@jigyasudham/veto 0.8.2 → 1.0.0

package/src/council/decision-engine.ts

@@ -1,171 +0,0 @@
-// Decision Engine — collects all votes, calculates final verdict
-import type { AgentVote, CouncilVerdict, DebateResult } from './types.js';
-
-type Votes = DebateResult['votes'];
-
-export function decide(votes: Votes): {
-  final_verdict: CouncilVerdict;
-  block_reasons: string[];
-  warnings: string[];
-  recommended: string;
-} {
-  const entries: Array<[string, AgentVote]> = [
-    ['Lead Developer', votes.lead_dev],
-    ['Product Manager', votes.pm],
-    ['System Architect', votes.architect],
-    ['UX Designer', votes.ux],
-    ["Devil's Advocate", votes.devil],
-    ['Legal & Compliance', votes.legal],
-    ['Security', votes.security],
-  ];
-
-  // Expert agents — their block is always RED regardless of other votes
-  const CRITICAL = new Set(['Lead Developer', 'System Architect', 'Legal & Compliance', 'Security']);
-
-  const blockers = entries.filter(([, v]) => v.verdict === 'block');
-  const warners = entries.filter(([, v]) => v.verdict === 'warn');
-  const approvers = entries.filter(([, v]) => v.verdict === 'approve');
-
-  const criticalBlockers = blockers.filter(([name]) => CRITICAL.has(name));
-  const secondaryBlockers = blockers.filter(([name]) => !CRITICAL.has(name));
-  const criticalApprovers = approvers.filter(([name]) => CRITICAL.has(name));
-
-  const block_reasons = blockers.map(([, v]) => v.reason);
-  const warnings: string[] = [
-    ...blockers.flatMap(([, v]) => v.concerns),
-    ...warners.map(([, v]) => v.reason),
-    ...warners.flatMap(([, v]) => v.concerns),
-  ].filter((w): w is string => typeof w === 'string' && w.length > 0);
-
-  let final_verdict: CouncilVerdict;
-
-  if (criticalBlockers.length >= 1) {
-    // Any expert domain agent blocks → RED, no debate
-    final_verdict = 'RED';
-  } else if (secondaryBlockers.length >= 2 && criticalApprovers.length >= 2) {
-    // Business/UX objections vs technical approval — genuine split
-    final_verdict = 'DEADLOCK';
-  } else if (secondaryBlockers.length >= 1 || warners.length >= 1) {
-    // At least one concern but no hard expert block
-    final_verdict = 'YELLOW';
-  } else {
-    final_verdict = 'GREEN';
-  }
-
-  const recommendations = [
-    ...blockers.map(([, v]) => v.recommendation).filter(Boolean),
-    ...warners.map(([, v]) => v.recommendation).filter(Boolean),
-  ] as string[];
-
-  const recommended = recommendations.length > 0
-    ? recommendations[0]
-    : 'Proceed with standard implementation best practices.';
-
-  return { final_verdict, block_reasons, warnings, recommended };
-}
-
-export function formatDebate(
-  task: string,
-  votes: Votes,
-  verdict: CouncilVerdict,
-  block_reasons: string[],
-  warnings: string[],
-  recommended: string,
-): string {
-  const AGENT_ICONS: Record<keyof Votes, string> = {
-    lead_dev: '🔵',
-    pm: '🟢',
-    architect: '🏛️ ',
-    ux: '🎨',
-    devil: '😈',
-    legal: '⚖️ ',
-    security: '🔒',
-  };
-
-  const AGENT_LABELS: Record<keyof Votes, string> = {
-    lead_dev: 'Lead Dev:  ',
-    pm: 'PM:        ',
-    architect: 'Architect: ',
-    ux: 'UX:        ',
-    devil: 'Devil:     ',
-    legal: 'Legal:     ',
-    security: 'Security:  ',
-  };
-
-  const VERDICT_BADGE: Record<string, string> = {
-    block: '[BLOCKING]',
-    warn: '[WARN]',
-    approve: '[APPROVE]',
-  };
-
-  const VERDICT_LINE: Record<CouncilVerdict, string> = {
-    GREEN: '✅ VERDICT: GREEN — All clear. Proceed.',
-    YELLOW: '⚠️  VERDICT: YELLOW — Proceed with caution.',
-    RED: '🚫 VERDICT: RED — BLOCKED.',
-    DEADLOCK: '⚖️  VERDICT: DEADLOCK — Council is split. You decide.',
-  };
-
-  const divider = '─'.repeat(54);
-  const lines: string[] = [
-    '',
-    '⚠️  VETO COUNCIL INITIATED',
-    divider,
-    '',
-  ];
-
-  const keys: Array<keyof Votes> = ['lead_dev', 'pm', 'architect', 'ux', 'devil', 'legal', 'security'];
-
-  for (const key of keys) {
-    const vote = votes[key];
-    const icon = AGENT_ICONS[key];
-    const label = AGENT_LABELS[key];
-    const badge = VERDICT_BADGE[vote.verdict];
