorization, emotion recognition) is high-risk under Annex III. Some biometric uses are outright prohibited under Art. 5."
410
+ },
411
+ "industry-critical-infra": {
412
+ "article": "Art. 6(2), Annex III",
413
+ "penalty": "€15M or 3% of annual global turnover",
414
+ "deadline": "2026-08-02",
415
+ "business_impact": "AI in critical infrastructure (energy, transport, water, digital) is high-risk under Annex III. Failures can directly endanger public safety and essential services."
416
+ },
417
+ "industry-migration": {
418
+ "article": "Art. 6(2), Annex III",
419
+ "penalty": "€15M or 3% of annual global turnover",
420
+ "deadline": "2026-08-02",
421
+ "business_impact": "AI used in migration, asylum, or border control is high-risk under Annex III. These systems directly affect fundamental rights and require the highest compliance standards."
422
+ },
423
+ "cross-banned-with-wrapper": {
424
+ "article": "Art. 5",
425
+ "penalty": "€35M or 7% of annual global turnover",
426
+ "deadline": "2025-02-02",
427
+ "business_impact": "A prohibited package is present but wrapped with compliance controls. While controls mitigate risk, the underlying package may still constitute a prohibited practice violation."
428
+ },
429
+ "cross-passport-code-mismatch": {
430
+ "article": "Art. 26(4)",
431
+ "penalty": "€15M or 3% of annual global turnover",
432
+ "deadline": "2026-08-02",
433
+ "business_impact": "Agent Passport declarations do not match actual code behavior. Passport accuracy is essential for deployer obligations — mismatches indicate governance failures."
434
+ },
435
+ "l4-nhi-secret": {
436
+ "article": "Art. 15(4)",
437
+ "penalty": "€15M or 3% of annual global turnover",
438
+ "deadline": "2026-08-02",
439
+ "business_impact": "Hardcoded secrets or credentials found in source code. Exposed credentials undermine the cybersecurity measures required by Art. 15(4) and create exploitable attack vectors."
440
+ },
441
+ "l3-dep-vuln": {
442
+ "article": "Art. 15(4)",
443
+ "penalty": "€15M or 3% of annual global turnover",
444
+ "deadline": "2026-08-02",
445
+ "business_impact": "Dependencies with known vulnerabilities compromise your system's cybersecurity posture. Art. 15(4) requires resilience against unauthorized access and data manipulation."
446
+ },
447
+ "l3-dep-license": {
448
+ "article": "Art. 11",
449
+ "penalty": "€15M or 3% of annual global turnover",
450
+ "deadline": "2026-08-02",
451
+ "business_impact": "Dependency license incompatibilities may prevent lawful distribution of your AI system. Technical documentation must account for all third-party component licensing."
452
+ }
453
+ }
package/src/data/industry-patterns.ts ADDED
@@ -0,0 +1,161 @@
1
+ export type IndustryId = 'hr' | 'finance' | 'healthcare' | 'education' | 'legal' | 'biometrics' | 'critical-infra' | 'migration';
2
+
3
+ export interface IndustryPattern {
4
+ readonly id: IndustryId;
5
+ readonly label: string;
6
+ readonly annexRef: string;
7
+ readonly articleRef: string;
8
+ readonly obligationId: string;
9
+ readonly patterns: readonly RegExp[];
10
+ }
11
+
12
+ export const INDUSTRY_PATTERNS: readonly IndustryPattern[] = [
13
+ {
14
+ id: 'hr',
15
+ label: 'HR / Employment',
16
+ annexRef: 'Annex III §6(a)',
17
+ articleRef: 'Art. 6(2)',
18
+ obligationId: 'eu-ai-act-OBL-006',
19
+ patterns: [
20
+ /resume[_.]parser/i,
21
+ /cv[_.]screen/i,
22
+ /candidate[_.]score/i,
23
+ /hiring[_.]decision/i,
24
+ /recruitment[_.]ai/i,
25
+ /employee[_.]monitoring/i,
26
+ /performance[_.]review/i,
27
+ /applicant[_.]tracking/i,
