@runhalo/engine 0.5.0 → 0.6.0

package/rules/rules.json

@@ -5,7 +5,7 @@
     "coppa": {
       "id": "coppa",
       "name": "COPPA 2.0 Core",
-      "description": "25 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026.",
+      "description": "26 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026. Updated March 12, 2026 for 2025 final rule amendments.",
       "jurisdiction": "US-Federal",
       "jurisdiction_level": "federal",
       "is_free": true,
@@ -95,7 +95,7 @@
     "eu-ai-act": {
       "id": "eu-ai-act",
       "name": "EU AI Act (Children)",
-      "description": "15 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), transparency (Art. 13), and constitutional AI principles.",
+      "description": "30 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy & robustness (Art. 15), and constitutional AI principles.",
       "jurisdiction": "EU",
       "jurisdiction_level": "supranational",
       "is_free": false,
@@ -129,7 +129,7 @@
         { "pattern": "LoginManager\\.getInstance\\s*\\(\\s*\\)\\s*\\.logIn", "flags": "gi" }
       ],
       "fix_suggestion": "Wrap the auth call in a conditional check for user.age >= 13 or use signInWithParentEmail() for children",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -151,7 +151,7 @@
         { "pattern": "\\?[^'\"`\\s]*\\$\\{[^}]*(?:\\.email|\\.firstName|\\.lastName|\\.dob|\\.phone|\\.birthdate|\\.ssn)[^}]*\\}", "flags": "gi" }
       ],
       "fix_suggestion": "Switch to POST method and move PII to request body",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "java", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -174,7 +174,7 @@
         { "pattern": "google-analytics\\.com/analytics\\.js", "flags": "gi" }
       ],
       "fix_suggestion": "Add \"child_directed_treatment\": true or \"restrictDataProcessing\": true to SDK initialization",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "html"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -203,7 +203,7 @@
         { "pattern": "android\\.permission\\.ACCESS_FINE_LOCATION", "flags": "gi" }
       ],
       "fix_suggestion": "Downgrade accuracy to kCLLocationAccuracyThreeKilometers or require parental consent",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin", "java", "python", "xml"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -217,7 +217,7 @@
       "severity": "medium",
       "confidence": "medium",
       "category": "retention",
-      "description": "User schemas containing PII fields must have deleted_at, expiration_date, or TTL index for data retention",
+      "description": "COPPA 2025 explicitly prohibits indefinite retention of children's PI. Operators must retain data only as long as reasonably necessary for the purpose collected. Schemas with PII fields must define retention periods, deletion mechanisms, and purpose limitation.",
       "patterns": [
         { "pattern": "new\\s+Schema\\s*\\(\\s*\\{[^{}]*(?:email|password|username|phone|dob|birth|firstName|lastName|first_name|last_name|fullName|full_name|displayName|display_name|address|ssn)[^{}]*\\}", "flags": "gi" },
         { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*models\\.Model\\s*\\)", "flags": "gi" },
@@ -226,8 +226,8 @@
         { "pattern": "@Entity[\\s\\S]*?class\\s+(?:User|Child|Student|Profile|Account|Member)", "flags": "gi" },
         { "pattern": "data\\s+class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(", "flags": "gi" }
       ],
-      "fix_suggestion": "Add deleted_at column, expiration_date field, or TTL index to database schema",
-      "penalty": "Regulatory audit failure",
+      "fix_suggestion": "Add explicit retention period (retentionDays, expiresAt, or TTL index), deleted_at column, and document the purpose limitation for data collection per COPPA 2025 § 312.10",
+      "penalty": "$53,088 per violation (COPPA 2025 indefinite retention prohibition)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "sql"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -274,7 +274,7 @@
         { "pattern": "new\\s+MediaRecorder\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Wrap audio recording in click handler and add parental consent check",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -315,7 +315,7 @@
         { "pattern": "(child_email|student_email|kid_email)\\s*=", "flags": "gi" }
       ],
       "fix_suggestion": "Make parent_email required when collecting child contact information",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -361,7 +361,7 @@
