npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/certification/test-runner.ts ADDED Viewed

@@ -0,0 +1,289 @@
+/**
+ * Adversarial Test Runner — Art.9(6)-(8) testing, Art.15(4) robustness.
+ *
+ * Sends adversarial prompts to the configured LLM (system under test),
+ * evaluates responses deterministically via pattern matching.
+ * The LLM is the subject, NOT the evaluator.
+ */
+import { mkdir, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { EvaluationResult } from './adversarial/evaluators.js';
+import type { EvidenceStore } from '../scanner/evidence-store.js';
+import type { AuditStore } from '../audit/audit-trail.js';
+import { createEvidence } from '../scanner/evidence.js';
+import { PROMPT_INJECTION_SCENARIOS } from './adversarial/prompt-injection.js';
+import { BIAS_TEST_PAIRS } from './adversarial/bias-tests.js';
+import { SAFETY_BOUNDARY_SCENARIOS } from './adversarial/safety-boundary.js';
+// ── Constants ────────────────────────────────────────────────────
+export const ADVERSARIAL_OBLIGATIONS = ['OBL-003c', 'OBL-009b'] as const;
+/** Max chars to store for bias pair prompt/response previews. */
+const BIAS_PROMPT_PREVIEW_LEN = 100;
+const BIAS_RESPONSE_PREVIEW_LEN = 500;
+// ── Types ────────────────────────────────────────────────────────
+export type TestCategory = 'prompt_injection' | 'bias_detection' | 'safety_boundary';
+export type TestVerdict = 'pass' | 'fail' | 'inconclusive';
+export interface TestScenario {
+  readonly id: string;
+  readonly category: TestCategory;
+  readonly name: string;
+  readonly description: string;
+  readonly articleRef: string;
+  readonly prompt: string;
+  readonly systemPrompt?: string;
+  readonly evaluate: (response: string) => EvaluationResult;
+}
+export interface BiasTestPair {
+  readonly id: string;
+  readonly category: 'bias_detection';
+  readonly name: string;
+  readonly description: string;
+  readonly articleRef: string;
+  readonly promptA: string;
+  readonly promptB: string;
+  readonly characteristicA: string;
+  readonly characteristicB: string;
+  readonly systemPrompt?: string;
+  readonly evaluate: (responseA: string, responseB: string) => EvaluationResult;
+}
+export interface TestResult {
+  readonly scenarioId: string;
+  readonly category: TestCategory;
+  readonly name: string;
+  readonly verdict: TestVerdict;
+  readonly confidence: number;
+  readonly prompt: string;
+  readonly response: string;
+  readonly matchedPatterns: readonly string[];
+  readonly reasoning: string;
+  readonly durationMs: number;
+  readonly articleRef: string;
+}
+export interface CategorySummary {
+  readonly total: number;
+  readonly passed: number;
+  readonly failed: number;
+  readonly inconclusive: number;
+  readonly score: number;
+}
+export interface AdversarialReport {
+  readonly agentName: string;
+  readonly timestamp: string;
+  readonly duration: number;
+  readonly categories: Record<TestCategory, CategorySummary>;
+  readonly results: readonly TestResult[];
+  readonly overallScore: number;
+  readonly passCount: number;
+  readonly failCount: number;
+  readonly inconclusiveCount: number;
+  readonly totalTests: number;
+  readonly obligationRefs: readonly string[];
+}
+export interface TestRunnerDeps {
+  readonly callLlm: (prompt: string, systemPrompt?: string) => Promise<string>;
+  readonly evidenceStore?: EvidenceStore;
+  readonly auditStore?: AuditStore;
+  readonly getProjectPath: () => string;
+}
+// ── Pure helpers ─────────────────────────────────────────────────
+/** Format current timestamp for safe use in filenames. */
+const fileTimestamp = (): string => new Date().toISOString().replace(/[:.]/g, '-');
+interface VerdictCounts {
+  readonly total: number;
+  readonly passed: number;
+  readonly failed: number;
+  readonly inconclusive: number;
+}
+/** Count verdicts in a result set, optionally filtered by category. */
+const countVerdicts = (results: readonly TestResult[], category?: TestCategory): VerdictCounts => {
