npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/scanner/role-filter.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import type { Role, Finding } from '../../types/common.types.js';
+/**
+ * Static mapping: checkId → required role.
+ * Checks NOT listed here apply to 'both' (all roles).
+ */
+const CHECK_ROLE: ReadonlyMap<string, Role> = new Map([
+  // Provider-only (org builds AI system)
+  ['qms', 'provider'],
+  ['gpai-transparency', 'provider'],
+  ['gpai-systemic-risk', 'provider'],
+  ['l3-missing-bias-testing', 'provider'],
+  ['l4-data-governance', 'provider'],
+  ['l4-content-marking', 'provider'],
+  ['l4-gpai-transparency', 'provider'],
+  ['l4-conformity-assessment', 'provider'],
+  ['content-marking', 'provider'],
+  // Deployer-only (org uses AI system)
+  ['monitoring-policy', 'deployer'],
+  ['worker-notification', 'deployer'],
+  ['incident-report', 'deployer'],
+  ['fria', 'deployer'],
+  ['l4-deployer-monitoring', 'deployer'],
+  ['l4-record-keeping', 'deployer'],
+]);
+/** Get the required role for a check. Unlisted checks → 'both'. */
+export const getCheckRole = (checkId: string): Role =>
+  CHECK_ROLE.get(checkId) ?? 'both';
+/**
+ * Filter findings by project role.
+ * Findings for an inapplicable role become type: 'skip' (visible but not scored).
+ * If projectRole is 'both', all findings pass through unchanged.
+ */
+export const filterFindingsByRole = (
+  findings: readonly Finding[],
+  projectRole: Role,
+): readonly Finding[] => {
+  if (projectRole === 'both') return findings;
+  return findings.map(f => {
+    const role = getCheckRole(f.checkId);
+    if (role === 'both' || role === projectRole) return f;
+    return {
+      ...f,
+      type: 'skip' as const,
+      message: `Skipped: ${role}-only check (project role: ${projectRole})`,
+    };
+  });
+};

package/src/domain/scanner/rules/banned-packages-data.ts ADDED Viewed

@@ -0,0 +1,553 @@
+export interface BannedPackage {
+  readonly name: string;
+  readonly ecosystem: 'npm' | 'pip' | 'cargo' | 'go' | 'any';
+  readonly reason: string;
+  readonly obligationId: string;
+  readonly article: string;
+  readonly penalty: string;
+  readonly prohibitedWhen: string;
+  readonly verifyMessage: string;
+}
+export const BANNED_PACKAGES: readonly BannedPackage[] = [
+  // --- Art. 5(1)(a): Subliminal/manipulative/deceptive techniques ---
+  {
+    name: 'subliminal-ai',
+    ecosystem: 'any',
+    reason: 'Subliminal manipulation',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  {
+    name: 'dark-patterns',
+    ecosystem: 'npm',
+    reason: 'Deceptive design patterns',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  {
+    name: 'deceptive-design',
+    ecosystem: 'npm',
+    reason: 'Deceptive design toolkit',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  {
+    name: 'nudge-ai',
+    ecosystem: 'any',
+    reason: 'AI-based behavioral nudging',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  {
+    name: 'manipulative-ux',
+    ecosystem: 'npm',
+    reason: 'Manipulative UX patterns',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  {
+    name: 'subliminal-messaging',
+    ecosystem: 'any',
+    reason: 'Subliminal messaging toolkit',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(a)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Used as subliminal or manipulative technique to distort behavior beyond person\'s awareness, causing significant harm',
+    verifyMessage: 'Does this influence user decisions through techniques they are not aware of?',
+  },
+  // --- Art. 5(1)(b): Exploitation of vulnerabilities ---
+  {
+    name: 'vulnerability-exploitation',
+    ecosystem: 'any',
+    reason: 'Exploits age/disability/social vulnerabilities',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(b)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Exploits vulnerabilities due to age, disability, or social/economic situation to distort behavior, causing significant harm',
+    verifyMessage: 'Does this target or exploit vulnerable groups (children, elderly, disabled)?',
+  },
+  // --- Art. 5(1)(c): Social scoring ---
+  {
+    name: 'social-credit-score',
+    ecosystem: 'any',
+    reason: 'Social scoring',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'social-score',
+    ecosystem: 'any',
