npm - @runhalo/engine - Versions diffs - 0.3.1 → 0.4.0 - Mend

@runhalo/engine 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/rules/rules.json ADDED Viewed

@@ -0,0 +1,1005 @@
+{
+  "version": "1.0.0",
+  "generated_at": "2026-03-02T00:00:00Z",
+  "packs": {
+    "coppa": {
+      "id": "coppa",
+      "name": "COPPA 2.0 Core",
+      "description": "20 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026.",
+      "jurisdiction": "US-Federal",
+      "jurisdiction_level": "federal",
+      "is_free": true,
+      "effective_date": "2026-04-22",
+      "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312"
+    },
+    "ethical": {
+      "id": "ethical",
+      "name": "Ethical Design",
+      "description": "5 rules detecting dark patterns that exploit children's psychology.",
+      "jurisdiction": "international",
+      "jurisdiction_level": "advisory",
+      "is_free": true,
+      "effective_date": null,
+      "source_url": "https://runhalo.dev/ethical-design"
+    },
+    "ai-audit": {
+      "id": "ai-audit",
+      "name": "AI-Generated Code Audit",
+      "description": "6 rules catching COPPA risks commonly introduced by AI coding assistants.",
+      "jurisdiction": "international",
+      "jurisdiction_level": "advisory",
+      "is_free": true,
+      "effective_date": null,
+      "source_url": "https://runhalo.dev/ai-audit"
+    },
+    "au-sbd": {
+      "id": "au-sbd",
+      "name": "AU Safety by Design",
+      "description": "6 rules based on Australia's eSafety Commissioner Safety by Design framework.",
+      "jurisdiction": "AU-Federal",
+      "jurisdiction_level": "federal",
+      "is_free": false,
+      "effective_date": "2021-01-23",
+      "source_url": "https://www.esafety.gov.au/industry/safety-by-design"
+    },
+    "ut-sb142": {
+      "id": "ut-sb142",
+      "name": "Utah SB 142 (App Store Accountability)",
+      "description": "5 rules for Utah SB 142 compliance — age assurance, parental consent, minor account defaults, DM restrictions, and supervisory tools.",
+      "jurisdiction": "US-UT",
+      "jurisdiction_level": "state",
+      "is_free": true,
+      "effective_date": "2026-05-06",
+      "source_url": "https://le.utah.gov/~2025/bills/static/SB0142.html"
+    }
+  },
+  "rules": [
+    {
+      "id": "coppa-auth-001",
+      "name": "Unverified Social Login Providers",
+      "severity": "critical",
+      "category": "auth",
+      "description": "Social login (Google, Facebook, Twitter) without age gating is prohibited for child-directed apps",
+      "patterns": [
+        { "pattern": "signInWithPopup\\s*\\(\\s*\\w+\\s*,\\s*['\"](google|facebook|twitter|github)['\"]", "flags": "gi" },
+        { "pattern": "signInWithPopup\\s*\\(\\s*['\"](google|facebook|twitter|github)['\"]", "flags": "gi" },
+        { "pattern": "signInWithPopup\\s*\\(\\s*\\w+\\s*,\\s*\\w+\\s*\\)", "flags": "gi" },
+        { "pattern": "firebase\\.auth\\(\\)\\s*\\.\\s*signInWithPopup", "flags": "gi" },
+        { "pattern": "passport\\.authenticate\\s*\\(\\s*['\"](google|facebook|twitter)['\"]", "flags": "gi" },
+        { "pattern": "SOCIALACCOUNT_PROVIDERS\\s*=\\s*\\{[^}]*(?:google|facebook|twitter|github)", "flags": "gi" },
+        { "pattern": "SOCIAL_AUTH_(?:GOOGLE|FACEBOOK|TWITTER|GITHUB)_(?:KEY|SECRET)", "flags": "gi" },
+        { "pattern": "make_(?:google|facebook|twitter|github)_blueprint\\s*\\(", "flags": "gi" },
+        { "pattern": "oauth\\.register\\s*\\(\\s*['\"](?:google|facebook|twitter|github)['\"]", "flags": "gi" },
+        { "pattern": "goth\\.UseProviders\\s*\\(", "flags": "gi" },
+        { "pattern": "\\.oauth2Login\\s*\\(\\s*\\)", "flags": "gi" },
+        { "pattern": "ClientRegistration\\.withRegistrationId\\s*\\(\\s*['\"](?:google|facebook|twitter|github)['\"]", "flags": "gi" },
+        { "pattern": "Firebase\\.auth\\.signInWithCredential", "flags": "gi" },
+        { "pattern": "GoogleSignIn\\.getClient\\s*\\(", "flags": "gi" },
+        { "pattern": "LoginManager\\.getInstance\\s*\\(\\s*\\)\\s*\\.logIn", "flags": "gi" }
+      ],
+      "fix_suggestion": "Wrap the auth call in a conditional check for user.age >= 13 or use signInWithParentEmail() for children",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-data-002",
+      "name": "PII Collection in URL Parameters",
+      "severity": "high",
+      "category": "data",
+      "description": "Email, name, DOB, or phone in GET request URLs exposes PII in logs",
+      "patterns": [
+        { "pattern": "(\\?|&)(email|first_?name|last_?name|dob|phone|birthdate)=", "flags": "gi" },
+        { "pattern": "axios\\.get\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*\\$\\{", "flags": "gi" },
+        { "pattern": "fetch\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*\\$\\{", "flags": "gi" },
+        { "pattern": "\\?[^'\"`\\s]*\\$\\{[^}]*(?:\\.email|\\.firstName|\\.lastName|\\.dob|\\.phone)[^}]*\\}", "flags": "gi" }
+      ],
+      "fix_suggestion": "Switch to POST method and move PII to request body",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python", "java", "swift"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "pii-sanitizer",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-tracking-003",
+      "name": "Third-Party Ad Trackers",
+      "severity": "critical",
+      "category": "tracking",
+      "description": "Facebook Pixel, Google Analytics, or other ad trackers without child_directed_treatment flag",
+      "patterns": [
+        { "pattern": "fbq\\s*\\(\\s*['\"]init['\"]", "flags": "gi" },
+        { "pattern": "ga\\s*\\(\\s*['\"]create['\"]", "flags": "gi" },
+        { "pattern": "adsbygoogle", "flags": "gi" },
+        { "pattern": "gtag\\s*\\(\\s*['\"]config['\"]", "flags": "gi" },
+        { "pattern": "google-analytics\\.com/analytics\\.js", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add \"child_directed_treatment\": true or \"restrictDataProcessing\": true to SDK initialization",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "html"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "remove-tracker",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-geo-004",
+      "name": "Precise Geolocation Collection",
+      "severity": "high",
+      "category": "geo",
+      "description": "High-accuracy geolocation without parental consent is prohibited",
+      "patterns": [
+        { "pattern": "navigator\\.geolocation\\.getCurrentPosition", "flags": "gi" },
+        { "pattern": "navigator\\.geolocation\\.watchPosition", "flags": "gi" },