+  const filtered = category ? results.filter(r => r.category === category) : results;
+  let passed = 0, failed = 0, inconclusive = 0;
+  for (const r of filtered) {
+    if (r.verdict === 'pass') passed++;
+    else if (r.verdict === 'fail') failed++;
+    else inconclusive++;
+  }
+  return { total: filtered.length, passed, failed, inconclusive };
+};
+const toCategorySummary = (counts: VerdictCounts): CategorySummary => ({
+  ...counts,
+  score: counts.total > 0 ? Math.round((counts.passed / counts.total) * 100) : 0,
+});
+type ScenarioMeta = Pick<TestScenario, 'id' | 'category' | 'name' | 'articleRef'>;
+/** Build a TestResult from scenario metadata + evaluation + timing. */
+const toTestResult = (
+  meta: ScenarioMeta,
+  evaluation: EvaluationResult,
+  prompt: string,
+  response: string,
+  durationMs: number,
+): TestResult => ({
+  scenarioId: meta.id,
+  category: meta.category,
+  name: meta.name,
+  verdict: evaluation.verdict,
+  confidence: evaluation.confidence,
+  prompt,
+  response,
+  matchedPatterns: evaluation.matchedPatterns,
+  reasoning: evaluation.reasoning,
+  durationMs,
+  articleRef: meta.articleRef,
+});
+/** Build the final report from collected results. Pure function. */
+export const buildReport = (
+  agentName: string,
+  results: readonly TestResult[],
+  duration: number,
+): AdversarialReport => {
+  const overall = countVerdicts(results);
+  return {
+    agentName,
+    timestamp: new Date().toISOString(),
+    duration,
+    categories: {
+      prompt_injection: toCategorySummary(countVerdicts(results, 'prompt_injection')),
+      bias_detection: toCategorySummary(countVerdicts(results, 'bias_detection')),
+      safety_boundary: toCategorySummary(countVerdicts(results, 'safety_boundary')),
+    },
+    results,
+    overallScore: overall.total > 0 ? Math.round((overall.passed / overall.total) * 100) : 0,
+    passCount: overall.passed,
+    failCount: overall.failed,
+    inconclusiveCount: overall.inconclusive,
+    totalTests: overall.total,
+    obligationRefs: ADVERSARIAL_OBLIGATIONS,
+  };
+};
+// ── I/O helpers (separated from domain logic) ────────────────────
+const saveReport = async (report: AdversarialReport, projectPath: string): Promise<void> => {
+  const reportsDir = join(projectPath, '.complior', 'reports');
+  await mkdir(reportsDir, { recursive: true });
+  const path = join(reportsDir, `adversarial-${report.agentName}-${fileTimestamp()}.json`);
+  await writeFile(path, JSON.stringify(report, null, 2));
+};
+const recordEvidence = async (
+  results: readonly TestResult[],
+  evidenceStore: EvidenceStore,
+): Promise<void> => {
+  const items = results.map(r =>
+    createEvidence(
+      `adversarial-${r.scenarioId}`,
+      'adversarial',
+      'adversarial-test',
+      { snippet: `${r.verdict}: ${r.reasoning}` },
+    ),
+  );
+  await evidenceStore.append(items, `adversarial-${fileTimestamp()}`);
+};
+const recordAudit = async (
+  report: AdversarialReport,
+  auditStore: AuditStore,
+): Promise<void> => {
+  await auditStore.append('adversarial.completed', {
+    totalTests: report.totalTests,
+    passCount: report.passCount,
+    failCount: report.failCount,
+    inconclusiveCount: report.inconclusiveCount,
+    overallScore: report.overallScore,
+    categories: Object.fromEntries(
+      Object.entries(report.categories).map(([k, v]) => [k, v.score]),
+    ),
+  }, report.agentName);
+};
+// ── Factory ──────────────────────────────────────────────────────
+export const createTestRunner = (deps: TestRunnerDeps) => {
+  const { callLlm, evidenceStore, auditStore, getProjectPath } = deps;
+  /** Call LLM with error isolation — never throws. */
+  const callLlmSafely = async (prompt: string, systemPrompt?: string): Promise<string> => {
+    try {
+      return await callLlm(prompt, systemPrompt);
+    } catch (err) {
+      return `[ERROR] LLM call failed: ${err instanceof Error ? err.message : String(err)}`;
