@runhalo/engine 0.4.0 → 0.6.0

package/dist/fp-patterns.js

@@ -0,0 +1,426 @@
+"use strict";
+/**
+ * FP Pattern Library — Sprint 11b
+ *
+ * Structured false positive patterns for the AI Review Board.
+ * Expands from 8 generic patterns (hardcoded in ai-review prompt) to 30+
+ * rule-specific checklists derived from Sprint 10a/10b/11a validated FP fixes.
+ *
+ * Used by:
+ * - AI Review Board system prompt (rule-specific dismissal criteria)
+ * - FP Adjustment Pipeline (pattern matching against known FPs)
+ * - Future: engine heuristic refinement
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FP_PATTERNS = void 0;
+exports.getPatternsForRule = getPatternsForRule;
+exports.getPatternsForRules = getPatternsForRules;
+exports.formatPatternsForPrompt = formatPatternsForPrompt;
+// ─── Global Patterns (apply to many rules) ────────────────────
+const GLOBAL_PATTERNS = [
+    {
+        id: 'vendor-library',
+        ruleIds: ['*'],
+        name: 'Vendored / Third-Party Library Code',
+        description: 'Files in vendor paths are third-party code the project does not control.',
+        codeSignals: [
+            'vendor/', 'node_modules/', 'third_party/', 'bower_components/', 'external/',
+            'lib/google', 'lib/yui', 'h5plib/', 'lib/requirejs/', 'lib/jquery',
+        ],
+        promptGuidance: 'Check if the file path contains vendor indicators. Vendor code is NOT the developer\'s responsibility. → DISMISS',
+        source: 'Sprint 10a',
+    },
+    {
+        id: 'test-code',
+        ruleIds: ['*'],
+        name: 'Test / Fixture / Config Code',
+        description: 'Test files, fixtures, and test configs do not run in production.',
+        codeSignals: [
+            'test/', '__tests__/', 'spec/', 'tests/', 'fixtures/', 'mocks/',
+            'envs/test', 'config/test', 'settings/test', 'conftest.py',
+            '.test.', '.spec.', '_test.', '_spec.',
+        ],
+        promptGuidance: 'Check if the file is a test, fixture, or test config. Test code does not reach production users. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    {
+        id: 'admin-internal',
+        ruleIds: ['*'],
+        name: 'Admin / Internal-Only Code',
+        description: 'Admin routes, staff-only views, and internal tools have different risk profiles than user-facing code.',
+        codeSignals: [
+            'admin/', 'instructor/', 'teacher/', 'staff/', 'management/', 'backoffice/',
+            'cms/', 'moderator/', 'superuser/',
+            '@staff_member_required', '@permission_required', 'is_staff', 'is_superuser',
+        ],
+        promptGuidance: 'Check if the code is in an admin/staff path or uses staff-only decorators. Admin code is NOT child-facing. → DISMISS or DOWNGRADE',
+        source: 'Sprint 11a',
+    },
+    {
+        id: 'doc-generator',
+        ruleIds: ['*'],
+        name: 'Documentation Generator Output',
+        description: 'JSDoc, TypeDoc, Sphinx, and other doc generator output is not user-facing code.',
+        codeSignals: [
+            'jsdoc/', 'typedoc/', 'apidoc/', 'javadoc/', 'doxygen/', 'sphinx/',
+            '_build/', '_static/', 'docs/api/', 'docs/generated/',
+            'jsdoc.html', 'typedoc.html',
+        ],
+        promptGuidance: 'Check if the file is generated documentation (JSDoc, Sphinx, etc.). Doc templates are not user-facing. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    {
+        id: 'comment-only',
+        ruleIds: ['*'],
+        name: 'Comment-Only Matches',
+        description: 'Matches in code comments, TODO notes, or documentation strings are not executable code.',
+        codeSignals: [
+            '//', '/*', '#', '"""', "'''", '<!--', '--', '%%',
+        ],
+        promptGuidance: 'Check if the matched line is a comment, TODO, or docstring. Comments are not executable. → DISMISS',
+        source: 'Sprint 8',
+    },
+];
+// ─── Rule-Specific Patterns ────────────────────────────────────
+const RULE_PATTERNS = [
+    // coppa-sec-006: Unencrypted HTTP URLs
+    {
+        id: 'sec006-example-urls',
+        ruleIds: ['coppa-sec-006'],
+        name: 'Example / Placeholder URLs',
+        description: 'URLs like http://example.com, http://localhost, or http://127.0.0.1 in docs or configs are not real security risks.',
+        codeSignals: [
+            'example.com', 'example.org', 'localhost', '127.0.0.1',
+            'httpbin.org', 'placeholder', 'test-server', 'dev-server',
+        ],
+        promptGuidance: 'Check if the HTTP URL is a placeholder (example.com, localhost, etc.) or in a test/doc context. Placeholder URLs are not real HTTP traffic. → DISMISS',
+        source: 'Sprint 10a',
+    },
+    {
+        id: 'sec006-test-config',
+        ruleIds: ['coppa-sec-006'],
+        name: 'HTTP URLs in Test Configuration',
+        description: 'Test configs (envs/test.py, settings/test.py) use HTTP URLs for local test servers.',
+        codeSignals: [
+            'envs/test', 'config/test', 'settings/test', 'conftest.py',
+            'TEST_', 'test_settings', 'DEBUG = True',
+        ],
+        promptGuidance: 'Check if the HTTP URL is in a test configuration file. Test configs don\'t run in production. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-sec-015: XSS / innerHTML
