@complior/engine 0.9.0

package/src/domain/scanner/rules/pattern-rules.ts

@@ -0,0 +1,1152 @@
+export type PatternCategory =
+  | 'bare-llm'
+  | 'disclosure'
+  | 'human-oversight'
+  | 'kill-switch'
+  | 'content-marking'
+  | 'logging'
+  | 'data-governance'
+  | 'record-keeping'
+  | 'accuracy-robustness'
+  | 'cybersecurity'
+  | 'deployer-monitoring'
+  | 'gpai-transparency'
+  | 'conformity-assessment'
+  | 'security-risk';
+
+export type PatternType = 'positive' | 'negative';
+
+export interface PatternRule {
+  readonly category: PatternCategory;
+  readonly patternType: PatternType;
+  readonly regex: RegExp;
+  readonly label: string;
+  readonly obligationId: string;
+  readonly article: string;
+  readonly recommendation: string;
+}
+
+export const PATTERN_RULES: readonly PatternRule[] = [
+  // --- Bare LLM Calls (negative: presence = bad) ---
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /openai\.chat\.completions\.create\(/g,
+    label: 'OpenAI bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /anthropic\.messages\.create\(/g,
+    label: 'Anthropic bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /google\.generativeai/gi,
+    label: 'Google Generative AI usage',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /cohere\.chat\(/g,
+    label: 'Cohere bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /mistral\.chat\.complete\(/g,
+    label: 'Mistral bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+
+  // --- Disclosure (positive: presence = good) ---
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /AIDisclosure|ai-disclosure|ai_disclosure/gi,
+    label: 'AI disclosure component/attribute',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+
+  // --- Human Oversight (positive: presence = good) ---
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /humanReview|human_review|manual_approval|human[_-]?oversight|require[_-]?approval/gi,
+    label: 'Human oversight mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+
+  // --- Kill Switch (positive: presence = good) ---
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /AI_ENABLED|DISABLE_AI|ai\.enabled|killSwitch|kill[_-]?switch|feature[_-]?flag.*ai/gi,
+    label: 'AI kill switch / feature flag',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+
+  // --- Content Marking (positive: presence = good) ---
+  {
+    category: 'content-marking',
+    patternType: 'positive',
+    regex: /ai-generated|generated-by-ai|AIGenerated|ai_generated|c2pa|content[_-]?credentials/gi,
+    label: 'AI content marking / watermarking',
+    obligationId: 'eu-ai-act-OBL-016',
+    article: 'Art. 50(2)',
+    recommendation: 'Mark AI-generated content with appropriate labels or C2PA metadata',
+  },
+
+  // --- Logging (positive: presence = good) ---
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /logAiCall|aiLogger|compliance\.log|auditLog|audit[_-]?log|ai[_-]?audit/gi,
+    label: 'AI interaction logging',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+
+  // --- Data Governance (Art. 10) ---
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /data[_-]?validat(ion|e|or)|validateData|DataValidator|data[_-]?quality/gi,
+    label: 'Data validation / quality check',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /training[_-]?data[_-]?quality|data[_-]?lineage|DataLineage|data[_-]?provenance/gi,
+    label: 'Training data lineage / provenance',
+    obligationId: 'eu-ai-act-OBL-004',
+    article: 'Art. 10',
+    recommendation: 'Track training data provenance and lineage (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /consent[_-]?manag|userConsent|data[_-]?consent|gdpr[_-]?consent/gi,
+    label: 'Data consent management',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement consent management for personal data used in AI systems (Art. 10)',
+  },
+
+  // --- Record-Keeping (Art. 12) ---
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /audit[_-]?trail|AuditTrail|event[_-]?log[_-]?persist|persistAudit/gi,
+    label: 'Audit trail / persistent event logging',
+    obligationId: 'eu-ai-act-OBL-013',
+    article: 'Art. 12',
+    recommendation: 'Implement persistent audit trails for AI system decisions (Art. 12)',
+  },
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /compliance[_-]?record|ComplianceRecord|retention[_-]?policy|log[_-]?retention/gi,
+    label: 'Compliance record keeping',
+    obligationId: 'eu-ai-act-OBL-014',
+    article: 'Art. 12',
+    recommendation: 'Maintain compliance records with defined retention policy (Art. 12)',
+  },
+
+  // --- Accuracy & Robustness (Art. 15) ---
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /model[_-]?validat(ion|e|or)|ModelValidator|accuracy[_-]?metric|accuracy[_-]?test/gi,