+    }
+  };
+  const runScenario = async (scenario: TestScenario): Promise<TestResult> => {
+    const start = Date.now();
+    const response = await callLlmSafely(scenario.prompt, scenario.systemPrompt);
+    const evaluation = scenario.evaluate(response);
+    return toTestResult(scenario, evaluation, scenario.prompt, response, Date.now() - start);
+  };
+  const runBiasPair = async (pair: BiasTestPair): Promise<TestResult> => {
+    const start = Date.now();
+    const responseA = await callLlmSafely(pair.promptA, pair.systemPrompt);
+    const responseB = await callLlmSafely(pair.promptB, pair.systemPrompt);
+    const evaluation = pair.evaluate(responseA, responseB);
+    const prompt = `A: ${pair.promptA.slice(0, BIAS_PROMPT_PREVIEW_LEN)}... | B: ${pair.promptB.slice(0, BIAS_PROMPT_PREVIEW_LEN)}...`;
+    const response = `A: ${responseA.slice(0, BIAS_RESPONSE_PREVIEW_LEN)} | B: ${responseB.slice(0, BIAS_RESPONSE_PREVIEW_LEN)}`;
+    return toTestResult(pair, evaluation, prompt, response, Date.now() - start);
+  };
+  const runAdversarialTests = async (
+    agentName: string,
+    categories?: readonly TestCategory[],
+  ): Promise<AdversarialReport> => {
+    const startTime = Date.now();
+    const results: TestResult[] = [];
+    const selected = categories ?? (['prompt_injection', 'bias_detection', 'safety_boundary'] as const);
+    // Sequential execution to avoid rate limits
+    if (selected.includes('prompt_injection')) {
+      for (const scenario of PROMPT_INJECTION_SCENARIOS) {
+        results.push(await runScenario(scenario));
+      }
+    }
+    if (selected.includes('bias_detection')) {
+      for (const pair of BIAS_TEST_PAIRS) {
+        results.push(await runBiasPair(pair));
+      }
+    }
+    if (selected.includes('safety_boundary')) {
+      for (const scenario of SAFETY_BOUNDARY_SCENARIOS) {
+        results.push(await runScenario(scenario));
+      }
+    }
+    const report = buildReport(agentName, results, Date.now() - startTime);
+    // I/O: persist results (fire-and-forget-safe; errors logged, not thrown)
+    await saveReport(report, getProjectPath());
+    if (evidenceStore) await recordEvidence(results, evidenceStore);
+    if (auditStore) await recordAudit(report, auditStore);
+    return Object.freeze(report);
+  };
+  return Object.freeze({ runAdversarialTests });
+};

package/src/domain/cost/cost-estimator.test.ts ADDED Viewed

@@ -0,0 +1,187 @@
+import { describe, it, expect } from 'vitest';
+import { computeCostEstimate } from './cost-estimator.js';
+describe('computeCostEstimate', () => {
+  it('returns zero costs when no issues', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 150,
+    });
+    expect(result.totalCost).toBe(0);
+    expect(result.remediationCost).toBe(0);
+    expect(result.documentationCost).toBe(0);
+    expect(result.roi).toBe(0);
+    expect(result.currency).toBe('EUR');
+  });
+  it('calculates remediation cost by severity', () => {
+    const result = computeCostEstimate({
+      findings: [
+        { severity: 'critical', checkId: 'c1', status: 'fail' },
+        { severity: 'high', checkId: 'h1', status: 'fail' },
+        { severity: 'medium', checkId: 'm1', status: 'fail' },
+        { severity: 'low', checkId: 'l1', status: 'fail' },
+      ],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 100,
+    });
+    // 8 + 4 + 2 + 1 = 15 hours x EUR 100 = EUR 1,500
+    expect(result.remediationCost).toBe(1500);
+  });
+  it('adds FRIA cost when not completed', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 100,
+      friaCompleted: false,
+      evidenceValid: true,
+      hourlyRate: 150,
+    });
+    expect(result.documentationCost).toBe(16 * 150); // FRIA: 16h
+  });
+  it('adds passport completion cost', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 50,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 150,
+    });
+    // 50% missing -> ceil(50/10)*2 = 10h x EUR 150 = EUR 1,500
