@runhalo/engine 0.5.0 → 0.7.0

package/rules/rules.json

@@ -1,11 +1,11 @@
 {
   "version": "1.0.0",
-  "generated_at": "2026-03-02T00:00:00Z",
+  "generated_at": "2026-03-13T00:00:00Z",
   "packs": {
     "coppa": {
       "id": "coppa",
       "name": "COPPA 2.0 Core",
-      "description": "25 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026.",
+      "description": "26 rules for COPPA & COPPA 2.0 compliance. Effective April 22, 2026. Updated March 12, 2026 for 2025 final rule amendments.",
       "jurisdiction": "US-Federal",
       "jurisdiction_level": "federal",
       "is_free": true,
@@ -95,12 +95,72 @@
     "eu-ai-act": {
       "id": "eu-ai-act",
       "name": "EU AI Act (Children)",
-      "description": "15 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), transparency (Art. 13), and constitutional AI principles.",
+      "description": "30 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy & robustness (Art. 15), and constitutional AI principles.",
       "jurisdiction": "EU",
       "jurisdiction_level": "supranational",
       "is_free": false,
       "effective_date": "2026-08-01",
       "source_url": "https://artificialintelligenceact.eu/"
+    },
+    "gdpr-art8": {
+      "id": "gdpr-art8",
+      "name": "EU GDPR Article 8 (Child Consent)",
+      "description": "5 rules for GDPR Article 8 compliance — child consent age fragmentation across EU member states, legitimate interest restrictions, and data minimization for minors.",
+      "jurisdiction": "EU",
+      "jurisdiction_level": "supranational",
+      "is_free": false,
+      "effective_date": "2018-05-25",
+      "source_url": "https://gdpr-info.eu/art-8-gdpr/"
+    },
+    "india-dpdp": {
+      "id": "india-dpdp",
+      "name": "India DPDP Act 2023 (Section 9)",
+      "description": "5 rules for India's Digital Personal Data Protection Act — strictest global framework. Under-18 tracking ban, parental consent for all processing, blanket prohibition on behavioral monitoring.",
+      "jurisdiction": "IN",
+      "jurisdiction_level": "national",
+      "is_free": false,
+      "effective_date": "2023-08-11",
+      "source_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    "brazil-lgpd": {
+      "id": "brazil-lgpd",
+      "name": "Brazil LGPD Article 14 (Children's Data)",
+      "description": "4 rules for Brazil's LGPD Article 14 — best interest standard for children under 12, data minimization, and age-appropriate notices.",
+      "jurisdiction": "BR",
+      "jurisdiction_level": "national",
+      "is_free": false,
+      "effective_date": "2020-09-18",
+      "source_url": "https://lgpd-brazil.info/chapter_02/article_14"
+    },
+    "canada-pipeda": {
+      "id": "canada-pipeda",
+      "name": "Canada PIPEDA (Children's Consent)",
+      "description": "4 rules for Canada's PIPEDA — meaningful consent for minors, OPC reasonable purpose test, behavioral advertising restrictions for children.",
+      "jurisdiction": "CA",
+      "jurisdiction_level": "national",
+      "is_free": false,
+      "effective_date": "2000-01-01",
+      "source_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
+    },
+    "south-korea-pipa": {
+      "id": "south-korea-pipa",
+      "name": "South Korea PIPA (Under-14 Protection)",
+      "description": "3 rules for South Korea's Personal Information Protection Act — parental consent for under-14, clear child-appropriate language, and fines up to 3% global revenue.",
+      "jurisdiction": "KR",
+      "jurisdiction_level": "national",
+      "is_free": false,
+      "effective_date": "2011-09-30",
+      "source_url": "https://iclg.com/practice-areas/data-protection-laws-and-regulations/korea"
+    },
+    "behavioral-design": {
+      "id": "behavioral-design",
+      "name": "Behavioral Design Patterns",
+      "description": "4 rules detecting harmful behavioral design patterns and rewarding positive design in children's products. Framework-agnostic, based on AAP/WHO guidelines.",
+      "jurisdiction": "international",
+      "jurisdiction_level": "advisory",
+      "is_free": false,
+      "effective_date": null,
+      "source_url": "https://runhalo.dev/behavioral-design"
     }
   },
   "rules": [
@@ -129,7 +189,7 @@
         { "pattern": "LoginManager\\.getInstance\\s*\\(\\s*\\)\\s*\\.logIn", "flags": "gi" }
       ],
       "fix_suggestion": "Wrap the auth call in a conditional check for user.age >= 13 or use signInWithParentEmail() for children",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -151,7 +211,7 @@
         { "pattern": "\\?[^'\"`\\s]*\\$\\{[^}]*(?:\\.email|\\.firstName|\\.lastName|\\.dob|\\.phone|\\.birthdate|\\.ssn)[^}]*\\}", "flags": "gi" }
       ],
       "fix_suggestion": "Switch to POST method and move PII to request body",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "java", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -174,7 +234,7 @@
         { "pattern": "google-analytics\\.com/analytics\\.js", "flags": "gi" }
       ],
       "fix_suggestion": "Add \"child_directed_treatment\": true or \"restrictDataProcessing\": true to SDK initialization",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "html"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -203,7 +263,7 @@
         { "pattern": "android\\.permission\\.ACCESS_FINE_LOCATION", "flags": "gi" }
       ],
       "fix_suggestion": "Downgrade accuracy to kCLLocationAccuracyThreeKilometers or require parental consent",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin", "java", "python", "xml"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -217,7 +277,7 @@
       "severity": "medium",
       "confidence": "medium",
       "category": "retention",
-      "description": "User schemas containing PII fields must have deleted_at, expiration_date, or TTL index for data retention",
+      "description": "COPPA 2025 explicitly prohibits indefinite retention of children's PI. Operators must retain data only as long as reasonably necessary for the purpose collected. Schemas with PII fields must define retention periods, deletion mechanisms, and purpose limitation.",
       "patterns": [
         { "pattern": "new\\s+Schema\\s*\\(\\s*\\{[^{}]*(?:email|password|username|phone|dob|birth|firstName|lastName|first_name|last_name|fullName|full_name|displayName|display_name|address|ssn)[^{}]*\\}", "flags": "gi" },
         { "pattern": "class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(\\s*models\\.Model\\s*\\)", "flags": "gi" },
@@ -226,8 +286,8 @@
         { "pattern": "@Entity[\\s\\S]*?class\\s+(?:User|Child|Student|Profile|Account|Member)", "flags": "gi" },
         { "pattern": "data\\s+class\\s+(?:User|Child|Student|Profile|Account|Member)\\w*\\s*\\(", "flags": "gi" }
       ],
-      "fix_suggestion": "Add deleted_at column, expiration_date field, or TTL index to database schema",
-      "penalty": "Regulatory audit failure",
+      "fix_suggestion": "Add explicit retention period (retentionDays, expiresAt, or TTL index), deleted_at column, and document the purpose limitation for data collection per COPPA 2025 § 312.10",
+      "penalty": "$53,088 per violation (COPPA 2025 indefinite retention prohibition)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "sql"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -274,7 +334,7 @@
         { "pattern": "new\\s+MediaRecorder\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Wrap audio recording in click handler and add parental consent check",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -315,7 +375,7 @@
         { "pattern": "(child_email|student_email|kid_email)\\s*=", "flags": "gi" }
       ],
       "fix_suggestion": "Make parent_email required when collecting child contact information",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -361,7 +421,7 @@
         { "pattern": "Freshdesk|FreshChat", "flags": "gi" }
       ],
       "fix_suggestion": "Disable chat widget for unauthenticated or under-13 users via conditional rendering",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "html"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -375,19 +435,25 @@
       "severity": "critical",
       "confidence": "medium",
       "category": "biometric",
-      "description": "Face recognition, voice prints, or gait analysis requires explicit parental consent. COPPA 2.0 explicitly classifies biometrics as PI.",
+      "description": "COPPA 2025 explicitly adds biometric identifiers to the definition of PI. Face recognition, voice prints, gait analysis, behavioral biometrics (keystroke dynamics, mouse movement patterns), iris/pupil scanning, and health biometric APIs all require verifiable parental consent.",
       "patterns": [
         { "pattern": "(?:import\\s+.*from\\s+['\"]face-api\\.js['\"]|require\\s*\\(\\s*['\"]face-api\\.js['\"]\\s*\\))", "flags": "gi" },
         { "pattern": "LocalAuthentication.*evaluatePolicy", "flags": "gi" },
-        { "pattern": "FaceID|TouchID", "flags": "gi" },
-        { "pattern": "biometricAuth|BiometricAuth", "flags": "g" },
-        { "pattern": "voicePrint|VoicePrint", "flags": "g" },
-        { "pattern": "livenessCheck|LivenessCheck", "flags": "g" },
-        { "pattern": "FaceMatcher|FaceDetector|FaceRecognizer", "flags": "g" }
-      ],
-      "fix_suggestion": "Ensure biometric data remains local-only (on-device) or obtain verifiable parental consent",
-      "penalty": "$51,744 per violation",
-      "languages": ["typescript", "javascript", "swift", "kotlin"],
+        { "pattern": "(?:biometricAuth|BiometricAuth|biometricPrompt|BiometricPrompt)", "flags": "g" },
+        { "pattern": "voicePrint|VoicePrint|voiceRecognition|VoiceRecognition|speakerVerification", "flags": "g" },
+        { "pattern": "livenessCheck|LivenessCheck|livenessDetection", "flags": "g" },
+        { "pattern": "FaceMatcher|FaceDetector|FaceRecognizer|FaceLandmarks", "flags": "g" },
+        { "pattern": "keystrokeDynamic|keystrokePattern|typingBiometric|keyPressAnalysis", "flags": "g" },
+        { "pattern": "gaitAnalysis|gaitDetect|gaitRecognition|motionBiometric", "flags": "g" },
