npm - @runhalo/engine - Versions diffs - 0.2.0 → 0.3.1 - Mend

@runhalo/engine 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/framework-detect.d.ts +15 -0
package/dist/framework-detect.js +108 -0
package/dist/framework-detect.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.js +326 -14
package/dist/index.js.map +1 -1
package/dist/scaffold-engine.d.ts +67 -0
package/dist/scaffold-engine.js +104 -0
package/dist/scaffold-engine.js.map +1 -0
package/dist/scaffolds/index.d.ts +23 -0
package/dist/scaffolds/index.js +19 -0
package/dist/scaffolds/index.js.map +1 -0
package/dist/scaffolds/templates/age-gate-auth.d.ts +7 -0
package/dist/scaffolds/templates/age-gate-auth.js +254 -0
package/dist/scaffolds/templates/age-gate-auth.js.map +1 -0
package/dist/scaffolds/templates/consent-cookies.d.ts +7 -0
package/dist/scaffolds/templates/consent-cookies.js +253 -0
package/dist/scaffolds/templates/consent-cookies.js.map +1 -0
package/dist/scaffolds/templates/pii-sanitizer.d.ts +7 -0
package/dist/scaffolds/templates/pii-sanitizer.js +263 -0
package/dist/scaffolds/templates/pii-sanitizer.js.map +1 -0
package/dist/scaffolds/templates/retention-policy.d.ts +7 -0
package/dist/scaffolds/templates/retention-policy.js +247 -0
package/dist/scaffolds/templates/retention-policy.js.map +1 -0
package/package.json +1 -1

package/dist/framework-detect.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Framework Detection — detects project framework from package.json
+ * Used by ScaffoldEngine to generate framework-specific code scaffolds
+ */
+export type Framework = 'react' | 'nextjs' | 'vue' | 'svelte' | 'plain-js';
+export interface FrameworkDetectionResult {
+    framework: Framework;
+    typescript: boolean;
+    confidence: number;
+}
+/**
+ * Detect the project framework by reading package.json
+ * Priority: next > react > vue > svelte > plain-js
+ */
+export declare function detectFramework(projectPath: string): FrameworkDetectionResult;

package/dist/framework-detect.js ADDED Viewed

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * Framework Detection — detects project framework from package.json
+ * Used by ScaffoldEngine to generate framework-specific code scaffolds
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectFramework = detectFramework;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/**
+ * Detect the project framework by reading package.json
+ * Priority: next > react > vue > svelte > plain-js
+ */
+function detectFramework(projectPath) {
+    const result = {
+        framework: 'plain-js',
+        typescript: false,
+        confidence: 0.3,
+    };
+    // Try to read package.json
+    const pkgPath = path.join(projectPath, 'package.json');
+    let pkg = null;
+    try {
+        if (fs.existsSync(pkgPath)) {
+            pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        }
+    }
+    catch {
+        // Malformed package.json — fall through to defaults
+    }
+    if (!pkg) {
+        // Check for tsconfig.json even without package.json
+        const tsconfigPath = path.join(projectPath, 'tsconfig.json');
+        if (fs.existsSync(tsconfigPath)) {
+            result.typescript = true;
+        }
+        return result;
+    }
+    const deps = pkg.dependencies || {};
+    const devDeps = pkg.devDependencies || {};
+    const allDeps = { ...deps, ...devDeps };
+    // Detect TypeScript
+    if (allDeps['typescript']) {
+        result.typescript = true;
+    }
+    else {
+        const tsconfigPath = path.join(projectPath, 'tsconfig.json');
+        if (fs.existsSync(tsconfigPath)) {
+            result.typescript = true;
+        }
+    }
+    // Detect framework (priority order — Next.js includes React, so check first)
+    if (deps['next'] || devDeps['next']) {
+        result.framework = 'nextjs';
+        result.confidence = 0.95;
+    }
+    else if (deps['react'] || devDeps['react']) {
+        result.framework = 'react';
+        result.confidence = 0.9;
+    }
+    else if (deps['vue'] || devDeps['vue']) {
+        result.framework = 'vue';
+        result.confidence = 0.9;
+    }
+    else if (deps['svelte'] || devDeps['svelte']) {
+        result.framework = 'svelte';
+        result.confidence = 0.9;
+    }
+    else {
+        result.framework = 'plain-js';
+        result.confidence = 0.5;
+    }
+    return result;
+}
+//# sourceMappingURL=framework-detect.js.map

