@runhalo/engine 0.4.0 → 0.5.0

package/rules/rules.json

@@ -5,7 +5,7 @@
     "coppa": {
       "id": "coppa",
       "name": "COPPA 2.0 Core",
-      "description": "20 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026.",
+      "description": "25 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026.",
       "jurisdiction": "US-Federal",
       "jurisdiction_level": "federal",
       "is_free": true,
@@ -51,6 +51,56 @@
       "is_free": true,
       "effective_date": "2026-05-06",
       "source_url": "https://le.utah.gov/~2025/bills/static/SB0142.html"
+    },
+    "uk-aadc": {
+      "id": "uk-aadc",
+      "name": "UK Age Appropriate Design Code",
+      "description": "15 rules for the UK ICO Children's Code (AADC) — the 15 standards for age-appropriate online services.",
+      "jurisdiction": "UK",
+      "jurisdiction_level": "national",
+      "is_free": false,
+      "effective_date": "2021-09-02",
+      "source_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/"
+    },
+    "eu-dsa": {
+      "id": "eu-dsa",
+      "name": "EU DSA Article 28 (Minor Protection)",
+      "description": "10 rules for EU Digital Services Act Article 28 — online protection of minors on platforms.",
+      "jurisdiction": "EU",
+      "jurisdiction_level": "supranational",
+      "is_free": false,
+      "effective_date": "2024-02-17",
+      "source_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    "au-osa": {
+      "id": "au-osa",
+      "name": "AU Online Safety Act",
+      "description": "12 rules for Australia's Online Safety Act 2021 (as amended 2024) — age verification, content moderation, under-16 social media ban, and eSafety Commissioner compliance.",
+      "jurisdiction": "AU-Federal",
+      "jurisdiction_level": "federal",
+      "is_free": false,
+      "effective_date": "2025-01-01",
+      "source_url": "https://www.esafety.gov.au/whats-on/online-safety-act"
+    },
+    "caadca": {
+      "id": "caadca",
+      "name": "California AADCA",
+      "description": "15 rules for the California Age-Appropriate Design Code Act (AB 2273) — default privacy, age estimation, profiling restrictions, dark pattern prohibitions, and data minimization for child users.",
+      "jurisdiction": "US-CA",
+      "jurisdiction_level": "state",
+      "is_free": false,
+      "effective_date": "2024-07-01",
+      "source_url": "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202120220AB2273"
+    },
+    "eu-ai-act": {
+      "id": "eu-ai-act",
+      "name": "EU AI Act (Children)",
+      "description": "15 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), transparency (Art. 13), and constitutional AI principles.",
+      "jurisdiction": "EU",
+      "jurisdiction_level": "supranational",
+      "is_free": false,
+      "effective_date": "2026-08-01",
+      "source_url": "https://artificialintelligenceact.eu/"
     }
   },
   "rules": [
@@ -58,6 +108,7 @@
       "id": "coppa-auth-001",
       "name": "Unverified Social Login Providers",
       "severity": "critical",
+      "confidence": "low",
       "category": "auth",
       "description": "Social login (Google, Facebook, Twitter) without age gating is prohibited for child-directed apps",
       "patterns": [
@@ -90,13 +141,14 @@
       "id": "coppa-data-002",
       "name": "PII Collection in URL Parameters",
       "severity": "high",
+      "confidence": "medium",
       "category": "data",
       "description": "Email, name, DOB, or phone in GET request URLs exposes PII in logs",
       "patterns": [
-        { "pattern": "(\\?|&)(email|first_?name|last_?name|dob|phone|birthdate)=", "flags": "gi" },
-        { "pattern": "axios\\.get\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*\\$\\{", "flags": "gi" },
-        { "pattern": "fetch\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*\\$\\{", "flags": "gi" },
-        { "pattern": "\\?[^'\"`\\s]*\\$\\{[^}]*(?:\\.email|\\.firstName|\\.lastName|\\.dob|\\.phone)[^}]*\\}", "flags": "gi" }
+        { "pattern": "(?<!(?:test|spec|mock|fixture|example|__test__|__mock__|__fixture__)[^\\n]{0,50})(\\?|&)(email|first_?name|last_?name|dob|phone|birthdate)=", "flags": "gi" },
+        { "pattern": "axios\\.get\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*(?:email|first_?name|last_?name|dob|phone|birthdate|birth_?date|ssn|username)=[^`'\"]*\\$\\{", "flags": "gi" },
+        { "pattern": "fetch\\s*\\(\\s*[`'\"]https?://[^\\s]*\\?[^`'\"]*(?:email|first_?name|last_?name|dob|phone|birthdate|birth_?date|ssn|username)=[^`'\"]*\\$\\{", "flags": "gi" },
+        { "pattern": "\\?[^'\"`\\s]*\\$\\{[^}]*(?:\\.email|\\.firstName|\\.lastName|\\.dob|\\.phone|\\.birthdate|\\.ssn)[^}]*\\}", "flags": "gi" }
       ],
       "fix_suggestion": "Switch to POST method and move PII to request body",
       "penalty": "$51,744 per violation",
@@ -111,6 +163,7 @@
       "id": "coppa-tracking-003",
       "name": "Third-Party Ad Trackers",
       "severity": "critical",
+      "confidence": "low",
       "category": "tracking",
       "description": "Facebook Pixel, Google Analytics, or other ad trackers without child_directed_treatment flag",
       "patterns": [
@@ -133,6 +186,7 @@
       "id": "coppa-geo-004",
       "name": "Precise Geolocation Collection",
       "severity": "high",
+      "confidence": "low",
       "category": "geo",
       "description": "High-accuracy geolocation without parental consent is prohibited",
       "patterns": [
@@ -161,10 +215,11 @@
       "id": "coppa-retention-005",
       "name": "Missing Data Retention Policy",
       "severity": "medium",
+      "confidence": "medium",
       "category": "retention",
-      "description": "User schemas must have deleted_at, expiration_date, or TTL index for data retention",
+      "description": "User schemas containing PII fields must have deleted_at, expiration_date, or TTL index for data retention",
       "patterns": [
-        { "pattern": "new\\s+Schema\\s*\\(\\s*\\{[^{}]*\\}", "flags": "gi" },
+        { "pattern": "new\\s+Schema\\s*\\(\\s*\\{[^{}]*(?:email|password|username|phone|dob|birth|firstName|lastName|first_name|last_name|fullName|full_name|displayName|display_name|address|ssn)[^{}]*\\}", "flags": "gi" },
         { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*models\\.Model\\s*\\)", "flags": "gi" },
         { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*(?:Base|db\\.Model)\\s*\\)", "flags": "gi" },
         { "pattern": "type\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s+struct\\s*\\{", "flags": "gi" },
@@ -184,14 +239,14 @@
       "id": "coppa-sec-006",
       "name": "Unencrypted PII Transmission",
       "severity": "critical",
+      "confidence": "medium",
       "category": "security",
       "description": "HTTP transmission of PII exposes data in transit. All API endpoints handling personal information must use HTTPS.",
       "patterns": [
-        { "pattern": "http://[^\\s]*(/api/|/login|/user|/register|/profile)", "flags": "gi" },
-        { "pattern": "http://localhost:[^\\s]*(/api/)", "flags": "gi" },
-        { "pattern": "axios\\.get\\s*\\(\\s*['\"]http://", "flags": "gi" },
-        { "pattern": "fetch\\s*\\(\\s*['\"]http://", "flags": "gi" },
-        { "pattern": "http://[^\\s]*email[^\\s]*", "flags": "gi" }
+        { "pattern": "http://(?!localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[::1\\]|10\\.|192\\.168\\.|172\\.(?:1[6-9]|2[0-9]|3[01]))[^\\s]*(/api/|/login|/user|/register|/profile)", "flags": "gi" },
+        { "pattern": "axios\\.get\\s*\\(\\s*['\"]http://(?!localhost|127\\.0\\.0\\.1)", "flags": "gi" },
+        { "pattern": "fetch\\s*\\(\\s*['\"]http://(?!localhost|127\\.0\\.0\\.1)", "flags": "gi" },
+        { "pattern": "http://(?!localhost|127\\.0\\.0\\.1)[^\\s]*email[^\\s]*", "flags": "gi" }
       ],
       "fix_suggestion": "Replace http:// with https:// for all API endpoints and resources",
       "penalty": "Security breach liability + COPPA penalties",
@@ -206,6 +261,7 @@
       "id": "coppa-audio-007",
       "name": "Unauthorized Audio Recording",
       "severity": "high",
+      "confidence": "low",
       "category": "audio",
       "description": "Audio recording without explicit user consent is prohibited. COPPA 2.0 clarifies voice prints as biometric data.",
       "patterns": [
@@ -230,12 +286,13 @@
       "id": "coppa-ui-008",
       "name": "Missing Privacy Policy on Registration",
       "severity": "medium",
+      "confidence": "medium",
       "category": "ui",
       "description": "Registration forms collecting PII must include a clear link to the privacy policy",
       "patterns": [
-        { "pattern": "\\b(?:SignUp|Register|Registration|CreateAccount)Form\\b", "flags": "gi" },
-        { "pattern": "\\b(?:sign[-_]?up|register|registration|create[-_]?account)[-_]form\\b", "flags": "gi" },
-        { "pattern": "<form[^>]*(?:id|class|name)\\s*=\\s*[\"'][^\"']*(?:register|signup|sign[-_]up|create[-_]account)[^\"']*[\"']", "flags": "gi" }
+        { "pattern": "(?<!(?:interface|type|import|from|require|mock|Mock|jest\\.fn)\\s{0,10})\\b(?!Admin|Teacher|Staff|Instructor|Educator|Parent|Guardian)(?:SignUp|Register|Registration|CreateAccount)Form\\b(?!\\s*(?:\\{|<|\\||&|extends|implements))", "flags": "gi" },
+        { "pattern": "(?<!(?:import|from|require|mock|type|interface)\\s{0,10})\\b(?!admin[-_]?|teacher[-_]?|staff[-_]?|instructor[-_]?|parent[-_]?)(?:sign[-_]?up|register|registration|create[-_]?account)[-_]form\\b(?!\\s*(?:type|interface|schema))", "flags": "gi" },
+        { "pattern": "<form[^>]*(?:id|class|name)\\s*=\\s*[\"'][^\"']*(?!admin|teacher|staff|instructor|educator|parent|guardian)(?:register|signup|sign[-_]up|create[-_]account)[^\"']*[\"']", "flags": "gi" }
       ],
       "fix_suggestion": "Add <a href=\"/privacy\">Privacy Policy</a> link to registration form footer",
       "penalty": "Compliance failure",
@@ -250,6 +307,7 @@
       "id": "coppa-flow-009",
       "name": "Direct Contact Collection Without Parent Context",
       "severity": "high",
+      "confidence": "high",
       "category": "flow",
       "description": "Forms collecting child email/phone must also require parent email for consent verification",
       "patterns": [
@@ -269,13 +327,14 @@
       "id": "coppa-sec-010",
       "name": "Weak Default Student Passwords",
       "severity": "medium",
+      "confidence": "high",
       "category": "security",
       "description": "Default passwords like \"password\", \"123456\", or \"changeme\" create security vulnerabilities",
       "patterns": [
-        { "pattern": "(password|default_pass|temp_password)\\s*=\\s*['\"](123456|password|changeme|student|welcome)['\"]", "flags": "gi" },
+        { "pattern": "(?:const|let|var|export|config|env|setting)\\s*(?:\\w+\\s*=\\s*\\{[^}]*?)?(password|default_pass|temp_password)\\s*[:=]\\s*['\"](123456|password|changeme|student|welcome)['\"]", "flags": "gi" },
         { "pattern": "defaultPassword:\\s*['\"](123456|password|changeme)['\"]", "flags": "gi" },
         { "pattern": "initialPassword:\\s*['\"](123456|password)['\"]", "flags": "gi" },
-        { "pattern": "pass\\s*=\\s*['\"](student123|child123|default)['\"]", "flags": "gi" }
+        { "pattern": "(?:const|let|var|config)\\s*\\w*[Pp]ass\\w*\\s*=\\s*['\"](student123|child123|default)['\"]", "flags": "gi" }
       ],
       "fix_suggestion": "Use a secure random string generator for temporary credentials",
       "penalty": "Security audit failure",
@@ -290,6 +349,7 @@
       "id": "coppa-ext-011",
       "name": "Unmoderated Third-Party Chat",
       "severity": "high",
+      "confidence": "medium",
       "category": "external",
       "description": "Third-party chat widgets (Intercom, Zendesk, Drift) allow children to disclose PII freely",
       "patterns": [
@@ -313,6 +373,7 @@
       "id": "coppa-bio-012",
       "name": "Biometric Data Collection",
       "severity": "critical",
+      "confidence": "medium",
       "category": "biometric",
       "description": "Face recognition, voice prints, or gait analysis requires explicit parental consent. COPPA 2.0 explicitly classifies biometrics as PI.",
       "patterns": [
@@ -337,6 +398,7 @@
       "id": "coppa-notif-013",
       "name": "Direct Push Notifications Without Consent",
       "severity": "medium",
+      "confidence": "low",
       "category": "notification",
       "description": "Push notifications are \"Online Contact Info\" under COPPA 2.0. Direct notifications to children require parental consent.",
       "patterns": [
@@ -361,15 +423,16 @@
       "id": "coppa-ugc-014",
       "name": "UGC Upload Without PII Filter",
       "severity": "high",
+      "confidence": "medium",
       "category": "ugc",
       "description": "Text areas for \"bio\", \"about me\", or comments must pass through PII scrubbing before database storage",
       "patterns": [
         { "pattern": "<textarea[^>]*placeholder=[\"'](?:bio|about me|describe yourself)[^\"']*[\"']", "flags": "gi" },
         { "pattern": "user\\.bio\\s*=", "flags": "gi" },
         { "pattern": "aboutMe\\s*=", "flags": "gi" },
-        { "pattern": "(?:submit|save|post)Comment\\s*\\(", "flags": "gi" },
-        { "pattern": "saveBio\\s*\\(|updateBio\\s*\\(", "flags": "gi" },
-        { "pattern": "commentForm.*submit|handleCommentSubmit", "flags": "gi" }
+        { "pattern": "(?:submit|save|post)Comment\\s*\\((?![^)]*(?:admin|moderate|internal|review))", "flags": "gi" },
+        { "pattern": "(?:saveBio|updateBio)\\s*\\((?![^)]*(?:admin|moderate|internal))", "flags": "gi" },
+        { "pattern": "(?<!admin|Admin|moderate|Moderate)(?:commentForm.*submit|handleCommentSubmit)", "flags": "gi" }
       ],
       "fix_suggestion": "Add middleware hook for PII scrubbing (regex or AWS Comprehend) before database storage",
       "penalty": "$51,744 per violation",
@@ -384,6 +447,7 @@
       "id": "coppa-sec-015",
       "name": "Reflected XSS Risk",
       "severity": "medium",
+      "confidence": "medium",
       "category": "security",
       "description": "DangerouslySetInnerHTML or innerHTML with user-controlled content creates XSS vulnerabilities",
       "patterns": [
@@ -393,7 +457,7 @@
         { "pattern": "\\.html\\s*\\(\\s*(?:user|req\\.|request\\.|params?\\.)", "flags": "gi" },
         { "pattern": "v-html\\s*=\\s*[\"']?(?!.*sanitize)", "flags": "gi" }
       ],
-      "fix_suggestion": "Use standard JSX rendering or DOMPurify before setting HTML content",
+      "fix_suggestion": "Use standard JSX rendering or DOMPurify before setting HTML content. Note: vendor/bundled libraries may trigger this rule — use .haloignore to suppress.",
       "penalty": "Security failure",
       "languages": ["typescript", "javascript", "tsx", "jsx", "vue"],
       "packs": ["coppa"],
@@ -406,12 +470,13 @@
       "id": "coppa-cookies-016",
       "name": "Missing Cookie Notice",
       "severity": "low",
+      "confidence": "medium",
       "category": "cookies",
       "description": "Cookies or localStorage storing tracking data or PII requires a consent banner",
       "patterns": [
         { "pattern": "document\\.cookie\\s*=\\s*[^;]*(?:user|email|name|token|session|track|id|uid|analytics)", "flags": "gi" },
-        { "pattern": "localStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
-        { "pattern": "sessionStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|id|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "localStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user_?id|user_?email|user_?token|auth_?token|session_?token|track_?id|tracking|login_?token|uid|analytics_?id|user_?data|user_?profile)[^'\"]*['\"]", "flags": "gi" },
+        { "pattern": "sessionStorage\\.setItem\\s*\\(\\s*['\"][^'\"]*(?:user_?id|user_?email|user_?token|auth_?token|session_?token|track_?id|tracking|login_?token|uid|analytics_?id|user_?data|user_?profile)[^'\"]*['\"]", "flags": "gi" },
         { "pattern": "\\.set_cookie\\s*\\(\\s*['\"][^'\"]*(?:user|email|token|session|track|auth|login|uid|analytics)[^'\"]*['\"]", "flags": "gi" },
         { "pattern": "http\\.SetCookie\\s*\\(\\s*\\w+\\s*,\\s*&http\\.Cookie\\s*\\{", "flags": "gi" },
         { "pattern": "\\.addCookie\\s*\\(\\s*new\\s+Cookie\\s*\\(", "flags": "gi" },
@@ -431,11 +496,12 @@
       "id": "coppa-ext-017",
       "name": "Unwarned External Links",
       "severity": "medium",
+      "confidence": "medium",
       "category": "external",
       "description": "External links in child-facing views should trigger a \"You are leaving...\" modal",
