npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/fria/fria-generator.test.ts ADDED Viewed

@@ -0,0 +1,273 @@
+import { describe, it, expect } from 'vitest';
+import { generateFria, generateFriaStructured } from './fria-generator.js';
+import type { AgentPassport } from '../../types/passport.types.js';
+import { createMockPassport } from '../../test-helpers/factories.js';
+const TEMPLATE = `# Template 3: Fundamental Rights Impact Assessment (FRIA)
+### 1. Assessment Header
+| Field | Value |
+|-------|-------|
+| Document Title | Fundamental Rights Impact Assessment — [AI System Name] |
+| Assessment ID | FRIA-[YYYY]-[NNN] |
+| Date | [Date] |
+| Assessor | [Name, Title] |
+| DPO Consulted | [Name, Date] |
+### 2. AI System Description
+- System name: [Name]
+- Provider: [Name]
+- Version: [Number]
+- Intended purpose: [Description]
+- Deployment context: [Where and how the system is used]
+### 3. Deployer Information
+- Organisation: [Name]
+### 4. Fundamental Rights Risk Assessment
+| Fundamental Right | Risk Level | Description |
+|---|---|---|
+| Non-discrimination | [H/M/L/N] | [Description] |
+| Privacy | [H/M/L/N] | [Description] |
+### 5. Mitigation Measures and Human Oversight
+- Override mechanism: [Description of how human can intervene/stop the system]
+`;
+const createManifest = createMockPassport;
+describe('generateFria', () => {
+  it('replaces AI System Name from manifest', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('Fundamental Rights Impact Assessment — Test Agent');
+    expect(result.prefilledFields).toContain('AI System Name');
+  });
+  it('replaces Provider from manifest.model.provider', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('Provider: OpenAI');
+    expect(result.prefilledFields).toContain('Provider');
+  });
+  it('replaces Version from manifest.version', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('Version: 1.0.0');
+    expect(result.prefilledFields).toContain('Version');
+  });
+  it('replaces Intended purpose from manifest.description', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('Intended purpose: An AI agent for testing compliance');
+    expect(result.prefilledFields).toContain('Intended purpose');
+  });
+  it('generates FRIA ID with current year', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    const year = new Date().getFullYear();
+    expect(result.markdown).toMatch(new RegExp(`FRIA-${year}-\\d{3}`));
+    expect(result.prefilledFields).toContain('Assessment ID');
+  });
+  it('fills date with current date', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    const today = new Date().toISOString().slice(0, 10);
+    expect(result.markdown).toContain(today);
+  });
+  it('uses organization param over manifest.owner.team', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE,
+      organization: 'Custom Org',
+    });
+    expect(result.markdown).toContain('Organisation: Custom Org');
+  });
+  it('falls back to owner.team when no organization param', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('Organisation: Acme Corp');
+  });
+  it('fills assessor when provided', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE,
+      assessor: 'Jane Doe, CTO',
+    });
+    expect(result.markdown).toContain('Jane Doe, CTO');
+    expect(result.prefilledFields).toContain('Assessor');
+  });
+  it('lists assessor as manual field when not provided', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.manualFields).toContain('Assessor (Name, Title)');
+  });
+  it('pre-fills risk level from high-risk passport', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    // First row should get H (high risk)
+    expect(result.markdown).toContain('| H |');
+  });
+  it('generates human oversight description from autonomy level', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('direct human supervision');
+    expect(result.prefilledFields).toContain('Human oversight mechanism');
+  });
+  it('includes human_approval_required in oversight', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.markdown).toContain('deploy, delete');
+  });
+  it('lists manual fields that cannot be auto-filled', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.manualFields).toContain('DPO Consulted (Name, Date)');
+    expect(result.manualFields).toContain('Deployment context');
+    expect(result.manualFields).toContain('Overall risk assessment decision');
+    expect(result.manualFields).toContain('Assessor sign-off');
+    expect(result.manualFields.length).toBeGreaterThan(10);
+  });
+  it('returns frozen result', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(Object.isFrozen(result)).toBe(true);
