npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/documents/ai-enricher.test.ts ADDED Viewed

@@ -0,0 +1,120 @@
+/**
+ * Tests for detectWeakSections() and buildL2Feedback() pure functions.
+ */
+import { describe, it, expect } from 'vitest';
+import { detectWeakSections, buildL2Feedback } from './ai-enricher.js';
+const STRONG_DOC = `## Risk Identification
+We have identified 15 key risks through our systematic risk assessment process conducted in Q1 2026.
+Each risk was evaluated using the ISO 31000:2018 framework, with probability scores assigned on a 1-5 scale.
+The top 3 risks relate to bias (P=0.4, I=High), data quality (P=0.3, I=Medium), and model drift (P=0.25, I=High).
+Under Art. 9 of the EU AI Act (Regulation 2024/1689), providers must maintain a risk management system.
+## Mitigation Measures
+For each identified risk, we implement specific mitigation controls:
+- Bias: Monthly fairness audits using Aequitas toolkit, targeting <2% demographic parity gap
+- Data quality: Automated data validation pipeline with 99.5% accuracy threshold
+- Model drift: Weekly model monitoring with KL-divergence alerts at >0.05
+## Monitoring Plan
+Continuous monitoring via Prometheus dashboards with the following KPIs:
+1. False positive rate: target <5% (current: 3.2%)
+2. Latency p99: target <200ms (current: 145ms)
+3. Drift score: target <0.05 (current: 0.02)
+Reviews conducted quarterly per Art. 9(8) requirements.
+`;
+const WEAK_DOC = `## Risk Identification
+We assess risks.
+## Mitigation Measures
+[TODO: Add mitigation measures]
+## Monitoring Plan
+Monitoring will be done.
+`;
+const MIXED_DOC = `## System Description
+Our AI system processes customer support tickets using a fine-tuned GPT-4 model.
+It classifies tickets into 12 categories with 94.2% accuracy (validated on 10,000 test samples).
+The system handles approximately 50,000 tickets per day with p99 latency of 180ms.
+Deployed on AWS eu-west-1 region per Art. 11 requirements.
+## Intended Purpose
+This system helps with customer support.
+## Performance Metrics
+[TODO: Fill in performance benchmarks]
+`;
+describe('detectWeakSections', () => {
+  it('returns empty array for fully-populated document', () => {
+    const weak = detectWeakSections(STRONG_DOC);
+    expect(weak).toEqual([]);
+  });
+  it('detects weak sections in placeholder-heavy document', () => {
+    const weak = detectWeakSections(WEAK_DOC);
+    expect(weak.length).toBeGreaterThan(0);
+    // Should detect sections with placeholders or very short content
+    expect(weak.some(s => s.toLowerCase().includes('mitigation'))).toBe(true);
+  });
+  it('detects mix of strong and weak sections', () => {
+    const weak = detectWeakSections(MIXED_DOC);
+    // System Description is strong, others are weak
+    expect(weak.some(s => s.toLowerCase().includes('intended purpose') || s.toLowerCase().includes('performance'))).toBe(true);
+    // System Description should NOT be in weak list
+    expect(weak.some(s => s.toLowerCase() === 'system description')).toBe(false);
+  });
+  it('returns empty for empty content', () => {
+    const weak = detectWeakSections('');
+    expect(weak).toEqual([]);
+  });
+  it('returns empty for content with no headings', () => {
+    const weak = detectWeakSections('Just a paragraph with no markdown headings at all.');
+    expect(weak).toEqual([]);
+  });
+});
+describe('buildL2Feedback', () => {
+  it('returns "All sections appear adequate" for strong document', () => {
+    const feedback = buildL2Feedback(STRONG_DOC);
+    expect(feedback).toBe('All sections appear adequate.');
+  });
+  it('lists specific issues for weak document', () => {
+    const feedback = buildL2Feedback(WEAK_DOC);
+    expect(feedback).not.toBe('All sections appear adequate.');
+    // Should contain bullet points with section names
+    expect(feedback).toContain('-');
+    expect(feedback).toContain('"');
+  });
+  it('mentions placeholder count for sections with TODOs', () => {
+    const feedback = buildL2Feedback(WEAK_DOC);
+    expect(feedback).toMatch(/placeholder/i);
+  });
+  it('mentions word count for very short sections', () => {
+    const feedback = buildL2Feedback(WEAK_DOC);
+    expect(feedback).toMatch(/words/i);
+  });
+  it('returns feedback only for weak sections in mixed doc', () => {
+    const feedback = buildL2Feedback(MIXED_DOC);
+    // Should have feedback for weak sections but not System Description
+    expect(feedback).not.toBe('All sections appear adequate.');
+  });
+});

package/src/domain/documents/ai-enricher.ts ADDED Viewed

@@ -0,0 +1,159 @@
+/**
+ * LLM-enriched document generation.
