npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/scanner/cross-layer.test.ts ADDED Viewed

@@ -0,0 +1,372 @@
+import { describe, it, expect } from 'vitest';
+import { runCrossLayerChecks, crossLayerToCheckResults, CROSS_LAYER_RULES } from './cross-layer.js';
+import type { CheckResult } from '../../types/common.types.js';
+import type { L2CheckResult } from './layers/layer2-docs.js';
+import type { L3CheckResult } from './layers/layer3-config.js';
+import type { L4CheckResult } from './layers/layer4-patterns.js';
+const makeL1Pass = (checkId: string): CheckResult => ({
+  type: 'pass',
+  checkId,
+  message: `${checkId} found`,
+});
+const makeL1Fail = (checkId: string): CheckResult => ({
+  type: 'fail',
+  checkId,
+  message: `${checkId} missing`,
+  severity: 'medium',
+});
+const makeL2 = (overrides: Partial<L2CheckResult> = {}): L2CheckResult => ({
+  obligationId: 'eu-ai-act-OBL-011',
+  article: 'Art. 26',
+  document: 'monitoring-policy',
+  status: 'VALID',
+  foundSections: ['Monitoring Scope'],
+  missingSections: [],
+  totalRequired: 1,
+  matchedRequired: 1,
+  ...overrides,
+});
+const makeL3 = (overrides: Partial<L3CheckResult> = {}): L3CheckResult => ({
+  type: 'ai-sdk-detected',
+  status: 'OK',
+  message: 'AI SDK detected: OpenAI',
+  packageName: 'openai',
+  ecosystem: 'npm',
+  ...overrides,
+});
+const makeL4 = (overrides: Partial<L4CheckResult> = {}): L4CheckResult => ({
+  obligationId: 'eu-ai-act-OBL-015',
+  article: 'Art. 50(1)',
+  category: 'disclosure',
+  patternType: 'positive',
+  status: 'FOUND',
+  matchedPattern: 'AI disclosure component',
+  recommendation: 'Add disclosure',
+  ...overrides,
+});
+describe('CROSS_LAYER_RULES', () => {
+  it('has 6 rules defined', () => {
+    expect(CROSS_LAYER_RULES).toHaveLength(6);
+  });
+  it('all rules have id and description', () => {
+    for (const rule of CROSS_LAYER_RULES) {
+      expect(rule.id).toBeTruthy();
+      expect(rule.description).toBeTruthy();
+    }
+  });
+});
+describe('cross-doc-code-mismatch', () => {
+  it('fires when monitoring doc exists but no monitoring code', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [makeL2({ document: 'monitoring-policy', status: 'VALID' })],
+      [],
+      [], // No monitoring code
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-doc-code-mismatch');
+    expect(mismatch).toBeDefined();
+    expect(mismatch?.severity).toBe('medium');
+  });
+  it('does not fire when monitoring doc and code both present', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [makeL2({ document: 'monitoring-policy', status: 'VALID' })],
+      [],
+      [makeL4({ category: 'deployer-monitoring', status: 'FOUND' })],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-doc-code-mismatch');
+    expect(mismatch).toBeUndefined();
+  });
+  it('does not fire when no monitoring doc', () => {
+    const findings = runCrossLayerChecks([], [], [], []);
+    const mismatch = findings.find((f) => f.ruleId === 'cross-doc-code-mismatch');
+    expect(mismatch).toBeUndefined();
+  });
+  it('fires for SHALLOW monitoring docs too', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [makeL2({ document: 'monitoring-policy', status: 'SHALLOW' })],
+      [],
+      [],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-doc-code-mismatch');
+    expect(mismatch).toBeDefined();
+  });
+});
+describe('cross-banned-with-wrapper', () => {
+  it('fires when banned package has compliance controls', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [makeL3({ type: 'banned-package', status: 'PROHIBITED' })],
+      [makeL4({ category: 'disclosure', status: 'FOUND' })],
+    );
+    const wrapped = findings.find((f) => f.ruleId === 'cross-banned-with-wrapper');
+    expect(wrapped).toBeDefined();
+    expect(wrapped?.severity).toBe('medium');
+  });
+  it('does not fire when banned package has no controls', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [makeL3({ type: 'banned-package', status: 'PROHIBITED' })],