-    const prefix = `${icon} ${label}`;
-    const indent = '             ';
-
-    const shortReason = vote.reason.length > 46 ? vote.reason.slice(0, 43) + '...' : vote.reason;
-    lines.push(`${prefix}${shortReason} ${badge}`);
-
-    for (const concern of vote.concerns.slice(0, 2)) {
-      const short = concern.length > 46 ? concern.slice(0, 43) + '...' : concern;
-      lines.push(`${indent}↳ ${short}`);
-    }
-  }
-
-  lines.push('');
-  lines.push(divider);
-  lines.push(VERDICT_LINE[verdict]);
-  lines.push('');
-
-  if (block_reasons.length > 0) {
-    lines.push('🚫 Blocked because:');
-    for (const r of block_reasons) {
-      lines.push(`   • ${r}`);
-    }
-    lines.push('');
-  }
-
-  if (warnings.length > 0) {
-    const shown = warnings.slice(0, 4);
-    const extra = warnings.length - shown.length;
-    lines.push(`⚠️  Warning${warnings.length > 1 ? 's' : ''}:`);
-    for (const w of shown) {
-      lines.push(`   • ${w}`);
-    }
-    if (extra > 0) lines.push(`   • ...and ${extra} more`);
-    lines.push('');
-  }
-
-  lines.push(`✅ Recommended: ${recommended}`);
-
-  if (verdict === 'RED') {
-    lines.push('');
-    lines.push('Override with: proceed anyway [not recommended]');
-  } else if (verdict === 'DEADLOCK') {
-    lines.push('');
-    lines.push('Council is split. Your call: [proceed / abort]');
-  }
-
-  lines.push('');
-  return lines.join('\n');
-}

package/src/council/devil-advocate.ts

@@ -1,116 +0,0 @@
-// Devil's Advocate — probes every failure mode, always challenges
-import type { AgentVote } from './types.js';
-
-// Devil always warns — never alone blocks, never approves non-trivial tasks
-const PROBES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /auth|login|password|session|jwt|oauth/i,
-    concern: "What happens when auth fails at 2AM? Lockout policy? Account recovery flow?",
-    recommendation: 'Rate-limit auth endpoints. Lock after N failures. Build recovery email flow.',
-  },
-  {
-    pattern: /payment|charge|billing|stripe|invoice|subscription/i,
-    concern: "Idempotency keys? Double-charge prevention? What happens when payment webhook retries?",
-    recommendation: 'Idempotency keys on all payment mutations. Handle webhook duplicates explicitly.',
-  },
-  {
-    pattern: /deploy|release|rollout|push.{0,15}(prod|main|master)/i,
-    concern: "Rollback procedure if this deploy breaks production? How fast can you revert?",
-    recommendation: 'Document rollback runbook before deploying. Consider feature flag as kill switch.',
-  },
-  {
-    pattern: /migrat|schema.?change|alter.?table|add.{0,10}column/i,
-    concern: "Tested down-migration exists? What if this runs mid-traffic on prod?",
-    recommendation: 'Test down-migration on a copy. Use zero-downtime migration patterns (expand/contract).',
-  },
-  {
-    pattern: /\bcache\b|\bredis\b/i,
-    concern: "Cache stampede on cold start? Cache poisoning from bad writes? Invalidation race?",
-    recommendation: 'Probabilistic early expiry prevents stampede. Lock on cache miss for hot keys.',
-  },
-  {
-    pattern: /email|notification|sms|push.?notif/i,
-    concern: "Delivery failure handled? Retry queue? Duplicate notification prevention?",
-    recommendation: 'Add retry queue with exponential backoff. Idempotency key per notification.',
-  },
-  {
-    pattern: /webhook|callback.?url/i,
-    concern: "Webhook replay attacks? Signature verification? What if your handler is slow?",
-    recommendation: 'Verify webhook signatures. Respond 200 immediately, process async.',
-  },
-  {
-    pattern: /\bapi\b|endpoint|http.?client|fetch|axios/i,
-    concern: "External API goes down? Timeout set? Circuit breaker? Fallback behavior?",
-    recommendation: 'Set explicit timeout (3-5s). Circuit breaker for critical external deps.',
-  },
-  {
-    pattern: /file|upload|s3|blob|storage|bucket/i,
-    concern: "Partial upload failure? Storage quota? File type validation before processing?",
-    recommendation: 'Handle partial failures. Alert at 80% storage. Validate file type + scan for malware.',
