@runhalo/engine 1.0.2 → 1.1.0

package/rules/rules.json

@@ -45,7 +45,7 @@
     "ut-sb142": {
       "id": "ut-sb142",
       "name": "Utah SB 142 (App Store Accountability)",
-      "description": "5 rules for Utah SB 142 compliance \u2014 age assurance, parental consent, minor account defaults, DM restrictions, and supervisory tools.",
+      "description": "5 rules for Utah SB 142 compliance — age assurance, parental consent, minor account defaults, DM restrictions, and supervisory tools.",
       "jurisdiction": "US-UT",
       "jurisdiction_level": "state",
       "is_free": true,
@@ -55,7 +55,7 @@
     "uk-aadc": {
       "id": "uk-aadc",
       "name": "UK Age Appropriate Design Code",
-      "description": "15 rules for the UK ICO Children's Code (AADC) \u2014 the 15 standards for age-appropriate online services.",
+      "description": "15 rules for the UK ICO Children's Code (AADC) — the 15 standards for age-appropriate online services.",
       "jurisdiction": "UK",
       "jurisdiction_level": "national",
       "is_free": false,
@@ -65,7 +65,7 @@
     "eu-dsa": {
       "id": "eu-dsa",
       "name": "EU DSA Article 28 (Minor Protection)",
-      "description": "10 rules for EU Digital Services Act Article 28 \u2014 online protection of minors on platforms.",
+      "description": "10 rules for EU Digital Services Act Article 28 — online protection of minors on platforms.",
       "jurisdiction": "EU",
       "jurisdiction_level": "supranational",
       "is_free": false,
@@ -75,7 +75,7 @@
     "au-osa": {
       "id": "au-osa",
       "name": "AU Online Safety Act",
-      "description": "12 rules for Australia's Online Safety Act 2021 (as amended 2024) \u2014 age verification, content moderation, under-16 social media ban, and eSafety Commissioner compliance.",
+      "description": "12 rules for Australia's Online Safety Act 2021 (as amended 2024) — age verification, content moderation, under-16 social media ban, and eSafety Commissioner compliance.",
       "jurisdiction": "AU-Federal",
       "jurisdiction_level": "federal",
       "is_free": false,
@@ -85,7 +85,7 @@
     "caadca": {
       "id": "caadca",
       "name": "California AADCA",
-      "description": "15 rules for the California Age-Appropriate Design Code Act (AB 2273) \u2014 default privacy, age estimation, profiling restrictions, dark pattern prohibitions, and data minimization for child users.",
+      "description": "15 rules for the California Age-Appropriate Design Code Act (AB 2273) — default privacy, age estimation, profiling restrictions, dark pattern prohibitions, and data minimization for child users.",
       "jurisdiction": "US-CA",
       "jurisdiction_level": "state",
       "is_free": false,
@@ -95,7 +95,7 @@
     "eu-ai-act": {
       "id": "eu-ai-act",
       "name": "EU AI Act (Children)",
-      "description": "30 rules for EU AI Act compliance in children's AI systems \u2014 risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy & robustness (Art. 15), and constitutional AI principles.",
+      "description": "30 rules for EU AI Act compliance in children's AI systems — risk management (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy & robustness (Art. 15), and constitutional AI principles.",
       "jurisdiction": "EU",
       "jurisdiction_level": "supranational",
       "is_free": false,
@@ -105,7 +105,7 @@
     "gdpr-art8": {
       "id": "gdpr-art8",
       "name": "EU GDPR Article 8 (Child Consent)",
-      "description": "5 rules for GDPR Article 8 compliance \u2014 child consent age fragmentation across EU member states, legitimate interest restrictions, and data minimization for minors.",
+      "description": "5 rules for GDPR Article 8 compliance — child consent age fragmentation across EU member states, legitimate interest restrictions, and data minimization for minors.",
       "jurisdiction": "EU",
       "jurisdiction_level": "supranational",
       "is_free": false,
@@ -115,7 +115,7 @@
     "india-dpdp": {
       "id": "india-dpdp",
       "name": "India DPDP Act 2023 (Section 9)",
-      "description": "5 rules for India's Digital Personal Data Protection Act \u2014 strictest global framework. Under-18 tracking ban, parental consent for all processing, blanket prohibition on behavioral monitoring.",
+      "description": "5 rules for India's Digital Personal Data Protection Act — strictest global framework. Under-18 tracking ban, parental consent for all processing, blanket prohibition on behavioral monitoring.",
       "jurisdiction": "IN",
       "jurisdiction_level": "national",
       "is_free": false,
@@ -125,7 +125,7 @@
     "brazil-lgpd": {
       "id": "brazil-lgpd",
       "name": "Brazil LGPD Article 14 (Children's Data)",
