@complior/engine 0.9.0

package/src/domain/scanner/layers/layer2-docs.ts

@@ -0,0 +1,297 @@
+import type { CheckResult } from '../../../types/common.types.js';
+import type { DocQualityLevel } from '../../../types/passport.types.js';
+import type { ScanContext } from '../../../ports/scanner.port.js';
+import { DOCUMENT_VALIDATORS } from '../validators.js';
+import {
+  parseMarkdownHeadings,
+  headingMatches,
+  extractSectionContents,
+  extractGroupedSectionContent,
+  measureSemanticDepth,
+  hasAiReviewMarker,
+} from './layer2-parsing.js';
+
+// Re-export for backward compatibility
+export { measureSectionDepth, measureSemanticDepth } from './layer2-parsing.js';
+export type { SectionDepth, SemanticDepth } from './layer2-parsing.js';
+
+// --- Types ---
+
+export interface ValidatorSection {
+  readonly title: string;
+  readonly required: boolean;
+}
+
+export interface DocumentValidator {
+  readonly document: string;
+  readonly obligation: string;
+  readonly article: string;
+  readonly file_patterns: readonly string[];
+  readonly required_sections: readonly ValidatorSection[];
+}
+
+export type L2Status = 'VALID' | 'PARTIAL' | 'SHALLOW' | 'EMPTY';
+
+export interface L2CheckResult {
+  readonly obligationId: string;
+  readonly article: string;
+  readonly document: string;
+  readonly status: L2Status;
+  readonly foundSections: readonly string[];
+  readonly missingSections: readonly string[];
+  readonly totalRequired: number;
+  readonly matchedRequired: number;
+  readonly shallowSections?: readonly string[];
+  readonly sectionFeedback?: readonly string[];     // per-section actionable feedback
+  readonly completenessScore?: number;              // 0-100 overall document quality
+  readonly docQuality: DocQualityLevel;
+}
+
+// --- Validator Loading ---
+
+export const loadValidators = (): readonly DocumentValidator[] => DOCUMENT_VALIDATORS;
+
+/** Marker injected by Complior fix into auto-generated scaffold files. */
+const SCAFFOLD_MARKER = '<!-- COMPLIOR:SCAFFOLD -->';
+const hasScaffoldMarker = (content: string): boolean => content.includes(SCAFFOLD_MARKER);
+
+/** Derive doc quality from L2 status + AI review marker presence + scaffold marker. */
+const classifyDocQuality = (status: L2Status, content: string): DocQualityLevel =>
+  hasAiReviewMarker(content)
+    ? 'reviewed'
+    : hasScaffoldMarker(content)
+      ? 'scaffold'
+      : (status === 'SHALLOW' || status === 'EMPTY' || status === 'PARTIAL') ? 'scaffold' : 'draft';
+
+// --- L2 Check Logic ---
+
+const findMatchingFile = (
+  validator: DocumentValidator,
+  files: readonly { readonly relativePath: string; readonly content: string }[],
+): { readonly relativePath: string; readonly content: string } | undefined => {
+  for (const file of files) {
+    const filename = file.relativePath.split('/').pop() ?? '';
+    for (const pattern of validator.file_patterns) {
+      if (filename.toLowerCase() === pattern.toLowerCase()) {
+        return file;
+      }
+    }
+  }
+  return undefined;
+};
+
+export const validateDocument = (
+  validator: DocumentValidator,
+  content: string,
+): L2CheckResult => {
+  const obligationId = validator.obligation;
+  const headings = parseMarkdownHeadings(content);
+  const requiredSections = validator.required_sections.filter((s) => s.required);
+
+  if (content.trim().length === 0 || headings.length === 0) {
+    return {
+      obligationId,
+      article: validator.article,
+      document: validator.document,
+      status: 'EMPTY',
+      foundSections: [],
+      missingSections: requiredSections.map((s) => s.title),
+      totalRequired: requiredSections.length,
+      matchedRequired: 0,
+      docQuality: classifyDocQuality('EMPTY', content),
+    };
+  }
+
+  const found: string[] = [];
+  const missing: string[] = [];
+
+  for (const section of requiredSections) {
+    const matched = headings.some((h) => headingMatches(h, section.title));
+    if (matched) {
+      found.push(section.title);
+    } else {
+      missing.push(section.title);
+    }
+  }
+
+  // If all headings present, check content depth for SHALLOW detection
+  if (missing.length === 0 && found.length > 0) {
+    const sectionContents = extractSectionContents(content);