+ * Two modes:
+ *   1. Scaffold enrichment — fill [TODO] placeholders in freshly generated docs
+ *   2. Draft enhancement — improve existing user-edited docs using L2 quality feedback
+ * Extracted from document-generator.ts for SRP compliance.
+ */
+import type { LanguageModel } from 'ai';
+import type { AgentPassport } from '../../types/passport.types.js';
+import type { DocResult } from './document-generator.js';
+import { extractSectionContents, measureSemanticDepth } from '../scanner/layers/layer2-parsing.js';
+export interface AiEnrichInput {
+  readonly baseResult: DocResult;
+  readonly manifest: AgentPassport;
+  readonly model: LanguageModel;
+}
+export interface AiEnrichedResult extends DocResult {
+  readonly aiEnriched: true;
+  readonly aiFieldsCount: number;
+}
+/**
+ * Analyze existing document content to find weak sections via L2 semantic depth.
+ * Returns section names + actionable feedback for sections scoring below threshold.
+ */
+export const detectWeakSections = (content: string): readonly string[] => {
+  const sections = extractSectionContents(content);
+  const weak: string[] = [];
+  for (const [heading, body] of sections) {
+    const depth = measureSemanticDepth(body, heading);
+    if (depth.isShallow || depth.placeholderCount > 0) {
+      weak.push(heading);
+    }
+  }
+  return weak;
+};
+/**
+ * Build L2-informed feedback for the LLM prompt.
+ * Tells the LLM exactly which sections need improvement and why.
+ */
+export const buildL2Feedback = (content: string): string => {
+  const sections = extractSectionContents(content);
+  const feedback: string[] = [];
+  for (const [heading, body] of sections) {
+    const depth = measureSemanticDepth(body, heading);
+    if (depth.isShallow || depth.placeholderCount > 0) {
+      const reasons: string[] = [];
+      if (depth.placeholderCount > 0) reasons.push(`${depth.placeholderCount} placeholder(s) to fill`);
+      if (depth.wordCount < 50) reasons.push(`only ${depth.wordCount} words (min 50)`);
+      if (!depth.hasNumericMetrics) reasons.push('no numeric metrics');
+      if (!depth.hasLegalReferences) reasons.push('no legal references');
+      if (!depth.hasMeasurableTargets) reasons.push('no measurable targets');
+      feedback.push(`- "${heading}": ${reasons.join(', ')}`);
+    }
+  }
+  return feedback.length > 0 ? feedback.join('\n') : 'All sections appear adequate.';
+};
+const buildPassportContext = (manifest: AgentPassport): string =>
+  [
+    `System: ${manifest.display_name}`,
+    `Description: ${manifest.description}`,
+    `Risk class: ${manifest.compliance?.eu_ai_act?.risk_class ?? 'unknown'}`,
+    `Autonomy: ${manifest.autonomy_level}`,
+    `Provider: ${manifest.model?.provider ?? 'unknown'}`,
+    `Model: ${manifest.model?.model_id ?? 'unknown'}`,
+    manifest.owner?.team ? `Organization: ${manifest.owner.team}` : '',
+    manifest.oversight?.responsible_person ? `Oversight: ${manifest.oversight.responsible_person} (${manifest.oversight.role})` : '',
+    manifest.permissions?.tools ? `Tools: ${(manifest.permissions.tools as readonly string[]).join(', ')}` : '',
+    manifest.constraints?.prohibited_actions ? `Prohibited: ${(manifest.constraints.prohibited_actions as readonly string[]).join(', ')}` : '',
+  ].filter(Boolean).join('\n');
+const buildSystemPrompt = (docType: string, mode: 'scaffold' | 'enhance'): string => {
+  const modeRules = mode === 'scaffold'
+    ? `- Fill in placeholder sections (marked with <!-- GUIDANCE --> comments or containing generic "[...]" placeholders) with specific content based on the passport data
+- Keep all existing filled content intact — do NOT modify already pre-filled fields`
+    : `- The document has been partially filled by the user — preserve ALL existing content
+- Strengthen weak sections identified in the quality feedback below
+- Add numeric metrics, legal references (Art. numbers), measurable targets, and specific details
+- Expand thin sections with concrete, actionable content based on the passport data`;
+  return `You are a compliance document specialist for the EU AI Act (Regulation 2024/1689).