-  },
-  {
-    pattern: /cron|schedule|job|queue|worker/i,
-    concern: "Job fails silently? Duplicate concurrent runs? Stuck job detection?",
-    recommendation: 'Log all job outcomes. Prevent concurrent runs with distributed lock. Set max duration.',
-  },
-  {
-    pattern: /third.?party|external.{0,15}service|vendor|sdk/i,
-    concern: "Vendor going down? SDK breaking changes? Data you do not control changing format?",
-    recommendation: 'Wrap in adapter layer. Monitor third-party SLA separately. Pin SDK version.',
-  },
-  {
-    pattern: /delete|remove|drop|destroy|purge/i,
-    concern: "Is this reversible? Backup before? What if it runs against wrong environment?",
-    recommendation: 'Soft-delete first (add deleted_at). Hard-delete only after confirmed safe.',
-  },
-  {
-    pattern: /rate.?limit|throttle/i,
-    concern: "What happens when the rate limit is hit? User notified clearly? Retry-After header?",
-    recommendation: 'Return 429 with Retry-After. Show clear user message. Log for monitoring.',
-  },
-  {
-    pattern: /concurren|parallel|race.?condition|mutex|lock/i,
-    concern: "Race condition under concurrent requests? Lock contention under load?",
-    recommendation: 'Test with concurrent load. Use optimistic locking or distributed mutex.',
-  },
-  {
-    pattern: /secret|key|token|credential|api.?key/i,
-    concern: "Rotation strategy? What if this key leaks? Who has access and is it logged?",
-    recommendation: 'Rotate keys on schedule. Audit access logs. Use short-lived tokens where possible.',
-  },
-];
-
-const GENERIC: { concern: string; recommendation: string } = {
-  concern: "What is the failure mode here? What breaks at 2AM on a Sunday with no one watching?",
-  recommendation: 'Add monitoring, alerting, and a runbook for when this breaks.',
-};
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format code|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no failure modes to probe.', concerns: [] };
-  }
-
-  const matched: Array<{ concern: string; recommendation: string }> = [];
-
-  for (const probe of PROBES) {
-    if (probe.pattern.test(task)) {
-      matched.push({ concern: probe.concern, recommendation: probe.recommendation });
-    }
-  }
-
-  // Devil always raises at least one concern for non-trivial tasks
-  if (matched.length === 0) {
-    matched.push(GENERIC);
-  }
-
-  const top = matched.slice(0, 3); // cap at 3 concerns to avoid flooding
-
-  return {
-    verdict: 'warn',
-    reason: top[0].concern,
-    concerns: top.slice(1).map(m => m.concern),
-    recommendation: top.map(m => m.recommendation).join(' | '),
-  };
-}

package/src/council/index.ts

@@ -1,44 +0,0 @@
-// Council orchestrator — runs all 7 agents in parallel, returns debate result
-import { analyze as leadDevAnalyze } from './lead-developer.js';
-import { analyze as pmAnalyze } from './product-manager.js';
-import { analyze as architectAnalyze } from './system-architect.js';
-import { analyze as uxAnalyze } from './ux-designer.js';
-import { analyze as devilAnalyze } from './devil-advocate.js';
-import { analyze as legalAnalyze } from './legal-compliance.js';
-import { analyze as securityAnalyze } from './security.js';
-import { decide, formatDebate } from './decision-engine.js';
-
-export type { AgentVote, AgentVerdict, CouncilVerdict, DebateInput, DebateResult } from './types.js';
-
-import type { DebateInput, DebateResult } from './types.js';
-
-export async function runDebate(input: DebateInput): Promise<DebateResult> {
-  const fullText = input.context ? `${input.task}\n${input.context}` : input.task;
-
-  // All 7 agents run in parallel — none depend on each other
-  const [lead_dev, pm, architect, ux, devil, legal, security] = await Promise.all([
-    Promise.resolve(leadDevAnalyze(fullText)),
-    Promise.resolve(pmAnalyze(fullText)),
-    Promise.resolve(architectAnalyze(fullText)),
-    Promise.resolve(uxAnalyze(fullText)),
-    Promise.resolve(devilAnalyze(fullText)),
-    Promise.resolve(legalAnalyze(fullText)),
-    Promise.resolve(securityAnalyze(fullText)),
-  ]);
-