+    const shallowSections: string[] = [];
+    const feedbackItems: string[] = [];
+    let totalQualityScore = 0;
+    let scoredSections = 0;
+
+    for (const sectionTitle of found) {
+      // Find matching heading in extracted contents
+      const matchedHeading = [...sectionContents.keys()].find((h) =>
+        headingMatches(h, sectionTitle),
+      );
+      if (matchedHeading !== undefined) {
+        // Use grouped extraction to include child sub-headings (### under ##)
+        const sectionContent = extractGroupedSectionContent(content, sectionTitle);
+        const semantic = measureSemanticDepth(sectionContent, sectionTitle);
+        if (semantic.isShallow) {
+          shallowSections.push(sectionTitle);
+        }
+        if (semantic.feedback && !semantic.feedback.endsWith(': adequate')) {
+          feedbackItems.push(semantic.feedback);
+        }
+        totalQualityScore += semantic.qualityScore;
+        scoredSections++;
+      }
+    }
+
+    const shallowRatio = found.length > 0 ? shallowSections.length / found.length : 0;
+    const completenessScore = scoredSections > 0
+      ? Math.round(totalQualityScore / scoredSections)
+      : 0;
+    const status: L2Status = shallowRatio > 0.5
+      ? 'SHALLOW'
+      : completenessScore < 50
+        ? 'PARTIAL'
+        : 'VALID';
+
+    const docQuality = classifyDocQuality(status, content);
+
+    return {
+      obligationId,
+      article: validator.article,
+      document: validator.document,
+      status,
+      foundSections: found,
+      missingSections: missing,
+      totalRequired: requiredSections.length,
+      matchedRequired: found.length,
+      shallowSections: shallowSections.length > 0 ? shallowSections : undefined,
+      sectionFeedback: feedbackItems.length > 0 ? feedbackItems : undefined,
+      completenessScore,
+      docQuality,
+    };
+  }
+
+  const status: L2Status = missing.length === 0
+    ? 'VALID'
+    : found.length === 0
+      ? 'EMPTY'
+      : 'PARTIAL';
+
+  const docQuality = classifyDocQuality(status, content);
+
+  return {
+    obligationId,
+    article: validator.article,
+    document: validator.document,
+    status,
+    foundSections: found,
+    missingSections: missing,
+    totalRequired: requiredSections.length,
+    matchedRequired: found.length,
+    docQuality,
+  };
+};
+
+// --- Scanner Integration ---
+
+export const runLayer2 = (ctx: ScanContext): readonly L2CheckResult[] => {
+  const validators = loadValidators();
+  const results: L2CheckResult[] = [];
+
+  for (const validator of validators) {
+    const file = findMatchingFile(validator, ctx.files);
+    if (file === undefined) continue; // L1 didn't find it — L2 skips
+
+    results.push(validateDocument(validator, file.content));
+  }
+
+  return results;
+};
+
+export const layer2ToCheckResults = (l2Results: readonly L2CheckResult[]): readonly CheckResult[] => {
+  return l2Results.map((r): CheckResult => {
+    if (r.status === 'VALID') {
+      // Scaffold docs should never pass — they need manual editing
+      if (r.docQuality === 'scaffold') {
+        return {
+          type: 'fail',
+          checkId: `l2-${r.document}`,
+          message: `${r.article}: ${r.document} — document is scaffold/template quality, fill placeholder fields to upgrade`,
+          severity: 'low',
+          obligationId: r.obligationId,
+          articleReference: r.article,
+          fix: `Edit ${r.document} — replace [bracketed] placeholders with actual data`,
+          docQuality: r.docQuality,
+        };
+      }
+      return {
+        type: 'pass',
+        checkId: `l2-${r.document}`,
+        message: `${r.article}: ${r.document} — all ${r.totalRequired} required sections present`,
+      };
+    }
+
+    if (r.status === 'SHALLOW') {
+      const shallowList = r.shallowSections?.join(', ') ?? 'multiple sections';
+      const feedbackSuffix = r.sectionFeedback && r.sectionFeedback.length > 0
+        ? `. Suggestions: ${r.sectionFeedback.join('. ')}`
+        : '';
+      const scoreSuffix = r.completenessScore !== undefined
+        ? ` (quality: ${r.completenessScore}/100)`
+        : '';
+      return {
+        type: 'fail',
+        checkId: `l2-${r.document}`,