+        { "pattern": "mouseMovementPattern|cursorTracking|behavioralBiometric", "flags": "g" },
+        { "pattern": "irisScann?|pupilDetect|eyeTracking|gazeTracking", "flags": "gi" },
+        { "pattern": "(?:HKHealthStore|HKQuantityType|HealthKit).*(?:heartRate|stepCount|workout|sleep)", "flags": "gi" },
+        { "pattern": "(?:GoogleFit|FitnessOptions|HistoryClient).*(?:heartRate|steps|calories|sleep)", "flags": "gi" },
+        { "pattern": "(?:import|require).*(?:face-api|@mediapipe\\/face|@tensorflow\\/tfjs-models\\/face|deepface|insightface)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Ensure biometric data remains local-only (on-device) or obtain verifiable parental consent per COPPA 2025. Do not transmit biometric identifiers to servers without separate parental consent.",
+      "penalty": "$53,088 per violation",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "python", "java"],
       "packs": ["coppa"],
       "fixability": "guided",
       "transform_type": null,
@@ -397,10 +463,10 @@
     {
       "id": "coppa-notif-013",
       "name": "Direct Push Notifications Without Consent",
-      "severity": "medium",
+      "severity": "low",
       "confidence": "low",
       "category": "notification",
-      "description": "Push notifications are \"Online Contact Info\" under COPPA 2.0. Direct notifications to children require parental consent.",
+      "description": "FTC declined to codify push notification restrictions in the 2025 final rule but stated it 'remains concerned about push notifications and other engagement techniques.' Best practice: gate push subscriptions behind parental consent. Maps to NGL Labs and Sendit enforcement patterns.",
       "patterns": [
         { "pattern": "FirebaseMessaging\\.subscribeToTopic", "flags": "gi" },
         { "pattern": "OneSignal\\.promptForPushNotifications", "flags": "gi" },
@@ -411,7 +477,7 @@
         { "pattern": "new\\s+Notification\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Gate push notification subscription behind parental dashboard setting",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "swift", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -435,7 +501,7 @@
         { "pattern": "(?<!admin|Admin|moderate|Moderate)(?:commentForm.*submit|handleCommentSubmit)", "flags": "gi" }
       ],
       "fix_suggestion": "Add middleware hook for PII scrubbing (regex or AWS Comprehend) before database storage",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -534,7 +600,7 @@
         { "pattern": "(?:setUserId|set_user_id)\\s*\\([^)]*(?:email|\\.name|phone)", "flags": "gi" }
       ],
       "fix_suggestion": "Hash user ID and omit email/name from analytics payload",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -579,7 +645,7 @@
         { "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})profileVisibility\\s*=\\s*['\"]?(?:public|Public)['\"]?", "flags": "gi" }
       ],
       "fix_suggestion": "Change default visibility to \"private\" or false",
-      "penalty": "$51,744 per violation",
+      "penalty": "$53,088 per violation",
       "languages": ["typescript", "javascript", "python", "swift"],
       "packs": ["coppa"],
       "fixability": "auto",
@@ -587,6 +653,36 @@
       "scaffold_id": null,
       "guidance_url": null
     },
+    {
+      "id": "coppa-ads-021",
+      "name": "Targeted Advertising Without Separate Consent",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "advertising",
+      "description": "COPPA 2025 requires separate, specific opt-in consent before collecting children's PI for targeted advertising. Marketing consent cannot be bundled with general terms acceptance. Ad SDK initialization without a distinct consent flow is a violation.",
+      "patterns": [
+        { "pattern": "(?:import|require).*(?:google-mobile-ads|@react-native-firebase\\/admob|react-native-admob)", "flags": "gi" },
+        { "pattern": "(?:GADMobileAds|GADRequest|GADBannerView|GADInterstitial)\\.\\w+", "flags": "gi" },
+        { "pattern": "MobileAds\\.initialize|AdRequest\\.Builder|AdView|InterstitialAd\\.load", "flags": "gi" },
+        { "pattern": "(?:FBAudienceNetwork|FBAdView|FBInterstitialAd|FBNativeAd)", "flags": "gi" },
+        { "pattern": "(?:import|require).*(?:react-native-fbads|@react-native-community\\/fbads)", "flags": "gi" },
+        { "pattern": "UnityAds\\.(?:initialize|show|load)|import\\s+UnityAds", "flags": "gi" },
+        { "pattern": "IronSource\\.(?:init|showRewardedVideo|loadInterstitial)|import\\s+IronSource", "flags": "gi" },
+        { "pattern": "AppLovin\\.(?:initialize|showAd)|import.*AppLovinSDK", "flags": "gi" },
+        { "pattern": "Chartboost\\.(?:start|showInterstitial|cacheInterstitial)", "flags": "gi" },
+        { "pattern": "AdColony\\.(?:configure|requestInterstitial)", "flags": "gi" },
+        { "pattern": "Vungle\\.(?:init|playAd|loadAd)", "flags": "gi" },
+        { "pattern": "mopub\\.(?:loadBanner|loadInterstitial)|MoPubInterstitial", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a separate, specific opt-in consent flow for advertising before initializing ad SDKs. Marketing consent must NOT be bundled with general terms acceptance. Use age-gated ad experiences or contextual-only advertising for children under 13.",
+      "penalty": "$53,088 per violation (COPPA 2025 separate advertising consent requirement)",
+      "languages": ["typescript", "javascript", "swift", "kotlin", "java", "python"],
+      "packs": ["coppa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "consent-ads",
+      "guidance_url": null
+    },
     {
       "id": "ETHICAL-001",
       "name": "Infinite Scroll / Endless Feed",
@@ -990,10 +1086,10 @@
       "category": "age-verification",
       "description": "Utah SB 142 requires an age assurance system with at least 95% accuracy to identify minor account holders (under 18). Account creation flows that lack age verification gates violate this requirement. Excludes test factories and seed scripts.",
       "patterns": [
-        { "pattern": "(?:createUser|signUp|register)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:create_user|sign_up|create_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
-        { "pattern": "(?:RegistrationService)\\.(?:create|register)\\s*\\((?![^)]*(?:age|dob|birth))", "flags": "gi" },
-        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" }
+        { "pattern": "(?:createUser|signUp|createAccount|registerUser|registerAccount)\\s*\\((?![^)]*(?:age|dateOfBirth|dob|birthDate|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:create_user|sign_up|create_account|register_user|register_account)\\s*\\((?![^)]*(?:age|date_of_birth|dob|birth_date))[^)]*\\)", "flags": "gi" },
+        { "pattern": "(?:RegistrationService|UserRegistration|AccountService)\\.(?:create|register)\\s*\\((?![^)]*(?:age|dob|birth))", "flags": "gi" },
+        { "pattern": "INSERT\\s+INTO\\s+(?:users|accounts|members)\\s*\\((?![^)]*(?:age|dob|birth_date|date_of_birth))[^)]*\\)\\s*VALUES", "flags": "gi" }
       ],
       "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 §13-72-201.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
@@ -1108,7 +1204,7 @@
         { "pattern": "(?:palmPrint|palm_print|irisPattern|iris_pattern|retinaScan|retina_scan)\\s*[:=]", "flags": "gi" }
       ],
       "fix_suggestion": "Obtain Verifiable Parental Consent (VPC) before collecting any biometric identifiers. Under COPPA 2.0, biometric data is 'personal information' requiring the highest consent standard. Keep biometric processing local-only where possible.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1131,7 +1227,7 @@
         { "pattern": "(?:saveDeviceToken|storeDeviceToken|registerDeviceToken|savePushToken|storePushToken)\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Gate push notification token registration behind a parental consent check. Under COPPA 2.0, push tokens are 'online contact information' — parents must explicitly opt in, and you must provide an opt-out mechanism accessible from a parental dashboard.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "swift", "kotlin", "java"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1153,7 +1249,7 @@
         { "pattern": "(?:shareStudentData|share_student_data|exportStudentRecords|export_student_records)\\s*\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Ensure ed-tech data collected under the 'school official' exception is used exclusively for the authorized educational purpose. Remove any analytics, advertising, or profiling code paths that touch student data. COPPA 2.0 makes this an explicit prohibition.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1175,7 +1271,7 @@
         { "pattern": "(?:childData|child_data|minorData|minor_data|studentData|student_data).*(?:archive|Archive|longTermStorage|long_term_storage)", "flags": "gi" }
       ],
       "fix_suggestion": "Implement automatic data deletion policies for children's personal information. Set reasonable TTLs based on the purpose of collection. Add a scheduled deletion job that purges expired child data. COPPA 2.0 requires deletion when data is no longer reasonably necessary.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1197,7 +1293,7 @@
         { "pattern": "<input[^>]*type=['\"]checkbox['\"][^>]*(?:consent|agree|parent)", "flags": "gi" }
       ],
       "fix_suggestion": "Upgrade consent mechanism to meet COPPA 2.0 VPC standards. For external data sharing, use credit card verification, video calls, government ID, or knowledge-based authentication. Simple checkboxes and email confirmations do not meet the VPC standard for external use of children's data.",
-      "penalty": "$51,744 per violation (FTC Final Rule effective April 22, 2026)",
+      "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": ["typescript", "javascript", "python", "go", "java", "kotlin", "swift"],
       "packs": ["coppa"],
       "fixability": "guided",
@@ -1523,6 +1619,89 @@
       "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/15-online-tools/"