+      [],
+    );
+    const wrapped = findings.find((f) => f.ruleId === 'cross-banned-with-wrapper');
+    expect(wrapped).toBeUndefined();
+  });
+  it('fires for human-oversight control too', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [makeL3({ type: 'banned-package', status: 'PROHIBITED' })],
+      [makeL4({ category: 'human-oversight', status: 'FOUND' })],
+    );
+    const wrapped = findings.find((f) => f.ruleId === 'cross-banned-with-wrapper');
+    expect(wrapped).toBeDefined();
+  });
+});
+describe('cross-logging-no-retention', () => {
+  it('fires when logging in code but no retention config', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [makeL3({ type: 'log-retention', status: 'WARNING' })],
+      [makeL4({ category: 'logging', status: 'FOUND' })],
+    );
+    const noRetention = findings.find((f) => f.ruleId === 'cross-logging-no-retention');
+    expect(noRetention).toBeDefined();
+    expect(noRetention?.article).toBe('Art. 12');
+  });
+  it('does not fire when retention config is OK', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [makeL3({ type: 'log-retention', status: 'OK' })],
+      [makeL4({ category: 'logging', status: 'FOUND' })],
+    );
+    const noRetention = findings.find((f) => f.ruleId === 'cross-logging-no-retention');
+    expect(noRetention).toBeUndefined();
+  });
+  it('does not fire when no logging code', () => {
+    const findings = runCrossLayerChecks([], [], [], []);
+    const noRetention = findings.find((f) => f.ruleId === 'cross-logging-no-retention');
+    expect(noRetention).toBeUndefined();
+  });
+});
+describe('cross-kill-switch-no-test', () => {
+  it('fires when kill switch found but no test file in context', () => {
+    const ctx = {
+      projectPath: '/test',
+      files: [
+        { relativePath: 'src/kill-switch.ts', content: '', extension: '.ts' },
+      ],
+    };
+    const findings = runCrossLayerChecks(
+      [makeL1Fail('documentation')],
+      [],
+      [],
+      [makeL4({ category: 'kill-switch', status: 'FOUND' })],
+      ctx,
+    );
+    const noTest = findings.find((f) => f.ruleId === 'cross-kill-switch-no-test');
+    expect(noTest).toBeDefined();
+    expect(noTest?.severity).toBe('low');
+  });
+  it('does not fire when kill-switch test file exists in context', () => {
+    const ctx = {
+      projectPath: '/test',
+      files: [
+        { relativePath: 'src/kill-switch.ts', content: '', extension: '.ts' },
+        { relativePath: 'src/kill-switch.test.ts', content: '', extension: '.ts' },
+      ],
+    };
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [],
+      [makeL4({ category: 'kill-switch', status: 'FOUND' })],
+      ctx,
+    );
+    const noTest = findings.find((f) => f.ruleId === 'cross-kill-switch-no-test');
+    expect(noTest).toBeUndefined();
+  });
+  it('fires when no context provided', () => {
+    const findings = runCrossLayerChecks(
+      [],
+      [],
+      [],
+      [makeL4({ category: 'kill-switch', status: 'FOUND' })],
+    );
+    const noTest = findings.find((f) => f.ruleId === 'cross-kill-switch-no-test');
+    expect(noTest).toBeDefined();
+  });
+});
+describe('cross-passport-code-mismatch', () => {
+  it('fires when passport exists + AI SDK in deps but no disclosure', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Pass('passport-presence')],
+      [],
+      [makeL3({ type: 'ai-sdk-detected' })],
+      [], // No disclosure
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-passport-code-mismatch');
+    expect(mismatch).toBeDefined();
+    expect(mismatch?.severity).toBe('medium');
+    expect(mismatch?.article).toBe('Art. 50(1)');
+  });
+  it('does not fire when passport exists and disclosure present', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Pass('passport-presence')],
+      [],
+      [makeL3({ type: 'ai-sdk-detected' })],