+You are ${mode === 'scaffold' ? 'enriching' : 'strengthening'} a ${docType} document based on the AI system's passport data.
+Rules:
+${modeRules}
+- For legal assertions that require human sign-off (signatures, legal declarations, notified body details), replace with [REVIEW REQUIRED: brief description of what's needed]
+- Use professional regulatory language appropriate for EU AI Act compliance documentation
+- Be specific and actionable — reference the actual system name, risk class, and capabilities
+- Do NOT invent data that isn't in the passport (dates, test results, metrics) — use [TO BE COMPLETED: description] for those
+- Keep the exact Markdown structure and heading hierarchy`;
+};
+/**
+ * Enriches a compliance document via LLM.
+ * Two modes detected automatically:
+ *   - Scaffold: document has [TODO]/placeholder brackets → fill them
+ *   - Enhance: document has real content but weak sections → strengthen with specifics
+ * Human-required legal assertions are left with [REVIEW REQUIRED].
+ */
+export const enrichDocumentWithAI = async (input: AiEnrichInput): Promise<AiEnrichedResult> => {
+  const { baseResult, manifest, model } = input;
+  const { generateText } = await import('ai');
+  const passportContext = buildPassportContext(manifest);
+  // Auto-detect mode: scaffold (has placeholders) vs enhance (user-edited, no placeholders)
+  const hasPlaceholders = /\[[^\]]{2,60}\](?!\()/.test(baseResult.markdown);
+  const mode: 'scaffold' | 'enhance' = hasPlaceholders ? 'scaffold' : 'enhance';
+  const systemPrompt = buildSystemPrompt(baseResult.docType, mode);
+  const l2Feedback = buildL2Feedback(baseResult.markdown);
+  const prompt = mode === 'scaffold'
+    ? `Here is the AI system passport data:
+${passportContext}
+Here are the manual fields that need enrichment: ${baseResult.manualFields.join(', ')}
+Here is the document to enrich:
+${baseResult.markdown}
+Return the complete enriched document (full Markdown). Keep all existing content, enrich unfilled sections.`
+    : `Here is the AI system passport data:
+${passportContext}
+Quality analysis of weak sections that need strengthening:
+${l2Feedback}
+Here is the document to improve:
+${baseResult.markdown}
+Return the complete improved document (full Markdown). Preserve all existing content. Strengthen the weak sections identified above with specific details, metrics, and legal references.`;
+  try {
+    const result = await generateText({ model, system: systemPrompt, prompt });
+    const marker = `\n\n<!-- complior:reviewed ${new Date().toISOString()} -->`;
+    const enrichedMarkdown = result.text.trim() + marker;
+    // Count how many fields were likely addressed
+    const remainingPlaceholders = (enrichedMarkdown.match(/\[(?:TO BE COMPLETED|REVIEW REQUIRED)[^\]]*\]/g) ?? []).length;
+    const aiFieldsCount = Math.max(0, baseResult.manualFields.length - remainingPlaceholders);
+    return Object.freeze({
+      markdown: enrichedMarkdown,
+      docType: baseResult.docType,
+      prefilledFields: Object.freeze([...baseResult.prefilledFields]),
+      manualFields: Object.freeze([...baseResult.manualFields]),
+      aiEnriched: true as const,
+      aiFieldsCount,
+    });
+  } catch (err) {
+    // Re-throw so caller (fix-service) can handle and log the error
+    throw new Error(`AI enrichment failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+};

package/src/domain/documents/document-generator.test.ts ADDED Viewed

@@ -0,0 +1,318 @@
+import { describe, it, expect } from 'vitest';
+import { generateDocument, ALL_DOC_TYPES, TEMPLATE_FILE_MAP } from './document-generator.js';
+import type { DocType } from './document-generator.js';
+import type { AgentPassport } from '../../types/passport.types.js';
+const createMockPassport = (overrides?: Partial<AgentPassport>): AgentPassport =>
+  ({
+    agent_id: 'test-agent-001',
+    name: 'test-agent',
+    display_name: 'Test AI Agent',
+    version: '1.0.0',
+    description: 'A test AI agent for compliance scanning',
+    type: 'assistant',
+    framework: 'openai',
+    autonomy_level: 'L2',
+    model: {
