@nugehs/bouncer 0.1.0

package/src/lib/packs.js

@@ -0,0 +1,169 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { buildContext, evalRule } from "./engine.js";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const BUILTIN_DIR = path.resolve(here, "../packs");
+
+/** Read a single pack JSON file and validate its shape minimally. */
+function readPack(file) {
+  const pack = JSON.parse(fs.readFileSync(file, "utf8"));
+  if (!pack.id) throw new Error(`Pack ${file} is missing "id".`);
+  if (!Array.isArray(pack.rules)) throw new Error(`Pack ${pack.id} is missing a "rules" array.`);
+  pack._file = file;
+  return pack;
+}
+
+/** List every pack available to bouncer (built-in + any from extraDirs), as metadata. */
+export function availablePacks(extraDirs = []) {
+  const dirs = [BUILTIN_DIR, ...extraDirs];
+  const out = [];
+  const seen = new Set();
+  for (const dir of dirs) {
+    let entries = [];
+    try {
+      entries = fs.readdirSync(dir).filter((f) => f.endsWith(".json"));
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const pack = readPack(path.join(dir, entry));
+      if (seen.has(pack.id)) continue;
+      seen.add(pack.id);
+      out.push({
+        id: pack.id,
+        title: pack.title,
+        authority: pack.authority,
+        url: pack.url,
+        rules: pack.rules.length,
+        builtin: dir === BUILTIN_DIR,
+      });
+    }
+  }
+  return out;
+}
+
+/** Resolve the configured pack ids to loaded pack objects. */
+export function loadPacks(cfg) {
+  const dirs = [BUILTIN_DIR, ...(cfg.packDirs || [])];
+  const wanted = cfg.packs && cfg.packs.length ? cfg.packs : null;
+  const byId = new Map();
+
+  for (const dir of dirs) {
+    let entries = [];
+    try {
+      entries = fs.readdirSync(dir).filter((f) => f.endsWith(".json"));
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const pack = readPack(path.join(dir, entry));
+      if (!byId.has(pack.id)) byId.set(pack.id, pack);
+    }
+  }
+
+  if (!wanted) return [...byId.values()];
+
+  const resolved = [];
+  for (const id of wanted) {
+    const pack = byId.get(id);
+    if (!pack) throw new Error(`Pack not found: ${id}. Run \`bouncer packs\` to list available packs.`);
+    resolved.push(pack);
+  }
+  return resolved;
+}
+
+/** Run every rule in the configured packs against the target repo. */
+export function runCheck(cfg) {
+  const ctx = buildContext(cfg);
+  const packs = loadPacks(cfg);
+  const ignore = new Set(cfg.ignore || []);
+
+  const findings = [];
+  for (const pack of packs) {
+    const meta = { id: pack.id, title: pack.title, authority: pack.authority };
+    for (const rule of pack.rules) {
+      if (ignore.has(rule.id)) continue;
+      findings.push(evalRule(rule, ctx, meta));
+    }
+  }
+
+  const totals = { pass: 0, fail: 0, unknown: 0 };
+  for (const f of findings) totals[f.status] += 1;
+
+  const checked = findings.length;
+  const score = checked ? Math.round((totals.pass / checked) * 100) : 100;
+
+  return {
+    findings,
+    totals,
+    score,
+    meta: {
+      adapter: cfg.target.adapter,
+      repo: ctx.root,
+      filesScanned: ctx.files.length,
+      packs: packs.map((p) => ({ id: p.id, title: p.title, authority: p.authority })),
+    },
+  };
+}
+
+/** Flat list of every rule the configured packs would apply (no scanning). */
+export function listRules(cfg) {
+  const packs = loadPacks(cfg);
+  const rules = [];
+  for (const pack of packs) {
