@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (594) hide show
  1. package/.well-known/ai-compliance.json +16 -0
  2. package/COMPLIANCE.md +64 -0
  3. package/data/data-integrity.test.ts +75 -0
  4. package/data/eval/eval-mappings.json +33 -0
  5. package/data/llm/model-pricing.json +15 -0
  6. package/data/llm/model-routing.json +36 -0
  7. package/data/onboarding/risk-profile.json +17 -0
  8. package/data/regulations/eu-ai-act/README.md +245 -0
  9. package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
  10. package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
  11. package/data/regulations/eu-ai-act/localization.json +186 -0
  12. package/data/regulations/eu-ai-act/obligations.json +3981 -0
  13. package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
  14. package/data/regulations/eu-ai-act/scoring.json +342 -0
  15. package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
  16. package/data/regulations/eu-ai-act/timeline.json +160 -0
  17. package/data/regulations/jurisdictions/at.json +15 -0
  18. package/data/regulations/jurisdictions/be.json +15 -0
  19. package/data/regulations/jurisdictions/bg.json +15 -0
  20. package/data/regulations/jurisdictions/cy.json +15 -0
  21. package/data/regulations/jurisdictions/cz.json +15 -0
  22. package/data/regulations/jurisdictions/de.json +15 -0
  23. package/data/regulations/jurisdictions/dk.json +15 -0
  24. package/data/regulations/jurisdictions/ee.json +15 -0
  25. package/data/regulations/jurisdictions/es.json +15 -0
  26. package/data/regulations/jurisdictions/fi.json +15 -0
  27. package/data/regulations/jurisdictions/fr.json +15 -0
  28. package/data/regulations/jurisdictions/gr.json +15 -0
  29. package/data/regulations/jurisdictions/hr.json +15 -0
  30. package/data/regulations/jurisdictions/hu.json +15 -0
  31. package/data/regulations/jurisdictions/ie.json +15 -0
  32. package/data/regulations/jurisdictions/is.json +15 -0
  33. package/data/regulations/jurisdictions/it.json +15 -0
  34. package/data/regulations/jurisdictions/li.json +15 -0
  35. package/data/regulations/jurisdictions/lt.json +15 -0
  36. package/data/regulations/jurisdictions/lu.json +15 -0
  37. package/data/regulations/jurisdictions/lv.json +15 -0
  38. package/data/regulations/jurisdictions/mt.json +15 -0
  39. package/data/regulations/jurisdictions/nl.json +15 -0
  40. package/data/regulations/jurisdictions/no.json +15 -0
  41. package/data/regulations/jurisdictions/pl.json +15 -0
  42. package/data/regulations/jurisdictions/pt.json +15 -0
  43. package/data/regulations/jurisdictions/ro.json +15 -0
  44. package/data/regulations/jurisdictions/se.json +15 -0
  45. package/data/regulations/jurisdictions/si.json +15 -0
  46. package/data/regulations/jurisdictions/sk.json +15 -0
  47. package/data/scanner/check-id-categories.json +81 -0
  48. package/data/scanner/confidence-params.json +16 -0
  49. package/data/scanner/limits.json +4 -0
  50. package/data/schemas/http-contract-sample.json +79 -0
  51. package/data/schemas/http-contract.json +144 -0
  52. package/data/semgrep-rules/bare-call.yaml +37 -0
  53. package/data/semgrep-rules/injection.yaml +73 -0
  54. package/data/semgrep-rules/missing-error-handling.yaml +58 -0
  55. package/data/semgrep-rules/unsafe-deser.yaml +65 -0
  56. package/data/templates/eu-ai-act/ai-literacy.md +184 -0
  57. package/data/templates/eu-ai-act/art5-screening.md +131 -0
  58. package/data/templates/eu-ai-act/data-governance.md +145 -0
  59. package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
  60. package/data/templates/eu-ai-act/fria.md +127 -0
  61. package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
  62. package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
  63. package/data/templates/eu-ai-act/incident-report.md +188 -0
  64. package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
  65. package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
  66. package/data/templates/eu-ai-act/qms.md +180 -0
  67. package/data/templates/eu-ai-act/risk-management-system.md +123 -0
  68. package/data/templates/eu-ai-act/technical-documentation.md +287 -0
  69. package/data/templates/eu-ai-act/worker-notification.md +143 -0
  70. package/data/templates/policies/biometrics-ai-policy.md +214 -0
  71. package/data/templates/policies/critical-infra-ai-policy.md +228 -0
  72. package/data/templates/policies/education-ai-policy.md +184 -0
  73. package/data/templates/policies/finance-ai-policy.md +191 -0
  74. package/data/templates/policies/healthcare-ai-policy.md +197 -0
  75. package/data/templates/policies/hr-ai-policy.md +178 -0
  76. package/data/templates/policies/legal-ai-policy.md +189 -0
  77. package/data/templates/policies/migration-ai-policy.md +239 -0
  78. package/engine.log +7 -0
  79. package/package.json +74 -0
  80. package/src/composition-root.ts +791 -0
  81. package/src/data/eval/conformity-tests.test.ts +122 -0
  82. package/src/data/eval/ct-1-transparency.ts +106 -0
  83. package/src/data/eval/ct-10-gpai.ts +25 -0
  84. package/src/data/eval/ct-11-industry.ts +42 -0
  85. package/src/data/eval/ct-2-oversight.ts +41 -0
  86. package/src/data/eval/ct-3-explanation.ts +14 -0
  87. package/src/data/eval/ct-4-bias.ts +83 -0
  88. package/src/data/eval/ct-5-accuracy.ts +41 -0
  89. package/src/data/eval/ct-6-robustness.ts +81 -0
  90. package/src/data/eval/ct-7-prohibited.ts +52 -0
  91. package/src/data/eval/ct-8-logging.ts +68 -0
  92. package/src/data/eval/ct-9-risk-awareness.ts +33 -0
  93. package/src/data/eval/deterministic-evaluator.ts +120 -0
  94. package/src/data/eval/index.ts +55 -0
  95. package/src/data/eval/judge-prompts.ts +146 -0
  96. package/src/data/eval/llm-judged-tests.ts +279 -0
  97. package/src/data/eval/llm-tests.test.ts +83 -0
  98. package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
  99. package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
  100. package/src/data/eval/remediation/ct-11-industry.ts +94 -0
  101. package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
  102. package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
  103. package/src/data/eval/remediation/ct-4-bias.ts +70 -0
  104. package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
  105. package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
  106. package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
  107. package/src/data/eval/remediation/ct-8-logging.ts +94 -0
  108. package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
  109. package/src/data/eval/remediation/index.ts +89 -0
  110. package/src/data/eval/remediation/owasp-art5.ts +15 -0
  111. package/src/data/eval/remediation/owasp-llm01.ts +72 -0
  112. package/src/data/eval/remediation/owasp-llm02.ts +72 -0
  113. package/src/data/eval/remediation/owasp-llm03.ts +15 -0
  114. package/src/data/eval/remediation/owasp-llm04.ts +15 -0
  115. package/src/data/eval/remediation/owasp-llm05.ts +15 -0
  116. package/src/data/eval/remediation/owasp-llm06.ts +15 -0
  117. package/src/data/eval/remediation/owasp-llm07.ts +15 -0
  118. package/src/data/eval/remediation/owasp-llm08.ts +15 -0
  119. package/src/data/eval/remediation/owasp-llm09.ts +15 -0
  120. package/src/data/eval/remediation/owasp-llm10.ts +15 -0
  121. package/src/data/eval/remediation/remediation.test.ts +229 -0
  122. package/src/data/eval/remediation/test-mapping.ts +290 -0
  123. package/src/data/eval/security-rubrics.ts +381 -0
  124. package/src/data/finding-explanations.json +453 -0
  125. package/src/data/industry-patterns.ts +161 -0
  126. package/src/data/registry-cards.ts +368 -0
  127. package/src/data/regulation/index.ts +5 -0
  128. package/src/data/regulation/jurisdiction-data.test.ts +73 -0
  129. package/src/data/regulation/jurisdiction-data.ts +65 -0
  130. package/src/data/regulation/regulation-data.ts +19 -0
  131. package/src/data/regulation/regulation-loader.test.ts +107 -0
  132. package/src/data/regulation/regulation-loader.ts +56 -0
  133. package/src/data/scanner-constants.ts +46 -0
  134. package/src/data/schemas/schemas-core.ts +140 -0
  135. package/src/data/schemas/schemas-supplementary.ts +211 -0
  136. package/src/data/schemas/schemas.ts +28 -0
  137. package/src/data/security/attack-probes.test.ts +62 -0
  138. package/src/data/security/attack-probes.ts +496 -0
  139. package/src/data/security/eu-ai-act-security.ts +40 -0
  140. package/src/data/security/index.ts +19 -0
  141. package/src/data/security/mitre-atlas.test.ts +43 -0