package/dist/framework-detect.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"framework-detect.js","sourceRoot":"","sources":["../src/framework-detect.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBH,0CA6DC;AA5ED,uCAAyB;AACzB,2CAA6B;AAU7B;;;GAGG;AACH,SAAgB,eAAe,CAAC,WAAmB;IACjD,MAAM,MAAM,GAA6B;QACvC,SAAS,EAAE,UAAU;QACrB,UAAU,EAAE,KAAK;QACjB,UAAU,EAAE,GAAG;KAChB,CAAC;IAEF,2BAA2B;IAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACvD,IAAI,GAAG,GAAQ,IAAI,CAAC;IAEpB,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,oDAAoD;QACpD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;IACpC,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAExC,oBAAoB;IACpB,IAAI,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;IAC3B,CAAC;SAAM,CAAC;QACN,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC5B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;IAC3B,CAAC;SAAM,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC;QAC3B,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;IAC1B,CAAC;SAAM,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC;QACzB,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;IAC1B,CAAC;SAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/C,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC5B,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;QAC9B,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;IAC1B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts CHANGED Viewed

@@ -79,6 +79,8 @@ declare const REMEDIATION_MAP: Record<string, RemediationSpec>;
 declare function getRemediation(ruleId: string): RemediationSpec;
 export declare const COPPA_RULES: Rule[];
 export declare const ETHICAL_RULES: Rule[];
+export declare const AI_AUDIT_RULES: Rule[];
+export declare const AU_SBD_RULES: Rule[];
 export interface IgnoreConfig {
     /** File glob patterns to ignore entirely */
     ignoredFiles: string[];
@@ -120,6 +122,8 @@ export interface EngineConfig {
     ignoreConfig?: IgnoreConfig;
     projectDomains?: string[];
     ethical?: boolean;
+    aiAudit?: boolean;
+    sectorAuSbd?: boolean;
 }
 export interface ScanResult {
     filePath: string;
@@ -173,4 +177,10 @@ export type { FixResult, FileFixResult, FixOptions } from './fixer';
 export { transformUrlUpgrade, transformRemoveDefault, transformSanitizeInput, transformSetDefault, } from './fixer';
 export { ComplianceScoreEngine } from './scoring';
 export type { ComplianceScoreResult, LetterGrade } from './scoring';
+export { ScaffoldEngine } from './scaffold-engine';
+export type { GuidedFixResult, GuidedFixSummary } from './scaffold-engine';
+export { detectFramework } from './framework-detect';
+export type { Framework, FrameworkDetectionResult } from './framework-detect';
+export { SCAFFOLD_REGISTRY } from './scaffolds/index';
+export type { ScaffoldTemplate, ScaffoldFile } from './scaffolds/index';
 export default HaloEngine;

package/dist/index.js CHANGED Viewed

@@ -44,7 +44,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ComplianceScoreEngine = exports.transformSetDefault = exports.transformSanitizeInput = exports.transformRemoveDefault = exports.transformUrlUpgrade = exports.FixEngine = exports.REMEDIATION_MAP = exports.HaloEngine = exports.ETHICAL_RULES = exports.COPPA_RULES = exports.treeSitterParser = exports.TreeSitterParser = void 0;
+exports.SCAFFOLD_REGISTRY = exports.detectFramework = exports.ScaffoldEngine = exports.ComplianceScoreEngine = exports.transformSetDefault = exports.transformSanitizeInput = exports.transformRemoveDefault = exports.transformUrlUpgrade = exports.FixEngine = exports.REMEDIATION_MAP = exports.HaloEngine = exports.AU_SBD_RULES = exports.AI_AUDIT_RULES = exports.ETHICAL_RULES = exports.COPPA_RULES = exports.treeSitterParser = exports.TreeSitterParser = void 0;
 exports.loadRulesFromYAML = loadRulesFromYAML;
 exports.parseHaloignore = parseHaloignore;
 exports.shouldIgnoreFile = shouldIgnoreFile;
@@ -56,10 +56,14 @@ const tree_sitter_1 = __importDefault(require("tree-sitter"));
 const tree_sitter_typescript_1 = __importDefault(require("tree-sitter-typescript"));
 const tree_sitter_javascript_1 = __importDefault(require("tree-sitter-javascript"));
 const yaml = __importStar(require("js-yaml"));
-// Extract category from ruleId (e.g. "coppa-auth-001" → "auth", "ETHICAL-001" → "ethical")
+// Extract category from ruleId (e.g. "coppa-auth-001" → "auth", "ETHICAL-001" → "ethical", "AU-SBD-001" → "au-sbd")
 function extractCategory(ruleId) {
     if (ruleId.startsWith('ETHICAL'))
         return 'ethical';
+    if (ruleId.startsWith('AI-AUDIT'))
+        return 'ai-audit';
+    if (ruleId.startsWith('AU-SBD'))
+        return 'au-sbd';
     const match = ruleId.match(/^coppa-(\w+)-\d+$/);
     return match ? match[1] : 'unknown';
 }
@@ -71,7 +75,8 @@ function detectLanguage(filePath) {
         '.py': 'python', '.swift': 'swift', '.java': 'java', '.kt': 'kotlin',
         '.html': 'html', '.vue': 'vue', '.svelte': 'svelte', '.php': 'php',
         '.cpp': 'cpp', '.h': 'cpp', '.hpp': 'cpp', '.cs': 'csharp',
-        '.qml': 'qml', '.sql': 'sql',
+        '.qml': 'qml', '.sql': 'sql', '.go': 'go', '.rb': 'ruby',
+        '.xml': 'xml', '.erb': 'ruby',
     };
     return langMap[ext] || 'unknown';
 }
@@ -263,15 +268,37 @@ exports.COPPA_RULES = [
         severity: 'critical',