+    expect(Object.isFrozen(result.prefilledFields)).toBe(true);
+    expect(Object.isFrozen(result.manualFields)).toBe(true);
+  });
+  it('pre-fills impact when provided', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE + '\n[e.g., AI may produce biased outcomes against certain ethnic groups in credit decisions]',
+      impact: 'Credit scoring bias against minorities',
+    });
+    expect(result.markdown).toContain('Credit scoring bias against minorities');
+    expect(result.prefilledFields).toContain('Impact description');
+    expect(result.manualFields).not.toContain('Fundamental Rights risk descriptions');
+  });
+  it('pre-fills mitigation when provided', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE + '\n[e.g., Regular bias audits, human review of rejections, fairness metrics monitoring]',
+      mitigation: 'Quarterly bias audits and model retraining',
+    });
+    expect(result.markdown).toContain('Quarterly bias audits and model retraining');
+    expect(result.prefilledFields).toContain('Mitigation measures');
+    expect(result.manualFields).not.toContain('Mitigation measures');
+  });
+  it('pre-fills approval when provided', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE + '\nDecision-maker: _________________ Date: _________',
+      approval: 'Jane Doe, CTO',
+    });
+    expect(result.markdown).toContain('Decision-maker: Jane Doe, CTO');
+    expect(result.prefilledFields).toContain('Decision-maker sign-off');
+    expect(result.manualFields).not.toContain('Decision-maker sign-off');
+  });
+  it('leaves manual fields when flags not provided', () => {
+    const result = generateFria({
+      manifest: createManifest(),
+      template: TEMPLATE + '\n[e.g., AI may produce biased outcomes against certain ethnic groups in credit decisions]\n[e.g., Regular bias audits, human review of rejections, fairness metrics monitoring]\nDecision-maker: _________________ Date: _________',
+    });
+    expect(result.manualFields).toContain('Fundamental Rights risk descriptions');
+    expect(result.manualFields).toContain('Mitigation measures');
+    expect(result.manualFields).toContain('Decision-maker sign-off');
+  });
+  it('includes structured payload in result', () => {
+    const result = generateFria({ manifest: createManifest(), template: TEMPLATE });
+    expect(result.structured).toBeDefined();
+    expect(result.structured.toolSlug).toBe('agent-test-001');
+    expect(result.structured.sections.general_info.toolName).toBe('Test Agent');
+  });
+});
+describe('generateFriaStructured', () => {
+  it('maps general_info from manifest', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.toolSlug).toBe('agent-test-001');
+    expect(s.sections.general_info.toolName).toBe('Test Agent');
+    expect(s.sections.general_info.vendor).toBe('Acme Corp');
+    expect(s.sections.general_info.purpose).toBe('An AI agent for testing compliance');
+    expect(s.sections.general_info.riskLevel).toBe('high');
+    expect(s.sections.general_info.version).toBe('1.0.0');
+    expect(s.sections.general_info.provider).toBe('OpenAI');
+  });
+  it('uses organization option over manifest.owner.team', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '', organization: 'Custom Org' });
+    expect(s.sections.general_info.organisation).toBe('Custom Org');
+  });
+  it('falls back to owner.team for organisation', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.sections.general_info.organisation).toBe('Acme Corp');
+  });
+  it('fills assessorName when assessor provided', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '', assessor: 'Jane Doe' });
+    expect(s.sections.general_info.assessorName).toBe('Jane Doe');
+  });
+  it('generates 8 Charter rights in specific_risks', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.sections.specific_risks.risks).toHaveLength(8);
+    expect(s.sections.specific_risks.risks[0]!.right).toBe('Non-discrimination');
+    expect(s.sections.specific_risks.risks[0]!.article).toBe('Art. 21');
+  });
+  it('pre-fills first risk severity from high-risk passport', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.sections.specific_risks.risks[0]!.severity).toBe('H');
+    expect(s.sections.specific_risks.risks[1]!.severity).toBe('');
+  });
+  it('sets severity L for minimal risk', () => {
+    const manifest = createManifest({
+      compliance: { ...createManifest().compliance, eu_ai_act: { ...createManifest().compliance.eu_ai_act, risk_class: 'minimal' } },
+    } as Partial<AgentPassport>);
+    const s = generateFriaStructured({ manifest, template: '' });
+    expect(s.sections.specific_risks.risks[0]!.severity).toBe('L');
+  });