       "patterns": [
         { "pattern": "<a[^>]+href=[\"']https?://(?!.*(?:privacy|terms|legal|tos|policy|consent|support|help|docs|documentation))[^\"']+[\"'][^>]*target=[\"']_blank[\"'][^>]*>", "flags": "gi" },
-        { "pattern": "window\\.open\\s*\\(\\s*['\"]https?://(?!.*(?:privacy|terms|legal|tos|policy))", "flags": "gi" }
+        { "pattern": "window\\.open\\s*\\(\\s*['\"]https?://(?!.*(?:privacy|terms|legal|tos|policy|support|help|docs|documentation|faq|about))", "flags": "gi" }
       ],
       "fix_suggestion": "Wrap external links in SafeLink component with warning modal",
       "penalty": "Warning",
@@ -450,6 +516,7 @@
       "id": "coppa-analytics-018",
       "name": "Mapping PII to Analytics User IDs",
       "severity": "high",
+      "confidence": "medium",
       "category": "analytics",
       "description": "Passing email, name, or phone to analytics.identify() exposes PII to third parties",
       "patterns": [
@@ -479,6 +546,7 @@
       "id": "coppa-edu-019",
       "name": "Missing Teacher/School Verification",
       "severity": "medium",
+      "confidence": "low",
       "category": "education",
       "description": "Teacher accounts using generic email (@gmail.com) bypass \"School Official\" consent exception",
       "patterns": [
@@ -500,14 +568,15 @@
       "id": "coppa-default-020",
       "name": "Default Public Profile Visibility",
       "severity": "critical",
+      "confidence": "medium",
       "category": "defaults",
       "description": "Default profile visibility must be private. COPPA 2.0 requires privacy by design.",
       "patterns": [
-        { "pattern": "isProfileVisible:\\s*true", "flags": "gi" },
-        { "pattern": "visibility:\\s*['\"]public['\"]", "flags": "gi" },
-        { "pattern": "defaultPrivacy:\\s*['\"]public['\"]", "flags": "gi" },
-        { "pattern": "isPublic:\\s*true[^}]*(profile|User)", "flags": "gi" },
-        { "pattern": "profileVisibility\\s*=\\s*['\"]?(?:public|Public)['\"]?", "flags": "gi" }
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})isProfileVisible:\\s*true", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:profile|user|account|member)[^\\n]{0,30}visibility:\\s*['\"]public['\"]", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})defaultPrivacy:\\s*['\"]public['\"]", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})isPublic:\\s*true[^}]*(profile|User)", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})profileVisibility\\s*=\\s*['\"]?(?:public|Public)['\"]?", "flags": "gi" }
       ],
       "fix_suggestion": "Change default visibility to \"private\" or false",
       "penalty": "$51,744 per violation",
@@ -522,17 +591,18 @@
       "id": "ETHICAL-001",
       "name": "Infinite Scroll / Endless Feed",
       "severity": "high",
+      "confidence": "medium",
       "category": "ethical-design",
       "description": "Infinite scroll exploits lack of impulse control. Children spend 2-3x longer on infinite feeds.",
       "patterns": [
-        { "pattern": "IntersectionObserver.*isIntersecting.*loadMore", "flags": "gi" },
-        { "pattern": "window\\.addEventListener.*['\"]scroll['\"].*fetchNext", "flags": "gi" },
-        { "pattern": "import.*InfiniteScroll", "flags": "gi" },
-        { "pattern": "<InfiniteScroll", "flags": "gi" },
+        { "pattern": "IntersectionObserver[^\\n]*isIntersecting[^\\n]*(?:loadMore|fetchMore|nextPage)", "flags": "gi" },
+        { "pattern": "window\\.addEventListener[^\\n]*['\"]scroll['\"][^\\n]*(?:fetchNext|loadNext|loadMore)", "flags": "gi" },
+        { "pattern": "import[^\\n]*(?:InfiniteScroll|InfiniteLoader|InfiniteList)(?![^\\n]*(?:admin|Admin|table|Table|data))", "flags": "gi" },
+        { "pattern": "<(?:InfiniteScroll|InfiniteLoader)(?![^>]*(?:admin|table|data-table))", "flags": "gi" },
         { "pattern": "ngx-infinite-scroll", "flags": "gi" },
         { "pattern": "vue-infinite-loading", "flags": "gi" }
       ],
-      "fix_suggestion": "Replace infinite scroll with pagination or \"Load More\" buttons to create natural stopping points",
+      "fix_suggestion": "Replace infinite scroll with pagination or \"Load More\" buttons to create natural stopping points. Suppress with .haloignore for admin/internal dashboards.",
       "penalty": "Ethical Design Violation",
       "languages": ["typescript", "javascript", "tsx", "jsx", "vue"],
       "packs": ["ethical"],
@@ -545,6 +615,7 @@
       "id": "ETHICAL-002",
       "name": "Streak Pressure Mechanics",
       "severity": "high",
+      "confidence": "medium",
       "category": "ethical-design",
       "description": "Streak mechanics use loss aversion to manufacture daily compulsive usage",
       "patterns": [
@@ -568,6 +639,7 @@
       "id": "ETHICAL-003",
       "name": "Variable Ratio Rewards (Loot Boxes)",
       "severity": "critical",
+      "confidence": "medium",
       "category": "ethical-design",
       "description": "Randomized rewards (loot boxes, gacha) exploit gambling psychology in developing brains",
       "patterns": [
@@ -592,13 +664,14 @@
       "id": "ETHICAL-004",
       "name": "Manipulative Notification Language",
       "severity": "medium",
+      "confidence": "medium",
       "category": "ethical-design",
-      "description": "Notifications using urgency (\"Hurry!\", \"Missing out\") manipulate children's fear of social exclusion",
+      "description": "User-facing strings using urgency language (\"Hurry!\", \"Missing out\") manipulate children's fear of social exclusion. Only flags text inside string literals or JSX content.",
       "patterns": [
-        { "pattern": "hurry|limited\\s*time|missing\\s*out|don'?t\\s*miss|left\\s*behind", "flags": "gi" },
-        { "pattern": "everyone\\s*else\\s*is", "flags": "gi" },
-        { "pattern": "last\\s*chance", "flags": "gi" },
-        { "pattern": "running\\s*out", "flags": "gi" }
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?(?:hurry|limited\\s*time|missing\\s*out|don'?t\\s*miss|left\\s*behind)", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?everyone\\s*else\\s*is", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?last\\s*chance", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?running\\s*out(?!\\s*of\\s*(?:memory|disk|space|storage|connections|retries|attempts|time))", "flags": "gi" }
       ],
       "fix_suggestion": "Use neutral, informational language. Avoid FOMO (Fear Of Missing Out) triggers.",
       "penalty": "Ethical Design Violation",
@@ -613,17 +686,18 @@
       "id": "ETHICAL-005",
       "name": "Artificial Scarcity / Countdowns",
       "severity": "medium",
+      "confidence": "medium",
       "category": "ethical-design",
       "description": "Fake scarcity (\"Only 2 left!\") and countdown timers pressure children into impulsive decisions",
       "patterns": [
-        { "pattern": "CountdownTimer", "flags": "gi" },
-        { "pattern": "only\\s*\\d+\\s*left", "flags": "gi" },
-        { "pattern": "offer\\s*ends\\s*in", "flags": "gi" },
-        { "pattern": "selling\\s*fast", "flags": "gi" },
-        { "pattern": "almost\\s*sold\\s*out", "flags": "gi" },
-        { "pattern": "limited\\s*availability", "flags": "gi" }
+        { "pattern": "(?:sale|offer|deal|promo|discount|purchase|buy|shop|cart|checkout)[^\\n]*CountdownTimer|CountdownTimer[^\\n]*(?:sale|offer|deal|promo|discount|purchase|buy|shop|cart|checkout)", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?only\\s*\\d+\\s*left", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?offer\\s*ends\\s*in", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?selling\\s*fast", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?almost\\s*sold\\s*out", "flags": "gi" },
+        { "pattern": "(?:[\"'`>])\\s*[^\"'`<\\n]*?limited\\s*availability", "flags": "gi" }
       ],
-      "fix_suggestion": "Remove artificial urgency. If an offer expires, state the date calmly without countdown pressure.",
+      "fix_suggestion": "Remove artificial urgency. If an offer expires, state the date calmly without countdown pressure. Suppress with .haloignore for non-commerce timers (quizzes, sessions, deploys).",
       "penalty": "Ethical Design Violation",
       "languages": ["typescript", "javascript", "tsx", "jsx", "html"],
       "packs": ["ethical"],
@@ -636,6 +710,7 @@
       "id": "AI-AUDIT-001",
       "name": "Placeholder Analytics Script",
       "severity": "high",
+      "confidence": "high",
       "category": "ai-audit",
       "description": "AI-generated code frequently includes placeholder analytics (UA-XXXXX, G-XXXXXX, fbq) copied from training data. These may activate real tracking without child_directed_treatment flags.",
       "patterns": [
@@ -658,6 +733,7 @@
       "id": "AI-AUDIT-002",
       "name": "AI-Generated Hardcoded Secrets",
       "severity": "critical",
+      "confidence": "medium",
       "category": "ai-audit",
       "description": "AI coding assistants frequently generate placeholder API keys, tokens, and secrets inline. These may be committed to version control and exposed.",
       "patterns": [
@@ -665,7 +741,7 @@
         { "pattern": "(?:secret|SECRET|token|TOKEN)\\s*[:=]\\s*['\"](?!process\\.env)[a-zA-Z0-9_-]{20,}['\"]", "flags": "gi" },
         { "pattern": "SUPABASE_(?:ANON_KEY|SERVICE_ROLE_KEY)\\s*[:=]\\s*['\"]ey[a-zA-Z0-9_.+-]{30,}['\"]", "flags": "gi" },
         { "pattern": "FIREBASE_(?:API_KEY|CONFIG)\\s*[:=]\\s*['\"]AI[a-zA-Z0-9_-]{30,}['\"]", "flags": "gi" },
-        { "pattern": "(?:password|passwd|pwd)\\s*[:=]\\s*['\"](?!process\\.env)[^'\"]{8,}['\"]\\s*(?:,|;|\\})", "flags": "gi" }
+        { "pattern": "(?:password|passwd|pwd)\\s*[:=]\\s*['\"](?!process\\.env|test|Test|mock|Mock|example|Example|dummy|Dummy|fake|Fake|fixture)[^'\"]{8,}['\"]\\s*(?:,|;|\\})", "flags": "gi" }
       ],
       "fix_suggestion": "Move all secrets to environment variables. Use process.env.API_KEY or a secrets manager. Never hardcode credentials.",
       "penalty": "Security exposure — credentials in source code",
@@ -680,6 +756,7 @@
       "id": "AI-AUDIT-003",
       "name": "Hallucinated/Placeholder API URLs",
       "severity": "medium",
+      "confidence": "high",
       "category": "ai-audit",
       "description": "AI models often generate fake API endpoints (api.example.com, jsonplaceholder, reqres.in) that may be replaced with real endpoints without proper review.",
       "patterns": [
@@ -700,6 +777,7 @@
       "id": "AI-AUDIT-004",
       "name": "Copy-Paste Tracking Boilerplate",
       "severity": "high",
+      "confidence": "medium",
       "category": "ai-audit",
       "description": "AI assistants reproduce common analytics setup patterns from training data. These often include user identification, event tracking, and session recording without consent flows.",
       "patterns": [
@@ -726,6 +804,7 @@
       "id": "AI-AUDIT-005",
       "name": "AI-Generated Insecure Defaults",
       "severity": "medium",
+      "confidence": "high",
       "category": "ai-audit",
       "description": "AI models commonly generate code with insecure default configurations: CORS *, disabled SSL verification, permissive CSP, or open CORS origins.",
       "patterns": [
@@ -749,6 +828,7 @@
       "id": "AI-AUDIT-006",
       "name": "Unresolved Compliance TODOs",
       "severity": "low",
+      "confidence": "high",
       "category": "ai-audit",
       "description": "AI-generated code often includes TODO/FIXME comments for compliance-related features (consent, age verification, privacy policy) that may ship unimplemented.",
       "patterns": [
@@ -769,14 +849,15 @@
       "id": "AU-SBD-001",
       "name": "Default Public Profile Visibility",
       "severity": "high",
+      "confidence": "low",
       "category": "safety-by-design",
       "description": "User profiles default to public or visible. AU Safety by Design requires privacy-by-default for minors — profiles should be private until explicitly changed by the user or a verified parent.",
       "patterns": [
-        { "pattern": "(?:visibility|profile_?visibility|is_?public|isPublic)\\s*[:=]\\s*(?:['\"]public['\"]|true)", "flags": "gi" },
-        { "pattern": "default(?:_?visibility|_?privacy|_?profile)\\s*[:=]\\s*['\"](?:public|open|visible|everyone)['\"]", "flags": "gi" },
-        { "pattern": "(?:privacy|profilePrivacy)\\s*[:=]\\s*\\{[^}]*default\\s*:\\s*['\"](?:public|open|everyone)['\"]", "flags": "gi" },
-        { "pattern": "(?:showProfile|profileVisible|publicByDefault|show_profile)\\s*[:=]\\s*true", "flags": "gi" },
-        { "pattern": "(?:searchable|discoverable|findable)\\s*[:=]\\s*true\\b", "flags": "gi" }
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:visibility|profile_?visibility|is_?public|isPublic)\\s*[:=]\\s*(?:['\"]public['\"]|true)", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})default(?:_?visibility|_?privacy|_?profile)\\s*[:=]\\s*['\"](?:public|open|visible|everyone)['\"]", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:privacy|profilePrivacy)\\s*[:=]\\s*\\{[^}]*default\\s*:\\s*['\"](?:public|open|everyone)['\"]", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:showProfile|profileVisible|publicByDefault|show_profile)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|admin|Admin|dashboard|internal|//|\\*)\\s{0,20})(?:user|profile|account|member)[^\\n]{0,50}(?:searchable|discoverable|findable)\\s*[:=]\\s*true\\b", "flags": "gi" }
       ],
       "fix_suggestion": "Set profile visibility to \"private\" by default. Require explicit user action (or parental consent for children) to make profiles public. AU SbD Principle 1: safety as a fundamental design consideration.",
       "penalty": "Default public exposure of minor profiles",
@@ -791,11 +872,12 @@
       "id": "AU-SBD-002",
       "name": "Social Features Without Report/Block",
       "severity": "medium",
+      "confidence": "medium",
       "category": "safety-by-design",
-      "description": "Social interaction features (comments, posts, messaging) detected without corresponding report or block mechanisms. AU SbD Principle 2 requires users to have tools to protect themselves from harmful interactions.",
+      "description": "Social interaction features (comments, posts, messaging) detected without corresponding report or block mechanisms. AU SbD Principle 2 requires users to have tools to protect themselves from harmful interactions. Excludes window.postMessage (IPC) and admin/internal contexts.",
       "patterns": [
         { "pattern": "(?:addComment|postComment|submitComment|createComment|commentCreate)\\s*(?:=|:|\\()", "flags": "gi" },
-        { "pattern": "(?:sendMessage|createMessage|postMessage|submitMessage|messageCreate)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?<!window\\.)(?:sendMessage|createMessage|submitMessage|messageCreate)\\s*(?:=|:|\\()", "flags": "gi" },
         { "pattern": "(?:createPost|submitPost|publishPost|addPost|postCreate)\\s*(?:=|:|\\()", "flags": "gi" },
         { "pattern": "(?:addReview|submitReview|createReview|postReview|reviewCreate)\\s*(?:=|:|\\()", "flags": "gi" },
         { "pattern": "(?:shareContent|createShare|submitShare)\\s*(?:=|:|\\()", "flags": "gi" }
@@ -813,11 +895,12 @@
       "id": "AU-SBD-003",
       "name": "Unrestricted Direct Messaging for Minors",
       "severity": "critical",
+      "confidence": "medium",
       "category": "safety-by-design",
       "description": "Direct messaging or chat functionality without safety controls (contact restrictions, message filtering, or parental oversight). The AU Online Safety Act requires platforms to take reasonable steps to prevent child exploitation in private communications.",
       "patterns": [
         { "pattern": "(?:directMessage|sendDM|privateMess|createDM|dmChannel|startChat|privateChat|initiateChat)\\s*(?:=|:|\\()", "flags": "gi" },
-        { "pattern": "(?:WebSocket|io\\.connect|socket\\.emit)\\s*\\([^)]*(?:chat|message|dm|private)", "flags": "gi" },
+        { "pattern": "(?:WebSocket|io\\.connect|socket\\.emit)\\s*\\([^)]*(?:chat|message|dm|private)(?![^\\n]*(?:admin|support|internal|helpdesk|customer_?service))", "flags": "gi" },
         { "pattern": "(?:allowDMs?|enableDMs?|allow_?direct_?message|enable_?private_?message)\\s*[:=]\\s*true", "flags": "gi" },
         { "pattern": "(?:contactStranger|messageAnyone|openChat|unrestricted_?message)\\s*[:=]\\s*true", "flags": "gi" }
       ],
@@ -834,12 +917,13 @@
       "id": "AU-SBD-004",
       "name": "Recommendation Algorithm Without Safety Guardrails",