-      "description": "4 rules for Brazil's LGPD Article 14 \u2014 best interest standard for children under 12, data minimization, and age-appropriate notices.",
+      "description": "4 rules for Brazil's LGPD Article 14 — best interest standard for children under 12, data minimization, and age-appropriate notices.",
       "jurisdiction": "BR",
       "jurisdiction_level": "national",
       "is_free": false,
@@ -135,7 +135,7 @@
     "canada-pipeda": {
       "id": "canada-pipeda",
       "name": "Canada PIPEDA (Children's Consent)",
-      "description": "4 rules for Canada's PIPEDA \u2014 meaningful consent for minors, OPC reasonable purpose test, behavioral advertising restrictions for children.",
+      "description": "4 rules for Canada's PIPEDA — meaningful consent for minors, OPC reasonable purpose test, behavioral advertising restrictions for children.",
       "jurisdiction": "CA",
       "jurisdiction_level": "national",
       "is_free": false,
@@ -145,7 +145,7 @@
     "south-korea-pipa": {
       "id": "south-korea-pipa",
       "name": "South Korea PIPA (Under-14 Protection)",
-      "description": "3 rules for South Korea's Personal Information Protection Act \u2014 parental consent for under-14, clear child-appropriate language, and fines up to 3% global revenue.",
+      "description": "3 rules for South Korea's Personal Information Protection Act — parental consent for under-14, clear child-appropriate language, and fines up to 3% global revenue.",
       "jurisdiction": "KR",
       "jurisdiction_level": "national",
       "is_free": false,
@@ -161,6 +161,16 @@
       "is_free": false,
       "effective_date": null,
       "source_url": "https://runhalo.dev/behavioral-design"
+    },
+    "asaa": {
+      "id": "asaa",
+      "name": "App Store Accountability Act (Multi-State)",
+      "description": "20 rules for ASAA compliance across TX, AL, LA, UT. Age verification for teens (13-17), parental consent for free app downloads, device-to-parent linking, retroactive verification, and audit trail requirements.",
+      "jurisdiction": "US-Multi-State",
+      "jurisdiction_level": "state",
+      "is_free": false,
+      "effective_date": "2026-05-06",
+      "source_url": "https://runhalo.dev/asaa-compliance"
     }
   },
   "rules": [
@@ -443,7 +453,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Add explicit retention period (retentionDays, expiresAt, or TTL index), deleted_at column, and document the purpose limitation for data collection per COPPA 2025 \u00a7 312.10",
+      "fix_suggestion": "Add explicit retention period (retentionDays, expiresAt, or TTL index), deleted_at column, and document the purpose limitation for data collection per COPPA 2025 § 312.10",
       "penalty": "$53,088 per violation (COPPA 2025 indefinite retention prohibition)",
       "languages": [
         "typescript",
@@ -927,7 +937,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Use standard JSX rendering or DOMPurify before setting HTML content. Note: vendor/bundled libraries may trigger this rule \u2014 use .haloignore to suppress.",
+      "fix_suggestion": "Use standard JSX rendering or DOMPurify before setting HTML content. Note: vendor/bundled libraries may trigger this rule — use .haloignore to suppress.",
       "penalty": "Security failure",
       "languages": [
         "typescript",
@@ -1589,7 +1599,7 @@
         }
       ],
       "fix_suggestion": "Move all secrets to environment variables. Use process.env.API_KEY or a secrets manager. Never hardcode credentials.",
-      "penalty": "Security exposure \u2014 credentials in source code",
+      "penalty": "Security exposure — credentials in source code",
       "languages": [
         "typescript",
         "javascript",
@@ -1685,7 +1695,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Remove session recording and analytics initialization unless COPPA consent is obtained. These tools capture keystrokes, mouse movements, and user behavior \u2014 all PII for children.",
+      "fix_suggestion": "Remove session recording and analytics initialization unless COPPA consent is obtained. These tools capture keystrokes, mouse movements, and user behavior — all PII for children.",
       "penalty": "Third-party data collection without consent",
       "languages": [
         "typescript",
@@ -1793,7 +1803,7 @@
       "severity": "high",
       "confidence": "low",
       "category": "safety-by-design",
-      "description": "User profiles default to public or visible. AU Safety by Design requires privacy-by-default for minors \u2014 profiles should be private until explicitly changed by the user or a verified parent.",
+      "description": "User profiles default to public or visible. AU Safety by Design requires privacy-by-default for minors — profiles should be private until explicitly changed by the user or a verified parent.",