     },
 
+    {
+      "id": "aadc-best-interest-016",
+      "name": "Monetization Override Without Child Safety Check",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "safety",
+      "description": "AADC Standard 1 requires the best interests of the child to be a primary consideration. In-app purchase prompts, subscription upsells, or premium feature gates in child-facing flows without age-gated suppression prioritize revenue over child wellbeing.",
+      "patterns": [
+        { "pattern": "(?:inAppPurchase|in_app_purchase|purchaseProduct|buyItem|makePurchase|requestPayment)(?![\\s\\S]{0,500}(?:isChild|isMinor|age_check|under18|parental))", "flags": "gi" },
+        { "pattern": "(?:upsell|upgrade_prompt|premium_gate|paywall).*(?:show|display|render|present)(?![\\s\\S]{0,500}(?:isChild|isMinor|age_gate|child_safe))", "flags": "gi" },
+        { "pattern": "(?:lootBox|mysteryBox|gacha|virtualCurrency|coinPurchase)(?![\\s\\S]{0,500}(?:isChild|isMinor|age|parental))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Before showing monetization prompts (in-app purchases, upsells, premium gates), check if the user is a child and suppress or gate these flows accordingly. The best interests of the child must take priority over commercial interests. See ICO AADC Standard 1.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/1-best-interests-of-the-child/"
+    },
+    {
+      "id": "aadc-dpia-017",
+      "name": "Child Data Processing Without DPIA Reference",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "compliance",
+      "description": "AADC Standard 2 requires a Data Protection Impact Assessment (DPIA) for services likely to be accessed by children. Code that processes child data (user profiles with age, student records, child accounts) should reference or link to DPIA documentation.",
+      "patterns": [
+        { "pattern": "(?:childProfile|studentRecord|minorData|childAccount|kidUser|child_data).*(?:create|save|store|process|collect)(?![\\s\\S]{0,1000}(?:dpia|impact_assessment|risk_assessment|data_protection_impact))", "flags": "gi" },
+        { "pattern": "(?:isChild|isMinor|age\\s*<\\s*18|under18|is_underage).*(?:userData|personalData|profile|account).*(?:create|save|insert)(?![\\s\\S]{0,1000}(?:dpia|impact_assessment))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Conduct a DPIA before processing children's data and reference it in your codebase. Add DPIA completion checks or documentation links where child data is processed. See ICO AADC Standard 2 and ICO DPIA guidance.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "go"],
+      "packs": ["uk-aadc"],
+      "fixability": "manual",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/"
+    },
+    {
+      "id": "aadc-transparency-018",
+      "name": "Privacy Notice Without Child-Friendly Version",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "transparency",
+      "description": "AADC Standard 4 requires privacy information to be concise, prominent, and in clear language suited to the age of the child. Services must provide 'bite-sized' explanations at the point of data use, not just adult-facing legal privacy policies.",
+      "patterns": [
+        { "pattern": "(?:privacyPolicy|privacy_policy|termsOfService|terms_of_service|cookiePolicy|cookie_policy)(?:Url|Link|Page|Modal|Component)(?![\\s\\S]{0,800}(?:childFriendly|child_friendly|kidVersion|simplified|biteSized|bite_sized|ageAppropriate|age_appropriate))", "flags": "gi" },
+        { "pattern": "(?:showPrivacy|displayTerms|openConsent|renderPolicy)(?![\\s\\S]{0,500}(?:simplified|childFriendly|child_friendly|kidMode|age_appropriate))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Provide age-appropriate, bite-sized privacy notices alongside standard privacy policies. At the point of data collection, show concise explanations a child can understand. Consider using icons, animations, or short sentences instead of legal language. See ICO AADC Standard 4.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "html"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/4-transparency/"
+    },
+    {
+      "id": "aadc-iot-019",
+      "name": "Connected Toy/Device Without Privacy Mode",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "safety",
+      "description": "AADC Standard 14 requires connected toys and devices to include effective tools to enable conformance with the Code. IoT devices that communicate with children's data must have hardware/software privacy modes, mute capabilities, and clear data collection indicators.",
+      "patterns": [
+        { "pattern": "(?:bluetooth|BLE|BluetoothLE|CoreBluetooth|CBCentralManager|BluetoothAdapter)\\s*\\.\\s*(?:connect|pair|scan|discover)(?![\\s\\S]{0,800}(?:privacyMode|privacy_mode|childSafe|child_safe|mute|dataOff))", "flags": "gi" },
+        { "pattern": "(?:MQTT|mqtt|mqttClient|IoTHub|deviceTwin|smartToy|connectedDevice).*(?:publish|send|subscribe|telemetry)(?![\\s\\S]{0,800}(?:privacyMode|privacy_mode|childSafe|child_safe|parentalControl|parental_control))", "flags": "gi" },
+        { "pattern": "(?:voiceAssistant|smartSpeaker|alexaSkill|googleAction|siriIntent).*(?:child|kid|minor|family)(?![\\s\\S]{0,500}(?:privacyMode|privacy_mode|mute|childLock|child_lock))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Connected toys and IoT devices must include privacy modes that limit data collection, hardware mute capabilities for microphones/cameras, and clear indicators when data is being collected. Ensure parental controls are built into the device software. See ICO AADC Standard 14.",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
+      "languages": ["typescript", "javascript", "python", "java", "kotlin", "swift", "go"],
+      "packs": ["uk-aadc"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/14-connected-toys-and-devices/"
+    },
+
     {
       "id": "dsa-ad-profiling-001",
       "name": "Profiling-Based Ad Targeting Without Minor Exclusion",
@@ -2364,7 +2543,9 @@
       "patterns": [
         { "pattern": "model\\.(?:fit|train|finetune)\\(", "flags": "gi" },
         { "pattern": "(?:trainModel|fitModel|trainPipeline)\\(", "flags": "gi" },
-        { "pattern": "(?:tensorflow|torch|sklearn|keras)\\.(?:fit|train)", "flags": "gi" }
+        { "pattern": "(?:tensorflow|torch|sklearn|keras)\\.(?:fit|train)", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\(", "flags": "gi" },
+        { "pattern": "model\\.transcribe\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Add fairness testing to ML pipeline: run bias audits (demographic parity, equalized odds) before deploying models that affect children.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2386,7 +2567,10 @@
         { "pattern": "(?:generateImage|aiGenerate|textToImage|imageGeneration)\\(", "flags": "gi" },
         { "pattern": "(?:syntheticContent|aiContent|generatedContent)", "flags": "gi" },
         { "pattern": "(?:dall-e|stable-diffusion|midjourney|openai\\.images)", "flags": "gi" },
-        { "pattern": "(?:textToSpeech|voiceSynthesis|tts)\\.(?:generate|create|synthesize)", "flags": "gi" }
+        { "pattern": "(?:textToSpeech|voiceSynthesis|tts)\\.(?:generate|create|synthesize)", "flags": "gi" },
+        { "pattern": "from\\s+elevenlabs\\s+import", "flags": "gi" },
+        { "pattern": "elevenlabs\\.(?:generate|clone|Voice)", "flags": "gi" },
+        { "pattern": "generate\\s*\\(\\s*text\\s*=", "flags": "gi" }
       ],
       "fix_suggestion": "Add visible AI-generated content labels: include 'AI Generated' badge/watermark on all synthetic media shown to children.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2449,7 +2633,11 @@
       "patterns": [
         { "pattern": "(?:loadModel|deployModel|serveModel)\\(", "flags": "gi" },
         { "pattern": "(?:modelEndpoint|inferenceEndpoint|predictionService)", "flags": "gi" },
-        { "pattern": "(?:huggingface|openai|anthropic|cohere)\\.(?:create|complete|generate)", "flags": "gi" }
+        { "pattern": "(?:huggingface|openai|anthropic|cohere)\\.(?:create|complete|generate)", "flags": "gi" },
+        { "pattern": "(?:ChatOpenAI|AzureChatOpenAI|ChatAnthropic|ChatCohere|ChatGoogleGenerativeAI)\\(", "flags": "gi" },
+        { "pattern": "from\\s+langchain_openai\\s+import", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\(", "flags": "gi" },
+        { "pattern": "OpenAIEmbeddings\\(", "flags": "gi" }
       ],
       "fix_suggestion": "Create a model card documenting training data sources, intended use, limitations, and bias considerations.",
       "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
@@ -2627,6 +2815,880 @@
       "transform_type": null,
       "scaffold_id": null,
       "guidance_url": null
+    },
+    {
+      "id": "CAI-DATAMIN-001",
+      "name": "Excessive Data Collection in AI Pipeline",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI systems processing children's data must implement data minimization — collecting only what is strictly necessary. Broad collection scopes, wildcard field selection, or indefinite retention violate the data minimization principle (GDPR Art. 5(1)(c), IEEE 7010-2020).",
+      "patterns": [
+        { "pattern": "(?:collectUserData|gatherData|harvestData|scrapeUser)\\((?![^)]*(?:fields|only|select))", "flags": "gi" },
+        { "pattern": "(?:fields|columns|attributes)\\s*[:=]\\s*['\"]\\*['\"]", "flags": "gi" },
+        { "pattern": "(?:retention|ttl|expiry)\\s*[:=]\\s*['\"](?:indefinite|forever|permanent|never)['\"]", "flags": "gi" },
+        { "pattern": "(?:trackAll|collectAll|logAll)(?:Events|Data|Interactions|Behaviors)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement data minimization: specify exact fields needed, set finite retention periods (e.g., 30 days), and document the purpose for each data field collected.",
+      "penalty": "Constitutional AI Principle: Data Minimization (GDPR Art. 5(1)(c), IEEE 7010-2020)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-NEURO-001",