+        message: `${r.article}: ${r.document} — headings present but content is shallow in: ${shallowList}${scoreSuffix}`,
+        severity: 'medium',
+        obligationId: r.obligationId,
+        articleReference: r.article,
+        fix: `Expand shallow sections in ${r.document} with details (dates, specifics, lists): ${shallowList}${feedbackSuffix}`,
+      };
+    }
+
+    if (r.status === 'PARTIAL') {
+      // Two PARTIAL triggers: missing sections OR low content quality
+      if (r.missingSections.length > 0) {
+        return {
+          type: 'fail',
+          checkId: `l2-${r.document}`,
+          message: `${r.article}: ${r.document} — missing sections: ${r.missingSections.join(', ')} (${r.matchedRequired}/${r.totalRequired})`,
+          severity: 'medium',
+          obligationId: r.obligationId,
+          articleReference: r.article,
+          fix: `Add missing sections to ${r.document}: ${r.missingSections.join(', ')}`,
+        };
+      }
+      // All headings present but content quality < 50
+      const scoreSuffix = r.completenessScore !== undefined
+        ? ` (quality: ${r.completenessScore}/100)`
+        : '';
+      const feedbackSuffix = r.sectionFeedback && r.sectionFeedback.length > 0
+        ? `. Suggestions: ${r.sectionFeedback.join('. ')}`
+        : '';
+      const scaffoldHint = r.docQuality === 'scaffold'
+        ? '. Remove <!-- COMPLIOR:SCAFFOLD --> comment after editing to upgrade to draft quality'
+        : '';
+      return {
+        type: 'fail',
+        checkId: `l2-${r.document}`,
+        message: `${r.article}: ${r.document} — all sections present but content needs enrichment${scoreSuffix}`,
+        severity: 'low',
+        obligationId: r.obligationId,
+        articleReference: r.article,
+        fix: `Enrich content in ${r.document} — add specifics, dates, tables${feedbackSuffix}${scaffoldHint}`,
+      };
+    }
+
+    // EMPTY
+    return {
+      type: 'fail',
+      checkId: `l2-${r.document}`,
+      message: `${r.article}: ${r.document} — document is empty or has no headings (0/${r.totalRequired} required sections)`,
+      severity: 'high',
+      obligationId: r.obligationId,
+      articleReference: r.article,
+      fix: `Populate ${r.document} with required sections: ${r.missingSections.join(', ')}`,
+    };
+  });
+};

package/src/domain/scanner/layers/layer2-parsing.ts

@@ -0,0 +1,217 @@
+export interface SectionDepth {
+  readonly wordCount: number;
+  readonly sentenceCount: number;
+  readonly hasLists: boolean;
+  readonly hasTables: boolean;
+  readonly hasSpecifics: boolean;
+  readonly isShallow: boolean;
+}
+
+const HEADING_REGEX = /^#{1,4}\s+(.+)$/gm;
+
+export const parseMarkdownHeadings = (content: string): readonly string[] => {
+  const headings: string[] = [];
+  let match: RegExpExecArray | null;
+  while ((match = HEADING_REGEX.exec(content)) !== null) {
+    headings.push(match[1].trim());
+  }
+  return headings;
+};
+
+export const normalize = (text: string): string =>
+  text.toLowerCase().replace(/[\s_-]+/g, ' ').trim();
+
+export const headingMatches = (heading: string, sectionTitle: string): boolean =>
+  normalize(heading).includes(normalize(sectionTitle));
+
+const LIST_REGEX = /^[\s]*[-*•]\s+|^\s*\d+\.\s+/m;
+const TABLE_REGEX = /\|.*\|.*\|/;
+const SPECIFICS_REGEX = /\b\d{4}[-/]\d{2}[-/]\d{2}\b|\b\d+%|\b\d+\.\d+\b|€|Art\.\s*\d+/;
+
+export const extractSectionContents = (content: string): ReadonlyMap<string, string> => {
+  const sections = new Map<string, string>();
+  const lines = content.split('\n');
+  let currentHeading: string | null = null;
+  let currentContent: string[] = [];
+
+  for (const line of lines) {
+    const headingMatch = /^#{1,4}\s+(.+)$/.exec(line);
+    if (headingMatch) {
+      if (currentHeading !== null) {
+        sections.set(currentHeading, currentContent.join('\n'));
+      }
+      currentHeading = headingMatch[1].trim();
+      currentContent = [];
+    } else if (currentHeading !== null) {
+      currentContent.push(line);
+    }
+  }
+
+  if (currentHeading !== null) {
+    sections.set(currentHeading, currentContent.join('\n'));
+  }
+
+  return sections;
+};
+
+/**
+ * Extract content for a target heading, including all child sub-headings
+ * until the next heading of equal or higher level.