-  const votes = { lead_dev, pm, architect, ux, devil, legal, security };
-  const { final_verdict, block_reasons, warnings, recommended } = decide(votes);
-  const debated_at = new Date().toISOString();
-  const formatted_output = formatDebate(input.task, votes, final_verdict, block_reasons, warnings, recommended);
-
-  return {
-    task: input.task,
-    final_verdict,
-    votes,
-    recommended,
-    block_reasons,
-    warnings,
-    debated_at,
-    formatted_output,
-  };
-}

package/src/council/lead-developer.ts

@@ -1,118 +0,0 @@
-// Lead Developer — code quality, security, no shortcuts
-import type { AgentVote } from './types.js';
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /\bmd5\b/i,
-    reason: 'MD5 is cryptographically broken since 2008. Rainbow tables crack it instantly.',
-    recommendation: 'Use bcrypt (cost 12) for passwords. Use SHA-256 for checksums only.',
-  },
-  {
-    pattern: /\bsha-?1\b/i,
-    reason: 'SHA-1 collision attacks are practical since 2017. Deprecated for all security use.',
-    recommendation: 'Use SHA-256 or SHA-3. For passwords use bcrypt/argon2.',
-  },
-  {
-    pattern: /\b(des|3des|triple.?des)\b/i,
-    reason: 'DES/3DES is broken. Brute-forceable in hours.',
-    recommendation: 'Use AES-256-GCM for symmetric encryption.',
-  },
-  {
-    pattern: /\brc4\b/i,
-    reason: 'RC4 is broken — biased keystream, practical attacks exist.',
-    recommendation: 'Use ChaCha20-Poly1305 or AES-256-GCM.',
-  },
-  {
-    pattern: /\beval\s*\(/i,
-    reason: 'eval() enables arbitrary code execution from user input.',
-    recommendation: 'Remove eval(). Use JSON.parse() for data, redesign for logic.',
-  },
-  {
-    pattern: /\bnew\s+Function\s*\(/i,
-    reason: 'new Function() is eval() in disguise. Same arbitrary execution risk.',
-    recommendation: 'Never construct functions from strings. Redesign the logic.',
-  },
-  {
-    pattern: /hardcod.{0,20}(password|secret|key|token|credential)/i,
-    reason: 'Hardcoded credentials ship to version control and get leaked.',
-    recommendation: 'Move to environment variables. Use dotenv locally, vault in prod.',
-  },
-  {
-    pattern: /(password|secret|api.?key|token).{0,20}hardcod/i,
-    reason: 'Hardcoded credentials in source is a critical vulnerability.',
-    recommendation: 'Use process.env.VAR_NAME. Never commit secrets.',
-  },
-  {
-    pattern: /disable.{0,15}(ssl|tls|cert(?:ificate)?(?:.?verif)?)/i,
-    reason: 'Disabling SSL/TLS validation exposes all traffic to MITM attacks.',
-    recommendation: 'Fix the certificate properly. Never disable validation in production.',
-  },
-  {
-    pattern: /cors.{0,15}['"]\s*\*\s*['"]/i,
-    reason: 'CORS wildcard (*) allows any origin to read API responses.',
-    recommendation: 'Specify exact allowed origins: ["https://yourdomain.com"].',
-  },
-  {
-    pattern: /innerHTML\s*=\s*.*(req\b|input\b|param|user|body)/i,
-    reason: 'Setting innerHTML from user data enables stored XSS attacks.',
-    recommendation: 'Use textContent for text. Sanitize with DOMPurify if HTML is needed.',
-  },
-  {
-    pattern: /no.{0,10}input.{0,10}(valid|sanitiz)/i,
-    reason: 'Explicitly skipping input validation is the root cause of most injections.',
-    recommendation: 'Validate all external input at the boundary with zod/joi schemas.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string }> = [
-  { pattern: /\bjquery\b/i, concern: 'jQuery in 2025 adds 30KB for what native DOM provides for free.' },
-  { pattern: /\bvar\s+[a-zA-Z_$]/i, concern: 'var has function-scope hoisting. Use const (default) or let.' },
-  { pattern: /catch\s*\([^)]*\)\s*\{\s*(\/\/[^\n]*)?\s*\}/i, concern: 'Empty catch silently swallows errors.' },
-  { pattern: /console\.(log|debug)\b/i, concern: 'console.log in production leaks internal state. Use structured logging.' },
-  { pattern: /\/\/\s*(todo|fixme|hack|xxx)\b/i, concern: 'Unresolved TODO/FIXME — resolve before shipping.' },
-  { pattern: /:\s*any\b/i, concern: 'TypeScript any disables type safety. Use unknown or a proper type.' },