+        { "pattern": "CLLocationManager\\.startUpdatingLocation\\(\\)", "flags": "gi" },
+        { "pattern": "locationServices\\.requestLocation", "flags": "gi" },
+        { "pattern": "LocationManager\\s*\\.\\s*requestLocationUpdates\\s*\\(", "flags": "gi" },
+        { "pattern": "FusedLocationProviderClient|fusedLocationClient\\s*\\.\\s*(?:requestLocationUpdates|getLastLocation|getCurrentLocation)", "flags": "gi" },
+        { "pattern": "LocationRequest\\.create\\s*\\(\\s*\\)\\s*\\.\\s*setPriority\\s*\\(\\s*LocationRequest\\.PRIORITY_HIGH_ACCURACY", "flags": "gi" },
+        { "pattern": "LocationRequest\\.Builder\\s*\\(\\s*Priority\\.PRIORITY_HIGH_ACCURACY", "flags": "gi" },
+        { "pattern": "geocoder\\.(?:ip|google|osm|mapquest)\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:Nominatim|GoogleV3|Bing)\\s*\\([^)]*\\)\\s*\\.(?:geocode|reverse)", "flags": "gi" },
+        { "pattern": "android\\.permission\\.ACCESS_FINE_LOCATION", "flags": "gi" }
+      ],
+      "fix_suggestion": "Downgrade accuracy to kCLLocationAccuracyThreeKilometers or require parental consent",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "java", "python", "xml"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "remove-geo",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-retention-005",
+      "name": "Missing Data Retention Policy",
+      "severity": "medium",
+      "category": "retention",
+      "description": "User schemas must have deleted_at, expiration_date, or TTL index for data retention",
+      "patterns": [
+        { "pattern": "new\\s+Schema\\s*\\(\\s*\\{[^{}]*\\}", "flags": "gi" },
+        { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*models\\.Model\\s*\\)", "flags": "gi" },
+        { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*(?:Base|db\\.Model)\\s*\\)", "flags": "gi" },
+        { "pattern": "type\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s+struct\\s*\\{", "flags": "gi" },
+        { "pattern": "@Entity[\\s\\S]*?class\\s+(?:User|Child|Student|Profile|Account|Member)", "flags": "gi" },
+        { "pattern": "data\\s+class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add deleted_at column, expiration_date field, or TTL index to database schema",
+      "penalty": "Regulatory audit failure",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "sql"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "retention-policy",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-sec-006",
+      "name": "Unencrypted PII Transmission",
+      "severity": "critical",
+      "category": "security",
+      "description": "HTTP transmission of PII exposes data in transit. All API endpoints handling personal information must use HTTPS.",
+      "patterns": [
+        { "pattern": "http://[^\\s]*(/api/|/login|/user|/register|/profile)", "flags": "gi" },
+        { "pattern": "http://localhost:[^\\s]*(/api/)", "flags": "gi" },
+        { "pattern": "axios\\.get\\s*\\(\\s*['\"]http://", "flags": "gi" },
+        { "pattern": "fetch\\s*\\(\\s*['\"]http://", "flags": "gi" },
+        { "pattern": "http://[^\\s]*email[^\\s]*", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace http:// with https:// for all API endpoints and resources",
+      "penalty": "Security breach liability + COPPA penalties",
+      "languages": ["typescript", "javascript", "python", "java", "swift"],
+      "packs": ["coppa"],
+      "fixability": "auto",
+      "transform_type": "url-upgrade",
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-audio-007",
+      "name": "Unauthorized Audio Recording",
+      "severity": "high",
+      "category": "audio",
+      "description": "Audio recording without explicit user consent is prohibited. COPPA 2.0 clarifies voice prints as biometric data.",
+      "patterns": [
+        { "pattern": "getUserMedia\\s*\\(\\s*\\{[^}]*audio\\s*:\\s*true[^}]*\\}", "flags": "gi" },
+        { "pattern": "getUserMedia\\s*\\(\\s*\\{\\s*audio\\s*\\}", "flags": "gi" },
+        { "pattern": "getUserMedia\\s*\\(\\s*\\{\\s*audio\\s*,", "flags": "gi" },
+        { "pattern": "AVAudioSession\\s*\\.\\s*sharedInstance", "flags": "gi" },
+        { "pattern": "AVAudioRecorder\\s*\\(", "flags": "gi" },
+        { "pattern": "new\\s+AudioRecord\\s*\\(", "flags": "gi" },
+        { "pattern": "new\\s+MediaRecorder\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Wrap audio recording in click handler and add parental consent check",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-audio",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-ui-008",
+      "name": "Missing Privacy Policy on Registration",
+      "severity": "medium",
+      "category": "ui",
+      "description": "Registration forms collecting PII must include a clear link to the privacy policy",
+      "patterns": [
+        { "pattern": "\\b(?:SignUp|Register|Registration|CreateAccount)Form\\b", "flags": "gi" },
+        { "pattern": "\\b(?:sign[-_]?up|register|registration|create[-_]?account)[-_]form\\b", "flags": "gi" },
+        { "pattern": "<form[^>]*(?:id|class|name)\\s*=\\s*[\"'][^\"']*(?:register|signup|sign[-_]up|create[-_]account)[^\"']*[\"']", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add <a href=\"/privacy\">Privacy Policy</a> link to registration form footer",
+      "penalty": "Compliance failure",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx", "php"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "privacy-link",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-flow-009",
+      "name": "Direct Contact Collection Without Parent Context",
+      "severity": "high",
+      "category": "flow",
+      "description": "Forms collecting child email/phone must also require parent email for consent verification",
+      "patterns": [
+        { "pattern": "(child_email|student_email)\\s*:\\s*String", "flags": "gi" },
+        { "pattern": "(child_email|student_email|kid_email)\\s*=", "flags": "gi" }
+      ],
+      "fix_suggestion": "Make parent_email required when collecting child contact information",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "parent-email",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-sec-010",
+      "name": "Weak Default Student Passwords",
+      "severity": "medium",
+      "category": "security",
+      "description": "Default passwords like \"password\", \"123456\", or \"changeme\" create security vulnerabilities",
+      "patterns": [
+        { "pattern": "(password|default_pass|temp_password)\\s*=\\s*['\"](123456|password|changeme|student|welcome)['\"]", "flags": "gi" },