         { "pattern": "Freshdesk|FreshChat", "flags": "gi" }
       ],
       "fix_suggestion": "Disable chat widget for unauthenticated or under-13 users via conditional rendering",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "html"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -375,19 +375,25 @@
       "severity": "critical",
       "confidence": "medium",
       "category": "biometric",
-      "description": "Face recognition, voice prints, or gait analysis requires explicit parental consent. COPPA 2.0 explicitly classifies biometrics as PI.",
+      "description": "COPPA 2025 explicitly adds biometric identifiers to the definition of PI. Face recognition, voice prints, gait analysis, behavioral biometrics (keystroke dynamics, mouse movement patterns), iris/pupil scanning, and health biometric APIs all require verifiable parental consent.",
       "patterns": [
         { "pattern": "(?:import\\s+.*from\\s+['\"]face-api\\.js['\"]|require\\s*\\(\\s*['\"]face-api\\.js['\"]\\s*\\))", "flags": "gi" },
         { "pattern": "LocalAuthentication.*evaluatePolicy", "flags": "gi" },
-        { "pattern": "FaceID|TouchID", "flags": "gi" },
-        { "pattern": "biometricAuth|BiometricAuth", "flags": "g" },
-        { "pattern": "voicePrint|VoicePrint", "flags": "g" },
-        { "pattern": "livenessCheck|LivenessCheck", "flags": "g" },
-        { "pattern": "FaceMatcher|FaceDetector|FaceRecognizer", "flags": "g" }
-      ],
-      "fix_suggestion": "Ensure biometric data remains local-only (on-device) or obtain verifiable parental consent",
-      "penalty": "$51,744 per violation",
-      "languages": ["typescript", "javascript", "swift", "kotlin"],
+        { "pattern": "(?:biometricAuth|BiometricAuth|biometricPrompt|BiometricPrompt)", "flags": "g" },
+        { "pattern": "voicePrint|VoicePrint|voiceRecognition|VoiceRecognition|speakerVerification", "flags": "g" },
+        { "pattern": "livenessCheck|LivenessCheck|livenessDetection", "flags": "g" },
+        { "pattern": "FaceMatcher|FaceDetector|FaceRecognizer|FaceLandmarks", "flags": "g" },
+        { "pattern": "keystrokeDynamic|keystrokePattern|typingBiometric|keyPressAnalysis", "flags": "g" },
+        { "pattern": "gaitAnalysis|gaitDetect|gaitRecognition|motionBiometric", "flags": "g" },
+        { "pattern": "mouseMovementPattern|cursorTracking|behavioralBiometric", "flags": "g" },
+        { "pattern": "irisScann?|pupilDetect|eyeTracking|gazeTracking", "flags": "gi" },
+        { "pattern": "(?:HKHealthStore|HKQuantityType|HealthKit).*(?:heartRate|stepCount|workout|sleep)", "flags": "gi" },
+        { "pattern": "(?:GoogleFit|FitnessOptions|HistoryClient).*(?:heartRate|steps|calories|sleep)", "flags": "gi" },
+        { "pattern": "(?:import|require).*(?:face-api|@mediapipe\\/face|@tensorflow\\/tfjs-models\\/face|deepface|insightface)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Ensure biometric data remains local-only (on-device) or obtain verifiable parental consent per COPPA 2025. Do not transmit biometric identifiers to servers without separate parental consent.",
+      "penalty": "$53,088 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "python", "java"],
       "packs": ["coppa"],
       "fixability": "guided",
       "transform_type": null,
@@ -397,10 +403,10 @@
     {
       "id": "coppa-notif-013",
       "name": "Direct Push Notifications Without Consent",
-      "severity": "medium",
+      "severity": "low",
       "confidence": "low",
       "category": "notification",
-      "description": "Push notifications are \"Online Contact Info\" under COPPA 2.0. Direct notifications to children require parental consent.",
+      "description": "FTC declined to codify push notification restrictions in the 2025 final rule but stated it 'remains concerned about push notifications and other engagement techniques.' Best practice: gate push subscriptions behind parental consent. Maps to NGL Labs and Sendit enforcement patterns.",
       "patterns": [
         { "pattern": "FirebaseMessaging\\.subscribeToTopic", "flags": "gi" },
         { "pattern": "OneSignal\\.promptForPushNotifications", "flags": "gi" },
@@ -411,7 +417,7 @@
         { "pattern": "new\\s+Notification\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Gate push notification subscription behind parental dashboard setting",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -435,7 +441,7 @@