+    reason: 'Social behavior scoring',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'reputation-score',
+    ecosystem: 'any',
+    reason: 'Person reputation scoring',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'citizen-score',
+    ecosystem: 'any',
+    reason: 'Citizen scoring system',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'trust-score',
+    ecosystem: 'any',
+    reason: 'Social trust scoring',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'behavior-score',
+    ecosystem: 'any',
+    reason: 'Behavioral scoring of persons',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  {
+    name: 'credit-social',
+    ecosystem: 'any',
+    reason: 'Social credit scoring',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(c)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Evaluates or classifies persons based on social behavior or personal characteristics, leading to detrimental treatment unrelated to the original context',
+    verifyMessage: 'Does this aggregate personal behavior into a score that affects access to services?',
+  },
+  // --- Art. 5(1)(d): Individual criminal risk prediction ---
+  {
+    name: 'predpol',
+    ecosystem: 'any',
+    reason: 'Predictive policing based on profiling',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(d)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Assesses risk of criminal offence based solely on profiling or personality traits, without objective verifiable facts',
+    verifyMessage: 'Does this predict criminality based on personal characteristics rather than verified facts?',
+  },
+  {
+    name: 'predictive-policing',
+    ecosystem: 'any',
+    reason: 'Predictive policing',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(d)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Assesses risk of criminal offence based solely on profiling or personality traits, without objective verifiable facts',
+    verifyMessage: 'Does this predict criminality based on personal characteristics rather than verified facts?',
+  },
+  {
+    name: 'crime-prediction',
+    ecosystem: 'any',
+    reason: 'Criminal risk prediction via profiling',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(d)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Assesses risk of criminal offence based solely on profiling or personality traits, without objective verifiable facts',
+    verifyMessage: 'Does this predict criminality based on personal characteristics rather than verified facts?',
+  },
+  {
+    name: 'precrime',
+    ecosystem: 'any',
+    reason: 'Pre-crime risk assessment',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(d)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Assesses risk of criminal offence based solely on profiling or personality traits, without objective verifiable facts',
+    verifyMessage: 'Does this predict criminality based on personal characteristics rather than verified facts?',
+  },
+  {
+    name: 'recidivism-predictor',
+    ecosystem: 'any',
+    reason: 'Recidivism prediction via profiling',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(d)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Assesses risk of criminal offence based solely on profiling or personality traits, without objective verifiable facts',
+    verifyMessage: 'Does this predict criminality based on personal characteristics rather than verified facts?',
+  },
+  // --- Art. 5(1)(e): Untargeted facial scraping ---
+  {
+    name: 'clearview-ai',
+    ecosystem: 'any',
+    reason: 'Untargeted facial scraping from internet/CCTV',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(e)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Creates or expands facial recognition databases through untargeted scraping from internet or CCTV footage',
+    verifyMessage: 'Does this collect facial images from public sources without individual consent?',
+  },
+  {
+    name: 'face-scraper',
+    ecosystem: 'any',
+    reason: 'Facial image scraping toolkit',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(e)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Creates or expands facial recognition databases through untargeted scraping from internet or CCTV footage',
+    verifyMessage: 'Does this collect facial images from public sources without individual consent?',