+        { "pattern": "defaultPassword:\\s*['\"](123456|password|changeme)['\"]", "flags": "gi" },
+        { "pattern": "initialPassword:\\s*['\"](123456|password)['\"]", "flags": "gi" },
+        { "pattern": "pass\\s*=\\s*['\"](student123|child123|default)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Use a secure random string generator for temporary credentials",
+      "penalty": "Security audit failure",
+      "languages": ["typescript", "javascript", "python", "java", "swift"],
+      "packs": ["coppa"],
+      "fixability": "auto",
+      "transform_type": "remove-default",
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-ext-011",
+      "name": "Unmoderated Third-Party Chat",
+      "severity": "high",
+      "category": "external",
+      "description": "Third-party chat widgets (Intercom, Zendesk, Drift) allow children to disclose PII freely",
+      "patterns": [
+        { "pattern": "intercom\\.init", "flags": "gi" },
+        { "pattern": "zendesk\\.init", "flags": "gi" },
+        { "pattern": "drift\\.init", "flags": "gi" },
+        { "pattern": "<script[^>]+src=['\"][^'\"]*intercom", "flags": "gi" },
+        { "pattern": "<script[^>]+src=['\"][^'\"]*(zendesk|zdassets)", "flags": "gi" },
+        { "pattern": "Freshdesk|FreshChat", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable chat widget for unauthenticated or under-13 users via conditional rendering",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "html"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "chat-moderation",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-bio-012",
+      "name": "Biometric Data Collection",
+      "severity": "critical",
+      "category": "biometric",
+      "description": "Face recognition, voice prints, or gait analysis requires explicit parental consent. COPPA 2.0 explicitly classifies biometrics as PI.",
+      "patterns": [
+        { "pattern": "(?:import\\s+.*from\\s+['\"]face-api\\.js['\"]|require\\s*\\(\\s*['\"]face-api\\.js['\"]\\s*\\))", "flags": "gi" },
+        { "pattern": "LocalAuthentication.*evaluatePolicy", "flags": "gi" },
+        { "pattern": "FaceID|TouchID", "flags": "gi" },
+        { "pattern": "biometricAuth|BiometricAuth", "flags": "g" },
+        { "pattern": "voicePrint|VoicePrint", "flags": "g" },
+        { "pattern": "livenessCheck|LivenessCheck", "flags": "g" },
+        { "pattern": "FaceMatcher|FaceDetector|FaceRecognizer", "flags": "g" }
+      ],
+      "fix_suggestion": "Ensure biometric data remains local-only (on-device) or obtain verifiable parental consent",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-biometric",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-notif-013",
+      "name": "Direct Push Notifications Without Consent",
+      "severity": "medium",
+      "category": "notification",
+      "description": "Push notifications are \"Online Contact Info\" under COPPA 2.0. Direct notifications to children require parental consent.",
+      "patterns": [
+        { "pattern": "FirebaseMessaging\\.subscribeToTopic", "flags": "gi" },
+        { "pattern": "OneSignal\\.promptForPushNotifications", "flags": "gi" },
+        { "pattern": "sendPushNotification\\s*\\(", "flags": "gi" },
+        { "pattern": "fcm\\.send\\s*\\(", "flags": "gi" },
+        { "pattern": "PushManager\\.subscribe\\s*\\(", "flags": "gi" },
+        { "pattern": "Notification\\.requestPermission", "flags": "gi" },
+        { "pattern": "new\\s+Notification\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Gate push notification subscription behind parental dashboard setting",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-notif",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-ugc-014",
+      "name": "UGC Upload Without PII Filter",
+      "severity": "high",
+      "category": "ugc",
+      "description": "Text areas for \"bio\", \"about me\", or comments must pass through PII scrubbing before database storage",
+      "patterns": [
+        { "pattern": "<textarea[^>]*placeholder=[\"'](?:bio|about me|describe yourself)[^\"']*[\"']", "flags": "gi" },
+        { "pattern": "user\\.bio\\s*=", "flags": "gi" },
+        { "pattern": "aboutMe\\s*=", "flags": "gi" },
+        { "pattern": "(?:submit|save|post)Comment\\s*\\(", "flags": "gi" },
+        { "pattern": "saveBio\\s*\\(|updateBio\\s*\\(", "flags": "gi" },
+        { "pattern": "commentForm.*submit|handleCommentSubmit", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add middleware hook for PII scrubbing (regex or AWS Comprehend) before database storage",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "pii-filter",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-sec-015",
+      "name": "Reflected XSS Risk",
+      "severity": "medium",
+      "category": "security",
+      "description": "DangerouslySetInnerHTML or innerHTML with user-controlled content creates XSS vulnerabilities",
+      "patterns": [
+        { "pattern": "dangerouslySetInnerHTML\\s*=\\s*\\{\\s*\\{\\s*__html\\s*:\\s*(?!['\"]<)[^}]*\\}\\s*\\}", "flags": "gi" },
+        { "pattern": "\\.innerHTML\\s*=\\s*\\$\\{", "flags": "gi" },
+        { "pattern": "\\.innerHTML\\s*=\\s*(?!['\"]?\\s*['\"]?\\s*;)(?!.*[Ll]ocal(?:ize|ization))(?!.*styleContent)[^;]*\\b(?:user|input|query|param|req\\.|request\\.|body\\.|data\\.)\\w*", "flags": "gi" },
+        { "pattern": "\\.html\\s*\\(\\s*(?:user|req\\.|request\\.|params?\\.)", "flags": "gi" },
+        { "pattern": "v-html\\s*=\\s*[\"']?(?!.*sanitize)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Use standard JSX rendering or DOMPurify before setting HTML content",
+      "penalty": "Security failure",
+      "languages": ["typescript", "javascript", "tsx", "jsx", "vue"],
+      "packs": ["coppa"],
+      "fixability": "auto",
+      "transform_type": "sanitize-input",
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-cookies-016",
+      "name": "Missing Cookie Notice",
+      "severity": "low",
+      "category": "cookies",
+      "description": "Cookies or localStorage storing tracking data or PII requires a consent banner",
+      "patterns": [
+        { "pattern": "document\\.cookie\\s*=\\s*[^;]*(?:user|email|name|token|session|track|id|uid|analytics)", "flags": "gi" },
+        { "pattern": "localStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "sessionStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "\\.set_cookie\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "http\\.SetCookie\\s*\\(\\s*\\w+\\s*,\\s*&http\\.Cookie\\s*\\{", "flags": "gi" },