+      provider: 'OpenAI',
+      model_id: 'gpt-4o',
+    },
+    owner: {
+      team: 'Acme Corp',
+      responsible_person: 'Jane Doe',
+    },
+    compliance: {
+      eu_ai_act: {
+        risk_class: 'high',
+      },
+      complior_score: 72,
+    },
+    constraints: {
+      human_approval_required: ['deploy', 'delete'],
+      escalation_rules: [],
+    },
+    autonomy_evidence: {
+      human_approval_gates: 3,
+      unsupervised_actions: 1,
+      no_logging_actions: 0,
+      auto_rated: false,
+    },
+    permissions: {
+      tools: ['read_file', 'write_file'],
+      denied: ['execute_shell'],
+    },
+    source_files: [],
+    signature: { value: '', publicKey: '', algorithm: 'ed25519' },
+    created: '2026-01-01T00:00:00Z',
+    updated: '2026-01-01T00:00:00Z',
+    ...overrides,
+  }) as unknown as AgentPassport;
+const SIMPLE_TEMPLATE = `# Test Document
+| Company | [Company Name] |
+| Date | [Date] |
+| System | [AI System Name] |
+| Provider | [Provider] |
+| Version | [X.Y] |
+| Risk | [Risk Class] |
+`;
+describe('document-generator', () => {
+  describe('ALL_DOC_TYPES', () => {
+    it('contains exactly 14 document types', () => {
+      expect(ALL_DOC_TYPES).toHaveLength(14);
+    });
+    it('maps each type to a template file', () => {
+      for (const dt of ALL_DOC_TYPES) {
+        expect(TEMPLATE_FILE_MAP[dt]).toBeDefined();
+        expect(TEMPLATE_FILE_MAP[dt]).toMatch(/\.md$/);
+      }
+    });
+  });
+  describe('generateDocument — common placeholders', () => {
+    it('replaces [Company Name] with organization override', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+        organization: 'Override Corp',
+      });
+      expect(result.markdown).toContain('Override Corp');
+      expect(result.markdown).not.toContain('[Company Name]');
+      expect(result.prefilledFields).toContain('Company Name');
+    });
+    it('replaces [Company Name] with manifest.owner.team when no organization', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('Acme Corp');
+    });
+    it('marks Company Name as manual when missing', () => {
+      const passport = createMockPassport({ owner: { team: '' } } as any);
+      const result = generateDocument({
+        manifest: passport,
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.manualFields).toContain('Company Name');
+    });
+    it('replaces [Date] with today ISO', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      const today = new Date().toISOString().slice(0, 10);
+      expect(result.markdown).toContain(today);
+      expect(result.markdown).not.toContain('[Date]');
+    });
+    it('replaces [AI System Name]', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('Test AI Agent');
+    });
+    it('replaces [Provider]', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('OpenAI');
+      expect(result.markdown).not.toContain('| Provider | [Provider] |');
+    });
+    it('replaces [X.Y] with version', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('1.0.0');
+    });
+    it('replaces [Risk Class]', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('high');
+      expect(result.markdown).not.toContain('[Risk Class]');
+    });
+  });
+  describe('generateDocument — document ID replacement', () => {
+    it('replaces ALP-[YYYY]-[NNN] for ai-literacy', () => {
+      const template = '| Document ID | ALP-[YYYY]-[NNN] |';
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toMatch(/ALP-\d{4}-\d{3}/);
+      expect(result.markdown).not.toContain('[YYYY]');
+      expect(result.prefilledFields).toContain('Document ID');
+    });
+    it('replaces ART5-[YYYY]-[NNN] for art5-screening', () => {
+      const template = '| Report ID | ART5-[YYYY]-[NNN] |';
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template,
+        docType: 'art5-screening',
+      });
+      expect(result.markdown).toMatch(/ART5-\d{4}-\d{3}/);
+    });
+    it('does not add Document ID to prefilled if pattern not in template', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'technical-documentation',
+      });
+      expect(result.prefilledFields).not.toContain('Document ID');