         { "pattern": "(?<!admin|Admin|moderate|Moderate)(?:commentForm.*submit|handleCommentSubmit)", "flags": "gi" }
       ],
       "fix_suggestion": "Add middleware hook for PII scrubbing (regex or AWS Comprehend) before database storage",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -534,7 +540,7 @@
         { "pattern": "(?:setUserId|set_user_id)\\s*\\([^)]*(?:email|\\.name|phone)", "flags": "gi" }
       ],
       "fix_suggestion": "Hash user ID and omit email/name from analytics payload",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -579,7 +585,7 @@
         { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})profileVisibility\\s*=\\s*['\"]?(?:public|Public)['\"]?", "flags": "gi" }
       ],
       "fix_suggestion": "Change default visibility to \"private\" or false",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "swift"],
       "packs": ["coppa"],
       "fixability": "auto",
@@ -587,6 +593,36 @@
       "scaffold_id": null,
       "guidance_url": null
     },
+    {
+      "id": "coppa-ads-021",
+      "name": "Targeted Advertising Without Separate Consent",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "advertising",
+      "description": "COPPA 2025 requires separate, specific opt-in consent before collecting children's PI for targeted advertising. Marketing consent cannot be bundled with general terms acceptance. Ad SDK initialization without a distinct consent flow is a violation.",
+      "patterns": [
+        { "pattern": "(?:import|require).*(?:google-mobile-ads|@react-native-firebase\\/admob|react-native-admob)", "flags": "gi" },
+        { "pattern": "(?:GADMobileAds|GADRequest|GADBannerView|GADInterstitial)\\.\\w+", "flags": "gi" },
+        { "pattern": "MobileAds\\.initialize|AdRequest\\.Builder|AdView|InterstitialAd\\.load", "flags": "gi" },
+        { "pattern": "(?:FBAudienceNetwork|FBAdView|FBInterstitialAd|FBNativeAd)", "flags": "gi" },
+        { "pattern": "(?:import|require).*(?:react-native-fbads|@react-native-community\\/fbads)", "flags": "gi" },
+        { "pattern": "UnityAds\\.(?:initialize|show|load)|import\\s+UnityAds", "flags": "gi" },
+        { "pattern": "IronSource\\.(?:init|showRewardedVideo|loadInterstitial)|import\\s+IronSource", "flags": "gi" },
+        { "pattern": "AppLovin\\.(?:initialize|showAd)|import.*AppLovinSDK", "flags": "gi" },
+        { "pattern": "Chartboost\\.(?:start|showInterstitial|cacheInterstitial)", "flags": "gi" },
+        { "pattern": "AdColony\\.(?:configure|requestInterstitial)", "flags": "gi" },
+        { "pattern": "Vungle\\.(?:init|playAd|loadAd)", "flags": "gi" },
+        { "pattern": "mopub\\.(?:loadBanner|loadInterstitial)|MoPubInterstitial", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a separate, specific opt-in consent flow for advertising before initializing ad SDKs. Marketing consent must NOT be bundled with general terms acceptance. Use age-gated ad experiences or contextual-only advertising for children under 13.",
+      "penalty": "$53,088 per violation (COPPA 2025 separate advertising consent requirement)",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "java", "python"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-ads",
+      "guidance_url": null
+    },
     {
       "id": "ETHICAL-001",
       "name": "Infinite Scroll / Endless Feed",
@@ -990,10 +1026,10 @@
       "category": "age-verification",
       "description": "Utah SB 142 requires an age assurance system with at least 95% accuracy to identify minor account holders (under 18). Account creation flows that lack age verification gates violate this requirement. Excludes test factories and seed scripts.",
       "patterns": [
-        { "pattern": "(?:createUser|signUp|register)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:create_user|sign_up|create_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:RegistrationService)\\.(?:create|register)\\s*\\((?![^)]*(?:age|dob|birth))", "flags": "gi" },
-        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" }
+        { "pattern": "(?:createUser|signUp|createAccount|registerUser|registerAccount)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:create_user|sign_up|create_account|register_user|register_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:RegistrationService|UserRegistration|AccountService)\\.(?:create|register)\\s*\\((?![^)]*(?:age|dob|birth))", "flags": "gi" },
+        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts|members)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" }