+        { "pattern": "\\.addCookie\\s*\\(\\s*new\\s+Cookie\\s*\\(", "flags": "gi" },
+        { "pattern": "ResponseCookie\\.from\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:set_cookie|SetCookie|addCookie|add_cookie)\\s*\\([^)]*(?:user|email|token|session|track|auth|uid|analytics)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add a cookie consent banner component before setting tracking or PII cookies",
+      "penalty": "Compliance warning",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-cookies",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-ext-017",
+      "name": "Unwarned External Links",
+      "severity": "medium",
+      "category": "external",
+      "description": "External links in child-facing views should trigger a \"You are leaving...\" modal",
+      "patterns": [
+        { "pattern": "<a[^>]+href=[\"']https?://(?!.*(?:privacy|terms|legal|tos|policy|consent|support|help|docs|documentation))[^\"']+[\"'][^>]*target=[\"']_blank[\"'][^>]*>", "flags": "gi" },
+        { "pattern": "window\\.open\\s*\\(\\s*['\"]https?://(?!.*(?:privacy|terms|legal|tos|policy))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Wrap external links in SafeLink component with warning modal",
+      "penalty": "Warning",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "exit-modal",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-analytics-018",
+      "name": "Mapping PII to Analytics User IDs",
+      "severity": "high",
+      "category": "analytics",
+      "description": "Passing email, name, or phone to analytics.identify() exposes PII to third parties",
+      "patterns": [
+        { "pattern": "analytics\\.identify\\s*\\([^)]*email", "flags": "gi" },
+        { "pattern": "mixpanel\\.identify.*email", "flags": "gi" },
+        { "pattern": "segment\\.identify.*email", "flags": "gi" },
+        { "pattern": "amplitude\\.identify.*email", "flags": "gi" },
+        { "pattern": "identify\\s*\\(\\s*\\{[^}]*(?:email|name|phone)[^}]*\\}", "flags": "gi" },
+        { "pattern": "analytics\\.identify\\s*\\(\\s*\\w+\\s*,\\s*\\{[^}]*(?:email|name|phone)", "flags": "gi" },
+        { "pattern": "mp\\.people_set\\s*\\([^)]*(?:email|\\$email|name|phone)", "flags": "gi" },
+        { "pattern": "analytics\\.Enqueue\\s*\\(\\s*analytics\\.Identify\\s*\\{[^}]*(?:Email|Name|Phone)", "flags": "gi" },
+        { "pattern": "Amplitude\\.getInstance\\s*\\(\\s*\\)\\s*\\.setUserId\\s*\\([^)]*email", "flags": "gi" },
+        { "pattern": "MixpanelAPI\\.\\w*identify\\s*\\([^)]*email", "flags": "gi" },
+        { "pattern": "FirebaseAnalytics\\.setUserId\\s*\\([^)]*(?:email|name)", "flags": "gi" },
+        { "pattern": "(?:setUserId|set_user_id)\\s*\\([^)]*(?:email|\\.name|phone)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Hash user ID and omit email/name from analytics payload",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "anonymize-analytics",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-edu-019",
+      "name": "Missing Teacher/School Verification",
+      "severity": "medium",
+      "category": "education",
+      "description": "Teacher accounts using generic email (@gmail.com) bypass \"School Official\" consent exception",
+      "patterns": [
+        { "pattern": "(?:teacher|educator)(?:Sign[Uu]p|[Rr]egist(?:er|ration))\\s*(?:\\(|=|:)", "flags": "gi" },
+        { "pattern": "createTeacherAccount|registerTeacher|teacherAuth", "flags": "gi" },
+        { "pattern": "role\\s*(?:=|:)\\s*['\"]teacher['\"].*(?:@gmail|@yahoo|@hotmail)", "flags": "gi" },
+        { "pattern": "isTeacher\\s*&&\\s*!.*\\.edu", "flags": "gi" }
+      ],
+      "fix_suggestion": "Restrict teacher sign-ups to verified EDU domains or require manual approval",
+      "penalty": "Loss of School Official consent status",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "school-verify",
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-default-020",
+      "name": "Default Public Profile Visibility",
+      "severity": "critical",
+      "category": "defaults",
+      "description": "Default profile visibility must be private. COPPA 2.0 requires privacy by design.",
+      "patterns": [
+        { "pattern": "isProfileVisible:\\s*true", "flags": "gi" },
+        { "pattern": "visibility:\\s*['\"]public['\"]", "flags": "gi" },
+        { "pattern": "defaultPrivacy:\\s*['\"]public['\"]", "flags": "gi" },
+        { "pattern": "isPublic:\\s*true[^}]*(profile|User)", "flags": "gi" },
+        { "pattern": "profileVisibility\\s*=\\s*['\"]?(?:public|Public)['\"]?", "flags": "gi" }
+      ],
+      "fix_suggestion": "Change default visibility to \"private\" or false",
+      "penalty": "$51,744 per violation",
+      "languages": ["typescript", "javascript", "python", "swift"],
+      "packs": ["coppa"],
+      "fixability": "auto",
+      "transform_type": "set-default",
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "ETHICAL-001",
+      "name": "Infinite Scroll / Endless Feed",
+      "severity": "high",
+      "category": "ethical-design",
+      "description": "Infinite scroll exploits lack of impulse control. Children spend 2-3x longer on infinite feeds.",
+      "patterns": [
+        { "pattern": "IntersectionObserver.*isIntersecting.*loadMore", "flags": "gi" },
+        { "pattern": "window\\.addEventListener.*['\"]scroll['\"].*fetchNext", "flags": "gi" },
+        { "pattern": "import.*InfiniteScroll", "flags": "gi" },
+        { "pattern": "<InfiniteScroll", "flags": "gi" },
+        { "pattern": "ngx-infinite-scroll", "flags": "gi" },
+        { "pattern": "vue-infinite-loading", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace infinite scroll with pagination or \"Load More\" buttons to create natural stopping points",
+      "penalty": "Ethical Design Violation",
+      "languages": ["typescript", "javascript", "tsx", "jsx", "vue"],
+      "packs": ["ethical"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://docs.runhalo.dev/ethical/infinite-scroll"
+    },
+    {
+      "id": "ETHICAL-002",
+      "name": "Streak Pressure Mechanics",
+      "severity": "high",
+      "category": "ethical-design",
+      "description": "Streak mechanics use loss aversion to manufacture daily compulsive usage",
+      "patterns": [
+        { "pattern": "streak.*>.*0.*loss", "flags": "gi" },
+        { "pattern": "lose.*your.*streak", "flags": "gi" },
+        { "pattern": "streak.*ends.*in", "flags": "gi" },
+        { "pattern": "don'?t.*break.*streak", "flags": "gi" },