+    expect(result.breakdown.some((b) => b.item === 'Passport completion')).toBe(
+      true,
+    );
+    const passportItem = result.breakdown.find(
+      (b) => b.item === 'Passport completion',
+    );
+    expect(passportItem?.effortHours).toBe(10);
+    expect(passportItem?.cost).toBe(1500);
+  });
+  it('adds evidence chain setup cost', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: false,
+      hourlyRate: 150,
+    });
+    expect(
+      result.breakdown.some((b) => b.item === 'Evidence chain setup'),
+    ).toBe(true);
+    expect(result.documentationCost).toBe(4 * 150);
+  });
+  it('skips pass findings', () => {
+    const result = computeCostEstimate({
+      findings: [{ severity: 'critical', checkId: 'c1', status: 'pass' }],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 150,
+    });
+    expect(result.remediationCost).toBe(0);
+  });
+  it('calculates ROI correctly', () => {
+    const result = computeCostEstimate({
+      findings: [{ severity: 'critical', checkId: 'c1', status: 'fail' }],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 100,
+    });
+    expect(result.totalCost).toBe(800); // 8h x EUR 100
+    expect(result.potentialFine).toBeGreaterThan(0);
+    expect(result.roi).toBeGreaterThan(0);
+  });
+  it('returns frozen result', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 150,
+    });
+    expect(Object.isFrozen(result)).toBe(true);
+  });
+  it('returns frozen breakdown array', () => {
+    const result = computeCostEstimate({
+      findings: [{ severity: 'high', checkId: 'h1', status: 'fail' }],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 100,
+    });
+    expect(Object.isFrozen(result.breakdown)).toBe(true);
+  });
+  it('uses default 2h for unknown severity', () => {
+    const result = computeCostEstimate({
+      findings: [
+        { severity: 'unknown-severity', checkId: 'x1', status: 'fail' },
+      ],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 100,
+    });
+    expect(result.remediationCost).toBe(200); // 2h x EUR 100
+  });
+  it('caps potential fine risk factor at 1.0', () => {
+    // 5 critical findings -> 5 * 0.3 = 1.5, capped at 1.0
+    const result = computeCostEstimate({
+      findings: Array.from({ length: 5 }, (_, i) => ({
+        severity: 'critical',
+        checkId: `c${i}`,
+        status: 'fail',
+      })),
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 100,
+    });
+    expect(result.potentialFine).toBe(35_000_000);
+  });
+  it('calculates combined costs with all gap types', () => {
+    const result = computeCostEstimate({
+      findings: [
+        { severity: 'critical', checkId: 'c1', status: 'fail' },
+        { severity: 'low', checkId: 'l1', status: 'fail' },
+      ],
+      passportCompleteness: 70,
+      friaCompleted: false,
+      evidenceValid: false,
+      hourlyRate: 200,
+    });
+    // Remediation: (8+1)*200 = 1800
+    expect(result.remediationCost).toBe(1800);
+    // Documentation: FRIA 16*200=3200, passport ceil(30/10)*2=6h*200=1200,
+    //   evidence 4*200=800 => 5200
+    expect(result.documentationCost).toBe(3200 + 1200 + 800);
+    expect(result.totalCost).toBe(1800 + 5200);
+  });
+  it('handles empty findings array gracefully', () => {
+    const result = computeCostEstimate({
+      findings: [],
+      passportCompleteness: 100,
+      friaCompleted: true,
+      evidenceValid: true,
+      hourlyRate: 0,
+    });
+    expect(result.totalCost).toBe(0);
+    expect(result.breakdown).toHaveLength(0);
+    expect(result.potentialFine).toBe(0);
+  });
+});

package/src/domain/cost/cost-estimator.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * US-S05-27: Compliance Cost Estimator
+ *
+ * Pure domain function that computes remediation costs, documentation costs,
+ * potential fines, and ROI based on scan findings and passport state.
+ *
+ * EU AI Act reference: Art. 99 (fines up to EUR 35M or 7% of global turnover).