-  { pattern: /\b(xdescribe|xit|xtest|\.skip)\b/i, concern: 'Skipped tests hide regressions. Fix or delete them.' },
-  { pattern: /Math\.random\(\)/i, concern: 'Math.random() is not cryptographically secure. Use crypto.randomBytes().' },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format code|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no security or quality concerns.', concerns: [] };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: [...blocks.slice(1).map(b => b.reason), ...concerns],
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} code quality issue${concerns.length > 1 ? 's' : ''} detected.`,
-      concerns,
-      recommendation: 'Address quality concerns before shipping to production.',
-    };
-  }
-
-  return { verdict: 'approve', reason: 'No security or quality violations detected.', concerns: [] };
-}

package/src/council/legal-compliance.ts

@@ -1,152 +0,0 @@
-// Legal & Compliance — licenses, data privacy, GDPR, ToS, IP, regulatory
-import type { AgentVote } from './types.js';
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /\b(gpl|gnu.?general.?public.?license)\b/i,
-    reason: 'GPL code in a non-GPL project creates license contamination — entire project must become GPL.',
-    recommendation: 'Audit all dependencies with license-checker. Replace GPL deps with MIT/Apache/BSD alternatives.',
-  },
-  {
-    pattern: /\bagpl\b/i,
-    reason: 'AGPL requires open-sourcing any server code users interact with over a network.',
-    recommendation: 'Either make your code AGPL, obtain a commercial license, or replace the AGPL dependency.',
-  },
-  {
-    pattern: /collect.{0,40}(personal|pii|email|phone|address).{0,40}no.{0,20}consent/i,
-    reason: 'Collecting personal data without consent violates GDPR Article 6 and CCPA — fines up to 4% global revenue.',
-    recommendation: 'Add explicit consent collection before gathering PII. Document legal basis (contract, consent, legitimate interest).',
-  },
-  {
-    pattern: /\b(hipaa|phi|protected.?health|health.?record)\b/i,
-    reason: 'Health data (PHI) requires HIPAA-compliant infrastructure, signed BAAs, and mandatory audit logging.',
-    recommendation: 'Use a HIPAA-compliant cloud provider. Sign Business Associate Agreements. Encrypt PHI at rest and in transit.',
-  },
-  {
-    pattern: /collect.{0,30}(children|child|minor|under.{0,5}1[23])/i,
-    reason: 'Collecting data from under-13s without verifiable parental consent violates COPPA (US) and GDPR.',
-    recommendation: 'Add age gate. Obtain verifiable parental consent. Consult legal counsel before proceeding.',
-  },
-  {
-    pattern: /store.{0,30}(credit.?card|card.?number|\bpan\b|\bcvv\b|\bcvc\b)/i,
-    reason: 'Storing raw card data requires PCI-DSS Level 1 compliance — years of audits and millions in infrastructure.',
-    recommendation: "Never store raw card data. Use Stripe/Braintree tokenization. Your PCI scope drops to SAQ-A.",
-  },
-  {
-    pattern: /scrape.{0,30}(facebook|twitter|linkedin|instagram|google|youtube|amazon)/i,
-    reason: 'Scraping major platforms violates their ToS and has led to multi-million dollar lawsuits (hiQ v. LinkedIn).',
-    recommendation: 'Use official APIs only. Review ToS data-use clauses. Seek legal opinion if data has commercial value.',
-  },
-  {
-    pattern: /train.{0,40}(model|ai|ml|llm).{0,40}(user.?data|customer.?data|without.{0,15}consent)/i,
-    reason: 'Training AI/ML on user data without consent violates GDPR and the ToS of most data platforms.',
-    recommendation: 'Obtain explicit opt-in consent for ML training use. Provide opt-out. Document data flows in privacy policy.',
-  },
-  {
-    pattern: /\b(biometric|facial.?recogni|fingerprint).{0,30}(store|collect|process)\b/i,
-    reason: 'Biometric data has strict consent laws: BIPA (Illinois), GDPR Article 9, TX/WA state laws.',
-    recommendation: 'Obtain explicit written consent. Check state/country-specific laws. Consider if biometrics are necessary at all.',
-  },
-  {
-    pattern: /\bccpa\b.{0,30}(ignore|skip|bypass|not.{0,10}(apply|need))/i,