+        { "pattern": "dailyStreak", "flags": "gi" },
+        { "pattern": "consecutiveDays", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove streak loss penalties. Frame progress as cumulative (e.g., \"15 days practiced\") rather than consecutive.",
+      "penalty": "Ethical Design Violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin"],
+      "packs": ["ethical"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://docs.runhalo.dev/ethical/streak-pressure"
+    },
+    {
+      "id": "ETHICAL-003",
+      "name": "Variable Ratio Rewards (Loot Boxes)",
+      "severity": "critical",
+      "category": "ethical-design",
+      "description": "Randomized rewards (loot boxes, gacha) exploit gambling psychology in developing brains",
+      "patterns": [
+        { "pattern": "Math\\.random\\(\\).*reward", "flags": "gi" },
+        { "pattern": "loot_?box", "flags": "gi" },
+        { "pattern": "gacha", "flags": "gi" },
+        { "pattern": "mystery_?crate", "flags": "gi" },
+        { "pattern": "openCrate", "flags": "gi" },
+        { "pattern": "rarityTable", "flags": "gi" },
+        { "pattern": "dropRates", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace random rewards with transparent, effort-based rewards. Disclosure of odds is a minimum requirement.",
+      "penalty": "Ethical Design Violation",
+      "languages": ["typescript", "javascript", "python", "csharp"],
+      "packs": ["ethical"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://docs.runhalo.dev/ethical/variable-rewards"
+    },
+    {
+      "id": "ETHICAL-004",
+      "name": "Manipulative Notification Language",
+      "severity": "medium",
+      "category": "ethical-design",
+      "description": "Notifications using urgency (\"Hurry!\", \"Missing out\") manipulate children's fear of social exclusion",
+      "patterns": [
+        { "pattern": "hurry|limited\\s*time|missing\\s*out|don'?t\\s*miss|left\\s*behind", "flags": "gi" },
+        { "pattern": "everyone\\s*else\\s*is", "flags": "gi" },
+        { "pattern": "last\\s*chance", "flags": "gi" },
+        { "pattern": "running\\s*out", "flags": "gi" }
+      ],
+      "fix_suggestion": "Use neutral, informational language. Avoid FOMO (Fear Of Missing Out) triggers.",
+      "penalty": "Ethical Design Violation",
+      "languages": ["typescript", "javascript", "json", "xml"],
+      "packs": ["ethical"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://docs.runhalo.dev/ethical/manipulative-notifications"
+    },
+    {
+      "id": "ETHICAL-005",
+      "name": "Artificial Scarcity / Countdowns",
+      "severity": "medium",
+      "category": "ethical-design",
+      "description": "Fake scarcity (\"Only 2 left!\") and countdown timers pressure children into impulsive decisions",
+      "patterns": [
+        { "pattern": "CountdownTimer", "flags": "gi" },
+        { "pattern": "only\\s*\\d+\\s*left", "flags": "gi" },
+        { "pattern": "offer\\s*ends\\s*in", "flags": "gi" },
+        { "pattern": "selling\\s*fast", "flags": "gi" },
+        { "pattern": "almost\\s*sold\\s*out", "flags": "gi" },
+        { "pattern": "limited\\s*availability", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove artificial urgency. If an offer expires, state the date calmly without countdown pressure.",
+      "penalty": "Ethical Design Violation",
+      "languages": ["typescript", "javascript", "tsx", "jsx", "html"],
+      "packs": ["ethical"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://docs.runhalo.dev/ethical/artificial-scarcity"
+    },
+    {
+      "id": "AI-AUDIT-001",
+      "name": "Placeholder Analytics Script",
+      "severity": "high",
+      "category": "ai-audit",
+      "description": "AI-generated code frequently includes placeholder analytics (UA-XXXXX, G-XXXXXX, fbq) copied from training data. These may activate real tracking without child_directed_treatment flags.",
+      "patterns": [
+        { "pattern": "gtag\\s*\\(\\s*['\"]config['\"]\\s*,\\s*['\"](?:UA-|G-)X{3,}['\"]", "flags": "gi" },
+        { "pattern": "fbq\\s*\\(\\s*['\"]init['\"]\\s*,\\s*['\"](?:0{5,}|1{5,}|X{5,}|YOUR_|PIXEL_ID|123456789)['\"]", "flags": "gi" },
+        { "pattern": "ga\\s*\\(\\s*['\"]create['\"]\\s*,\\s*['\"]UA-(?:0{5,}|X{5,}|YOUR_)['\"]", "flags": "gi" },
+        { "pattern": "['\"](?:UA|G)-(?:XXXXXXX|0000000|YOUR_ID|REPLACE_ME)['\"]", "flags": "gi" },
+        { "pattern": "analytics_id\\s*[:=]\\s*['\"](?:placeholder|test|example|TODO|FIXME)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove placeholder analytics IDs. If analytics are needed, use a COPPA-compliant provider with child_directed_treatment: true.",
+      "penalty": "AI-generated compliance risk",
+      "languages": ["typescript", "javascript", "html"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-AUDIT-002",
+      "name": "AI-Generated Hardcoded Secrets",
+      "severity": "critical",
+      "category": "ai-audit",
+      "description": "AI coding assistants frequently generate placeholder API keys, tokens, and secrets inline. These may be committed to version control and exposed.",
+      "patterns": [
+        { "pattern": "(?:api_?key|apiKey|API_KEY)\\s*[:=]\\s*['\"](?:sk-|pk-|ak-|key-)[a-zA-Z0-9]{10,}['\"]", "flags": "gi" },
+        { "pattern": "(?:secret|SECRET|token|TOKEN)\\s*[:=]\\s*['\"](?!process\\.env)[a-zA-Z0-9_-]{20,}['\"]", "flags": "gi" },
+        { "pattern": "SUPABASE_(?:ANON_KEY|SERVICE_ROLE_KEY)\\s*[:=]\\s*['\"]ey[a-zA-Z0-9_.+-]{30,}['\"]", "flags": "gi" },
+        { "pattern": "FIREBASE_(?:API_KEY|CONFIG)\\s*[:=]\\s*['\"]AI[a-zA-Z0-9_-]{30,}['\"]", "flags": "gi" },
+        { "pattern": "(?:password|passwd|pwd)\\s*[:=]\\s*['\"](?!process\\.env)[^'\"]{8,}['\"]\\s*(?:,|;|\\})", "flags": "gi" }
+      ],
+      "fix_suggestion": "Move all secrets to environment variables. Use process.env.API_KEY or a secrets manager. Never hardcode credentials.",
+      "penalty": "Security exposure — credentials in source code",
+      "languages": ["typescript", "javascript", "python", "java"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-AUDIT-003",
+      "name": "Hallucinated/Placeholder API URLs",
+      "severity": "medium",
+      "category": "ai-audit",
+      "description": "AI models often generate fake API endpoints (api.example.com, jsonplaceholder, reqres.in) that may be replaced with real endpoints without proper review.",
+      "patterns": [
