npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/scanner/layers/layer5-docs.test.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { describe, it, expect } from 'vitest';
+import { DOCUMENT_CHECKLISTS, buildDocValidationPrompt, docValidationToFindings, getChecklist, detectDocType } from './layer5-docs.js';
+import type { DocValidationResult } from './layer5-docs.js';
+describe('DOCUMENT_CHECKLISTS', () => {
+  it('has checklists for 4 document types', () => {
+    expect(DOCUMENT_CHECKLISTS.length).toBe(4);
+    expect(DOCUMENT_CHECKLISTS.map((c) => c.docType)).toEqual([
+      'fria', 'technical-documentation', 'transparency-notice', 'risk-management',
+    ]);
+  });
+  it('FRIA has 8 elements with 5 required', () => {
+    const fria = DOCUMENT_CHECKLISTS.find((c) => c.docType === 'fria')!;
+    expect(fria.elements.length).toBe(8);
+    expect(fria.elements.filter((e) => e.required).length).toBe(5);
+  });
+});
+describe('buildDocValidationPrompt', () => {
+  it('includes document content and checklist', () => {
+    const checklist = DOCUMENT_CHECKLISTS[0]!;
+    const prompt = buildDocValidationPrompt('# FRIA\n## Risk Assessment\nHigh risk identified.', checklist);
+    expect(prompt).toContain('FRIA');
+    expect(prompt).toContain('affected-rights');
+    expect(prompt).toContain('REQUIRED');
+    expect(prompt).toContain('Risk Assessment');
+  });
+  it('truncates very long documents', () => {
+    const longDoc = 'x'.repeat(20000);
+    const checklist = DOCUMENT_CHECKLISTS[0]!;
+    const prompt = buildDocValidationPrompt(longDoc, checklist);
+    expect(prompt.length).toBeLessThan(15000); // truncated to 8000 chars
+  });
+});
+describe('docValidationToFindings', () => {
+  it('creates pass finding for high quality docs', () => {
+    const results: DocValidationResult[] = [{
+      docType: 'fria',
+      file: 'docs/fria.md',
+      qualityScore: 85,
+      elementsPresent: 7,
+      elementsTotal: 8,
+      missingElements: ['consultation'],
+      feedback: [],
+      severity: 'info',
+    }];
+    const findings = docValidationToFindings(results);
+    expect(findings[0]?.type).toBe('pass');
+    expect(findings[0]?.checkId).toBe('l5-doc-fria');
+  });
+  it('creates fail finding for low quality docs', () => {
+    const results: DocValidationResult[] = [{
+      docType: 'fria',
+      file: 'docs/fria.md',
+      qualityScore: 40,
+      elementsPresent: 3,
+      elementsTotal: 8,
+      missingElements: ['quantitative-assessment', 'affected-population', 'monitoring-plan', 'proportionality', 'alternatives'],
+      feedback: ['Add quantitative risk assessment', 'Describe affected population'],
+      severity: 'high',
+    }];
+    const findings = docValidationToFindings(results);
+    expect(findings[0]?.type).toBe('fail');
+    expect(findings[0]?.message).toContain('quantitative-assessment');
+  });
+});
+describe('getChecklist', () => {
+  it('returns checklist by doc type', () => {
+    expect(getChecklist('fria')?.article).toBe('Art. 27');
+    expect(getChecklist('risk-management')?.article).toBe('Art. 9');
+    expect(getChecklist('unknown')).toBeUndefined();
+  });
+});
+describe('detectDocType', () => {
+  it('detects FRIA from filename', () => {
+    expect(detectDocType('docs/fria.md')).toBe('fria');
+    expect(detectDocType('docs/FRIA.md')).toBe('fria');
+  });
+  it('detects technical documentation', () => {
+    expect(detectDocType('docs/technical-documentation.md')).toBe('technical-documentation');
+    expect(detectDocType('docs/tech-documentation.md')).toBe('technical-documentation');
+  });
+  it('detects risk management', () => {
+    expect(detectDocType('docs/risk-management.md')).toBe('risk-management');
+    expect(detectDocType('docs/risk-assessment.md')).toBe('risk-management');
+  });
+  it('returns undefined for unknown docs', () => {
+    expect(detectDocType('docs/readme.md')).toBeUndefined();
+  });
+});

package/src/domain/scanner/layers/layer5-docs.ts ADDED Viewed

@@ -0,0 +1,250 @@
+/**
+ * L5 Document Validation: LLM checks document CONTENT against
+ * regulation-specific checklists (Art. 27 FRIA, Art. 11 Tech Doc, etc.).