+      "name": "AI Interface Without Neurodivergent Accommodations",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "constitutional-ai",
+      "description": "AI systems for children must accommodate neurodivergent users (ADHD, autism, dyslexia). Timed interactions, rapid UI transitions, and sensory-heavy content without alternatives violate accessibility principles (WCAG 2.2, IEEE 2089-2021 Section 7.3).",
+      "patterns": [
+        { "pattern": "(?:countdownTimer|timeLimit|timedQuiz|timedResponse|timedAssessment)\\(", "flags": "gi" },
+        { "pattern": "(?:autoAdvance|autoScroll|autoPlay|rapidFire)\\s*[:=]\\s*true", "flags": "gi" },
+        { "pattern": "(?:flashingContent|strobeEffect|blinkAnimation|rapidTransition)\\(", "flags": "gi" },
+        { "pattern": "(?:forcedPacing|fixedSpeed|noExtension)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add neurodivergent accommodations: offer extended time options, reduce-motion mode, pause/resume controls, and adjustable pacing for all timed AI interactions.",
+      "penalty": "Constitutional AI Principle: Neurodivergent Accessibility (IEEE 2089-2021 Section 7.3)",
+      "languages": ["typescript", "javascript", "python", "tsx", "jsx"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-COREG-001",
+      "name": "AI Decision Affecting Child Without Parent Involvement",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "High-impact AI decisions about children (content restrictions, learning path changes, behavioral assessments) must include a parental co-regulation mechanism — parents must be notified and given override capability (IEEE 2089-2021 Section 6.4, UN CRC Art. 5).",
+      "patterns": [
+        { "pattern": "(?:setContentRestriction|restrictAccess|blockContent|limitUsage)\\((?![^)]*parent)", "flags": "gi" },
+        { "pattern": "(?:adjustLearningPath|changeDifficulty|skipLesson|modifyCurriculum)\\((?![^)]*parent)", "flags": "gi" },
+        { "pattern": "(?:behavioralAssessment|emotionDetection|sentimentAnalysis|moodClassification)\\(.*(?:child|student|minor|kid)", "flags": "gi" },
+        { "pattern": "(?:autoRestrict|autoBlock|autoLimit)(?:Content|Access|Usage)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement parental co-regulation: notify parents of high-impact AI decisions, provide override controls, and require parent-child joint confirmation for significant changes.",
+      "penalty": "Constitutional AI Principle: Parental Co-Regulation (IEEE 2089-2021 Section 6.4)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "CAI-CRISIS-001",
+      "name": "AI Chatbot Without Crisis Escalation Protocol",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "constitutional-ai",
+      "description": "AI systems interacting with children must detect crisis signals (self-harm, suicidal ideation, abuse disclosure) and immediately escalate to human professionals. Chatbots and AI companions without crisis detection in child-facing contexts violate duty of care (IEEE 2089-2021 Section 8, Surgeon General Advisory 2023).",
+      "patterns": [
+        { "pattern": "(?:chatCompletion|generateResponse|botReply|aiResponse)\\((?![^)]*(?:crisis|safety|escalat|safeguard)).*(?:child|student|minor|kid|youth)", "flags": "gi" },
+        { "pattern": "(?:child|student|minor|kid|youth).*(?:chatCompletion|generateResponse|botReply|aiResponse)\\((?![^)]*(?:crisis|safety|escalat|safeguard))", "flags": "gi" },
+        { "pattern": "(?:aiCompanion|virtualFriend|chatBot|aiTutor)\\.(?:respond|reply|send)\\((?![^)]*(?:crisis|safety))", "flags": "gi" },
+        { "pattern": "(?:studentChat|childChat|youthChat|kidChat)\\.(?:send|post|submit)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement crisis escalation: add keyword detection for self-harm/suicide/abuse signals, immediately route to crisis hotline (988 Suicide & Crisis Lifeline), notify a designated adult, and halt AI-only interaction.",
+      "penalty": "Constitutional AI Principle: Crisis Escalation Protocol (IEEE 2089-2021 Section 8)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-001",
+      "name": "Training Data Without Quality Documentation",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(2) requires training data sets to be subject to data governance practices — including documentation of data sources, collection methodology, and quality metrics. ML pipelines without data provenance tracking violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:loadDataset|readTrainingData|importDataset|fetchTrainingSet)\\((?![^)]*(?:provenance|source|documentation|metadata))", "flags": "gi" },
+        { "pattern": "(?:trainData|trainingSet|trainingCorpus)\\s*[:=]\\s*(?:pd\\.read|csv\\.reader|json\\.load|open\\()", "flags": "gi" },
+        { "pattern": "(?:DataLoader|Dataset)\\.(?:from_|load_)(?:csv|json|parquet|tfrecord)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add data governance documentation: create a data card for each training dataset documenting source, collection method, size, demographics, known biases, and quality metrics.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-002",
+      "name": "Training Data Without Bias Testing",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(2)(f) requires examination of training data for possible biases, especially for children where demographic imbalances can cause disproportionate harm. Model training without bias audits violates this requirement.",
+      "patterns": [
+        { "pattern": "model\\.(?:fit|train|finetune)\\((?![^)]*(?:bias|fairness|audit|balanced))", "flags": "gi" },
+        { "pattern": "(?:pipeline|trainer)\\.(?:train|run|execute)\\((?![^)]*(?:bias|fairness|equit))", "flags": "gi" },
+        { "pattern": "(?:AutoML|autoTrain|autoFit)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add bias testing to the training pipeline: run demographic parity checks, compute equalized odds metrics, and document bias audit results before deployment.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-003",
+      "name": "No Data Representativeness Validation",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(3) requires training data to be representative of the deployment context. Children's AI systems must validate that training data represents age, cultural, and linguistic diversity of the target population.",
+      "patterns": [
+        { "pattern": "(?:trainModel|buildModel|createModel)\\((?![^)]*(?:representative|demograph|diversity|balanced|stratif))", "flags": "gi" },
+        { "pattern": "train_test_split\\((?![^)]*stratif)", "flags": "gi" },
+        { "pattern": "(?:DataSplit|splitData|partitionData)\\((?![^)]*(?:stratif|balanced|representative))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Validate data representativeness: use stratified sampling, verify demographic coverage across age groups, and document gaps between training data and target child population.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-GOVERNANCE-004",
+      "name": "Training Data Without Consent Verification",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "ai-governance",
+      "description": "EU AI Act Art. 10(5) combined with GDPR Art. 6/9 requires that training data collection respects data protection law. Children's data used for training without verified parental consent is a severe violation.",
+      "patterns": [
+        { "pattern": "(?:collectTrainingData|gatherTrainingSamples|buildTrainingSet)\\((?![^)]*consent)", "flags": "gi" },
+        { "pattern": "(?:userInteraction|chatLog|sessionData|behaviorLog)\\.(?:export|save|dump).*(?:train|model|dataset)", "flags": "gi" },
+        { "pattern": "(?:finetuneOn|trainOn|learnFrom)(?:User|Child|Student)(?:Data|Input|Interactions)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Verify consent before using children's data for training: implement opt-in parental consent for data use in ML training, maintain consent audit trail, and provide data deletion mechanisms.",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover (combined with GDPR)",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-001",
+      "name": "AI System Without Human-in-the-Loop Mechanism",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(1) requires high-risk AI systems to be designed for effective human oversight. AI systems making consequential decisions for children without a human review checkpoint violate this requirement.",
+      "patterns": [
+        { "pattern": "(?:autoApprove|autoAccept|autoGrade|autoAssess)\\(", "flags": "gi" },
+        { "pattern": "(?:automatedDecision|aiDecision|mlDecision)\\.(?:execute|apply|commit)\\(", "flags": "gi" },
+        { "pattern": "(?:contentFilter|safetyFilter|moderationFilter)\\.(?:autoApply|autoEnforce)\\(", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add human-in-the-loop: implement review queues for consequential AI decisions, add manual override capabilities, and require human approval for actions affecting child accounts.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-002",
+      "name": "No Emergency Stop or Override Mechanism",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4)(d) requires human overseers to be able to intervene or interrupt the AI system at any time. AI systems without kill switch, emergency stop, or override mechanism are non-compliant.",
+      "patterns": [
+        { "pattern": "(?:aiService|mlService|aiPipeline|aiWorker)\\.(?:start|run|deploy)\\((?![^)]*(?:killSwitch|emergencyStop|override|interrupt))", "flags": "gi" },
+        { "pattern": "(?:startAI|launchAI|deployAI|activateAI)\\((?![^)]*(?:stop|halt|kill|override|interrupt))", "flags": "gi" },
+        { "pattern": "(?:autonomousMode|autoMode|unsupervisedMode)\\s*[:=]\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement emergency stop: add a kill switch endpoint (/api/ai/stop), monitoring alerts for anomalous behavior, and immediate halt capability accessible to human overseers.",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-003",