         description: 'Social login (Google, Facebook, Twitter) without age gating is prohibited for child-directed apps',
         patterns: [
+            // JS/TS — Firebase
             /signInWithPopup\s*\(\s*\w+\s*,\s*['"](google|facebook|twitter|github)['"]/gi,
             /signInWithPopup\s*\(\s*['"](google|facebook|twitter|github)['"]/gi,
             /signInWithPopup\s*\(\s*\w+\s*,\s*\w+\s*\)/gi,
             /firebase\.auth\(\)\s*\.\s*signInWithPopup/gi,
-            /passport\.authenticate\s*\(\s*['"](google|facebook|twitter)['"]/gi
+            // JS/TS — Passport.js
+            /passport\.authenticate\s*\(\s*['"](google|facebook|twitter)['"]/gi,
+            // Python — django-allauth social providers config
+            /SOCIALACCOUNT_PROVIDERS\s*=\s*\{[^}]*(?:google|facebook|twitter|github)/gi,
+            // Python — python-social-auth backends
+            /SOCIAL_AUTH_(?:GOOGLE|FACEBOOK|TWITTER|GITHUB)_(?:KEY|SECRET)/gi,
+            // Python — flask-dance blueprints
+            /make_(?:google|facebook|twitter|github)_blueprint\s*\(/gi,
+            // Python — authlib OAuth registration
+            /oauth\.register\s*\(\s*['"](?:google|facebook|twitter|github)['"]/gi,
+            // Go — goth social auth providers
+            /goth\.UseProviders\s*\(/gi,
+            // Java — Spring Security OAuth2 login
+            /\.oauth2Login\s*\(\s*\)/gi,
+            // Java — Spring OAuth2 client registration
+            /ClientRegistration\.withRegistrationId\s*\(\s*['"](?:google|facebook|twitter|github)['"]/gi,
+            // Kotlin/Java — Firebase Android
+            /Firebase\.auth\.signInWithCredential/gi,
+            // Kotlin/Java — Google Sign-In Android
+            /GoogleSignIn\.getClient\s*\(/gi,
+            // Kotlin/Java — Facebook Login Android SDK
+            /LoginManager\.getInstance\s*\(\s*\)\s*\.logIn/gi
         ],
         fixSuggestion: 'Wrap the auth call in a conditional check for user.age >= 13 or use signInWithParentEmail() for children',
         penalty: '$51,744 per violation',
-        languages: ['typescript', 'javascript', 'python', 'swift']
+        languages: ['typescript', 'javascript', 'python', 'go', 'java', 'kotlin', 'swift']
     },
     {
         id: 'coppa-data-002',
@@ -310,14 +337,30 @@ exports.COPPA_RULES = [
         severity: 'high',
         description: 'High-accuracy geolocation without parental consent is prohibited',
         patterns: [
+            // JS/TS — browser Geolocation API
             /navigator\.geolocation\.getCurrentPosition/gi,
             /navigator\.geolocation\.watchPosition/gi,
+            // Swift — CoreLocation
             /CLLocationManager\.startUpdatingLocation\(\)/gi,
-            /locationServices\.requestLocation/gi
+            /locationServices\.requestLocation/gi,
+            // Java Android — LocationManager
+            /LocationManager\s*\.\s*requestLocationUpdates\s*\(/gi,
+            // Java/Kotlin Android — Fused Location Provider (Google Play Services)
+            /FusedLocationProviderClient|fusedLocationClient\s*\.\s*(?:requestLocationUpdates|getLastLocation|getCurrentLocation)/gi,
+            // Java Android — high accuracy priority
+            /LocationRequest\.create\s*\(\s*\)\s*\.\s*setPriority\s*\(\s*LocationRequest\.PRIORITY_HIGH_ACCURACY/gi,
+            // Kotlin Android — LocationRequest.Builder
+            /LocationRequest\.Builder\s*\(\s*Priority\.PRIORITY_HIGH_ACCURACY/gi,
+            // Python — geocoder library
+            /geocoder\.(?:ip|google|osm|mapquest)\s*\(/gi,
+            // Python — geopy geolocators
+            /(?:Nominatim|GoogleV3|Bing)\s*\([^)]*\)\s*\.(?:geocode|reverse)/gi,
+            // Android manifest — fine location permission
+            /android\.permission\.ACCESS_FINE_LOCATION/gi
         ],
         fixSuggestion: 'Downgrade accuracy to kCLLocationAccuracyThreeKilometers or require parental consent',
         penalty: '$51,744 per violation',
-        languages: ['typescript', 'javascript', 'swift', 'kotlin']
+        languages: ['typescript', 'javascript', 'swift', 'kotlin', 'java', 'python', 'xml']
     },
     {
         id: 'coppa-retention-005',
@@ -325,11 +368,22 @@ exports.COPPA_RULES = [
         severity: 'medium',
         description: 'User schemas must have deleted_at, expiration_date, or TTL index for data retention',
         patterns: [
-            /new\s+Schema\s*\(\s*\{[^{}]*\}/gi
+            // JS/TS — Mongoose schemas
+            /new\s+Schema\s*\(\s*\{[^{}]*\}/gi,
+            // Python — Django models
+            /class\s+(?:User|Child|Student|Profile|Account|Member)\w*\s*\(\s*models\.Model\s*\)/gi,
+            // Python — SQLAlchemy declarative models
+            /class\s+(?:User|Child|Student|Profile|Account|Member)\w*\s*\(\s*(?:Base|db\.Model)\s*\)/gi,