+    for (const rule of pack.rules) {
+      rules.push({
+        packId: pack.id,
+        ruleId: rule.id,
+        standard: rule.standard,
+        severity: rule.severity || "medium",
+        surface: typeof rule.surface === "string" ? rule.surface : undefined,
+        intent: rule.intent,
+      });
+    }
+  }
+  return rules;
+}
+
+/** Find a single rule across the configured packs and render how it is checked. */
+export function explainRule(cfg, ruleId) {
+  const packs = loadPacks(cfg);
+  for (const pack of packs) {
+    const rule = pack.rules.find((r) => r.id === ruleId);
+    if (rule) {
+      return {
+        packId: pack.id,
+        packTitle: pack.title,
+        authority: pack.authority,
+        url: pack.url,
+        ...rule,
+        checks: renderAssert(rule.assert),
+      };
+    }
+  }
+  throw new Error(`Rule not found: ${ruleId}. Run \`bouncer list\` to see available rules.`);
+}
+
+/** Human-readable description of an assertion tree. */
+function renderAssert(node, depth = 0) {
+  const pad = "  ".repeat(depth);
+  if (node.allOf) return [`${pad}ALL of:`, ...node.allOf.flatMap((n) => renderAssert(n, depth + 1))];
+  if (node.anyOf) return [`${pad}ANY of:`, ...node.anyOf.flatMap((n) => renderAssert(n, depth + 1))];
+  if (node.not) return [`${pad}NOT:`, ...renderAssert(node.not, depth + 1)];
+  if (node.find) {
+    const where = Array.isArray(node.in) ? node.in.join(", ") : node.in || "any";
+    const expect = node.expect === "absent" ? "must NOT appear" : "must appear";
+    return [`${pad}- /${node.find}/  ${expect} in surface [${where}]`];
+  }
+  if (node.allInFile) {
+    const where = Array.isArray(node.in) ? node.in.join(", ") : node.in || "any";
+    const expect = node.expect === "absent" ? "must NOT all co-occur" : "must all co-occur";
+    return [
+      `${pad}- all of these patterns ${expect} in a single file in surface [${where}]:`,
+      ...node.allInFile.map((p) => `${pad}    /${p}/`),
+    ];
+  }
+  return [`${pad}- (empty)`];
+}

package/src/lib/reporters/html.js

@@ -0,0 +1,156 @@
+// Self-contained HTML compliance report (inline CSS + a little vanilla JS, no deps).
+// Modelled on tieline's report: a health ring, summary cards, and per-pack control
+// tables with each rule's verdict, the legal standard, and file-level evidence.
+
+const esc = (s) =>
+  String(s ?? "").replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
+
+const shortFile = (f) => {
+  const p = String(f).split("/");
+  return p.length > 2 ? p.slice(-2).join("/") : String(f);
+};
+const locCell = (file, line) =>
+  `<td class="loc" title="${esc(file)}${line ? ":" + line : ""}">${esc(shortFile(file))}${line ? ":" + line : ""}</td>`;
+
+export function reportHtml(result, meta = {}) {
+  const { findings = [], totals = {}, score = 100, meta: rmeta = {} } = result;
+
+  const byPack = new Map();
+  for (const f of findings) {
+    if (!byPack.has(f.packId)) byPack.set(f.packId, []);
+    byPack.get(f.packId).push(f);
+  }
+
+  const packSections = [...byPack.values()].map((rows) => packTable(rows)).join("\n");
+
+  return `<!doctype html>
+<html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>bouncer · compliance report</title>
+<style>${CSS}</style></head>
+<body>
+<header class="hero">
+  <div class="hero-inner">
+    <div class="brand"><span class="logo">⛨</span> bouncer<span class="sub">compliance report</span></div>
+    <div class="meta">