+      [makeL4({ category: 'disclosure', status: 'FOUND' })],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-passport-code-mismatch');
+    expect(mismatch).toBeUndefined();
+  });
+  it('does not fire when no passport exists', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Fail('passport-presence')],
+      [],
+      [makeL3({ type: 'ai-sdk-detected' })],
+      [],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-passport-code-mismatch');
+    expect(mismatch).toBeUndefined();
+  });
+});
+describe('cross-permission-passport-mismatch', () => {
+  it('fires when undeclared-permission fail exists', () => {
+    const findings = runCrossLayerChecks(
+      [
+        makeL1Fail('undeclared-permission'),
+        makeL1Fail('undeclared-permission'),
+      ],
+      [],
+      [],
+      [],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-permission-passport-mismatch');
+    expect(mismatch).toBeDefined();
+    expect(mismatch?.severity).toBe('high');
+    expect(mismatch?.description).toContain('2 undeclared');
+  });
+  it('does not fire when no undeclared permissions', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Pass('passport-presence')],
+      [],
+      [],
+      [],
+    );
+    const mismatch = findings.find((f) => f.ruleId === 'cross-permission-passport-mismatch');
+    expect(mismatch).toBeUndefined();
+  });
+});
+describe('runCrossLayerChecks', () => {
+  it('returns empty for fully compliant project', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Pass('test-suite')],
+      [makeL2({ document: 'monitoring-policy', status: 'VALID' })],
+      [
+        makeL3({ type: 'ai-sdk-detected' }),
+        makeL3({ type: 'log-retention', status: 'OK' }),
+      ],
+      [
+        makeL4({ category: 'disclosure', status: 'FOUND' }),
+        makeL4({ category: 'deployer-monitoring', status: 'FOUND' }),
+        makeL4({ category: 'logging', status: 'FOUND' }),
+      ],
+    );
+    // No cross-layer issues when all layers are aligned
+    expect(findings).toHaveLength(0);
+  });
+  it('can return multiple findings', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Fail('undeclared-permission')],
+      [makeL2({ document: 'monitoring-policy', status: 'VALID' })],
+      [],
+      [makeL4({ category: 'logging', status: 'FOUND' })],
+    );
+    // Should fire at least: doc-code-mismatch + permission-passport-mismatch
+    expect(findings.length).toBeGreaterThanOrEqual(2);
+  });
+});
+describe('crossLayerToCheckResults', () => {
+  it('converts findings to fail CheckResults', () => {
+    const findings = runCrossLayerChecks(
+      [makeL1Fail('undeclared-permission')],
+      [],
+      [],
+      [],
+    );
+    const checkResults = crossLayerToCheckResults(findings);
+    expect(checkResults.length).toBeGreaterThan(0);
+    expect(checkResults.every((r) => r.type === 'fail')).toBe(true);
+  });
+  it('preserves severity and article', () => {
+    const checkResults = crossLayerToCheckResults([{
+      ruleId: 'test-rule',
+      description: 'Test finding',
+      severity: 'high',
+      layers: ['L3', 'L4'],
+      obligationId: 'eu-ai-act-OBL-015',
+      article: 'Art. 50(1)',
+    }]);
+    expect(checkResults).toHaveLength(1);
+    if (checkResults[0].type === 'fail') {
+      expect(checkResults[0].severity).toBe('high');
+      expect(checkResults[0].articleReference).toBe('Art. 50(1)');
+      expect(checkResults[0].obligationId).toBe('eu-ai-act-OBL-015');
+    }
+  });
+});

package/src/domain/scanner/cross-layer.ts ADDED Viewed

@@ -0,0 +1,232 @@
+import type { CheckResult } from '../../types/common.types.js';
+import type { ScanContext } from '../../ports/scanner.port.js';
+import type { L2CheckResult } from './layers/layer2-docs.js';
+import type { L3CheckResult } from './layers/layer3-config.js';
+import type { L4CheckResult } from './layers/layer4-patterns.js';
+export interface CrossLayerFinding {
+  readonly ruleId: string;
+  readonly description: string;
+  readonly severity: 'critical' | 'high' | 'medium' | 'low';