       ],
       "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 §13-72-201.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
@@ -1108,7 +1144,7 @@
         { "pattern": "(?:palmPrint|palm_print|irisPattern|iris_pattern|retinaScan|retina_scan)\\s*[:=]", "flags": "gi" }
       ],
       "fix_suggestion": "Obtain Verifiable Parental Consent (VPC) before collecting any biometric identifiers. Under COPPA 2.0, biometric data is 'personal information' requiring the highest consent standard. Keep biometric processing local-only where possible.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1131,7 +1167,7 @@
         { "pattern": "(?:saveDeviceToken|storeDeviceToken|registerDeviceToken|savePushToken|storePushToken)\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Gate push notification token registration behind a parental consent check. Under COPPA 2.0, push tokens are 'online contact information' — parents must explicitly opt in, and you must provide an opt-out mechanism accessible from a parental dashboard.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "swift", "kotlin", "java"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1153,7 +1189,7 @@
         { "pattern": "(?:shareStudentData|share_student_data|exportStudentRecords|export_student_records)\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Ensure ed-tech data collected under the 'school official' exception is used exclusively for the authorized educational purpose. Remove any analytics, advertising, or profiling code paths that touch student data. COPPA 2.0 makes this an explicit prohibition.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1175,7 +1211,7 @@
         { "pattern": "(?:childData|child_data|minorData|minor_data|studentData|student_data).*(?:archive|Archive|longTermStorage|long_term_storage)", "flags": "gi" }
       ],
       "fix_suggestion": "Implement automatic data deletion policies for children's personal information. Set reasonable TTLs based on the purpose of collection. Add a scheduled deletion job that purges expired child data. COPPA 2.0 requires deletion when data is no longer reasonably necessary.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1197,7 +1233,7 @@
         { "pattern": "<input[^>]*type=['\"]checkbox['\"][^>]*(?:consent|agree|parent)", "flags": "gi" }
       ],
       "fix_suggestion": "Upgrade consent mechanism to meet COPPA 2.0 VPC standards. For external data sharing, use credit card verification, video calls, government ID, or knowledge-based authentication. Simple checkboxes and email confirmations do not meet the VPC standard for external use of children's data.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -2364,7 +2400,9 @@
       "patterns": [
         { "pattern": "model\\.(?:fit|train|finetune)\\(", "flags": "gi" },
         { "pattern": "(?:trainModel|fitModel|trainPipeline)\\(", "flags": "gi" },
-        { "pattern": "(?:tensorflow|torch|sklearn|keras)\\.(?:fit|train)", "flags": "gi" }
+        { "pattern": "(?:tensorflow|torch|sklearn|keras)\\.(?:fit|train)", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\(", "flags": "gi" },
+        { "pattern": "model\\.transcribe\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Add fairness testing to ML pipeline: run bias audits (demographic parity, equalized odds) before deploying models that affect children.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2386,7 +2424,10 @@
         { "pattern": "(?:generateImage|aiGenerate|textToImage|imageGeneration)\\(", "flags": "gi" },
         { "pattern": "(?:syntheticContent|aiContent|generatedContent)", "flags": "gi" },
         { "pattern": "(?:dall-e|stable-diffusion|midjourney|openai\\.images)", "flags": "gi" },
-        { "pattern": "(?:textToSpeech|voiceSynthesis|tts)\\.(?:generate|create|synthesize)", "flags": "gi" }
+        { "pattern": "(?:textToSpeech|voiceSynthesis|tts)\\.(?:generate|create|synthesize)", "flags": "gi" },
+        { "pattern": "from\\s+elevenlabs\\s+import", "flags": "gi" },
+        { "pattern": "elevenlabs\\.(?:generate|clone|Voice)", "flags": "gi" },
+        { "pattern": "generate\\s*\\(\\s*text\\s*=", "flags": "gi" }
       ],
       "fix_suggestion": "Add visible AI-generated content labels: include 'AI Generated' badge/watermark on all synthetic media shown to children.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2449,7 +2490,11 @@
       "patterns": [