+  it('derives human_oversight from autonomy level L2', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.sections.human_oversight.hasHumanOversight).toBe(true);
+    expect(s.sections.human_oversight.oversightType).toBe('pre_decision');
+    expect(s.sections.human_oversight.mechanism).toContain('3 human approval gate(s)');
+  });
+  it('derives human_oversight from autonomy level L4', () => {
+    const manifest = createManifest({ autonomy_level: 'L4' } as Partial<AgentPassport>);
+    const s = generateFriaStructured({ manifest, template: '' });
+    expect(s.sections.human_oversight.hasHumanOversight).toBe(false);
+    expect(s.sections.human_oversight.oversightType).toBe('post_hoc');
+  });
+  it('leaves manual fields as empty strings/arrays', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    expect(s.sections.general_info.deploymentContext).toBe('');
+    expect(s.sections.general_info.geographicScope).toBe('');
+    expect(s.sections.affected_persons.categories).toEqual([]);
+    expect(s.sections.affected_persons.description).toBe('');
+    expect(s.sections.mitigation_measures.measures).toEqual([]);
+    expect(s.sections.monitoring_plan.metrics).toEqual([]);
+    expect(s.sections.monitoring_plan.frequency).toBe('');
+  });
+  it('generates valid assessmentId and date', () => {
+    const s = generateFriaStructured({ manifest: createManifest(), template: '' });
+    const year = new Date().getFullYear();
+    expect(s.assessmentId).toMatch(new RegExp(`^FRIA-${year}-\\d{3}$`));
+    expect(s.date).toMatch(/^\d{4}-\d{2}-\d{2}$/);
+  });
+});

package/src/domain/fria/fria-generator.ts ADDED Viewed

@@ -0,0 +1,366 @@
+import type { AgentPassport } from '../../types/passport.types.js';
+import { mapDomain } from '../passport/builder/domain-mapper.js';
+import { deriveOversightDescription } from '../documents/passport-helpers.js';
+// --- Types ---
+export interface FriaGeneratorInput {
+  readonly manifest: AgentPassport;
+  readonly template: string;
+  readonly organization?: string;
+  readonly assessor?: string;
+  readonly impact?: string;
+  readonly mitigation?: string;
+  readonly approval?: string;
+}
+export interface FriaResult {
+  readonly markdown: string;
+  readonly structured: FriaStructuredPayload;
+  readonly prefilledFields: readonly string[];
+  readonly manualFields: readonly string[];
+}
+/** Structured FRIA payload — matches SaaS FRIASection schema */
+export interface FriaStructuredPayload {
+  readonly toolSlug: string;
+  readonly assessmentId: string;
+  readonly date: string;
+  readonly sections: {
+    readonly general_info: {
+      readonly toolName: string;
+      readonly vendor: string;
+      readonly purpose: string;
+      readonly domain: string;
+      readonly riskLevel: string;
+      readonly version: string;
+      readonly provider: string;
+      readonly deploymentContext: string;
+      readonly assessorName: string;
+      readonly assessorTitle: string;
+      readonly geographicScope: string;
+      readonly organisation: string;
+      readonly organisationType: string;
+    };
+    readonly affected_persons: {
+      readonly categories: readonly string[];
+      readonly vulnerableGroups: boolean;
+      readonly estimatedCount: string;
+      readonly description: string;
+    };
+    readonly specific_risks: {
+      readonly risks: ReadonlyArray<{
+        readonly right: string;
+        readonly article: string;
+        readonly severity: string;
+        readonly likelihood: string;
+        readonly description: string;
+        readonly affectedGroups: string;
+        readonly mitigation: string;
+      }>;
+    };
+    readonly human_oversight: {
+      readonly hasHumanOversight: boolean;
+      readonly oversightType: string;
+      readonly mechanism: string;
+      readonly responsibleRole: string;
+      readonly escalationProcess: string;
+      readonly reviewFrequency: string;
+    };
+    readonly mitigation_measures: {
+      readonly measures: ReadonlyArray<{
+        readonly risk: string;
+        readonly measure: string;
+        readonly responsible: string;
+        readonly deadline: string;
+      }>;
+      readonly incidentResponse: string;
+      readonly communicationPlan: string;
+      readonly suspensionCriteria: string;
+      readonly remediationProcess: string;
+      readonly internalComplaint: string;
+      readonly externalComplaint: string;
+    };
+    readonly monitoring_plan: {
+      readonly frequency: string;
+      readonly metrics: readonly string[];
+      readonly responsibleTeam: string;
+      readonly reviewProcess: string;
+      readonly nextReviewDate: string;
+      readonly dpiaReference: string;
+      readonly legalBasis: string;