+      <span>${esc(rmeta.adapter || "adapter")} · ${esc(String(rmeta.filesScanned ?? 0))} files</span>
+      ${meta.generatedAt ? `<span class="dim">${esc(meta.generatedAt)}</span>` : ""}
+    </div>
+  </div>
+  <div class="ring" style="--p:${score}">
+    <svg viewBox="0 0 120 120"><circle class="track" cx="60" cy="60" r="52"/><circle class="value ${score >= 90 ? "ok" : score >= 70 ? "warn" : "bad"}" cx="60" cy="60" r="52"/></svg>
+    <div class="ring-label"><strong>${score}%</strong><span>controls present</span></div>
+  </div>
+</header>
+
+<main>
+  <section class="cards">
+    ${card("pass", totals.pass || 0, "ok", "required control found")}
+    ${card("fail", totals.fail || 0, "bad", "surface exists, control missing")}
+    ${card("unknown", totals.unknown || 0, "warn", "surface not located — can't determine")}
+  </section>
+
+  <p class="disclaimer">bouncer checks that the controls a regulation requires are present in code. It is an engineering aid, <strong>not legal advice</strong> and not a substitute for a compliance/DPO review.</p>
+
+  ${packSections}
+</main>
+
+<footer>Generated by <strong>bouncer</strong> · static compliance-controls checker</footer>
+<script>${JS}</script>
+</body></html>`;
+}
+
+function card(label, value, kind, sub) {
+  return `<div class="cardx ${kind}"><div class="num">${value}</div><div class="lab">${esc(label)}</div><div class="csub">${esc(sub)}</div></div>`;
+}
+
+function packTable(rows) {
+  const head = rows[0];
+  const ordered = [...rows].sort((a, b) => order(a.status) - order(b.status));
+  const body = ordered
+    .map((f) => {
+      const evidence =
+        f.status === "pass" && f.hits[0]
+          ? locCell(f.hits[0].file, f.hits[0].line)
+          : f.status === "fail" && f.hits[0]
+            ? locCell(f.hits[0].file, f.hits[0].line)
+            : `<td class="loc dim">${f.status === "unknown" ? "not located" : "—"}</td>`;
+      const detail =
+        f.status === "fail"
+          ? `<div class="sub">${esc(f.intent || "")}</div><div class="fix">Fix: ${esc(f.fix || "")}</div>`
+          : f.status === "unknown"
+            ? `<div class="sub dim">surface not found in this repo — can't determine</div>`
+            : "";
+      return `<tr data-status="${f.status}" data-text="${esc(f.ruleId + " " + (f.standard || ""))}">
+        <td class="verdict"><span class="pill ${f.status}">${esc(f.status)}</span></td>
+        <td class="sev ${esc(f.severity)}">${esc(f.severity)}</td>
+        <td class="rule"><span class="rid">${esc(f.ruleId)}</span><div class="std">${esc(f.standard || "")}</div>${detail}</td>
+        ${evidence}
+      </tr>`;
+    })
+    .join("\n");
+
+  return `<section class="panel">
+    <h2>${esc(head.packTitle)}</h2>
+    <p class="hint">${esc(head.authority || "")} &nbsp;·&nbsp; <span class="k ok">●</span> pass · <span class="k bad">●</span> fail · <span class="k warn">●</span> unknown</p>
+    <table class="grid">
+      <thead><tr><th>Verdict</th><th>Severity</th><th>Control / standard</th><th>Evidence</th></tr></thead>
+      <tbody>${body}</tbody>
+    </table>
+  </section>`;
+}
+
+function order(status) {
+  return status === "fail" ? 0 : status === "unknown" ? 1 : 2;
+}
+
+const CSS = `
+:root{--bg:#0d1117;--panel:#161b22;--line:#21262d;--ink:#e6edf3;--dim:#8b949e;--ok:#2ea043;--bad:#f85149;--warn:#d29922;--mute:#6e7681}
+*{box-sizing:border-box}