+  readonly layers: readonly string[];
+  readonly obligationId?: string;
+  readonly article?: string;
+}
+export interface CrossLayerRule {
+  readonly id: string;
+  readonly description: string;
+  readonly check: (
+    l1Results: readonly CheckResult[],
+    l2Results: readonly L2CheckResult[],
+    l3Results: readonly L3CheckResult[],
+    l4Results: readonly L4CheckResult[],
+    ctx?: ScanContext,
+  ) => readonly CrossLayerFinding[];
+}
+// Rule 1: Document says monitoring exists but no monitoring code found
+const docCodeMismatch: CrossLayerRule = {
+  id: 'cross-doc-code-mismatch',
+  description: 'Document claims monitoring but L4 finds no monitoring patterns',
+  check: (_l1, l2Results, _l3, l4Results) => {
+    const findings: CrossLayerFinding[] = [];
+    const hasMonitoringDoc = l2Results.some(
+      (r) => r.document === 'monitoring-policy' && (r.status === 'VALID' || r.status === 'SHALLOW'),
+    );
+    const hasMonitoringCode = l4Results.some(
+      (r) => r.category === 'deployer-monitoring' && r.status === 'FOUND',
+    );
+    if (hasMonitoringDoc && !hasMonitoringCode) {
+      findings.push({
+        ruleId: 'cross-doc-code-mismatch',
+        description: 'Monitoring policy document exists but no monitoring patterns found in code. Document may be aspirational.',
+        severity: 'medium',
+        layers: ['L2', 'L4'],
+        obligationId: 'eu-ai-act-OBL-011',
+        article: 'Art. 26(5)',
+      });
+    }
+    return findings;
+  },
+};
+// Rule 3: Banned package detected but wrapped with compliance layer → reduce severity
+const bannedWithWrapper: CrossLayerRule = {
+  id: 'cross-banned-with-wrapper',
+  description: 'Banned package found but compliance wrapper detected — severity may be reduced',
+  check: (_l1, _l2, l3Results, l4Results) => {
+    const findings: CrossLayerFinding[] = [];
+    const hasBanned = l3Results.some((r) => r.type === 'banned-package');
+    const hasCompliance = l4Results.some(
+      (r) =>
+        (r.category === 'disclosure' || r.category === 'human-oversight' || r.category === 'kill-switch') &&
+        r.status === 'FOUND',
+    );
+    if (hasBanned && hasCompliance) {
+      findings.push({
+        ruleId: 'cross-banned-with-wrapper',
+        description: 'Prohibited package detected but compliance controls (disclosure, oversight, kill-switch) are present. Review whether usage falls under an Art. 5 exception.',
+        severity: 'medium',
+        layers: ['L3', 'L4'],
+        article: 'Art. 5',
+      });
+    }
+    return findings;
+  },
+};
+// Rule 4: Logging found in code but no log retention config
+const loggingNoRetention: CrossLayerRule = {
+  id: 'cross-logging-no-retention',
+  description: 'Logging patterns found in code but no log retention configuration in infra',
+  check: (_l1, _l2, l3Results, l4Results) => {
+    const findings: CrossLayerFinding[] = [];
+    const hasLoggingCode = l4Results.some(
+      (r) => r.category === 'logging' && r.status === 'FOUND',
+    );
+    const hasRetentionConfig = l3Results.some(
+      (r) => r.type === 'log-retention' && r.status === 'OK',
+    );
+    if (hasLoggingCode && !hasRetentionConfig) {
+      findings.push({
+        ruleId: 'cross-logging-no-retention',
+        description: 'AI logging implemented in code but no log retention configuration found. Art. 12 requires log retention >= 180 days.',
+        severity: 'medium',
+        layers: ['L3', 'L4'],
+        obligationId: 'eu-ai-act-OBL-006',
+        article: 'Art. 12',
+      });
+    }
+    return findings;
+  },
+};
+// Rule 5: Kill switch found but no test files → untested safety mechanism
+const killSwitchWithoutTest: CrossLayerRule = {
+  id: 'cross-kill-switch-no-test',
+  description: 'Kill switch pattern found but no test files detected',
+  check: (_l1, _l2, _l3, l4Results, ctx) => {
+    const findings: CrossLayerFinding[] = [];
+    const hasKillSwitch = l4Results.some(