+    });
+  });
+  describe('generateDocument — type-specific manual fields', () => {
+    it('ai-literacy has training-related manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.manualFields).toContain('Training levels configuration');
+      expect(result.manualFields).toContain('Sign-off signatures');
+    });
+    it('art5-screening has prohibited practice manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'art5-screening',
+      });
+      expect(result.manualFields).toContain('Prohibited practice details');
+      expect(result.manualFields).toContain('Decision and justification');
+    });
+    it('technical-documentation has architecture manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'technical-documentation',
+      });
+      expect(result.manualFields).toContain('System architecture details');
+      expect(result.manualFields).toContain('Performance metrics');
+    });
+    it('incident-report has incident manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'incident-report',
+      });
+      expect(result.manualFields).toContain('Incident description');
+      expect(result.manualFields).toContain('Root cause analysis');
+    });
+    it('declaration-of-conformity has conformity manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'declaration-of-conformity',
+      });
+      expect(result.manualFields).toContain('Harmonised standards used');
+      expect(result.manualFields).toContain('Signatory');
+    });
+    it('monitoring-policy has monitoring manual fields', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'monitoring-policy',
+      });
+      expect(result.manualFields).toContain('Human oversight assignments');
+      expect(result.manualFields).toContain('Log retention schedule');
+    });
+  });
+  describe('generateDocument — all 6 types produce valid results', () => {
+    for (const docType of ALL_DOC_TYPES) {
+      it(`generates valid result for ${docType}`, () => {
+        const result = generateDocument({
+          manifest: createMockPassport(),
+          template: SIMPLE_TEMPLATE,
+          docType,
+          organization: 'Test Corp',
+        });
+        expect(result.docType).toBe(docType);
+        expect(result.markdown).toBeTruthy();
+        expect(result.prefilledFields.length).toBeGreaterThan(0);
+        expect(result.manualFields.length).toBeGreaterThan(0);
+      });
+    }
+  });
+  describe('generateDocument — result is frozen', () => {
+    it('returns a frozen object', () => {
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(Object.isFrozen(result)).toBe(true);
+      expect(Object.isFrozen(result.prefilledFields)).toBe(true);
+      expect(Object.isFrozen(result.manualFields)).toBe(true);
+    });
+  });
+  describe('generateDocument — edge cases', () => {
+    it('handles passport with minimal fields gracefully', () => {
+      const minimal = createMockPassport({
+        model: { provider: '', model_id: '' } as any,
+        compliance: { eu_ai_act: { risk_class: '' } } as any,
+      });
+      const result = generateDocument({
+        manifest: minimal,
+        template: SIMPLE_TEMPLATE,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toBeTruthy();
+      expect(result.manualFields).toContain('Provider');
+      expect(result.manualFields).toContain('Risk Class');
+    });
+    it('replaces multiple occurrences of same placeholder', () => {
+      const template = '[Company Name] is great. [Company Name] is the best.';
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template,
+        docType: 'ai-literacy',
+        organization: 'Multi Corp',
+      });
+      expect(result.markdown).toBe('Multi Corp is great. Multi Corp is the best.');
+    });
+    it('preserves GUIDANCE comments in output', () => {
+      const template = '<!-- GUIDANCE: This is guidance -->\n[Company Name]';
+      const result = generateDocument({
+        manifest: createMockPassport(),
+        template,
+        docType: 'ai-literacy',
+      });
+      expect(result.markdown).toContain('<!-- GUIDANCE:');
+    });
+  });
+});