+            // Go — GORM model structs with user-related names
+            /type\s+(?:User|Child|Student|Profile|Account|Member)\w*\s+struct\s*\{/gi,
+            // Java/Kotlin — JPA @Entity on user-related classes
+            /@Entity[\s\S]*?class\s+(?:User|Child|Student|Profile|Account|Member)/gi,
+            // Kotlin — data class for user models
+            /data\s+class\s+(?:User|Child|Student|Profile|Account|Member)\w*\s*\(/gi
         ],
         fixSuggestion: 'Add deleted_at column, expiration_date field, or TTL index to database schema',
         penalty: 'Regulatory audit failure',
-        languages: ['typescript', 'javascript', 'python', 'sql', 'swift']
+        languages: ['typescript', 'javascript', 'python', 'go', 'java', 'kotlin', 'sql']
     },
     // ========== Rules 6-20 (Sprint 2) ==========
     // Rule 6: Unencrypted PII Transmission
@@ -520,13 +574,24 @@ exports.COPPA_RULES = [
         severity: 'low',
         description: 'Cookies or localStorage storing tracking data or PII requires a consent banner',
         patterns: [
+            // JS/TS — browser APIs
             /document\.cookie\s*=\s*[^;]*(?:user|email|name|token|session|track|id|uid|analytics)/gi,
             /localStorage\.setItem\s*\(\s*['"][^'"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'"]*['"]/gi,
-            /sessionStorage\.setItem\s*\(\s*['"][^'"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'"]*['"]/gi
+            /sessionStorage\.setItem\s*\(\s*['"][^'"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'"]*['"]/gi,
+            // Python — Flask/Django response.set_cookie()
+            /\.set_cookie\s*\(\s*['"][^'"]*(?:user|email|token|session|track|auth|login|uid|analytics)[^'"]*['"]/gi,
+            // Go — net/http SetCookie
+            /http\.SetCookie\s*\(\s*\w+\s*,\s*&http\.Cookie\s*\{/gi,
+            // Java/Kotlin — HttpServletResponse.addCookie
+            /\.addCookie\s*\(\s*new\s+Cookie\s*\(/gi,
+            // Java/Kotlin — Spring ResponseCookie
+            /ResponseCookie\.from\s*\(/gi,
+            // Generic — any language setting cookies with PII field names
+            /(?:set_cookie|SetCookie|addCookie|add_cookie)\s*\([^)]*(?:user|email|token|session|track|auth|uid|analytics)/gi
         ],
         fixSuggestion: 'Add a cookie consent banner component before setting tracking or PII cookies',
         penalty: 'Compliance warning',
-        languages: ['typescript', 'javascript']
+        languages: ['typescript', 'javascript', 'python', 'go', 'java', 'kotlin']
     },
     // Rule 17: External Links to Non-Child-Safe Sites
     // Fixed Sprint 4: Exclude privacy/TOS links, mailto, and common safe targets
@@ -550,15 +615,30 @@ exports.COPPA_RULES = [
         severity: 'high',
         description: 'Passing email, name, or phone to analytics.identify() exposes PII to third parties',
         patterns: [
+            // JS/TS — client-side analytics SDKs
             /analytics\.identify\s*\([^)]*email/gi,
             /mixpanel\.identify.*email/gi,
             /segment\.identify.*email/gi,
             /amplitude\.identify.*email/gi,
-            /identify\s*\(\s*\{[^}]*(?:email|name|phone)[^}]*\}/gi
+            /identify\s*\(\s*\{[^}]*(?:email|name|phone)[^}]*\}/gi,
+            // Python — Segment analytics-python
+            /analytics\.identify\s*\(\s*\w+\s*,\s*\{[^}]*(?:email|name|phone)/gi,
+            // Python — Mixpanel people_set with PII
+            /mp\.people_set\s*\([^)]*(?:email|\$email|name|phone)/gi,
+            // Go — Segment analytics-go Identify with PII
+            /analytics\.Enqueue\s*\(\s*analytics\.Identify\s*\{[^}]*(?:Email|Name|Phone)/gi,
+            // Java/Kotlin — Amplitude setUserId with PII
+            /Amplitude\.getInstance\s*\(\s*\)\s*\.setUserId\s*\([^)]*email/gi,
+            // Java/Kotlin — Mixpanel identify with email
+            /MixpanelAPI\.\w*identify\s*\([^)]*email/gi,
+            // Java/Kotlin — Firebase Analytics with PII
+            /FirebaseAnalytics\.setUserId\s*\([^)]*(?:email|name)/gi,
+            // Generic — setUserId with email across languages
+            /(?:setUserId|set_user_id)\s*\([^)]*(?:email|\.name|phone)/gi
         ],
         fixSuggestion: 'Hash user ID and omit email/name from analytics payload',
         penalty: '$51,744 per violation',
-        languages: ['typescript', 'javascript']
+        languages: ['typescript', 'javascript', 'python', 'go', 'java', 'kotlin']
     },
     // Rule 19: School Official Consent Bypass
     // Fixed Sprint 4: Tightened patterns to match actual auth/registration flows only
@@ -687,6 +767,222 @@ exports.ETHICAL_RULES = [
         languages: ['typescript', 'javascript', 'tsx', 'jsx', 'html']
     }
 ];
+// AI-Generated Code Audit Rules
+// Catches patterns commonly introduced by AI coding assistants (Copilot, Claude, Cursor, etc.)