         { "pattern": "(?:loadModel|deployModel|serveModel)\\(", "flags": "gi" },
         { "pattern": "(?:modelEndpoint|inferenceEndpoint|predictionService)", "flags": "gi" },
-        { "pattern": "(?:huggingface|openai|anthropic|cohere)\\.(?:create|complete|generate)", "flags": "gi" }
+        { "pattern": "(?:huggingface|openai|anthropic|cohere)\\.(?:create|complete|generate)", "flags": "gi" },
+        { "pattern": "(?:ChatOpenAI|AzureChatOpenAI|ChatAnthropic|ChatCohere|ChatGoogleGenerativeAI)\\(", "flags": "gi" },
+        { "pattern": "from\\s+langchain_openai\\s+import", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\(", "flags": "gi" },
+        { "pattern": "OpenAIEmbeddings\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Create a model card documenting training data sources, intended use, limitations, and bias considerations.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2627,6 +2672,329 @@
       "transform_type": null,
       "scaffold_id": null,
       "guidance_url": null
+    },
+    {
+      "id": "CAI-DATAMIN-001",
+      "name": "Excessive Data Collection in AI Pipeline",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI systems processing children's data must implement data minimization — collecting only what is strictly necessary. Broad collection scopes, wildcard field selection, or indefinite retention violate the data minimization principle (GDPR Art. 5(1)(c), IEEE 7010-2020).",
+      "patterns": [
+        { "pattern": "(?:collectUserData|gatherData|harvestData|scrapeUser)\\((?![^)]*(?:fields|only|select))", "flags": "gi" },
+        { "pattern": "(?:fields|columns|attributes)\\s*[:=]\\s*['\"]\\*['\"]", "flags": "gi" },
+        { "pattern": "(?:retention|ttl|expiry)\\s*[:=]\\s*['\"](?:indefinite|forever|permanent|never)['\"]", "flags": "gi" },
+        { "pattern": "(?:trackAll|collectAll|logAll)(?:Events|Data|Interactions|Behaviors)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement data minimization: specify exact fields needed, set finite retention periods (e.g., 30 days), and document the purpose for each data field collected.",
+      "penalty": "Constitutional AI Principle: Data Minimization (GDPR Art. 5(1)(c), IEEE 7010-2020)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-NEURO-001",
+      "name": "AI Interface Without Neurodivergent Accommodations",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "constitutional-ai",
+      "description": "AI systems for children must accommodate neurodivergent users (ADHD, autism, dyslexia). Timed interactions, rapid UI transitions, and sensory-heavy content without alternatives violate accessibility principles (WCAG 2.2, IEEE 2089-2021 Section 7.3).",
+      "patterns": [
+        { "pattern": "(?:countdownTimer|timeLimit|timedQuiz|timedResponse|timedAssessment)\\(", "flags": "gi" },
+        { "pattern": "(?:autoAdvance|autoScroll|autoPlay|rapidFire)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:flashingContent|strobeEffect|blinkAnimation|rapidTransition)\\(", "flags": "gi" },
+        { "pattern": "(?:forcedPacing|fixedSpeed|noExtension)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add neurodivergent accommodations: offer extended time options, reduce-motion mode, pause/resume controls, and adjustable pacing for all timed AI interactions.",
+      "penalty": "Constitutional AI Principle: Neurodivergent Accessibility (IEEE 2089-2021 Section 7.3)",
+      "languages": ["typescript", "javascript", "python", "tsx", "jsx"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-COREG-001",
+      "name": "AI Decision Affecting Child Without Parent Involvement",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "High-impact AI decisions about children (content restrictions, learning path changes, behavioral assessments) must include a parental co-regulation mechanism — parents must be notified and given override capability (IEEE 2089-2021 Section 6.4, UN CRC Art. 5).",
+      "patterns": [
+        { "pattern": "(?:setContentRestriction|restrictAccess|blockContent|limitUsage)\\((?![^)]*parent)", "flags": "gi" },
+        { "pattern": "(?:adjustLearningPath|changeDifficulty|skipLesson|modifyCurriculum)\\((?![^)]*parent)", "flags": "gi" },
+        { "pattern": "(?:behavioralAssessment|emotionDetection|sentimentAnalysis|moodClassification)\\(.*(?:child|student|minor|kid)", "flags": "gi" },