+      "name": "AI Output Without Interpretability for Overseer",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4)(b) requires that human overseers can correctly interpret the AI system's output. AI predictions, classifications, or recommendations served without explanation metadata are non-compliant.",
+      "patterns": [
+        { "pattern": "model\\.predict\\((?![^)]*(?:explain|interpret|shap|lime|feature_import))", "flags": "gi" },
+        { "pattern": "(?:classifier|predictor|estimator)\\.predict(?:_proba)?\\((?![^)]*(?:explain|interpret|reason))", "flags": "gi" },
+        { "pattern": "(?:getRecommendation|getPrediction|getClassification)\\((?![^)]*(?:reason|explain|confidence))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add interpretability: attach explanation metadata (SHAP values, feature importance, confidence scores, or natural language reasoning) to every AI output served to overseers.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-OVERSIGHT-004",
+      "name": "No Oversight Audit Trail",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-oversight",
+      "description": "EU AI Act Art. 14(4) requires human oversight actions (reviews, overrides, approvals) to be logged. AI systems without audit trails for human oversight actions cannot demonstrate compliance.",
+      "patterns": [
+        { "pattern": "(?:humanReview|manualOverride|humanApproval)\\.(?:submit|process|execute)\\((?![^)]*(?:log|audit|record|track))", "flags": "gi" },
+        { "pattern": "(?:override|overrule|escalate)(?:Decision|Prediction|Classification)\\((?![^)]*(?:log|audit|record))", "flags": "gi" },
+        { "pattern": "(?:approveContent|rejectContent|flagContent)\\((?![^)]*(?:log|audit|trail|record))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add oversight audit trail: log every human review, override, and approval action with timestamp, reviewer ID, original AI output, and human decision rationale.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-001",
+      "name": "No Error Rate Monitoring",
+      "severity": "high",
+      "confidence": "low",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(1) requires high-risk AI systems to achieve appropriate levels of accuracy and declare expected error rates. AI inference endpoints without accuracy monitoring or error rate tracking are non-compliant.",
+      "patterns": [
+        { "pattern": "(?:serveModel|deployModel|modelEndpoint|inferenceAPI)\\.(?:start|deploy|listen)\\((?![^)]*(?:monitor|metric|accuracy|errorRate))", "flags": "gi" },
+        { "pattern": "(?:predictionService|mlService|aiEndpoint)\\.(?:init|start|register)\\((?![^)]*(?:monitor|metric|accuracy))", "flags": "gi" },
+        { "pattern": "app\\.(?:post|get)\\s*\\(\\s*['\"].*(?:predict|classify|recommend|infer)[^'\"]*['\"]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add accuracy monitoring: implement real-time error rate tracking, declare expected accuracy levels in model documentation, and set up alerts when accuracy degrades below thresholds.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-002",
+      "name": "No Fallback for AI Failure",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(3) requires AI systems to be resilient against errors, faults, and inconsistencies. AI calls without error handling, timeouts, or fallback mechanisms expose children to unpredictable behavior.",
+      "patterns": [
+        { "pattern": "(?:openai|anthropic|cohere|replicate)\\.\\w+(?:\\.\\w+)*\\((?![^\\n]*(?:catch|try|timeout|fallback|retry))", "flags": "gi" },
+        { "pattern": "await\\s+(?:generateText|generateResponse|aiComplete|llmCall)\\((?![^\\n]*(?:catch|try|timeout|fallback))", "flags": "gi" },
+        { "pattern": "(?:fetch|axios)\\s*\\(\\s*[^)]*(?:inference|predict|classify|openai|anthropic)(?![^\\n]*(?:catch|timeout|retry))", "flags": "gi" },
+        { "pattern": "(?:ChatOpenAI|AzureChatOpenAI|ChatAnthropic|ChatCohere)\\((?![^\\n]*(?:callbacks|on_error|fallback|retry))", "flags": "gi" },
+        { "pattern": "whisper\\.load_model\\((?![^\\n]*(?:try|catch|except|fallback))", "flags": "gi" },
+        { "pattern": "from\\s+elevenlabs\\s+import(?![^\\n]*(?:try|catch|except|fallback))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add AI failure fallback: wrap all AI calls in try/catch with timeouts, implement graceful degradation (e.g., static content when AI unavailable), and log all failures for review.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AI-ACCURACY-003",
+      "name": "No Adversarial Robustness Testing",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "ai-accuracy",
+      "description": "EU AI Act Art. 15(4) requires high-risk AI systems to be resilient against attempts by unauthorized third parties to manipulate outputs (adversarial attacks). AI systems processing children's input without input validation or adversarial testing are vulnerable to prompt injection and manipulation.",
+      "patterns": [
+        { "pattern": "(?:userInput|userMessage|userPrompt|childInput).*(?:openai|anthropic|llm|model)(?![^\\n]*(?:sanitize|validate|filter|moderate|guard))", "flags": "gi" },
+        { "pattern": "(?:openai|anthropic|llm|model)\\.(?:generate|complete|create|chat)\\(.*(?:userInput|userMessage|userPrompt|childInput)(?![^\\n]*(?:sanitize|validate|filter|moderate|guard))", "flags": "gi" },
+        { "pattern": "(?:systemPrompt|messages)\\s*[:=].*\\+\\s*(?:userInput|req\\.body|input)(?![^\\n]*(?:sanitize|validate|escape))", "flags": "gi" },
+        { "pattern": "(?:promptTemplate|buildPrompt|createPrompt)\\(.*(?:user|child|student)(?![^)]*(?:sanitize|validate|clean|escape))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Add adversarial robustness: implement input sanitization for all user-provided text before passing to AI models, add prompt injection detection, and run periodic adversarial testing.",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
+      "languages": ["typescript", "javascript", "python"],
+      "packs": ["eu-ai-act"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "gdpr-art8-age-gate-001",
+      "name": "Hardcoded Age Threshold Without EU Geo-Routing",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "age-gating",
+      "description": "GDPR Article 8 allows EU member states to set consent age between 13-16. A hardcoded age threshold (e.g., age < 13) without geo-routing fails to comply with member states that set the threshold at 14, 15, or 16. Ireland/Spain/UK = 13, France = 15, Germany/Netherlands = 16.",
+      "patterns": [
+        { "pattern": "(?:age|userAge|childAge|minimumAge)\\s*(?:<|<=|===?|==)\\s*13(?!\\d)", "flags": "gi" },
+        { "pattern": "(?:MIN_AGE|MINIMUM_AGE|AGE_LIMIT|AGE_THRESHOLD|COPPA_AGE)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" },
+        { "pattern": "isChild\\s*=.*(?:age|years?)\\s*<\\s*13(?!\\d)", "flags": "gi" },
+        { "pattern": "(?:ageLimit|age_limit|min_age|minimum_age)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement geo-aware age gating that adjusts the consent threshold based on the user's EU member state. Use IP geolocation or user-declared country to route: DE/NL=16, FR=15, IE/ES/UK/DK/SE/PL/LV=13. Consider defaulting to 16 (strictest) for unknown EU origins.",
+      "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift", "go"],
+      "packs": ["gdpr-art8"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://gdpr-info.eu/art-8-gdpr/"
+    },
+    {
+      "id": "gdpr-art8-legit-interest-002",
+      "name": "Legitimate Interest Basis for Minor's Data Processing",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "legal-basis",
+      "description": "GDPR Article 6(1)(f) legitimate interest cannot generally be used as a legal basis for processing children's data. The EDPB states that controllers should not rely on legitimate interest for children's data without a strict balancing test that heavily favors child rights.",
+      "patterns": [
+        { "pattern": "(?:legalBasis|legal_basis|lawful_basis|processing_basis)\\s*(?:=|:)\\s*['\"](?:legitimate[_\\s-]?interest|f\\)|6\\.1\\.f)['\"]", "flags": "gi" },
+        { "pattern": "(?:LEGAL_BASIS|LAWFUL_BASIS|PROCESSING_GROUND)\\s*(?:=|:)\\s*['\"](?:LEGITIMATE_INTEREST|LI)['\"]", "flags": "gi" },
+        { "pattern": "legitimateInterest\\s*:\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "For children's data, use consent (GDPR Art. 6(1)(a)) or contract performance as the legal basis. Legitimate interest is generally inappropriate for processing children's data under EDPB guidelines.",
+      "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
+      "packs": ["gdpr-art8"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://gdpr-info.eu/art-6-gdpr/"
+    },
+    {
+      "id": "gdpr-art8-child-profiling-003",
+      "name": "Automated Decision-Making or Profiling of Minors",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "profiling",
+      "description": "GDPR Article 22 restricts automated individual decision-making, including profiling, that produces legal or similarly significant effects. For children, the EDPB recommends that profiling should not be permitted except where it is in the child's interest.",
+      "patterns": [
+        { "pattern": "(?:profileChild|profile_child|childProfile|child_profile|minorProfile|minor_profile)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?:userSegment|user_segment|audienceSegment|audience_segment|cohort)\\s*(?:=|:).*(?:child|minor|kid|teen|youth|under.?1[3-8])", "flags": "gi" },
+        { "pattern": "(?:behaviorScore|behavior_score|engagementScore|engagement_score|riskScore|risk_score)\\s*(?:=|:).*(?:child|minor|student|kid)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not profile children or use their data for automated decision-making unless it is demonstrably in the child's best interest. Provide meaningful human oversight for any automated processing that affects children.",
+      "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
+      "packs": ["gdpr-art8"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://gdpr-info.eu/art-22-gdpr/"