       "patterns": [
         {
           "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|seed|example|test|Test|expect|assert|//|\\*)\\s{0,20})(?:visibility|profile_?visibility|is_?public|isPublic)\\s*[:=]\\s*(?:['\"]public['\"]|true)",
@@ -2027,7 +2037,7 @@
       "severity": "critical",
       "confidence": "low",
       "category": "safety-by-design",
-      "description": "Location data collection or sharing enabled without explicit, informed opt-in. AU SbD and the Privacy Act 1988 require data minimization, especially for children's geolocation data \u2014 location should never be collected by default.",
+      "description": "Location data collection or sharing enabled without explicit, informed opt-in. AU SbD and the Privacy Act 1988 require data minimization, especially for children's geolocation data — location should never be collected by default.",
       "patterns": [
         {
           "pattern": "(?:shareLocation|share_?location|locationSharing|broadcastLocation)\\s*[:=]\\s*true",
@@ -2097,7 +2107,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 \u00a713-72-201.",
+      "fix_suggestion": "Add an age assurance step (date-of-birth collection, age estimation, or ID verification) before account creation. If the user is under 18, flag the account as a minor account and require parental consent before activation. See Utah SB 142 §13-72-201.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
       "languages": [
         "typescript",
@@ -2141,7 +2151,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Before activating any minor account, implement a verifiable parental consent flow: send a verification email/SMS to a parent-linked account, require parental ID verification, or integrate with a COPPA-safe consent provider. See Utah SB 142 \u00a713-72-202.",
+      "fix_suggestion": "Before activating any minor account, implement a verifiable parental consent flow: send a verification email/SMS to a parent-linked account, require parental ID verification, or integrate with a COPPA-safe consent provider. See Utah SB 142 §13-72-202.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
       "languages": [
         "typescript",
@@ -2185,7 +2195,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Set default DM permissions for minor accounts to 'connected-only' or 'friends-only'. Only allow messaging between mutually connected accounts. Provide parental controls to further restrict messaging. See Utah SB 142 \u00a713-72-301.",
+      "fix_suggestion": "Set default DM permissions for minor accounts to 'connected-only' or 'friends-only'. Only allow messaging between mutually connected accounts. Provide parental controls to further restrict messaging. See Utah SB 142 §13-72-301.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
       "languages": [
         "typescript",
@@ -2221,7 +2231,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Implement a parental supervisory dashboard that allows parents to: set daily time limits, schedule mandatory breaks, view usage data and connected account lists, and receive notifications when account settings change. See Utah SB 142 \u00a713-72-302.",
+      "fix_suggestion": "Implement a parental supervisory dashboard that allows parents to: set daily time limits, schedule mandatory breaks, view usage data and connected account lists, and receive notifications when account settings change. See Utah SB 142 §13-72-302.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
       "languages": [
         "typescript",
@@ -2269,7 +2279,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Default minor accounts to non-indexable (noindex, nofollow) and restrict profile visibility to connected/approved users only. Add a robots meta tag or X-Robots-Tag header that blocks search engine crawling for minor profiles. See Utah SB 142 \u00a713-72-301.",
+      "fix_suggestion": "Default minor accounts to non-indexable (noindex, nofollow) and restrict profile visibility to connected/approved users only. Add a robots meta tag or X-Robots-Tag header that blocks search engine crawling for minor profiles. See Utah SB 142 §13-72-301.",
       "penalty": "Up to $2,500 per violation; private right of action for parents",
       "languages": [
         "typescript",
@@ -2369,7 +2379,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Gate push notification token registration behind a parental consent check. Under COPPA 2.0, push tokens are 'online contact information' \u2014 parents must explicitly opt in, and you must provide an opt-out mechanism accessible from a parental dashboard.",