+  },
+  // --- Art. 5(1)(f): Emotion recognition in workplace/education ---
+  {
+    name: 'deepface',
+    ecosystem: 'pip',
+    reason: 'Emotion recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'fer',
+    ecosystem: 'pip',
+    reason: 'Facial Emotion Recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'emotion-recognition',
+    ecosystem: 'npm',
+    reason: 'Emotion recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'py-feat',
+    ecosystem: 'pip',
+    reason: 'Facial expression analysis (emotion recognition)',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'emopy',
+    ecosystem: 'pip',
+    reason: 'Emotion recognition from facial expressions',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'affectiva',
+    ecosystem: 'any',
+    reason: 'Emotion AI / affective computing',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  {
+    name: 'emotion-api',
+    ecosystem: 'any',
+    reason: 'Emotion detection API client',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(f)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Infers emotions in workplace or educational settings, except for medical or safety purposes',
+    verifyMessage: 'Is this used to detect emotions of employees or students? (Medical/safety use is exempt)',
+  },
+  // --- Art. 5(1)(g): Biometric categorization by protected characteristics ---
+  {
+    name: 'face-api.js',
+    ecosystem: 'npm',
+    reason: 'Biometric identification / categorization',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'insightface',
+    ecosystem: 'pip',
+    reason: 'Biometric face analysis and categorization',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'arcface',
+    ecosystem: 'pip',
+    reason: 'Face recognition / biometric categorization',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'openface',
+    ecosystem: 'any',
+    reason: 'Open-source face recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'compreface',
+    ecosystem: 'any',
+    reason: 'Face recognition / biometric ID service',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'amazon-rekognition',
+    ecosystem: 'any',
+    reason: 'Cloud biometric identification',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: '@azure/cognitiveservices-face',
+    ecosystem: 'npm',
+    reason: 'Cloud biometric face API',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'azure-cognitiveservices-vision-face',
+    ecosystem: 'pip',
+    reason: 'Cloud biometric face API',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'google-cloud-vision',
+    ecosystem: 'pip',
+    reason: 'Cloud biometric identification',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'clarifai',
+    ecosystem: 'any',
+    reason: 'Visual biometric recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'kairos',
+    ecosystem: 'any',
+    reason: 'Face recognition API',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'luxand',
+    ecosystem: 'any',
+    reason: 'Face recognition SDK',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'facepp',
+    ecosystem: 'any',
+    reason: 'Face++ biometric recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  {
+    name: 'deepid',
+    ecosystem: 'pip',
+    reason: 'Deep face identification',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(g)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Categorizes persons by biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation',
+    verifyMessage: 'Does this classify people by protected characteristics (race, religion, sexual orientation)?',
+  },
+  // --- Art. 5(1)(h): Real-time remote biometric ID in public spaces ---
+  {
+    name: 'real-time-facial',
+    ecosystem: 'any',
+    reason: 'Real-time facial recognition in public spaces',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(h)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Real-time remote biometric identification in publicly accessible spaces for law enforcement, except for targeted search for specific victims, prevention of imminent threat, or specific serious crimes',
+    verifyMessage: 'Is this used for real-time biometric identification in public spaces? (Specific law enforcement exceptions may apply)',
+  },
+  {
+    name: 'crowd-face',