+ * Example: for "## System Elements", aggregates ### 2.1, ### 2.2, etc.
+ */
+export const extractGroupedSectionContent = (
+  content: string,
+  targetHeading: string,
+): string => {
+  const lines = content.split('\n');
+  let capturing = false;
+  let targetLevel = 0;
+  const captured: string[] = [];
+
+  for (const line of lines) {
+    const match = /^(#{1,4})\s+(.+)$/.exec(line);
+    if (match) {
+      const level = match[1].length;
+      const heading = match[2].trim();
+      if (!capturing && headingMatches(heading, targetHeading)) {
+        capturing = true;
+        targetLevel = level;
+        continue;
+      }
+      if (capturing && level <= targetLevel) {
+        break; // next sibling or parent — stop
+      }
+      // child heading — include its content
+    }
+    if (capturing) {
+      captured.push(line);
+    }
+  }
+
+  return captured.join('\n');
+};
+
+// --- Semantic Depth (E-12 enhancement) ---
+
+export interface SemanticDepth extends SectionDepth {
+  readonly hasNumericMetrics: boolean;     // percentages, counts, thresholds
+  readonly hasLegalReferences: boolean;    // "Art. X", "GDPR", "ISO"
+  readonly hasDateReferences: boolean;     // dates, deadlines, "annually"
+  readonly hasActionItems: boolean;        // "must", "shall", "required to"
+  readonly hasMeasurableTargets: boolean;  // "99.9%", ">95%", "within 24 hours"
+  readonly placeholderCount: number;       // [TODO], [Name], [Company] etc.
+  readonly qualityScore: number;           // 0-100 per section
+  readonly feedback: string;              // actionable recommendation
+}
+
+const NUMERIC_METRICS_REGEX = /\b\d+(\.\d+)?%|\b\d+(\.\d+)?\s*(ms|seconds?|minutes?|hours?|days?|requests?|errors?|users?)|\b[<>≥≤]=?\s*\d+/;
+const LEGAL_REF_REGEX = /\bArt\.\s*\d+|\bGDPR\b|\bISO\s*\d+|\bNIST\b|\bAIUC|EU\s*AI\s*Act|Regulation\s*\(EU\)/i;
+const DATE_REF_REGEX = /\b\d{4}[-/]\d{2}[-/]\d{2}\b|\b(annually|quarterly|monthly|weekly|bi-annual|semi-annual)\b|\b(Q[1-4]\s*20\d{2}|H[12]\s*20\d{2})\b/i;
+const ACTION_REGEX = /\b(must|shall|required to|obliged to|needs? to|will implement|will ensure)\b/i;
+const MEASURABLE_REGEX = /\b\d+(\.\d+)?%|\bwithin\s+\d+\s*(hours?|days?|minutes?)|\b(SLA|KPI|SLO|threshold|target|benchmark)\b/i;
+
+/**
+ * Detect bracketed placeholder patterns like [Name], [TODO: ...], [Company Name].
