npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/scanner/finding-attribution.test.ts ADDED Viewed

@@ -0,0 +1,444 @@
+import { describe, it, expect } from 'vitest';
+import { buildFileOwnership, attributeFindings, expandPerAgentFindings, PER_AGENT_DOC_CHECK_IDS, type AgentInfo } from './finding-attribution.js';
+import { buildImportGraph } from './import-graph.js';
+import type { FileInfo } from '../../ports/scanner.port.js';
+import type { Finding } from '../../types/common.types.js';
+const makeFile = (path: string, content: string): FileInfo => ({
+  path: `/project/${path}`,
+  relativePath: path,
+  content,
+  extension: '.' + (path.split('.').pop() ?? 'ts'),
+});
+const makeFinding = (overrides: Partial<Finding> = {}): Finding => ({
+  checkId: 'test-check',
+  type: 'fail',
+  message: 'test finding',
+  severity: 'medium',
+  ...overrides,
+});
+describe('buildFileOwnership', () => {
+  it('assigns files reachable by one agent only', () => {
+    const files = [
+      makeFile('agent-a/index.ts', `import { helper } from './helper.js';`),
+      makeFile('agent-a/helper.ts', `export const helper = 1;`),
+      makeFile('agent-b/main.ts', `export const b = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['agent-a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['agent-b/main.ts'] },
+    ];
+    const ownership = buildFileOwnership(agents, graph);
+    expect(ownership.fileToOwner.get('agent-a/index.ts')).toBe('agent-a');
+    expect(ownership.fileToOwner.get('agent-a/helper.ts')).toBe('agent-a');
+    expect(ownership.fileToOwner.get('agent-b/main.ts')).toBe('agent-b');
+    expect(ownership.sharedFiles.size).toBe(0);
+  });
+  it('marks files reachable by 2+ agents as shared', () => {
+    const files = [
+      makeFile('agent-a/index.ts', `import { util } from '../lib/util.js';`),
+      makeFile('agent-b/main.ts', `import { util } from '../lib/util.js';`),
+      makeFile('lib/util.ts', `export const util = 1;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['agent-a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['agent-b/main.ts'] },
+    ];
+    const ownership = buildFileOwnership(agents, graph);
+    expect(ownership.sharedFiles.has('lib/util.ts')).toBe(true);
+    expect(ownership.fileToOwner.has('lib/util.ts')).toBe(false);
+  });
+});
+describe('attributeFindings', () => {
+  // Test 1: Single agent — all findings attributed
+  it('attributes all findings to sole agent', () => {
+    const files = [makeFile('src/app.ts', `export const x = 1;`)];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [{ name: 'my-agent', sourceFiles: ['src/app.ts'] }];
+    const findings = [
+      makeFinding({ file: 'src/app.ts' }),
+      makeFinding({ file: 'other.ts' }),
+      makeFinding(), // no file
+    ];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result).toHaveLength(3);
+    expect(result.every(f => f.agentId === 'my-agent')).toBe(true);
+  });
+  // Test 2: Two agents, separate dirs — correct attribution
+  it('attributes findings to correct agents by import graph', () => {
+    const files = [
+      makeFile('agent-a/index.ts', `import { h } from './helper.js';`),
+      makeFile('agent-a/helper.ts', `export const h = 1;`),
+      makeFile('agent-b/main.ts', `import { u } from './utils.js';`),
+      makeFile('agent-b/utils.ts', `export const u = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['agent-a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['agent-b/main.ts'] },
+    ];
+    const findings = [
+      makeFinding({ checkId: 'c1', file: 'agent-a/helper.ts' }),
+      makeFinding({ checkId: 'c2', file: 'agent-b/utils.ts' }),
+    ];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBe('agent-a');
+    expect(result[1].agentId).toBe('agent-b');
+  });
+  // Test 3: Shared utility imported by both agents → project-level