+    ecosystem: 'any',
+    reason: 'Crowd facial recognition',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(h)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Real-time remote biometric identification in publicly accessible spaces for law enforcement, except for targeted search for specific victims, prevention of imminent threat, or specific serious crimes',
+    verifyMessage: 'Is this used for real-time biometric identification in public spaces? (Specific law enforcement exceptions may apply)',
+  },
+  {
+    name: 'surveillance-ai',
+    ecosystem: 'any',
+    reason: 'AI surveillance system',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(h)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Real-time remote biometric identification in publicly accessible spaces for law enforcement, except for targeted search for specific victims, prevention of imminent threat, or specific serious crimes',
+    verifyMessage: 'Is this used for real-time biometric identification in public spaces? (Specific law enforcement exceptions may apply)',
+  },
+  {
+    name: 'mass-surveillance',
+    ecosystem: 'any',
+    reason: 'Mass surveillance toolkit',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(h)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Real-time remote biometric identification in publicly accessible spaces for law enforcement, except for targeted search for specific victims, prevention of imminent threat, or specific serious crimes',
+    verifyMessage: 'Is this used for real-time biometric identification in public spaces? (Specific law enforcement exceptions may apply)',
+  },
+  {
+    name: 'live-biometric',
+    ecosystem: 'any',
+    reason: 'Live biometric identification',
+    obligationId: 'eu-ai-act-OBL-002',
+    article: 'Art. 5(1)(h)',
+    penalty: '€35M or 7% turnover',
+    prohibitedWhen: 'Real-time remote biometric identification in publicly accessible spaces for law enforcement, except for targeted search for specific victims, prevention of imminent threat, or specific serious crimes',
+    verifyMessage: 'Is this used for real-time biometric identification in public spaces? (Specific law enforcement exceptions may apply)',
+  },
+];
+export interface ProhibitedPattern {
+  readonly regex: RegExp;
+  readonly reason: string;
+  readonly article: string;
+}
+export const PROHIBITED_PATTERNS: readonly ProhibitedPattern[] = [
+  // Art. 5(1)(a) — Subliminal/manipulative/deceptive techniques
+  { regex: /subliminal.*messag/i, reason: 'Subliminal messaging', article: 'Art. 5(1)(a)' },
+  { regex: /manipulat(e|ive|ion).*behavio(r|ur)/i, reason: 'Behavioral manipulation', article: 'Art. 5(1)(a)' },
+  { regex: /dark.?pattern.*ai/i, reason: 'AI-powered dark patterns', article: 'Art. 5(1)(a)' },
+  { regex: /deceptive.*ai.*technique/i, reason: 'Deceptive AI technique', article: 'Art. 5(1)(a)' },
+  { regex: /covert.*persuasion/i, reason: 'Covert persuasion technique', article: 'Art. 5(1)(a)' },
+  // Art. 5(1)(b) — Exploitation of vulnerabilities (age, disability, social/economic situation)
+  { regex: /exploit.*(vulnerab|elderly|disabled|minors?|children)/i, reason: 'Exploitation of vulnerable groups', article: 'Art. 5(1)(b)' },
+  { regex: /target.*(elderly|senior|disabled|impair|minor|child)/i, reason: 'Targeting vulnerable persons', article: 'Art. 5(1)(b)' },
+  { regex: /age.?based.*(manipulat|exploit|target)/i, reason: 'Age-based exploitation', article: 'Art. 5(1)(b)' },
+  { regex: /disability.*(exploit|manipulat|target)/i, reason: 'Disability-based exploitation', article: 'Art. 5(1)(b)' },
+  { regex: /economic.?vulnerab.*(exploit|target)/i, reason: 'Economic vulnerability exploitation', article: 'Art. 5(1)(b)' },
+  // Art. 5(1)(c) — Social scoring
+  { regex: /social.*scor(e|ing)/i, reason: 'Social scoring system', article: 'Art. 5(1)(c)' },
+  { regex: /citizen.*rating/i, reason: 'Citizen rating system', article: 'Art. 5(1)(c)' },
+  { regex: /behavio(r|ur).*rating.*system/i, reason: 'Behavioral rating system', article: 'Art. 5(1)(c)' },
+  // Art. 5(1)(d) — Criminal risk prediction based on profiling
+  { regex: /predictive.*polic/i, reason: 'Predictive policing', article: 'Art. 5(1)(d)' },
+  { regex: /crime.*predict/i, reason: 'Criminal risk prediction', article: 'Art. 5(1)(d)' },
