npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/fixer/strategies/metadata.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import type { FixStrategy, FixAction } from '../types.js';
+import { generateCreateDiff } from '../diff.js';
+import { ENGINE_VERSION } from '../../../version.js';
+export const metadataStrategy: FixStrategy = (finding, context) => {
+  if (finding.checkId !== 'compliance-metadata') return null;
+  const metadataPath = '.well-known/ai-compliance.json';
+  const content = JSON.stringify({
+    version: '1.0',
+    scanner: `complior/${ENGINE_VERSION}`,
+    scannedAt: '[SCAN_DATE]',
+    organization: '[PASSPORT:owner.team]',
+    ai_systems: [
+      {
+        name: '[PASSPORT:display_name]',
+        provider: '[PASSPORT:model.provider]',
+        risk_level: '[PASSPORT:risk_class]',
+        compliance_score: 0,
+      },
+    ],
+    jurisdiction: 'EU',
+    regulation: 'EU AI Act (Regulation (EU) 2024/1689)',
+  }, null, 2);
+  const action: FixAction = {
+    type: 'create',
+    path: metadataPath,
+    content,
+    description: 'Create machine-readable compliance metadata',
+  };
+  return {
+    obligationId: finding.obligationId ?? 'eu-ai-act-OBL-021',
+    checkId: finding.checkId,
+    article: finding.articleReference ?? 'Art. 50',
+    fixType: 'metadata_generation',
+    framework: context.framework,
+    actions: [action],
+    diff: generateCreateDiff(metadataPath, content),
+    scoreImpact: 4,
+    commitMessage: 'fix: add compliance metadata .well-known (Art. 50) -- via Complior',
+    description: 'Create machine-readable compliance metadata for programmatic verification',
+  };
+};

package/src/domain/fixer/strategies/permission-guard.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import type { FixStrategy, FixAction } from '../types.js';
+import { generateCreateDiff } from '../diff.js';
+export const permissionGuardStrategy: FixStrategy = (finding, context) => {
+  if (finding.checkId !== 'l4-human-oversight') return null;
+  const filePath = 'src/middleware/human-approval-gate.ts';
+  const content = `// Human Approval Gate (EU AI Act, Art. 14)
+// Requires human approval for high-risk AI decisions
+export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
+export interface ApprovalRequest {
+  readonly id: string;
+  readonly action: string;
+  readonly riskLevel: RiskLevel;
+  readonly requestedAt: string;
+  readonly timeoutMs: number;
+}
+export interface ApprovalResult {
+  readonly approved: boolean;
+  readonly approvedBy?: string;
+  readonly approvedAt?: string;
+  readonly reason?: string;
+}
+const RISK_THRESHOLDS: Record<RiskLevel, boolean> = {
+  low: false,
+  medium: false,
+  high: true,
+  critical: true,
+};
+const pendingApprovals = new Map<string, ApprovalRequest>();
+export const requiresApproval = (riskLevel: RiskLevel): boolean =>
+  RISK_THRESHOLDS[riskLevel];
+export const requestApproval = (action: string, riskLevel: RiskLevel, timeoutMs = 300_000): ApprovalRequest => {
+  const request: ApprovalRequest = {
+    id: crypto.randomUUID(),
+    action,
+    riskLevel,
+    requestedAt: new Date().toISOString(),
+    timeoutMs,
+  };
+  pendingApprovals.set(request.id, request);
+  return request;
+};
+export const approveRequest = (id: string, approvedBy: string): ApprovalResult => {
+  const request = pendingApprovals.get(id);
+  if (!request) return { approved: false, reason: 'Request not found' };
+  pendingApprovals.delete(id);
+  return { approved: true, approvedBy, approvedAt: new Date().toISOString() };
+};
+export const rejectRequest = (id: string, reason: string): ApprovalResult => {
+  pendingApprovals.delete(id);
+  return { approved: false, reason };
+};
+`;
+  const action: FixAction = {
+    type: 'create',
+    path: filePath,
+    content,
+    description: 'Create human approval gate for high-risk AI decisions',
+  };
+  return {
+    obligationId: finding.obligationId ?? 'eu-ai-act-OBL-006',
+    checkId: finding.checkId,
+    article: finding.articleReference ?? 'Art. 14',
+    fixType: 'code_injection',
+    framework: context.framework,
+    actions: [action],
+    diff: generateCreateDiff(filePath, content),
+    scoreImpact: 5,
+    commitMessage: 'fix: add human approval gate (Art. 14) -- via Complior',
+    description: 'Add human-in-the-loop approval gate for high-risk AI decisions',
+  };
+};

package/src/domain/fixer/strategies/record-keeping.ts ADDED Viewed

@@ -0,0 +1,69 @@
+import type { FixStrategy, FixAction } from '../types.js';
+import { generateCreateDiff } from '../diff.js';
+export const recordKeepingStrategy: FixStrategy = (finding, context) => {
+  if (finding.checkId !== 'l4-record-keeping') return null;