+  it('leaves shared utility findings as project-level', () => {
+    const files = [
+      makeFile('agent-a/index.ts', `import { util } from '../lib/shared.js';`),
+      makeFile('agent-b/main.ts', `import { util } from '../lib/shared.js';`),
+      makeFile('lib/shared.ts', `export const util = 1;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['agent-a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['agent-b/main.ts'] },
+    ];
+    const findings = [makeFinding({ file: 'lib/shared.ts' })];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBeUndefined();
+  });
+  // Test 4: Transitive imports (3 levels deep)
+  it('follows transitive imports through 3 levels', () => {
+    const files = [
+      makeFile('src/entry.ts', `import { mid } from './mid.js';`),
+      makeFile('src/mid.ts', `import { deep } from './deep.js';`),
+      makeFile('src/deep.ts', `export const deep = 1;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-x', sourceFiles: ['src/entry.ts'] },
+      { name: 'agent-y', sourceFiles: [] },
+    ];
+    const findings = [
+      makeFinding({ checkId: 'c1', file: 'src/mid.ts' }),
+      makeFinding({ checkId: 'c2', file: 'src/deep.ts' }),
+    ];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBe('agent-x');
+    expect(result[1].agentId).toBe('agent-x');
+  });
+  // Test 5: Finding without file (L1) in multi-agent → project-level
+  it('leaves L1 findings without file as project-level in multi-agent', () => {
+    const files = [
+      makeFile('a/index.ts', `export const a = 1;`),
+      makeFile('b/main.ts', `export const b = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['b/main.ts'] },
+    ];
+    const findings = [makeFinding({ file: undefined })];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBeUndefined();
+  });
+  // Test 6: Directory prefix fallback (doc file under agent dir)
+  it('uses directory prefix fallback for non-code files', () => {
+    const files = [
+      makeFile('agents/bot-a/src/index.ts', `export const a = 1;`),
+      makeFile('agents/bot-a/config.ts', `export const c = 1;`),
+      makeFile('agents/bot-b/src/main.ts', `export const b = 2;`),
+      makeFile('agents/bot-b/config.ts', `export const c = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'bot-a', sourceFiles: ['agents/bot-a/src/index.ts', 'agents/bot-a/config.ts'] },
+      { name: 'bot-b', sourceFiles: ['agents/bot-b/src/main.ts', 'agents/bot-b/config.ts'] },
+    ];
+    // README under bot-a's directory, not in import graph
+    const findings = [makeFinding({ file: 'agents/bot-a/docs/README.md' })];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBe('bot-a');
+  });
+  // Test 7: Root-level config (package.json) → project-level
+  it('leaves root-level configs as project-level', () => {
+    const files = [
+      makeFile('src/a.ts', `export const a = 1;`),
+      makeFile('src/b.ts', `export const b = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['src/a.ts'] },
+      { name: 'agent-b', sourceFiles: ['src/b.ts'] },
+    ];
+    const findings = [makeFinding({ file: 'package.json' })];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBeUndefined();
+  });
+  // Test 8: Empty agents array → no attribution
+  it('returns findings unchanged when no agents', () => {
+    const graph = buildImportGraph([]);
+    const findings = [makeFinding({ file: 'src/app.ts' })];
+    const result = attributeFindings(findings, [], graph);
+    expect(result[0].agentId).toBeUndefined();
+  });
+  // Test 9: Circular imports — handled, no infinite loop
+  it('handles circular imports without infinite loop', () => {
+    const files = [
+      makeFile('src/a.ts', `import { b } from './b.js';`),