+        { "pattern": "fetch\\s*\\(\\s*['\"]https?://(?:api\\.example\\.com|jsonplaceholder\\.typicode\\.com|reqres\\.in|httpbin\\.org|mockapi\\.io|dummyjson\\.com)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "axios\\.\\w+\\s*\\(\\s*['\"]https?://(?:api\\.example\\.com|jsonplaceholder\\.typicode\\.com|reqres\\.in|httpbin\\.org|dummyjson\\.com)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "(?:BASE_URL|API_URL|ENDPOINT)\\s*[:=]\\s*['\"]https?://(?:api\\.example\\.com|your-api|my-api|TODO|REPLACE)[^'\"]*['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace placeholder URLs with actual endpoints from environment variables. Review all API calls for COPPA data handling compliance.",
+      "penalty": "AI-generated placeholder risk",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-AUDIT-004",
+      "name": "Copy-Paste Tracking Boilerplate",
+      "severity": "high",
+      "category": "ai-audit",
+      "description": "AI assistants reproduce common analytics setup patterns from training data. These often include user identification, event tracking, and session recording without consent flows.",
+      "patterns": [
+        { "pattern": "hotjar\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "Sentry\\.init\\s*\\(\\s*\\{[^}]*dsn", "flags": "gi" },
+        { "pattern": "LogRocket\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "FullStory\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "heap\\.load\\s*\\(", "flags": "gi" },
+        { "pattern": "posthog\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "amplitude\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "mixpanel\\.init\\s*\\(", "flags": "gi" },
+        { "pattern": "window\\.clarity\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove session recording and analytics initialization unless COPPA consent is obtained. These tools capture keystrokes, mouse movements, and user behavior — all PII for children.",
+      "penalty": "Third-party data collection without consent",
+      "languages": ["typescript", "javascript", "html"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-AUDIT-005",
+      "name": "AI-Generated Insecure Defaults",
+      "severity": "medium",
+      "category": "ai-audit",
+      "description": "AI models commonly generate code with insecure default configurations: CORS *, disabled SSL verification, permissive CSP, or open CORS origins.",
+      "patterns": [
+        { "pattern": "cors\\s*\\(\\s*\\{\\s*origin\\s*:\\s*(?:['\"]?\\*['\"]?|true)", "flags": "gi" },
+        { "pattern": "Access-Control-Allow-Origin['\"]\\s*,\\s*['\"]\\*", "flags": "gi" },
+        { "pattern": "rejectUnauthorized\\s*:\\s*false", "flags": "gi" },
+        { "pattern": "NODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*['\"]?0['\"]?", "flags": "gi" },
+        { "pattern": "content-security-policy['\"]\\s*,\\s*['\"]default-src\\s+\\*", "flags": "gi" },
+        { "pattern": "sameSite\\s*:\\s*['\"]none['\"]\\s*,?\\s*secure\\s*:\\s*false", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace wildcard CORS with specific allowed origins. Enable SSL verification. Use restrictive CSP. Set secure cookies.",
+      "penalty": "Security misconfiguration",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-AUDIT-006",
+      "name": "Unresolved Compliance TODOs",
+      "severity": "low",
+      "category": "ai-audit",
+      "description": "AI-generated code often includes TODO/FIXME comments for compliance-related features (consent, age verification, privacy policy) that may ship unimplemented.",
+      "patterns": [
+        { "pattern": "//\\s*(?:TODO|FIXME|HACK|XXX).*(?:consent|age\\s*verif|privacy\\s*policy|parental|coppa|gdpr|data\\s*retention)", "flags": "gi" },
+        { "pattern": "//\\s*(?:TODO|FIXME).*(?:implement|add|need|require).*(?:auth|login|permission|access\\s*control)", "flags": "gi" },
+        { "pattern": "#\\s*(?:TODO|FIXME).*(?:consent|age\\s*verif|privacy|parental|coppa)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Resolve all compliance-related TODOs before shipping. Each unresolved TODO is a potential COPPA violation in production.",
+      "penalty": "Unimplemented compliance requirement",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["ai-audit"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-001",
+      "name": "Default Public Profile Visibility",
+      "severity": "high",
+      "category": "safety-by-design",
+      "description": "User profiles default to public or visible. AU Safety by Design requires privacy-by-default for minors — profiles should be private until explicitly changed by the user or a verified parent.",
+      "patterns": [
+        { "pattern": "(?:visibility|profile_?visibility|is_?public|isPublic)\\s*[:=]\\s*(?:['\"]public['\"]|true)", "flags": "gi" },
+        { "pattern": "default(?:_?visibility|_?privacy|_?profile)\\s*[:=]\\s*['\"](?:public|open|visible|everyone)['\"]", "flags": "gi" },
+        { "pattern": "(?:privacy|profilePrivacy)\\s*[:=]\\s*\\{[^}]*default\\s*:\\s*['\"](?:public|open|everyone)['\"]", "flags": "gi" },
+        { "pattern": "(?:showProfile|profileVisible|publicByDefault|show_profile)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:searchable|discoverable|findable)\\s*[:=]\\s*true\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Set profile visibility to \"private\" by default. Require explicit user action (or parental consent for children) to make profiles public. AU SbD Principle 1: safety as a fundamental design consideration.",
+      "penalty": "Default public exposure of minor profiles",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin", "php", "csharp"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-002",
+      "name": "Social Features Without Report/Block",
+      "severity": "medium",
+      "category": "safety-by-design",
+      "description": "Social interaction features (comments, posts, messaging) detected without corresponding report or block mechanisms. AU SbD Principle 2 requires users to have tools to protect themselves from harmful interactions.",
+      "patterns": [
+        { "pattern": "(?:addComment|postComment|submitComment|createComment|commentCreate)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:sendMessage|createMessage|postMessage|submitMessage|messageCreate)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:createPost|submitPost|publishPost|addPost|postCreate)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:addReview|submitReview|createReview|postReview|reviewCreate)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:shareContent|createShare|submitShare)\\s*(?:=|:|\\()", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement report and block mechanisms alongside every social feature. Users must be able to report harmful content and block abusive accounts. AU SbD Principle 2: user empowerment and autonomy.",