+ */
+import type { SeverityLevel, ComplianceDocType } from '../shared/compliance-constants.js';
+export interface CostEstimateInput {
+  readonly findings: readonly { severity: string; checkId: string; status: string }[];
+  readonly passportCompleteness: number; // 0-100
+  readonly friaCompleted: boolean;
+  readonly evidenceValid: boolean;
+  readonly hourlyRate: number; // default EUR 150
+}
+export interface CostEstimateResult {
+  readonly remediationCost: number;
+  readonly documentationCost: number;
+  readonly totalCost: number;
+  readonly potentialFine: number;
+  readonly roi: number;
+  readonly breakdown: readonly CostLineItem[];
+  readonly currency: string;
+}
+export interface CostLineItem {
+  readonly category: string;
+  readonly item: string;
+  readonly effortHours: number;
+  readonly cost: number;
+}
+/** Estimated remediation hours per severity level. */
+const SEVERITY_HOURS: Record<SeverityLevel, number> = {
+  critical: 8,
+  high: 4,
+  medium: 2,
+  low: 1,
+};
+/** Estimated documentation effort hours per compliance doc type. */
+const DOC_HOURS: Record<ComplianceDocType, number> = {
+  fria: 16,
+  'technical-documentation': 8,
+  'worker-notification': 4,
+  'monitoring-policy': 4,
+  'ai-literacy': 4,
+  'declaration-of-conformity': 8,
+  'incident-report': 2,
+};
+/** EU AI Act max fine: EUR 35M or 7% of global turnover (Art. 99) */
+const MAX_FINE_EUR = 35_000_000;
+export const computeCostEstimate = (input: CostEstimateInput): CostEstimateResult => {
+  const { findings, passportCompleteness, friaCompleted, evidenceValid, hourlyRate } = input;
+  const breakdown: CostLineItem[] = [];
+  // 1. Remediation cost per finding (only failed checks)
+  const failFindings = findings.filter(f => f.status === 'fail');
+  for (const finding of failFindings) {
+    const hours = SEVERITY_HOURS[finding.severity] ?? 2;
+    breakdown.push({
+      category: 'remediation',
+      item: finding.checkId,
+      effortHours: hours,
+      cost: hours * hourlyRate,
+    });
+  }
+  // 2. Documentation cost — FRIA (Art. 27)
+  if (!friaCompleted) {
+    breakdown.push({
+      category: 'documentation',
+      item: 'FRIA (Art. 27)',
+      effortHours: DOC_HOURS['fria']!,
+      cost: DOC_HOURS['fria']! * hourlyRate,
+    });
+  }
+  // 3. Passport completion cost
+  if (passportCompleteness < 100) {
+    const missingPct = 100 - passportCompleteness;
+    const hours = Math.ceil(missingPct / 10) * 2; // ~2h per 10% missing
+    breakdown.push({
+      category: 'documentation',
+      item: 'Passport completion',
+      effortHours: hours,
+      cost: hours * hourlyRate,
+    });
+  }
+  // 4. Evidence chain setup
+  if (!evidenceValid) {
+    breakdown.push({
+      category: 'infrastructure',
+      item: 'Evidence chain setup',
+      effortHours: 4,
+      cost: 4 * hourlyRate,
+    });
+  }
+  const remediationCost = breakdown
+    .filter(b => b.category === 'remediation')
+    .reduce((sum, b) => sum + b.cost, 0);
+  const documentationCost = breakdown
+    .filter(b => b.category !== 'remediation')
+    .reduce((sum, b) => sum + b.cost, 0);
+  const totalCost = remediationCost + documentationCost;
+  // Potential fine estimate based on severity distribution
+  const criticalCount = failFindings.filter(f => f.severity === 'critical').length;
+  const highCount = failFindings.filter(f => f.severity === 'high').length;
+  const riskFactor = Math.min(1.0, (criticalCount * 0.3 + highCount * 0.1));
+  const potentialFine = Math.round(MAX_FINE_EUR * riskFactor);
+  // ROI as multiplier: how many times the compliance cost is recovered in avoided fines
+  const roi = totalCost > 0 ? Math.round((potentialFine / totalCost) * 10) / 10 : 0;
+  return Object.freeze({
+    remediationCost,
+    documentationCost,
+    totalCost,
+    potentialFine,
+    roi,
+    breakdown: Object.freeze(breakdown),
+    currency: 'EUR',
+  });
+};

package/src/domain/disclaimer.test.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import { describe, it, expect } from 'vitest';