+    {
+        id: 'sec015-sanitized',
+        ruleIds: ['coppa-sec-015'],
+        name: 'Sanitized innerHTML',
+        description: 'innerHTML assignments that use DOMPurify, framework escaping, or sanitization functions are safe.',
+        codeSignals: [
+            'DOMPurify', 'sanitize(', 'purify(', 'Escape.html(', 'escapeHtml(',
+            'htmlspecialchars', 'markSafe', 'SafeString', 'bleach.clean',
+        ],
+        promptGuidance: 'Check if the innerHTML assignment is preceded by sanitization (DOMPurify, Escape.html, htmlspecialchars, etc.). Sanitized HTML is NOT an XSS risk. → DISMISS',
+        source: 'Sprint 10a',
+    },
+    // coppa-ui-008: Missing privacy policy on registration
+    {
+        id: 'ui008-admin-form',
+        ruleIds: ['coppa-ui-008'],
+        name: 'Admin / Configuration Forms',
+        description: 'Admin config forms, LTI registration, and internal settings are not user-facing registration.',
+        codeSignals: [
+            'admin', 'config', 'settings', 'lti', 'cartridge', 'oauth',
+            'device_registration', 'api_key', 'webhook',
+        ],
+        promptGuidance: 'Check if this is an admin configuration form, LTI cartridge registration, OAuth setup, or API key form. These are NOT user-facing signup forms — no privacy policy needed. → DISMISS',
+        source: 'Sprint 10a',
+    },
+    {
+        id: 'ui008-non-registration',
+        ruleIds: ['coppa-ui-008'],
+        name: 'Non-Registration Forms',
+        description: 'Search forms, login forms, contact forms, and feedback forms are not registration flows.',
+        codeSignals: [
+            'login', 'signin', 'sign-in', 'search', 'contact', 'feedback',
+            'password_reset', 'forgot_password',
+        ],
+        promptGuidance: 'Check if this form is a login, search, contact, or password reset form (NOT a registration/signup form). Only registration/signup forms require privacy policy links. → DISMISS',
+        source: 'Sprint 10b',
+    },
+    // coppa-cookies-016: Cookie usage
+    {
+        id: 'cookies016-consent-impl',
+        ruleIds: ['coppa-cookies-016'],
+        name: 'Cookie Consent Implementation',
+        description: 'Cookie consent UIs that set preference cookies are privacy-solution code, not violations.',
+        codeSignals: [
+            'cookie-consent', 'cookie_consent', 'consent-banner', 'gdpr-consent',
+            'CookieConsent', 'cookiePolicy', 'acceptCookies', 'cookie_preferences',
+        ],
+        promptGuidance: 'Check if this code is IMPLEMENTING cookie consent (setting a preference cookie to remember the user\'s choice). Cookie consent code is privacy-protective, NOT a violation. → DISMISS',
+        source: 'Sprint 10b',
+    },
+    {
+        id: 'cookies016-deletion',
+        ruleIds: ['coppa-cookies-016'],
+        name: 'Cookie Deletion / Cleanup',
+        description: 'Code that deletes cookies (expires in past, max-age=0) is cleanup, not setting.',
+        codeSignals: [
+            'max-age=0', 'max-age=-1', 'expires=Thu, 01 Jan 1970', 'new Date(0)',
+            '=deleted', 'deleteCookie', 'removeCookie', 'clearCookie', 'expireCookie',
+        ],
+        promptGuidance: 'Check if the cookie operation is DELETING a cookie (max-age=0, expired date, =deleted value). Cookie deletion is cleanup code, NOT setting cookies. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-ext-017: External links / third-party SDKs
+    {
+        id: 'ext017-ie-conditional',
+        ruleIds: ['coppa-ext-017'],
+        name: 'IE Conditional Comment Blocks',
+        description: 'Browser upgrade links inside IE conditional comments (<!--[if IE]>) are deprecated browser banners.',
+        codeSignals: [
+            '<!--[if', '[endif]-->', 'IE', 'browser upgrade', 'outdated browser',
+        ],
+        promptGuidance: 'Check if the external link is inside an IE conditional comment (<!--[if IE]>). Browser upgrade banners for deprecated IE versions are not child-facing content. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    {
+        id: 'ext017-doc-template',
+        ruleIds: ['coppa-ext-017'],
+        name: 'Documentation Template Links',
+        description: 'External links in JSDoc, TypeDoc, or Sphinx templates are developer documentation, not child-facing.',
+        codeSignals: [
+            'jsdoc', 'typedoc', 'sphinx', 'apidoc', 'docs/api/',
+        ],
+        promptGuidance: 'Check if the external link is in a documentation template (JSDoc, Sphinx, etc.). Doc links are for developers, not children. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-flow-009: Child contact collection
+    {
+        id: 'flow009-admin-backend',
+        ruleIds: ['coppa-flow-009'],
+        name: 'Admin Backend Email Access',
+        description: 'Backend admin functions that read existing user emails (for admin purposes) are not collecting from children.',
+        codeSignals: [
+            'admin/', 'instructor/', 'staff/', '@staff_member_required',
+            'get_email', 'user.email', 'existing_email',
+        ],
