@complior/engine 0.9.0

package/src/domain/scanner/rules/banned-packages.test.ts

@@ -0,0 +1,249 @@
+import { describe, it, expect } from 'vitest';
+import {
+  BANNED_PACKAGES,
+  PROHIBITED_PATTERNS,
+  AI_SDK_PACKAGES,
+  BIAS_TESTING_PACKAGES,
+  isBannedPackage,
+  isAiSdkPackage,
+  matchProhibitedPattern,
+} from './banned-packages.js';
+
+describe('BANNED_PACKAGES', () => {
+  it('contains 40+ prohibited packages', () => {
+    expect(BANNED_PACKAGES.length).toBeGreaterThanOrEqual(40);
+  });
+
+  it('covers all 8 Art. 5 prohibition categories', () => {
+    const articles = new Set(BANNED_PACKAGES.map((bp) => bp.article));
+    expect(articles).toContain('Art. 5(1)(a)'); // Subliminal/manipulative
+    expect(articles).toContain('Art. 5(1)(b)'); // Vulnerability exploitation
+    expect(articles).toContain('Art. 5(1)(c)'); // Social scoring
+    expect(articles).toContain('Art. 5(1)(d)'); // Criminal prediction
+    expect(articles).toContain('Art. 5(1)(e)'); // Facial scraping
+    expect(articles).toContain('Art. 5(1)(f)'); // Emotion recognition
+    expect(articles).toContain('Art. 5(1)(g)'); // Biometric categorization
+    expect(articles).toContain('Art. 5(1)(h)'); // Real-time biometric ID
+  });
+
+  it('has correct penalty on all entries', () => {
+    for (const bp of BANNED_PACKAGES) {
+      expect(bp.penalty).toBe('€35M or 7% turnover');
+    }
+  });
+
+  it('has obligationId on all entries', () => {
+    for (const bp of BANNED_PACKAGES) {
+      expect(bp.obligationId).toBe('eu-ai-act-OBL-002');
+    }
+  });
+
+  it('has no duplicate package names', () => {
+    const names = BANNED_PACKAGES.map((bp) => bp.name.toLowerCase());
+    const unique = new Set(names);
+    expect(unique.size).toBe(names.length);
+  });
+
+  it('has non-empty prohibitedWhen for every package', () => {
+    for (const bp of BANNED_PACKAGES) {
+      expect(bp.prohibitedWhen.length).toBeGreaterThan(0);
+    }
+  });
+
+  it('has verifyMessage containing a question for every package', () => {
+    for (const bp of BANNED_PACKAGES) {
+      expect(bp.verifyMessage).toMatch(/\?/);
+    }
+  });
+
+  it('has consistent prohibitedWhen within each article group', () => {
+    const byArticle = new Map<string, Set<string>>();
+    for (const bp of BANNED_PACKAGES) {
+      if (!byArticle.has(bp.article)) byArticle.set(bp.article, new Set());
+      byArticle.get(bp.article)!.add(bp.prohibitedWhen);
+    }
+    for (const [article, texts] of byArticle) {
+      expect(texts.size, `${article} should have one prohibitedWhen text`).toBe(1);
+    }
+  });
+});
+
+describe('isBannedPackage', () => {
+  it('finds exact match', () => {
+    expect(isBannedPackage('deepface')).toBeDefined();
+    expect(isBannedPackage('deepface')?.article).toBe('Art. 5(1)(f)');
+  });
+
+  it('case-insensitive match', () => {
+    expect(isBannedPackage('DeepFace')).toBeDefined();
+    expect(isBannedPackage('SUBLIMINAL-AI')).toBeDefined();
+  });
+
+  it('returns undefined for non-banned package', () => {
+    expect(isBannedPackage('react')).toBeUndefined();
+    expect(isBannedPackage('express')).toBeUndefined();
+  });
+
+  // Art. 5(1)(a) subliminal/manipulative
+  it('detects subliminal manipulation packages', () => {
+    expect(isBannedPackage('subliminal-ai')?.article).toBe('Art. 5(1)(a)');
+    expect(isBannedPackage('dark-patterns')?.article).toBe('Art. 5(1)(a)');
+    expect(isBannedPackage('manipulative-ux')?.article).toBe('Art. 5(1)(a)');