  142. package/src/data/security/mitre-atlas.ts +93 -0
  143. package/src/data/security/nist-ai-rmf.ts +43 -0
  144. package/src/data/security/owasp-llm-top10.test.ts +60 -0
  145. package/src/data/security/owasp-llm-top10.ts +138 -0
  146. package/src/data/template-registry.ts +53 -0
  147. package/src/data/tool-versions.json +22 -0
  148. package/src/domain/audit/audit-package.test.ts +152 -0
  149. package/src/domain/audit/audit-package.ts +166 -0
  150. package/src/domain/audit/audit-trail.test.ts +121 -0
  151. package/src/domain/audit/audit-trail.ts +174 -0
  152. package/src/domain/audit/index.ts +8 -0
  153. package/src/domain/audit/permissions-matrix.test.ts +136 -0
  154. package/src/domain/audit/permissions-matrix.ts +121 -0
  155. package/src/domain/certification/adversarial/bias-tests.ts +95 -0
  156. package/src/domain/certification/adversarial/evaluators.ts +304 -0
  157. package/src/domain/certification/adversarial/index.ts +11 -0
  158. package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
  159. package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
  160. package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
  161. package/src/domain/certification/aiuc1-readiness.ts +298 -0
  162. package/src/domain/certification/aiuc1-requirements.ts +235 -0
  163. package/src/domain/certification/index.ts +10 -0
  164. package/src/domain/certification/redteam-runner.test.ts +97 -0
  165. package/src/domain/certification/redteam-runner.ts +205 -0
  166. package/src/domain/certification/test-runner.test.ts +232 -0
  167. package/src/domain/certification/test-runner.ts +289 -0
  168. package/src/domain/cost/cost-estimator.test.ts +187 -0
  169. package/src/domain/cost/cost-estimator.ts +133 -0
  170. package/src/domain/disclaimer.test.ts +52 -0
  171. package/src/domain/disclaimer.ts +39 -0
  172. package/src/domain/documents/ai-enricher.test.ts +120 -0
  173. package/src/domain/documents/ai-enricher.ts +159 -0
  174. package/src/domain/documents/document-generator.test.ts +318 -0
  175. package/src/domain/documents/document-generator.ts +239 -0
  176. package/src/domain/documents/index.ts +9 -0
  177. package/src/domain/documents/passport-helpers.ts +25 -0
  178. package/src/domain/documents/policy-generator.test.ts +252 -0
  179. package/src/domain/documents/policy-generator.ts +94 -0
  180. package/src/domain/documents/worker-notification-generator.test.ts +162 -0
  181. package/src/domain/documents/worker-notification-generator.ts +141 -0
  182. package/src/domain/eval/adapters/adapter-port.ts +94 -0
  183. package/src/domain/eval/adapters/adapters.test.ts +303 -0
  184. package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
  185. package/src/domain/eval/adapters/auto-detect.ts +104 -0
  186. package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
  187. package/src/domain/eval/adapters/custom-adapter.ts +74 -0
  188. package/src/domain/eval/adapters/http-adapter.ts +66 -0
  189. package/src/domain/eval/adapters/index.ts +7 -0
  190. package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
  191. package/src/domain/eval/adapters/openai-adapter.ts +58 -0
  192. package/src/domain/eval/adapters/with-timeout.ts +25 -0
  193. package/src/domain/eval/conformity-score.test.ts +161 -0
  194. package/src/domain/eval/conformity-score.ts +135 -0
  195. package/src/domain/eval/eval-constants.ts +55 -0
  196. package/src/domain/eval/eval-evidence.test.ts +85 -0
  197. package/src/domain/eval/eval-evidence.ts +103 -0
  198. package/src/domain/eval/eval-fix-generator.test.ts +421 -0
  199. package/src/domain/eval/eval-fix-generator.ts +205 -0
  200. package/src/domain/eval/eval-passport.test.ts +82 -0
  201. package/src/domain/eval/eval-passport.ts +89 -0
  202. package/src/domain/eval/eval-remediation-report.test.ts +682 -0
  203. package/src/domain/eval/eval-remediation-report.ts +170 -0
  204. package/src/domain/eval/eval-report.ts +108 -0
  205. package/src/domain/eval/eval-runner.test.ts +609 -0
  206. package/src/domain/eval/eval-runner.ts +593 -0
  207. package/src/domain/eval/eval-to-findings.test.ts +293 -0
  208. package/src/domain/eval/eval-to-findings.ts +83 -0
  209. package/src/domain/eval/index.ts +31 -0
  210. package/src/domain/eval/llm-judge.test.ts +139 -0
  211. package/src/domain/eval/llm-judge.ts +168 -0
  212. package/src/domain/eval/remediation-types.ts +90 -0
  213. package/src/domain/eval/security-integration.test.ts +196 -0
  214. package/src/domain/eval/security-integration.ts +136 -0
  215. package/src/domain/eval/types.test.ts +173 -0
  216. package/src/domain/eval/types.ts +244 -0
  217. package/src/domain/eval/verdict-utils.ts +45 -0
  218. package/src/domain/fixer/create-fixer.ts +101 -0
  219. package/src/domain/fixer/diff.ts +70 -0
  220. package/src/domain/fixer/fix-history.ts +23 -0
  221. package/src/domain/fixer/fixer.test.ts +306 -0
  222. package/src/domain/fixer/index.ts +9 -0
  223. package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
  224. package/src/domain/fixer/strategies/bias-testing.ts +49 -0
  225. package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
  226. package/src/domain/fixer/strategies/content-marking.ts +45 -0
  227. package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
  228. package/src/domain/fixer/strategies/data-governance.ts +65 -0
  229. package/src/domain/fixer/strategies/disclosure.ts +69 -0
  230. package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
  231. package/src/domain/fixer/strategies/documentation.ts +59 -0
  232. package/src/domain/fixer/strategies/error-handler.ts +63 -0
  233. package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
  234. package/src/domain/fixer/strategies/index.ts +61 -0
  235. package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
  236. package/src/domain/fixer/strategies/kill-switch.ts +53 -0
  237. package/src/domain/fixer/strategies/license-fix.ts +57 -0
  238. package/src/domain/fixer/strategies/log-retention.ts +40 -0
  239. package/src/domain/fixer/strategies/logging.ts +59 -0
  240. package/src/domain/fixer/strategies/metadata.ts +45 -0
  241. package/src/domain/fixer/strategies/permission-guard.ts +84 -0
  242. package/src/domain/fixer/strategies/record-keeping.ts +69 -0
  243. package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
  244. package/src/domain/fixer/strategies.test.ts +341 -0
  245. package/src/domain/fixer/template-engine.test.ts +64 -0
  246. package/src/domain/fixer/template-engine.ts +38 -0
  247. package/src/domain/fixer/types.ts +88 -0
  248. package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
  249. package/src/domain/frameworks/aiuc1-framework.ts +126 -0
  250. package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
  251. package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
  252. package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
  253. package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
  254. package/src/domain/frameworks/framework-registry.test.ts +91 -0
  255. package/src/domain/frameworks/framework-registry.ts +38 -0
  256. package/src/domain/frameworks/index.ts +8 -0
  257. package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
  258. package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
  259. package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
  260. package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
  261. package/src/domain/frameworks/score-plugin-framework.ts +117 -0
  262. package/src/domain/fria/fria-generator.test.ts +273 -0
  263. package/src/domain/fria/fria-generator.ts +366 -0
  264. package/src/domain/import/promptfoo-importer.test.ts +103 -0
  265. package/src/domain/import/promptfoo-importer.ts +151 -0
  266. package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
  267. package/src/domain/onboarding/guided-onboarding.ts +135 -0
  268. package/src/domain/passport/builder/domain-mapper.ts +9 -0
  269. package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
  270. package/src/domain/passport/builder/manifest-builder.ts +535 -0
  271. package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
  272. package/src/domain/passport/builder/manifest-diff.ts +89 -0
  273. package/src/domain/passport/builder/manifest-files.ts +17 -0
  274. package/src/domain/passport/crypto-signer.test.ts +93 -0
  275. package/src/domain/passport/crypto-signer.ts +157 -0
  276. package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