       "severity": "high",
+      "confidence": "medium",
       "category": "safety-by-design",
       "description": "Content recommendation or feed algorithms detected without safety filtering, content classification, or age-appropriate guardrails. AU SbD requires platforms to assess and mitigate algorithmic harms, particularly for young users.",
       "patterns": [
-        { "pattern": "(?:recommendContent|getRecommendations|suggestContent|personalizedFeed|forYouFeed|contentFeed)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:personalizedFeed|forYouFeed|contentFeed)\\s*(?:=|:|\\()", "flags": "gi" },
         { "pattern": "(?:algorithm|algo)(?:_?feed|_?rank|_?recommend|_?suggest)\\s*(?:=|:|\\()", "flags": "gi" },
-        { "pattern": "(?:trending|viral|popular)(?:_?content|_?posts|_?feed|_?items)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:trending|viral|popular)(?:_?content|_?posts|_?feed|_?items)\\s*(?:=|:|\\()(?![^\\n]*(?:curated|editorial|manual|handpick|staff_?pick))", "flags": "gi" },
         { "pattern": "(?:engagement_?score|clickBait|engagement_?rank|watch_?next|autoplay_?next)\\s*[:=]", "flags": "gi" },
         { "pattern": "(?:rabbit_?hole|endless_?feed|infinite_?recommend|auto_?suggest)\\s*[:=]\\s*true", "flags": "gi" }
       ],
@@ -856,12 +940,13 @@
       "id": "AU-SBD-005",
       "name": "Engagement Features Without Time Awareness",
       "severity": "medium",
+      "confidence": "medium",
       "category": "safety-by-design",
       "description": "High-engagement features (autoplay, continuous scrolling, notifications) detected without corresponding digital wellbeing controls (screen time limits, break reminders, usage dashboards). AU SbD encourages platforms to build in digital wellbeing tools.",
       "patterns": [
-        { "pattern": "(?:autoplay|auto_?play)\\s*[:=]\\s*true", "flags": "gi" },
-        { "pattern": "(?:autoPlay|autoPlayNext|playNext|nextEpisode)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:autoPlayNext|playNext|nextEpisode|autoplay_?next)\\s*[:=]\\s*true", "flags": "gi" },
         { "pattern": "(?:continuous_?play|binge_?mode|marathon_?mode|watch_?party)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:autoplay|auto_?play)\\s*[:=]\\s*true(?=[^\\n]*(?:feed|playlist|series|queue|channel|episode|next))", "flags": "gi" },
         { "pattern": "(?:push_?notification|sendNotification|scheduleNotif|notif_?trigger).*(?:re_?engage|comeback|miss_?you|inactive)", "flags": "gi" },
         { "pattern": "(?:daily_?reward|login_?bonus|daily_?streak|come_?back_?reward)\\s*(?:=|:|\\()", "flags": "gi" }
       ],
@@ -878,6 +963,7 @@
       "id": "AU-SBD-006",
       "name": "Location Data Without Explicit Consent",
       "severity": "critical",
+      "confidence": "low",
       "category": "safety-by-design",
       "description": "Location data collection or sharing enabled without explicit, informed opt-in. AU SbD and the Privacy Act 1988 require data minimization, especially for children's geolocation data — location should never be collected by default.",
       "patterns": [
@@ -900,13 +986,14 @@
       "id": "ut-sb142-001",
       "name": "Minor Account Creation Without Age Assurance",
       "severity": "critical",
+      "confidence": "medium",
       "category": "age-verification",
-      "description": "Utah SB 142 requires an age assurance system with at least 95% accuracy to identify minor account holders (under 18). Account creation flows that lack age verification gates violate this requirement.",
+      "description": "Utah SB 142 requires an age assurance system with at least 95% accuracy to identify minor account holders (under 18). Account creation flows that lack age verification gates violate this requirement. Excludes test factories and seed scripts.",
       "patterns": [
         { "pattern": "(?:createUser|signUp|register)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
         { "pattern": "(?:create_user|sign_up|create_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:UserFactory|AccountFactory|RegistrationService)\\.(?:create|build|register)\\s*\\(", "flags": "gi" },
-        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts)\\s*\\([^)]*\\)\\s*VALUES", "flags": "gi" }
+        { "pattern": "(?:RegistrationService)\\.(?:create|register)\\s*\\((?![^)]*(?:age|dob|birth))", "flags": "gi" },
+        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" }
       ],
       "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 §13-72-201.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
@@ -921,13 +1008,14 @@
       "id": "ut-sb142-002",
       "name": "Missing Parental Consent for Minor Account",
       "severity": "critical",
+      "confidence": "low",
       "category": "parental-consent",
       "description": "Utah SB 142 requires verifiable parental consent before a minor (under 18) can use a social media platform or download apps. Code that activates minor accounts without a parental consent verification step violates this requirement.",
       "patterns": [
-        { "pattern": "(?:activateAccount|enableAccount|verifyEmail|confirmRegistration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:activate_account|enable_account|verify_email|confirm_registration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:isMinor|is_minor|isUnder18|is_under_18)\\s*(?:&&|\\|\\||and|or)\\s*(?!.*(?:parentConsent|parent_consent|guardianApproval|guardian_approval))", "flags": "gi" },
-        { "pattern": "(?:minor|child|teen)(?:Account|_account|Profile|_profile)\\s*[:=]\\s*(?:true|1|'active'|\"active\")", "flags": "gi" }
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:activateAccount|enableAccount|verifyEmail|confirmRegistration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:activate_account|enable_account|verify_email|confirm_registration)\\s*\\((?![^)]*(?:parent|guardian|consent|parental))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:activate|enable|register)[^\\n]{0,40}(?:isMinor|is_minor|isUnder18|is_under_18)\\s*(?:&&|\\|\\||and|or)\\s*(?!.*(?:parentConsent|parent_consent|guardianApproval|guardian_approval))", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:minor|child|teen)(?:Account|_account|Profile|_profile)\\s*[:=]\\s*(?:true|1|'active'|\"active\")", "flags": "gi" }
       ],
       "fix_suggestion": "Before activating any minor account, implement a verifiable parental consent flow: send a verification email/SMS to a parent-linked account, require parental ID verification, or integrate with a COPPA-safe consent provider. See Utah SB 142 §13-72-202.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
@@ -942,6 +1030,7 @@
       "id": "ut-sb142-003",
       "name": "Default DM Access Open for Minors",
       "severity": "high",
+      "confidence": "medium",
       "category": "messaging-safety",
       "description": "Utah SB 142 requires that direct messaging for minor accounts be restricted to connected accounts only by default. Code that enables open or unrestricted DM access for all users (including minors) violates this requirement.",
       "patterns": [
@@ -963,10 +1052,11 @@
       "id": "ut-sb142-004",
       "name": "Missing Parental Supervisory Tools",
       "severity": "high",
+      "confidence": "medium",
       "category": "parental-controls",
       "description": "Utah SB 142 requires platforms to offer parents supervisory tools: time limits, mandatory break scheduling, usage data viewing, connected account lists, and setting-change notifications. Applications that provide user accounts for minors without implementing or referencing a parental dashboard violate this requirement.",
       "patterns": [
-        { "pattern": "(?:userSettings|user_settings|accountSettings|account_settings)\\s*[:=]\\s*\\{(?![^}]*(?:parent|guardian|supervisory|parental|family))[^}]*\\}", "flags": "gi" },
+        { "pattern": "(?:minor|child|student|teen|kid|youth)\\w*(?:Settings|Config|Account|Profile|Preferences)\\s*[:=]\\s*\\{(?![^}]*(?:parent|guardian|supervisory|parental|family))[^}]*\\}", "flags": "gi" },
         { "pattern": "(?:screenTime|screen_time|timeLimit|time_limit|usageLimit|usage_limit)\\s*[:=]\\s*(?:null|undefined|false|0|'disabled'|\"disabled\")", "flags": "gi" },
         { "pattern": "(?:parentalControls|parental_controls|familySettings|family_settings)\\s*[:=]\\s*(?:false|null|undefined|'disabled'|\"disabled\")", "flags": "gi" }
       ],
@@ -983,14 +1073,15 @@
       "id": "ut-sb142-005",
       "name": "Minor Profile Visible to Search Engines",
       "severity": "medium",
+      "confidence": "medium",
       "category": "privacy-defaults",
       "description": "Utah SB 142 requires that minor accounts have search engine indexing disabled by default and account visibility restricted to connected users only. Code that allows public profile indexing or unrestricted profile visibility for all users violates this requirement.",
       "patterns": [
-        { "pattern": "(?:indexable|searchable|seo_?visible|allow_?indexing|search_?engine_?visible)\\s*[:=]\\s*(?:true|1|'yes'|\"yes\")", "flags": "gi" },
-        { "pattern": "<meta\\s+name=['\"]robots['\"]\\s+content=['\"](?:index|all|follow)['\"]", "flags": "gi" },
-        { "pattern": "(?:profileVisibility|profile_visibility|accountVisibility|account_visibility)\\s*[:=]\\s*(?:'public'|\"public\"|'everyone'|\"everyone\"|'all'|\"all\")", "flags": "gi" },
-        { "pattern": "(?:isPublicProfile|is_public_profile|publicProfile|public_profile)\\s*[:=]\\s*(?:true|1)", "flags": "gi" },
-        { "pattern": "X-Robots-Tag\\s*[:=]\\s*(?:'index'|\"index\"|'all'|\"all\")", "flags": "gi" }
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|admin|Admin|internal|//|\\*)\\s{0,20})(?:user|profile|account|member)[^\\n]{0,50}(?:indexable|seo_?visible|allow_?indexing|search_?engine_?visible)\\s*[:=]\\s*(?:true|1|'yes'|\"yes\")", "flags": "gi" },
+        { "pattern": "(?:user|profile|account|member|minor|child|student)[^\\n]{0,30}<meta\\s+name=['\"]robots['\"]\\s+content=['\"](?:index|all)['\"]", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:profileVisibility|profile_visibility|accountVisibility|account_visibility)\\s*[:=]\\s*(?:'public'|\"public\"|'everyone'|\"everyone\"|'all'|\"all\")", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:isPublicProfile|is_public_profile|publicProfile|public_profile)\\s*[:=]\\s*(?:true|1)", "flags": "gi" },
+        { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|//|\\*)\\s{0,20})X-Robots-Tag\\s*[:=]\\s*(?:'index'|\"index\"|'all'|\"all\")", "flags": "gi" }
       ],
       "fix_suggestion": "Default minor accounts to non-indexable (noindex, nofollow) and restrict profile visibility to connected/approved users only. Add a robots meta tag or X-Robots-Tag header that blocks search engine crawling for minor profiles. See Utah SB 142 §13-72-301.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
@@ -1000,6 +1091,1542 @@
       "transform_type": null,
       "scaffold_id": null,
       "guidance_url": null
+    },
+    {
+      "id": "coppa-2-021",
+      "name": "Biometric Identifier Collection Without VPC",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "bio",
+      "description": "COPPA 2.0 expands 'personal information' to include biometric identifiers: fingerprints, voiceprints, facial geometry, gait patterns. Collection requires Verifiable Parental Consent (VPC) before any data capture.",
+      "patterns": [
+        { "pattern": "(?:fingerprint|faceprint|voiceprint|gaitAnalysis|gait_analysis)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:biometric|Biometric)(?:Data|Info|Template|Hash|Feature|Scan)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:faceGeometry|face_geometry|facialGeometry|facial_geometry)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:ARFaceAnchor|ARFaceGeometry)\\.(?:geometry|blendShapes)", "flags": "g" },
+        { "pattern": "(?:SpeakerRecognition|VoiceEnrollment|VoiceVerification)\\s*\\(", "flags": "g" },
+        { "pattern": "(?:palmPrint|palm_print|irisPattern|iris_pattern|retinaScan|retina_scan)\\s*[:=]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Obtain Verifiable Parental Consent (VPC) before collecting any biometric identifiers. Under COPPA 2.0, biometric data is 'personal information' requiring the highest consent standard. Keep biometric processing local-only where possible.",
+      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-2-022",
+      "name": "Push Notification Token Without Parental Opt-In",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "notif",
+      "description": "COPPA 2.0 classifies device push notification tokens as 'online contact information'. Subscribing a child's device to push notifications requires prior parental consent and an opt-out mechanism.",
+      "patterns": [
+        { "pattern": "(?:messaging|Messaging)\\.(?:getToken|requestPermission|subscribeToTopic)\\s*\\(", "flags": "g" },
+        { "pattern": "(?:registerForRemoteNotifications|requestAuthorization)\\s*\\(\\s*\\[?\\s*\\.(?:alert|badge|sound)", "flags": "g" },
+        { "pattern": "(?:PushNotificationIOS|PushNotification)\\.(?:requestPermissions|configure)\\s*\\(", "flags": "g" },
+        { "pattern": "(?:expo-notifications|@notifee|react-native-push-notification).*(?:requestPermissions|getToken)", "flags": "gi" },
+        { "pattern": "(?:saveDeviceToken|storeDeviceToken|registerDeviceToken|savePushToken|storePushToken)\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Gate push notification token registration behind a parental consent check. Under COPPA 2.0, push tokens are 'online contact information' — parents must explicitly opt in, and you must provide an opt-out mechanism accessible from a parental dashboard.",
+      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "java"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-2-023",
+      "name": "Ed-Tech Data Use Beyond Educational Purpose",
+      "severity": "high",
+      "confidence": "low",
+      "category": "edu",
+      "description": "COPPA 2.0 restricts ed-tech providers operating under the 'school official' exception: student data may only be used for the educational purpose authorized by the school. No advertising, profiling, or secondary data use.",
+      "patterns": [
+        { "pattern": "(?:student|Student)(?:Data|Profile|Record|Info).*(?:marketing|advertising|adTargeting|ad_targeting|profiling|analytics\\.identify|recommend)", "flags": "gi" },
+        { "pattern": "(?:classroomData|classroom_data|schoolData|school_data).*(?:thirdParty|third_party|partner|advertis|market)", "flags": "gi" },
+        { "pattern": "(?:edtech|EdTech|LMS|lms).*(?:analytics\\.track|mixpanel|amplitude|segment\\.identify)", "flags": "gi" },
+        { "pattern": "(?:shareStudentData|share_student_data|exportStudentRecords|export_student_records)\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Ensure ed-tech data collected under the 'school official' exception is used exclusively for the authorized educational purpose. Remove any analytics, advertising, or profiling code paths that touch student data. COPPA 2.0 makes this an explicit prohibition.",
+      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-2-024",
+      "name": "Data Retention Beyond Reasonable Necessity",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "retention",
+      "description": "COPPA 2.0 strengthens data retention requirements: operators must delete children's personal information when it is no longer reasonably necessary for the purpose for which it was collected. Indefinite retention or missing deletion mechanisms violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:retentionPolicy|retention_policy|dataRetention|data_retention)\\s*[:=]\\s*(?:'forever'|\"forever\"|'indefinite'|\"indefinite\"|'none'|\"none\"|null|undefined|-1|0)", "flags": "gi" },
+        { "pattern": "(?:deleteAfterDays|delete_after_days|ttlDays|ttl_days|expiresIn|expires_in)\\s*[:=]\\s*(?:null|undefined|0|-1|false)", "flags": "gi" },
+        { "pattern": "(?:neverDelete|never_delete|keepForever|keep_forever|permanentStorage|permanent_storage)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:childData|child_data|minorData|minor_data|studentData|student_data).*(?:archive|Archive|longTermStorage|long_term_storage)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement automatic data deletion policies for children's personal information. Set reasonable TTLs based on the purpose of collection. Add a scheduled deletion job that purges expired child data. COPPA 2.0 requires deletion when data is no longer reasonably necessary.",