+      makeFile('src/b.ts', `import { a } from './a.js';`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'circle-agent', sourceFiles: ['src/a.ts'] },
+      { name: 'other', sourceFiles: [] },
+    ];
+    const findings = [
+      makeFinding({ file: 'src/a.ts' }),
+      makeFinding({ file: 'src/b.ts' }),
+    ];
+    const result = attributeFindings(findings, agents, graph);
+    expect(result[0].agentId).toBe('circle-agent');
+    expect(result[1].agentId).toBe('circle-agent');
+  });
+  // Test 10: Graph ownership beats directory prefix
+  it('prefers graph ownership over directory prefix', () => {
+    const files = [
+      makeFile('agent-a/index.ts', `import { helper } from '../lib/helper.js';`),
+      makeFile('lib/helper.ts', `export const helper = 1;`),
+      makeFile('agent-b/main.ts', `export const b = 2;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'agent-a', sourceFiles: ['agent-a/index.ts'] },
+      { name: 'agent-b', sourceFiles: ['agent-b/main.ts'] },
+    ];
+    // lib/helper.ts is only reachable from agent-a via import graph
+    // It's NOT under agent-b's directory prefix
+    const findings = [makeFinding({ file: 'lib/helper.ts' })];
+    const result = attributeFindings(findings, agents, graph);
+    // Graph ownership: agent-a imports lib/helper → owned by agent-a
+    expect(result[0].agentId).toBe('agent-a');
+  });
+});
+describe('E2E: full multi-agent attribution pipeline', () => {
+  it('attributes findings correctly across complex multi-agent project', () => {
+    // Simulate a real multi-agent project:
+    // - agent-chat: imports openai, has chat service + helper
+    // - agent-embed: imports @ai-sdk/openai, has embed pipeline + processor
+    // - shared lib/logger used by both
+    // - config files under each agent dir
+    // - root-level package.json
+    const files = [
+      // Agent Chat subtree
+      makeFile('agents/chat/src/index.ts',
+        `import { OpenAI } from 'openai';\nimport { format } from './format.js';\nimport { log } from '../../lib/logger.js';`),
+      makeFile('agents/chat/src/format.ts',
+        `export const format = (msg: string) => msg.trim();`),
+      // Agent Embed subtree
+      makeFile('agents/embed/src/main.ts',
+        `import { embed } from '@ai-sdk/openai';\nimport { process } from './processor.js';\nimport { log } from '../../lib/logger.js';`),
+      makeFile('agents/embed/src/processor.ts',
+        `export const process = (data: string[]) => data;`),
+      // Shared lib — imported by both
+      makeFile('lib/logger.ts',
+        `export const log = (msg: string) => console.log(msg);`),
+      // Root config
+      makeFile('package.json', `{"name":"multi-agent-project"}`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [
+      { name: 'chat-agent', sourceFiles: ['agents/chat/src/index.ts'] },
+      { name: 'embed-agent', sourceFiles: ['agents/embed/src/main.ts'] },
+    ];
+    const findings = [
+      // Finding on chat's direct file
+      makeFinding({ checkId: 'sdk-no-disclosure', file: 'agents/chat/src/index.ts', severity: 'high' }),
+      // Finding on chat's transitively-imported helper
+      makeFinding({ checkId: 'missing-error-handling', file: 'agents/chat/src/format.ts', severity: 'medium' }),
+      // Finding on embed's direct file
+      makeFinding({ checkId: 'sdk-no-disclosure', file: 'agents/embed/src/main.ts', severity: 'high' }),
+      // Finding on embed's transitively-imported processor
+      makeFinding({ checkId: 'missing-validation', file: 'agents/embed/src/processor.ts', severity: 'medium' }),
+      // Finding on shared logger — project-level
+      makeFinding({ checkId: 'logging-no-retention', file: 'lib/logger.ts', severity: 'low' }),
+      // Finding on root package.json — project-level
+      makeFinding({ checkId: 'banned-package', file: 'package.json', severity: 'critical' }),