+        promptGuidance: 'Check if this code is an admin/instructor backend function reading EXISTING user emails (not collecting new ones from children). Admin data access for administration is not child contact collection. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-retention-005: Data retention
+    {
+        id: 'retention005-no-pii',
+        ruleIds: ['coppa-retention-005'],
+        name: 'Annotated Non-PII Models',
+        description: 'Django models annotated with no_pii docstrings have been verified to contain no PII despite having User FKs.',
+        codeSignals: [
+            '.. no_pii:', '# no_pii', 'no_pii = True', 'NO_PII',
+        ],
+        promptGuidance: 'Check if this Django model has a `.. no_pii:` docstring annotation. Models marked no_pii have been verified to contain no personally identifiable information despite having User foreign keys. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    {
+        id: 'retention005-has-retention-policy',
+        ruleIds: ['coppa-retention-005'],
+        name: 'Retention Policy Exists Elsewhere',
+        description: 'The model may lack inline retention fields but the project has a documented retention policy, privacy policy, or data lifecycle configuration.',
+        codeSignals: [
+            'retentionPolicy', 'retention_policy', 'dataRetention', 'data_retention',
+            'RETENTION_DAYS', 'RETENTION_PERIOD', 'DATA_LIFECYCLE',
+            'privacy-policy', 'data-deletion', 'purge_schedule', 'cleanup_task',
+        ],
+        promptGuidance: 'Check if the project has a documented retention policy, data lifecycle config, or scheduled purge task that covers this model. If retention is handled at the application/policy level rather than the schema level, the model may still be compliant. → DOWNGRADE',
+        source: 'Sprint 17',
+    },
+    // coppa-data-002: PII in URLs / data exposure
+    {
+        id: 'data002-admin-data',
+        ruleIds: ['coppa-data-002'],
+        name: 'Admin-Only Data Access',
+        description: 'Data access in admin/staff routes is for administration, not exposing children\'s PII.',
+        codeSignals: [
+            'admin/', 'staff/', 'instructor/', '@permission_required',
+            'management/', 'backoffice/',
+        ],
+        promptGuidance: 'Check if this data access is in an admin/staff route. Admin data access for operational purposes is not PII exposure to unauthorized parties. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-tracking-003: Analytics tracking
+    {
+        id: 'tracking003-admin-analytics',
+        ruleIds: ['coppa-tracking-003'],
+        name: 'Admin Analytics / Internal Metrics',
+        description: 'Analytics code in admin dashboards or internal monitoring is not tracking children.',
+        codeSignals: [
+            'admin/', 'dashboard/', 'monitoring/', 'internal/', 'staff/',
+            'admin_analytics', 'server_metrics', 'error_tracking',
+        ],
+        promptGuidance: 'Check if this analytics/tracking code is in an admin dashboard or internal monitoring tool. Admin analytics are for operators, not tracking children. → DISMISS',
+        source: 'Sprint 11a',
+    },
+    // coppa-auth-001: Authentication
+    {
+        id: 'auth001-enum-constant',
+        ruleIds: ['coppa-auth-001'],
+        name: 'Password Enum Constants',
+        description: 'Constants like PASSWORD = "password" or METHOD_PASSWORD are enum names, not default passwords.',
+        codeSignals: [
+            'PASSWORD =', 'METHOD_PASSWORD', 'AUTH_METHOD', 'GRANT_TYPE',
+            'enum', 'const', 'final', 'CONST',
+        ],
+        promptGuidance: 'Check if this is an enum constant or type definition containing "password" (e.g., PASSWORD = "password", METHOD_PASSWORD). Self-referential constant definitions are NOT default passwords. → DISMISS',
+        source: 'Sprint 8',
+    },
+    // coppa-notif-013: Push notifications
+    {
+        id: 'notif013-ui-notification',
+        ruleIds: ['coppa-notif-013'],
+        name: 'UI Toast / Internal Notifications',
+        description: 'PHP/Python notification classes for UI toast messages are NOT push notifications.',
+        codeSignals: [
+            'notification()', 'new notification', 'toast', 'flash_message',
+            'add_notification', 'notify_user', 'in_app_notification',
+        ],
+        promptGuidance: 'Check if this is a UI toast/flash notification class (NOT a push notification). Look for push-specific APIs: ServiceWorker, PushManager, FCM, APNs, OneSignal. In-app UI notifications are NOT push notifications. → DISMISS',
+        source: 'Sprint 10a',
+    },
+    // coppa-audio-007: Audio/video capture
+    {
+        id: 'audio007-media-playback',
+        ruleIds: ['coppa-audio-007'],
+        name: 'Media Playback (Not Capture)',
+        description: 'Audio/video playback elements (<audio>, <video>, play()) are NOT recording/capture.',
+        codeSignals: [
+            '<audio', '<video', '.play()', '.pause()', 'audioContext',
+            'new Audio(', 'createMediaElement', 'HTMLAudioElement',
+        ],
+        promptGuidance: 'Check if this is media PLAYBACK (playing audio/video) vs. media CAPTURE (getUserMedia, MediaRecorder). Playback does not collect data from children. → DISMISS',
+        source: 'Sprint 11b',
+    },