+import { getDisclaimer, appendDisclaimer, getReportFooter, containsBannedPhrase } from './disclaimer.js';
+import { ENGINE_VERSION } from '../version.js';
+describe('Disclaimer Framework', () => {
+  it('system prompt contains legal advisor warning', () => {
+    const disclaimer = getDisclaimer('system_prompt');
+    expect(disclaimer).toContain('not a legal advisor');
+    expect(disclaimer).toContain('NEVER');
+    expect(disclaimer).toContain('automated scanning');
+  });
+  it('report footer contains disclaimer', () => {
+    const footer = getDisclaimer('report_footer');
+    expect(footer).toContain('does NOT constitute legal advice');
+  });
+  it('compliance_md contains disclaimer', () => {
+    const md = getDisclaimer('compliance_md');
+    expect(md).toContain('NOT a legal certification');
+  });
+  it('commit message contains review warning', () => {
+    const msg = getDisclaimer('commit_message');
+    expect(msg).toContain('Review before merging');
+  });
+  it('appendDisclaimer adds footer', () => {
+    const result = appendDisclaimer('Report content', 'report_footer');
+    expect(result).toContain('Report content');
+    expect(result).toContain('does NOT constitute');
+  });
+  it('getReportFooter includes version and date', () => {
+    const footer = getReportFooter(ENGINE_VERSION);
+    expect(footer).toContain(`complior v${ENGINE_VERSION}`);
+    expect(footer).toMatch(/\d{4}-\d{2}-\d{2}/);
+  });
+});
+describe('Banned Phrases', () => {
+  it('detects banned phrases', () => {
+    expect(containsBannedPhrase('You are compliant')).toBe(true);
+    expect(containsBannedPhrase('Your project is compliant with EU AI Act')).toBe(true);
+    expect(containsBannedPhrase('I guarantee compliance')).toBe(true);
+  });
+  it('allows safe phrases', () => {
+    expect(containsBannedPhrase('Based on automated scanning: score 72/100')).toBe(false);
+    expect(containsBannedPhrase('Scanner detected 8 violations')).toBe(false);
+  });
+});

package/src/domain/disclaimer.ts ADDED Viewed

@@ -0,0 +1,39 @@
+export type DisclaimerContext = 'system_prompt' | 'report_footer' | 'compliance_md' | 'commit_message' | 'chat_response';
+const DISCLAIMERS: Record<DisclaimerContext, string> = {
+  system_prompt: 'You are Complior, a compliance ASSISTANT — not a legal advisor. You NEVER state that a project "is compliant" or "meets all requirements". You ALWAYS frame results as "based on automated scanning" and recommend professional legal review for definitive compliance assessment.',
+  report_footer: `---
+**Disclaimer:** This report was generated by Complior automated scanning tool. It does NOT constitute legal advice. For definitive compliance assessment, consult a qualified legal professional specializing in EU AI Act.`,
+  compliance_md: `## Disclaimer
+This compliance status is based on automated scanning by Complior. It is NOT a legal certification. Professional legal review is recommended before making compliance claims.`,
+  commit_message: 'Auto-generated by Complior. Review before merging. Automated fix — not legal advice.',
+  chat_response: 'Disclaimer: Complior — automated scanning tool, not a legal advisor. Professional review recommended.',
+};
+export const getDisclaimer = (context: DisclaimerContext): string => DISCLAIMERS[context];
+export const appendDisclaimer = (content: string, context: DisclaimerContext): string =>
+  `${content}\n\n${DISCLAIMERS[context]}`;
+export const getReportFooter = (version: string): string =>
+  `${DISCLAIMERS.report_footer}\nGenerated: ${new Date().toISOString().slice(0, 10)} | Scanner: complior v${version}`;
+// Banned phrases that LLM should never output
+export const BANNED_PHRASES = [
+  'you are compliant',
+  'your project is compliant',
+  'meets all requirements',
+  'fully compliant',
+  'no violations found', // when score < 100
+  'I guarantee compliance',
+] as const;
+export const containsBannedPhrase = (text: string): boolean => {
+  const lower = text.toLowerCase();
+  return BANNED_PHRASES.some((phrase) => lower.includes(phrase.toLowerCase()));
+};