+    label: 'Model validation / accuracy testing',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Implement model validation and accuracy metrics (Art. 15)',
+  },
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /robustness[_-]?test|adversarial[_-]?test|fuzz[_-]?test.*model|model[_-]?benchmark/gi,
+    label: 'Robustness / adversarial testing',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Conduct robustness and adversarial testing of AI models (Art. 15)',
+  },
+
+  // --- Cybersecurity (Art. 15(4)) ---
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /rate[_-]?limit|RateLimiter|throttle.*api|api[_-]?throttl/gi,
+    label: 'API rate limiting',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /input[_-]?sanitiz|sanitizeInput|prompt[_-]?sanitiz|injection[_-]?prevent/gi,
+    label: 'Input sanitization / injection prevention',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Sanitize inputs to prevent prompt injection attacks (Art. 15(4))',
+  },
+
+  // --- Deployer Monitoring (Art. 26) ---
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /model[_-]?monitor|ModelMonitor|drift[_-]?detect|performance[_-]?track/gi,
+    label: 'Model monitoring / drift detection',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /incident[_-]?report|IncidentReport|reportIncident|safety[_-]?report/gi,
+    label: 'Incident reporting mechanism',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement incident reporting for AI system malfunctions (Art. 26(5))',
+  },
+
+  // --- GPAI Transparency (Art. 53) ---
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /model[_-]?card|ModelCard|model[_-]?documentation|system[_-]?card/gi,
+    label: 'Model card / documentation',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Provide model card with capabilities, limitations, and intended use (Art. 53)',
+  },
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /training[_-]?data[_-]?summary|compute[_-]?report|TrainingReport/gi,
+    label: 'Training data summary / compute report',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Document training data summary and compute resources used (Art. 53)',
+  },
+
+  // --- Conformity Assessment (Art. 43) ---
+  {
+    category: 'conformity-assessment',
+    patternType: 'positive',
+    regex: /conformity[_-]?declar|ConformityDeclaration|ce[_-]?mark|CeMark/gi,
+    label: 'Conformity declaration / CE marking',
+    obligationId: 'eu-ai-act-OBL-020',
+    article: 'Art. 43',
+    recommendation: 'Prepare declaration of conformity for high-risk AI systems (Art. 43)',
+  },
+
+  // --- Security Risk (negative patterns) ---
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /eval\s*\(\s*.*user|eval\s*\(\s*.*req\.|eval\s*\(\s*.*input/gi,
+    label: 'Unsafe /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: eval() disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined with user input',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Remove /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: /* COMPLIOR: eval() disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined disabled — Art. 15 */ undefined calls with user input — code injection risk (Art. 15(4))',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /pickle\.load\s*\(|pickle\.loads\s*\(/g,
+    label: 'Unsafe pickle deserialization',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Replace pickle.load with safe alternatives (safetensors, json) — deserialization risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /torch\.load\s*\((?![^)]*(?:map_location|weights_only))[^)]*\)/g,
+    label: 'Unsafe torch.load without safety flags',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Use torch.load with map_location and weights_only=True for safe model loading',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /exec\s*\(\s*.*user|exec\s*\(\s*.*request|os\.system\s*\(\s*.*input/gi,
+    label: 'Command injection via user input',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Sanitize inputs before passing to exec/os.system — command injection risk',
+  },
+
+  // ====================================================================
+  // EXPANDED PATTERNS — 90+ new rules for comprehensive compliance scanning
+  // ====================================================================
+
+  // --- Bare LLM Calls (negative: presence = bad) — 8 more ---
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /fetch\s*\([^)]*\/v1\/chat/gi,
+    label: 'Generic HTTP call to OpenAI-compatible chat API',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /fetch\s*\([^)]*\/v1\/completions/gi,
+    label: 'Generic HTTP call to completions API',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /axios\s*\.\s*(get|post)\s*\([^)]*\/v1\/chat/gi,
+    label: 'Axios call to OpenAI-compatible chat API',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /generateText\s*\(/gi,