+ * Excludes markdown links [text](url) via negative lookahead, and checkboxes [x]/[ ] via min length.
+ */
+const PLACEHOLDER_BRACKET_REGEX = /\[[^\]]{2,60}\](?!\()/g;
+
+export const measureSemanticDepth = (content: string, sectionTitle: string): SemanticDepth => {
+  const base = measureSectionDepth(content);
+  const trimmed = content.trim();
+
+  const hasNumericMetrics = NUMERIC_METRICS_REGEX.test(trimmed);
+  const hasLegalReferences = LEGAL_REF_REGEX.test(trimmed);
+  const hasDateReferences = DATE_REF_REGEX.test(trimmed);
+  const hasActionItems = ACTION_REGEX.test(trimmed);
+  const hasMeasurableTargets = MEASURABLE_REGEX.test(trimmed);
+
+  // Placeholder detection: [Name], [TODO: Company], [H/M/L/N], etc.
+  const placeholderMatches = trimmed.match(PLACEHOLDER_BRACKET_REGEX) ?? [];
+  const placeholderCount = placeholderMatches.filter(m =>
+    !/^\[[ xX]\]$/.test(m) &&  // not checkbox
+    !/^\[!\w/.test(m),          // not image alt start
+  ).length;
+
+  // Quality score: weighted sum of semantic signals
+  let qualityScore = 0;
+  if (base.wordCount >= 50) qualityScore += 20;
+  else if (base.wordCount >= 20) qualityScore += 10;
+  if (base.hasLists) qualityScore += 10;
+  if (base.hasTables) qualityScore += 10;
+  if (base.hasSpecifics) qualityScore += 10;
+  if (hasNumericMetrics) qualityScore += 15;
+  if (hasLegalReferences) qualityScore += 10;
+  if (hasDateReferences) qualityScore += 5;
+  if (hasActionItems) qualityScore += 10;
+  if (hasMeasurableTargets) qualityScore += 10;
+
+  // Placeholder penalty: scaffold documents have many [TODO], [Name], etc.
+  if (placeholderCount > 0) {
+    qualityScore -= placeholderCount * 10;
+    if (placeholderCount >= 3) qualityScore -= 20; // heavy scaffold penalty
+  }
+  qualityScore = Math.max(0, qualityScore);
+
+  // Generate feedback
+  const suggestions: string[] = [];
+  if (placeholderCount > 0) suggestions.push(`Fill ${placeholderCount} placeholder(s) — replace [bracketed] fields with actual data`);
+  if (!hasNumericMetrics) suggestions.push('Add numeric metrics (accuracy %, response time, thresholds)');
+  if (!hasLegalReferences) suggestions.push('Add legal references (Art. numbers, standards)');
+  if (!hasDateReferences) suggestions.push('Add timeline (dates, review frequency)');
+  if (!hasMeasurableTargets) suggestions.push('Add measurable targets (KPIs, SLAs)');
+  if (base.wordCount < 50) suggestions.push(`Expand content (currently ${base.wordCount} words, minimum 50 recommended)`);
+  if (!base.hasLists && !base.hasTables) suggestions.push('Add structured content (lists or tables)');
+
+  const feedback = suggestions.length > 0
+    ? `Section "${sectionTitle}": ${suggestions.join('; ')}`
+    : `Section "${sectionTitle}": adequate`;
+
+  // Override isShallow based on semantic quality
+  const isShallow = qualityScore < 30;
+
+  return {
+    ...base,
+    isShallow,
+    hasNumericMetrics,
+    hasLegalReferences,
+    hasDateReferences,
+    hasActionItems,
+    hasMeasurableTargets,
+    placeholderCount,
+    qualityScore,
+    feedback,
+  };
+};
+
+// --- AI Review Marker Detection ---
+
+export const AI_REVIEW_MARKER_REGEX = /<!--\s*complior:reviewed\s+(\d{4}-\d{2}-\d{2}T[\d:.]+Z?)\s*-->/;
+
+export const hasAiReviewMarker = (content: string): boolean =>
+  AI_REVIEW_MARKER_REGEX.test(content);
+
+export const extractReviewDate = (content: string): string | undefined =>
+  content.match(AI_REVIEW_MARKER_REGEX)?.[1];
+
+// --- Section Depth ---
+
+export const measureSectionDepth = (content: string): SectionDepth => {