+      "fix_suggestion": "Gate push notification token registration behind a parental consent check. Under COPPA 2.0, push tokens are 'online contact information' — parents must explicitly opt in, and you must provide an opt-out mechanism accessible from a parental dashboard.",
       "penalty": "$53,088 per violation (FTC Final Rule effective April 22, 2026)",
       "languages": [
         "typescript",
@@ -2542,7 +2552,7 @@
         }
       ],
       "fix_suggestion": "Set all privacy defaults to the most restrictive option. Profiles, activity, and content should be private by default. Users (especially children) should actively opt in to share data with others. See ICO AADC Standard 7.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2582,7 +2592,7 @@
         }
       ],
       "fix_suggestion": "Switch from opt-out to opt-in for all tracking, analytics, and personalization. These features must be off by default and require active user consent before activation. See ICO AADC Standard 7.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2623,7 +2633,7 @@
         }
       ],
       "fix_suggestion": "Review which personal data fields are truly required for your service. Make non-essential fields optional. Give children choices over which elements of data they wish to provide. See ICO AADC Standard 8.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2665,7 +2675,7 @@
         }
       ],
       "fix_suggestion": "Before initializing third-party SDKs, check user age and disable data sharing for children. Use child-directed SDK configurations (e.g., tag_for_child_directed_treatment). Do not share children's data with data brokers or ad networks. See ICO AADC Standard 9.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2704,7 +2714,7 @@
         }
       ],
       "fix_suggestion": "Set geolocation to off by default. Require explicit user action to enable location services. When location is active, provide a prominent visible indicator. Location sharing with others should reset to off at end of session. See ICO AADC Standard 10.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2743,7 +2753,7 @@
         }
       ],
       "fix_suggestion": "Use single-point location requests instead of continuous monitoring. Avoid background location tracking. Use the minimum granularity needed (e.g., city-level rather than precise coordinates). See ICO AADC Standard 10.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2785,7 +2795,7 @@
         }
       ],
       "fix_suggestion": "Switch profiling off by default. Provide a chronological or non-personalized feed as the default experience. Only enable algorithmic personalization if the child actively opts in. See ICO AADC Standard 12.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2824,7 +2834,7 @@
         }
       ],
       "fix_suggestion": "If using recommendation algorithms, implement age-appropriate content filtering. Do not amplify harmful, addictive, or age-inappropriate content to children. Provide transparency about why content is recommended. See ICO AADC Standard 12.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2863,7 +2873,7 @@
         }
       ],
       "fix_suggestion": "Remove all pre-checked consent and data-sharing boxes. Consent inputs should start unchecked, requiring active selection by the user. This applies to marketing consent, newsletter signups, data sharing agreements, and privacy preferences. See ICO AADC Standard 13.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2901,7 +2911,7 @@
         }
       ],
       "fix_suggestion": "Present privacy choices neutrally without emotional manipulation. Avoid language that makes children feel bad for choosing privacy. Do not imply social exclusion or loss for choosing restrictive settings. See ICO AADC Standard 13.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2934,7 +2944,7 @@
         }
       ],
       "fix_suggestion": "Do not gate features or rewards behind data sharing or public profile requirements. Core service features should be available regardless of privacy settings. See ICO AADC Standard 13.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -2973,7 +2983,7 @@
         }
       ],
       "fix_suggestion": "Implement a risk-based age assurance approach. For high-risk services, use age estimation technology, identity verification, or neutral age estimation rather than simple self-declaration. If unable to verify age, apply the code's standards to all users. See ICO AADC Standard 3.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3013,7 +3023,7 @@
         }
       ],
       "fix_suggestion": "Do not serve targeted or personalized advertising to children. Use only contextual advertising (based on page content, not user data) if advertising is necessary. See ICO AADC Standard 5.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3052,7 +3062,7 @@