+  });
+
+  // Art. 5(1)(c) social scoring
+  it('detects social scoring packages', () => {
+    expect(isBannedPackage('social-credit-score')?.article).toBe('Art. 5(1)(c)');
+    expect(isBannedPackage('trust-score')?.article).toBe('Art. 5(1)(c)');
+    expect(isBannedPackage('behavior-score')?.article).toBe('Art. 5(1)(c)');
+  });
+
+  // Art. 5(1)(d) predictive policing
+  it('detects predictive policing packages', () => {
+    expect(isBannedPackage('predpol')?.article).toBe('Art. 5(1)(d)');
+    expect(isBannedPackage('crime-prediction')?.article).toBe('Art. 5(1)(d)');
+  });
+
+  // Art. 5(1)(e) facial scraping
+  it('detects facial scraping packages', () => {
+    expect(isBannedPackage('clearview-ai')?.article).toBe('Art. 5(1)(e)');
+    expect(isBannedPackage('face-scraper')?.article).toBe('Art. 5(1)(e)');
+  });
+
+  // Art. 5(1)(g) biometric categorization
+  it('detects biometric categorization packages', () => {
+    expect(isBannedPackage('insightface')?.article).toBe('Art. 5(1)(g)');
+    expect(isBannedPackage('arcface')?.article).toBe('Art. 5(1)(g)');
+    expect(isBannedPackage('face-api.js')?.article).toBe('Art. 5(1)(g)');
+    expect(isBannedPackage('clarifai')?.article).toBe('Art. 5(1)(g)');
+  });
+
+  // Art. 5(1)(h) real-time biometric
+  it('detects real-time biometric packages', () => {
+    expect(isBannedPackage('surveillance-ai')?.article).toBe('Art. 5(1)(h)');
+    expect(isBannedPackage('mass-surveillance')?.article).toBe('Art. 5(1)(h)');
+    expect(isBannedPackage('live-biometric')?.article).toBe('Art. 5(1)(h)');
+  });
+});
+
+describe('PROHIBITED_PATTERNS', () => {
+  it('contains patterns covering all 8 Art. 5 sub-articles', () => {
+    expect(PROHIBITED_PATTERNS.length).toBeGreaterThanOrEqual(10);
+    // Verify all 8 sub-articles (a) through (h) are covered
+    const articles = new Set(PROHIBITED_PATTERNS.map(p => p.article));
+    expect(articles.has('Art. 5(1)(a)')).toBe(true);
+    expect(articles.has('Art. 5(1)(b)')).toBe(true);
+    expect(articles.has('Art. 5(1)(c)')).toBe(true);
+    expect(articles.has('Art. 5(1)(d)')).toBe(true);
+    expect(articles.has('Art. 5(1)(e)')).toBe(true);
+    expect(articles.has('Art. 5(1)(f)')).toBe(true);
+    expect(articles.has('Art. 5(1)(g)')).toBe(true);
+    expect(articles.has('Art. 5(1)(h)')).toBe(true);
+  });
+
+  it('all patterns have article references', () => {
+    for (const p of PROHIBITED_PATTERNS) {
+      expect(p.article).toMatch(/^Art\. 5\(1\)/);
+    }
+  });
+});
+
+describe('matchProhibitedPattern', () => {
+  it('detects emotion recognition in real-time context', () => {
+    const result = matchProhibitedPattern('uses emotion recognition in real-time');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(f)');
+  });
+
+  it('detects social scoring', () => {
+    const result = matchProhibitedPattern('implements social scoring algorithm');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(c)');
+  });
+
+  it('detects predictive policing', () => {
+    const result = matchProhibitedPattern('predictive policing model');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(d)');
+  });
+
+  it('detects mass surveillance', () => {
+    const result = matchProhibitedPattern('mass surveillance system');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(h)');
+  });
+
+  it('detects biometric categorization', () => {