+  const trimmed = content.trim();
+  const words = trimmed.split(/\s+/).filter((w) => w.length > 0);
+  const sentences = trimmed.split(/[.!?]+/).filter((s) => s.trim().length > 0);
+  const hasLists = LIST_REGEX.test(trimmed);
+  const hasTables = TABLE_REGEX.test(trimmed);
+  const hasSpecifics = SPECIFICS_REGEX.test(trimmed);
+
+  const isShallow = words.length < 50 && !hasLists && !hasTables && !hasSpecifics;
+
+  return {
+    wordCount: words.length,
+    sentenceCount: sentences.length,
+    hasLists,
+    hasTables,
+    hasSpecifics,
+    isShallow,
+  };
+};

package/src/domain/scanner/layers/layer3-config.test.ts

@@ -0,0 +1,187 @@
+import { describe, it, expect } from 'vitest';
+import { runLayer3, layer3ToCheckResults } from './layer3-config.js';
+import { createScanFile, createScanCtx } from '../../../test-helpers/factories.js';
+
+describe('runLayer3', () => {
+  it('detects AI SDK in package.json (npm project)', () => {
+    const ctx = createScanCtx([
+      createScanFile('package.json', JSON.stringify({
+        dependencies: {
+          'openai': '^4.56.0',
+          'express': '^4.18.0',
+        },
+      })),
+    ]);
+
+    const results = runLayer3(ctx);
+    const sdkFindings = results.filter((r) => r.type === 'ai-sdk-detected');
+
+    expect(sdkFindings.length).toBeGreaterThan(0);
+    expect(sdkFindings.some((r) => r.message.includes('OpenAI'))).toBe(true);
+  });
+
+  it('detects prohibited package in requirements.txt (pip project)', () => {
+    const ctx = createScanCtx([
+      createScanFile('requirements.txt', `anthropic>=0.7.0
+deepface==1.0.2
+flask>=2.0.0
+`),
+    ]);
+
+    const results = runLayer3(ctx);
+    const banned = results.filter((r) => r.type === 'banned-package');
+    const sdks = results.filter((r) => r.type === 'ai-sdk-detected');
+
+    expect(banned).toHaveLength(1);
+    expect(banned[0].status).toBe('PROHIBITED');
+    expect(banned[0].packageName).toBe('deepface');
+    expect(banned[0].article).toBe('Art. 5(1)(f)');
+    expect(banned[0].message).toContain('Art. 5 REVIEW:');
+    expect(banned[0].message).toContain('Verify:');
+    expect(banned[0].bannedPackage).toBeDefined();
+    expect(banned[0].bannedPackage?.prohibitedWhen).toContain('workplace or educational');
+
+    expect(sdks.some((r) => r.message.includes('Anthropic'))).toBe(true);
+  });
+
+  it('detects AI SDK in go.mod (Go project)', () => {
+    const ctx = createScanCtx([
+      createScanFile('go.mod', `module myapp
+
+go 1.21
+
+require (
+	github.com/sashabaranov/go-openai v1.20.0
+	github.com/gin-gonic/gin v1.9.1
+)
+`),
+    ]);
+
+    const results = runLayer3(ctx);
+    const sdkFindings = results.filter((r) => r.type === 'ai-sdk-detected');
+
+    expect(sdkFindings).toHaveLength(1);
+    expect(sdkFindings[0].message).toContain('OpenAI');
+  });
+
+  it('aggregates mixed dependencies (npm + pip + .env)', () => {
+    const ctx = createScanCtx([
+      createScanFile('package.json', JSON.stringify({
+        dependencies: { 'openai': '^4.0.0' },
+      })),
+      createScanFile('requirements.txt', 'anthropic>=0.7.0\n'),
+      createScanFile('.env', 'OPENAI_API_KEY=sk-xxx\nLOG_LEVEL=info\nSENTRY_DSN=https://xxx\n'),
+    ]);
+
+    const results = runLayer3(ctx);
+    const sdkFindings = results.filter((r) => r.type === 'ai-sdk-detected');
+    const envFindings = results.filter((r) => r.type === 'env-config');
+
+    // At least 2 AI SDKs (openai from npm, anthropic from pip)
+    expect(sdkFindings.length).toBeGreaterThanOrEqual(2);
+
+    // .env has API key, LOG_LEVEL, and SENTRY_DSN — all OK