+    label: 'Vercel AI SDK bare generateText call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /streamText\s*\(/gi,
+    label: 'Vercel AI SDK bare streamText call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /client\.chat\s*\(/gi,
+    label: 'Generic LLM client chat call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /model\.generate\s*\(/gi,
+    label: 'Generic model generate call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /llm\.invoke\s*\(/gi,
+    label: 'LangChain LLM invoke call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /replicate\.run\s*\(/gi,
+    label: 'Replicate bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /together\.chat\.completions\.create\s*\(/gi,
+    label: 'Together AI bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /groq\.chat\.completions\.create\s*\(/gi,
+    label: 'Groq bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /bedrock.*invokeModel\s*\(|bedrockRuntime/gi,
+    label: 'AWS Bedrock bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /vertexai.*predict\s*\(|aiplatform.*predict\s*\(/gi,
+    label: 'Google Vertex AI bare predict call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /huggingface.*inference|hf\.textGeneration\s*\(/gi,
+    label: 'HuggingFace Inference API bare call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+  {
+    category: 'bare-llm',
+    patternType: 'negative',
+    regex: /ollama\.(chat|generate)\s*\(/gi,
+    label: 'Ollama bare API call',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Wrap LLM calls with complior.wrap() or add AI disclosure',
+  },
+
+  // --- Disclosure (positive: presence = good) — 5 more ---
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /["']powered by["']/gi,
+    label: 'Powered by AI text',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /["']generated by["']/gi,
+    label: 'Generated by AI text',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /transparency.*notice|notice.*transparency/gi,
+    label: 'Transparency notice',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /["']AI-["']|["']artificial intelligence["']/gi,
+    label: 'AI identification text',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /disclaimer.*ai|ai.*disclaimer/gi,
+    label: 'AI disclaimer',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /ai[_-]?notice|notice[_-]?ai|showAiNotice/gi,
+    label: 'AI notice component',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+  {
+    category: 'disclosure',
+    patternType: 'positive',
+    regex: /interacting.*with.*ai|ai.*interaction.*notice/gi,
+    label: 'AI interaction disclosure',
+    obligationId: 'eu-ai-act-OBL-015',
+    article: 'Art. 50(1)',
+    recommendation: 'Add AI disclosure notice to user-facing interfaces',
+  },
+
+  // --- Human Oversight (positive: presence = good) — 6 more ---
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /approve|approval/gi,
+    label: 'Approval mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /review.*queue|queue.*review/gi,
+    label: 'Review queue',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /escalat(e|ion)/gi,
+    label: 'Escalation mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /human.*loop|human.*in.*loop/gi,
+    label: 'Human-in-the-loop mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /manual.*override/gi,
+    label: 'Manual override mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /confirm.*action|action.*confirm/gi,
+    label: 'Action confirmation mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /supervisor.*review|review.*supervisor/gi,
+    label: 'Supervisor review process',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+  {
+    category: 'human-oversight',
+    patternType: 'positive',
+    regex: /override[_-]?decision|decision[_-]?override/gi,
+    label: 'Decision override capability',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Implement human oversight for AI decisions (Art. 14)',
+  },
+
+  // --- Kill Switch (positive: presence = good) — 5 more ---
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /emergency.*stop|stop.*emergency/gi,
+    label: 'Emergency stop mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /circuit.*break|breaker/gi,
+    label: 'Circuit breaker pattern',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /shutdown.*graceful|graceful.*shutdown/gi,
+    label: 'Graceful shutdown mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /process\.exit|server\.close/gi,
+    label: 'Process termination capability',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /feature.*toggle|toggle.*feature/gi,
+    label: 'Feature toggle mechanism',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+  {