+      (r) => r.category === 'kill-switch' && r.status === 'FOUND',
+    );
+    const hasTestFiles = ctx !== undefined && ctx.files.some(
+      (f) => /kill.?switch/i.test(f.relativePath) && /\.(test|spec)\./i.test(f.relativePath),
+    );
+    if (hasKillSwitch && !hasTestFiles) {
+      findings.push({
+        ruleId: 'cross-kill-switch-no-test',
+        description: 'AI kill switch pattern found in code but no automated tests detected for it. Safety mechanisms should be tested.',
+        severity: 'low',
+        layers: ['L1', 'L4'],
+        article: 'Art. 14',
+      });
+    }
+    return findings;
+  },
+};
+// Rule 6: AI SDK in deps but no disclosure pattern
+const passportCodeMismatch: CrossLayerRule = {
+  id: 'cross-passport-code-mismatch',
+  description: 'AI SDK in dependencies but no disclosure pattern in code',
+  check: (l1Results, _l2, l3Results, l4Results) => {
+    const findings: CrossLayerFinding[] = [];
+    // Check if passport exists (L1 passport-presence pass)
+    const hasPassport = l1Results.some(
+      (r) => r.type === 'pass' && r.checkId === 'passport-presence',
+    );
+    if (!hasPassport) return findings;
+    // AI SDK in dependencies (L3) but no disclosure pattern (L4)
+    const hasAiSdk = l3Results.some((r) => r.type === 'ai-sdk-detected');
+    const hasDisclosure = l4Results.some(
+      (r) => r.category === 'disclosure' && r.status === 'FOUND',
+    );
+    if (hasAiSdk && !hasDisclosure) {
+      findings.push({
+        ruleId: 'cross-passport-code-mismatch',
+        description: 'AI SDK in dependencies but no disclosure pattern found — ensure Art. 50(1) transparency requirements are met.',
+        severity: 'medium',
+        layers: ['L1', 'L3', 'L4'],
+        obligationId: 'eu-ai-act-OBL-015',
+        article: 'Art. 50(1)',
+      });
+    }
+    return findings;
+  },
+};
+// Rule 7: Undeclared permissions — governance failure
+const permissionPassportMismatch: CrossLayerRule = {
+  id: 'cross-permission-passport-mismatch',
+  description: 'Undeclared permissions in passport — governance gap per Art. 26(4)',
+  check: (l1Results, _l2, _l3, _l4Results) => {
+    const undeclaredCount = l1Results.filter(
+      (r) => r.type === 'fail' && r.checkId === 'undeclared-permission',
+    ).length;
+    if (undeclaredCount === 0) return [];
+    return [{
+      ruleId: 'cross-permission-passport-mismatch',
+      description: `${undeclaredCount} undeclared permission(s) in passport — governance gap per Art. 26(4)`,
+      severity: 'high',
+      layers: ['L1'],
+      obligationId: 'eu-ai-act-OBL-011',
+      article: 'Art. 26(4)',
+    }];
+  },
+};
+export const CROSS_LAYER_RULES: readonly CrossLayerRule[] = [
+  docCodeMismatch,
+  bannedWithWrapper,
+  loggingNoRetention,
+  killSwitchWithoutTest,
+  passportCodeMismatch,
+  permissionPassportMismatch,
+];
+export const runCrossLayerChecks = (
+  l1Results: readonly CheckResult[],
+  l2Results: readonly L2CheckResult[],
+  l3Results: readonly L3CheckResult[],
+  l4Results: readonly L4CheckResult[],
+  ctx?: ScanContext,
+): readonly CrossLayerFinding[] => {
+  const allFindings: CrossLayerFinding[] = [];
+  for (const rule of CROSS_LAYER_RULES) {
+    allFindings.push(...rule.check(l1Results, l2Results, l3Results, l4Results, ctx));
+  }
+  return allFindings;
+};
+export const crossLayerToCheckResults = (findings: readonly CrossLayerFinding[]): readonly CheckResult[] =>
+  findings.map((f): CheckResult => ({
+    type: 'fail',
+    checkId: f.ruleId,
+    message: f.description,
+    severity: f.severity,
+    obligationId: f.obligationId,
+    articleReference: f.article,
+  }));

package/src/domain/scanner/data/ai-packages.ts ADDED Viewed

@@ -0,0 +1,82 @@
+/**
+ * Central AI SDK package registry.
+ * Single source of truth for AI package detection across all language ecosystems.
+ * NOTE: banned-packages.ts stays separate — different purpose (Art. 5 prohibition patterns).