+body{margin:0;background:var(--bg);color:var(--ink);font:14px/1.5 ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,sans-serif}
+.hero{display:flex;align-items:center;justify-content:space-between;gap:24px;padding:28px 32px;background:linear-gradient(135deg,#161b22,#0d1117);border-bottom:1px solid var(--line)}
+.brand{font-size:22px;font-weight:700;letter-spacing:.3px}
+.brand .logo{color:#58a6ff;margin-right:6px}
+.brand .sub{font-size:13px;font-weight:500;color:var(--dim);margin-left:10px}
+.meta{margin-top:6px;color:var(--dim);font-size:13px;display:flex;gap:14px}
+.meta .dim{color:var(--mute)}
+.ring{position:relative;width:120px;height:120px;flex:none}
+.ring svg{transform:rotate(-90deg)}
+.ring .track{fill:none;stroke:var(--line);stroke-width:10}
+.ring .value{fill:none;stroke-width:10;stroke-linecap:round;stroke-dasharray:calc(var(--p)*3.27) 327}
+.ring .value.ok{stroke:var(--ok)}.ring .value.warn{stroke:var(--warn)}.ring .value.bad{stroke:var(--bad)}
+.ring-label{position:absolute;inset:0;display:flex;flex-direction:column;align-items:center;justify-content:center}
+.ring-label strong{font-size:24px}.ring-label span{font-size:11px;color:var(--dim)}
+main{max-width:1040px;margin:0 auto;padding:28px 32px}
+.cards{display:grid;grid-template-columns:repeat(3,1fr);gap:14px;margin-bottom:18px}
+.cardx{background:var(--panel);border:1px solid var(--line);border-radius:10px;padding:16px 18px}
+.cardx .num{font-size:30px;font-weight:700}
+.cardx .lab{text-transform:uppercase;letter-spacing:.6px;font-size:12px;color:var(--dim)}
+.cardx .csub{font-size:12px;color:var(--mute);margin-top:4px}
+.cardx.ok .num{color:var(--ok)}.cardx.bad .num{color:var(--bad)}.cardx.warn .num{color:var(--warn)}
+.disclaimer{background:#1c2128;border:1px solid var(--line);border-radius:8px;padding:10px 14px;color:var(--dim);font-size:12.5px}
+.panel{background:var(--panel);border:1px solid var(--line);border-radius:12px;padding:18px 20px;margin-top:18px}
+.panel h2{margin:0 0 2px;font-size:16px}
+.hint{color:var(--dim);font-size:12.5px;margin:0 0 12px}
+.k{font-size:10px;vertical-align:middle}.k.ok{color:var(--ok)}.k.bad{color:var(--bad)}.k.warn{color:var(--warn)}
+table.grid{width:100%;border-collapse:collapse;font-size:13px}
+.grid th{text-align:left;color:var(--dim);font-weight:600;font-size:11px;text-transform:uppercase;letter-spacing:.5px;padding:6px 10px;border-bottom:1px solid var(--line)}
+.grid td{padding:10px;border-bottom:1px solid var(--line);vertical-align:top}
+.pill{display:inline-block;padding:2px 9px;border-radius:999px;font-size:11px;font-weight:700;text-transform:uppercase}
+.pill.pass{background:rgba(46,160,67,.15);color:var(--ok)}
+.pill.fail{background:rgba(248,81,73,.15);color:var(--bad)}
+.pill.unknown{background:rgba(210,153,34,.15);color:var(--warn)}
+.sev{font-size:12px;text-transform:capitalize;color:var(--dim)}
+.sev.high{color:var(--bad)}.sev.medium{color:var(--warn)}
+.rule .rid{font-family:ui-monospace,SFMono-Regular,Menlo,monospace;font-size:12.5px}
+.rule .std{color:var(--dim);font-size:12px;margin-top:2px}
+.rule .sub{margin-top:6px;font-size:12.5px}
+.rule .fix{margin-top:3px;font-size:12px;color:#7ee787}
+.loc{font-family:ui-monospace,SFMono-Regular,Menlo,monospace;font-size:12px;color:#79c0ff;white-space:nowrap}
+.dim{color:var(--mute)}
+footer{max-width:1040px;margin:0 auto;padding:20px 32px 40px;color:var(--mute);font-size:12px}
+`;
+
+const JS = `
+// no-op placeholder for future filtering; report is fully static.