+// that create COPPA compliance risks. AI models often reproduce training data patterns
+// including analytics boilerplate, insecure defaults, and placeholder credentials.
+exports.AI_AUDIT_RULES = [
+    // AI-AUDIT-001: Placeholder Analytics
+    {
+        id: 'AI-AUDIT-001',
+        name: 'Placeholder Analytics Script',
+        severity: 'high',
+        description: 'AI-generated code frequently includes placeholder analytics (UA-XXXXX, G-XXXXXX, fbq) copied from training data. These may activate real tracking without child_directed_treatment flags.',
+        patterns: [
+            /gtag\s*\(\s*['"]config['"]\s*,\s*['"](?:UA-|G-)X{3,}['"]/gi,
+            /fbq\s*\(\s*['"]init['"]\s*,\s*['"](?:0{5,}|1{5,}|X{5,}|YOUR_|PIXEL_ID|123456789)['"]/gi,
+            /ga\s*\(\s*['"]create['"]\s*,\s*['"]UA-(?:0{5,}|X{5,}|YOUR_)['"]/gi,
+            /['"](?:UA|G)-(?:XXXXXXX|0000000|YOUR_ID|REPLACE_ME)['"]/gi,
+            /analytics_id\s*[:=]\s*['"](?:placeholder|test|example|TODO|FIXME)['"]/gi
+        ],
+        fixSuggestion: 'Remove placeholder analytics IDs. If analytics are needed, use a COPPA-compliant provider with child_directed_treatment: true.',
+        penalty: 'AI-generated compliance risk',
+        languages: ['typescript', 'javascript', 'html']
+    },
+    // AI-AUDIT-002: Hardcoded Secrets
+    {
+        id: 'AI-AUDIT-002',
+        name: 'AI-Generated Hardcoded Secrets',
+        severity: 'critical',
+        description: 'AI coding assistants frequently generate placeholder API keys, tokens, and secrets inline. These may be committed to version control and exposed.',
+        patterns: [
+            /(?:api_?key|apiKey|API_KEY)\s*[:=]\s*['"](?:sk-|pk-|ak-|key-)[a-zA-Z0-9]{10,}['"]/gi,
+            /(?:secret|SECRET|token|TOKEN)\s*[:=]\s*['"](?!process\.env)[a-zA-Z0-9_-]{20,}['"]/gi,
+            /SUPABASE_(?:ANON_KEY|SERVICE_ROLE_KEY)\s*[:=]\s*['"]ey[a-zA-Z0-9_.+-]{30,}['"]/gi,
+            /FIREBASE_(?:API_KEY|CONFIG)\s*[:=]\s*['"]AI[a-zA-Z0-9_-]{30,}['"]/gi,
+            /(?:password|passwd|pwd)\s*[:=]\s*['"](?!process\.env)[^'"]{8,}['"]\s*(?:,|;|\})/gi
+        ],
+        fixSuggestion: 'Move all secrets to environment variables. Use process.env.API_KEY or a secrets manager. Never hardcode credentials.',
+        penalty: 'Security exposure — credentials in source code',
+        languages: ['typescript', 'javascript', 'python', 'java']
+    },
+    // AI-AUDIT-003: Hallucinated URLs
+    {
+        id: 'AI-AUDIT-003',
+        name: 'Hallucinated/Placeholder API URLs',
+        severity: 'medium',
+        description: 'AI models often generate fake API endpoints (api.example.com, jsonplaceholder, reqres.in) that may be replaced with real endpoints without proper review.',
+        patterns: [
+            /fetch\s*\(\s*['"]https?:\/\/(?:api\.example\.com|jsonplaceholder\.typicode\.com|reqres\.in|httpbin\.org|mockapi\.io|dummyjson\.com)[^'"]*['"]/gi,
+            /axios\.\w+\s*\(\s*['"]https?:\/\/(?:api\.example\.com|jsonplaceholder\.typicode\.com|reqres\.in|httpbin\.org|dummyjson\.com)[^'"]*['"]/gi,
+            /(?:BASE_URL|API_URL|ENDPOINT)\s*[:=]\s*['"]https?:\/\/(?:api\.example\.com|your-api|my-api|TODO|REPLACE)[^'"]*['"]/gi
+        ],
+        fixSuggestion: 'Replace placeholder URLs with actual endpoints from environment variables. Review all API calls for COPPA data handling compliance.',
+        penalty: 'AI-generated placeholder risk',