+  const auditPath = 'src/compliance/audit-trail.ts';
+  const content = `// Audit Trail & Record Keeping (EU AI Act, Art. 12)
+// Persistent event logging for AI system compliance records
+export interface AuditTrailEntry {
+  readonly id: string;
+  readonly timestamp: string;
+  readonly eventType: 'decision' | 'input' | 'output' | 'error' | 'override';
+  readonly agentId: string;
+  readonly sessionId: string;
+  readonly payload: Record<string, unknown>;
+  readonly retentionDays: number;
+}
+const complianceRecord: AuditTrailEntry[] = [];
+/** Append an entry to the audit trail for compliance record keeping. */
+export const persistAudit = (entry: Omit<AuditTrailEntry, 'id' | 'timestamp'>): AuditTrailEntry => {
+  const full: AuditTrailEntry = {
+    ...entry,
+    id: crypto.randomUUID(),
+    timestamp: new Date().toISOString(),
+  };
+  complianceRecord.push(full);
+  return full;
+};
+/** Retrieve all audit trail entries (compliance records). */
+export const getAuditTrail = (): readonly AuditTrailEntry[] => [...complianceRecord];
+/** Apply log retention policy — remove entries older than retentionDays. */
+export const applyRetentionPolicy = (): number => {
+  const now = Date.now();
+  const before = complianceRecord.length;
+  const keep = complianceRecord.filter((e) => {
+    const age = (now - new Date(e.timestamp).getTime()) / (1000 * 60 * 60 * 24);
+    return age <= e.retentionDays;
+  });
+  complianceRecord.length = 0;
+  complianceRecord.push(...keep);
+  return before - complianceRecord.length;
+};
+`;
+  const action: FixAction = {
+    type: 'create',
+    path: auditPath,
+    content,
+    description: 'Create audit trail module for compliance record keeping',
+  };
+  return {
+    obligationId: finding.obligationId ?? 'eu-ai-act-OBL-012',
+    checkId: finding.checkId,
+    article: finding.articleReference ?? 'Art. 12',
+    fixType: 'code_injection',
+    framework: context.framework,
+    actions: [action],
+    diff: generateCreateDiff(auditPath, content),
+    scoreImpact: 5,
+    commitMessage: 'fix: add audit trail for record keeping (Art. 12) -- via Complior',
+    description: 'Add persistent audit trail for AI system compliance records',
+  };
+};

package/src/domain/fixer/strategies/secret-rotation.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import type { FixStrategy, FixAction } from '../types.js';
+import { generateCreateDiff } from '../diff.js';
+// --- Strategy: Secret Rotation (Art. 15.4) ---
+export const secretRotationStrategy: FixStrategy = (finding, context) => {
+  if (!finding.checkId.startsWith('l4-nhi-') || finding.checkId === 'l4-nhi-clean') return null;
+  // Extract secret type from checkId: l4-nhi-openai-key → OPENAI_API_KEY
+  const suffix = finding.checkId.replace('l4-nhi-', '').replace(/-/g, '_').toUpperCase();
+  const envVar = suffix.endsWith('_KEY') ? suffix : `${suffix}_KEY`;
+  const gitignoreContent = `# Secrets — never commit
+.env
+.env.*
+*.key
+*.pem
+*.p12
+`;
+  const envExampleContent = `# Replace with vault references or environment-specific values
+${envVar}=<replace-with-vault-reference>
+`;
+  const actions: FixAction[] = [
+    {
+      type: 'create',
+      path: '.gitignore',
+      content: gitignoreContent,
+      description: 'Add secret file patterns to .gitignore',
+    },
+    {
+      type: 'create',
+      path: '.env.example',
+      content: envExampleContent,
+      description: 'Create .env.example with placeholder secret references',
+    },
+  ];
+  return {
+    obligationId: finding.obligationId ?? 'eu-ai-act-OBL-008',
+    checkId: finding.checkId,
+    article: finding.articleReference ?? 'Art. 15(4)',
+    fixType: 'config_fix',
+    framework: context.framework,
+    actions,
+    diff: generateCreateDiff('.gitignore', gitignoreContent) + '\n' + generateCreateDiff('.env.example', envExampleContent),
+    scoreImpact: 6,
+    commitMessage: `fix: add secret rotation scaffold for ${envVar} (Art. 15.4) -- via Complior`,
+    description: `Add .gitignore entries and .env.example for secret ${envVar}`,
+  };
+};

package/src/domain/fixer/strategies.test.ts ADDED Viewed

@@ -0,0 +1,341 @@
+import { describe, it, expect } from 'vitest';
+import type { Finding } from '../../types/common.types.js';
+import { findStrategy } from './strategies/index.js';
+import type { FixContext } from './types.js';
+// --- Helpers ---
+const makeContext = (overrides?: Partial<FixContext>): FixContext => ({
+  projectPath: '/test/project',
+  framework: 'generic',
+  existingFiles: [],
+  ...overrides,
+});
+const makeFinding = (overrides: Partial<Finding> & { checkId: string }): Finding => ({