  277. package/src/domain/passport/discovery/agent-discovery.ts +325 -0
  278. package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
  279. package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
  280. package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
  281. package/src/domain/passport/discovery/permission-scanner.ts +414 -0
  282. package/src/domain/passport/export/a2a-mapper.ts +75 -0
  283. package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
  284. package/src/domain/passport/export/export.test.ts +207 -0
  285. package/src/domain/passport/export/index.ts +41 -0
  286. package/src/domain/passport/export/nist-mapper.ts +227 -0
  287. package/src/domain/passport/import/a2a-importer.test.ts +133 -0
  288. package/src/domain/passport/import/a2a-importer.ts +156 -0
  289. package/src/domain/passport/import/index.ts +2 -0
  290. package/src/domain/passport/index.ts +32 -0
  291. package/src/domain/passport/obligation-field-map.test.ts +113 -0
  292. package/src/domain/passport/obligation-field-map.ts +117 -0
  293. package/src/domain/passport/passport-validator.test.ts +156 -0
  294. package/src/domain/passport/passport-validator.ts +126 -0
  295. package/src/domain/passport/scan-to-compliance.test.ts +336 -0
  296. package/src/domain/passport/scan-to-compliance.ts +166 -0
  297. package/src/domain/passport/test-generator.test.ts +93 -0
  298. package/src/domain/passport/test-generator.ts +136 -0
  299. package/src/domain/proxy/index.ts +11 -0
  300. package/src/domain/proxy/json-rpc.test.ts +72 -0
  301. package/src/domain/proxy/json-rpc.ts +53 -0
  302. package/src/domain/proxy/policy-engine.test.ts +259 -0
  303. package/src/domain/proxy/policy-engine.ts +137 -0
  304. package/src/domain/proxy/proxy-bridge.ts +125 -0
  305. package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
  306. package/src/domain/proxy/proxy-interceptor.ts +120 -0
  307. package/src/domain/proxy/proxy-types.ts +35 -0
  308. package/src/domain/registry/compute-agent-score.test.ts +279 -0
  309. package/src/domain/registry/compute-agent-score.ts +162 -0
  310. package/src/domain/reporter/audit-report.test.ts +87 -0
  311. package/src/domain/reporter/audit-report.ts +116 -0
  312. package/src/domain/reporter/badge-generator.test.ts +54 -0
  313. package/src/domain/reporter/badge-generator.ts +40 -0
  314. package/src/domain/reporter/compliance-md.ts +45 -0
  315. package/src/domain/reporter/index.ts +7 -0
  316. package/src/domain/reporter/pdf-renderer.ts +282 -0
  317. package/src/domain/reporter/share.test.ts +92 -0
  318. package/src/domain/reporter/share.ts +80 -0
  319. package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
  320. package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
  321. package/src/domain/scanner/attestations.ts +97 -0
  322. package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
  323. package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
  324. package/src/domain/scanner/checks/ai-literacy.ts +163 -0
  325. package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
  326. package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
  327. package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
  328. package/src/domain/scanner/checks/content-marking.ts +74 -0
  329. package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
  330. package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
  331. package/src/domain/scanner/checks/documentation.test.ts +88 -0
  332. package/src/domain/scanner/checks/documentation.ts +79 -0
  333. package/src/domain/scanner/checks/git-history.test.ts +120 -0
  334. package/src/domain/scanner/checks/git-history.ts +163 -0
  335. package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
  336. package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
  337. package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
  338. package/src/domain/scanner/checks/index.ts +28 -0
  339. package/src/domain/scanner/checks/industry/index.ts +40 -0
  340. package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
  341. package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
  342. package/src/domain/scanner/checks/interaction-logging.ts +142 -0
  343. package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
  344. package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
  345. package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
  346. package/src/domain/scanner/checks/passport-completeness.ts +82 -0
  347. package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
  348. package/src/domain/scanner/checks/passport-presence.ts +78 -0
  349. package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
  350. package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
  351. package/src/domain/scanner/checks/permission-scanner.ts +90 -0
  352. package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
  353. package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
  354. package/src/domain/scanner/compliance-diff.test.ts +165 -0
  355. package/src/domain/scanner/compliance-diff.ts +138 -0
  356. package/src/domain/scanner/confidence.test.ts +235 -0
  357. package/src/domain/scanner/confidence.ts +156 -0
  358. package/src/domain/scanner/constants.ts +13 -0
  359. package/src/domain/scanner/create-scanner.ts +573 -0
  360. package/src/domain/scanner/cross-layer.test.ts +372 -0
  361. package/src/domain/scanner/cross-layer.ts +232 -0
  362. package/src/domain/scanner/data/ai-packages.ts +82 -0
  363. package/src/domain/scanner/debt-calculator.test.ts +89 -0
  364. package/src/domain/scanner/debt-calculator.ts +111 -0
  365. package/src/domain/scanner/drift.test.ts +191 -0
  366. package/src/domain/scanner/drift.ts +73 -0
  367. package/src/domain/scanner/evidence-store.test.ts +207 -0
  368. package/src/domain/scanner/evidence-store.ts +195 -0
  369. package/src/domain/scanner/evidence.test.ts +104 -0
  370. package/src/domain/scanner/evidence.ts +71 -0
  371. package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
  372. package/src/domain/scanner/external/bandit-runner.ts +90 -0
  373. package/src/domain/scanner/external/checks.ts +321 -0
  374. package/src/domain/scanner/external/dedup.test.ts +79 -0
  375. package/src/domain/scanner/external/dedup.ts +94 -0
  376. package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
  377. package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
  378. package/src/domain/scanner/external/external-scanner.test.ts +221 -0
  379. package/src/domain/scanner/external/external-scanner.ts +36 -0
  380. package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
  381. package/src/domain/scanner/external/finding-mapper.ts +138 -0
  382. package/src/domain/scanner/external/index.ts +15 -0
  383. package/src/domain/scanner/external/mappings.ts +93 -0
  384. package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
  385. package/src/domain/scanner/external/modelscan-runner.ts +101 -0
  386. package/src/domain/scanner/external/path-utils.ts +8 -0
  387. package/src/domain/scanner/external/runner-port.ts +45 -0
  388. package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
  389. package/src/domain/scanner/external/semgrep-runner.ts +94 -0
  390. package/src/domain/scanner/external/types.ts +32 -0
  391. package/src/domain/scanner/finding-attribution.test.ts +444 -0
  392. package/src/domain/scanner/finding-attribution.ts +195 -0
  393. package/src/domain/scanner/finding-explainer.test.ts +157 -0
  394. package/src/domain/scanner/finding-explainer.ts +73 -0
  395. package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
  396. package/src/domain/scanner/fix-diff-builder.ts +477 -0
  397. package/src/domain/scanner/import-graph.test.ts +162 -0
  398. package/src/domain/scanner/import-graph.ts +198 -0
  399. package/src/domain/scanner/languages/adapter.test.ts +105 -0
  400. package/src/domain/scanner/languages/adapter.ts +239 -0
  401. package/src/domain/scanner/layers/index.ts +24 -0
  402. package/src/domain/scanner/layers/layer1-files.ts +54 -0
  403. package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
  404. package/src/domain/scanner/layers/layer2-docs.ts +297 -0
  405. package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
  406. package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
  407. package/src/domain/scanner/layers/layer3-config.ts +279 -0
  408. package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