+    },
+    {
+      "id": "gdpr-art8-data-minimization-004",
+      "name": "Excessive Data Collection from Minors",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "data-minimization",
+      "description": "GDPR Article 5(1)(c) requires data minimization — only collecting data that is adequate, relevant, and limited to what is necessary. For children's services, this standard is applied more strictly.",
+      "patterns": [
+        { "pattern": "(?:collectAll|collect_all|gatherAll|gather_all|fetchAll|fetch_all)(?:Data|Info|UserData|Profile)", "flags": "gi" },
+        { "pattern": "required\\s*:\\s*true.*(?:phone|address|school|birthday|gender|ethnicity|income|ssn|social.?security)", "flags": "gi" },
+        { "pattern": "(?:optionalFields|optional_fields)\\s*(?:=|:)\\s*\\[\\]", "flags": "gi" }
+      ],
+      "fix_suggestion": "Only collect data that is strictly necessary for the service. Make non-essential fields optional. Conduct a data minimization assessment for all fields collected from users who may be children.",
+      "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
+      "packs": ["gdpr-art8"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://gdpr-info.eu/art-5-gdpr/"
+    },
+    {
+      "id": "gdpr-art8-erasure-005",
+      "name": "Missing Right to Erasure Implementation for Children",
+      "severity": "high",
+      "confidence": "low",
+      "category": "erasure",
+      "description": "GDPR Article 17(1)(f) specifically strengthens the right to erasure when data was collected from a child. Services must provide clear mechanisms for children (or their parents) to request deletion of all personal data.",
+      "patterns": [
+        { "pattern": "(?:deleteAccount|delete_account|removeUser|remove_user|purgeUser|purge_user)\\s*(?:=|\\()", "flags": "gi" },
+        { "pattern": "(?:softDelete|soft_delete|isDeleted|is_deleted|deletedAt|deleted_at)\\s*(?:=|:)(?!.*(?:where|scope|filter|query|find|nil|null|false|!=|<>))", "flags": "gi" },
+        { "pattern": "(?:retainAfterDelete|retain_after_delete|keepAfterDeletion|archiveDeleted|archive_deleted)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a complete data erasure endpoint that deletes all personal data when requested, with special priority for data collected from children. Do not soft-delete or archive — GDPR Article 17 requires actual erasure unless a legal retention obligation applies.",
+      "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin"],
+      "packs": ["gdpr-art8"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://gdpr-info.eu/art-17-gdpr/"
+    },
+    {
+      "id": "dpdp-tracking-ban-001",
+      "name": "Tracking SDK Active for Under-18 Users",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "tracking",
+      "description": "India DPDP Act Section 9(3) imposes a BLANKET BAN on tracking, behavioral monitoring, AND targeted advertising for anyone under 18. No consent override permitted. This is the strictest framework globally.",
+      "patterns": [
+        { "pattern": "(?:import|require|from)\\s+.*(?:google-analytics|@google-analytics|react-ga|ga4|gtag|GoogleAnalytics)", "flags": "gi" },
+        { "pattern": "(?:import|require|from)\\s+.*(?:mixpanel|@mixpanel|amplitude|segment|heap|fullstory|hotjar)", "flags": "gi" },
+        { "pattern": "(?:import|require|from)\\s+.*(?:@facebook\\/pixel|fbq|facebook-pixel|fb-pixel)", "flags": "gi" },
+        { "pattern": "FirebaseAnalytics\\.(?:getInstance|logEvent|setUserId|setUserProperty)", "flags": "gi" },
+        { "pattern": "(?:gtag|ga|_gaq|dataLayer)\\.(?:push|send|event|config)\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:mixpanel|amplitude|analytics|segment)\\.(?:track|identify|init|page|screen)\\s*\\(", "flags": "gi" },
+        { "pattern": "(?:Adjust|AppsFlyer|Branch|Kochava|Singular)\\.(?:trackEvent|logEvent|init|start)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Under India's DPDP Act Section 9(3), ANY tracking or behavioral monitoring for users under 18 is prohibited regardless of consent. Implement age-gating that completely disables all analytics, tracking, and ad SDKs for users under 18 in India.",
+      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["india-dpdp"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    {
+      "id": "dpdp-parental-consent-002",
+      "name": "Data Processing Without Parental Consent for Under-18",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "consent",
+      "description": "India DPDP Act Section 9(1) requires verifiable parental consent for ALL personal data processing of anyone under 18. Unlike COPPA (under 13), this extends to teenagers.",
+      "patterns": [
+        { "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|>=|>|===?|==)\\s*1[3-7](?!\\d)", "flags": "gi" },
+        { "pattern": "(?:isMinor|is_minor|isChild|is_child|isAdult|is_adult)\\s*(?:=|:).*(?:age|years?)\\s*(?:<|>=)\\s*1[3-7](?!\\d)", "flags": "gi" },
+        { "pattern": "(?:MINOR_AGE|CHILD_AGE|CONSENT_AGE)\\s*(?:=|:)\\s*1[3-7](?!\\d)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Under India's DPDP Act, the age of majority for data processing is 18 (not 13). Implement verifiable parental consent for ALL users under 18 when processing personal data for Indian users.",
+      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["india-dpdp"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    {
+      "id": "dpdp-ad-targeting-003",
+      "name": "Targeted Advertising to Under-18 Users",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "advertising",
+      "description": "India DPDP Act Section 9(3) imposes an absolute ban on targeted advertising directed at anyone under 18. This cannot be overridden by parental consent.",
+      "patterns": [
+        { "pattern": "(?:AdMob|adMob|admob|GoogleAds|google_ads)\\.(?:loadAd|showAd|requestAd|initialize)", "flags": "gi" },
+        { "pattern": "(?:import|require|from)\\s+.*(?:react-native-admob|@react-native-google-ads|expo-ads-admob)", "flags": "gi" },
+        { "pattern": "(?:personalized|targeted|behavioral)(?:Ad|_ad|Advertisement|_advertisement)\\s*(?:=|:)\\s*true", "flags": "gi" },
+        { "pattern": "(?:targetAudience|target_audience|adTarget|ad_target)\\s*(?:=|:).*(?:child|minor|kid|teen|youth|student)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Completely disable all targeted/personalized advertising for users under 18 in India. Only contextual (non-personalized) ads are permissible.",
+      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["india-dpdp"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    {
+      "id": "dpdp-behavioral-monitoring-004",
+      "name": "Behavioral Monitoring of Under-18 Users",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "monitoring",
+      "description": "India DPDP Act Section 9(3) prohibits behavioral monitoring of children under 18. This includes session recording, heatmaps, scroll tracking, and engagement analytics.",
+      "patterns": [
+        { "pattern": "(?:import|require|from)\\s+.*(?:hotjar|fullstory|logrocket|smartlook|mouseflow|clarity)", "flags": "gi" },
+        { "pattern": "(?:sessionReplay|session_replay|sessionRecording|session_recording|recordSession|record_session)", "flags": "gi" },
+        { "pattern": "(?:heatmap|heat_map|scrollMap|scroll_map|clickMap|click_map)\\.(?:init|start|track|enable)", "flags": "gi" },
+        { "pattern": "(?:dwellTime|dwell_time|timeOnPage|time_on_page|scrollDepth|scroll_depth)\\s*(?:=|:)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Under India's DPDP Act, behavioral monitoring of anyone under 18 is prohibited. Disable session recording, heatmaps, and engagement analytics for users under 18 in India.",
+      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["india-dpdp"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    {
+      "id": "dpdp-wellbeing-detriment-005",
+      "name": "Processing Detrimental to Child's Well-Being",
+      "severity": "high",
+      "confidence": "low",
+      "category": "wellbeing",
+      "description": "India DPDP Act Section 9(2) prohibits any processing of children's data that is 'likely to cause any detrimental effect on the well-being of a child.' This broad provision covers addictive design, manipulative interfaces, and harmful content personalization.",
+      "patterns": [
+        { "pattern": "(?:addictive|gamification|engagement[_-]?loop|retention[_-]?hook)\\s*(?:=|:)\\s*true", "flags": "gi" },
+        { "pattern": "(?:compulsionLoop|compulsion_loop|habitLoop|habit_loop|rewardLoop|reward_loop)", "flags": "gi" },
+        { "pattern": "(?:notificationFrequency|notification_frequency|pushInterval|push_interval)\\s*(?:=|:)\\s*(?:[0-9]+)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Review all data processing that involves children for potential detrimental effects on well-being. This includes addictive design patterns, engagement loops, and excessive notifications.",
+      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["india-dpdp"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://dpdpa.com/dpdpa2023/chapter-2/section9.html"
+    },
+    {
+      "id": "lgpd-best-interest-001",
+      "name": "Non-Essential Data Collection from Children (Under 12)",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "data-minimization",
+      "description": "LGPD Article 14 requires processing of children's (under 12) data to be in their 'best interest.' Collecting non-essential data (location, behavioral tracking, device identifiers) even with consent violates this standard.",
+      "patterns": [
+        { "pattern": "(?:import|require|from)\\s+.*(?:@react-native-community\\/geolocation|expo-location|react-native-geolocation)", "flags": "gi" },
+        { "pattern": "navigator\\.geolocation\\.(?:getCurrentPosition|watchPosition)", "flags": "gi" },