         }
       ],
       "fix_suggestion": "When parental monitoring or tracking is active, display a clear, prominent indicator visible to the child. Provide age-appropriate explanations of what monitoring is active. Respect the child's growing autonomy. See ICO AADC Standard 11.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3091,7 +3101,7 @@
         }
       ],
       "fix_suggestion": "Add prominent report, flag, and block mechanisms alongside all user-generated content features. Implement content moderation for user communications. Provide children with easy ways to report harmful content. See ICO AADC Standards 6 and 15.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3130,7 +3140,7 @@
         }
       ],
       "fix_suggestion": "Before showing monetization prompts (in-app purchases, upsells, premium gates), check if the user is a child and suppress or gate these flows accordingly. The best interests of the child must take priority over commercial interests. See ICO AADC Standard 1.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3165,7 +3175,7 @@
         }
       ],
       "fix_suggestion": "Conduct a DPIA before processing children's data and reference it in your codebase. Add DPIA completion checks or documentation links where child data is processed. See ICO AADC Standard 2 and ICO DPIA guidance.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3201,7 +3211,7 @@
         }
       ],
       "fix_suggestion": "Provide age-appropriate, bite-sized privacy notices alongside standard privacy policies. At the point of data collection, show concise explanations a child can understand. Consider using icons, animations, or short sentences instead of legal language. See ICO AADC Standard 4.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -3238,7 +3248,7 @@
         }
       ],
       "fix_suggestion": "Connected toys and IoT devices must include privacy modes that limit data collection, hardware mute capabilities for microphones/cameras, and clear indicators when data is being collected. Ensure parental controls are built into the device software. See ICO AADC Standard 14.",
-      "penalty": "Up to \u00a317.5 million or 4% of annual global turnover (UK GDPR)",
+      "penalty": "Up to £17.5 million or 4% of annual global turnover (UK GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -4009,7 +4019,7 @@
       "severity": "high",
       "confidence": "low",
       "category": "data-minimization",
-      "description": "CAADCA Section 31(b)(3) requires data minimization \u2014 only collect personal information that is reasonably necessary. Code that collects extensive personal data fields beyond what the service needs may violate this requirement.",
+      "description": "CAADCA Section 31(b)(3) requires data minimization — only collect personal information that is reasonably necessary. Code that collects extensive personal data fields beyond what the service needs may violate this requirement.",
       "patterns": [
         {
           "pattern": "(?:collectData|collect_data|gatherInfo|gather_info|harvestData|harvest_data)\\s*\\(",
@@ -4236,7 +4246,7 @@
       "severity": "critical",
       "confidence": "medium",
       "category": "online-safety",
-      "description": "Account creation or signup flow detected without age verification. The AU Online Safety Act 2021 (as amended 2024) s.63B requires social media platforms to take reasonable steps to verify that users are aged 16 or over before allowing account creation. Registration flows must include age assurance mechanisms \u2014 not just self-declaration.",
+      "description": "Account creation or signup flow detected without age verification. The AU Online Safety Act 2021 (as amended 2024) s.63B requires social media platforms to take reasonable steps to verify that users are aged 16 or over before allowing account creation. Registration flows must include age assurance mechanisms — not just self-declaration.",
       "patterns": [
         {
           "pattern": "(?:createAccount|create_account|registerUser|register_user)\\s*\\((?![^)]*(?:age|dob|dateOfBirth|date_of_birth|birthDate|birth_date|ageVerif|ageCheck|age_check|verifyAge|verify_age))[^)]*\\)",
@@ -4259,7 +4269,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Add an age verification step before account creation. Under AU OSA s.63B, social media services must use reasonably effective age assurance to prevent under-16s from creating accounts. Implement identity-based verification (document check, biometric estimation, or digital ID) \u2014 not just self-declaration.",
+      "fix_suggestion": "Add an age verification step before account creation. Under AU OSA s.63B, social media services must use reasonably effective age assurance to prevent under-16s from creating accounts. Implement identity-based verification (document check, biometric estimation, or digital ID) — not just self-declaration.",