  409. package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
  410. package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
  411. package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
  412. package/src/domain/scanner/layers/layer5-docs.ts +250 -0
  413. package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
  414. package/src/domain/scanner/layers/layer5-llm.ts +262 -0
  415. package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
  416. package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
  417. package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
  418. package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
  419. package/src/domain/scanner/regulation-version.test.ts +54 -0
  420. package/src/domain/scanner/regulation-version.ts +23 -0
  421. package/src/domain/scanner/role-filter.test.ts +116 -0
  422. package/src/domain/scanner/role-filter.ts +51 -0
  423. package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
  424. package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
  425. package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
  426. package/src/domain/scanner/rules/banned-packages.ts +55 -0
  427. package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
  428. package/src/domain/scanner/rules/comment-filter.ts +297 -0
  429. package/src/domain/scanner/rules/index.ts +9 -0
  430. package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
  431. package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
  432. package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
  433. package/src/domain/scanner/sbom.test.ts +136 -0
  434. package/src/domain/scanner/sbom.ts +103 -0
  435. package/src/domain/scanner/scan-cache.test.ts +136 -0
  436. package/src/domain/scanner/scan-cache.ts +115 -0
  437. package/src/domain/scanner/scanner.test.ts +125 -0
  438. package/src/domain/scanner/score-calculator.test.ts +363 -0
  439. package/src/domain/scanner/score-calculator.ts +189 -0
  440. package/src/domain/scanner/security-score.test.ts +107 -0
  441. package/src/domain/scanner/security-score.ts +116 -0
  442. package/src/domain/scanner/source-filter.ts +24 -0
  443. package/src/domain/scanner/validators.ts +223 -0
  444. package/src/domain/shared/compliance-constants.ts +48 -0
  445. package/src/domain/shared/disclosure-patterns.ts +16 -0
  446. package/src/domain/shared/index.ts +6 -0
  447. package/src/domain/shared/parse-dependencies.ts +21 -0
  448. package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
  449. package/src/domain/supply-chain/index.ts +3 -0
  450. package/src/domain/supply-chain/supply-chain.test.ts +211 -0
  451. package/src/domain/supply-chain/types.ts +32 -0
  452. package/src/domain/whatif/config-fixer.ts +187 -0
  453. package/src/domain/whatif/index.ts +6 -0
  454. package/src/domain/whatif/scenario-engine.ts +121 -0
  455. package/src/domain/whatif/simulate-actions.test.ts +161 -0
  456. package/src/domain/whatif/simulate-actions.ts +114 -0
  457. package/src/domain/whatif/whatif.test.ts +135 -0
  458. package/src/e2e/gaps-e2e.test.ts +259 -0
  459. package/src/e2e/smoke.test.ts +101 -0
  460. package/src/hooks/hooks-export.test.ts +81 -0
  461. package/src/hooks/installer.ts +113 -0
  462. package/src/http/cors.test.ts +38 -0
  463. package/src/http/create-router.ts +259 -0
  464. package/src/http/routes/agent.route.ts +380 -0
  465. package/src/http/routes/audit.route.ts +66 -0
  466. package/src/http/routes/badge.route.ts +23 -0
  467. package/src/http/routes/cert.route.ts +66 -0
  468. package/src/http/routes/chat.route.ts +228 -0
  469. package/src/http/routes/cost.route.ts +33 -0
  470. package/src/http/routes/debt.route.ts +29 -0
  471. package/src/http/routes/disclaimer.route.ts +64 -0
  472. package/src/http/routes/eval.route.ts +161 -0
  473. package/src/http/routes/events.route.test.ts +108 -0
  474. package/src/http/routes/events.route.ts +71 -0
  475. package/src/http/routes/external-scan.route.ts +24 -0
  476. package/src/http/routes/file.route.ts +54 -0
  477. package/src/http/routes/fix.route.ts +219 -0
  478. package/src/http/routes/frameworks.route.test.ts +66 -0
  479. package/src/http/routes/frameworks.route.ts +36 -0
  480. package/src/http/routes/git.route.ts +27 -0
  481. package/src/http/routes/guided-onboarding.route.ts +65 -0
  482. package/src/http/routes/import.route.ts +64 -0
  483. package/src/http/routes/jurisdiction.route.ts +22 -0
  484. package/src/http/routes/obligations.route.test.ts +122 -0
  485. package/src/http/routes/obligations.route.ts +110 -0
  486. package/src/http/routes/onboarding.route.ts +53 -0
  487. package/src/http/routes/provider.route.ts +42 -0
  488. package/src/http/routes/proxy.route.ts +40 -0
  489. package/src/http/routes/redteam.route.ts +84 -0
  490. package/src/http/routes/report.route.ts +29 -0
  491. package/src/http/routes/scan.route.ts +104 -0
  492. package/src/http/routes/share.route.ts +44 -0
  493. package/src/http/routes/shell.route.ts +27 -0
  494. package/src/http/routes/status.route.ts +66 -0
  495. package/src/http/routes/supply-chain.route.ts +121 -0
  496. package/src/http/routes/sync.route.ts +328 -0
  497. package/src/http/routes/tools.route.ts +29 -0
  498. package/src/http/routes/whatif.route.ts +96 -0
  499. package/src/http/utils/validation.ts +31 -0
  500. package/src/index.ts +1 -0
  501. package/src/infra/bundle-fetcher.ts +77 -0
  502. package/src/infra/cache-storage.ts +34 -0
  503. package/src/infra/event-bus.ts +31 -0
  504. package/src/infra/file-collector.ts +61 -0
  505. package/src/infra/file-ops-adapter.ts +95 -0
  506. package/src/infra/file-watcher.test.ts +90 -0
  507. package/src/infra/file-watcher.ts +106 -0
  508. package/src/infra/git-adapter.ts +93 -0
  509. package/src/infra/git-history-adapter.ts +41 -0
  510. package/src/infra/headless-browser.ts +178 -0
  511. package/src/infra/llm-adapter.test.ts +83 -0
  512. package/src/infra/llm-adapter.ts +86 -0
  513. package/src/infra/logger.ts +27 -0
  514. package/src/infra/project-config.test.ts +74 -0
  515. package/src/infra/project-config.ts +35 -0
  516. package/src/infra/rate-limiter.test.ts +36 -0
  517. package/src/infra/rate-limiter.ts +34 -0
  518. package/src/infra/retry.ts +46 -0
  519. package/src/infra/saas-client.ts +123 -0
  520. package/src/infra/search-adapter.ts +113 -0
  521. package/src/infra/shell-adapter.ts +68 -0
  522. package/src/infra/tool-manager.test.ts +99 -0
  523. package/src/infra/tool-manager.ts +197 -0
  524. package/src/llm/agents/agent-modes.test.ts +44 -0
  525. package/src/llm/agents/modes.ts +68 -0
  526. package/src/llm/routing/cost-routing.test.ts +37 -0
  527. package/src/llm/routing/cost-tracker.ts +74 -0
  528. package/src/llm/routing/model-routing.test.ts +79 -0
  529. package/src/llm/routing/model-routing.ts +38 -0
  530. package/src/llm/routing/pricing.ts +19 -0
  531. package/src/llm/sse-protocol.ts +77 -0
  532. package/src/llm/tool-definitions.ts +83 -0
  533. package/src/llm/tool-executors.ts +80 -0
  534. package/src/llm/tools/types.ts +13 -0
  535. package/src/mcp/create-mcp-stack.ts +82 -0
  536. package/src/mcp/handlers.ts +245 -0
  537. package/src/mcp/index.ts +28 -0
  538. package/src/mcp/mcp-server.test.ts +80 -0
  539. package/src/mcp/server.ts +79 -0
  540. package/src/mcp/tools.ts +48 -0
  541. package/src/onboarding/auto-detect.ts +164 -0
  542. package/src/onboarding/onboarding.test.ts +89 -0
  543. package/src/onboarding/profile.ts +169 -0
  544. package/src/onboarding/questions.ts +112 -0
  545. package/src/onboarding/wizard.ts +66 -0
  546. package/src/output/github-issue.ts +32 -0
  547. package/src/output/json-output.ts +67 -0
  548. package/src/ports/browser.port.ts +23 -0
  549. package/src/ports/events.port.ts +28 -0
  550. package/src/ports/llm.port.ts +23 -0
  551. package/src/ports/logger.port.ts +6 -0
  552. package/src/ports/process.port.ts +6 -0
  553. package/src/ports/scanner.port.ts +15 -0
  554. package/src/server.ts +134 -0
  555. package/src/services/badge-service.ts +67 -0
  556. package/src/services/chat-service.test.ts +162 -0
  557. package/src/services/chat-service.ts +152 -0
  558. package/src/services/cost-service.ts +52 -0
  559. package/src/services/debt-service.ts +65 -0
  560. package/src/services/eval-integration.test.ts +132 -0
  561. package/src/services/eval-service.test.ts +373 -0
  562. package/src/services/eval-service.ts +463 -0
  563. package/src/services/external-scan-service.ts +60 -0