+      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "coppa-2-025",
+      "name": "Consent Mechanism Not Meeting VPC Standard",
+      "severity": "high",
+      "confidence": "low",
+      "category": "consent",
+      "description": "COPPA 2.0 requires Verifiable Parental Consent (VPC) via methods that provide a greater level of assurance: signed consent forms, credit card transactions, video calls, government ID, or knowledge-based authentication. Simple email-based consent ('email plus') is only valid for internal use.",
+      "patterns": [
+        { "pattern": "(?:parentConsent|parent_consent|parentalConsent|parental_consent)\\s*[:=]\\s*(?:true|1|'yes'|\"yes\")", "flags": "gi" },
+        { "pattern": "(?:consentMethod|consent_method|verificationMethod|verification_method)\\s*[:=]\\s*(?:'email'|\"email\"|'checkbox'|\"checkbox\"|'click'|\"click\")", "flags": "gi" },
+        { "pattern": "(?:parentEmail|parent_email).*(?:sendVerification|send_verification|sendConsent|send_consent)\\s*\\(", "flags": "gi" },
+        { "pattern": "<input[^>]*type=['\"]checkbox['\"][^>]*(?:consent|agree|parent)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Upgrade consent mechanism to meet COPPA 2.0 VPC standards. For external data sharing, use credit card verification, video calls, government ID, or knowledge-based authentication. Simple checkboxes and email confirmations do not meet the VPC standard for external use of children's data.",
+      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+
+    {
+      "id": "aadc-defaults-001",
+      "name": "Default Privacy Set to Public",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "privacy",
+      "description": "AADC Standard 7 requires settings to be 'high privacy' by default. Children's data should only be visible to others if the child actively changes the setting. Default-public profiles, content, or activity violate this standard.",
+      "patterns": [
+        { "pattern": "(?:default|initial)(?:Privacy|Visibility|Setting)\\s*[:=]\\s*['\"]?(?:public|open|everyone|all)['\"]?", "flags": "gi" },
+        { "pattern": "shareByDefault\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:discoverability|discoverable)\\s*[:=]\\s*['\"]?(?:public|everyone|all)['\"]?", "flags": "gi" },
+        { "pattern": "(?:searchable|allowStrangers|showOnlineStatus|showActivity)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Set all privacy defaults to the most restrictive option. Profiles, activity, and content should be private by default. Users (especially children) should actively opt in to share data with others. See ICO AADC Standard 7.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "auto",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/7-default-settings/"
+    },
+    {
+      "id": "aadc-defaults-002",
+      "name": "Opt-Out Tracking Enabled by Default",
+      "severity": "high",
+      "confidence": "high",
+      "category": "tracking",
+      "description": "AADC Standard 7 requires optional data uses to be individually selected and activated. Tracking, analytics, or personalization enabled by default with an opt-out mechanism violates this standard.",
+      "patterns": [
+        { "pattern": "(?:tracking|analytics|personalization|marketing)(?:Enabled|Active|On)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "defaultConsent\\s*[:=]\\s*(?:true|['\"]granted['\"]|['\"]accepted['\"])", "flags": "gi" },
+        { "pattern": "optOut|opt_out|optedOut", "flags": "gi" }
+      ],
+      "fix_suggestion": "Switch from opt-out to opt-in for all tracking, analytics, and personalization. These features must be off by default and require active user consent before activation. See ICO AADC Standard 7.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift", "html"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/7-default-settings/"
+    },
+    {
+      "id": "aadc-minimisation-003",
+      "name": "Excessive Personal Data Collection",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "data-collection",
+      "description": "AADC Standard 8 requires collecting only the minimum personal data needed to provide the service. Requiring fields like phone, address, school, gender, or ethnicity beyond what is necessary violates data minimisation.",
+      "patterns": [
+        { "pattern": "(?:required|mandatory)\\s*[:=].*(?:phone|address|school|gender|ethnicity|religion)", "flags": "gi" },
+        { "pattern": "<input[^>]*required[^>]*(?:phone|address|middleName|employer|school)", "flags": "gi" },
+        { "pattern": "(?:collectAll|gatherAll|harvestData)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Review which personal data fields are truly required for your service. Make non-essential fields optional. Give children choices over which elements of data they wish to provide. See ICO AADC Standard 8.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "html", "php"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/8-data-minimisation/"
+    },
+    {
+      "id": "aadc-sharing-004",
+      "name": "Third-Party Data Sharing Without Child Safety Check",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "data-sharing",
+      "description": "AADC Standard 9 prohibits disclosing children's data unless there is a compelling reason. Analytics and advertising SDKs that share data with third parties require child-safety checks before initialization.",
+      "patterns": [
+        { "pattern": "(?:facebook|google|amplitude|mixpanel|segment)\\.(?:track|identify|log|init)", "flags": "gi" },
+        { "pattern": "(?:AdMob|MoPub|UnityAds|IronSource|AppLovin|InMobi)", "flags": "g" },
+        { "pattern": "(?:ad|advertising)SDK\\.init", "flags": "gi" },
+        { "pattern": "(?:databroker|dataBroker|sellData|dataMarketplace)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Before initializing third-party SDKs, check user age and disable data sharing for children. Use child-directed SDK configurations (e.g., tag_for_child_directed_treatment). Do not share children's data with data brokers or ad networks. See ICO AADC Standard 9.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/9-data-sharing/"
+    },
+    {
+      "id": "aadc-geolocation-005",
+      "name": "Geolocation Enabled by Default",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "geolocation",
+      "description": "AADC Standard 10 requires geolocation options to be switched off by default. Location tracking, sharing, and high-accuracy positioning must not be activated without explicit user action.",
+      "patterns": [
+        { "pattern": "(?:geolocation|location(?:Tracking|Sharing|Service))(?:Enabled|Active|On|Default)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:enableLocation|shareLocation|trackLocation)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:enableHighAccuracy|highAccuracy)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Set geolocation to off by default. Require explicit user action to enable location services. When location is active, provide a prominent visible indicator. Location sharing with others should reset to off at end of session. See ICO AADC Standard 10.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "auto",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/10-geolocation/"
+    },
+    {
+      "id": "aadc-geolocation-006",
+      "name": "Continuous Background Location Tracking",
+      "severity": "high",
+      "confidence": "high",
+      "category": "geolocation",
+      "description": "AADC Standard 10 requires using minimum granularity for geolocation. Continuous background location tracking or watch-based location monitoring collects excessive positional data from children.",
+      "patterns": [
+        { "pattern": "(?:backgroundLocation|Background.*Location.*Mode|backgroundLocationUpdate)", "flags": "gi" },
+        { "pattern": "startUpdatingLocation|requestLocationUpdates|LocationManager.*startMonitoring", "flags": "g" },
+        { "pattern": "navigator\\.geolocation\\.watchPosition", "flags": "g" }
+      ],
+      "fix_suggestion": "Use single-point location requests instead of continuous monitoring. Avoid background location tracking. Use the minimum granularity needed (e.g., city-level rather than precise coordinates). See ICO AADC Standard 10.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/10-geolocation/"
+    },
+    {
+      "id": "aadc-profiling-007",
+      "name": "Profiling or Algorithmic Feed Enabled by Default",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "profiling",
+      "description": "AADC Standard 12 requires profiling to be switched off by default for children. Algorithmic content feeds, behavioral profiling, and personalization engines must not be active without explicit opt-in.",
+      "patterns": [
+        { "pattern": "(?:profiling|personaliz(?:e|ation)|algorithmicFeed)(?:Enabled|Active|On|Default)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:enableProfiling|enablePersonalization)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:behaviorProfile|userProfile|interestGraph)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:userSegment|audienceSegment|cohort)\\s*[:=]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Switch profiling off by default. Provide a chronological or non-personalized feed as the default experience. Only enable algorithmic personalization if the child actively opts in. See ICO AADC Standard 12.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/12-profiling/"
+    },
+    {
+      "id": "aadc-profiling-008",
+      "name": "Behavioral Data Collection for Recommendation Engine",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "profiling",
+      "description": "AADC Standard 12 restricts profiling children. Collecting behavioral data (interests, habits, browsing patterns) to feed recommendation algorithms requires safeguards to protect children from harmful content amplification.",
+      "patterns": [
+        { "pattern": "(?:trackBehavior|behavioralData|browsingHistory|viewHistory|watchHistory)", "flags": "gi" },
+        { "pattern": "(?:recommend|suggest).*(?:algorithm|engine|model|ml)", "flags": "gi" },
+        { "pattern": "(?:contentRecommend|personalizedFeed|forYou|fyp)", "flags": "gi" }
+      ],
+      "fix_suggestion": "If using recommendation algorithms, implement age-appropriate content filtering. Do not amplify harmful, addictive, or age-inappropriate content to children. Provide transparency about why content is recommended. See ICO AADC Standard 12.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/12-profiling/"
+    },
+    {
+      "id": "aadc-nudge-009",
+      "name": "Pre-Checked Consent or Privacy Boxes",
+      "severity": "high",
+      "confidence": "high",
+      "category": "dark-patterns",
+      "description": "AADC Standard 13 prohibits nudge techniques that lead children to weaken or turn off privacy protections. Pre-checked consent, marketing, or data-sharing boxes are a nudge that defaults to less privacy.",
+      "patterns": [
+        { "pattern": "(?:checked|defaultChecked|preChecked)\\s*[:=]\\s*true.*(?:consent|share|track|market|newsletter|terms)", "flags": "gi" },
+        { "pattern": "(?:consent|share|track|market|newsletter|terms).*(?:checked|defaultChecked|preChecked)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "<input[^>]*checked[^>]*(?:consent|agree|marketing|newsletter|share)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove all pre-checked consent and data-sharing boxes. Consent inputs should start unchecked, requiring active selection by the user. This applies to marketing consent, newsletter signups, data sharing agreements, and privacy preferences. See ICO AADC Standard 13.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "html", "php", "python"],
+      "packs": ["uk-aadc"],
+      "fixability": "auto",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/13-nudge-techniques/"
+    },
+    {
+      "id": "aadc-nudge-010",
+      "name": "Confirmshaming or Guilt-Based Privacy Nudge",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "dark-patterns",
+      "description": "AADC Standard 13 prohibits exploiting psychological processes to weaken children's privacy. Confirmshaming uses guilt, shame, or fear-of-missing-out language to pressure users into sharing more data or accepting weaker privacy settings.",
+      "patterns": [
+        { "pattern": "(?:confirmSham|guiltTrip|shameText|shameModal|fomo(?:Text|Message|Modal))", "flags": "gi" },
+        { "pattern": "(?:are you sure|really want to|miss out|lose access).*(?:privacy|private|restrict|decline)", "flags": "gi" },
+        { "pattern": "(?:everyone.(?:else\\s)?is|your friends are|left behind|missing out).*(?:share|public|join)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Present privacy choices neutrally without emotional manipulation. Avoid language that makes children feel bad for choosing privacy. Do not imply social exclusion or loss for choosing restrictive settings. See ICO AADC Standard 13.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "html", "python"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/13-nudge-techniques/"
+    },
+    {
+      "id": "aadc-nudge-011",
+      "name": "Privacy-Weakening Reward Mechanism",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "dark-patterns",
+      "description": "AADC Standard 13 prohibits nudges that lead children to provide unnecessary personal data. Offering rewards, unlocks, or premium features in exchange for sharing more data or making profiles public incentivizes weaker privacy.",
+      "patterns": [
+        { "pattern": "(?:unlock|bonus|reward|premium|upgrade).*(?:share|public|visible|data|profile)", "flags": "gi" },
+        { "pattern": "(?:shareMore|goPublic|makeVisible).*(?:unlock|get|earn|reward|access)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not gate features or rewards behind data sharing or public profile requirements. Core service features should be available regardless of privacy settings. See ICO AADC Standard 13.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/13-nudge-techniques/"
+    },
+    {
+      "id": "aadc-age-012",
+      "name": "Weak Age Gate Using Self-Declaration Only",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "age-assurance",
+      "description": "AADC Standard 3 requires a risk-based approach to recognizing user age. Simple self-declaration checkboxes or dropdowns ('Are you over 13?') are easily bypassed and provide inadequate age assurance for high-risk services.",
+      "patterns": [
+        { "pattern": "(?:isOver13|isOver18|isAdult|isMinor)\\s*[:=]\\s*(?:true|false|!?\\w+\\.checked)", "flags": "gi" },
+        { "pattern": "(?:ageGate|age_gate|ageCheck|age_check).*(?:checkbox|select|dropdown|input)", "flags": "gi" },
+        { "pattern": "(?:age|birth).*(?:self.?report|self.?declare|self.?certif)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a risk-based age assurance approach. For high-risk services, use age estimation technology, identity verification, or neutral age estimation rather than simple self-declaration. If unable to verify age, apply the code's standards to all users. See ICO AADC Standard 3.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "html"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/3-age-appropriate-application/"
+    },
+    {
+      "id": "aadc-detrimental-013",
+      "name": "Targeted Advertising to Minors",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "advertising",
+      "description": "AADC Standard 5 prohibits using children's personal data in ways detrimental to their wellbeing. Targeted advertising using children's behavioral data, profiles, or personal information is a detrimental use under the code.",
+      "patterns": [
+        { "pattern": "(?:targetedAd|personalized(?:Ad|Advert)|behavioralAd).*(?:child|minor|student|kid|teen)", "flags": "gi" },
+        { "pattern": "(?:child|minor|student|kid|teen).*(?:adTarget|targetAd|personalized(?:Ad|Advert))", "flags": "gi" },
+        { "pattern": "(?:childProfile|minorProfile|studentProfile).*(?:ad|marketing|monetize)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not serve targeted or personalized advertising to children. Use only contextual advertising (based on page content, not user data) if advertising is necessary. See ICO AADC Standard 5.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/5-detrimental-use-of-data/"