+  type: 'fail',
+  message: 'Test finding',
+  severity: 'high',
+  ...overrides,
+});
+// --- Strategy tests ---
+describe('findStrategy', () => {
+  it('generates disclosure fix for ai-disclosure finding', () => {
+    const finding = makeFinding({
+      checkId: 'ai-disclosure',
+      obligationId: 'eu-ai-act-OBL-015',
+      articleReference: 'Art. 50(1)',
+    });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.commitMessage).toContain('Art. 50.1');
+    expect(plan!.actions.length).toBeGreaterThan(0);
+    expect(plan!.diff).toBeTruthy();
+  });
+  it('generates React component for Next.js framework', () => {
+    const finding = makeFinding({ checkId: 'ai-disclosure' });
+    const plan = findStrategy(finding, makeContext({ framework: 'Next.js' }));
+    expect(plan).not.toBeNull();
+    expect(plan!.actions[0].path).toContain('AIDisclosure.tsx');
+  });
+  it('generates middleware for Express framework', () => {
+    const finding = makeFinding({ checkId: 'ai-disclosure' });
+    const plan = findStrategy(finding, makeContext({ framework: 'Express' }));
+    expect(plan).not.toBeNull();
+    expect(plan!.actions[0].path).toContain('middleware');
+  });
+  it('generates content marking fix', () => {
+    const finding = makeFinding({ checkId: 'content-marking' });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('config_fix');
+    expect(plan!.actions[0].path).toContain('content-marking');
+  });
+  it('generates logging fix', () => {
+    const finding = makeFinding({ checkId: 'interaction-logging' });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.actions[0].path).toContain('logger');
+  });
+  it('generates documentation fix from template map', () => {
+    const finding = makeFinding({
+      checkId: 'ai-literacy',
+      obligationId: 'eu-ai-act-OBL-001',
+    });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('template_generation');
+    expect(plan!.actions[0].path).toContain('ai-literacy-policy.md');
+  });
+  it('generates metadata fix', () => {
+    const finding = makeFinding({ checkId: 'compliance-metadata' });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('metadata_generation');
+    expect(plan!.actions[0].path).toContain('.well-known');
+  });
+  it('skips documentation fix when output file already exists', () => {
+    const finding = makeFinding({
+      checkId: 'ai-literacy',
+      obligationId: 'eu-ai-act-OBL-001',
+    });
+    const plan = findStrategy(finding, makeContext({
+      existingFiles: ['/test/docs/compliance/ai-literacy-policy.md'],
+    }));
+    expect(plan).toBeNull();
+  });
+  it('returns null for unknown checkId without obligationId', () => {
+    const finding = makeFinding({ checkId: 'unknown-check' });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).toBeNull();
+  });
+});
+// --- New strategy tests (13 strategies + 2 variant tests) ---
+describe('new fix strategies', () => {
+  it('returns null for l4-bare-llm (info finding, no fix strategy)', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-bare-llm' }), makeContext());
+    expect(plan).toBeNull();
+  });
+  it('generates permission guard fix for l4-human-oversight', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-human-oversight' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toContain('human-approval-gate');
+  });
+  it('generates kill switch fix for l4-kill-switch', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-kill-switch' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toContain('kill-switch');
+  });
+  it('generates error handler fix for l4-security-risk', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-security-risk' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toContain('ai-error-handler');
+  });
+  it('generates HITL gate fix for l4-conformity-assessment', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-conformity-assessment' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toContain('conformity-checklist');
+  });
+  it('generates data governance fix for l4-data-governance', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-data-governance' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toContain('data-governance');
+  });
+  it('generates secret rotation fix for l4-nhi-openai-key', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-nhi-openai-key' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('config_fix');
+    expect(plan!.scoreImpact).toBe(6);
+    expect(plan!.actions).toHaveLength(2);
+    expect(plan!.actions[0].path).toBe('.gitignore');
+    expect(plan!.actions[1].path).toBe('.env.example');
+  });
+  it('skips secret rotation for l4-nhi-clean', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-nhi-clean' }), makeContext());