+        { "pattern": "(?:advertisingId|advertising_id|IDFA|GAID|AAID|adId|ad_id)\\s*(?:=|:)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Under LGPD Article 14, only collect data that is strictly necessary and in the child's best interest. Location data, device identifiers, and behavioral tracking are generally not in a child's best interest unless directly required for the service.",
+      "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["brazil-lgpd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
+    },
+    {
+      "id": "lgpd-data-gated-gameplay-002",
+      "name": "Data Collection Gated Behind Gameplay",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "consent",
+      "description": "LGPD Article 14 \u00a74 prohibits conditioning game/app participation on providing excess personal data. Children must not be required to share data beyond what is necessary to participate.",
+      "patterns": [
+        { "pattern": "(?:requiredToPlay|required_to_play|mustProvide|must_provide|gateContent|gate_content).*(?:email|phone|name|address|school)", "flags": "gi" },
+        { "pattern": "(?:levelLocked|level_locked|contentLocked|content_locked|featureLocked|feature_locked).*(?:register|signup|sign_up|provide|share)", "flags": "gi" },
+        { "pattern": "(?:unlockWithData|unlock_with_data|dataWall|data_wall|registrationWall|registration_wall)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not gate game features, levels, or content behind data collection requirements. Under LGPD Article 14 \u00a74, children's participation cannot be conditioned on providing excess personal data.",
+      "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["brazil-lgpd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
+    },
+    {
+      "id": "lgpd-parental-consent-003",
+      "name": "Missing Parental Consent for Under-12 Data Processing",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "consent",
+      "description": "LGPD Article 14 \u00a71 requires at least one parent or legal guardian to provide specific and highlighted consent for processing children's (under 12) personal data.",
+      "patterns": [
+        { "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*1[2-3](?!\\d)(?!.*(?:parent|guardian|responsavel))", "flags": "gi" },
+        { "pattern": "(?:childConsent|child_consent|minorConsent|minor_consent)\\s*(?:=|:)\\s*(?:true|false)", "flags": "gi" }
+      ],
+      "fix_suggestion": "For Brazilian users under 12, implement verifiable parental or guardian consent before processing any personal data. LGPD requires this consent to be 'specific and highlighted.'",
+      "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["brazil-lgpd"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
+    },
+    {
+      "id": "lgpd-adolescent-rights-004",
+      "name": "Adolescent Data Processing Without Rights Safeguards",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "consent",
+      "description": "Brazil's LGPD and supplementary regulations distinguish between children (under 12) and adolescents (12-18). Adolescents have additional rights including being consulted about data processing and receiving age-appropriate explanations.",
+      "patterns": [
+        { "pattern": "(?:teenConsent|teen_consent|adolescentConsent|adolescent_consent)\\s*(?:=|:)\\s*(?:true|false)", "flags": "gi" },
+        { "pattern": "(?:age|userAge)\\s*>=\\s*12\\s*&&\\s*(?:age|userAge)\\s*<\\s*18", "flags": "gi" }
+      ],
+      "fix_suggestion": "For Brazilian adolescents (12-18), ensure data processing includes age-appropriate explanations and respects their right to be consulted. LGPD Article 14 \u00a76 requires notices understandable by the child themselves.",
+      "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["brazil-lgpd"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://lgpd-brazil.info/chapter_02/article_14"
+    },
+    {
+      "id": "pipeda-behavioral-ads-001",
+      "name": "Behavioral Advertising Tracker in Minor-Facing Code",
+      "severity": "high",
+      "confidence": "high",
+      "category": "advertising",
+      "description": "OPC position: behavioral advertising to children may be deemed inherently inappropriate under PIPEDA Section 5(3) 'reasonable person' test, regardless of consent obtained.",
+      "patterns": [
+        { "pattern": "(?:import|require|from)\\s+.*(?:facebook-pixel|fbq|@facebook|fb-sdk)", "flags": "gi" },
+        { "pattern": "(?:import|require|from)\\s+.*(?:google-ads|@google-ads|doubleclick|dv360)", "flags": "gi" },
+        { "pattern": "(?:import|require|from)\\s+.*(?:amplitude|mixpanel|segment\\/analytics)", "flags": "gi" },
+        { "pattern": "(?:retargeting|remarketing|lookalike|custom[_-]?audience)\\s*(?:=|:)\\s*true", "flags": "gi" }
+      ],
+      "fix_suggestion": "The OPC considers behavioral advertising to children inherently inappropriate. Remove behavioral ad trackers from code paths serving users under 13, and review for users 13-17.",
+      "penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["canada-pipeda"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
+    },
+    {
+      "id": "pipeda-meaningful-consent-002",
+      "name": "Consent Flow Without Simplified Explanation for Teens",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "consent",
+      "description": "PIPEDA meaningful consent guidelines require that teens (13-17) can understand the consequences of consent. Complex multi-step consent flows with dense legal text may fail the meaningful consent test.",
+      "patterns": [
+        { "pattern": "(?:termsOfService|terms_of_service|privacyPolicy|privacy_policy|legalDisclosure|legal_disclosure)\\.(?:length|wordCount|readingLevel)", "flags": "gi" },
+        { "pattern": "(?:consentStep|consent_step|consentFlow|consent_flow|consentWizard|consent_wizard)\\s*(?:=|:)\\s*(?:[3-9]|\\d{2,})", "flags": "gi" },
+        { "pattern": "(?:simplifiedConsent|simplified_consent|easyRead|easy_read|childFriendly|child_friendly)\\s*(?:=|:)\\s*false", "flags": "gi" }
+      ],
+      "fix_suggestion": "Ensure consent flows for teen users include simplified, age-appropriate explanations. The OPC requires that the individual can understand what they are consenting to — complex legal language fails this test for teens.",
+      "penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["canada-pipeda"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
+    },
+    {
+      "id": "pipeda-under13-consent-003",
+      "name": "Missing Parental Consent for Under-13 Data Collection",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "consent",
+      "description": "OPC position: children under 13 cannot provide meaningful consent. Parental consent is required for all personal data collection from users under 13.",
+      "patterns": [
+        { "pattern": "(?:createAccount|create_account|signUp|sign_up|registerUser|register_user|userRegistration|user_registration)\\s*\\((?!.*(?:parent|guardian|verif))", "flags": "gi" },
+        { "pattern": "(?:collectData|collect_data|saveProfile|save_profile|storeUser|store_user)\\s*\\((?!.*(?:consent|parent|guardian))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement verifiable parental consent before collecting any personal data from users under 13 in Canada.",
+      "penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["canada-pipeda"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://www.priv.gc.ca/en/privacy-topics/business-privacy/bus_kids/02_05_d_62_tips/"
+    },
+    {
+      "id": "pipeda-reasonable-purpose-004",
+      "name": "Data Collection Beyond Reasonable Purpose for Minors",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "purpose-limitation",
+      "description": "PIPEDA Section 5(3) requires that data collection serve purposes a 'reasonable person' would consider appropriate. For minors, the OPC applies a higher standard — marketing, profiling, and engagement optimization may fail this test.",
+      "patterns": [
+        { "pattern": "(?:marketingConsent|marketing_consent|promotionalEmails|promotional_emails)\\s*(?:=|:)\\s*true.*(?:child|minor|kid|teen|student|youth)", "flags": "gi" },
+        { "pattern": "(?:engagementOptimization|engagement_optimization|retentionOptimization|retention_optimization).*(?:child|minor|kid|teen|student)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Review all data collection purposes for minors against the 'reasonable person' test. Marketing, profiling, and engagement optimization for children may be deemed inappropriate under PIPEDA.",
+      "penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["canada-pipeda"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/"
+    },
+    {
+      "id": "pipa-parental-consent-001",
+      "name": "Missing Parental Consent for Under-14 Data Collection",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "consent",
+      "description": "South Korea PIPA Article 22-2 requires parental/guardian consent for processing personal data of children under 14. This extends COPPA's threshold by one year — children aged 13 need parental consent in South Korea.",
+      "patterns": [
+        { "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*13(?!\\d)(?!.*(?:parent|guardian|legal))", "flags": "gi" },
+        { "pattern": "(?:CONSENT_AGE|MINOR_AGE|CHILD_AGE)\\s*(?:=|:)\\s*13(?!\\d)", "flags": "gi" },
+        { "pattern": "(?:isMinor|is_minor|isChild|is_child)\\s*(?:=|:).*age\\s*<\\s*13(?!\\d)", "flags": "gi" }
+      ],
+      "fix_suggestion": "For South Korean users, parental consent is required for children under 14 (not under 13 as in COPPA). Update age thresholds to 14 for Korean deployments.",
+      "penalty": "Up to 3% of global revenue",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["south-korea-pipa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://iclg.com/practice-areas/data-protection-laws-and-regulations/korea"
+    },
+    {
+      "id": "pipa-child-notice-002",
+      "name": "Privacy Notice Without Child-Appropriate Language (Under 14)",
+      "severity": "high",
+      "confidence": "low",
+      "category": "transparency",