+ */
+import type { Finding } from '../../../types/common.types.js';
+export interface DocumentChecklist {
+  readonly docType: string;
+  readonly article: string;
+  readonly elements: readonly ChecklistElement[];
+}
+export interface ChecklistElement {
+  readonly id: string;
+  readonly description: string;
+  readonly required: boolean;
+}
+export interface DocValidationResult {
+  readonly docType: string;
+  readonly file: string;
+  readonly qualityScore: number;          // 0-100
+  readonly elementsPresent: number;
+  readonly elementsTotal: number;
+  readonly missingElements: readonly string[];
+  readonly feedback: readonly string[];
+  readonly severity: 'high' | 'medium' | 'low' | 'info';
+}
+/** Regulation checklists per document type */
+export const DOCUMENT_CHECKLISTS: readonly DocumentChecklist[] = [
+  {
+    docType: 'fria',
+    article: 'Art. 27',
+    elements: [
+      { id: 'affected-rights', description: 'Specific fundamental rights affected (Art. 6-50 EU Charter)', required: true },
+      { id: 'quantitative-assessment', description: 'Quantitative risk assessment (probability × impact)', required: true },
+      { id: 'mitigation-measures', description: 'Concrete mitigation measures (not generic)', required: true },
+      { id: 'affected-population', description: 'Description of affected population', required: true },
+      { id: 'monitoring-plan', description: 'Monitoring plan for rights impact', required: true },
+      { id: 'proportionality', description: 'Proportionality analysis', required: false },
+      { id: 'alternatives', description: 'Alternatives considered', required: false },
+      { id: 'consultation', description: 'Stakeholder consultation process', required: false },
+    ],
+  },
+  {
+    docType: 'technical-documentation',
+    article: 'Art. 11',
+    elements: [
+      { id: 'system-description', description: 'General description of the AI system', required: true },
+      { id: 'intended-purpose', description: 'Intended purpose and intended use', required: true },
+      { id: 'hardware-requirements', description: 'Hardware and software requirements', required: true },
+      { id: 'training-data', description: 'Training data description and methodology', required: true },
+      { id: 'performance-metrics', description: 'Performance metrics and benchmarks', required: true },
+      { id: 'limitations', description: 'Known limitations and conditions of use', required: true },
+      { id: 'human-oversight', description: 'Human oversight measures', required: true },
+      { id: 'risk-management', description: 'Risk management measures', required: true },
+      { id: 'testing-validation', description: 'Testing and validation procedures', required: true },
+      { id: 'logging-capability', description: 'Logging capabilities description', required: false },
+      { id: 'lifecycle-changes', description: 'Changes throughout lifecycle', required: false },
+      { id: 'standards', description: 'Applied standards and conformity', required: false },
+    ],
+  },
+  {
+    docType: 'transparency-notice',
+    article: 'Art. 13',
+    elements: [
+      { id: 'ai-disclosure', description: 'Clear disclosure that system uses AI', required: true },
+      { id: 'capabilities', description: 'System capabilities description', required: true },
+      { id: 'limitations', description: 'System limitations description', required: true },
+      { id: 'human-contact', description: 'Human contact information', required: true },
+      { id: 'opt-out', description: 'Opt-out mechanism description', required: false },
+      { id: 'data-usage', description: 'Data usage explanation', required: false },
+    ],
+  },
+  {
+    docType: 'risk-management',
+    article: 'Art. 9',
+    elements: [
+      { id: 'risk-identification', description: 'Risk identification methodology', required: true },
+      { id: 'probability-assessment', description: 'Probability assessment for each risk', required: true },
+      { id: 'impact-assessment', description: 'Impact assessment for each risk', required: true },
+      { id: 'mitigation-measures', description: 'Mitigation measures per risk', required: true },
+      { id: 'residual-risks', description: 'Residual risk assessment', required: true },
+      { id: 'monitoring-plan', description: 'Risk monitoring plan', required: false },
+      { id: 'review-schedule', description: 'Review schedule', required: false },
+      { id: 'responsible-persons', description: 'Responsible persons', required: false },
+    ],
+  },
+];
+/**
+ * Build LLM prompt for document validation.