  564. package/src/services/file-service.ts +37 -0
  565. package/src/services/fix-service.test.ts +470 -0
  566. package/src/services/fix-service.ts +648 -0
  567. package/src/services/framework-service.test.ts +159 -0
  568. package/src/services/framework-service.ts +67 -0
  569. package/src/services/onboarding-service.ts +165 -0
  570. package/src/services/passport-audit.ts +244 -0
  571. package/src/services/passport-documents.ts +258 -0
  572. package/src/services/passport-service-utils.ts +72 -0
  573. package/src/services/passport-service.test.ts +251 -0
  574. package/src/services/passport-service.ts +339 -0
  575. package/src/services/proxy-service.ts +81 -0
  576. package/src/services/report-service.ts +72 -0
  577. package/src/services/scan-service.test.ts +470 -0
  578. package/src/services/scan-service.ts +335 -0
  579. package/src/services/share-service.ts +108 -0
  580. package/src/services/shared/backup.ts +23 -0
  581. package/src/services/status-service.ts +38 -0
  582. package/src/services/undo-service.test.ts +190 -0
  583. package/src/services/undo-service.ts +144 -0
  584. package/src/test-helpers/factories.ts +116 -0
  585. package/src/types/common.schemas.ts +147 -0
  586. package/src/types/common.types.ts +292 -0
  587. package/src/types/contract.test.ts +217 -0
  588. package/src/types/errors.ts +52 -0
  589. package/src/types/framework.types.ts +87 -0
  590. package/src/types/passport-schemas.ts +241 -0
  591. package/src/types/passport.types.ts +296 -0
  592. package/src/version.ts +1 -0
  593. package/tsconfig.json +20 -0
  594. package/vitest.config.ts +9 -0
package/data/regulations/eu-ai-act/regulation-meta.json ADDED
@@ -0,0 +1,482 @@
1
+ {
2
+ "stage_1_metadata": {
3
+ "regulation_id": "eu-ai-act",
4
+ "official_name": "Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)",
5
+ "official_name_en": "EU Artificial Intelligence Act (EU AI Act)",
6
+ "jurisdiction": "European Union (all 27 Member States + EEA relevance)",
7
+ "jurisdiction_code": "EU",
8
+ "type": "comprehensive",
9
+ "status": "in-force",
10
+ "enacted_date": "2024-06-13",
11
+ "published_date": "2024-07-12",
12
+ "entry_into_force_date": "2024-08-01",
13
+ "enforcement_dates": [
14
+ {
15
+ "phase": "Phase 0 — Entry into force",
16
+ "date": "2024-08-01",
17
+ "what_applies": "Regulation enters into force. No obligations yet enforceable."
18
+ },
19
+ {
20
+ "phase": "Phase 1 — Prohibited practices + AI literacy",
21
+ "date": "2025-02-02",
22
+ "what_applies": "Article 5 prohibitions (banned AI practices: social scoring, manipulative AI, predictive policing by profiling, real-time remote biometric ID in public except narrow exceptions). Article 4 AI literacy obligation for all operators."
23
+ },
24
+ {
25
+ "phase": "Phase 2 — GPAI rules + Governance + Penalties",
26
+ "date": "2025-08-02",
27
+ "what_applies": "Chapter V obligations for general-purpose AI (GPAI) model providers (Articles 51–56). Governance bodies operational (AI Office, AI Board, Advisory Forum, Scientific Panel). Member States designate national competent authorities. Penalty regime under Article 99 becomes applicable. Codes of Practice for GPAI finalized."
28
+ },
29
+ {
30
+ "phase": "Phase 3 — Majority of provisions including high-risk AI (Annex III)",
31
+ "date": "2026-08-02",
32
+ "what_applies": "High-risk AI systems under Annex III (standalone high-risk): full compliance required (Articles 6–49 for high-risk). Transparency obligations (Article 50). Deployer obligations (Article 26). Fundamental rights impact assessments (Article 27). Registration in EU database (Article 49). Innovation sandboxes required (Article 57). Post-market monitoring (Article 72). Serious incident reporting (Article 73)."
33
+ },
34
+ {
35
+ "phase": "Phase 4 — Full enforcement including Annex II high-risk (product safety)",
36
+ "date": "2027-08-02",
37
+ "what_applies": "High-risk AI systems under Article 6(1) / Annex II (AI as safety component of products covered by EU harmonization legislation, e.g., medical devices, machinery, toys). Legacy GPAI models placed on market before Aug 2025 must be compliant. Full scope of AI Act applies to all risk categories."
38
+ },
39
+ {
40
+ "phase": "Phase 5 — Large-scale IT systems in AFSJ",
41
+ "date": "2030-12-31",
42
+ "what_applies": "AI systems that are components of large-scale IT systems in the Area of Freedom, Security and Justice (Annex X) placed on market before Aug 2027 must be brought into compliance."
43
+ }
44
+ ],
45
+ "full_enforcement_date": "2027-08-02",
46
+ "regulatory_body": "European AI Office (EU-level for GPAI), National Market Surveillance Authorities (Member State level for most AI systems), European Artificial Intelligence Board (coordination)",
47
+ "max_penalty": "€35,000,000 or 7% of total worldwide annual turnover, whichever is higher",
48
+ "penalty_details": {
49
+ "tier_1_prohibited_practices": "Up to €35M or 7% of worldwide annual turnover (whichever higher) — for violations of Article 5 prohibited AI practices",
50
+ "tier_2_other_obligations": "Up to €15M or 3% of worldwide annual turnover (whichever higher) — for violations of provider/deployer/importer/distributor/notified body obligations",
51
+ "tier_3_incorrect_information": "Up to €7.5M or 1% of worldwide annual turnover (whichever higher) — for supplying incorrect, incomplete, or misleading information to authorities",
52
+ "gpai_providers": "Up to €15M or 3% of worldwide annual turnover (whichever higher) — imposed by European Commission under Article 101",
53
+ "sme_rule": "For SMEs and start-ups, fines are capped at the LOWER of the percentage or fixed amount (instead of higher)",
54
+ "eu_institutions": "Up to €1.5M for prohibited practices violations, up to €750K for other violations (Article 100)"
55
+ },
56
+ "official_text_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
57
+ "language": "All 24 official EU languages (English reference text widely used)",
58
+ "extraterritorial": true,
59
+ "extraterritorial_conditions": "Applies to: (a) providers placing AI systems/GPAI models on EU market regardless of location; (b) deployers established or located in EU; (c) providers and deployers in third countries where AI output is used in the EU; (d) importers and distributors in EU; (e) product manufacturers placing AI+product on EU market; (f) authorised representatives of non-EU providers; (g) affected persons located in EU. Does NOT apply to: purely personal non-professional use, R&D before market placement, military/defence/national security, third-country public authorities under international cooperation agreements with adequate safeguards.",
60
+ "risk_based": true,
61
+ "risk_levels": [
62
+ "Unacceptable risk (prohibited)",
63
+ "High risk",
64
+ "Limited risk (transparency obligations)",
65
+ "Minimal/No risk",
66
+ "General-purpose AI (GPAI) — separate classification track",
67
+ "GPAI with systemic risk — elevated GPAI obligations"
68
+ ],
69
+ "key_definitions": {
70
+ "AI system": "A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (Art. 3(1))",
71
+ "provider": "A natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge (Art. 3(3))",
72
+ "deployer": "A natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity (Art. 3(4))",
73
+ "authorised_representative": "A natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a GPAI model to carry out obligations under the AI Act on its behalf (Art. 3(5))",
74
+ "importer": "A natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country (Art. 3(6))",
75
+ "distributor": "A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market (Art. 3(7))",
76
+ "operator": "A provider, product manufacturer, deployer, authorised representative, importer or distributor (Art. 3(8))",
77
+ "placing_on_the_market": "The first making available of an AI system or a general-purpose AI model on the Union market (Art. 3(9))",
78
+ "putting_into_service": "The supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose (Art. 3(11))",
79
+ "intended_purpose": "The use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider (Art. 3(12))",
80
+ "reasonably_foreseeable_misuse": "The use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems (Art. 3(13))",
81
+ "high_risk_AI_system": "An AI system that falls under Article 6 criteria — either as safety component of products under Annex II legislation requiring third-party conformity assessment, or listed in Annex III use cases",
82