+        languages: ['typescript', 'javascript', 'python']
+    },
+    // AI-AUDIT-004: Copy-Paste Tracking Boilerplate
+    {
+        id: 'AI-AUDIT-004',
+        name: 'Copy-Paste Tracking Boilerplate',
+        severity: 'high',
+        description: 'AI assistants reproduce common analytics setup patterns from training data. These often include user identification, event tracking, and session recording without consent flows.',
+        patterns: [
+            /hotjar\.init\s*\(/gi,
+            /Sentry\.init\s*\(\s*\{[^}]*dsn/gi,
+            /LogRocket\.init\s*\(/gi,
+            /FullStory\.init\s*\(/gi,
+            /heap\.load\s*\(/gi,
+            /posthog\.init\s*\(/gi,
+            /amplitude\.init\s*\(/gi,
+            /mixpanel\.init\s*\(/gi,
+            /window\.clarity\s*\(/gi
+        ],
+        fixSuggestion: 'Remove session recording and analytics initialization unless COPPA consent is obtained. These tools capture keystrokes, mouse movements, and user behavior — all PII for children.',
+        penalty: 'Third-party data collection without consent',
+        languages: ['typescript', 'javascript', 'html']
+    },
+    // AI-AUDIT-005: Insecure Defaults
+    {
+        id: 'AI-AUDIT-005',
+        name: 'AI-Generated Insecure Defaults',
+        severity: 'medium',
+        description: 'AI models commonly generate code with insecure default configurations: CORS *, disabled SSL verification, permissive CSP, or open CORS origins.',
+        patterns: [
+            /cors\s*\(\s*\{\s*origin\s*:\s*(?:['"]?\*['"]?|true)/gi,
+            /Access-Control-Allow-Origin['"]\s*,\s*['"]\*/gi,
+            /rejectUnauthorized\s*:\s*false/gi,
+            /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0['"]?/gi,
+            /content-security-policy['"]\s*,\s*['"]default-src\s+\*/gi,
+            /sameSite\s*:\s*['"]none['"]\s*,?\s*secure\s*:\s*false/gi
+        ],
+        fixSuggestion: 'Replace wildcard CORS with specific allowed origins. Enable SSL verification. Use restrictive CSP. Set secure cookies.',
+        penalty: 'Security misconfiguration',
+        languages: ['typescript', 'javascript', 'python']
+    },
+    // AI-AUDIT-006: TODO/FIXME Compliance Gaps
+    {
+        id: 'AI-AUDIT-006',
+        name: 'Unresolved Compliance TODOs',
+        severity: 'low',
+        description: 'AI-generated code often includes TODO/FIXME comments for compliance-related features (consent, age verification, privacy policy) that may ship unimplemented.',
+        patterns: [
+            /\/\/\s*(?:TODO|FIXME|HACK|XXX).*(?:consent|age\s*verif|privacy\s*policy|parental|coppa|gdpr|data\s*retention)/gi,
+            /\/\/\s*(?:TODO|FIXME).*(?:implement|add|need|require).*(?:auth|login|permission|access\s*control)/gi,
+            /#\s*(?:TODO|FIXME).*(?:consent|age\s*verif|privacy|parental|coppa)/gi
+        ],
+        fixSuggestion: 'Resolve all compliance-related TODOs before shipping. Each unresolved TODO is a potential COPPA violation in production.',
+        penalty: 'Unimplemented compliance requirement',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin']
+    }
+];
+// Australia Safety by Design (SbD) Rules
+// Based on the eSafety Commissioner's Safety by Design framework (Online Safety Act 2021).
+// Detects code patterns that violate SbD principles: service provider responsibility,
+// user empowerment, and transparency/accountability — especially for platforms serving minors.