+    expect(plan).toBeNull();
+  });
+  it('generates bandit fix for ext-bandit-b301', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'ext-bandit-b301' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('template_generation');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toBe('complior-security-fixes.md');
+  });
+  it('generates CVE upgrade plan for l3-dep-vuln', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l3-dep-vuln', message: 'CVE-2024-1234 in lodash' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('dependency_fix');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toBe('complior-upgrade-plan.md');
+  });
+  it('generates license fix for l3-dep-license', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l3-dep-license' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('dependency_fix');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toBe('complior-license-review.md');
+  });
+  it('generates CI compliance workflow for l3-ci-compliance', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l3-ci-compliance' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('config_fix');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toContain('compliance-check.yml');
+  });
+  it('generates bias testing config for l3-missing-bias-testing', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l3-missing-bias-testing' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('config_fix');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toBe('bias-testing.config.json');
+  });
+  it('generates doc-code sync report for cross-doc-code-mismatch', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'cross-doc-code-mismatch' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('template_generation');
+    expect(plan!.scoreImpact).toBe(5);
+    expect(plan!.actions[0].path).toBe('complior-doc-sync-report.md');
+  });
+});
+// FRIA fix via documentationStrategy (OBL-013 in template-registry)
+describe('FRIA template fix', () => {
+  const ctx = makeContext();
+  it('triggers on obligationId eu-ai-act-OBL-013', () => {
+    const finding = makeFinding({ checkId: 'fria', obligationId: 'eu-ai-act-OBL-013' });
+    const plan = findStrategy(finding, ctx);
+    expect(plan).not.toBeNull();
+    expect(plan!.article).toBe('Art. 27');
+    expect(plan!.fixType).toBe('template_generation');
+    expect(plan!.obligationId).toBe('eu-ai-act-OBL-013');
+  });
+  it('skips if output file already exists', () => {
+    const finding = makeFinding({ checkId: 'fria', obligationId: 'eu-ai-act-OBL-013' });
+    const ctxWithFria = makeContext({ existingFiles: ['docs/compliance/fria.md'] });
+    const plan = findStrategy(finding, ctxWithFria);
+    expect(plan).toBeNull();
+  });
+});
+describe('R2: kill-switch test strategy', () => {
+  it('generates test file for cross-kill-switch-no-test', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'cross-kill-switch-no-test' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toContain('kill-switch.test.ts');
+    expect(plan!.actions[0].type).toBe('create');
+  });
+  it('returns null for unrelated checkIds', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-kill-switch' }), makeContext());
+    // l4-kill-switch is handled by killSwitchStrategy, not killSwitchTestStrategy
+    expect(plan).not.toBeNull();
+    expect(plan!.actions[0].path).not.toContain('kill-switch.test.ts');
+  });
+});
+describe('N2: log-retention strategy', () => {
+  it('generates docker-compose override for cross-logging-no-retention', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'cross-logging-no-retention' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('config_fix');
+    expect(plan!.scoreImpact).toBe(4);
+    expect(plan!.actions[0].path).toBe('docker-compose.override.yml');
+    expect(plan!.actions[0].content).toContain('max-size');
+    expect(plan!.actions[0].content).toContain('max-file');
+  });
+  it('returns null for unrelated checkIds', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-logging' }), makeContext());
+    expect(plan).not.toBeNull();
+    // l4-logging is handled by loggingStrategy, not logRetentionStrategy
+    expect(plan!.actions[0].path).not.toBe('docker-compose.override.yml');
+  });
+});
+describe('BUG-2b: L2 draft/reviewed with useAi', () => {
+  it('returns null for L2 reviewed docs without useAi', () => {
+    const finding = makeFinding({ checkId: 'l2-fria', obligationId: 'eu-ai-act-OBL-013', docQuality: 'reviewed' });
+    const plan = findStrategy(finding, makeContext());
+    expect(plan).toBeNull();
+  });
+  it('generates plan for L2 reviewed docs when useAi is true', () => {