+    // coppa-sec-006: Unencrypted HTTP (additional)
+    {
+        id: 'sec006-protocol-handler',
+        ruleIds: ['coppa-sec-006'],
+        name: 'Protocol Handler / Schema Reference',
+        description: 'References to http:// in protocol handling, URL parsing, or schema definitions are not real HTTP traffic.',
+        codeSignals: [
+            'protocol', 'scheme', 'urlparse', 'URL(', 'new URL',
+            'startsWith(\'http\')', 'replace(\'http\', \'https\')',
+        ],
+        promptGuidance: 'Check if the http:// reference is in URL parsing, protocol handling, or a schema definition (not an actual HTTP request). Protocol handling code is not sending unencrypted traffic. → DISMISS',
+        source: 'Sprint 11b',
+    },
+    // coppa-ext-017: External links (additional)
+    {
+        id: 'ext017-cdn-resource',
+        ruleIds: ['coppa-ext-017'],
+        name: 'CDN / Static Resource Links',
+        description: 'Links to CDN resources (fonts, CSS frameworks, JS libraries) are infrastructure, not child data exfiltration.',
+        codeSignals: [
+            'cdn.', 'fonts.googleapis', 'cdnjs.cloudflare', 'unpkg.com',
+            'jsdelivr.net', 'bootstrapcdn', 'fontawesome',
+        ],
+        promptGuidance: 'Check if the external link is a CDN resource (Google Fonts, cdnjs, unpkg, etc.). CDN links load static assets and do not exfiltrate child data. → DISMISS',
+        source: 'Sprint 11b',
+    },
+    // coppa-ext-017: Translation / i18n bundle files
+    {
+        id: 'ext017-i18n-bundle',
+        ruleIds: ['coppa-ext-017'],
+        name: 'Translation / i18n Bundle Files',
+        description: 'Internationalization files contain URL strings for localization but are not navigable links. Common in Blockly-derived projects.',
+        codeSignals: [
+            'msg/js/', 'locales/', 'i18n/', 'translations/', 'lang/',
+            'messages/', 'locale/', 'nls/', 'l10n/',
+            'Blockly.Msg.', 'MSG_', 'LOCALE_',
+        ],
+        promptGuidance: 'Check if the file is a translation/i18n/locale bundle (msg/js/, locales/, translations/, lang/). URL strings in translation files are display text, not navigable links. → DISMISS',
+        source: 'Sprint 17 W3 — blind test (Open Roberta Lab)',
+    },
+    // coppa-tracking-003: Analytics (additional)
+    {
+        id: 'tracking003-error-monitoring',
+        ruleIds: ['coppa-tracking-003'],
+        name: 'Error Monitoring / Logging',
+        description: 'Error monitoring tools (Sentry, Bugsnag, LogRocket) track errors, not user behavior.',
+        codeSignals: [
+            'Sentry', 'Bugsnag', 'LogRocket', 'Rollbar', 'errorHandler',
+            'captureException', 'captureMessage', 'error_report',
+        ],
+        promptGuidance: 'Check if this is error monitoring/logging (Sentry, Bugsnag, etc.) vs. behavioral analytics (GA, Mixpanel). Error monitoring tracks bugs, not children. → DOWNGRADE (not DISMISS — error tools may still collect device info)',
+        source: 'Sprint 11b',
+    },
+    // coppa-ads-021: Targeted advertising
+    {
+        id: 'ads021-admin-analytics',
+        ruleIds: ['coppa-ads-021'],
+        name: 'Admin / Internal Ad Management',
+        description: 'Ad SDK references in admin dashboards, ad management tools, or revenue reporting are not child-facing ad delivery.',
+        codeSignals: [
+            'admin/', 'dashboard/', 'revenue/', 'reporting/', 'backoffice/',
+            'adManager', 'ad_management', 'campaign_manager', 'revenue_report',
+        ],
+        promptGuidance: 'Check if this ad SDK reference is in an admin/revenue dashboard or ad management tool. Admin ad management code is NOT serving ads to children. → DISMISS',
+        source: 'Sprint 17',
+    },
+    {
+        id: 'ads021-contextual-only',
+        ruleIds: ['coppa-ads-021'],
+        name: 'Contextual Advertising (Non-Targeted)',
+        description: 'Contextual ads served based on page content (not user data) do not require separate consent under COPPA.',
+        codeSignals: [
+            'contextual', 'non_personalized', 'npa=1', 'nonPersonalizedAds',
+            'child_directed_treatment', 'tag_for_child_directed_treatment',
+            'coppa_compliance', 'MAX_AD_CONTENT_RATING',
+        ],
+        promptGuidance: 'Check if the ad SDK is configured for contextual/non-personalized ads (npa=1, child_directed_treatment, MAX_AD_CONTENT_RATING). Contextual-only ads that don\'t track user behavior are COPPA-compliant. → DISMISS',
+        source: 'Sprint 17',
+    },
+    {
+        id: 'ads021-has-consent-flow',
+        ruleIds: ['coppa-ads-021'],
+        name: 'Separate Consent Flow Present',
+        description: 'Ad SDK initialization that follows a separate, specific consent flow for advertising satisfies COPPA 2025.',
+        codeSignals: [
+            'adConsent', 'advertisingConsent', 'ad_consent', 'marketing_consent',
+            'ConsentForm', 'ConsentInformation', 'UMPConsentForm',
+            'ATTrackingManager', 'requestTrackingAuthorization',
+            'consentForAds', 'adsConsentGranted',
+        ],