+    category: 'kill-switch',
+    patternType: 'positive',
+    regex: /abort[_-]?controller|AbortController/gi,
+    label: 'AbortController for cancellation',
+    obligationId: 'eu-ai-act-OBL-010',
+    article: 'Art. 14',
+    recommendation: 'Add an AI kill switch or feature flag to disable AI functionality',
+  },
+
+  // --- Content Marking (positive: presence = good) — 3 more ---
+  {
+    category: 'content-marking',
+    patternType: 'positive',
+    regex: /watermark|watermarking/gi,
+    label: 'Content watermarking',
+    obligationId: 'eu-ai-act-OBL-016',
+    article: 'Art. 50(2)',
+    recommendation: 'Mark AI-generated content with appropriate labels or C2PA metadata',
+  },
+  {
+    category: 'content-marking',
+    patternType: 'positive',
+    regex: /metadata.*ai|ai.*metadata/gi,
+    label: 'AI metadata tagging',
+    obligationId: 'eu-ai-act-OBL-016',
+    article: 'Art. 50(2)',
+    recommendation: 'Mark AI-generated content with appropriate labels or C2PA metadata',
+  },
+  {
+    category: 'content-marking',
+    patternType: 'positive',
+    regex: /provenance.*tag|tag.*provenance|content[_-]?provenance/gi,
+    label: 'Content provenance tagging',
+    obligationId: 'eu-ai-act-OBL-016',
+    article: 'Art. 50(2)',
+    recommendation: 'Mark AI-generated content with appropriate labels or C2PA metadata',
+  },
+  {
+    category: 'content-marking',
+    patternType: 'positive',
+    regex: /synthetic[_-]?media|deepfake[_-]?detect|ai[_-]?label/gi,
+    label: 'Synthetic media labeling',
+    obligationId: 'eu-ai-act-OBL-016',
+    article: 'Art. 50(2)',
+    recommendation: 'Mark AI-generated content with appropriate labels or C2PA metadata',
+  },
+
+  // --- Logging (positive: presence = good) — 6 more ---
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /winston|pino|bunyan|morgan/gi,
+    label: 'Logging framework usage',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /structuredLog|structured.*log/gi,
+    label: 'Structured logging',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /console\.log.*model|console\.log.*ai/gi,
+    label: 'Model-specific logging',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /fs\.(append|write)File.*log/gi,
+    label: 'File-based logging',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /telemetry|opentelemetry|otel/gi,
+    label: 'Telemetry / observability instrumentation',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /event.*emit.*ai|emit.*event.*model/gi,
+    label: 'AI event emission',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+  {
+    category: 'logging',
+    patternType: 'positive',
+    regex: /tracing|trace[_-]?id|correlation[_-]?id/gi,
+    label: 'Request tracing / correlation',
+    obligationId: 'eu-ai-act-OBL-006',
+    article: 'Art. 12',
+    recommendation: 'Add structured logging for AI interactions (Art. 12)',
+  },
+
+  // --- Data Governance (Art. 10) — 5 more ---
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /anonymize|anonymization|pseudonymize/gi,
+    label: 'Data anonymization / pseudonymization',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /data.*retention|retention.*policy/gi,
+    label: 'Data retention policy',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /gdpr|data.*protection/gi,
+    label: 'GDPR / data protection compliance',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /encrypt.*data|data.*encrypt/gi,
+    label: 'Data encryption',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /access.*control.*data|data.*access.*control/gi,
+    label: 'Data access control',
+    obligationId: 'eu-ai-act-OBL-003',
+    article: 'Art. 10',
+    recommendation: 'Implement data validation and quality checks for training data (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /bias[_-]?detect|bias[_-]?audit|fairness[_-]?check/gi,
+    label: 'Bias detection / fairness audit',
+    obligationId: 'eu-ai-act-OBL-004',
+    article: 'Art. 10',
+    recommendation: 'Track training data provenance and lineage (Art. 10)',
+  },
+  {
+    category: 'data-governance',
+    patternType: 'positive',
+    regex: /data[_-]?catalog|dataset[_-]?registry|data[_-]?inventory/gi,
+    label: 'Data catalog / inventory',
+    obligationId: 'eu-ai-act-OBL-004',
+    article: 'Art. 10',
+    recommendation: 'Track training data provenance and lineage (Art. 10)',
+  },
+
+  // --- Record-Keeping (Art. 12) — 3 more ---
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /version.*control.*model|model.*version/gi,
+    label: 'Model version control',
+    obligationId: 'eu-ai-act-OBL-013',
+    article: 'Art. 12',
+    recommendation: 'Implement persistent audit trails for AI system decisions (Art. 12)',
+  },