+      // L1 finding without file — project-level
+      makeFinding({ checkId: 'missing-fria', file: undefined, severity: 'high' }),
+    ];
+    const result = attributeFindings(findings, agents, graph);
+    // Chat agent owns its files
+    expect(result[0].agentId).toBe('chat-agent');   // index.ts
+    expect(result[1].agentId).toBe('chat-agent');   // format.ts (transitive)
+    // Embed agent owns its files
+    expect(result[2].agentId).toBe('embed-agent');  // main.ts
+    expect(result[3].agentId).toBe('embed-agent');  // processor.ts (transitive)
+    // Shared logger → project-level (no agentId)
+    expect(result[4].agentId).toBeUndefined();
+    // Root config → project-level (no agentId)
+    expect(result[5].agentId).toBeUndefined();
+    // L1 finding without file → project-level
+    expect(result[6].agentId).toBeUndefined();
+  });
+  it('attributeFindings is pure — does not mutate input', () => {
+    const files = [
+      makeFile('src/app.ts', `import { OpenAI } from 'openai';`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [{ name: 'test-agent', sourceFiles: ['src/app.ts'] }];
+    const original = makeFinding({ file: 'src/app.ts' });
+    const findings = [original];
+    const result = attributeFindings(findings, agents, graph);
+    // Original finding not mutated
+    expect(original.agentId).toBeUndefined();
+    // Result has new agentId
+    expect(result[0].agentId).toBe('test-agent');
+    // Different object reference
+    expect(result[0]).not.toBe(original);
+  });
+  it('buildFileOwnership returns frozen immutable result', () => {
+    const files = [
+      makeFile('src/a.ts', `export const a = 1;`),
+    ];
+    const graph = buildImportGraph(files);
+    const agents: AgentInfo[] = [{ name: 'agent', sourceFiles: ['src/a.ts'] }];
+    const ownership = buildFileOwnership(agents, graph);
+    expect(Object.isFrozen(ownership)).toBe(true);
+  });
+});
+describe('expandPerAgentFindings', () => {
+  const agents: AgentInfo[] = [
+    { name: 'agent-x', sourceFiles: ['src/x.ts'] },
+    { name: 'agent-y', sourceFiles: ['src/y.ts'] },
+  ];
+  it('single agent → no expansion', () => {
+    const singleAgent: AgentInfo[] = [{ name: 'sole', sourceFiles: ['src/app.ts'] }];
+    const findings = [
+      makeFinding({ checkId: 'fria', type: 'fail' }),
+      makeFinding({ checkId: 'qms', type: 'fail' }),
+    ];
+    const result = expandPerAgentFindings(findings, singleAgent);
+    expect(result).toBe(findings); // same reference, no-op
+  });
+  it('multi-agent, FRIA fail → expanded to N per-agent fails', () => {
+    const findings = [
+      makeFinding({ checkId: 'fria', type: 'fail', message: 'No FRIA found' }),
+    ];
+    const result = expandPerAgentFindings(findings, agents);
+    expect(result).toHaveLength(2);
+    expect(result[0].agentId).toBe('agent-x');
+    expect(result[0].checkId).toBe('fria');
+    expect(result[1].agentId).toBe('agent-y');
+    expect(result[1].checkId).toBe('fria');
+  });
+  it('multi-agent, FRIA pass → expanded to per-agent passes', () => {
+    const findings = [
+      makeFinding({ checkId: 'fria', type: 'pass', message: 'FRIA found' }),
+    ];
+    const result = expandPerAgentFindings(findings, agents);
+    expect(result).toHaveLength(2);
+    expect(result[0]).toMatchObject({ checkId: 'fria', type: 'pass', agentId: 'agent-x' });
+    expect(result[1]).toMatchObject({ checkId: 'fria', type: 'pass', agentId: 'agent-y' });
+  });
+  it('multi-agent, mixed per-agent + project-only checks', () => {
+    const findings = [
+      makeFinding({ checkId: 'fria', type: 'fail' }),
+      makeFinding({ checkId: 'risk-management', type: 'fail' }),
+      makeFinding({ checkId: 'qms', type: 'fail' }),              // project-level, not expanded