+    const result = matchProhibitedPattern('biometric categorization by race');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(g)');
+  });
+
+  it('detects vulnerability exploitation (Art. 5(1)(b))', () => {
+    const result = matchProhibitedPattern('exploit vulnerable elderly users');
+    expect(result).toBeDefined();
+    expect(result?.article).toBe('Art. 5(1)(b)');
+
+    const r2 = matchProhibitedPattern('targeting disabled persons');
+    expect(r2).toBeDefined();
+    expect(r2?.article).toBe('Art. 5(1)(b)');
+  });
+
+  it('returns undefined for benign text', () => {
+    expect(matchProhibitedPattern('hello world')).toBeUndefined();
+    expect(matchProhibitedPattern('user authentication')).toBeUndefined();
+  });
+});
+
+describe('AI_SDK_PACKAGES', () => {
+  it('contains 51 AI SDK entries', () => {
+    expect(AI_SDK_PACKAGES.size).toBe(51);
+  });
+
+  it('isAiSdkPackage finds known SDKs', () => {
+    expect(isAiSdkPackage('openai')).toBe('OpenAI');
+    expect(isAiSdkPackage('@anthropic-ai/sdk')).toBe('Anthropic');
+    expect(isAiSdkPackage('transformers')).toBe('Hugging Face Transformers');
+  });
+
+  it('isAiSdkPackage finds new SDK entries', () => {
+    // npm
+    expect(isAiSdkPackage('@openclaw/sdk')).toBe('OpenClaw');
+    expect(isAiSdkPackage('groq-sdk')).toBe('Groq');
+    expect(isAiSdkPackage('ollama')).toBe('Ollama');
+    expect(isAiSdkPackage('@aws-sdk/client-bedrock-runtime')).toBe('Amazon Bedrock');
+    expect(isAiSdkPackage('@azure/openai')).toBe('Azure OpenAI');
+    expect(isAiSdkPackage('@ai-sdk/google')).toBe('Vercel AI SDK (Google)');
+    expect(isAiSdkPackage('@ai-sdk/mistral')).toBe('Vercel AI SDK (Mistral)');
+    expect(isAiSdkPackage('@ai-sdk/amazon-bedrock')).toBe('Vercel AI SDK (Bedrock)');
+    expect(isAiSdkPackage('@langchain/core')).toBe('LangChain Core');
+    expect(isAiSdkPackage('@langchain/openai')).toBe('LangChain (OpenAI)');
+    expect(isAiSdkPackage('@langchain/anthropic')).toBe('LangChain (Anthropic)');
+    expect(isAiSdkPackage('@langchain/community')).toBe('LangChain (Community)');
+    // pip
+    expect(isAiSdkPackage('crewai')).toBe('CrewAI');
+    expect(isAiSdkPackage('pyautogen')).toBe('AutoGen');
+    expect(isAiSdkPackage('groq')).toBe('Groq');
+    expect(isAiSdkPackage('together')).toBe('Together AI');
+    expect(isAiSdkPackage('fireworks-ai')).toBe('Fireworks AI');
+    expect(isAiSdkPackage('litellm')).toBe('LiteLLM');
+    expect(isAiSdkPackage('semantic-kernel')).toBe('Semantic Kernel');
+    expect(isAiSdkPackage('haystack-ai')).toBe('Haystack');
+    expect(isAiSdkPackage('instructor')).toBe('Instructor');
+    expect(isAiSdkPackage('dspy-ai')).toBe('DSPy');
+    expect(isAiSdkPackage('phidata')).toBe('Phidata');
+    expect(isAiSdkPackage('boto3')).toBe('AWS SDK (Bedrock)');
+    expect(isAiSdkPackage('deepseek-sdk')).toBe('DeepSeek');
+  });
+
+  it('isAiSdkPackage returns undefined for non-SDK', () => {
+    expect(isAiSdkPackage('express')).toBeUndefined();
+  });
+});
+
+describe('BIAS_TESTING_PACKAGES', () => {
+  it('contains bias testing libraries', () => {
+    expect(BIAS_TESTING_PACKAGES.has('fairlearn')).toBe(true);
+    expect(BIAS_TESTING_PACKAGES.has('aif360')).toBe(true);
+  });
+});

package/src/domain/scanner/rules/banned-packages.ts

@@ -0,0 +1,55 @@
+export type { BannedPackage, ProhibitedPattern } from './banned-packages-data.js';
+export { BANNED_PACKAGES, PROHIBITED_PATTERNS } from './banned-packages-data.js';