+      readonly overallRiskDecision: string;
+      readonly conditionsForDeployment: string;
+    };
+  };
+}
+// --- Helpers ---
+const generateFriaId = (): string => {
+  const year = new Date().getFullYear();
+  const seq = String(Math.floor(Math.random() * 999) + 1).padStart(3, '0');
+  return `FRIA-${year}-${seq}`;
+};
+const deriveRiskLevel = (riskClass: string): string => {
+  switch (riskClass) {
+    case 'prohibited': return 'H';
+    case 'high': return 'H';
+    case 'limited': return 'M';
+    case 'minimal': return 'L';
+    default: return '[H/M/L/N]';
+  }
+};
+// --- Charter Rights for FRIA ---
+const CHARTER_RIGHTS = [
+  { right: 'Non-discrimination', article: 'Art. 21' },
+  { right: 'Privacy and data protection', article: 'Arts. 7-8' },
+  { right: 'Freedom of expression', article: 'Art. 11' },
+  { right: 'Human dignity', article: 'Art. 1' },
+  { right: 'Right to effective remedy', article: 'Art. 47' },
+  { right: 'Rights of the child', article: 'Art. 24' },
+  { right: 'Workers\' rights', article: 'Art. 31' },
+  { right: 'Right to good administration', article: 'Art. 41' },
+] as const;
+const mapOversightType = (level: string): string => {
+  if (level === 'L1' || level === 'L2') return 'pre_decision';
+  if (level === 'L3') return 'concurrent';
+  return 'post_hoc';
+};
+/** Generate structured FRIA JSON from manifest data */
+export const generateFriaStructured = (input: FriaGeneratorInput): FriaStructuredPayload => {
+  const { manifest, organization, assessor } = input;
+  const today = new Date().toISOString().slice(0, 10);
+  const riskClass = manifest.compliance?.eu_ai_act?.risk_class ?? '';
+  const firstSeverity = deriveRiskLevel(riskClass);
+  return {
+    toolSlug: manifest.agent_id,
+    assessmentId: generateFriaId(),
+    date: today,
+    sections: {
+      general_info: {
+        toolName: manifest.display_name,
+        vendor: manifest.owner?.team ?? '',
+        purpose: manifest.description,
+        domain: mapDomain(manifest),
+        riskLevel: riskClass,
+        version: manifest.version,
+        provider: manifest.model?.provider ?? '',
+        deploymentContext: '',
+        assessorName: assessor ?? '',
+        assessorTitle: '',
+        geographicScope: '',
+        organisation: organization ?? manifest.owner?.team ?? '',
+        organisationType: '',
+      },
+      affected_persons: {
+        categories: [],
+        vulnerableGroups: false,
+        estimatedCount: '',
+        description: '',
+      },
+      specific_risks: {
+        risks: CHARTER_RIGHTS.map((cr, i) => ({
+          right: cr.right,
+          article: cr.article,
+          severity: i === 0 && firstSeverity !== '[H/M/L/N]' ? firstSeverity : '',
+          likelihood: '',
+          description: '',
+          affectedGroups: '',
+          mitigation: '',
+        })),
+      },
+      human_oversight: {
+        hasHumanOversight: ['L1', 'L2', 'L3'].includes(manifest.autonomy_level),
+        oversightType: mapOversightType(manifest.autonomy_level),
+        mechanism: manifest.autonomy_evidence?.human_approval_gates > 0
+          ? `${manifest.autonomy_evidence.human_approval_gates} human approval gate(s) detected`
+          : '',
+        responsibleRole: '',
+        escalationProcess: '',
+        reviewFrequency: '',
+      },
+      mitigation_measures: {
+        measures: [],
+        incidentResponse: '',
+        communicationPlan: '',
+        suspensionCriteria: '',
+        remediationProcess: '',
+        internalComplaint: '',
+        externalComplaint: '',
+      },
+      monitoring_plan: {
+        frequency: '',
+        metrics: [],
+        responsibleTeam: '',
+        reviewProcess: '',
+        nextReviewDate: '',
+        dpiaReference: '',
+        legalBasis: '',
+        overallRiskDecision: '',
+        conditionsForDeployment: '',
+      },
+    },
+  };
+};
+// --- Markdown Generator ---
+export const generateFria = (input: FriaGeneratorInput): FriaResult => {
+  const { manifest, template, organization, assessor, impact, mitigation, approval } = input;
+  const prefilledFields: string[] = [];
+  const manualFields: string[] = [];
+  let markdown = template;
+  // 1. Assessment Header
+  // [AI System Name]
+  markdown = markdown.replaceAll('[AI System Name]', manifest.display_name);
+  prefilledFields.push('AI System Name');
+  // FRIA-[YYYY]-[NNN]
+  const friaId = generateFriaId();
+  markdown = markdown.replace('FRIA-[YYYY]-[NNN]', friaId);
+  prefilledFields.push('Assessment ID');
+  // [Date] in header
+  const today = new Date().toISOString().slice(0, 10);
+  markdown = markdown.replaceAll('[Date]', today);