+ */
+export const buildDocValidationPrompt = (
+  docContent: string,
+  checklist: DocumentChecklist,
+): string => {
+  const elementList = checklist.elements
+    .map((e, i) => `${i + 1}. [${e.required ? 'REQUIRED' : 'OPTIONAL'}] ${e.id}: ${e.description}`)
+    .join('\n');
+  return `You are a compliance auditor validating a ${checklist.docType} document against EU AI Act ${checklist.article}.
+Analyze the document below and determine which required elements are adequately covered.
+An element is "present" if it contains SPECIFIC, CONCRETE information (not generic placeholder text).
+Generic phrases like "we comply with all laws" or "risks will be assessed" are NOT adequate.
+Document content:
+---
+${docContent.slice(0, 8000)}
+---
+Required elements to check:
+${elementList}
+Respond ONLY in this JSON format:
+{
+  "elements": [
+    { "id": "element-id", "present": true/false, "adequate": true/false, "feedback": "specific feedback" }
+  ],
+  "overallScore": 0-100,
+  "summary": "1-2 sentence summary"
+}`;
+};
+/**
+ * Convert document validation results into scanner findings.
+ */
+export const docValidationToFindings = (
+  results: readonly DocValidationResult[],
+): readonly Finding[] => {
+  const findings: Finding[] = [];
+  for (const result of results) {
+    if (result.qualityScore >= 80) {
+      findings.push({
+        checkId: `l5-doc-${result.docType}`,
+        type: 'pass',
+        message: `${result.docType} content validation: ${result.elementsPresent}/${result.elementsTotal} elements adequate (score: ${result.qualityScore}/100)`,
+        severity: 'info',
+        confidence: 85,
+        confidenceLevel: 'LIKELY_PASS',
+        l5Analyzed: true,
+      });
+    } else {
+      const missing = result.missingElements.join(', ');
+      findings.push({
+        checkId: `l5-doc-${result.docType}`,
+        type: 'fail',
+        message: `${result.docType} content validation: missing/inadequate elements: ${missing} (score: ${result.qualityScore}/100)`,
+        severity: result.severity,
+        obligationId: `eu-ai-act-doc-${result.docType}`,
+        fix: result.feedback.join('; '),
+        file: result.file,
+        confidence: 85,
+        confidenceLevel: 'LIKELY_FAIL',
+        l5Analyzed: true,
+      });
+    }
+  }
+  return findings;
+};
+/** Type guard for record-shaped objects (used instead of `as` assertions). */
+const isRecord = (v: unknown): v is Record<string, unknown> =>
+  typeof v === 'object' && v !== null;
+/**
+ * Parse LLM JSON response into a DocValidationResult.
+ * Returns undefined if the response cannot be parsed.