+document.querySelectorAll('.pill').forEach(function(p){});
+`;

package/src/lib/reporters/human.js

@@ -0,0 +1,72 @@
+import { printText } from "../output.js";
+import { GLYPH } from "../brand.js";
+
+const SEV_ORDER = { high: 0, medium: 1, low: 2 };
+
+/** Terminal report grouped by pack, ordered fail -> unknown -> pass within each pack. */
+export function reportHuman(result, { statusFilter = "all" } = {}) {
+  const { findings, totals, score, meta } = result;
+
+  printText("");
+  printText(`  bouncer · compliance-controls report`);
+  printText(`  ${meta.repo}`);
+  printText(`  adapter: ${meta.adapter} · files scanned: ${meta.filesScanned}`);
+  printText("");
+
+  const byPack = new Map();
+  for (const f of findings) {
+    if (!byPack.has(f.packId)) byPack.set(f.packId, []);
+    byPack.get(f.packId).push(f);
+  }
+
+  for (const [, rows] of byPack) {
+    const head = rows[0];
+    printText(`  ${head.packTitle}`);
+    printText(`  ${dim(head.authority || "")}`);
+    const ordered = [...rows].sort(byStatusThenSeverity);
+    for (const f of ordered) {
+      if (statusFilter !== "all" && !statusMatches(f.status, statusFilter)) continue;
+      printText(`    ${mark(f.status)} ${pad(f.severity, 6)} ${f.ruleId}`);
+      printText(`        ${dim(f.standard || "")}`);
+      if (f.status === "pass" && f.hits[0]) {
+        printText(`        evidence: ${f.hits[0].file}:${f.hits[0].line}`);
+      } else if (f.status === "fail") {
+        printText(`        ${f.intent || ""}`);
+        printText(`        fix: ${f.fix || ""}`);
+        for (const h of f.hits.slice(0, 3)) {
+          printText(`        offending: ${h.file}:${h.line}`);
+        }
+      } else if (f.status === "unknown") {
+        printText(`        surface not located in this repo — can't determine`);
+      }
+    }
+    printText("");
+  }
+
+  printText(`  ${GLYPH.pass} pass ${totals.pass}   ${GLYPH.fail} fail ${totals.fail}   ${GLYPH.unknown} unknown ${totals.unknown}   ·   score ${score}%`);
+  printText("");
+}
+
+function byStatusThenSeverity(a, b) {
+  const order = { fail: 0, unknown: 1, pass: 2 };
+  if (order[a.status] !== order[b.status]) return order[a.status] - order[b.status];
+  return (SEV_ORDER[a.severity] ?? 1) - (SEV_ORDER[b.severity] ?? 1);
+}
+
+function statusMatches(status, filter) {
+  if (filter === "fail") return status === "fail";
+  if (filter === "unknown") return status === "unknown" || status === "fail";
+  return true;
+}
+
+function mark(status) {
+  return status === "pass" ? GLYPH.pass : status === "fail" ? GLYPH.fail : GLYPH.unknown;
+}
+
+function pad(s, n) {
+  return String(s || "").padEnd(n);
+}
+
+function dim(s) {
+  return s;
+}

package/src/lib/reporters/json.js

@@ -0,0 +1,5 @@
+import { printJson } from "../output.js";
+
+export function reportJson(result) {
+  printJson(result);
+}

package/src/lib/walk.js

@@ -0,0 +1,109 @@
+import fs from "node:fs";
+import path from "node:path";
+
+const SKIP = new Set([
+  "node_modules",
+  "dist",
+  ".git",
+  ".next",
+  "coverage",
+  ".worktrees",
+  ".yarn",
+  "build",
+  "out",
+]);
+
+/**
+ * Recursively collect files under `dir` whose basename passes `filter`.