+export { AI_SDK_PACKAGES, BIAS_TESTING_PACKAGES } from './banned-packages-sdk.js';
+
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { BANNED_PACKAGES, type ProhibitedPattern, PROHIBITED_PATTERNS } from './banned-packages-data.js';
+import { AI_SDK_PACKAGES } from './banned-packages-sdk.js';
+import type { BannedPackage } from './banned-packages-data.js';
+
+// --- Custom banned packages from project-level .complior/banned-packages.json ---
+
+let customPackages: readonly BannedPackage[] = [];
+
+export const loadCustomBannedPackages = async (projectPath: string): Promise<readonly BannedPackage[]> => {
+  try {
+    const filePath = join(projectPath, '.complior', 'banned-packages.json');
+    const raw = await readFile(filePath, 'utf-8');
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    customPackages = parsed
+      .filter((p: unknown) =>
+        typeof p === 'object' && p !== null && 'name' in p && typeof (p as Record<string, unknown>).name === 'string',
+      )
+      .map((p: Record<string, unknown>): BannedPackage => ({
+        name: String(p.name),
+        ecosystem: (['npm', 'pip', 'cargo', 'go'].includes(String(p.ecosystem ?? ''))
+          ? String(p.ecosystem) as BannedPackage['ecosystem'] : 'any'),
+        reason: String(p.reason ?? 'Custom banned package'),
+        obligationId: String(p.obligationId ?? 'eu-ai-act-OBL-002'),
+        article: String(p.article ?? 'Art. 5'),
+        penalty: String(p.penalty ?? '€35M or 7% turnover'),
+        prohibitedWhen: String(p.prohibitedWhen ?? 'Project-level policy prohibits this package'),
+        verifyMessage: String(p.verifyMessage ?? 'Verify this package is needed and does not violate policy'),
+      }));
+    return customPackages;
+  } catch {
+    customPackages = [];
+    return [];
+  }
+};
+
+// --- Lookups (built-in + custom) ---
+
+export const isBannedPackage = (name: string): BannedPackage | undefined => {
+  const lower = name.toLowerCase();
+  return BANNED_PACKAGES.find((bp) => bp.name.toLowerCase() === lower)
+    ?? customPackages.find((bp) => bp.name.toLowerCase() === lower);
+};
+
+export const isAiSdkPackage = (name: string): string | undefined =>
+  AI_SDK_PACKAGES.get(name);
+
+export const matchProhibitedPattern = (text: string): ProhibitedPattern | undefined =>
+  PROHIBITED_PATTERNS.find((p) => p.regex.test(text));

package/src/domain/scanner/rules/comment-filter.test.ts

@@ -0,0 +1,115 @@
+import { describe, it, expect } from 'vitest';
+import { stripCommentsAndStrings, stripCommentsOnly } from './comment-filter.js';
+
+describe('stripCommentsAndStrings', () => {
+  describe('TypeScript/JavaScript', () => {
+    it('strips line comments', () => {
+      const code = `const x = 1; // killSwitch\nconst y = 2;`;
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      expect(stripped).not.toContain('killSwitch');
+      expect(stripped).toContain('const x = 1;');
+      expect(stripped).toContain('const y = 2;');
+    });
+
+    it('strips block comments', () => {
+      const code = `const x = /* killSwitch */ 1;`;
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      expect(stripped).not.toContain('killSwitch');
+      expect(stripped).toContain('const x =');
+    });
+
+    it('strips string literals', () => {
+      const code = `const msg = "killSwitch";\nconst actual_killSwitch = true;`;
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      // killSwitch in string should be stripped