+        promptGuidance: 'Check if there is a SEPARATE consent flow specifically for advertising (distinct from general terms). Look for ConsentForm, ATTrackingManager, or custom ad consent UI. If separate ad consent exists, the SDK initialization may be compliant. → DISMISS',
+        source: 'Sprint 17',
+    },
+    // Generic: Framework-handled patterns
+    {
+        id: 'framework-auto-escape',
+        ruleIds: ['coppa-sec-015', 'coppa-sec-006'],
+        name: 'Framework Auto-Escaping',
+        description: 'Modern frameworks (React, Vue, Angular, Django, Rails) auto-escape output by default.',
+        codeSignals: [
+            'React', 'Vue', 'Angular', 'Svelte', 'Next.js',
+            'Django', 'Rails', 'Laravel', 'Flask',
+            'jsx', 'tsx', '.vue', '.svelte',
+        ],
+        promptGuidance: 'Check if the framework auto-escapes output (React JSX, Vue templates, Django templates, etc.). Framework auto-escaping prevents most XSS without explicit sanitization. → DOWNGRADE',
+        source: 'Sprint 8',
+    },
+];
+// ─── Exports ────────────────────────────────────────────────
+/** All FP patterns — global + rule-specific */
+exports.FP_PATTERNS = [...GLOBAL_PATTERNS, ...RULE_PATTERNS];
+/** Get patterns for a specific rule ID */
+function getPatternsForRule(ruleId) {
+    return exports.FP_PATTERNS.filter((p) => p.ruleIds.includes('*') || p.ruleIds.includes(ruleId));
+}
+/** Get patterns for a set of rule IDs (for batch prompts) */
+function getPatternsForRules(ruleIds) {
+    const uniqueRules = new Set(ruleIds);
+    return exports.FP_PATTERNS.filter((p) => p.ruleIds.includes('*') || p.ruleIds.some((id) => uniqueRules.has(id)));
+}
+/** Format patterns as prompt text for the AI Review Board */
+function formatPatternsForPrompt(patterns) {
+    return patterns
+        .map((p, i) => `${i + 1}. **${p.name}** [${p.ruleIds.join(', ')}]\n   ${p.description}\n   Signals: ${p.codeSignals.slice(0, 5).join(', ')}${p.codeSignals.length > 5 ? '...' : ''}\n   → ${p.promptGuidance}`)
+        .join('\n\n');
+}
+//# sourceMappingURL=fp-patterns.js.map

package/dist/fp-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fp-patterns.js","sourceRoot":"","sources":["../src/fp-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAmbH,gDAIC;AAGD,kDAKC;AAGD,0DAIC;AAnbD,iEAAiE;AAEjE,MAAM,eAAe,GAAgB;IACnC;QACE,EAAE,EAAE,gBAAgB;QACpB,OAAO,EAAE,CAAC,GAAG,CAAC;QACd,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,0EAA0E;QACvF,WAAW,EAAE;YACX,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,mBAAmB,EAAE,WAAW;YAC5E,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,gBAAgB,EAAE,YAAY;SACnE;QACD,cAAc,EAAE,kHAAkH;QAClI,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,WAAW;QACf,OAAO,EAAE,CAAC,GAAG,CAAC;QACd,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE;YACX,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ;YAC/D,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa;YAC1D,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;SACvC;QACD,cAAc,EAAE,4GAA4G;QAC5H,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,OAAO,EAAE,CAAC,GAAG,CAAC;QACd,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,wGAAwG;QACrH,WAAW,EAAE;YACX,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,aAAa;YAC3E,MAAM,EAAE,YAAY,EAAE,YAAY;YAClC,wBAAwB,EAAE,sBAAsB,EAAE,UAAU,EAAE,cAAc;SAC7E;QACD,cAAc,EAAE,mIAAmI;QACnJ,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,OAAO,EAAE,CAAC,GAAG,CAAC;QACd,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,iFAAiF;QAC9F,WAAW,EAAE;YACX,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS;YAClE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,iBAAiB;YACrD,YAAY,EAAE,cAAc;SAC7B;QACD,cAAc,EAAE,kHAAkH;QAClI,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,OAAO,EAAE,CAAC,GAAG,CAAC;QACd,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,yFAAyF;QACtG,WAAW,EAAE;YACX,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI;SAClD;QACD,cAAc,EAAE,oGAAoG;QACpH,MAAM,EAAE,UAAU;KACnB;CACF,CAAC;AAEF,kEAAkE;AAElE,MAAM,aAAa,GAAgB;IACjC,uCAAuC;IACvC;QACE,EAAE,EAAE,qBAAqB;QACzB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,qHAAqH;QAClI,WAAW,EAAE;YACX,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW;YACtD,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY;SAC1D;QACD,cAAc,EAAE,uJAAuJ;QACvK,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,qFAAqF;QAClG,WAAW,EAAE;YACX,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa;YAC1D,OAAO,EAAE,eAAe,EAAE,cAAc;SACzC;QACD,cAAc,EAAE,yGAAyG;QACzH,MAAM,EAAE,YAAY;KACrB;IAED,iCAAiC;IACjC;QACE,EAAE,EAAE,kBAAkB;QACtB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,mGAAmG;QAChH,WAAW,EAAE;YACX,WAAW,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa;YAClE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc;SAC7D;QACD,cAAc,EAAE,8JAA8J;QAC9K,MAAM,EAAE,YAAY;KACrB;IAED,uDAAuD;IACvD;QACE,EAAE,EAAE,kBAAkB;QACtB,OAAO,EAAE,CAAC,cAAc,CAAC;QACzB,IAAI,EAAE,6BAA6B;QACnC,WAAW,EAAE,+FAA+F;QAC5G,WAAW,EAAE;YACX,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO;YAC1D,qBAAqB,EAAE,SAAS,EAAE,SAAS;SAC5C;QACD,cAAc,EAAE,sLAAsL;QACtM,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,OAAO,EAAE,CAAC,cAAc,CAAC;QACzB,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,0FAA0F;QACvG,WAAW,EAAE;YACX,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU;YAC7D,gBAAgB,EAAE,iBAAiB;SACpC;QACD,cAAc,EAAE,