+ "general_purpose_AI_model": "An AI model, including where trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications (Art. 3(63))",
83
+ "general_purpose_AI_model_with_systemic_risk": "A GPAI model with high impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks (Art. 3(65)), presumed when cumulative compute > 10^25 FLOPs (Art. 51(2))",
84
+ "deep_fake": "AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful (Art. 3(60))",
85
+ "AI_literacy": "Skills, knowledge and understanding that allows providers, deployers and affected persons, taking into account their respective rights and obligations, to make an informed deployment of AI systems, to become aware of the opportunities and risks of AI and possible harm it can cause (Art. 3(56))",
86
+ "substantial_modification": "A change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements is affected or the intended purpose is modified (Art. 3(23))",
87
+ "fundamental_rights_impact_assessment": "Assessment that public deployers (and certain private deployers) of high-risk AI must conduct before putting the system into use to evaluate risks to fundamental rights (Art. 27)",
88
+ "post_market_monitoring": "All activities carried out by providers to collect and review experience gained from the use of AI systems for the purpose of identifying any need to immediately apply corrective or preventive actions (Art. 3(25))",
89
+ "serious_incident": "An incident or malfunctioning of an AI system that directly or indirectly leads to death, serious damage to health, serious disruption of critical infrastructure, violation of fundamental rights obligations, or serious damage to property or environment (Art. 3(49))"
90
+ }
91
+ },
92
+ "stage_2_role_mapping": {
93
+ "roles": [
94
+ {
95
+ "role_id": "eu-ai-act-role-provider",
96
+ "name_in_law": "Provider (fournisseur)",
97
+ "name_en": "Provider",
98
+ "definition": "A natural or legal person, public authority, agency or other body that develops an AI system or a GPAI model or that has an AI system or a GPAI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge (Art. 3(3))",
99
+ "maps_to_complior": "provider",
100
+ "obligations_summary": "Most extensive obligations: risk management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping/logging (Art. 12), transparency and provision of information to deployers (Art. 13), human oversight design (Art. 14), accuracy/robustness/cybersecurity (Art. 15), quality management system (Art. 17), conformity assessment (Art. 43), CE marking (Art. 48), EU database registration (Art. 49), post-market monitoring (Art. 72), serious incident reporting (Art. 73), cooperation with authorities (Art. 21).",
101
+ "relevant_articles": [
102
+ "Art. 3(3)",
103
+ "Art. 9",
104
+ "Art. 10",
105
+ "Art. 11",
106
+ "Art. 12",
107
+ "Art. 13",
108
+ "Art. 14",
109
+ "Art. 15",
110
+ "Art. 16",
111
+ "Art. 17",
112
+ "Art. 18",
113
+ "Art. 20",
114
+ "Art. 21",
115
+ "Art. 43",
116
+ "Art. 47",
117
+ "Art. 48",
118
+ "Art. 49",
119
+ "Art. 50(1)",
120
+ "Art. 50(2)",
121
+ "Art. 50(4)",
122
+ "Art. 72",
123
+ "Art. 73"
124
+ ]
125
+ },
126
+ {
127
+ "role_id": "eu-ai-act-role-deployer",
128
+ "name_in_law": "Deployer (déployeur)",
129
+ "name_en": "Deployer",
130
+ "definition": "A natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity (Art. 3(4))",
131
+ "maps_to_complior": "deployer",
132
+ "obligations_summary": "Use AI in accordance with instructions (Art. 26(1)), assign human oversight to competent persons (Art. 26(2)), ensure input data is relevant (Art. 26(4)), monitor AI operation (Art. 26(5)), keep logs (Art. 26(6)), inform workers/representatives (Art. 26(7)), fundamental rights impact assessment for public deployers and certain private deployers (Art. 27), inform affected persons of AI decisions (Art. 26(11)), transparency obligations for AI interaction (Art. 50), cooperation with authorities (Art. 26(10)).",
133
+ "relevant_articles": [
134
+ "Art. 3(4)",
135
+ "Art. 4",
136
+ "Art. 26",
137
+ "Art. 27",
138
+ "Art. 50(3)",
139
+ "Art. 50(4)",
140
+ "Art. 86",
141
+ "Art. 95"
142
+ ]
143
+ },
144
+ {
145
+ "role_id": "eu-ai-act-role-importer",
146
+ "name_in_law": "Importer (importateur)",
147
+ "name_en": "Importer",
148
+ "definition": "A natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country (Art. 3(6))",
149
+ "maps_to_complior": "other",
150
+ "obligations_summary": "Verify conformity assessment completed, CE marking present, technical documentation available, provider has appointed authorised representative. Ensure storage/transport conditions do not jeopardize compliance. Keep copy of EU declaration of conformity. (Art. 23)",
151
+ "relevant_articles": [
152
+ "Art. 3(6)",
153
+ "Art. 23"
154
+ ]
155
+ },
156
+ {
157
+ "role_id": "eu-ai-act-role-distributor",
158
+ "name_in_law": "Distributor (distributeur)",
159
+ "name_en": "Distributor",
160
+ "definition": "A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market (Art. 3(7))",
161
+ "maps_to_complior": "other",
162
+ "obligations_summary": "Verify CE marking present, required documentation accompanies system, provider and importer have fulfilled labeling obligations. Not make available non-conforming systems. (Art. 24)",
163
+ "relevant_articles": [
164
+ "Art. 3(7)",
165
+ "Art. 24"
166
+ ]
167
+ },
168
+ {
169
+ "role_id": "eu-ai-act-role-authorised-rep",
170
+ "name_in_law": "Authorised representative (mandataire)",
171
+ "name_en": "Authorised Representative",
172
+ "definition": "A natural or legal person located or established in the EU who has received and accepted a written mandate from a non-EU provider to carry out AI Act obligations on its behalf (Art. 3(5))",
173
+ "maps_to_complior": "other",
174
+ "obligations_summary": "Perform obligations per mandate: verify conformity, keep documentation, provide information to authorities, cooperate with enforcement, terminate mandate if provider acts contrary to AI Act. (Art. 22)",
175
+ "relevant_articles": [
176
+ "Art. 3(5)",
177
+ "Art. 22"
178
+ ]
179
+ },
180
+ {
181
+ "role_id": "eu-ai-act-role-product-manufacturer",
182
+ "name_in_law": "Product manufacturer",
183
+ "name_en": "Product Manufacturer",
184
+ "definition": "Entity placing on the market or putting into service an AI system together with their product and under their own name or trademark (Art. 2(1)(e))",
185
+ "maps_to_complior": "provider",
186
+ "obligations_summary": "When integrating AI as safety component into regulated products, assumes provider obligations for the AI component. Must ensure product-level conformity assessment covers AI requirements.",
187
+ "relevant_articles": [
188
+ "Art. 2(1)(e)",
189
+ "Art. 25"
190
+ ]
191
+ },
192
+ {
193
+ "role_id": "eu-ai-act-role-gpai-provider",
194
+ "name_in_law": "Provider of general-purpose AI model",
195
+ "name_en": "GPAI Model Provider",
196
+ "definition": "Provider that develops or has developed a general-purpose AI model and places it on the EU market, regardless of establishment location",
197
+ "maps_to_complior": "provider",
198
+ "obligations_summary": "Technical documentation (Art. 53 + Annex XI), transparency information to downstream providers (Art. 53 + Annex XII), copyright compliance policy (Art. 53(1)(c)), summary of training content (Art. 53(1)(d)). Additional for systemic risk: model evaluation (Art. 55), adversarial testing (Art. 55), serious incident tracking and reporting (Art. 55), cybersecurity (Art. 55).",
199
+ "relevant_articles": [
200
+ "Art. 51",
201
+ "Art. 52",
202
+ "Art. 53",
203
+ "Art. 54",
204
+ "Art. 55",
205
+ "Art. 56"
206
+ ]
207
+ },
208
+ {
209
+ "role_id": "eu-ai-act-role-affected-person",
210
+ "name_in_law": "Affected person (personne concernée)",
211
+ "name_en": "Affected Person",
212
+ "definition": "A natural person or a group of persons who are subject to or otherwise affected by an AI system (implicit across multiple articles, e.g., Art. 86)",
213
+ "maps_to_complior": "other",
214
+ "obligations_summary": "No obligations — holder of rights: right to explanation of individual AI decisions (Art. 86), right to lodge complaint with market surveillance authority (Art. 85), right to effective judicial remedy (Art. 87).",
215
+ "relevant_articles": [
216
+ "Art. 85",
217
+ "Art. 86",
218
+ "Art. 87"
219
+ ]
220
+ }
221
+ ]
222
+ },
223
+ "stage_3_risk_classification": {
224