+      // killSwitch as variable name should remain
+      expect(stripped).toContain('actual_killSwitch');
+    });
+
+    it('strips template literals', () => {
+      const code = 'const msg = `The killSwitch is ${status}`;';
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      expect(stripped).not.toContain('killSwitch');
+    });
+
+    it('preserves line numbers', () => {
+      const code = `line1\n// comment\nline3`;
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      const lines = stripped.split('\n');
+      expect(lines.length).toBe(3);
+      expect(lines[0]).toContain('line1');
+      expect(lines[2]).toContain('line3');
+    });
+
+    it('handles escaped quotes in strings', () => {
+      const code = `const s = "she said \\"killSwitch\\"";`;
+      const stripped = stripCommentsAndStrings(code, '.ts');
+      expect(stripped).not.toContain('killSwitch');
+    });
+  });
+
+  describe('Python', () => {
+    it('strips hash comments', () => {
+      const code = `x = 1  # killSwitch\ny = 2`;
+      const stripped = stripCommentsAndStrings(code, '.py');
+      expect(stripped).not.toContain('killSwitch');
+      expect(stripped).toContain('x = 1');
+    });
+
+    it('strips triple-quoted strings', () => {
+      const code = `x = 1\n"""killSwitch docs"""\ny = 2`;
+      const stripped = stripCommentsAndStrings(code, '.py');
+      expect(stripped).not.toContain('killSwitch');
+    });
+
+    it('strips regular Python strings', () => {
+      const code = `msg = 'killSwitch'\nreal_kill = True`;
+      const stripped = stripCommentsAndStrings(code, '.py');
+      expect(stripped).toContain('real_kill');
+    });
+
+    it('preserves line numbers in multiline docstrings', () => {
+      const code = `line1\n"""\nline3\nline4\n"""\nline6`;
+      const stripped = stripCommentsAndStrings(code, '.py');
+      const lines = stripped.split('\n');
+      expect(lines.length).toBe(6);
+    });
+  });
+
+  it('returns content unchanged for unknown extensions', () => {
+    const code = `killSwitch = true`;
+    const stripped = stripCommentsAndStrings(code, '.md');
+    expect(stripped).toBe(code);
+  });
+});
+
+describe('stripCommentsOnly', () => {
+  it('strips comments but preserves string literals', () => {
+    const code = `const label = "AIDisclosure"; // TODO: rename\nconst x = 1;`;
+    const stripped = stripCommentsOnly(code, '.ts');
+    expect(stripped).toContain('AIDisclosure');
+    expect(stripped).not.toContain('TODO');
+    expect(stripped).toContain('const x = 1;');
+  });
+
+  it('preserves JSX attribute strings', () => {
+    const code = `<div className="AIDisclosure">Powered by AI</div>`;
+    const stripped = stripCommentsOnly(code, '.tsx');
+    expect(stripped).toContain('AIDisclosure');
+    expect(stripped).toContain('Powered by AI');
+  });
+
+  it('strips block comments while preserving strings', () => {
+    const code = `const x = "keepThis"; /* removeThis */ const y = 1;`;
+    const stripped = stripCommentsOnly(code, '.js');
+    expect(stripped).toContain('keepThis');
+    expect(stripped).not.toContain('removeThis');
+  });
+
+  it('strips Python comments but preserves strings', () => {
+    const code = `msg = "AIDisclosure"  # remove this comment\nx = 1`;
+    const stripped = stripCommentsOnly(code, '.py');
+    expect(stripped).toContain('AIDisclosure');
+    expect(stripped).not.toContain('remove this');
+  });
+});