iLAAiL;QACjM,MAAM,EAAE,YAAY;KACrB;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,yBAAyB;QAC7B,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAC9B,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,2FAA2F;QACxG,WAAW,EAAE;YACX,gBAAgB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc;YACpE,eAAe,EAAE,cAAc,EAAE,eAAe,EAAE,oBAAoB;SACvE;QACD,cAAc,EAAE,uLAAuL;QACvM,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAC9B,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,iFAAiF;QAC9F,WAAW,EAAE;YACX,WAAW,EAAE,YAAY,EAAE,0BAA0B,EAAE,aAAa;YACpE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc;SAC1E;QACD,cAAc,EAAE,+JAA+J;QAC/K,MAAM,EAAE,YAAY;KACrB;IAED,mDAAmD;IACnD;QACE,EAAE,EAAE,uBAAuB;QAC3B,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,qGAAqG;QAClH,WAAW,EAAE;YACX,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,iBAAiB,EAAE,kBAAkB;SACrE;QACD,cAAc,EAAE,2KAA2K;QAC3L,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,sGAAsG;QACnH,WAAW,EAAE;YACX,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW;SACpD;QACD,cAAc,EAAE,wIAAwI;QACxJ,MAAM,EAAE,YAAY;KACrB;IAED,2CAA2C;IAC3C;QACE,EAAE,EAAE,uBAAuB;QAC3B,OAAO,EAAE,CAAC,gBAAgB,CAAC;QAC3B,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,+GAA+G;QAC5H,WAAW,EAAE;YACX,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,wBAAwB;YAC3D,WAAW,EAAE,YAAY,EAAE,gBAAgB;SAC5C;QACD,cAAc,EAAE,kNAAkN;QAClO,MAAM,EAAE,YAAY;KACrB;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,qBAAqB;QACzB,OAAO,EAAE,CAAC,qBAAqB,CAAC;QAChC,IAAI,EAAE,0BAA0B;QAChC,WAAW,EAAE,8GAA8G;QAC3H,WAAW,EAAE;YACX,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,QAAQ;SACpD;QACD,cAAc,EAAE,2MAA2M;QAC3N,MAAM,EAAE,YAAY;KACrB;IACD;QACE,EAAE,EAAE,mCAAmC;QACvC,OAAO,EAAE,CAAC,qBAAqB,CAAC;QAChC,IAAI,EAAE,mCAAmC;QACzC,WAAW,EAAE,gJAAgJ;QAC7J,WAAW,EAAE;YACX,iBAAiB,EAAE,kBAAkB,EAAE,eAAe,EAAE,gBAAgB;YACxE,gBAAgB,EAAE,kBAAkB,EAAE,gBAAgB;YACtD,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,cAAc;SACpE;QACD,cAAc,EAAE,oQAAoQ;QACpR,MAAM,EAAE,WAAW;KACpB;IAED,8CAA8C;IAC9C;QACE,EAAE,EAAE,oBAAoB;QACxB,OAAO,EAAE,CAAC,gBAAgB,CAAC;QAC3B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,wFAAwF;QACrG,WAAW,EAAE;YACX,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,sBAAsB;YACzD,aAAa,EAAE,aAAa;SAC7B;QACD,cAAc,EAAE,yJAAyJ;QACzK,MAAM,EAAE,YAAY;KACrB;IAED,yCAAyC;IACzC;QACE,EAAE,EAAE,6BAA6B;QACjC,OAAO,EAAE,CAAC,oBAAoB,CAAC;QAC/B,IAAI,EAAE,oCAAoC;QAC1C,WAAW,EAAE,qFAAqF;QAClG,WAAW,EAAE;YACX,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,QAAQ;YAC5D,iBAAiB,EAAE,gBAAgB,EAAE,gBAAgB;SACtD;QACD,cAAc,EAAE,iKAAiK;QACjL,MAAM,EAAE,YAAY;KACrB;IAED,iCAAiC;IACjC;QACE,EAAE,EAAE,uBAAuB;QAC3B,OAAO,EAAE,CAAC,gBAAgB,CAAC;QAC3B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,gGAAgG;QAC7G,WAAW,EAAE;YACX,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,YAAY;YAC5D,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;SAClC;QACD,cAAc,EAAE,uMAAuM;QACvN,MAAM,EAAE,UAAU;KACnB;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,0BAA0B;QAC9B,OAAO,EAAE,CAAC,iBAAiB,CAAC;QAC5B,IAAI,EAAE,mCAAmC;QACzC,WAAW,EAAE,mFAAmF;QAChG,WAAW,EAAE;YACX,gBAAgB,EAAE,kBAAkB,EAAE,OAAO,EAAE,eAAe;YAC9D,kBAAkB,EAAE,aAAa,EAAE,qBAAqB;SACzD;QACD,cAAc,EAAE,8NAA8N;QAC9O,MAAM,EAAE,YAAY;KACrB;IAED,uCAAuC;IACvC;QACE,EAAE,EAAE,yBAAyB;QAC7B,OAAO,EAAE,CAAC,iBAAiB,CAAC;QAC5B,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,qFAAqF;QAClG,WAAW,EAAE;YACX,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,cAAc;YACzD,YAAY,EAAE,oBAAoB,EAAE,kBAAkB;SACvD;QACD,cAAc,EAAE,gKAAgK;QAChL,MAAM,EAAE,YAAY;KACrB;IAED,+CAA+C;IAC/C;QACE,EAAE,EAAE,yBAAyB;QAC7B,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,2GAA2G;QACxH,WAAW,EAAE;YACX,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS;YACnD,sBAAsB,EAAE,8BAA8B;SACvD;QACD,cAAc,EAAE,gMAAgM;QAChN,MAAM,EAAE,YAAY;KACrB;IAED,6CAA6C;IAC7C;QACE,EAAE,EAAE,qBAAqB;QACzB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,6BAA6B;QACnC,WAAW,EAAE,+GAA+G;QAC5H,WAAW,EAAE;YACX,MAAM,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,WAAW;YAC3D,cAAc,EAAE,cAAc,EAAE,aAAa;SAC9C;QACD,cAAc,EAAE,2JAA2J;QAC3K,MAAM,EAAE,YAAY;KACrB;IAED,iDAAiD;IACjD;QACE,EAAE,EAAE,oBAAoB;QACxB,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,kIAAkI;QAC/I,WAAW,EAAE;YACX,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO;YACxD,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO;YACvC,cAAc,EAAE,MAAM,EAAE,SAAS;SAClC;QACD,cAAc,EAAE,oLAAoL;QACpM,MAAM,EAAE,8CAA8C;KACvD;IAED,6CAA6C;IAC7C;QACE,EAAE,EAAE,8BAA8B;QAClC,OAAO,EAAE,CAAC,oBAAoB,CAAC;QAC/B,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,sFAAsF;QACnG,WAAW,EAAE;YACX,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc;YAC3D,kBAAkB,EAAE,gBAAgB,EAAE,cAAc;SACrD;QACD,cAAc,EAAE,8NAA8N;QAC9O,MAAM,EAAE,YAAY;KACrB;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,wBAAwB;QAC5B,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,oHAAoH;QACjI,WAAW,EAAE;YACX,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa;YAC/D,WAAW,EAAE,eAAe,EAAE,kBAAkB,EAAE,gBAAgB;SACnE;QACD,cAAc,EAAE,2JAA2J;QAC3K,MAAM,EAAE,WAAW;KACpB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,uCAAuC;QAC7C,WAAW,EAAE,0GAA0G;QACvH,WAAW,EAAE;YACX,YAAY,EAAE,kBAAkB,EAAE,OAAO,EAAE,oBAAoB;YAC/D,0BAA0B,EAAE,kCAAkC;YAC9D,kBAAkB,EAAE,uBAAuB;SAC5C;QACD,cAAc,EAAE,oNAAoN;