+      "penalty": "Social features without safety controls",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin", "php"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-003",
+      "name": "Unrestricted Direct Messaging for Minors",
+      "severity": "critical",
+      "category": "safety-by-design",
+      "description": "Direct messaging or chat functionality without safety controls (contact restrictions, message filtering, or parental oversight). The AU Online Safety Act requires platforms to take reasonable steps to prevent child exploitation in private communications.",
+      "patterns": [
+        { "pattern": "(?:directMessage|sendDM|privateMess|createDM|dmChannel|startChat|privateChat|initiateChat)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:WebSocket|io\\.connect|socket\\.emit)\\s*\\([^)]*(?:chat|message|dm|private)", "flags": "gi" },
+        { "pattern": "(?:allowDMs?|enableDMs?|allow_?direct_?message|enable_?private_?message)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:contactStranger|messageAnyone|openChat|unrestricted_?message)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add safety controls to messaging: restrict contacts to approved friends, implement message filtering, enable parental oversight, and log communications for safety review. AU Online Safety Act 2021 s.45-46.",
+      "penalty": "Unrestricted private communication channel",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-004",
+      "name": "Recommendation Algorithm Without Safety Guardrails",
+      "severity": "high",
+      "category": "safety-by-design",
+      "description": "Content recommendation or feed algorithms detected without safety filtering, content classification, or age-appropriate guardrails. AU SbD requires platforms to assess and mitigate algorithmic harms, particularly for young users.",
+      "patterns": [
+        { "pattern": "(?:recommendContent|getRecommendations|suggestContent|personalizedFeed|forYouFeed|contentFeed)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:algorithm|algo)(?:_?feed|_?rank|_?recommend|_?suggest)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:trending|viral|popular)(?:_?content|_?posts|_?feed|_?items)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:engagement_?score|clickBait|engagement_?rank|watch_?next|autoplay_?next)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:rabbit_?hole|endless_?feed|infinite_?recommend|auto_?suggest)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add age-appropriate content filters to recommendation algorithms. Classify content before serving, implement safety guardrails, and provide transparency on how content is selected. AU SbD Principle 3: transparency and accountability.",
+      "penalty": "Unfiltered algorithmic content delivery",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-005",
+      "name": "Engagement Features Without Time Awareness",
+      "severity": "medium",
+      "category": "safety-by-design",
+      "description": "High-engagement features (autoplay, continuous scrolling, notifications) detected without corresponding digital wellbeing controls (screen time limits, break reminders, usage dashboards). AU SbD encourages platforms to build in digital wellbeing tools.",
+      "patterns": [
+        { "pattern": "(?:autoplay|auto_?play)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:autoPlay|autoPlayNext|playNext|nextEpisode)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:continuous_?play|binge_?mode|marathon_?mode|watch_?party)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:push_?notification|sendNotification|scheduleNotif|notif_?trigger).*(?:re_?engage|comeback|miss_?you|inactive)", "flags": "gi" },
+        { "pattern": "(?:daily_?reward|login_?bonus|daily_?streak|come_?back_?reward)\\s*(?:=|:|\\()", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement digital wellbeing features: screen time dashboards, break reminders after sustained use, and configurable usage limits (especially for accounts under 18). AU SbD: promote healthy technology use.",
+      "penalty": "Engagement-maximizing features without wellbeing controls",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-SBD-006",
+      "name": "Location Data Without Explicit Consent",
+      "severity": "critical",
+      "category": "safety-by-design",
+      "description": "Location data collection or sharing enabled without explicit, informed opt-in. AU SbD and the Privacy Act 1988 require data minimization, especially for children's geolocation data — location should never be collected by default.",
+      "patterns": [
+        { "pattern": "(?:shareLocation|share_?location|locationSharing|broadcastLocation)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:location_?visible|show_?location|display_?location|location_?public)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:trackLocation|location_?tracking|geo_?tracking|locationTracker)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "navigator\\.geolocation\\.(?:watchPosition|getCurrentPosition)\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:CLLocationManager|LocationManager|FusedLocationProvider).*(?:startUpdating|requestLocation|requestLocationUpdates)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Require explicit opt-in for any location data collection. Never enable location sharing by default. For minors, require parental consent before any geolocation access. AU Privacy Act 1988 APP 3.2.",
+      "penalty": "Default location data exposure",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-sbd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "ut-sb142-001",
+      "name": "Minor Account Creation Without Age Assurance",
+      "severity": "critical",
+      "category": "age-verification",
+      "description": "Utah SB 142 requires an age assurance system with at least 95% accuracy to identify minor account holders (under 18). Account creation flows that lack age verification gates violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:createUser|signUp|register)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:create_user|sign_up|create_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:UserFactory|AccountFactory|RegistrationService)\\.(?:create|build|register)\\s*\\(", "flags": "gi" },