+ */
+export const parseDocValidationResponse = (
+  llmText: string,
+  docType: string,
+  filePath: string,
+  totalElements: number,
+): DocValidationResult | undefined => {
+  const jsonMatch = llmText.match(/\{[\s\S]*\}/);
+  if (!jsonMatch) return undefined;
+  let raw: unknown;
+  try {
+    raw = JSON.parse(jsonMatch[0]);
+  } catch {
+    return undefined;
+  }
+  if (!isRecord(raw)) return undefined;
+  const overallScore = typeof raw['overallScore'] === 'number' ? raw['overallScore'] : 50;
+  const elements = Array.isArray(raw['elements']) ? raw['elements'] : [];
+  const present = elements.filter((e: unknown) => {
+    if (!isRecord(e)) return false;
+    return e['present'] === true && e['adequate'] === true;
+  }).length;
+  const missing = elements
+    .filter((e: unknown) => {
+      if (!isRecord(e)) return true;
+      return e['present'] !== true || e['adequate'] !== true;
+    })
+    .map((e: unknown) => {
+      if (!isRecord(e)) return 'unknown';
+      return typeof e['id'] === 'string' ? e['id'] : 'unknown';
+    });
+  const feedback: string[] = [];
+  for (const e of elements) {
+    if (!isRecord(e)) continue;
+    const fb = e['feedback'];
+    if (typeof fb === 'string' && fb.length > 0) {
+      feedback.push(fb);
+    }
+  }
+  const severity: DocValidationResult['severity'] =
+    overallScore < 40 ? 'high' : overallScore < 60 ? 'medium' : overallScore < 80 ? 'low' : 'info';
+  return {
+    docType,
+    file: filePath,
+    qualityScore: overallScore,
+    elementsPresent: present,
+    elementsTotal: totalElements,
+    missingElements: missing,
+    feedback,
+    severity,
+  };
+};
+/**
+ * Get checklist for a document type.
+ */
+export const getChecklist = (docType: string): DocumentChecklist | undefined =>
+  DOCUMENT_CHECKLISTS.find((c) => c.docType === docType);
+/**
+ * Determine document type from file path.
+ */
+export const detectDocType = (filePath: string): string | undefined => {
+  const filename = filePath.split('/').pop()?.toLowerCase() ?? '';
+  if (/fria/i.test(filename)) return 'fria';
+  if (/tech.*doc|technical.*doc/i.test(filename)) return 'technical-documentation';
+  if (/transparency/i.test(filename)) return 'transparency-notice';
+  if (/risk.*manage|risk.*assess/i.test(filename)) return 'risk-management';
+  return undefined;
+};

package/src/domain/scanner/layers/layer5-llm.test.ts ADDED Viewed

@@ -0,0 +1,146 @@
+import { describe, it, expect } from 'vitest';
+import { selectPromptType, extractSnippets, buildL5Prompt, createLayer5 } from './layer5-llm.js';
+import type { Finding } from '../../../types/common.types.js';
+const makeFinding = (overrides: Partial<Finding> = {}): Finding => ({
+  checkId: 'ai-disclosure',
+  type: 'fail',
+  message: 'No AI disclosure found',
+  severity: 'high',
+  confidence: 55,
+  confidenceLevel: 'UNCERTAIN',
+  ...overrides,
+});
+describe('Scanner L5 — LLM Deep Analysis', () => {
+  it('selectPromptType maps disclosure to code_pattern_check', () => {
+    expect(selectPromptType(makeFinding({ checkId: 'ai-disclosure' }))).toBe('code_pattern_check');
+  });
+  it('selectPromptType maps documentation to documentation_check', () => {
+    expect(selectPromptType(makeFinding({ checkId: 'documentation', message: 'Missing documentation' }))).toBe('documentation_check');
+  });
+  it('selectPromptType maps monitoring to architecture_check', () => {
+    expect(selectPromptType(makeFinding({ checkId: 'monitoring', message: 'No monitoring found' }))).toBe('architecture_check');
+  });
+  it('selectPromptType maps data-related to data_handling_check', () => {
+    expect(selectPromptType(makeFinding({ checkId: 'data-retention', message: 'No data retention policy' }))).toBe('data_handling_check');
+  });
+  it('extractSnippets returns relevant code', () => {
+    const files = new Map([
+      ['src/app.tsx', 'export function App() { return <AIDisclosure />; }'],
+      ['src/utils.ts', 'export const add = (a: number, b: number) => a + b;'],