+    },
+    {
+      "id": "aadc-parental-014",
+      "name": "Covert Child Monitoring Without Notification",
+      "severity": "high",
+      "confidence": "high",
+      "category": "parental-controls",
+      "description": "AADC Standard 11 requires that if parental monitoring or tracking features are active, the child must be given an obvious sign. Covert surveillance features that hide monitoring from the child violate this standard.",
+      "patterns": [
+        { "pattern": "(?:silentTrack|hiddenMonitor|stealthMode|covertMonitor|invisibleTrack)", "flags": "gi" },
+        { "pattern": "(?:hideTracking|invisible.*monitor|stealth.*(?:parent|track|monitor))", "flags": "gi" },
+        { "pattern": "(?:parentalMonitor|parentTrack|monitorChild|childTrack|parentalSpy)", "flags": "gi" }
+      ],
+      "fix_suggestion": "When parental monitoring or tracking is active, display a clear, prominent indicator visible to the child. Provide age-appropriate explanations of what monitoring is active. Respect the child's growing autonomy. See ICO AADC Standard 11.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/11-parental-controls/"
+    },
+    {
+      "id": "aadc-tools-015",
+      "name": "User Content Without Report or Block Mechanism",
+      "severity": "medium",
+      "confidence": "medium",
+      "category": "safety",
+      "description": "AADC Standard 15 requires prominent tools to help children report concerns. AADC Standard 6 requires active content moderation. User-generated content (comments, messages, posts) without report, flag, or block mechanisms fails both standards.",
+      "patterns": [
+        { "pattern": "(?:comment|post|message|chat).*(?:submit|publish|send)(?![\\s\\S]{0,1000}(?:report|flag|block|moderate|filter))", "flags": "gi" },
+        { "pattern": "(?:directMessage|privateChat|sendMessage|userChat)(?![\\s\\S]{0,500}(?:report|block|moderate|filter))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add prominent report, flag, and block mechanisms alongside all user-generated content features. Implement content moderation for user communications. Provide children with easy ways to report harmful content. See ICO AADC Standards 6 and 15.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/15-online-tools/"
+    },
+
+    {
+      "id": "dsa-ad-profiling-001",
+      "name": "Profiling-Based Ad Targeting Without Minor Exclusion",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "advertising",
+      "description": "DSA Article 28(2) strictly prohibits presenting advertisements based on profiling using personal data when the platform is aware with reasonable certainty that the recipient is a minor. This ban cannot be overridden by parental consent.",
+      "patterns": [
+        { "pattern": "(?:targetAudience|behavioralTarget|interest_based|personalized_ad|profile_target)", "flags": "gi" },
+        { "pattern": "(?:adPersonalization|ad_personalization|personalized_ads)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:targeting|retargeting|remarketing)\\s*[:=].*(?:interest|behavior|engagement|browsing)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Before serving ads, check if the user is a minor. If so, disable all profiling-based ad targeting. Only contextual advertising (based on page content, not user data) is permitted for minors under DSA Article 28(2). This restriction cannot be waived by parental consent.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-autoplay-002",
+      "name": "Media Autoplay Without Minor-Conditional Default",
+      "severity": "high",
+      "confidence": "high",
+      "category": "addictive-design",
+      "description": "DSA Article 28(1) Guidelines require autoplay of video/audio content to be disabled by default for minor users. Autoplay drives extended engagement and undermines minors' ability to control their usage.",
+      "patterns": [
+        { "pattern": "autoplay|autoPlay|auto_play", "flags": "gi" },
+        { "pattern": "\\.play\\(\\)", "flags": "g" },
+        { "pattern": "(?:autoplay|autoPlay|auto_play)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable autoplay by default for minor users. Require explicit user action to play media content. If autoplay is needed, gate it behind an age check and provide prominent controls to pause or stop playback. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "html", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "auto",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-infinite-scroll-003",
+      "name": "Infinite Scroll Without Minor Gating",
+      "severity": "high",
+      "confidence": "high",
+      "category": "addictive-design",
+      "description": "DSA Article 28(1) Guidelines require continuous content delivery mechanisms (infinite scroll) to be disabled by default for minors. Infinite scroll exploits psychological mechanisms to extend session times beyond user intent.",
+      "patterns": [
+        { "pattern": "(?:InfiniteScroll|infinite.?scroll|useInfiniteScroll)", "flags": "gi" },
+        { "pattern": "IntersectionObserver.*(?:load.?more|next.?page|fetch.?more)", "flags": "gi" },
+        { "pattern": "(?:onEndReached|onScrollEnd|loadMore|infiniteLoad)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable infinite scroll by default for minor users. Provide pagination or a 'Load More' button that requires deliberate action. Include session time awareness features (e.g., 'You've been scrolling for X minutes'). See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-push-notify-004",
+      "name": "Push Notification Registration Without Minor Checks",
+      "severity": "high",
+      "confidence": "high",
+      "category": "notifications",
+      "description": "DSA Article 28(1) Guidelines require push notifications to be disabled by default for minors, with additional restrictions during core sleep hours. Notification registration without age-gating or time-of-day restrictions violates this requirement.",
+      "patterns": [
+        { "pattern": "Notification\\.requestPermission", "flags": "g" },
+        { "pattern": "PushManager\\.subscribe", "flags": "g" },
+        { "pattern": "(?:firebase\\.messaging|FCM|APNs)\\.(?:getToken|requestPermission|register)", "flags": "gi" },
+        { "pattern": "registerForRemoteNotifications|requestNotificationPermission", "flags": "g" }
+      ],
+      "fix_suggestion": "Disable push notifications by default for minor users. If notifications are enabled, restrict them during sleep hours (typically 10pm-7am based on age). Require explicit opt-in and provide granular notification controls. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-streak-005",
+      "name": "Streak or Engagement Loop Mechanics",
+      "severity": "high",
+      "confidence": "high",
+      "category": "addictive-design",
+      "description": "DSA Article 28(1) Guidelines require streak mechanics and daily engagement reward loops to be disabled by default for minors. These patterns create compulsive usage through loss aversion and variable reward schedules.",
+      "patterns": [
+        { "pattern": "(?:streakCount|streak_count|dailyStreak|daily_streak|consecutiveDays|consecutive_days)", "flags": "gi" },
+        { "pattern": "(?:streakReward|streak_reward|streakBonus|streak_bonus)", "flags": "gi" },
+        { "pattern": "(?:loseStreak|lose_streak|streakBroken|streak_broken|resetStreak|reset_streak)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable streak mechanics by default for minor users. If streaks are offered, ensure they do not penalize users for breaks and do not create anxiety about losing progress. Consider replacing streaks with non-compulsive engagement features. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-recommender-006",
+      "name": "Behavioral Recommendation Without Non-Profiled Alternative",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "profiling",
+      "description": "DSA Articles 27 and 28 require platforms to offer at least one recommendation option that is not based on profiling and to make it the default for minors. Engagement-based signals (watch time, dwell time, scroll depth) in recommender systems without a non-profiled fallback violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:watchTime|watch_time|dwellTime|dwell_time|engagementScore|engagement_score)", "flags": "gi" },
+        { "pattern": "(?:clickThroughRate|click_through_rate|scrollDepth|scroll_depth|viewingHistory|viewing_history)", "flags": "gi" },
+        { "pattern": "(?:implicitSignal|implicit_signal|behavioralSignal|behavioral_signal)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Provide a chronological or editorial feed as the default experience for minor users. If using algorithmic recommendations, ensure a non-profiled alternative is easily accessible and set as default. Prioritize explicit user preferences over implicit behavioral signals. See DSA Articles 27 and 28.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_27.html"
+    },
+    {
+      "id": "dsa-cross-tracking-007",
+      "name": "Cross-Platform Tracking of Minors",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "tracking",
+      "description": "DSA Article 28(1) Guidelines restrict using minors' activity across or beyond the platform unless it serves the best interests of the minor. Cross-site tracking, device fingerprinting, and cross-app identifiers used for profiling minors violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:thirdPartyCookie|third_party_cookie|crossSiteTrack|cross_site_track)", "flags": "gi" },
+        { "pattern": "(?:deviceFingerprint|device_fingerprint|browserFingerprint|browser_fingerprint)", "flags": "gi" },
+        { "pattern": "(?:crossAppId|cross_app_id|advertisingId|advertising_id|IDFA|GAID)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not use cross-platform tracking identifiers for minors. Disable third-party cookies, device fingerprinting, and advertising identifiers for users known to be under 18. Activity tracking must be limited to the current platform and session. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-ai-disclosure-008",
+      "name": "AI or Chatbot Interaction Without Disclosure",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "transparency",
+      "description": "DSA Article 28(1) Guidelines require clear, persistent signals when minors are interacting with AI rather than humans. AI features (chatbots, AI-generated responses, AI-powered filters) must be opt-in for minors, not automatically enabled.",
+      "patterns": [
+        { "pattern": "(?:chatbot|ChatBot|chat_bot|AiAssistant|ai_assistant|virtualAssistant)", "flags": "gi" },
+        { "pattern": "(?:generateResponse|aiResponse|ai_response|llmOutput|llm_output|completionApi)", "flags": "gi" },
+        { "pattern": "(?:syntheticContent|synthetic_content|aiGenerated|ai_generated)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Display a clear, persistent, child-friendly indicator when a minor is interacting with AI rather than a human. AI chatbots, AI-generated content, and AI-powered features must require explicit opt-in for minor users. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-ephemeral-009",
+      "name": "Ephemeral or Disappearing Content Feature",
+      "severity": "medium",
+      "confidence": "high",
+      "category": "addictive-design",
+      "description": "DSA Article 28(1) Guidelines require disappearing/ephemeral content features (Stories-style) to be disabled by default for minors. These features create urgency and FOMO, driving compulsive checking behavior.",
+      "patterns": [
+        { "pattern": "(?:ephemeral|disappearing|selfDestruct|self_destruct|expiringContent|expiring_content)", "flags": "gi" },
+        { "pattern": "(?:storyDuration|story_duration|storyExpire|story_expire|viewOnce|view_once)", "flags": "gi" },
+        { "pattern": "(?:ephemeralMessage|ephemeral_message|tempContent|temp_content)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable disappearing/ephemeral content features by default for minor users. If offered, ensure content expiration does not create artificial urgency. Allow minors to review content without time pressure. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "dsa-read-receipts-010",
+      "name": "Read Receipts or Typing Indicators Enabled by Default",
+      "severity": "medium",
+      "confidence": "high",
+      "category": "privacy",
+      "description": "DSA Article 28(1) Guidelines require read receipts and typing indicators to be disabled by default for minor users. These features create social pressure to respond immediately and can enable monitoring and bullying.",
+      "patterns": [
+        { "pattern": "(?:readReceipt|read_receipt|readStatus|read_status|seenStatus|seen_status)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:typingIndicator|typing_indicator|isTyping|is_typing)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:showRead|show_read|markAsRead|mark_as_read).*(?:visible|enabled|default)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable read receipts and typing indicators by default for minor users. Allow minors to choose whether to share their read status and typing activity. These features should require explicit opt-in. See DSA Article 28(1) Guidelines.",
+      "penalty": "Up to 6% of annual global turnover (DSA Article 52)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["eu-dsa"],
+      "fixability": "auto",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.eu-digital-services-act.com/Digital_Services_Act_Article_28.html"
+    },
+    {
+      "id": "caadca-privacy-001",
+      "name": "Default Tracking Enabled",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "privacy-defaults",
+      "description": "CAADCA requires default high-privacy settings for children. Tracking, analytics, or telemetry must be OFF by default. Code that initializes tracking as enabled without explicit consent violates CAADCA Section 31(b)(7).",
+      "patterns": [
+        { "pattern": "(?:trackingEnabled|tracking_enabled|enableTracking|enable_tracking)\\s*[:=]\\s*(?:true|1)", "flags": "gi" },
+        { "pattern": "(?:analytics|telemetry|tracking)\\s*[:=]\\s*\\{[^}]*(?:enabled|active|on)\\s*:\\s*true", "flags": "gi" },
+        { "pattern": "(?:doNotTrack|do_not_track|dnt)\\s*[:=]\\s*(?:false|0)", "flags": "gi" },
+        { "pattern": "(?:optOut|opt_out)\\s*[:=]\\s*false\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Set tracking, analytics, and telemetry to OFF by default. Require explicit opt-in consent before enabling any data collection. Children should not be tracked by default under CAADCA.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "auto",
+      "transform_type": "set-default",
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-privacy-002",
+      "name": "Analytics Without Privacy Mode",
+      "severity": "high",
+      "confidence": "low",
+      "category": "privacy-defaults",
+      "description": "CAADCA requires privacy-protective defaults. Analytics SDKs must be initialized with privacy mode, anonymization, or child-safe configuration. Code that initializes analytics without privacy protections may violate CAADCA.",
+      "patterns": [
+        { "pattern": "(?:GoogleAnalytics|ReactGA|gtag|ga)\\s*(?:\\.|\\()\\s*(?:init|initialize|create)\\s*\\((?![^)]*(?:anonym|privacy|child|coppa|restrict))", "flags": "gi" },
+        { "pattern": "(?:Amplitude|Mixpanel|Segment|Heap|FullStory)\\s*\\.\\s*(?:init|initialize|setup)\\s*\\((?![^)]*(?:anonym|privacy|child|restrict))", "flags": "gi" },
+        { "pattern": "(?:anonymizeIp|anonymize_ip|ip_anonymization)\\s*[:=]\\s*(?:false|0)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Initialize analytics with privacy mode enabled: anonymize IPs, disable user-level tracking, enable child-safe mode. Consider using privacy-preserving analytics alternatives.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-age-001",
+      "name": "Missing Age Estimation or Verification",
+      "severity": "high",
+      "confidence": "low",
+      "category": "age-estimation",