+  prefilledFields.push('Date');
+  // Assessor
+  if (assessor) {
+    markdown = markdown.replace('[Name, Title]', assessor);
+    prefilledFields.push('Assessor');
+  } else {
+    manualFields.push('Assessor (Name, Title)');
+  }
+  // DPO
+  manualFields.push('DPO Consulted (Name, Date)');
+  // 2. AI System Description
+  // System name in section 2
+  markdown = markdown.replace('System name: [Name]', `System name: ${manifest.display_name}`);
+  // Provider
+  markdown = markdown.replace('Provider: [Name]', `Provider: ${manifest.model.provider}`);
+  prefilledFields.push('Provider');
+  // Version
+  markdown = markdown.replace('Version: [Number]', `Version: ${manifest.version}`);
+  prefilledFields.push('Version');
+  // Intended purpose
+  markdown = markdown.replace('Intended purpose: [Description]', `Intended purpose: ${manifest.description}`);
+  prefilledFields.push('Intended purpose');
+  // Deployment context, categories, geographic scope — manual
+  manualFields.push('Deployment context');
+  manualFields.push('Categories of persons affected');
+  manualFields.push('Geographic scope');
+  // 3. Deployer Information
+  const orgName = organization ?? manifest.owner.team;
+  if (orgName) {
+    markdown = markdown.replace('Organisation: [Name]', `Organisation: ${orgName}`);
+    prefilledFields.push('Organisation');
+  } else {
+    manualFields.push('Organisation');
+  }
+  manualFields.push('Organisation type');
+  manualFields.push('Article 27 trigger');
+  // 4. Risk Assessment table — set default risk level from passport
+  const riskLevel = deriveRiskLevel(manifest.compliance.eu_ai_act.risk_class);
+  // Impact description — replace placeholder or leave as manual
+  if (impact) {
+    markdown = markdown.replace('[e.g., AI may produce biased outcomes against certain ethnic groups in credit decisions]', impact);
+    prefilledFields.push('Impact description');
+  } else {
+    manualFields.push('Fundamental Rights risk descriptions');
+  }
+  manualFields.push('Affected groups');
+  // Mitigation measures — replace placeholder or leave as manual
+  if (mitigation) {
+    markdown = markdown.replace('[e.g., Regular bias audits, human review of rejections, fairness metrics monitoring]', mitigation);
+    prefilledFields.push('Mitigation measures');
+  } else {
+    manualFields.push('Mitigation measures');
+  }
+  // Pre-fill first risk row level if we know the risk class
+  if (riskLevel !== '[H/M/L/N]') {
+    // Replace only in the table rows (after the header)
+    const tableRows = markdown.split('\n');
+    let replaced = false;
+    for (let i = 0; i < tableRows.length; i++) {
+      if (tableRows[i]!.includes('| [H/M/L/N]') && !replaced) {
+        tableRows[i] = tableRows[i]!.replace('[H/M/L/N]', riskLevel);
+        replaced = true;
+        // Only pre-fill first row to hint, rest remain manual
+      }
+    }
+    markdown = tableRows.join('\n');
+  }
+  // 5. Mitigation Measures and Human Oversight
+  const oversightDesc = deriveOversightDescription(manifest);
+  markdown = markdown.replace(
+    '[Description of how human can intervene/stop the system]',
+    oversightDesc,
+  );
+  prefilledFields.push('Human oversight mechanism');
+  manualFields.push('Assigned oversight person');
+  manualFields.push('Escalation process');
+  manualFields.push('Review frequency');
+  // 6-8: Mostly manual
+  manualFields.push('Incident response plan');
+  manualFields.push('Communication to affected persons');
+  manualFields.push('System suspension criteria');
+  manualFields.push('Remediation process');
+  manualFields.push('Internal complaint mechanism');
+  manualFields.push('External complaint options');
+  manualFields.push('DPIA reference');
+  manualFields.push('Legal basis for data processing');
+  // 9. Conclusion — manual
+  manualFields.push('Overall risk assessment decision');
+  manualFields.push('Conditions for deployment');
+  manualFields.push('Next review date');
+  // 10. Sign-off
+  manualFields.push('Assessor sign-off');
+  manualFields.push('DPO sign-off');
+  if (approval) {
+    markdown = markdown.replace(
+      'Decision-maker: _________________ Date: _________',
+      `Decision-maker: ${approval} Date: ${new Date().toISOString().split('T')[0]}`,
+    );
+    prefilledFields.push('Decision-maker sign-off');
+  } else {
+    manualFields.push('Decision-maker sign-off');
+  }
+  manualFields.push('Market surveillance notification');
+  const structured = generateFriaStructured(input);
+  return Object.freeze({
+    markdown,
+    structured,
+    prefilledFields: Object.freeze([...prefilledFields]),
+    manualFields: Object.freeze([...manualFields]),
+  });
+};