QACpO,MAAM,EAAE,WAAW;KACpB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,OAAO,EAAE,CAAC,eAAe,CAAC;QAC1B,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,4GAA4G;QACzH,WAAW,EAAE;YACX,WAAW,EAAE,oBAAoB,EAAE,YAAY,EAAE,mBAAmB;YACpE,aAAa,EAAE,oBAAoB,EAAE,gBAAgB;YACrD,mBAAmB,EAAE,8BAA8B;YACnD,eAAe,EAAE,mBAAmB;SACrC;QACD,cAAc,EAAE,2PAA2P;QAC3Q,MAAM,EAAE,WAAW;KACpB;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,uBAAuB;QAC3B,OAAO,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;QAC3C,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,uFAAuF;QACpG,WAAW,EAAE;YACX,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS;YAC9C,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO;YACrC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS;SAChC;QACD,cAAc,EAAE,qLAAqL;QACrM,MAAM,EAAE,UAAU;KACnB;CACF,CAAC;AAEF,+DAA+D;AAE/D,+CAA+C;AAClC,QAAA,WAAW,GAAgB,CAAC,GAAG,eAAe,EAAE,GAAG,aAAa,CAAC,CAAC;AAE/E,0CAA0C;AAC1C,SAAgB,kBAAkB,CAAC,MAAc;IAC/C,OAAO,mBAAW,CAAC,MAAM,CACvB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC7D,CAAC;AACJ,CAAC;AAED,6DAA6D;AAC7D,SAAgB,mBAAmB,CAAC,OAAiB;IACnD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO,mBAAW,CAAC,MAAM,CACvB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAC9E,CAAC;AACJ,CAAC;AAED,6DAA6D;AAC7D,SAAgB,uBAAuB,CAAC,QAAqB;IAC3D,OAAO,QAAQ;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,iBAAiB,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,cAAc,EAAE,CAAC;SAC9M,IAAI,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC"}

package/dist/frameworks/angular.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Angular Framework Profile
+ *
+ * Angular provides strong built-in security:
+ * - Template interpolation auto-escaping (DomSanitizer)
+ * - Built-in XSRF/CSRF protection in HttpClient
+ * - Strict contextual escaping for URLs, styles, and HTML
+ * - RouterLink handles navigation safely
+ */
+import { FrameworkProfile } from './types';
+export declare const angularProfile: FrameworkProfile;

package/dist/frameworks/angular.js

@@ -0,0 +1,41 @@
+"use strict";
+/**
+ * Angular Framework Profile
+ *
+ * Angular provides strong built-in security:
+ * - Template interpolation auto-escaping (DomSanitizer)
+ * - Built-in XSRF/CSRF protection in HttpClient
+ * - Strict contextual escaping for URLs, styles, and HTML
+ * - RouterLink handles navigation safely
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.angularProfile = void 0;
+exports.angularProfile = {
+    id: 'angular',
+    name: 'Angular',
+    ecosystem: 'javascript',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Angular auto-escapes template interpolation via DomSanitizer. bypassSecurityTrust* is the explicit escape hatch.',
+            documentation_url: 'https://angular.io/guide/security#preventing-cross-site-scripting-xss',
+        },
+        {
+            rule_id: 'coppa-ext-017',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Angular RouterLink provides safe internal navigation. External links can be intercepted via route guards.',
+            documentation_url: 'https://angular.io/api/router/RouterLink',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'Angular DomSanitizer and template security',
+            patterns: [/@angular/, /DomSanitizer/, /bypassSecurityTrust/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+    ],
+};
+//# sourceMappingURL=angular.js.map

package/dist/frameworks/angular.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"angular.js","sourceRoot":"","sources":["../../src/frameworks/angular.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIU,QAAA,cAAc,GAAqB;IAC9C,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,SAAS;IACf,SAAS,EAAE,YAAY;IACvB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,kHAAkH;YAC1H,iBAAiB,EAAE,uEAAuE;SAC3F;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,2GAA2G;YACnH,iBAAiB,EAAE,0CAA0C;SAC9D;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,4CAA4C;YACzD,QAAQ,EAAE,CAAC,UAAU,EAAE,cAAc,EAAE,qBAAqB,CAAC;YAC7D,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;KACF;CACF,CAAC"}

package/dist/frameworks/django.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Django Framework Profile
+ *
+ * Django provides built-in protections that overlap with several COPPA rules:
+ * - Template engine auto-escapes all variables by default
+ * - SecurityMiddleware enforces HTTPS when configured
+ * - Built-in password validators enforce complexity requirements
+ * - django-lifecycle and django-reversion can handle data retention externally
+ */
+import { FrameworkProfile } from './types';
+export declare const djangoProfile: FrameworkProfile;

package/dist/frameworks/django.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * Django Framework Profile
+ *
+ * Django provides built-in protections that overlap with several COPPA rules:
+ * - Template engine auto-escapes all variables by default
+ * - SecurityMiddleware enforces HTTPS when configured
+ * - Built-in password validators enforce complexity requirements
+ * - django-lifecycle and django-reversion can handle data retention externally
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.djangoProfile = void 0;
+exports.djangoProfile = {
+    id: 'django',
+    name: 'Django',