+ "system": "The EU AI Act uses a risk-based pyramid approach with four primary tiers plus a separate GPAI track. AI systems are classified based on their intended purpose, the domain of use, and the potential impact on fundamental rights, health, and safety. Higher risk = more obligations. Unacceptable risk systems are banned outright. High-risk systems face the heaviest regulatory burden. Limited-risk systems have transparency obligations. Minimal-risk systems are essentially unregulated (voluntary codes of conduct only).",
225
+ "levels": [
226
+ {
227
+ "level_id": "unacceptable",
228
+ "name_in_law": "Prohibited AI practices",
229
+ "name_en": "Unacceptable Risk (Prohibited)",
230
+ "definition": "AI systems and practices that are deemed to pose a clear threat to the safety, livelihoods, and fundamental rights of persons and are therefore prohibited from being placed on the market, put into service, or used in the EU.",
231
+ "criteria": [
232
+ "AI systems that deploy subliminal, manipulative, or deceptive techniques to distort behavior and impair informed decision-making, causing significant harm",
233
+ "AI systems that exploit vulnerabilities of persons due to age, disability, or specific social/economic situation",
234
+ "Social scoring systems: AI that evaluates/classifies persons based on social behavior or personal characteristics leading to detrimental or disproportionate treatment",
235
+ "AI systems for making risk assessments of natural persons to predict criminal offending based solely on profiling or personality traits",
236
+ "AI systems that create or expand facial recognition databases through untargeted scraping of facial images from internet/CCTV",
237
+ "AI systems that infer emotions in workplace and educational settings (except for medical/safety reasons)",
238
+ "Biometric categorization systems using sensitive characteristics (race, political opinions, religion, sexual orientation, etc.)",
239
+ "Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions)"
240
+ ],
241
+ "obligations_level": "banned",
242
+ "examples_from_law": [
243
+ "AI system using subliminal techniques in advertising to manipulate purchasing decisions causing financial harm",
244
+ "AI scoring citizens based on social behavior to determine access to public services",
245
+ "AI predicting likelihood of committing crime based solely on facial features or personality profile",
246
+ "Scraping social media to build facial recognition database without consent or legal basis",
247
+ "AI emotion recognition in school classroom or office workplace (non-safety contexts)",
248
+ "Real-time facial recognition in public streets by police (except specific exceptions like missing children, imminent terrorist threats)"
249
+ ],
250
+ "our_mapping_logic": "If the AI system's use case matches ANY of the Article 5 prohibited practices → UNACCEPTABLE. Check against each prohibited category. Even if the system itself is benign, using it for a prohibited purpose triggers this level."
251
+ },
252
+ {
253
+ "level_id": "high",
254
+ "name_in_law": "High-risk AI system",
255
+ "name_en": "High Risk",
256
+ "definition": "AI systems that (a) are intended to be used as a safety component of products covered by EU harmonization legislation listed in Annex II and requiring third-party conformity assessment, OR (b) fall under one of the specific use-case areas listed in Annex III, unless the provider demonstrates the system does not pose a significant risk to health, safety or fundamental rights.",
257
+ "criteria": [
258
+ "TRACK A (Art. 6(1) — Annex II products): AI is a safety component of a product covered by EU harmonization legislation (machinery, toys, lifts, medical devices, motor vehicles, aviation, etc.) AND the product requires third-party conformity assessment",
259
+ "TRACK B (Art. 6(2) — Annex III use cases): AI is used in any of 8 high-risk domains: (1) biometrics, (2) critical infrastructure, (3) education & vocational training, (4) employment & worker management, (5) access to essential services (credit, insurance, public benefits), (6) law enforcement, (7) migration/asylum/border control, (8) administration of justice & democratic processes",
260
+ "Exception (Art. 6(3)): An Annex III system is NOT high-risk if it does not pose a significant risk of harm to health/safety/fundamental rights, including by not materially influencing decision-making outcome. This exception does NOT apply if the AI performs profiling."
261
+ ],
262
+ "obligations_level": "heavy",
263
+ "examples_from_law": [
264
+ "AI system used for CV screening / recruitment decision-making (Annex III area 4)",
265
+ "AI credit scoring system determining loan eligibility (Annex III area 5)",
266
+ "AI system managing power grid operations (Annex III area 2 — critical infrastructure)",
267
+ "AI-based medical diagnostic tool embedded in a medical device (Annex II — MDR)",
268
+ "AI for student assessment/grading that determines academic progression (Annex III area 3)",
269
+ "AI used to evaluate asylum applications (Annex III area 7)",
270
+ "AI used for predictive policing at specific locations (Annex III area 6)",
271
+ "AI assisting judges in legal research and fact-finding (Annex III area 8)"
272
+ ],
273
+ "our_mapping_logic": "Step 1: Is the AI a safety component of an Annex II regulated product requiring 3rd-party conformity assessment? → HIGH RISK. Step 2: Does the AI's intended purpose fall under any Annex III category? → Presumed HIGH RISK, unless provider can demonstrate non-significant risk (Art. 6(3) exception — not available for profiling systems). Step 3: If neither → not high-risk under this classification."
274
+ },
275
+ {
276
+ "level_id": "limited",
277
+ "name_in_law": "AI systems with specific transparency obligations",
278
+ "name_en": "Limited Risk (Transparency Obligations)",
279
+ "definition": "AI systems that interact with natural persons, generate synthetic content (text, audio, image, video), or are used for emotion recognition or biometric categorization — subject to transparency/disclosure obligations under Article 50 even if not classified as high-risk.",
280
+ "criteria": [
281
+ "AI systems intended to directly interact with natural persons (chatbots, voice assistants, etc.)",
282
+ "AI systems that generate synthetic audio, image, video or text content (generative AI outputs)",
283
+ "AI systems used for emotion recognition (not in prohibited category)",
284
+ "AI systems used for biometric categorization (not in prohibited category)",
285
+ "Deep fake generation systems"
286
+ ],
287
+ "obligations_level": "moderate",
288
+ "examples_from_law": [
289
+ "Customer service chatbot — must disclose AI interaction to users",
290
+ "AI image generator (Midjourney, DALL-E type) — output must be machine-readable marked as AI-generated",
291
+ "AI text generator used for news articles — must label content as AI-generated when published on matters of public interest",
292
+ "AI voice cloning system — must disclose content is artificially generated",
293
+ "Deep fake video tool — output must be clearly labeled"
294
+ ],
295
+ "our_mapping_logic": "Does the AI system (a) interact directly with people (chat/voice)? (b) generate synthetic content? (c) perform emotion recognition? (d) perform biometric categorization? (e) generate deep fakes? If YES to any → LIMITED RISK with Article 50 transparency obligations."
296
+ },
297
+ {
298
+ "level_id": "minimal",
299
+ "name_in_law": "Minimal risk (no specific obligations)",
300
+ "name_en": "Minimal/No Risk",
301
+ "definition": "AI systems that do not fall into any of the above categories. The vast majority of AI systems currently used in the EU fall into this category (e.g., AI-powered spam filters, AI in video games, inventory management AI).",
302
+ "criteria": [
303
+ "Does not fall under prohibited practices (Art. 5)",
304
+ "Does not meet high-risk criteria (Art. 6, Annex II/III)",
305
+ "Does not have specific transparency triggers (Art. 50)",
306
+ "General-purpose AI model obligations may still apply to the model provider separately"
307
+ ],
308
+ "obligations_level": "light",
309
+ "examples_from_law": [
310
+ "AI-powered spam filters",
311
+ "AI in video games",
312
+ "AI-based inventory management systems",
313
+ "AI recommendation engines (unless in high-risk domain)",
314
+ "AI-powered translation tools"
315
+ ],
316
+ "our_mapping_logic": "If the system fails to match any criteria for unacceptable, high, or limited risk → MINIMAL. Note: AI literacy (Art. 4) and voluntary codes of conduct (Art. 95) still apply."