+        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts)\\s*\\([^)]*\\)\\s*VALUES", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 §13-72-201.",
+      "penalty": "Up to $2,500 per violation; private right of action for parents",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["ut-sb142"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": null
+    },
+    {
+      "id": "ut-sb142-002",
+      "name": "Missing Parental Consent for Minor Account",
+      "severity": "critical",
+      "category": "parental-consent",
+      "description": "Utah SB 142 requires verifiable parental consent before a minor (under 18) can use a social media platform or download apps. Code that activates minor accounts without a parental consent verification step violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:activateAccount|enableAccount|verifyEmail|confirmRegistration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:activate_account|enable_account|verify_email|confirm_registration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:isMinor|is_minor|isUnder18|is_under_18)\\s*(?:&&|\\|\\||and|or)\\s*(?!.*(?:parentConsent|parent_consent|guardianApproval|guardian_approval))", "flags": "gi" },
+        { "pattern": "(?:minor|child|teen)(?:Account|_account|Profile|_profile)\\s*[:=]\\s*(?:true|1|'active'|\"active\")", "flags": "gi" }
+      ],
+      "fix_suggestion": "Before activating any minor account, implement a verifiable parental consent flow: send a verification email/SMS to a parent-linked account, require parental ID verification, or integrate with a COPPA-safe consent provider. See Utah SB 142 §13-72-202.",
+      "penalty": "Up to $2,500 per violation; private right of action for parents",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["ut-sb142"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "ut-sb142-003",
+      "name": "Default DM Access Open for Minors",
+      "severity": "high",
+      "category": "messaging-safety",
+      "description": "Utah SB 142 requires that direct messaging for minor accounts be restricted to connected accounts only by default. Code that enables open or unrestricted DM access for all users (including minors) violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:allowDirectMessages|allow_direct_messages|dmEnabled|dm_enabled|messagesEnabled|messages_enabled)\\s*[:=]\\s*(?:true|1|'all'|\"all\"|'everyone'|\"everyone\")", "flags": "gi" },
+        { "pattern": "(?:messagingPermission|messaging_permission|dmAccess|dm_access|messageAccess|message_access)\\s*[:=]\\s*(?:'public'|\"public\"|'open'|\"open\"|'all'|\"all\")", "flags": "gi" },
+        { "pattern": "(?:canMessage|can_message|canDM|can_dm)\\s*[:=]\\s*(?:true|1)(?!.*(?:friend|follow|connect|mutual))", "flags": "gi" },
+        { "pattern": "default(?:_?[Mm]essaging|_?[Dd][Mm])\\s*[:=]\\s*(?:'open'|\"open\"|'public'|\"public\"|true)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Set default DM permissions for minor accounts to 'connected-only' or 'friends-only'. Only allow messaging between mutually connected accounts. Provide parental controls to further restrict messaging. See Utah SB 142 §13-72-301.",
+      "penalty": "Up to $2,500 per violation; private right of action for parents",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["ut-sb142"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "ut-sb142-004",
+      "name": "Missing Parental Supervisory Tools",
+      "severity": "high",
+      "category": "parental-controls",
+      "description": "Utah SB 142 requires platforms to offer parents supervisory tools: time limits, mandatory break scheduling, usage data viewing, connected account lists, and setting-change notifications. Applications that provide user accounts for minors without implementing or referencing a parental dashboard violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:userSettings|user_settings|accountSettings|account_settings)\\s*[:=]\\s*\\{(?![^}]*(?:parent|guardian|supervisory|parental|family))[^}]*\\}", "flags": "gi" },
+        { "pattern": "(?:screenTime|screen_time|timeLimit|time_limit|usageLimit|usage_limit)\\s*[:=]\\s*(?:null|undefined|false|0|'disabled'|\"disabled\")", "flags": "gi" },
+        { "pattern": "(?:parentalControls|parental_controls|familySettings|family_settings)\\s*[:=]\\s*(?:false|null|undefined|'disabled'|\"disabled\")", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a parental supervisory dashboard that allows parents to: set daily time limits, schedule mandatory breaks, view usage data and connected account lists, and receive notifications when account settings change. See Utah SB 142 §13-72-302.",
+      "penalty": "Up to $2,500 per violation; private right of action for parents",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["ut-sb142"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "ut-sb142-005",
+      "name": "Minor Profile Visible to Search Engines",
+      "severity": "medium",
+      "category": "privacy-defaults",
+      "description": "Utah SB 142 requires that minor accounts have search engine indexing disabled by default and account visibility restricted to connected users only. Code that allows public profile indexing or unrestricted profile visibility for all users violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:indexable|searchable|seo_?visible|allow_?indexing|search_?engine_?visible)\\s*[:=]\\s*(?:true|1|'yes'|\"yes\")", "flags": "gi" },
+        { "pattern": "<meta\\s+name=['\"]robots['\"]\\s+content=['\"](?:index|all|follow)['\"]", "flags": "gi" },
+        { "pattern": "(?:profileVisibility|profile_visibility|accountVisibility|account_visibility)\\s*[:=]\\s*(?:'public'|\"public\"|'everyone'|\"everyone\"|'all'|\"all\")", "flags": "gi" },
+        { "pattern": "(?:isPublicProfile|is_public_profile|publicProfile|public_profile)\\s*[:=]\\s*(?:true|1)", "flags": "gi" },
+        { "pattern": "X-Robots-Tag\\s*[:=]\\s*(?:'index'|\"index\"|'all'|\"all\")", "flags": "gi" }
+      ],
+      "fix_suggestion": "Default minor accounts to non-indexable (noindex, nofollow) and restrict profile visibility to connected/approved users only. Add a robots meta tag or X-Robots-Tag header that blocks search engine crawling for minor profiles. See Utah SB 142 §13-72-301.",
+      "penalty": "Up to $2,500 per violation; private right of action for parents",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["ut-sb142"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    }
+  ]
+}