+      ['src/compliance.ts', 'export const disclosure = "This service uses AI";'],
+    ]);
+    const snippets = extractSnippets(makeFinding(), files);
+    expect(snippets.length).toBeGreaterThan(0);
+    expect(snippets[0].relevance).toBeGreaterThan(0);
+  });
+  it('extractSnippets limits to 500 lines', () => {
+    const longFile = Array(600).fill('const x = 1;').join('\n');
+    const files = new Map([['src/long.ts', longFile]]);
+    const snippets = extractSnippets(makeFinding(), files);
+    if (snippets.length > 0) {
+      expect(snippets[0].endLine).toBeLessThanOrEqual(500);
+    }
+  });
+  it('buildL5Prompt includes finding info and snippets', () => {
+    const snippets = [{ file: 'src/app.tsx', startLine: 1, endLine: 5, content: 'const x = 1;', relevance: 0.8 }];
+    const prompt = buildL5Prompt('code_pattern_check', makeFinding(), snippets);
+    expect(prompt).toContain('ai-disclosure');
+    expect(prompt).toContain('No AI disclosure found');
+    expect(prompt).toContain('src/app.tsx');
+    expect(prompt).toContain('implementation patterns');
+  });
+  it('isUncertain identifies uncertain findings', () => {
+    const l5 = createLayer5({
+      callLlm: async () => ({ text: '{}', inputTokens: 0, outputTokens: 0 }),
+      readFile: async () => '',
+      calculateCost: () => 0,
+    });
+    expect(l5.isUncertain(makeFinding({ confidence: 55 }))).toBe(true);
+    expect(l5.isUncertain(makeFinding({ confidence: 95 }))).toBe(false);
+    expect(l5.isUncertain(makeFinding({ confidence: 20 }))).toBe(false);
+  });
+  it('analyzeFindings processes uncertain findings', async () => {
+    const l5 = createLayer5({
+      callLlm: async () => ({
+        text: JSON.stringify({
+          verdict: 'pass',
+          confidence: 85,
+          reasoning: 'Disclosure component found',
+          evidence: ['src/app.tsx:1 — AIDisclosure component'],
+        }),
+        inputTokens: 500,
+        outputTokens: 200,
+      }),
+      readFile: async () => '',
+      calculateCost: () => 0.01,
+    });
+    const findings: Finding[] = [
+      makeFinding({ confidence: 55 }),
+      makeFinding({ checkId: 'logging', confidence: 45, message: 'No logging found' }),
+      makeFinding({ checkId: 'certain', confidence: 95, message: 'Already certain' }),
+    ];
+    const files = new Map([['src/app.tsx', 'const disclosure = true;']]);
+    const results = await l5.analyzeFindings(findings, files);
+    // Only 2 uncertain findings should be analyzed (confidence 40-70)
+    expect(results).toHaveLength(2);
+    expect(results[0].verdict).toBe('pass');
+    expect(results[0].newConfidence).toBe(85);
+  });
+  it('applyResults updates findings', () => {
+    const l5 = createLayer5({
+      callLlm: async () => ({ text: '{}', inputTokens: 0, outputTokens: 0 }),
+      readFile: async () => '',
+      calculateCost: () => 0,
+    });
+    const findings: Finding[] = [makeFinding({ confidence: 55 })];
+    const l5Results = [{
+      findingId: 'ai-disclosure',
+      originalConfidence: 55,
+      newConfidence: 85,
+      verdict: 'pass' as const,
+      reasoning: 'Found',
+      evidence: [],
+      promptType: 'code_pattern_check' as const,
+      cost: 0.01,
+    }];
+    const updated = l5.applyResults(findings, l5Results);
+    expect(updated[0].type).toBe('pass');
+    expect(updated[0].confidence).toBe(85);
+    expect(updated[0].severity).toBe('info');
+  });
+  it('handles LLM errors gracefully', async () => {
+    const l5 = createLayer5({
+      callLlm: async () => { throw new Error('LLM timeout'); },
+      readFile: async () => '',
+      calculateCost: () => 0,
+    });
+    const findings: Finding[] = [makeFinding({ confidence: 55 })];
+    const results = await l5.analyzeFindings(findings, new Map());
+    expect(results).toHaveLength(1);
+    expect(results[0].verdict).toBe('uncertain');
+    expect(results[0].reasoning).toContain('failed');
+  });
+});