+exports.AU_SBD_RULES = [
+    // AU-SBD-001: Default Public Profiles
+    {
+        id: 'AU-SBD-001',
+        name: 'Default Public Profile Visibility',
+        severity: 'high',
+        description: 'User profiles default to public or visible. AU Safety by Design requires privacy-by-default for minors — profiles should be private until explicitly changed by the user or a verified parent.',
+        patterns: [
+            /(?:visibility|profile_?visibility|is_?public|isPublic)\s*[:=]\s*(?:['"]public['"]|true)/gi,
+            /default(?:_?visibility|_?privacy|_?profile)\s*[:=]\s*['"](?:public|open|visible|everyone)['"]/gi,
+            /(?:privacy|profilePrivacy)\s*[:=]\s*\{[^}]*default\s*:\s*['"](?:public|open|everyone)['"]/gi,
+            /(?:showProfile|profileVisible|publicByDefault|show_profile)\s*[:=]\s*true/gi,
+            /(?:searchable|discoverable|findable)\s*[:=]\s*true\b/gi,
+        ],
+        fixSuggestion: 'Set profile visibility to "private" by default. Require explicit user action (or parental consent for children) to make profiles public. AU SbD Principle 1: safety as a fundamental design consideration.',
+        penalty: 'Default public exposure of minor profiles',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin', 'php', 'csharp']
+    },
+    // AU-SBD-002: Missing Report/Block Mechanism
+    {
+        id: 'AU-SBD-002',
+        name: 'Social Features Without Report/Block',
+        severity: 'medium',
+        description: 'Social interaction features (comments, posts, messaging) detected without corresponding report or block mechanisms. AU SbD Principle 2 requires users to have tools to protect themselves from harmful interactions.',
+        patterns: [
+            /(?:addComment|postComment|submitComment|createComment|commentCreate)\s*(?:=|:|\()/gi,
+            /(?:sendMessage|createMessage|postMessage|submitMessage|messageCreate)\s*(?:=|:|\()/gi,
+            /(?:createPost|submitPost|publishPost|addPost|postCreate)\s*(?:=|:|\()/gi,
+            /(?:addReview|submitReview|createReview|postReview|reviewCreate)\s*(?:=|:|\()/gi,
+            /(?:shareContent|createShare|submitShare)\s*(?:=|:|\()/gi,
+        ],
+        fixSuggestion: 'Implement report and block mechanisms alongside every social feature. Users must be able to report harmful content and block abusive accounts. AU SbD Principle 2: user empowerment and autonomy.',
+        penalty: 'Social features without safety controls',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin', 'php']
+    },
+    // AU-SBD-003: Unrestricted Direct Messaging
+    {
+        id: 'AU-SBD-003',
+        name: 'Unrestricted Direct Messaging for Minors',
+        severity: 'critical',
+        description: 'Direct messaging or chat functionality without safety controls (contact restrictions, message filtering, or parental oversight). The AU Online Safety Act requires platforms to take reasonable steps to prevent child exploitation in private communications.',
+        patterns: [
+            /(?:directMessage|sendDM|privateMess|createDM|dmChannel|startChat|privateChat|initiateChat)\s*(?:=|:|\()/gi,
+            /(?:WebSocket|io\.connect|socket\.emit)\s*\([^)]*(?:chat|message|dm|private)/gi,
+            /(?:allowDMs?|enableDMs?|allow_?direct_?message|enable_?private_?message)\s*[:=]\s*true/gi,
+            /(?:contactStranger|messageAnyone|openChat|unrestricted_?message)\s*[:=]\s*true/gi,
+        ],
+        fixSuggestion: 'Add safety controls to messaging: restrict contacts to approved friends, implement message filtering, enable parental oversight, and log communications for safety review. AU Online Safety Act 2021 s.45-46.',
+        penalty: 'Unrestricted private communication channel',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin']
+    },
+    // AU-SBD-004: Algorithmic Feeds Without Safety Guardrails
+    {
+        id: 'AU-SBD-004',
+        name: 'Recommendation Algorithm Without Safety Guardrails',
+        severity: 'high',
+        description: 'Content recommendation or feed algorithms detected without safety filtering, content classification, or age-appropriate guardrails. AU SbD requires platforms to assess and mitigate algorithmic harms, particularly for young users.',
+        patterns: [
+            /(?:recommendContent|getRecommendations|suggestContent|personalizedFeed|forYouFeed|contentFeed)\s*(?:=|:|\()/gi,
+            /(?:algorithm|algo)(?:_?feed|_?rank|_?recommend|_?suggest)\s*(?:=|:|\()/gi,
+            /(?:trending|viral|popular)(?:_?content|_?posts|_?feed|_?items)\s*(?:=|:|\()/gi,
+            /(?:engagement_?score|clickBait|engagement_?rank|watch_?next|autoplay_?next)\s*[:=]/gi,
+            /(?:rabbit_?hole|endless_?feed|infinite_?recommend|auto_?suggest)\s*[:=]\s*true/gi,
+        ],
+        fixSuggestion: 'Add age-appropriate content filters to recommendation algorithms. Classify content before serving, implement safety guardrails, and provide transparency on how content is selected. AU SbD Principle 3: transparency and accountability.',
+        penalty: 'Unfiltered algorithmic content delivery',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin']