+      "description": "South Korea PIPA Article 39-3 \u00a75 requires privacy information to be presented in clear, understandable language for children under 14. Generic adult privacy policies fail this requirement.",
+      "patterns": [
+        { "pattern": "(?:privacyPolicy|privacy_policy|termsUrl|terms_url|privacyUrl|privacy_url)\\s*(?:=|:)\\s*['\"](?:https?:\\/\\/|\\/)(?!.*(?:child|kid|minor|simple|easy))", "flags": "gi" },
+        { "pattern": "(?:showPrivacyPolicy|show_privacy_policy|displayTerms|display_terms)\\s*\\((?!.*(?:simplified|childFriendly|child_friendly|easyRead))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Provide a separate, simplified privacy notice written in clear language understandable by children under 14. Do not present adult legal text as the sole privacy information.",
+      "penalty": "Up to 3% of global revenue",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["south-korea-pipa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://www.kimchang.com/en/insights/detail.kc?sch_section=4&idx=25476"
+    },
+    {
+      "id": "pipa-data-retention-003",
+      "name": "Data Retained Beyond Service Period for Minors",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "retention",
+      "description": "South Korea PIPA requires that personal information of children be deleted without delay when the purpose of collection has been achieved. Extended retention of children's data requires justification.",
+      "patterns": [
+        { "pattern": "(?:retentionPeriod|retention_period|dataRetention|data_retention|keepFor|keep_for)\\s*(?:=|:)\\s*(?:['\"](?:forever|indefinite|unlimited)['\"]|(?:365|730|1095|\\d{4,}))", "flags": "gi" },
+        { "pattern": "(?:neverDelete|never_delete|permanentStore|permanent_store|archiveForever|archive_forever)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Delete children's personal data promptly when the purpose of collection is achieved. Do not retain children's data indefinitely. Implement automatic retention limits.",
+      "penalty": "Up to 3% of global revenue",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["south-korea-pipa"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": "https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2026/south-korea/trends-and-developments"
+    },
+    {
+      "id": "behavioral-social-metrics-001",
+      "name": "Social Comparison Metrics Visible to Minors",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "social-comparison",
+      "description": "Displaying like counts, follower counts, or leaderboard rankings to children enables social comparison, which the AAP and WHO link to anxiety, depression, and self-esteem issues in minors.",
+      "patterns": [
+        { "pattern": "(?<![a-zA-Z_])(?:likeCount|like_count|likesCount|likes_count|numLikes|num_likes|totalLikes|total_likes)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?<![a-zA-Z_])(?:followerCount|follower_count|followersCount|followers_count|numFollowers|num_followers)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?<![a-zA-Z_])(?:leaderboard|leader_board|leaderboardRank|leaderboard_rank|globalRank|global_rank)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?<![a-zA-Z_])(?:viewCount|view_count|viewsCount|views_count|numViews|num_views|totalViews|total_views)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?<![a-zA-Z_])(?:shareCount|share_count|repostCount|repost_count|retweetCount|retweet_count)\\s*(?:=|:)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Hide or disable social comparison metrics (likes, followers, view counts, leaderboards) for users under 18. Consider removing public metrics entirely or showing them only to the content creator.",
+      "penalty": "Ethical design advisory \u2014 correlates with AADC Standard 5 (detrimental use), DSA Article 28, CAADCA dark pattern provisions",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["behavioral-design"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "behavioral-stopping-cues-002",
+      "name": "Missing Natural Stopping Cues in Content Feed",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "stopping-cues",
+      "description": "Content feeds, playlists, or game sessions without natural stopping points (end screens, session limits, break prompts) encourage compulsive use. AAP guidelines recommend built-in stopping cues for children's products.",
+      "patterns": [
+        { "pattern": "(?:fetchNextPage|fetch_next_page|loadNextPage|load_next_page|getNextBatch|get_next_batch)\\s*\\((?!.*(?:limit|max|stop|break|pause|endOf|pagination|paginated|pageSize|page_size|LoadMore|loadMore|onClick|button))", "flags": "gi" },
+        { "pattern": "(?:hasNextPage|has_next_page|hasMore|has_more|canLoadMore|can_load_more)\\s*(?:&&|\\|\\||\\?)(?!.*(?:sessionLimit|session_limit|maxPages|max_pages|breakTime|break_time|pagination|paginated|pageSize|page_size|LoadMore|loadMore|button))", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement natural stopping cues: end-of-content screens, session time limits, break prompts ('You've been watching for 30 minutes'), or 'Good Night' modes. Do not allow infinite content consumption without intervention.",
+      "penalty": "Ethical design advisory \u2014 correlates with DSA Article 28 (addictive design), AADC Standard 5",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["behavioral-design"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "behavioral-parent-dashboard-003",
+      "name": "Missing Parent Usage Dashboard",
+      "severity": "low",
+      "confidence": "low",
+      "category": "parental-oversight",
+      "description": "Children's products should include a parent-facing dashboard showing usage statistics, time spent, and content accessed. This dashboard should be PIN-protected and not invasively profile the child.",
+      "patterns": [
+        { "pattern": "(?:parentDashboard|parent_dashboard|parentalDashboard|parental_dashboard|parentPortal|parent_portal|familyDashboard|family_dashboard)", "flags": "gi" },
+        { "pattern": "(?:parentalControls|parental_controls|parentalSettings|parental_settings|familySettings|family_settings)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?:usageReport|usage_report|screenTime|screen_time|activityLog|activity_log)\\s*(?:=|:).*(?:parent|guardian|family)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Implement a PIN-protected parent dashboard showing usage time, content accessed, and activity summaries. Ensure the dashboard provides oversight without invasive psychometric profiling of the child.",
+      "penalty": "Positive design advisory \u2014 correlates with AADC Standard 11 (parental controls), AADCA parental tools requirement",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["behavioral-design"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "behavioral-loot-boxes-004",
+      "name": "Randomized Reward with Real-Money Purchase",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "gambling-mechanics",
+      "description": "Loot boxes and gacha mechanics that combine randomized rewards with real-money purchases exploit variable-ratio reinforcement schedules. Multiple jurisdictions (Belgium, Netherlands, Australia) have classified these as gambling when targeting children.",
+      "patterns": [
+        { "pattern": "(?:lootBox|loot_box|lootCrate|loot_crate|mysteryBox|mystery_box|gachapon|gacha)", "flags": "gi" },
+        { "pattern": "Math\\.random\\s*\\(\\s*\\).*(?:reward|prize|loot|gem|coin|crystal|diamond)(?!.*(?:backdrop|background|color|theme|sample|shuffle|select|choose))", "flags": "gi" },
+        { "pattern": "(?:rarityTable|rarity_table|dropRate|drop_rate|lootTable|loot_table)\\s*(?:=|:)", "flags": "gi" },
+        { "pattern": "(?:spinWheel|spin_wheel|wheelOfFortune|wheel_of_fortune|slotMachine|slot_machine|luckyDraw|lucky_draw)", "flags": "gi" },
+        { "pattern": "(?:purchase|buy|spend|deduct).*(?:\\$|price|cost|gem|coin|crystal|diamond|currency).*(?:random|chance|luck|rare|legendary|epic)", "flags": "gi" }
+      ],
+      "fix_suggestion": "Do not combine randomized rewards with real-money purchases in children's products. Show exact contents before purchase, or use fixed reward systems. Multiple jurisdictions classify loot boxes as gambling when targeting children.",
+      "penalty": "Varies by jurisdiction \u2014 Belgium banned (criminal sanctions), Netherlands fined (up to \u20ac10M), Australia under review",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["behavioral-design"],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "AU-OSA-013",
+      "name": "Social Media Account Allowing Under-16 Registration (Australia)",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "age-gating",
+      "description": "Australia's Social Media Minimum Age Act 2024 prohibits users under 16 from holding social media accounts, effective December 10, 2025. Parental consent CANNOT override this ban. Platforms must take 'reasonable steps' to prevent under-16 registration.",
+      "patterns": [
+        { "pattern": "(?:minimumAge|minimum_age|minAge|min_age|ageLimit|age_limit)\\s*(?:=|:)\\s*(?:13|14|15)(?!\\d)", "flags": "gi" },
+        { "pattern": "(?:age|userAge)\\s*(?:>=|>)\\s*(?:13|14|15)(?!\\d).*(?:allow|register|create|signup|sign_up)", "flags": "gi" },
+        { "pattern": "(?:ageCheck|age_check|verifyAge|verify_age|ageGate|age_gate).*(?:13|14|15)(?!\\d)", "flags": "gi" }
+      ],
+      "fix_suggestion": "For Australian deployments, set minimum registration age to 16. Parental consent cannot override this requirement. Implement robust age verification \u2014 simple self-declaration is insufficient under the Act.",
+      "penalty": "Up to A$49.5 million (150,000 penalty units)",
+      "languages": ["typescript", "javascript", "python", "php", "ruby", "java", "kotlin", "swift"],
+      "packs": ["au-osa"],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": "age-gate-auth",
+      "guidance_url": "https://www.esafety.gov.au/about-us/industry-regulation/social-media-age-restrictions"
     }
   ]
 }