+      makeFinding({ checkId: 'technical-documentation', type: 'pass' }), // pass, expanded per-agent
+      makeFinding({ checkId: 'ai-literacy', type: 'fail' }),       // project-level
+    ];
+    const result = expandPerAgentFindings(findings, agents);
+    // fria fail → 2, risk-management fail → 2, qms → 1, tech-doc pass → 2, ai-literacy → 1
+    expect(result).toHaveLength(8);
+    // First 2: fria expanded
+    expect(result[0]).toMatchObject({ checkId: 'fria', agentId: 'agent-x' });
+    expect(result[1]).toMatchObject({ checkId: 'fria', agentId: 'agent-y' });
+    // Next 2: risk-management expanded
+    expect(result[2]).toMatchObject({ checkId: 'risk-management', agentId: 'agent-x' });
+    expect(result[3]).toMatchObject({ checkId: 'risk-management', agentId: 'agent-y' });
+    // qms stays project-level
+    expect(result[4]).toMatchObject({ checkId: 'qms' });
+    expect(result[4].agentId).toBeUndefined();
+    // tech-doc pass expanded per-agent (each agent gets credit)
+    expect(result[5]).toMatchObject({ checkId: 'technical-documentation', type: 'pass', agentId: 'agent-x' });
+    expect(result[6]).toMatchObject({ checkId: 'technical-documentation', type: 'pass', agentId: 'agent-y' });
+    // ai-literacy stays project-level
+    expect(result[7]).toMatchObject({ checkId: 'ai-literacy' });
+    expect(result[7].agentId).toBeUndefined();
+  });
+  it('PER_AGENT_DOC_CHECK_IDS contains all 7 per-agent checks', () => {
+    expect(PER_AGENT_DOC_CHECK_IDS.size).toBe(7);
+    expect(PER_AGENT_DOC_CHECK_IDS.has('fria')).toBe(true);
+    expect(PER_AGENT_DOC_CHECK_IDS.has('data-governance')).toBe(true);
+    expect(PER_AGENT_DOC_CHECK_IDS.has('qms')).toBe(false);
+  });
+});

package/src/domain/scanner/finding-attribution.ts ADDED Viewed

@@ -0,0 +1,195 @@
+import type { Finding } from '../../types/common.types.js';
+import type { ImportGraph } from './import-graph.js';
+export interface AgentInfo {
+  readonly name: string;
+  readonly sourceFiles: readonly string[];
+}
+export interface FileOwnershipMap {
+  readonly fileToOwner: ReadonlyMap<string, string>;   // file → sole agent
+  readonly sharedFiles: ReadonlySet<string>;            // files reachable by 2+ agents
+}
+/**
+ * BFS forward from each agent's sourceFiles through the import graph.
+ * Files reachable by exactly 1 agent → owned by that agent.
+ * Files reachable by 2+ agents → shared (project-level).
+ */
+export const buildFileOwnership = (
+  agents: readonly AgentInfo[],
+  importGraph: ImportGraph,
+): FileOwnershipMap => {
+  // reachable[file] = set of agent names that can reach it
+  const reachableBy = new Map<string, Set<string>>();
+  for (const agent of agents) {
+    const visited = new Set<string>();
+    const queue = [...agent.sourceFiles];
+    // Seed: mark all sourceFiles as visited
+    for (const sf of agent.sourceFiles) {
+      visited.add(sf);
+    }
+    while (queue.length > 0) {
+      const current = queue.shift()!;
+      // Record reachability
+      if (!reachableBy.has(current)) reachableBy.set(current, new Set());
+      reachableBy.get(current)!.add(agent.name);
+      // BFS forward through imports
+      const node = importGraph.nodes.get(current);
+      if (!node) continue;
+      for (const imp of node.imports) {
+        if (!visited.has(imp)) {
+          visited.add(imp);
+          queue.push(imp);
+        }
+      }
+    }
+  }
+  const fileToOwner = new Map<string, string>();
+  const sharedFiles = new Set<string>();
+  for (const [file, owners] of reachableBy) {
+    if (owners.size === 1) {
+      fileToOwner.set(file, owners.values().next().value!);
+    } else {
+      sharedFiles.add(file);
+    }
+  }
+  return Object.freeze({ fileToOwner, sharedFiles });
+};
+/**
+ * Compute common directory prefix of an agent's sourceFiles.
+ * Returns '' if no common prefix.