+    const finding = makeFinding({ checkId: 'l2-fria', obligationId: 'eu-ai-act-OBL-013', docQuality: 'reviewed' });
+    const ctx = makeContext({ useAi: true });
+    const plan = findStrategy(finding, ctx);
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('ai_enrichment');
+  });
+  it('generates plan for L2 draft docs when useAi is true', () => {
+    const finding = makeFinding({ checkId: 'l2-fria', obligationId: 'eu-ai-act-OBL-013', docQuality: 'draft' });
+    const ctx = makeContext({ useAi: true });
+    const plan = findStrategy(finding, ctx);
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('ai_enrichment');
+  });
+  it('still returns template_generation for L1 findings with useAi', () => {
+    const finding = makeFinding({ checkId: 'fria', obligationId: 'eu-ai-act-OBL-013' });
+    const ctx = makeContext({ useAi: true });
+    const plan = findStrategy(finding, ctx);
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('template_generation');
+  });
+});
+describe('N5: L4 logging and record-keeping strategies', () => {
+  it('generates logging fix for l4-logging (not just interaction-logging)', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-logging' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.actions[0].path).toContain('logger');
+  });
+  it('logging scaffold includes L4-recognizable patterns (auditLog, logAiCall)', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-logging' }), makeContext());
+    expect(plan).not.toBeNull();
+    const content = plan!.actions[0].content ?? '';
+    expect(content).toContain('auditLog');
+    expect(content).toContain('logAiCall');
+    expect(content).toContain('aiLogger');
+  });
+  it('generates record-keeping fix for l4-record-keeping', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-record-keeping' }), makeContext());
+    expect(plan).not.toBeNull();
+    expect(plan!.fixType).toBe('code_injection');
+    expect(plan!.actions[0].path).toContain('audit-trail');
+  });
+  it('record-keeping scaffold includes L4-recognizable patterns (persistAudit, complianceRecord)', () => {
+    const plan = findStrategy(makeFinding({ checkId: 'l4-record-keeping' }), makeContext());
+    expect(plan).not.toBeNull();
+    const content = plan!.actions[0].content ?? '';
+    expect(content).toContain('persistAudit');
+    expect(content).toContain('complianceRecord');
+  });
+});

package/src/domain/fixer/template-engine.test.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import { describe, it, expect } from 'vitest';
+import { fillTemplate, getTemplateForObligation, getAvailableTemplates } from './template-engine.js';
+describe('fillTemplate', () => {
+  it('replaces [Company Name] placeholder', () => {
+    const template = 'Policy for [Company Name]';
+    const result = fillTemplate(template, { companyName: 'ACME Corp' });
+    expect(result).toBe('Policy for ACME Corp');
+  });
+  it('replaces multiple placeholders', () => {
+    const template = '[Company Name] — Version [X.Y] — [Date]';
+    const result = fillTemplate(template, {
+      companyName: 'TestCo',
+      version: '2.0',
+      date: '2026-01-15',
+    });
+    expect(result).toBe('TestCo — Version 2.0 — 2026-01-15');
+  });
+  it('uses defaults when no data provided', () => {
+    const template = 'Policy for [Company Name]';
+    const result = fillTemplate(template);
+    expect(result).toBe('Policy for [Company Name]');
+  });
+  it('replaces German placeholders', () => {
+    const template = 'Richtlinie für [Firmenname]';
+    const result = fillTemplate(template, { companyName: 'TestGmbH' });
+    expect(result).toBe('Richtlinie für TestGmbH');
+  });
+});
+describe('getTemplateForObligation', () => {
+  it('returns mapping for known obligation', () => {
+    const mapping = getTemplateForObligation('eu-ai-act-OBL-001');
+    expect(mapping).toBeDefined();
+    expect(mapping!.templateFile).toBe('ai-literacy.md');
+    expect(mapping!.article).toBe('Art. 4');
+  });
+  it('returns undefined for unknown obligation', () => {
+    const mapping = getTemplateForObligation('unknown-obl');
+    expect(mapping).toBeUndefined();
+  });
+});
+describe('getAvailableTemplates', () => {
+  it('returns all 14 templates', () => {
+    const templates = getAvailableTemplates();
+    expect(templates).toHaveLength(14);
+  });
+  it('each template has required fields', () => {
+    const templates = getAvailableTemplates();
+    for (const t of templates) {
+      expect(t.obligationId).toBeTruthy();
+      expect(t.article).toBeTruthy();
+      expect(t.templateFile).toBeTruthy();
+      expect(t.outputFile).toBeTruthy();
+      expect(t.description).toBeTruthy();
+    }
+  });
+});