+    },
+    // AU-SBD-005: Missing Digital Wellbeing / Screen Time Controls
+    {
+        id: 'AU-SBD-005',
+        name: 'Engagement Features Without Time Awareness',
+        severity: 'medium',
+        description: 'High-engagement features (autoplay, continuous scrolling, notifications) detected without corresponding digital wellbeing controls (screen time limits, break reminders, usage dashboards). AU SbD encourages platforms to build in digital wellbeing tools.',
+        patterns: [
+            /(?:autoplay|auto_?play)\s*[:=]\s*true/gi,
+            /(?:autoPlay|autoPlayNext|playNext|nextEpisode)\s*[:=]\s*true/gi,
+            /(?:continuous_?play|binge_?mode|marathon_?mode|watch_?party)\s*[:=]\s*true/gi,
+            /(?:push_?notification|sendNotification|scheduleNotif|notif_?trigger).*(?:re_?engage|comeback|miss_?you|inactive)/gi,
+            /(?:daily_?reward|login_?bonus|daily_?streak|come_?back_?reward)\s*(?:=|:|\()/gi,
+        ],
+        fixSuggestion: 'Implement digital wellbeing features: screen time dashboards, break reminders after sustained use, and configurable usage limits (especially for accounts under 18). AU SbD: promote healthy technology use.',
+        penalty: 'Engagement-maximizing features without wellbeing controls',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin']
+    },
+    // AU-SBD-006: Location Sharing Without Explicit Opt-In
+    {
+        id: 'AU-SBD-006',
+        name: 'Location Data Without Explicit Consent',
+        severity: 'critical',
+        description: 'Location data collection or sharing enabled without explicit, informed opt-in. AU SbD and the Privacy Act 1988 require data minimization, especially for children\'s geolocation data — location should never be collected by default.',
+        patterns: [
+            /(?:shareLocation|share_?location|locationSharing|broadcastLocation)\s*[:=]\s*true/gi,
+            /(?:location_?visible|show_?location|display_?location|location_?public)\s*[:=]\s*true/gi,
+            /(?:trackLocation|location_?tracking|geo_?tracking|locationTracker)\s*[:=]\s*true/gi,
+            /navigator\.geolocation\.(?:watchPosition|getCurrentPosition)\s*\(/gi,
+            /(?:CLLocationManager|LocationManager|FusedLocationProvider).*(?:startUpdating|requestLocation|requestLocationUpdates)/gi,
+        ],
+        fixSuggestion: 'Require explicit opt-in for any location data collection. Never enable location sharing by default. For minors, require parental consent before any geolocation access. AU Privacy Act 1988 APP 3.2.',
+        penalty: 'Default location data exposure',
+        languages: ['typescript', 'javascript', 'python', 'java', 'swift', 'kotlin']
+    }
+];
 /**
  * Parse a .haloignore file content
  *
@@ -792,6 +1088,14 @@ class HaloEngine {
         if (config.ethical) {
             this.rules = [...this.rules, ...exports.ETHICAL_RULES];
         }
+        // Add AI-Generated Code Audit Rules if enabled (P2.5)
+        if (config.aiAudit) {
+            this.rules = [...this.rules, ...exports.AI_AUDIT_RULES];
+        }
+        // Add Australia Safety by Design sector rules if enabled (P3-3)
+        if (config.sectorAuSbd) {
+            this.rules = [...this.rules, ...exports.AU_SBD_RULES];
+        }
         if (config.severityFilter) {
             this.rules = this.rules.filter(r => config.severityFilter.includes(r.severity));
         }
@@ -916,7 +1220,8 @@ class HaloEngine {
                     const trimmedLine = lineContent.trim();
                     if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || trimmedLine.startsWith('*') || trimmedLine.startsWith('<!--') || trimmedLine.startsWith('#')) {
                         // Exception: don't skip halo-ignore comments (those are suppression directives)
-                        if (!trimmedLine.includes('halo-ignore')) {
+                        // Exception: AI-AUDIT-006 intentionally scans comments for compliance TODOs
+                        if (!trimmedLine.includes('halo-ignore') && rule.id !== 'AI-AUDIT-006') {
                             continue;
                         }
                     }
@@ -1036,5 +1341,12 @@ Object.defineProperty(exports, "transformSetDefault", { enumerable: true, get: f
 // Re-export compliance score engine (Sprint 5 Track 3)
 var scoring_1 = require("./scoring");
 Object.defineProperty(exports, "ComplianceScoreEngine", { enumerable: true, get: function () { return scoring_1.ComplianceScoreEngine; } });
+// Re-export scaffold engine (Sprint 5 P2)
+var scaffold_engine_1 = require("./scaffold-engine");
+Object.defineProperty(exports, "ScaffoldEngine", { enumerable: true, get: function () { return scaffold_engine_1.ScaffoldEngine; } });
+var framework_detect_1 = require("./framework-detect");
+Object.defineProperty(exports, "detectFramework", { enumerable: true, get: function () { return framework_detect_1.detectFramework; } });
+var index_1 = require("./scaffolds/index");
+Object.defineProperty(exports, "SCAFFOLD_REGISTRY", { enumerable: true, get: function () { return index_1.SCAFFOLD_REGISTRY; } });
 exports.default = HaloEngine;
 //# sourceMappingURL=index.js.map