28
+ ],
29
+ },
30
+ {
31
+ id: 'finance',
32
+ label: 'Finance / Credit',
33
+ annexRef: 'Annex III §5(b)',
34
+ articleRef: 'Art. 6(2)',
35
+ obligationId: 'eu-ai-act-OBL-005',
36
+ patterns: [
37
+ /credit[_.]score/i,
38
+ /loan[_.]approval/i,
39
+ /insurance[_.]underwriting/i,
40
+ /fraud[_.]detection/i,
41
+ /aml[_.]check/i,
42
+ /kyc[_.]verification/i,
43
+ /creditworthiness/i,
44
+ /trading[_.]algo/i,
45
+ ],
46
+ },
47
+ {
48
+ id: 'healthcare',
49
+ label: 'Healthcare / Medical',
50
+ annexRef: 'Annex III §5(a)',
51
+ articleRef: 'Art. 6(2)',
52
+ obligationId: 'eu-ai-act-OBL-005',
53
+ patterns: [
54
+ /medical[_.]device/i,
55
+ /diagnosis[_.]ai/i,
56
+ /patient[_.]data/i,
57
+ /health[_.]record/i,
58
+ /clinical[_.]decision/i,
59
+ /drug[_.]discovery/i,
60
+ /patient[_.]monitoring/i,
61
+ /medical[_.]imaging/i,
62
+ ],
63
+ },
64
+ {
65
+ id: 'education',
66
+ label: 'Education / Academic',
67
+ annexRef: 'Annex III §3',
68
+ articleRef: 'Art. 6(2)',
69
+ obligationId: 'eu-ai-act-OBL-006',
70
+ patterns: [
71
+ /admission[_.]ai/i,
72
+ /grading[_.]system/i,
73
+ /student[_.]monitoring/i,
74
+ /learning[_.]analytics/i,
75
+ /exam[_.]proctoring/i,
76
+ /plagiarism[_.]detection/i,
77
+ /enrollment[_.]decision/i,
78
+ ],
79
+ },
80
+ {
81
+ id: 'legal',
82
+ label: 'Legal / Justice',
83
+ annexRef: 'Annex III §8(a)',
84
+ articleRef: 'Art. 6(2)',
85
+ obligationId: 'eu-ai-act-OBL-008',
86
+ patterns: [
87
+ /legal[_.]analysis/i,
88
+ /case[_.]prediction/i,
89
+ /contract[_.]review/i,
90
+ /sentencing[_.]assist/i,
91
+ /evidence[_.]analysis/i,
92
+ /judicial[_.]decision/i,
93
+ /legal[_.]research/i,
94
+ /dispute[_.]resolution/i,
95
+ ],
96
+ },
97
+ {
98
+ id: 'biometrics',
99
+ label: 'Biometrics / Identification',
100
+ annexRef: 'Annex III §1',
101
+ articleRef: 'Art. 6(2)',
102
+ obligationId: 'eu-ai-act-OBL-003',
103
+ patterns: [
104
+ /biometric[_.]identification/i,
105
+ /facial[_.]recognition/i,
106
+ /face[_.]detect/i,
107
+ /fingerprint[_.]match/i,
108
+ /iris[_.]scan/i,
109
+ /voice[_.]biometric/i,
110
+ /emotion[_.]recognition/i,
111
+ /gait[_.]analysis/i,
112
+ /remote[_.]biometric/i,
113
+ ],
114
+ },
115
+ {
116
+ id: 'critical-infra',
117
+ label: 'Critical Infrastructure',
118
+ annexRef: 'Annex III §2',
119
+ articleRef: 'Art. 6(2)',
120
+ obligationId: 'eu-ai-act-OBL-003',
121
+ patterns: [
122
+ /scada[_.]control/i,
123
+ /power[_.]grid/i,
124
+ /water[_.]treatment/i,
125
+ /traffic[_.]control/i,
126
+ /infrastructure[_.]monitor/i,
127
+ /smart[_.]grid/i,
128
+ /energy[_.]management/i,
129
+ /pipeline[_.]control/i,
130
+ /network[_.]routing.*critical/i,
131
+ ],
132
+ },
133
+ {
134
+ id: 'migration',
135
+ label: 'Migration / Border Control',
136
+ annexRef: 'Annex III §7',
137
+ articleRef: 'Art. 6(2)',
138
+ obligationId: 'eu-ai-act-OBL-008',
139
+ patterns: [
140
+ /border[_.]control/i,
141
+ /visa[_.]assessment/i,
142
+ /asylum[_.]application/i,
143
+ /immigration[_.]screening/i,
144
+ /travel[_.]document/i,
145
+ /migration[_.]risk/i,
146
+ /entry[_.]exit[_.]system/i,
147
+ /refugee[_.]screening/i,
148
+ ],
149
+ },
150
+ ];
151
+
152
+ export const INDUSTRY_TEMPLATE_MAP: Record<IndustryId, string> = {
153
+ hr: 'hr-ai-policy.md',
154
+ finance: 'finance-ai-policy.md',
155
+ healthcare: 'healthcare-ai-policy.md',
156
+ education: 'education-ai-policy.md',
157
+ legal: 'legal-ai-policy.md',
158
+ biometrics: 'biometrics-ai-policy.md',
159
+ 'critical-infra': 'critical-infra-ai-policy.md',
160
+ migration: 'migration-ai-policy.md',
161
+ };