+      "description": "CAADCA Section 31(b)(1) requires businesses to estimate the age of child users with a reasonable level of certainty. Registration or signup flows that collect no age indicator violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:createUser|create_user|registerUser|register_user|signUp|sign_up)\\s*\\((?![^)]*(?:age|dob|birthdate|birth_?date|date_?of_?birth))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:onboard|signup|register)(?:Form|Page|Screen|Component|View)\\b(?![^\\n]*(?:age|dob|birthdate|dateOfBirth))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add age estimation to your registration flow: collect date of birth, use an age estimation API, or implement neutral age screening. CAADCA requires 'reasonable certainty' that users are not children.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "html", "tsx", "jsx"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-profiling-001",
+      "name": "Behavioral Profiling Without Safeguards",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "profiling",
+      "description": "CAADCA Section 31(b)(4) prohibits profiling children by default. Code that builds behavioral profiles, interest graphs, or user segments without age-checking or child safeguards violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:buildProfile|build_profile|createProfile|create_profile|userProfile|user_profile)\\s*(?:\\(|[:=])(?![^\\n]*(?:age|child|minor|under_?18|safeguard))", "flags": "gi" },
+        { "pattern": "(?:interestGraph|interest_graph|behaviorProfile|behavior_profile|userSegment|user_segment)\\s*[:=]", "flags": "gi" },
+        { "pattern": "(?:trackBehavior|track_behavior|logActivity|log_activity|recordAction|record_action)\\s*\\((?![^)]*(?:consent|age|child|privacy))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable behavioral profiling by default for users who may be children. If profiling is necessary, implement age verification first and apply heightened protections for children under 18.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-profiling-002",
+      "name": "Content Recommendation Without Age Filter",
+      "severity": "high",
+      "confidence": "low",
+      "category": "profiling",
+      "description": "CAADCA requires transparent, age-appropriate content recommendations. Recommendation engines that lack age-based filtering or content rating checks may expose children to harmful content.",
+      "patterns": [
+        { "pattern": "(?:recommend|getRecommendations|get_recommendations|suggestContent|suggest_content)\\s*\\((?![^)]*(?:age|rating|maturity|child|filter))", "flags": "gi" },
+        { "pattern": "(?:contentFeed|content_feed|forYou|for_you|discover)(?:Algorithm|Engine|Service)\\b(?![^\\n]*(?:age|rating|child|safe))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add age-based filtering to content recommendations. Implement content rating checks and exclude age-inappropriate material for child users. Make recommendation logic transparent per CAADCA requirements.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-darkpat-001",
+      "name": "Manipulative Consent UI",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "dark-patterns",
+      "description": "CAADCA Section 31(b)(7) prohibits dark patterns that lead children to provide unnecessary personal information, weaken privacy settings, or extend use. UI patterns like 'skip' or 'continue without' on consent screens are manipulative.",
+      "patterns": [
+        { "pattern": "(?:skip|dismiss|later|not now|maybe later|no thanks|continue without)(?:Consent|Privacy|Permission|Setup)\\b", "flags": "gi" },
+        { "pattern": ">\\s*(?:Skip|No thanks|Not now|Maybe later|Continue without|I don't care)\\s*<", "flags": "gi" },
+        { "pattern": "(?:text-(?:xs|sm)|opacity-(?:50|60|70)|text-gray-(?:300|400)|color:\\s*#(?:ccc|ddd|999)).*(?:decline|reject|opt.?out|privacy)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Present consent choices with equal visual weight. Don't make privacy-protective options harder to find or smaller than privacy-invasive options. Avoid manipulative language that pressures children to share data.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx", "vue", "svelte"],
+      "packs": ["caadca"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-darkpat-002",
+      "name": "Urgency-Creating Countdown Timer",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "dark-patterns",
+      "description": "CAADCA prohibits dark patterns that exploit children. Countdown timers on offers, limited-time promotions, or fear-of-missing-out (FOMO) mechanics are manipulative design patterns targeting children.",
+      "patterns": [
+        { "pattern": "(?:countdown|timer|timeLeft|time_left|expiresIn|expires_in|hurry|limited.?time|act.?now|last.?chance)(?:Component|Timer|Widget|Banner)\\b", "flags": "gi" },
+        { "pattern": "(?:setInterval|setTimeout)\\s*\\([^)]*(?:countdown|timer|remaining|expir|urgent|hurry)", "flags": "gi" },
+        { "pattern": "(?:FOMO|fomo|scarcity|urgency)(?:Banner|Modal|Popup|Alert|Notification)\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Remove urgency-creating countdown timers, FOMO mechanics, and limited-time pressure from child-facing interfaces. CAADCA prohibits manipulative design that exploits children's vulnerability to pressure tactics.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx", "vue", "svelte"],
+      "packs": ["caadca"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-darkpat-003",
+      "name": "Confirmshaming Pattern",
+      "severity": "medium",
+      "confidence": "medium",
+      "category": "dark-patterns",
+      "description": "CAADCA prohibits manipulative design patterns that shame children into making privacy-invasive choices. Confirmshaming uses guilt-inducing language on opt-out or decline buttons.",
+      "patterns": [
+        { "pattern": ">\\s*(?:No,? I don't want|I prefer not to|I'll miss out|No,? I hate saving|I don't like)\\s*", "flags": "gi" },
+        { "pattern": "(?:confirmshaming|confirm_shaming|guiltTrip|guilt_trip|shameButton|shame_button)\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Use neutral, non-manipulative language for all opt-out and decline options. Replace confirmshaming copy with straightforward alternatives like 'No thanks' or 'Decline'.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx", "vue", "svelte"],
+      "packs": ["caadca"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-geo-001",
+      "name": "Precise Geolocation Without Purpose",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "geolocation",
+      "description": "CAADCA Section 31(b)(3) restricts collecting children's precise geolocation. Code that requests fine-grained location (GPS) without a clear, necessary purpose violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:getCurrentPosition|watchPosition|geolocation\\.get)\\s*\\((?![^)]*(?:coarse|approximate|city|region|purpose|reason))", "flags": "gi" },
+        { "pattern": "(?:enableHighAccuracy|high_accuracy)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:ACCESS_FINE_LOCATION|kCLLocationAccuracyBest|kCLLocationAccuracyNearestTenMeters)", "flags": "g" },
+        { "pattern": "(?:latitude|longitude|lat|lng|coordinates).*(?:store|save|persist|track|log|send|upload)\\s*\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Use coarse/approximate location (city-level) instead of precise GPS coordinates. Only request fine-grained location when strictly necessary for core functionality. Never persistently track a child's location.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-datamin-001",
+      "name": "Excessive Data Collection",
+      "severity": "high",
+      "confidence": "low",
+      "category": "data-minimization",
+      "description": "CAADCA Section 31(b)(3) requires data minimization — only collect personal information that is reasonably necessary. Code that collects extensive personal data fields beyond what the service needs may violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:collectData|collect_data|gatherInfo|gather_info|harvestData|harvest_data)\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:required|mandatory)\\s*[:=]\\s*true[^\\n]*(?:phone|address|school|gender|ethnicity|income|ssn|social_security)", "flags": "gi" },
+        { "pattern": "(?:deviceFingerprint|device_fingerprint|browserFingerprint|browser_fingerprint|canvasFingerprint|canvas_fingerprint)\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Only collect data that is strictly necessary for the service's core functionality. Remove collection of non-essential fields. Implement data minimization by design per CAADCA requirements.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-iap-001",
+      "name": "One-Click Purchase Without Confirmation",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "in-app-purchases",
+      "description": "CAADCA requires friction in purchase flows for children. One-click or instant purchases without a confirmation step can lead to unauthorized spending by minors.",
+      "patterns": [
+        { "pattern": "(?:oneClickPurchase|one_click_purchase|instantPurchase|instant_purchase|quickBuy|quick_buy)\\b", "flags": "gi" },
+        { "pattern": "(?:purchase|buy|checkout|pay)\\s*\\((?![^)]*(?:confirm|verify|approve|consent|auth))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:skipConfirmation|skip_confirmation|autoCharge|auto_charge|autoPurchase|auto_purchase)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add a confirmation step before any purchase. Require explicit confirmation (e.g., 'Are you sure?' dialog) before processing payments. For children, require parental authentication for purchases.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-iap-002",
+      "name": "In-App Purchase Without Parental Gate",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "in-app-purchases",
+      "description": "CAADCA requires parental consent for financial transactions involving children. In-app purchase flows that don't check for age or parental authorization expose children to unauthorized spending.",
+      "patterns": [
+        { "pattern": "(?:makePurchase|make_purchase|processPurchase|process_purchase|completePurchase|complete_purchase)\\s*\\((?![^)]*(?:parent|guardian|age|minor|child|consent))", "flags": "gi" },
+        { "pattern": "(?:virtualCurrency|virtual_currency|coins|gems|vbucks|robux).*(?:purchase|buy|spend)\\s*\\((?![^)]*(?:parent|guardian|consent|auth))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add parental authentication or consent before allowing in-app purchases for users who may be children. Implement age-gating and require parental approval for virtual currency purchases.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-notify-001",
+      "name": "Push Notifications Without Frequency Limit",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "notifications",
+      "description": "CAADCA prohibits features that encourage excessive use by children. Push notifications without frequency limits or quiet hours can manipulate children into compulsive engagement.",
+      "patterns": [
+        { "pattern": "(?:sendNotification|send_notification|pushNotification|push_notification|sendPush|send_push)\\s*\\((?![^)]*(?:limit|throttle|frequency|quiet|schedule|age|child))", "flags": "gi" },
+        { "pattern": "(?:notificationFrequency|notification_frequency|pushFrequency|push_frequency)\\s*[:=]\\s*(?:unlimited|0|null|undefined)", "flags": "gi" },
+        { "pattern": "(?:streakReminder|streak_reminder|comeBackNotification|come_back_notification|missYou|miss_you)\\b", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement notification frequency limits and quiet hours for child users. Disable streak-based and FOMO notifications. Allow children to control notification settings easily.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-transparency-001",
+      "name": "Missing Child-Friendly Privacy Notice",
+      "severity": "high",
+      "confidence": "low",
+      "category": "transparency",
+      "description": "CAADCA Section 31(b)(6) requires privacy information to be provided in clear, age-appropriate language. Registration forms and data collection points must include prominent, child-friendly privacy disclosures.",
+      "patterns": [
+        { "pattern": "<form[^>]*(?:id|class|name)\\s*=\\s*[\"'][^\"']*(?:register|signup|sign[-_]up|create[-_]account)[^\"']*[\"'](?![\\s\\S]{0,500}(?:privacy|data|information|collected|shared|used))", "flags": "gi" },
+        { "pattern": "(?:termsAndConditions|terms_and_conditions|tosAccepted|tos_accepted)\\s*(?:&&|\\|\\|)\\s*(?!.*(?:privacyPolicy|privacy_policy|privacyNotice|privacy_notice))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add a clear, child-friendly privacy notice to all data collection points. Use simple language explaining what data is collected, why, and who has access. Include a prominent link to your privacy policy.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "html", "tsx", "jsx", "vue", "svelte"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "caadca-ads-001",
+      "name": "Targeted Advertising to Children",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "advertising",
+      "description": "CAADCA Section 31(b)(4) prohibits profiling children for targeted advertising. Code that serves behavioral or targeted ads without age verification violates this requirement.",
+      "patterns": [
+        { "pattern": "(?:targetedAd|targeted_ad|personalizedAd|personalized_ad|behavioralAd|behavioral_ad)\\s*(?:\\(|[:=])(?![^\\n]*(?:age|child|minor|disable|restrict))", "flags": "gi" },
+        { "pattern": "(?:AdMob|GoogleAds|FacebookAds|adNetwork|ad_network)\\s*\\.\\s*(?:show|display|load|request)\\s*\\((?![^)]*(?:child|minor|age|coppa|restrict))", "flags": "gi" },
+        { "pattern": "(?:adPersonalization|ad_personalization|adTargeting|ad_targeting)\\s*[:=]\\s*(?:true|1|'enabled'|\"enabled\")", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disable targeted and behavioral advertising for users who may be children. Use only contextual (non-personalized) ads. Implement age verification before serving personalized advertising.",
+      "penalty": "$2,500-$7,500 per affected child",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["caadca"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-001",
+      "name": "Missing Age Verification at Registration",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Account creation or signup flow detected without age verification. The AU Online Safety Act 2021 (as amended 2024) s.63B requires social media platforms to take reasonable steps to verify that users are aged 16 or over before allowing account creation. Registration flows must include age assurance mechanisms — not just self-declaration.",
+      "patterns": [
+        { "pattern": "(?:createAccount|create_account|registerUser|register_user)\\s*\\((?![^)]*(?:age|dob|dateOfBirth|date_of_birth|birthDate|birth_date|ageVerif|ageCheck|age_check|verifyAge|verify_age))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:signUp|sign_up|onboardUser|onboard_user)\\s*\\((?![^)]*(?:age|dob|dateOfBirth|date_of_birth|birthDate|birth_date|ageVerif|ageCheck|verify_age))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:UserRegistration|AccountCreation|SignupService)\\s*\\.\\s*(?:create|register|submit|process)\\s*\\((?![^)]*(?:age|birth|dob|verif))", "flags": "gi" },
+        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts|members)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" },
+        { "pattern": "(?:router|app)\\.(?:post|put)\\s*\\(\\s*['\"](?:\\/register|\\/signup|\\/create-account)['\"](?![^\\n]*(?:ageGate|age_gate|ageVerif|age_verif|checkAge|check_age))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add an age verification step before account creation. Under AU OSA s.63B, social media services must use reasonably effective age assurance to prevent under-16s from creating accounts. Implement identity-based verification (document check, biometric estimation, or digital ID) — not just self-declaration.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-002",
+      "name": "Self-Declaration Age Check",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Reliance on self-declared age (checkbox, simple DOB field without verification) detected. The AU Online Safety Act 2021 (as amended 2024) s.63C requires 'reasonably effective' age assurance — simple self-declaration (e.g., 'I am over 16' checkbox or unverified date-of-birth entry) does not meet this threshold. Platforms must use technology-based age assurance methods.",
+      "patterns": [