-    reason: 'CCPA applies to any business serving California residents above certain thresholds — not opt-in.',
-    recommendation: 'Add "Do Not Sell My Personal Information" link. Honor opt-out requests within 15 days.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /no.{0,25}privacy.?policy/i,
-    concern: 'Collecting any user data without a privacy policy violates GDPR, CCPA, and most app store guidelines.',
-    recommendation: 'Draft a privacy policy covering: what you collect, why, how long, who you share with, user rights.',
-  },
-  {
-    pattern: /log.{0,25}(email|ip.?address|phone|full.?name|ssn)|(email|phone|full.?name|ssn).{0,25}(log|plaintext|plain.?text)/i,
-    concern: 'Logging PII creates data retention liability and complicates right-to-erasure compliance.',
-    recommendation: 'Pseudonymize PII in logs (hash emails, truncate IPs). Set log retention to 30-90 days maximum.',
-  },
-  {
-    pattern: /no.{0,20}(delete|erasure|right.?to.?delete|data.?removal|forget)/i,
-    concern: 'GDPR Article 17 mandates honoring right-to-erasure requests within 30 days.',
-    recommendation: 'Build user data deletion endpoint. Cascade to backups. Document deletion confirmation process.',
-  },
-  {
-    pattern: /open.?source|npm.{0,20}install|pip.{0,20}install|composer|cargo.{0,20}add/i,
-    concern: 'New dependencies may carry GPL/AGPL licenses that contaminate your project license.',
-    recommendation: 'Run license-checker or FOSSA after adding deps. Block GPL/AGPL in CI for proprietary projects.',
-  },
-  {
-    pattern: /cookie|tracking|analytics|pixel|beacon/i,
-    concern: 'Cookies and tracking pixels require consent banners for EU/UK users (ePrivacy Directive + GDPR).',
-    recommendation: 'Integrate consent management platform (Cookiebot, OneTrust) for EU users.',
-  },
-  {
-    pattern: /third.?party.{0,30}(share|send|forward|transmit).{0,30}(user|personal|customer)/i,
-    concern: 'Sharing personal data with third parties requires disclosure in privacy policy and may need consent.',
-    recommendation: 'List all third-party data recipients in privacy policy. Sign Data Processing Agreements (DPAs).',
-  },
-  {
-    pattern: /retain.{0,30}(forever|indefinitely|no.?limit|no.?expiry)|store.{0,30}forever/i,
-    concern: 'Retaining personal data indefinitely violates GDPR storage limitation principle (Article 5(1)(e)).',
-    recommendation: 'Define retention periods per data type. Auto-delete or anonymize after the period expires.',
-  },
-  {
-    pattern: /\b(trademark|patent|copyright)\b/i,
-    concern: 'IP risk flagged — verify you have rights to use and distribute this.',
-    recommendation: 'Confirm licensing rights. Consult an IP attorney if building on patented methods or using third-party branding.',
-  },
-  {
-    pattern: /\b(gdpr|data.?protection)\b.{0,30}(ignore|bypass|skip|not.{0,10}(apply|worry))/i,
-    concern: "GDPR applies to any service used by EU residents regardless of where you're based.",
-    recommendation: 'Conduct a GDPR compliance review. Appoint a Data Protection Officer if required.',
-  },
-  {
-    pattern: /export.{0,20}(encryption|crypto|cipher).{0,20}(us|usa|america|international)/i,
-    concern: 'Exporting encryption software may require US export license (EAR/ECCN classification).',
-    recommendation: 'Check ECCN classification for your encryption strength. File annual self-classification if needed.',
-  },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no legal concerns.', concerns: [] };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-  const recommendations: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-      recommendations.push(rule.recommendation);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: blocks.slice(1).map(b => b.reason),
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} legal or compliance concern${concerns.length > 1 ? 's' : ''} — review before shipping.`,
-      concerns,
-      recommendation: recommendations[0],
-    };
-  }
-
-  return { verdict: 'approve', reason: 'No legal or compliance issues detected.', concerns: [] };
-}