+        { "pattern": "(?:autoRestrict|autoBlock|autoLimit)(?:Content|Access|Usage)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement parental co-regulation: notify parents of high-impact AI decisions, provide override controls, and require parent-child joint confirmation for significant changes.",
+      "penalty": "Constitutional AI Principle: Parental Co-Regulation (IEEE 2089-2021 Section 6.4)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-CRISIS-001",
+      "name": "AI Chatbot Without Crisis Escalation Protocol",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI systems interacting with children must detect crisis signals (self-harm, suicidal ideation, abuse disclosure) and immediately escalate to human professionals. Chatbots and AI companions without crisis detection in child-facing contexts violate duty of care (IEEE 2089-2021 Section 8, Surgeon General Advisory 2023).",
+      "patterns": [
+        { "pattern": "(?:chatCompletion|generateResponse|botReply|aiResponse)\\((?![^)]*(?:crisis|safety|escalat|safeguard)).*(?:child|student|minor|kid|youth)", "flags": "gi" },
+        { "pattern": "(?:child|student|minor|kid|youth).*(?:chatCompletion|generateResponse|botReply|aiResponse)\\((?![^)]*(?:crisis|safety|escalat|safeguard))", "flags": "gi" },
+        { "pattern": "(?:aiCompanion|virtualFriend|chatBot|aiTutor)\\.(?:respond|reply|send)\\((?![^)]*(?:crisis|safety))", "flags": "gi" },
+        { "pattern": "(?:studentChat|childChat|youthChat|kidChat)\\.(?:send|post|submit)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement crisis escalation: add keyword detection for self-harm/suicide/abuse signals, immediately route to crisis hotline (988 Suicide & Crisis Lifeline), notify a designated adult, and halt AI-only interaction.",
+      "penalty": "Constitutional AI Principle: Crisis Escalation Protocol (IEEE 2089-2021 Section 8)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-001",
+      "name": "Training Data Without Quality Documentation",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(2) requires training data sets to be subject to data governance practices — including documentation of data sources, collection methodology, and quality metrics. ML pipelines without data provenance tracking violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:loadDataset|readTrainingData|importDataset|fetchTrainingSet)\\((?![^)]*(?:provenance|source|documentation|metadata))", "flags": "gi" },
+        { "pattern": "(?:trainData|trainingSet|trainingCorpus)\\s*[:=]\\s*(?:pd\\.read|csv\\.reader|json\\.load|open\\()", "flags": "gi" },
+        { "pattern": "(?:DataLoader|Dataset)\\.(?:from_|load_)(?:csv|json|parquet|tfrecord)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add data governance documentation: create a data card for each training dataset documenting source, collection method, size, demographics, known biases, and quality metrics.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-002",
+      "name": "Training Data Without Bias Testing",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(2)(f) requires examination of training data for possible biases, especially for children where demographic imbalances can cause disproportionate harm. Model training without bias audits violates this requirement.",
+      "patterns": [
+        { "pattern": "model\\.(?:fit|train|finetune)\\((?![^)]*(?:bias|fairness|audit|balanced))", "flags": "gi" },
+        { "pattern": "(?:pipeline|trainer)\\.(?:train|run|execute)\\((?![^)]*(?:bias|fairness|equit))", "flags": "gi" },
+        { "pattern": "(?:AutoML|autoTrain|autoFit)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add bias testing to the training pipeline: run demographic parity checks, compute equalized odds metrics, and document bias audit results before deployment.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-003",
+      "name": "No Data Representativeness Validation",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(3) requires training data to be representative of the deployment context. Children's AI systems must validate that training data represents age, cultural, and linguistic diversity of the target population.",
+      "patterns": [
+        { "pattern": "(?:trainModel|buildModel|createModel)\\((?![^)]*(?:representative|demograph|diversity|balanced|stratif))", "flags": "gi" },
+        { "pattern": "train_test_split\\((?![^)]*stratif)", "flags": "gi" },