+ * Returns absolute paths. Missing directories are skipped silently.
+ */
+export function walk(dir, filter = () => true) {
+  const out = [];
+  let entries;
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return out;
+  }
+  for (const entry of entries) {
+    if (entry.name.startsWith(".") && entry.name !== ".") continue;
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (SKIP.has(entry.name)) continue;
+      out.push(...walk(full, filter));
+    } else if (entry.isFile() && filter(entry.name)) {
+      out.push(full);
+    }
+  }
+  return out;
+}
+
+/**
+ * Expand a single level of brace alternation: "a.{ts,tsx}" -> ["a.ts", "a.tsx"].
+ * Recurses so multiple brace groups in one pattern all expand.
+ */
+export function expandBraces(pattern) {
+  const open = pattern.indexOf("{");
+  if (open === -1) return [pattern];
+  const close = pattern.indexOf("}", open);
+  if (close === -1) return [pattern];
+  const head = pattern.slice(0, open);
+  const tail = pattern.slice(close + 1);
+  const options = pattern.slice(open + 1, close).split(",");
+  const out = [];
+  for (const option of options) {
+    for (const expanded of expandBraces(head + option + tail)) {
+      out.push(expanded);
+    }
+  }
+  return out;
+}
+
+/** Translate a glob (supports **, *, ?, and brace groups) into a RegExp anchored to the whole path. */
+export function globToRegExp(glob) {
+  let re = "^";
+  for (let i = 0; i < glob.length; ) {
+    const c = glob[i];
+    if (c === "*" && glob[i + 1] === "*") {
+      if (glob[i + 2] === "/") {
+        re += "(?:.*/)?";
+        i += 3;
+      } else {
+        re += ".*";
+        i += 2;
+      }
+    } else if (c === "*") {
+      re += "[^/]*";
+      i += 1;
+    } else if (c === "?") {
+      re += "[^/]";
+      i += 1;
+    } else if ("\\^$.|+()[]{}".includes(c)) {
+      re += "\\" + c;
+      i += 1;
+    } else {
+      re += c;
+      i += 1;
+    }
+  }
+  return new RegExp(re + "$");
+}
+
+/** True when `relPath` matches any of the provided globs (brace groups expanded first). */
+export function matchesAnyGlob(relPath, globs) {
+  for (const glob of globs) {
+    for (const expanded of expandBraces(glob)) {
+      if (globToRegExp(expanded).test(relPath)) return true;
+    }
+  }
+  return false;
+}
+
+/** Line number (1-based) of a character offset within text. */
+export function lineAt(text, offset) {
+  let line = 1;
+  for (let i = 0; i < offset && i < text.length; i++) {
+    if (text[i] === "\n") line++;
+  }
+  return line;
+}

package/src/packs/uk-aadc.json

@@ -0,0 +1,109 @@
+{
+  "id": "uk-aadc",
+  "title": "UK Age Appropriate Design Code (ICO Children's Code)",
+  "authority": "ICO — UK GDPR / Data Protection Act 2018",
+  "url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/",
+  "rules": [
+    {
+      "id": "aadc.age-assurance-present",
+      "standard": "Standard 3 — Age-appropriate application",
+      "severity": "high",
+      "surface": "signup",
+      "intent": "The service must establish age with a level of certainty appropriate to the risks — a real age-assurance step at sign-up, not nothing.",
+      "fix": "Capture date of birth or run age assurance at registration so age-appropriate treatment can be applied.",
+      "assert": {
+        "find": "date[_-]?of[_-]?birth|dateOfBirth|\\bdob\\b|birth[_-]?date|age[_-]?(gate|check|verif|assur|estimat)",
+        "in": ["signup", "auth"],
+        "expect": "present"
+      }
+    },
+    {
+      "id": "aadc.self-declared-age-insufficient",
+      "standard": "Standard 3 — Age-appropriate application",
+      "severity": "medium",
+      "surface": "signup",