+    ecosystem: 'python',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'suppress',
+            reason: 'Django templates auto-escape all variables by default.',
+            documentation_url: 'https://docs.djangoproject.com/en/stable/ref/templates/language/#automatic-html-escaping',
+        },
+        {
+            rule_id: 'coppa-retention-005',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Django models with django-lifecycle or django-reversion may handle retention externally.',
+            documentation_url: 'https://docs.djangoproject.com/en/stable/topics/db/models/',
+        },
+        {
+            rule_id: 'coppa-sec-006',
+            action: 'suppress',
+            reason: 'Django SecurityMiddleware enforces HTTPS when configured.',
+            documentation_url: 'https://docs.djangoproject.com/en/stable/ref/middleware/#module-django.middleware.security',
+        },
+        {
+            rule_id: 'coppa-sec-010',
+            action: 'suppress',
+            reason: 'Django built-in password validators enforce complexity.',
+            documentation_url: 'https://docs.djangoproject.com/en/stable/topics/auth/passwords/#module-django.contrib.auth.password_validation',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'Django CSRF middleware for cross-site request forgery protection',
+            patterns: [/CsrfViewMiddleware/, /csrf_token/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+        {
+            description: 'Django admin interface with built-in auth and access controls',
+            patterns: [/admin\.site\.register/, /class.*Admin\(/, /admin\.py/],
+            applies_to_rules: ['coppa-auth-001', 'coppa-ui-008', 'coppa-default-020'],
+        },
+    ],
+};
+//# sourceMappingURL=django.js.map

package/dist/frameworks/django.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"django.js","sourceRoot":"","sources":["../../src/frameworks/django.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIU,QAAA,aAAa,GAAqB;IAC7C,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,QAAQ;IACd,SAAS,EAAE,QAAQ;IACnB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,wDAAwD;YAChE,iBAAiB,EAAE,0FAA0F;SAC9G;QACD;YACE,OAAO,EAAE,qBAAqB;YAC9B,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,0FAA0F;YAClG,iBAAiB,EAAE,4DAA4D;SAChF;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,2DAA2D;YACnE,iBAAiB,EAAE,4FAA4F;SAChH;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,yDAAyD;YACjE,iBAAiB,EAAE,gHAAgH;SACpI;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,kEAAkE;YAC/E,QAAQ,EAAE,CAAC,oBAAoB,EAAE,YAAY,CAAC;YAC9C,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;QACD;YACE,WAAW,EAAE,+DAA+D;YAC5E,QAAQ,EAAE,CAAC,uBAAuB,EAAE,gBAAgB,EAAE,WAAW,CAAC;YAClE,gBAAgB,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,mBAAmB,CAAC;SAC1E;KACF;CACF,CAAC"}

package/dist/frameworks/index.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Framework Allowlisting System
+ *
+ * Entry point for Halo's framework-aware rule management. When a developer
+ * declares their framework in .halorc.json (e.g. { "framework": "nextjs" }),
+ * Halo loads the corresponding profile and automatically suppresses or
+ * downgrades rules that the framework already handles natively.
+ *
+ * Usage:
+ *   import { applyFrameworkOverrides } from './frameworks';
+ *   const result = applyFrameworkOverrides(violations, 'nextjs');
+ *   // result.violations  — filtered/downgraded violations
+ *   // result.suppressedCount — number of violations removed
+ *   // result.downgradedCount — number of violations with reduced severity
+ */
+export type { FrameworkAction, FrameworkRuleOverride, FrameworkSafePattern, FrameworkProfile } from './types';
+import { FrameworkProfile } from './types';
+/**
+ * Minimal violation shape used by the framework system to avoid circular
+ * imports with the engine's Violation type. Any object with at least ruleId
+ * and severity will work.
+ */
+interface ViolationLike {
+    ruleId: string;
+    severity: string;
+    [key: string]: any;
+}
+/**
+ * Look up a framework profile by its id.
+ *
+ * @param id - Framework identifier (e.g. "nextjs", "django", "rails")
+ * @returns The matching FrameworkProfile, or null if not found
+ */
+export declare function getFrameworkProfile(id: string): FrameworkProfile | null;
+/**
+ * List all registered framework ids.
+ *
+ * @returns Sorted array of framework id strings
+ */
+export declare function listFrameworks(): string[];
+/**
+ * Apply a framework's rule overrides to a set of violations.
+ *
+ * For each violation whose ruleId appears in the framework's handled_rules:
+ * - "suppress" removes the violation from the output entirely
+ * - "downgrade" reduces the violation's severity to the specified level
+ *
+ * Violations whose ruleId is NOT in the framework's profile are passed
+ * through unchanged.
+ *
+ * @param violations - Array of violation objects to filter
+ * @param frameworkId - Framework identifier to look up
+ * @returns Object with the filtered violations array and counts
+ */
+export declare function applyFrameworkOverrides<T extends ViolationLike>(violations: T[], frameworkId: string): {
+    violations: T[];
+    suppressedCount: number;
+    downgradedCount: number;
+};