+ */
+const computeAgentRoot = (sourceFiles: readonly string[]): string => {
+  const dirs = sourceFiles
+    .map(f => {
+      const idx = f.lastIndexOf('/');
+      return idx >= 0 ? f.substring(0, idx + 1) : '';
+    })
+    .filter(Boolean);
+  if (dirs.length === 0) return '';
+  let common = dirs[0];
+  for (const d of dirs) {
+    while (common && !d.startsWith(common)) {
+      const trimmed = common.substring(0, common.length - 1);
+      const slash = trimmed.lastIndexOf('/');
+      common = slash >= 0 ? trimmed.substring(0, slash + 1) : '';
+    }
+  }
+  return common;
+};
+/**
+ * Build sorted (longest first) agent root directories for prefix fallback.
+ */
+const buildAgentRoots = (
+  agents: readonly AgentInfo[],
+): readonly { readonly name: string; readonly root: string }[] => {
+  const roots: { name: string; root: string }[] = [];
+  for (const agent of agents) {
+    const root = computeAgentRoot(agent.sourceFiles);
+    if (root) roots.push({ name: agent.name, root });
+  }
+  // Longest root first → most specific match wins
+  roots.sort((a, b) => b.root.length - a.root.length);
+  return roots;
+};
+/** Check IDs that require per-agent documents in multi-agent projects (EU AI Act per-AI-system). */
+export const PER_AGENT_DOC_CHECK_IDS: ReadonlySet<string> = new Set([
+  'fria',
+  'risk-management',
+  'technical-documentation',
+  'declaration-of-conformity',
+  'art5-screening',
+  'instructions-for-use',
+  'data-governance',
+]);
+/**
+ * In multi-agent projects, expand project-level document-presence findings
+ * into per-agent findings. Each agent needs its own compliance documents,
+ * and each agent should receive credit for existing project-level docs.
+ *
+ * - agents.length ≤ 1 → no-op (single agent already gets all findings)
+ * - PASS/FAIL/SKIP on per-agent checkId → N findings, one per agent with agentId
+ */
+export const expandPerAgentFindings = (
+  findings: readonly Finding[],
+  agents: readonly AgentInfo[],
+): readonly Finding[] => {
+  if (agents.length <= 1) return findings;
+  const result: Finding[] = [];
+  for (const f of findings) {
+    if (!PER_AGENT_DOC_CHECK_IDS.has(f.checkId)) {
+      result.push(f);
+      continue;
+    }
+    // Expand doc findings to all agents — both passes and fails
+    for (const agent of agents) {
+      result.push({ ...f, agentId: agent.name });
+    }
+  }
+  return result;
+};
+/**
+ * Attribute findings to agents using import-graph ownership + directory prefix fallback.
+ *
+ * Algorithm:
+ * - 0 agents → return as-is
+ * - 1 agent  → all findings → that agent (fast path)
+ * - N agents → graph-based ownership, then directory prefix fallback for non-code files
+ */
+export const attributeFindings = (
+  findings: readonly Finding[],
+  agents: readonly AgentInfo[],
+  importGraph: ImportGraph,
+): readonly Finding[] => {
+  if (agents.length === 0) return findings;
+  // Single agent → all findings belong to it
+  if (agents.length === 1) {
+    const sole = agents[0].name;
+    return findings.map(f => ({ ...f, agentId: sole }));
+  }
+  // Multi-agent: graph-based ownership + directory prefix fallback
+  const ownership = buildFileOwnership(agents, importGraph);
+  const agentRoots = buildAgentRoots(agents);
+  return findings.map(f => {
+    // 1. No file (L1) → project-level
+    if (!f.file) return f;
+    // 2. Graph-based: sole owner
+    const owner = ownership.fileToOwner.get(f.file);
+    if (owner) return { ...f, agentId: owner };
+    // 3. Shared file (reachable by 2+ agents) → project-level
+    if (ownership.sharedFiles.has(f.file)) return f;
+    // 4. Directory prefix fallback (for docs, configs not in import graph)
+    for (const { name, root } of agentRoots) {
+      if (f.file.startsWith(root)) return { ...f, agentId: name };
+    }
+    // 5. Root-level / unattributable → project-level
+    return f;
+  });
+};