+      "intent": "A bare self-declaration checkbox ('I am over 18') is not sufficient age assurance under current ICO/Ofcom expectations.",
+      "fix": "Replace or back the self-declared age checkbox with real age assurance (DOB + verification, estimation, or ID).",
+      "assert": {
+        "find": "type=[\"']checkbox[\"'][^>]*(age|over\\s*18|18\\s*\\+)|(over\\s*18|18\\s*\\+|i am over)[^<]{0,40}checkbox",
+        "in": ["signup", "auth"],
+        "expect": "absent"
+      }
+    },
+    {
+      "id": "aadc.high-privacy-default",
+      "standard": "Standard 7 — Default settings",
+      "severity": "high",
+      "surface": "profile",
+      "intent": "Settings must be 'high privacy' by default for children — profiles private unless the child changes it.",
+      "fix": "Default profile visibility to private/followers-only for accounts that may belong to a child.",
+      "assert": {
+        "allInFile": [
+          "visibility|profileVisibility|isPrivate|accountPrivacy",
+          "default|initial|defaultValue|initialState",
+          "private|PRIVATE|followers|true"
+        ],
+        "within": 4,
+        "in": ["profile"],
+        "expect": "present"
+      }
+    },
+    {
+      "id": "aadc.geolocation-default-off",
+      "standard": "Standard 10 — Geolocation",
+      "severity": "high",
+      "surface": "profile",
+      "intent": "Geolocation must default to off for children, and any setting that makes a child's location visible to others must default off.",
+      "fix": "Default any location-sharing / geolocation setting to off; switch it back off at the end of each session.",
+      "assert": {
+        "allInFile": [
+          "geo|location|geolocation|shareLocation|locationSharing",
+          "default|initial|defaultValue|initialState",
+          "false|off|disabled|private"
+        ],
+        "within": 4,
+        "in": ["profile", "any"],
+        "expect": "present"
+      }
+    },
+    {
+      "id": "aadc.no-nudge-techniques",
+      "standard": "Standard 13 — Nudge techniques",
+      "severity": "medium",
+      "surface": "any",
+      "intent": "Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken their privacy.",
+      "fix": "Remove copy/flows that push users to make profiles public, share location, or disable privacy to unlock features.",
+      "assert": {
+        "find": "make[^\\n<]{0,20}(profile|account)[^\\n<]{0,20}public|share[^\\n<]{0,20}location[^\\n<]{0,20}(unlock|get|earn)|turn off[^\\n<]{0,20}privacy",
+        "in": ["any"],
+        "expect": "absent"
+      }
+    },
+    {
+      "id": "aadc.parental-consent-under13",
+      "standard": "Standard 9 — Data minimisation / lawful basis (under 13)",
+      "severity": "high",
+      "surface": "signup",
+      "intent": "Where the service relies on consent for a child under 13, parental/guardian consent must be obtained.",
+      "fix": "Add a parental/guardian consent flow for under-13 sign-ups before processing their data.",
+      "assert": {
+        "find": "parental[_-]?consent|guardian[_-]?consent|parentEmail|guardianEmail|under[_-]?13",
+        "in": ["signup", "auth"],
+        "expect": "present"
+      }
+    },
+    {
+      "id": "aadc.dpia-exists",
+      "standard": "Standard 2 — Data Protection Impact Assessments",
+      "severity": "high",
+      "surface": "governance",
+      "intent": "A DPIA must be completed and maintained for services likely to be accessed by children.",
+      "fix": "Add and keep current a Data Protection Impact Assessment (DPIA) artifact in the repo or linked from it.",
+      "assert": {
+        "find": "data protection impact assessment|\\bDPIA\\b",
+        "in": ["governance", "any"],
+        "expect": "present"
+      }
+    }
+  ]
+}