+        { "pattern": "(?:DataSplit|splitData|partitionData)\\((?![^)]*(?:stratif|balanced|representative))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Validate data representativeness: use stratified sampling, verify demographic coverage across age groups, and document gaps between training data and target child population.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-004",
+      "name": "Training Data Without Consent Verification",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(5) combined with GDPR Art. 6/9 requires that training data collection respects data protection law. Children's data used for training without verified parental consent is a severe violation.",
+      "patterns": [
+        { "pattern": "(?:collectTrainingData|gatherTrainingSamples|buildTrainingSet)\\((?![^)]*consent)", "flags": "gi" },
+        { "pattern": "(?:userInteraction|chatLog|sessionData|behaviorLog)\\.(?:export|save|dump).*(?:train|model|dataset)", "flags": "gi" },
+        { "pattern": "(?:finetuneOn|trainOn|learnFrom)(?:User|Child|Student)(?:Data|Input|Interactions)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Verify consent before using children's data for training: implement opt-in parental consent for data use in ML training, maintain consent audit trail, and provide data deletion mechanisms.",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover (combined with GDPR)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-001",
+      "name": "AI System Without Human-in-the-Loop Mechanism",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(1) requires high-risk AI systems to be designed for effective human oversight. AI systems making consequential decisions for children without a human review checkpoint violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:autoApprove|autoAccept|autoGrade|autoAssess)\\(", "flags": "gi" },
+        { "pattern": "(?:automatedDecision|aiDecision|mlDecision)\\.(?:execute|apply|commit)\\(", "flags": "gi" },
+        { "pattern": "(?:contentFilter|safetyFilter|moderationFilter)\\.(?:autoApply|autoEnforce)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add human-in-the-loop: implement review queues for consequential AI decisions, add manual override capabilities, and require human approval for actions affecting child accounts.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-002",
+      "name": "No Emergency Stop or Override Mechanism",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4)(d) requires human overseers to be able to intervene or interrupt the AI system at any time. AI systems without kill switch, emergency stop, or override mechanism are non-compliant.",
+      "patterns": [
+        { "pattern": "(?:aiService|mlService|aiPipeline|aiWorker)\\.(?:start|run|deploy)\\((?![^)]*(?:killSwitch|emergencyStop|override|interrupt))", "flags": "gi" },
+        { "pattern": "(?:startAI|launchAI|deployAI|activateAI)\\((?![^)]*(?:stop|halt|kill|override|interrupt))", "flags": "gi" },
+        { "pattern": "(?:autonomousMode|autoMode|unsupervisedMode)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement emergency stop: add a kill switch endpoint (/api/ai/stop), monitoring alerts for anomalous behavior, and immediate halt capability accessible to human overseers.",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-003",
+      "name": "AI Output Without Interpretability for Overseer",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4)(b) requires that human overseers can correctly interpret the AI system's output. AI predictions, classifications, or recommendations served without explanation metadata are non-compliant.",
+      "patterns": [
+        { "pattern": "model\\.predict\\((?![^)]*(?:explain|interpret|shap|lime|feature_import))", "flags": "gi" },
+        { "pattern": "(?:classifier|predictor|estimator)\\.predict(?:_proba)?\\((?![^)]*(?:explain|interpret|reason))", "flags": "gi" },
+        { "pattern": "(?:getRecommendation|getPrediction|getClassification)\\((?![^)]*(?:reason|explain|confidence))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add interpretability: attach explanation metadata (SHAP values, feature importance, confidence scores, or natural language reasoning) to every AI output served to overseers.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-004",
+      "name": "No Oversight Audit Trail",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4) requires human oversight actions (reviews, overrides, approvals) to be logged. AI systems without audit trails for human oversight actions cannot demonstrate compliance.",
+      "patterns": [