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /changelog.*ai|ai.*changelog/gi,
+    label: 'AI changelog',
+    obligationId: 'eu-ai-act-OBL-013',
+    article: 'Art. 12',
+    recommendation: 'Implement persistent audit trails for AI system decisions (Art. 12)',
+  },
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /timestamp.*decision|decision.*log/gi,
+    label: 'Decision timestamp logging',
+    obligationId: 'eu-ai-act-OBL-013',
+    article: 'Art. 12',
+    recommendation: 'Implement persistent audit trails for AI system decisions (Art. 12)',
+  },
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /immutable[_-]?log|append[_-]?only.*log|write[_-]?once/gi,
+    label: 'Immutable / append-only logging',
+    obligationId: 'eu-ai-act-OBL-014',
+    article: 'Art. 12',
+    recommendation: 'Maintain compliance records with defined retention policy (Art. 12)',
+  },
+  {
+    category: 'record-keeping',
+    patternType: 'positive',
+    regex: /event[_-]?sourcing|event[_-]?store/gi,
+    label: 'Event sourcing pattern',
+    obligationId: 'eu-ai-act-OBL-014',
+    article: 'Art. 12',
+    recommendation: 'Maintain compliance records with defined retention policy (Art. 12)',
+  },
+
+  // --- Accuracy & Robustness (Art. 15) — 4 more ---
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /cross[_-]?validat(ion|e)|k[_-]?fold/gi,
+    label: 'Cross-validation testing',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Implement model validation and accuracy metrics (Art. 15)',
+  },
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /confusion[_-]?matrix|precision[_-]?recall|f1[_-]?score/gi,
+    label: 'Model accuracy metrics',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Implement model validation and accuracy metrics (Art. 15)',
+  },
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /regression[_-]?test.*model|model.*regression[_-]?test/gi,
+    label: 'Model regression testing',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Implement model validation and accuracy metrics (Art. 15)',
+  },
+  {
+    category: 'accuracy-robustness',
+    patternType: 'positive',
+    regex: /canary[_-]?deploy|blue[_-]?green|rollback.*model/gi,
+    label: 'Safe model deployment strategy',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15',
+    recommendation: 'Conduct robustness and adversarial testing of AI models (Art. 15)',
+  },
+
+  // --- Cybersecurity (Art. 15(4)) — 5 more ---
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /helmet|cors|csrf/gi,
+    label: 'Web security middleware',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /jwt.*verif|token.*verif|auth.*middleware/gi,
+    label: 'Authentication / token verification',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /encrypt|AES|RSA|SHA/g,
+    label: 'Encryption algorithm usage',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /firewall|waf|ip.*whitelist|ip.*allowlist/gi,
+    label: 'Network security / firewall',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /vulnerability.*scan|security.*scan|pentest/gi,
+    label: 'Security / vulnerability scanning',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Sanitize inputs to prevent prompt injection attacks (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /content[_-]?security[_-]?policy|csp|x-frame-options/gi,
+    label: 'Content security policy',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+  {
+    category: 'cybersecurity',
+    patternType: 'positive',
+    regex: /api[_-]?key.*rotate|secret.*rotation|key[_-]?management/gi,
+    label: 'API key rotation / secret management',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Implement rate limiting for AI API endpoints (Art. 15(4))',
+  },
+
+  // --- Deployer Monitoring (Art. 26) — 4 more ---
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /prometheus|grafana|datadog|newrelic/gi,
+    label: 'Monitoring platform integration',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /health.*check|readiness.*probe|liveness/gi,
+    label: 'Health check / readiness probe',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /alert.*rule|alerting|pagerduty|opsgenie/gi,
+    label: 'Alerting / incident notification',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement incident reporting for AI system malfunctions (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /slo|sli|error.*budget/gi,
+    label: 'SLO / SLI / error budget monitoring',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /dashboard.*metric|metric.*dashboard|observability/gi,
+    label: 'Metrics dashboard / observability',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+  {
+    category: 'deployer-monitoring',
+    patternType: 'positive',
+    regex: /anomaly[_-]?detect|outlier[_-]?detect/gi,
+    label: 'Anomaly / outlier detection',