+  { regex: /recidivism.*predict/i, reason: 'Recidivism prediction', article: 'Art. 5(1)(d)' },
+  { regex: /criminal.*profil/i, reason: 'Criminal profiling', article: 'Art. 5(1)(d)' },
+  // Art. 5(1)(e) — Untargeted facial scraping
+  { regex: /facial.*scrap(e|ing)/i, reason: 'Facial image scraping', article: 'Art. 5(1)(e)' },
+  { regex: /face.*harvest/i, reason: 'Face data harvesting', article: 'Art. 5(1)(e)' },
+  { regex: /scrape.*face.*image/i, reason: 'Scraping facial images', article: 'Art. 5(1)(e)' },
+  // Art. 5(1)(f) — Emotion recognition in workplace/education
+  { regex: /emotion.*recogni(tion|ze|zer).*real.?time/i, reason: 'Real-time emotion recognition', article: 'Art. 5(1)(f)' },
+  { regex: /emotion.*detect.*work(place|er|force)/i, reason: 'Workplace emotion detection', article: 'Art. 5(1)(f)' },
+  { regex: /emotion.*detect.*school|classroom.*emotion/i, reason: 'Education emotion detection', article: 'Art. 5(1)(f)' },
+  { regex: /affect(ive)?.?comput.*employ/i, reason: 'Affective computing for employees', article: 'Art. 5(1)(f)' },
+  // Art. 5(1)(g) — Biometric categorization by sensitive characteristics
+  { regex: /biometric.*categori[sz]/i, reason: 'Biometric categorization', article: 'Art. 5(1)(g)' },
+  { regex: /infer.*(race|religion|politic|sexual.?orient)/i, reason: 'Inferring sensitive attributes', article: 'Art. 5(1)(g)' },
+  { regex: /biometric.*(race|ethnic|gender)/i, reason: 'Biometric sensitive classification', article: 'Art. 5(1)(g)' },
+  // Art. 5(1)(h) — Real-time remote biometric identification in public spaces
+  { regex: /mass.*surveillance/i, reason: 'Mass surveillance', article: 'Art. 5(1)(h)' },
+  { regex: /real.?time.*biometric.*identif/i, reason: 'Real-time biometric identification', article: 'Art. 5(1)(h)' },
+  { regex: /live.*face.*recogni(tion|ze)/i, reason: 'Live facial recognition', article: 'Art. 5(1)(h)' },
+  { regex: /public.*space.*biometric/i, reason: 'Public space biometric ID', article: 'Art. 5(1)(h)' },
+];

package/src/domain/scanner/rules/banned-packages-sdk.ts ADDED Viewed

@@ -0,0 +1,65 @@
+export const AI_SDK_PACKAGES: ReadonlyMap<string, string> = new Map([
+  // npm
+  ['openai', 'OpenAI'],
+  ['@anthropic-ai/sdk', 'Anthropic'],
+  ['anthropic', 'Anthropic'],
+  ['@google/generative-ai', 'Google AI'],
+  ['@google-cloud/aiplatform', 'Google Vertex AI'],
+  ['cohere-ai', 'Cohere'],
+  ['@mistralai/mistralai', 'Mistral'],
+  ['ai', 'Vercel AI SDK'],
+  ['@ai-sdk/openai', 'Vercel AI SDK (OpenAI)'],
+  ['@ai-sdk/anthropic', 'Vercel AI SDK (Anthropic)'],
+  ['@ai-sdk/google', 'Vercel AI SDK (Google)'],
+  ['@ai-sdk/mistral', 'Vercel AI SDK (Mistral)'],
+  ['@ai-sdk/amazon-bedrock', 'Vercel AI SDK (Bedrock)'],
+  ['langchain', 'LangChain'],
+  ['@langchain/core', 'LangChain Core'],
+  ['@langchain/openai', 'LangChain (OpenAI)'],
+  ['@langchain/anthropic', 'LangChain (Anthropic)'],
+  ['@langchain/community', 'LangChain (Community)'],
+  ['llamaindex', 'LlamaIndex'],
+  ['replicate', 'Replicate'],
+  ['huggingface', 'Hugging Face'],
+  ['@huggingface/inference', 'Hugging Face Inference'],
+  ['@openclaw/sdk', 'OpenClaw'],
+  ['groq-sdk', 'Groq'],
+  ['ollama', 'Ollama'],
+  ['@aws-sdk/client-bedrock-runtime', 'Amazon Bedrock'],
+  ['@azure/openai', 'Azure OpenAI'],
+  // pip
+  ['google-generativeai', 'Google AI'],
+  ['cohere', 'Cohere'],
+  ['mistralai', 'Mistral'],
+  ['llama-index', 'LlamaIndex'],
+  ['transformers', 'Hugging Face Transformers'],
+  ['torch', 'PyTorch'],
+  ['tensorflow', 'TensorFlow'],
+  ['crewai', 'CrewAI'],
+  ['pyautogen', 'AutoGen'],
+  ['groq', 'Groq'],
+  ['together', 'Together AI'],
+  ['fireworks-ai', 'Fireworks AI'],
+  ['litellm', 'LiteLLM'],
+  ['semantic-kernel', 'Semantic Kernel'],
+  ['haystack-ai', 'Haystack'],
+  ['instructor', 'Instructor'],
+  ['dspy-ai', 'DSPy'],
+  ['phidata', 'Phidata'],
+  ['boto3', 'AWS SDK (Bedrock)'],
+  ['deepseek-sdk', 'DeepSeek'],
+  // cargo
+  ['async-openai', 'OpenAI (Rust)'],
+  ['llm', 'LLM (Rust)'],
+  // go
+  ['github.com/sashabaranov/go-openai', 'OpenAI (Go)'],
+  ['github.com/anthropics/anthropic-sdk-go', 'Anthropic (Go)'],
+]);
+export const BIAS_TESTING_PACKAGES: ReadonlySet<string> = new Set([
+  'fairlearn',
+  'aif360',
+  'aequitas',
+  'responsibleai',
+  '@responsible-ai/fairness',
+]);