+ */
+export interface AiPackageEntry {
+  readonly name: string;
+  readonly ecosystem: 'npm' | 'pypi' | 'go' | 'rust' | 'java';
+}
+const AI_PACKAGE_REGISTRY: readonly AiPackageEntry[] = [
+  // npm (JS/TS)
+  { name: 'openai', ecosystem: 'npm' },
+  { name: '@anthropic-ai/sdk', ecosystem: 'npm' },
+  { name: '@google/generative-ai', ecosystem: 'npm' },
+  { name: '@ai-sdk/openai', ecosystem: 'npm' },
+  { name: '@ai-sdk/anthropic', ecosystem: 'npm' },
+  { name: '@ai-sdk/google', ecosystem: 'npm' },
+  { name: '@ai-sdk/core', ecosystem: 'npm' },
+  { name: 'langchain', ecosystem: 'npm' },
+  { name: '@langchain/core', ecosystem: 'npm' },
+  { name: '@langchain/openai', ecosystem: 'npm' },
+  { name: '@langchain/anthropic', ecosystem: 'npm' },
+  { name: 'cohere-ai', ecosystem: 'npm' },
+  { name: '@mistralai/mistralai', ecosystem: 'npm' },
+  { name: '@huggingface/inference', ecosystem: 'npm' },
+  { name: 'replicate', ecosystem: 'npm' },
+  { name: 'together-ai', ecosystem: 'npm' },
+  { name: '@complior/sdk', ecosystem: 'npm' },
+  // PyPI (Python)
+  { name: 'anthropic', ecosystem: 'pypi' },
+  { name: 'google.generativeai', ecosystem: 'pypi' },
+  { name: 'cohere', ecosystem: 'pypi' },
+  { name: 'mistralai', ecosystem: 'pypi' },
+  { name: 'huggingface_hub', ecosystem: 'pypi' },
+  { name: 'transformers', ecosystem: 'pypi' },
+  { name: 'torch', ecosystem: 'pypi' },
+  { name: 'tensorflow', ecosystem: 'pypi' },
+  { name: 'keras', ecosystem: 'pypi' },
+  // Go
+  { name: 'github.com/sashabaranov/go-openai', ecosystem: 'go' },
+  { name: 'github.com/anthropics/anthropic-sdk-go', ecosystem: 'go' },
+  { name: 'cloud.google.com/go/ai/generativelanguage', ecosystem: 'go' },
+  { name: 'github.com/tmc/langchaingo', ecosystem: 'go' },
+  { name: 'github.com/cohere-ai/cohere-go', ecosystem: 'go' },
+  // Rust
+  { name: 'async-openai', ecosystem: 'rust' },
+  { name: 'anthropic', ecosystem: 'rust' },
+  { name: 'google-generative-ai', ecosystem: 'rust' },
+  { name: 'llm', ecosystem: 'rust' },
+  { name: 'candle-core', ecosystem: 'rust' },
+  { name: 'tch', ecosystem: 'rust' },
+  { name: 'rust-bert', ecosystem: 'rust' },
+  { name: 'langchain-rust', ecosystem: 'rust' },
+  // Java
+  { name: 'dev.langchain4j', ecosystem: 'java' },
+  { name: 'com.theokanning.openai-gpt3-java', ecosystem: 'java' },
+  { name: 'com.google.cloud.aiplatform', ecosystem: 'java' },
+  { name: 'ai.djl', ecosystem: 'java' },
+  { name: 'org.deeplearning4j', ecosystem: 'java' },
+  { name: 'com.azure.ai.openai', ecosystem: 'java' },
+];
+const byEcosystem = (eco: AiPackageEntry['ecosystem']): ReadonlySet<string> =>
+  new Set(AI_PACKAGE_REGISTRY.filter((p) => p.ecosystem === eco).map((p) => p.name));
+/** npm + PyPI packages (used by import-graph for JS/TS/Python import detection). */
+export const NPM_AI_PACKAGES: ReadonlySet<string> = byEcosystem('npm');
+export const PIP_AI_PACKAGES: ReadonlySet<string> = byEcosystem('pypi');
+/** Combined npm + PyPI set (backward-compatible with old AI_PACKAGES). */
+export const AI_PACKAGES: ReadonlySet<string> = new Set([...NPM_AI_PACKAGES, ...PIP_AI_PACKAGES]);
+/** Language-specific sets (used by language adapters). */
+export const GO_AI_PACKAGES: ReadonlySet<string> = byEcosystem('go');
+export const RUST_AI_PACKAGES: ReadonlySet<string> = byEcosystem('rust');
+export const JAVA_AI_PACKAGES: ReadonlySet<string> = byEcosystem('java');