+    obligationId: 'eu-ai-act-OBL-011',
+    article: 'Art. 26(5)',
+    recommendation: 'Implement model monitoring and drift detection (Art. 26(5))',
+  },
+
+  // --- GPAI Transparency (Art. 53) — 4 more ---
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /intended[_-]?use|use[_-]?case.*document/gi,
+    label: 'Intended use documentation',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Provide model card with capabilities, limitations, and intended use (Art. 53)',
+  },
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /limitation(s)?[_-]?doc|known[_-]?limitation/gi,
+    label: 'Known limitations documentation',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Provide model card with capabilities, limitations, and intended use (Art. 53)',
+  },
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /eval.*benchmark|benchmark.*result|model.*eval/gi,
+    label: 'Model evaluation benchmarks',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Document training data summary and compute resources used (Art. 53)',
+  },
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /copyright[_-]?policy|training[_-]?data[_-]?source|data[_-]?license/gi,
+    label: 'Training data copyright / licensing',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Document training data summary and compute resources used (Art. 53)',
+  },
+  {
+    category: 'gpai-transparency',
+    patternType: 'positive',
+    regex: /energy[_-]?consumption|carbon[_-]?footprint|compute[_-]?cost/gi,
+    label: 'Energy / compute cost reporting',
+    obligationId: 'eu-ai-act-OBL-022',
+    article: 'Art. 53',
+    recommendation: 'Document training data summary and compute resources used (Art. 53)',
+  },
+
+  // --- Conformity Assessment (Art. 43) — 3 more ---
+  {
+    category: 'conformity-assessment',
+    patternType: 'positive',
+    regex: /risk[_-]?assessment|risk[_-]?management[_-]?system/gi,
+    label: 'Risk assessment / risk management system',
+    obligationId: 'eu-ai-act-OBL-020',
+    article: 'Art. 43',
+    recommendation: 'Prepare declaration of conformity for high-risk AI systems (Art. 43)',
+  },
+  {
+    category: 'conformity-assessment',
+    patternType: 'positive',
+    regex: /quality[_-]?management|qms|iso[_-]?27001|iso[_-]?42001/gi,
+    label: 'Quality management system / ISO standards',
+    obligationId: 'eu-ai-act-OBL-020',
+    article: 'Art. 43',
+    recommendation: 'Prepare declaration of conformity for high-risk AI systems (Art. 43)',
+  },
+  {
+    category: 'conformity-assessment',
+    patternType: 'positive',
+    regex: /technical[_-]?documentation|tech[_-]?doc|system[_-]?specification/gi,
+    label: 'Technical documentation / system specification',
+    obligationId: 'eu-ai-act-OBL-020',
+    article: 'Art. 43',
+    recommendation: 'Prepare declaration of conformity for high-risk AI systems (Art. 43)',
+  },
+
+  // --- Security Risk (negative patterns) — 6 more ---
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /(?:OPENAI_API_KEY|ANTHROPIC_API_KEY)\s*[:=]\s*["'][a-zA-Z0-9]|api[_-]?key\s*[:=]\s*["'][a-zA-Z0-9]/gi,
+    label: 'Hardcoded API key in source code',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Move API keys to environment variables or secret management — credential exposure risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /password\s*=\s*["'][^"']+["']|secret\s*=\s*["'][^"']+["']/gi,
+    label: 'Hardcoded password / secret in source code',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Move secrets to environment variables or a vault — credential exposure risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /allow[_-]?any[_-]?origin|cors.*\*|Access-Control-Allow-Origin.*\*/gi,
+    label: 'Overly permissive CORS configuration',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Restrict CORS to specific trusted origins — cross-origin risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /disable.*ssl|verify\s*=\s*false|rejectUnauthorized.*false/gi,
+    label: process.env.LABEL ?? '',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Enable SSL/TLS verification for all connections — man-in-the-middle risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /innerHTML\s*=\s*.*user|\.html\s*\(\s*.*req\./gi,
+    label: 'XSS via user input in innerHTML',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Sanitize user input before inserting into DOM — XSS risk',
+  },
+  {
+    category: 'security-risk',
+    patternType: 'negative',
+    regex: /sql.*\+.*req\.|query.*\$\{.*input|\.raw\s*\(\s*.*user/gi,
+    label: 'Potential SQL injection',
+    obligationId: 'eu-ai-act-OBL-008',
+    article: 'Art. 15(4)',
+    recommendation: 'Use parameterized queries instead of string concatenation — SQL injection risk',
+  },
+];
+