+        { "pattern": "(?:humanReview|manualOverride|humanApproval)\\.(?:submit|process|execute)\\((?![^)]*(?:log|audit|record|track))", "flags": "gi" },
+        { "pattern": "(?:override|overrule|escalate)(?:Decision|Prediction|Classification)\\((?![^)]*(?:log|audit|record))", "flags": "gi" },
+        { "pattern": "(?:approveContent|rejectContent|flagContent)\\((?![^)]*(?:log|audit|trail|record))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add oversight audit trail: log every human review, override, and approval action with timestamp, reviewer ID, original AI output, and human decision rationale.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-001",
+      "name": "No Error Rate Monitoring",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(1) requires high-risk AI systems to achieve appropriate levels of accuracy and declare expected error rates. AI inference endpoints without accuracy monitoring or error rate tracking are non-compliant.",
+      "patterns": [
+        { "pattern": "(?:serveModel|deployModel|modelEndpoint|inferenceAPI)\\.(?:start|deploy|listen)\\((?![^)]*(?:monitor|metric|accuracy|errorRate))", "flags": "gi" },
+        { "pattern": "(?:predictionService|mlService|aiEndpoint)\\.(?:init|start|register)\\((?![^)]*(?:monitor|metric|accuracy))", "flags": "gi" },
+        { "pattern": "app\\.(?:post|get)\\s*\\(\\s*['\"].*(?:predict|classify|recommend|infer)[^'\"]*['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add accuracy monitoring: implement real-time error rate tracking, declare expected accuracy levels in model documentation, and set up alerts when accuracy degrades below thresholds.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-002",
+      "name": "No Fallback for AI Failure",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(3) requires AI systems to be resilient against errors, faults, and inconsistencies. AI calls without error handling, timeouts, or fallback mechanisms expose children to unpredictable behavior.",
+      "patterns": [
+        { "pattern": "(?:openai|anthropic|cohere|replicate)\\.\\w+(?:\\.\\w+)*\\((?![^\\n]*(?:catch|try|timeout|fallback|retry))", "flags": "gi" },
+        { "pattern": "await\\s+(?:generateText|generateResponse|aiComplete|llmCall)\\((?![^\\n]*(?:catch|try|timeout|fallback))", "flags": "gi" },
+        { "pattern": "(?:fetch|axios)\\s*\\(\\s*[^)]*(?:inference|predict|classify|openai|anthropic)(?![^\\n]*(?:catch|timeout|retry))", "flags": "gi" },
+        { "pattern": "(?:ChatOpenAI|AzureChatOpenAI|ChatAnthropic|ChatCohere)\\((?![^\\n]*(?:callbacks|on_error|fallback|retry))", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\((?![^\\n]*(?:try|catch|except|fallback))", "flags": "gi" },
+        { "pattern": "from\\s+elevenlabs\\s+import(?![^\\n]*(?:try|catch|except|fallback))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add AI failure fallback: wrap all AI calls in try/catch with timeouts, implement graceful degradation (e.g., static content when AI unavailable), and log all failures for review.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-003",
+      "name": "No Adversarial Robustness Testing",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(4) requires high-risk AI systems to be resilient against attempts by unauthorized third parties to manipulate outputs (adversarial attacks). AI systems processing children's input without input validation or adversarial testing are vulnerable to prompt injection and manipulation.",
+      "patterns": [
+        { "pattern": "(?:userInput|userMessage|userPrompt|childInput).*(?:openai|anthropic|llm|model)(?![^\\n]*(?:sanitize|validate|filter|moderate|guard))", "flags": "gi" },
+        { "pattern": "(?:openai|anthropic|llm|model)\\.(?:generate|complete|create|chat)\\(.*(?:userInput|userMessage|userPrompt|childInput)(?![^\\n]*(?:sanitize|validate|filter|moderate|guard))", "flags": "gi" },
+        { "pattern": "(?:systemPrompt|messages)\\s*[:=].*\\+\\s*(?:userInput|req\\.body|input)(?![^\\n]*(?:sanitize|validate|escape))", "flags": "gi" },
+        { "pattern": "(?:promptTemplate|buildPrompt|createPrompt)\\(.*(?:user|child|student)(?![^)]*(?:sanitize|validate|clean|escape))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add adversarial robustness: implement input sanitization for all user-provided text before passing to AI models, add prompt injection detection, and run periodic adversarial testing.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
     }
   ]
 }