+    const okEnvs = envFindings.filter((r) => r.status === 'OK');
+    expect(okEnvs.length).toBeGreaterThan(0);
+  });
+
+  it('detects log retention in docker-compose.override.yml', () => {
+    const ctx = createScanCtx([
+      createScanFile('docker-compose.override.yml', `services:
+  app:
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "60"
+`),
+    ]);
+
+    const results = runLayer3(ctx);
+    const retention = results.filter((r) => r.type === 'log-retention');
+
+    expect(retention).toHaveLength(1);
+    expect(retention[0].status).toBe('OK');
+  });
+
+  it('skips bias-testing warning when bias-testing config file present', () => {
+    const ctx = createScanCtx([
+      createScanFile('package.json', JSON.stringify({
+        dependencies: { 'openai': '^4.56.0' },
+      })),
+      createScanFile('bias-testing.config.json', '{ "enabled": true }'),
+    ]);
+
+    const results = runLayer3(ctx);
+    const biasFindings = results.filter((r) => r.type === 'missing-bias-testing');
+
+    expect(biasFindings).toHaveLength(0);
+  });
+
+  it('returns no AI SDK findings for non-AI project', () => {
+    const ctx = createScanCtx([
+      createScanFile('package.json', JSON.stringify({
+        dependencies: {
+          'express': '^4.18.0',
+          'react': '^18.2.0',
+          'lodash': '^4.17.0',
+        },
+      })),
+    ]);
+
+    const results = runLayer3(ctx);
+    const sdkFindings = results.filter((r) => r.type === 'ai-sdk-detected');
+    const bannedFindings = results.filter((r) => r.type === 'banned-package');
+
+    expect(sdkFindings).toHaveLength(0);
+    expect(bannedFindings).toHaveLength(0);
+  });
+});
+
+describe('layer3ToCheckResults', () => {
+  it('converts PROHIBITED finding to critical fail with contextual fix', () => {
+    const results = layer3ToCheckResults([{
+      type: 'banned-package',
+      status: 'PROHIBITED',
+      message: 'Art. 5 REVIEW: "deepface" detected — Emotion recognition. Prohibited under Art. 5(1)(f) when: Infers emotions in workplace or educational settings, except for medical or safety purposes. Verify: Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+      obligationId: 'eu-ai-act-OBL-002',
+      article: 'Art. 5(1)(f)',
+      packageName: 'deepface',
+      ecosystem: 'pip',
+      penalty: '€35M or 7% turnover',
+      bannedPackage: {
+        name: 'deepface',
+        ecosystem: 'pip',
+        reason: 'Emotion recognition',
+        obligationId: 'eu-ai-act-OBL-002',
+        article: 'Art. 5(1)(f)',
+        penalty: '€35M or 7% turnover',
+        prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+        verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+      },
+    }]);
+
+    expect(results).toHaveLength(1);
+    expect(results[0].type).toBe('fail');
+    if (results[0].type === 'fail') {
+      expect(results[0].severity).toBe('critical');
+      expect(results[0].message).toContain('Art. 5 REVIEW:');
+      expect(results[0].message).toContain('Verify:');
+      expect(results[0].fix).toContain('Verify your use case');
+      expect(results[0].fix).toContain('Document your use case to confirm compliance');
+    }
+  });
+
+  it('converts OK finding to pass', () => {
+    const results = layer3ToCheckResults([{
+      type: 'ai-sdk-detected',
+      status: 'OK',
+      message: 'AI SDK detected: OpenAI (openai@4.56.0) in npm',
+      packageName: 'openai',
+      ecosystem: 'npm',
+    }]);
+
+    expect(results).toHaveLength(1);
+    expect(results[0].type).toBe('pass');
+  });
+});