+        { "pattern": "(?:isOver16|is_over_16|isOver18|is_over_18|isAdult|is_adult|ageConfirmed|age_confirmed)\\s*[:=]\\s*(?:true|false|checkbox|input)", "flags": "gi" },
+        { "pattern": "(?:ageGate|age_gate|ageCheck|age_check)\\s*[:=]\\s*['\"]?(?:self[_-]?declar|checkbox|honor|trust|confirm)['\"]?", "flags": "gi" },
+        { "pattern": "<input[^>]*(?:type=['\"](?:checkbox|date)['\"])[^>]*(?:age|birth|dob|over.?1[68])[^>]*>", "flags": "gi" },
+        { "pattern": "(?:confirmAge|confirm_age|declareAge|declare_age|ageDeclaration|age_declaration)\\s*(?:=|:|\\()", "flags": "gi" },
+        { "pattern": "(?:age_?verification_?method|ageVerificationMethod)\\s*[:=]\\s*['\"](?:self|declaration|checkbox|honor|dob_only)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace self-declaration age checks with a reasonably effective age assurance method. AU OSA s.63C requires technology-based verification such as biometric age estimation, digital identity document checks, or government-issued digital ID verification. A simple checkbox or unverified DOB field is insufficient.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-003",
+      "name": "Missing Under-16 Account Purge",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "online-safety",
+      "description": "Underage user detection without corresponding account deletion or data purge mechanism. When a social media platform determines a user is under 16, the AU Online Safety Act 2021 (as amended 2024) s.63D requires the platform to close the account and delete associated personal data. Failing to purge underage accounts exposes the platform to enforcement action by the eSafety Commissioner.",
+      "patterns": [
+        { "pattern": "(?:userAge|user_age|accountAge|account_age)\\s*(?:<|<=)\\s*1[68](?![^\\n]*(?:delete|purge|remove|close|disable|suspend|deactivate|terminate))", "flags": "gi" },
+        { "pattern": "(?:isMinor|is_minor|isUnderage|is_underage|isChild|is_child)\\s*[:=]\\s*true(?![^\\n]*(?:delete|purge|remove|close|disable|suspend|deactivate))", "flags": "gi" },
+        { "pattern": "(?:age|userAge|user_age)\\s*(?:<|<=)\\s*1[68]\\s*(?:\\)|\\{|&&|\\|\\|)(?![\\s\\S]{0,200}(?:deleteAccount|delete_account|purgeUser|purge_user|removeData|remove_data|closeAccount|close_account))", "flags": "gi" },
+        { "pattern": "(?:underage_?detected|minorDetected|minor_detected|failed_?age_?check|failedAgeCheck)\\s*(?:=|:|\\()(?![^\\n]*(?:delete|purge|remove|close|wipe|destroy))", "flags": "gi" }
+      ],
+      "fix_suggestion": "When a user is determined to be under 16, immediately close the account and delete all associated personal data. Implement an automated purge pipeline triggered by underage detection. AU OSA s.63D requires platforms to take reasonable steps to close accounts and remove data of users found to be under the minimum age.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-004",
+      "name": "Class 1/Class 2 Content Without Moderation",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "User-generated content upload or submission detected without content moderation, classification, or safety scanning. The AU Online Safety Act 2021 Schedule 2 classifies illegal content as Class 1 (e.g., CSAM, terrorism) and harmful content as Class 2 (e.g., violence, self-harm). Platforms must proactively detect and prevent distribution of such material under s.109 (BOSE determination).",
+      "patterns": [
+        { "pattern": "(?:uploadContent|upload_content|submitPost|submit_post|uploadImage|upload_image|uploadVideo|upload_video|uploadMedia|upload_media)\\s*\\((?![^)]*(?:moderate|classify|scan|filter|review|check|safety|csam|hash))", "flags": "gi" },
+        { "pattern": "(?:createPost|create_post|publishContent|publish_content|postContent|post_content)\\s*\\((?![^)]*(?:moderate|classify|scan|filter|review|check|safety))", "flags": "gi" },
+        { "pattern": "(?:multer|formidable|busboy|express-fileupload)\\s*\\((?![^\\n]*(?:contentModerat|content_moderat|photoScan|photo_scan|imageSafety|image_safety|hashCheck|hash_check))", "flags": "gi" },
+        { "pattern": "(?:S3|GCS|Azure|CloudStorage)\\.(?:upload|putObject|put_object|createBlob)\\s*\\((?![^\\n]*(?:moderate|scan|classify|filter|safety))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement content moderation before or immediately after content upload. Use automated scanning for Class 1 material (CSAM hash matching via PhotoDNA or similar), and classification/filtering for Class 2 material (violence, self-harm). AU OSA Schedule 2 and BOSE s.109 require proactive detection and rapid removal.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-005",
+      "name": "Content Removal SLA Non-Compliance",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Content reporting or flagging mechanism detected without time-bound removal or escalation workflow. The AU Online Safety Act 2021 s.88 empowers the eSafety Commissioner to issue removal notices requiring compliance within 24 hours. Platforms must have automated escalation and removal pipelines to meet this SLA.",
+      "patterns": [
+        { "pattern": "(?:reportContent|report_content|flagContent|flag_content|reportPost|report_post|flagPost|flag_post)\\s*(?:=|:|\\()(?![^\\n]*(?:autoRemove|auto_remove|queueReview|queue_review|removalSLA|removal_sla|escalat|removeWithin|remove_within|timer|deadline|sla))", "flags": "gi" },
+        { "pattern": "(?:contentReport|content_report|flaggedContent|flagged_content|reportQueue|report_queue)\\s*[:=]\\s*\\{(?![^}]*(?:sla|deadline|ttl|timeout|escalat|autoRemov|auto_remov|maxAge|max_age|expir))", "flags": "gi" },
+        { "pattern": "(?:handleReport|handle_report|processFlag|process_flag|reviewContent|review_content)\\s*\\((?![^)]*(?:sla|deadline|timeout|urgent|priority|escalat))", "flags": "gi" },
+        { "pattern": "(?:abuse_?report|safety_?report|harm_?report)\\s*(?:=|:|\\()(?![^\\n]*(?:24.?h|twenty.?four|sla|deadline|urgent|escalat|auto.?remov))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a time-bound content removal pipeline. AU OSA s.88 removal notices require compliance within 24 hours. Add SLA tracking, automated escalation for unresolved reports, and priority queuing for eSafety Commissioner notices. Ensure removal timestamps are logged for compliance auditing.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-006",
+      "name": "Minor Data Retention Without TTL",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Storage of child or minor user data without time-to-live, retention policy, or automatic deletion mechanism. The AU Online Safety Act 2021 BOSE determination (s.109) and Privacy Act 1988 APP 11.2 require data minimization and defined retention limits for personal information, particularly for minors. Data must not be kept longer than necessary.",
+      "patterns": [
+        { "pattern": "(?:childData|child_data|minorData|minor_data|kidProfile|kid_profile|childProfile|child_profile|underageData|underage_data)\\s*[:=]\\s*\\{(?![^}]*(?:ttl|expir|retention|deleteAfter|delete_after|maxAge|max_age|purge|cleanup))", "flags": "gi" },
+        { "pattern": "(?:userData|user_data|userProfile|user_profile|accountData|account_data)\\s*[:=]\\s*\\{[^}]*(?:isMinor|is_minor|isChild|is_child|age\\s*[:=]\\s*\\d)(?![^}]*(?:ttl|expir|retention|deleteAfter|delete_after|purge))", "flags": "gi" },
+        { "pattern": "(?:CREATE\\s+TABLE|createTable|defineSchema|Schema)\\s*[^;]*(?:child|minor|kid|youth|teen)[^;]*(?![^;]*(?:ttl|expir|retention|deleted_at|purge_at|cleanup))", "flags": "gi" },
+        { "pattern": "(?:store|save|persist|cache|retain)(?:Child|Minor|Youth|Kid|Teen)(?:Data|Profile|Record|Info)\\s*\\((?![^)]*(?:ttl|expir|retention|maxAge|max_age|purge))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add retention limits (TTL, expiresAt, or retention policy) to all data stores containing minor user information. Implement automated purge mechanisms. AU OSA BOSE (s.109) expects data minimization, and Privacy Act 1988 APP 11.2 requires deletion when data is no longer needed for its collected purpose.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-007",
+      "name": "Missing Safety Impact Assessment Hook",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "online-safety",
+      "description": "Feature launch, deployment, or rollout code detected without a safety assessment or risk evaluation step. The AU Online Safety Act 2021 BOSE determination (s.109) expects platforms to proactively assess the safety impact of new features before deployment, particularly features that affect minors or user-generated content.",
+      "patterns": [
+        { "pattern": "(?:featureLaunch|feature_launch|launchFeature|launch_feature|deployFeature|deploy_feature|rolloutFeature|rollout_feature)\\s*(?:=|:|\\()(?![^\\n]*(?:safetyReview|safety_review|impactAssess|impact_assess|riskEval|risk_eval|safetyCheck|safety_check))", "flags": "gi" },
+        { "pattern": "(?:featureFlag|feature_flag|featureToggle|feature_toggle)\\s*\\.\\s*(?:enable|activate|launch|rollout)\\s*\\((?![^)]*(?:safety|risk|assess|review|impact))", "flags": "gi" },
+        { "pattern": "(?:releaseFeature|release_feature|enableFeature|enable_feature|shipFeature|ship_feature)\\s*\\((?![^)]*(?:safety|risk|assess|review|impact|audit))", "flags": "gi" },
+        { "pattern": "(?:gradualRollout|gradual_rollout|canaryRelease|canary_release|abTest|ab_test)\\s*(?:=|:|\\()(?![^\\n]*(?:safety|risk|assess|impact|child|minor))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add a safety impact assessment gate before feature launches. Create a safetyReview() or impactAssessment() hook that evaluates potential harms to minors, content moderation implications, and regulatory compliance before enabling new features. AU OSA BOSE (s.109) expects proactive safety evaluation.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-008",
+      "name": "Missing Transparency Report Generation",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "online-safety",
+      "description": "Platform analytics, metrics, or reporting infrastructure detected without transparency report generation for safety compliance. The AU Online Safety Act 2021 BOSE determination (s.109) requires platforms to publish transparency reports covering content removal statistics, complaint resolution rates, and safety enforcement actions.",
+      "patterns": [
+        { "pattern": "(?:platformMetrics|platform_metrics|adminDashboard|admin_dashboard|analyticsReport|analytics_report|moderationStats|moderation_stats)\\s*(?:=|:|\\()(?![^\\n]*(?:transparencyReport|transparency_report|safetyMetrics|safety_metrics|complianceReport|compliance_report|publicReport|public_report))", "flags": "gi" },
+        { "pattern": "(?:generateReport|generate_report|exportMetrics|export_metrics|buildReport|build_report)\\s*\\((?![^)]*(?:transparency|compliance|safety|eSafety|esafety|public|removal|enforcement))", "flags": "gi" },
+        { "pattern": "(?:contentRemovalCount|removal_count|flaggedCount|flagged_count|reportCount|report_count)\\s*[:=](?![^\\n]*(?:transparencyReport|transparency_report|publicReport|public_report|publish|disclose))", "flags": "gi" },
+        { "pattern": "(?:moderationDashboard|moderation_dashboard|trustSafety|trust_safety|safetyOps|safety_ops)\\s*[:=]\\s*\\{(?![^}]*(?:transparency|public|disclose|publish|compliance))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement transparency report generation that publishes safety statistics including: content removal counts by category, average removal time, complaint resolution rates, and eSafety Commissioner notice compliance. AU OSA BOSE (s.109) requires platforms to be transparent about their safety practices.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-009",
+      "name": "Third-Party SDK Without Safety Vetting",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Third-party SDK, script, or external library loading detected without safety vetting or allowlisting. The AU Online Safety Act 2021 BOSE determination (s.109) requires platforms to ensure third-party services integrated into their products also comply with online safety requirements. Unvetted third-party code may introduce content safety, data handling, or age-verification gaps.",
+      "patterns": [
+        { "pattern": "(?:loadScript|load_script|injectScript|inject_script|loadSDK|load_sdk|importSDK|import_sdk)\\s*\\((?![^)]*(?:vetted|approved|allowlist|allow_list|whitelist|white_list|trusted|verified|safety))", "flags": "gi" },
+        { "pattern": "document\\.createElement\\s*\\(\\s*['\"]script['\"]\\s*\\)[^;]*\\.src\\s*=(?![^;]*(?:vetted|approved|allowlist|allow_list|trusted|verified))", "flags": "gi" },
+        { "pattern": "(?:thirdParty|third_party|externalSDK|external_sdk|vendorScript|vendor_script)\\s*[:=]\\s*(?:\\[|\\{)(?![^\\]\\}]*(?:vetted|approved|allowlist|allow_list|verified|safety_check|safety_reviewed))", "flags": "gi" },
+        { "pattern": "(?:addPlugin|add_plugin|registerPlugin|register_plugin|installAddon|install_addon)\\s*\\((?![^)]*(?:vetted|approved|allowlist|allow_list|trusted|verified|safety))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a third-party SDK vetting process. Maintain an allowlist of approved SDKs and verify each third-party integration for AU OSA compliance before deployment. Ensure third-party services handle minor data appropriately and support content moderation requirements. AU OSA BOSE (s.109) extends safety expectations to third-party integrations.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-010",
+      "name": "Missing Complaint Mechanism",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "User-facing feature, dashboard, or settings page detected without an accessible complaint or safety reporting mechanism. The AU Online Safety Act 2021 s.46 requires platforms to provide users (including parents and guardians) with a clear and accessible way to report online safety concerns, including cyberbullying, harmful content, and image-based abuse.",
+      "patterns": [
+        { "pattern": "(?:userDashboard|user_dashboard|userSettings|user_settings|profilePage|profile_page|accountPage|account_page)\\s*[:=]\\s*\\{(?![^}]*(?:report|complaint|feedback|supportTicket|support_ticket|helpCenter|help_center|safetyReport|safety_report))", "flags": "gi" },
+        { "pattern": "(?:renderProfile|render_profile|renderDashboard|render_dashboard|renderSettings|render_settings)\\s*\\((?![^\\n]*(?:report|complaint|feedback|support|safety|help))", "flags": "gi" },
+        { "pattern": "(?:menuItems|menu_items|navItems|nav_items|sidebarItems|sidebar_items)\\s*[:=]\\s*\\[(?![^\\]]*(?:report|complaint|feedback|support|safety|help))", "flags": "gi" },
+        { "pattern": "(?:UserProfile|Dashboard|Settings|Account)(?:Page|Screen|View|Component)\\s*(?:=|extends|implements)(?![^\\n]*(?:Report|Complaint|Feedback|Support|Safety|Help))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add an accessible complaint and safety reporting mechanism to all user-facing pages. Users must be able to report cyberbullying, harmful content, and image-based abuse. AU OSA s.46 requires platforms to provide clear reporting pathways and respond to complaints in a timely manner.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-011",
+      "name": "Cross-Border Minor Data Transfer",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "online-safety",
+      "description": "Transfer of child or minor user data to overseas servers, regions, or third-party international endpoints detected without adequate protection controls. The AU Online Safety Act 2021 BOSE (s.109) and Privacy Act 1988 APP 8 require that personal information transferred overseas receives equivalent protection. For minors' data, additional safeguards are expected.",
+      "patterns": [
+        { "pattern": "(?:dataTransfer|data_transfer|syncToCloud|sync_to_cloud|replicateTo|replicate_to|exportData|export_data)\\s*\\([^)]*(?:overseas|international|foreign|offshore|cross.?border|eu-west|us-east|ap-southeast|cn-north)[^)]*\\)(?![^\\n]*(?:adequateProtection|adequate_protection|encryptedTransfer|encrypted_transfer|dataProtection|data_protection|safeguard))", "flags": "gi" },
+        { "pattern": "(?:childData|child_data|minorData|minor_data|kidData|kid_data|youthData|youth_data)[^\\n]*(?:transfer|sync|replicate|export|send|transmit)\\s*\\([^)]*(?:region|endpoint|server|host|bucket)(?![^)]*(?:domestic|local|au-|sydney|melbourne|protect|encrypt|safeguard))", "flags": "gi" },