317
+ },
318
+ {
319
+ "level_id": "gpai",
320
+ "name_in_law": "General-purpose AI model",
321
+ "name_en": "General-Purpose AI (GPAI)",
322
+ "definition": "A separate classification track for AI models (not systems) that display significant generality and can perform a wide range of tasks. GPAI providers have specific obligations regardless of downstream risk level. A subset of GPAI with systemic risk has elevated obligations.",
323
+ "criteria": [
324
+ "GPAI Model (Art. 51): Model displays significant generality, capable of competently performing wide range of distinct tasks, can be integrated into variety of downstream systems/applications",
325
+ "GPAI with Systemic Risk (Art. 51(2)): GPAI model with high impact capabilities — PRESUMED if cumulative training compute exceeds 10^25 FLOPs, or designated by Commission based on Annex XIII criteria"
326
+ ],
327
+ "obligations_level": "moderate to heavy (depending on systemic risk)",
328
+ "examples_from_law": [
329
+ "GPT-4, Claude, Gemini — large language models → GPAI, likely with systemic risk",
330
+ "Stable Diffusion, Midjourney — image generation models → GPAI",
331
+ "Smaller fine-tuned models below 10^25 FLOPs threshold → GPAI without systemic risk",
332
+ "Open-source GPAI models — some exemptions on documentation if parameters/weights made publicly available (Art. 53(2))"
333
+ ],
334
+ "our_mapping_logic": "Is the entity providing a FOUNDATION MODEL that can perform diverse tasks? → GPAI. Was cumulative training compute ≥ 10^25 FLOPs or is it designated by Commission? → GPAI WITH SYSTEMIC RISK. This is a PROVIDER-side classification. Deployers using GPAI-based systems classify the SYSTEM itself (not the model) under the standard risk pyramid."
335
+ }
336
+ ],
337
+ "classification_questions": [
338
+ {
339
+ "question_id": "CQ1",
340
+ "question": "Does your AI system manipulate people's behavior without their awareness, exploit vulnerable groups, or assign social scores that affect people's rights?",
341
+ "answers": [
342
+ {
343
+ "text": "Yes, or we're not sure",
344
+ "points_to_level": "unacceptable",
345
+ "explanation": "These uses are prohibited under Article 5. The system cannot be deployed in the EU."
346
+ },
347
+ {
348
+ "text": "No, our system does none of these things",
349
+ "points_to_level": "continue_to_next",
350
+ "explanation": "Proceed to further classification."
351
+ }
352
+ ]
353
+ },
354
+ {
355
+ "question_id": "CQ2",
356
+ "question": "Is your AI system a safety component built into a physical product that requires a CE mark or similar EU product certification (e.g., medical device, machinery, vehicle)?",
357
+ "answers": [
358
+ {
359
+ "text": "Yes, it is embedded in a certified/regulated product",
360
+ "points_to_level": "high",
361
+ "explanation": "Falls under Article 6(1) / Annex II — high-risk as product safety component."
362
+ },
363
+ {
364
+ "text": "No, it is standalone software / SaaS",
365
+ "points_to_level": "continue_to_next",
366
+ "explanation": "Not product-embedded. Check Annex III use cases."
367
+ }
368
+ ]
369
+ },
370
+ {
371
+ "question_id": "CQ3",
372
+ "question": "Is your AI system used for any of these purposes: hiring/recruitment, credit scoring, student grading, benefits eligibility, law enforcement, border control, or judicial decisions?",
373
+ "answers": [
374
+ {
375
+ "text": "Yes, it's used in one or more of these areas",
376
+ "points_to_level": "high",
377
+ "explanation": "These are Annex III high-risk use cases. Full high-risk compliance required."
378
+ },
379
+ {
380
+ "text": "No, none of these apply",
381
+ "points_to_level": "continue_to_next",
382
+ "explanation": "Not an Annex III high-risk system. Check other use cases."
383
+ }
384
+ ]
385
+ },
386
+ {
387
+ "question_id": "CQ4",
388
+ "question": "Does your AI system manage or control critical infrastructure (energy, water, transport, telecom, digital infrastructure)?",
389
+ "answers": [
390
+ {
391
+ "text": "Yes",
392
+ "points_to_level": "high",
393
+ "explanation": "Annex III area 2 — critical infrastructure AI is high-risk."
394
+ },
395
+ {
396
+ "text": "No",
397
+ "points_to_level": "continue_to_next",
398
+ "explanation": "Continue classification."
399
+ }
400
+ ]
401
+ },
402
+ {
403
+ "question_id": "CQ5",
404
+ "question": "Does your AI system use biometric data (face recognition, fingerprints, voice prints, gait analysis) to identify, categorize, or detect emotions of people?",
405
+ "answers": [
406
+ {
407
+ "text": "Yes, for identification in law enforcement or public spaces",
408
+ "points_to_level": "unacceptable",
409
+ "explanation": "Real-time remote biometric ID in public spaces is generally prohibited (Art. 5)."
410
+ },
411
+ {
412
+ "text": "Yes, for other biometric purposes (not real-time law enforcement in public)",
413
+ "points_to_level": "high",
414
+ "explanation": "Biometric identification/categorization falls under Annex III area 1 — high-risk."
415
+ },
416
+ {
417
+ "text": "No biometric processing",
418
+ "points_to_level": "continue_to_next",
419
+ "explanation": "Continue classification."
420
+ }
421
+ ]
422
+ },
423
+ {
424
+ "question_id": "CQ6",
425
+ "question": "Does your AI system directly interact with people (chatbot, voice assistant, virtual agent) or generate synthetic content (text, images, audio, video)?",
426
+ "answers": [
427
+ {
428
+ "text": "Yes, it interacts with people or generates content",
429
+ "points_to_level": "limited",
430
+ "explanation": "Article 50 transparency obligations apply — must disclose AI interaction and label AI-generated content."
431
+ },
432
+ {
433
+ "text": "No, it works in the background without user interaction and doesn't generate content",
434
+ "points_to_level": "minimal",
435
+ "explanation": "Likely minimal risk. Only general obligations (AI literacy, voluntary codes) apply."
436
+ }
437
+ ]
438
+ },
439
+ {
440
+ "question_id": "CQ7",
441
+ "question": "Are you developing/providing an AI foundation model (large language model, large image model) that can be used for many different purposes by downstream developers?",
442
+ "answers": [
443
+ {
444
+ "text": "Yes, we provide a general-purpose AI model",
445
+ "points_to_level": "gpai",
446
+ "explanation": "GPAI model provider obligations under Chapter V apply (Articles 51–56)."
447
+ },
448
+ {
449
+ "text": "No, we use or deploy specific AI applications",
450
+ "points_to_level": "continue_to_next",
451
+ "explanation": "Standard risk classification applies based on use case."
452
+ }
453
+ ]
454
+ },
455
+ {
456
+ "question_id": "CQ8",
457
+ "question": "Does your AI system make or significantly assist decisions that have legal effects or similarly significant effects on natural persons (e.g., contract decisions, access to public services)?",
458
+ "answers": [
459
+ {
460
+ "text": "Yes, it influences decisions with legal or significant individual impact",
461
+ "points_to_level": "high",
462
+ "explanation": "Likely falls under Annex III high-risk categories. Check specific domain against Annex III list."
463
+ },
464
+ {
465
+ "text": "No, decisions are low-stakes or advisory only",
466
+ "points_to_level": "limited",
467
+ "explanation": "May still have transparency obligations if user-facing. Otherwise minimal risk."
468
+ }
469
+ ]
470
+ }
471
+ ]
472
+ },
473
+ "version": {
474
+ "framework_version": "3.0-production",
475
+ "processed_date": "2026-02-17",
476
+ "source_regulation_version": "Regulation (EU) 2024/1689 as published in OJ L 2024/1689",
477
+ "processing_prompt_version": "12-stage-v2",
478
+ "last_regulatory_update_checked": "2025-12-17 (Code of Practice on content marking draft)",
479
+ "next_review_due": "2026-03-01",
480
+ "notes": "Production-grade framework with granular obligation decomposition, full what_not_to_do coverage, expanded deployer obligations, and comprehensive tech specs for scanner."
481
+ }
482
+ }