+        { "pattern": "(?:transferTo|transfer_to|migrateData|migrate_data|moveData|move_data)\\s*\\([^)]*(?:region|server|endpoint)[^)]*\\)[^\\n]*(?:child|minor|kid|youth|under.?1[68])(?![^\\n]*(?:protect|encrypt|safeguard|consent|adequate))", "flags": "gi" },
+        { "pattern": "(?:CROSS_REGION|CROSS_BORDER|INTERNATIONAL|OVERSEAS)_(?:SYNC|TRANSFER|REPLICATION)\\s*[:=]\\s*(?:true|1|['\"]enabled['\"])(?![^\\n]*(?:minor.?protect|child.?safe|adequate.?protect|data.?protect))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Ensure minor data transferred internationally has equivalent protection. Implement encryption in transit, verify the receiving jurisdiction's data protection adequacy, and document safeguards. AU Privacy Act 1988 APP 8 requires reasonable steps to ensure overseas recipients handle data consistently with Australian Privacy Principles. BOSE (s.109) heightens expectations for minors.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-012",
+      "name": "Age-Restricted Content Without Re-Authentication",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "online-safety",
+      "description": "Access to age-restricted, mature, or harmful content categories detected without re-authentication or age re-verification. The AU Online Safety Act 2021 s.109 BOSE expectations and the Restricted Access System Declaration require platforms to implement stepped access controls — users must re-verify their age or identity before viewing restricted content, even if previously authenticated.",
+      "patterns": [
+        { "pattern": "(?:restrictedContent|restricted_content|matureContent|mature_content|adultContent|adult_content|ageGatedContent|age_gated_content|nsfw)\\s*(?:=|:|\\()(?![^\\n]*(?:reAuth|re_auth|reVerify|re_verify|confirmAge|confirm_age|ageCheck|age_check|verifyAge|verify_age|stepUp|step_up))", "flags": "gi" },
+        { "pattern": "(?:serveContent|serve_content|showContent|show_content|displayContent|display_content)\\s*\\([^)]*(?:restricted|mature|adult|nsfw|age.?gated|r18|r_18|classification)(?![^)]*(?:reAuth|re_auth|reVerify|re_verify|confirmAge|confirm_age|checkAge|check_age))", "flags": "gi" },
+        { "pattern": "(?:contentRating|content_rating|ageRating|age_rating|classification)\\s*[:=]\\s*['\"](?:R18|MA15|X18|restricted|mature|adult)['\"](?![^\\n]*(?:reAuth|re_auth|reVerify|re_verify|gate|confirm|check|stepUp|step_up))", "flags": "gi" },
+        { "pattern": "(?:accessRestricted|access_restricted|viewMature|view_mature|unlockContent|unlock_content)\\s*\\((?![^)]*(?:reAuth|re_auth|reVerify|re_verify|confirmAge|confirm_age|stepUpAuth|step_up_auth|identityCheck|identity_check))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement re-authentication or age re-verification before serving age-restricted content. Even if a user is already logged in, access to R18+ or MA15+ classified content should require a step-up verification (biometric, PIN, or identity re-check). AU OSA Restricted Access System Declaration and BOSE (s.109) require robust access controls for restricted material.",
+      "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
+      "languages": ["typescript", "javascript", "python", "java", "swift", "kotlin"],
+      "packs": ["au-osa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-RISK-001",
+      "name": "Unconsented Behavioral Profiling",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "ai-risk",
+      "description": "Behavioral profiling of children without explicit opt-in consent violates EU AI Act Art. 9. Analytics platforms must gate identify() calls behind verified consent.",
+      "patterns": [
+        { "pattern": "(?:analytics|mixpanel|segment|amplitude)\\.identify\\(", "flags": "gi" },
+        { "pattern": "(?:trackUser|identifyUser|profileUser)\\(", "flags": "gi" },
+        { "pattern": "userProfile\\.(?:set|update|create)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Gate user identification behind explicit consent: if (hasParentalConsent) { analytics.identify(...) }",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-RISK-002",
+      "name": "Algorithmic Manipulation Without Audit",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-risk",
+      "description": "Content recommendation algorithms targeting children must have audit trails per EU AI Act Art. 9. Ranking and recommendation functions need logging hooks.",
+      "patterns": [
+        { "pattern": "(?:rankContent|recommendNext|algorithmicFeed|personalizedFeed|contentRanking)\\(", "flags": "gi" },
+        { "pattern": "(?:getRecommendations|suggestContent|curateForUser)\\(", "flags": "gi" },
+        { "pattern": "sortBy:\\s*['\"](?:engagement|relevance|trending)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add audit logging to recommendation functions: log input features, output ranking, and model version for each recommendation served.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-RISK-003",
+      "name": "ML Model Without Fairness Testing",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-risk",
+      "description": "ML models processing children's data must undergo bias and fairness testing per EU AI Act Art. 9. Training pipelines need documented fairness checks.",
+      "patterns": [
+        { "pattern": "model\\.(?:fit|train|finetune)\\(", "flags": "gi" },
+        { "pattern": "(?:trainModel|fitModel|trainPipeline)\\(", "flags": "gi" },
+        { "pattern": "(?:tensorflow|torch|sklearn|keras)\\.(?:fit|train)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add fairness testing to ML pipeline: run bias audits (demographic parity, equalized odds) before deploying models that affect children.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-RISK-004",
+      "name": "Synthetic Content Without Labeling",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-risk",
+      "description": "AI-generated images, text, or audio must be clearly labeled per EU AI Act Art. 50. Children especially need visible disclosure of synthetic content.",
+      "patterns": [
+        { "pattern": "(?:generateImage|aiGenerate|textToImage|imageGeneration)\\(", "flags": "gi" },
+        { "pattern": "(?:syntheticContent|aiContent|generatedContent)", "flags": "gi" },
+        { "pattern": "(?:dall-e|stable-diffusion|midjourney|openai\\.images)", "flags": "gi" },
+        { "pattern": "(?:textToSpeech|voiceSynthesis|tts)\\.(?:generate|create|synthesize)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add visible AI-generated content labels: include 'AI Generated' badge/watermark on all synthetic media shown to children.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-RISK-005",
+      "name": "Automated Decision Without Human Appeal",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "ai-risk",
+      "description": "Automated decisions affecting children (bans, suspensions, access denial) must have a human appeal mechanism per EU AI Act Art. 14.",
+      "patterns": [
+        { "pattern": "(?:banUser|suspendAccount|denyAccess|autoModerate|autoBan)\\(", "flags": "gi" },
+        { "pattern": "(?:blockUser|restrictUser|muteUser|shadowBan)\\(", "flags": "gi" },
+        { "pattern": "moderationAction:\\s*['\"](?:ban|suspend|restrict)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add human appeal mechanism: implement an appeal/review endpoint and surface it in the moderation notification to the user.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-TRANSPARENCY-001",
+      "name": "Missing AI Disclosure",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-transparency",
+      "description": "AI systems interacting with children must disclose they are AI per EU AI Act Art. 13. Chatbots, tutors, and assistants need visible AI disclosure.",
+      "patterns": [
+        { "pattern": "(?:ChatBot|AIChatbot|VirtualAssistant|AITutor|ChatInterface)", "flags": "gi" },
+        { "pattern": "(?:createChatbot|initBot|botResponse|chatCompletion)\\(", "flags": "gi" },
+        { "pattern": "role:\\s*['\"](?:assistant|system|bot)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add AI disclosure: show 'You are chatting with an AI' before first interaction and in the UI header.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python", "tsx", "jsx"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-TRANSPARENCY-002",
+      "name": "No Training Data Disclosure",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-transparency",
+      "description": "High-risk AI systems must disclose training data sources per EU AI Act Art. 13. Children's AI products need model cards or equivalent documentation.",
+      "patterns": [
+        { "pattern": "(?:loadModel|deployModel|serveModel)\\(", "flags": "gi" },
+        { "pattern": "(?:modelEndpoint|inferenceEndpoint|predictionService)", "flags": "gi" },
+        { "pattern": "(?:huggingface|openai|anthropic|cohere)\\.(?:create|complete|generate)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Create a model card documenting training data sources, intended use, limitations, and bias considerations.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-TRANSPARENCY-003",
+      "name": "Algorithmic Decision Blackbox",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-transparency",
+      "description": "High-stakes decisions (content removal, access control) must have explainability mechanisms per EU AI Act Art. 13. Opaque automated decisions violate transparency requirements.",
+      "patterns": [
+        { "pattern": "(?:moderateContent|flagContent|removeContent|hidePost)\\((?![^)]*reason)", "flags": "gi" },
+        { "pattern": "(?:filterContent|censorContent|suppressContent)\\(", "flags": "gi" },
+        { "pattern": "autoDecision\\((?![^)]*explain)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add explainability: include a 'reason' parameter in automated decisions and surface it to affected users.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-TRANSPARENCY-004",
+      "name": "Age-Based Personalization Not Disclosed",
+      "severity": "medium",
+      "confidence": "medium",
+      "category": "ai-transparency",
+      "description": "Personalized content that varies by age must disclose this to users per EU AI Act Art. 13. Children should know their experience is age-adapted.",
+      "patterns": [
+        { "pattern": "(?:if|switch)\\s*\\([^)]*(?:age|userAge|childAge)\\s*[<>=]", "flags": "gi" },
+        { "pattern": "ageGroup:\\s*['\"](?:child|teen|minor|under13|under16)['\"]", "flags": "gi" },
+        { "pattern": "(?:ageFilter|ageGate|ageRestriction)\\([^)]*(?:content|feed|results)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disclose age-based personalization: add a visible notice that 'Content is adapted for your age group' when age-specific filtering is active.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python", "tsx", "jsx"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-TRANSPARENCY-005",
+      "name": "Missing AI Terms of Service",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-transparency",
+      "description": "AI-powered services for children need dedicated AI terms explaining capabilities, limitations, and data practices per EU AI Act Art. 13.",
+      "patterns": [
+        { "pattern": "(?:aiService|aiFeature|mlService|aiEndpoint)\\.(?:init|start|enable)", "flags": "gi" },
+        { "pattern": "(?:enableAI|activateAI|aiPowered)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "feature[Ff]lag.*['\"](?:ai|ml|chatbot|recommendation)['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add dedicated AI terms of service: create an /ai-terms page explaining how AI features work, their limitations, and child-specific protections.",
+      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-PEDAGOGY-001",
+      "name": "AI Tutor Bypass (Auto-Answering)",
+      "severity": "medium",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "Educational AI must scaffold learning, not provide direct answers. Auto-answering bypasses critical thinking development (Vygotsky's Zone of Proximal Development).",
+      "patterns": [
+        { "pattern": "(?:getAnswer|solveQuestion|provideSolution|autoSolve)\\(", "flags": "gi" },
+        { "pattern": "(?:answerQuestion|generateAnswer|solveHomework)\\(", "flags": "gi" },
+        { "pattern": "(?:homeworkHelper|essayWriter|mathSolver)\\.(?:solve|answer|complete)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Replace auto-answering with scaffolded hints: provide progressive clues instead of complete solutions.",
+      "penalty": "Constitutional AI Principle: Scaffolding Rule",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-DEPENDENCY-001",
+      "name": "Emotional Over-Reliance Risk",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI companions/tutors must detect and mitigate emotional dependency in children. Extended interactions without disengagement prompts risk unhealthy attachment (IEEE 2089-2021).",
+      "patterns": [
+        { "pattern": "(?:aiCompanion|virtualFriend|aiBuddy|chatCompanion)", "flags": "gi" },
+        { "pattern": "(?:emotionalSupport|moodTracker|feelings).*(?:ai|bot|assistant)", "flags": "gi" },
+        { "pattern": "(?:companionBot|friendBot|socialBot)\\.(?:init|create|start)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add disengagement prompts: remind users to take breaks after extended sessions and suggest real-world activities.",
+      "penalty": "Constitutional AI Principle: Anti-Dependency Clause (IEEE 2089-2021)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-SYNTHESIS-001",
+      "name": "Synthetic Content Without Child-Readable Labels",
+      "severity": "medium",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI-generated content shown to children must have labels comprehensible to the child's age group. Abstract disclaimers are insufficient — use visual indicators.",
+      "patterns": [
+        { "pattern": "(?:generateForChild|childContent|kidsGenerate)\\(", "flags": "gi" },
+        { "pattern": "(?:aiStory|aiImage|aiVideo|generatedStory)(?![^\\n]*(?:label|badge|disclosure|watermark))", "flags": "gi" },
+        { "pattern": "(?:storyGenerator|imageGenerator|contentGenerator)\\.(?:create|generate)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add child-comprehensible AI labels: use emoji or visual badges (e.g., sparkle icon) instead of text-only 'AI Generated' disclaimers.",
+      "penalty": "Constitutional AI Principle: Truth in Synthesis",
+      "languages": ["typescript", "javascript", "python", "tsx", "jsx"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-NUDGE-001",
+      "name": "Engagement Optimization Without Disclosure",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "Algorithms optimizing for engagement/time-on-device in children's apps violate No-Nudge principles (IEEE 2089-2021). Must disclose engagement optimization and offer wellbeing modes.",
+      "patterns": [
+        { "pattern": "optimizeFor:\\s*['\"](?:engagement|retention|timeOnApp|sessionDuration)['\"]", "flags": "gi" },
+        { "pattern": "(?:engagementScore|retentionMetric|dailyActiveMinutes|sessionLength)", "flags": "gi" },
+        { "pattern": "(?:maximizeEngagement|boostRetention|increaseTimeSpent)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Disclose engagement optimization and add wellbeing features: implement screen time limits, usage dashboards, and 'take a break' reminders.",
+      "penalty": "Constitutional AI Principle: No-Nudge Mandate (IEEE 2089-2021)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-RESET-001",
+      "name": "No User Identity Reset Mechanism",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "constitutional-ai",
+      "description": "AI systems learning child preferences must offer periodic identity/preference reset capability. Children's interests change rapidly — stale profiles can create filter bubbles.",
+      "patterns": [
+        { "pattern": "(?:userPreferences|learningProfile|interestProfile|userModel)\\.(?:save|persist|update)", "flags": "gi" },
+        { "pattern": "(?:personalizeFor|buildProfile|profileLearning)\\(", "flags": "gi" },
+        { "pattern": "(?:recommendationProfile|contentPreferences)\\.(?:set|update)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add identity reset capability: implement 'Reset My Preferences' option and offer periodic 'Would you like to refresh your interests?' prompts.",
+      "penalty": "Constitutional AI Principle: Right to Reset",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
     }
   ]
 }