       "penalty": "Up to AUD $49.5M (body corporate) or AUD $2.475M (individual)",
       "languages": [
         "typescript",
@@ -4283,7 +4293,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "online-safety",
-      "description": "Reliance on self-declared age (checkbox, simple DOB field without verification) detected. The AU Online Safety Act 2021 (as amended 2024) s.63C requires 'reasonably effective' age assurance \u2014 simple self-declaration (e.g., 'I am over 16' checkbox or unverified date-of-birth entry) does not meet this threshold. Platforms must use technology-based age assurance methods.",
+      "description": "Reliance on self-declared age (checkbox, simple DOB field without verification) detected. The AU Online Safety Act 2021 (as amended 2024) s.63C requires 'reasonably effective' age assurance — simple self-declaration (e.g., 'I am over 16' checkbox or unverified date-of-birth entry) does not meet this threshold. Platforms must use technology-based age assurance methods.",
       "patterns": [
         {
           "pattern": "(?:isOver16|is_over_16|isOver18|is_over_18|isAdult|is_adult|ageConfirmed|age_confirmed)\\s*[:=]\\s*(?:true|false|checkbox|input)",
@@ -4717,7 +4727,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "online-safety",
-      "description": "Access to age-restricted, mature, or harmful content categories detected without re-authentication or age re-verification. The AU Online Safety Act 2021 s.109 BOSE expectations and the Restricted Access System Declaration require platforms to implement stepped access controls \u2014 users must re-verify their age or identity before viewing restricted content, even if previously authenticated.",
+      "description": "Access to age-restricted, mature, or harmful content categories detected without re-authentication or age re-verification. The AU Online Safety Act 2021 s.109 BOSE expectations and the Restricted Access System Declaration require platforms to implement stepped access controls — users must re-verify their age or identity before viewing restricted content, even if previously authenticated.",
       "patterns": [
         {
           "pattern": "(?:restrictedContent|restricted_content|matureContent|mature_content|adultContent|adult_content|ageGatedContent|age_gated_content|nsfw)\\s*(?:=|:|\\()(?![^\\n]*(?:reAuth|re_auth|reVerify|re_verify|confirmAge|confirm_age|ageCheck|age_check|verifyAge|verify_age|stepUp|step_up))",
@@ -4776,7 +4786,7 @@
         }
       ],
       "fix_suggestion": "Gate user identification behind explicit consent: if (hasParentalConsent) { analytics.identify(...) }",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -4812,7 +4822,7 @@
         }
       ],
       "fix_suggestion": "Add audit logging to recommendation functions: log input features, output ranking, and model version for each recommendation served.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -4856,7 +4866,7 @@
         }
       ],
       "fix_suggestion": "Add fairness testing to ML pipeline: run bias audits (demographic parity, equalized odds) before deploying models that affect children.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -4908,7 +4918,7 @@
         }
       ],
       "fix_suggestion": "Add visible AI-generated content labels: include 'AI Generated' badge/watermark on all synthetic media shown to children.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -4944,7 +4954,7 @@
         }
       ],
       "fix_suggestion": "Add human appeal mechanism: implement an appeal/review endpoint and surface it in the moderation notification to the user.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -4980,7 +4990,7 @@
         }
       ],
       "fix_suggestion": "Add AI disclosure: show 'You are chatting with an AI' before first interaction and in the UI header.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5034,7 +5044,7 @@
         }
       ],
       "fix_suggestion": "Create a model card documenting training data sources, intended use, limitations, and bias considerations.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5070,7 +5080,7 @@
         }
       ],
       "fix_suggestion": "Add explainability: include a 'reason' parameter in automated decisions and surface it to affected users.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5106,7 +5116,7 @@
         }
       ],
       "fix_suggestion": "Disclose age-based personalization: add a visible notice that 'Content is adapted for your age group' when age-specific filtering is active.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5144,7 +5154,7 @@
         }
       ],
       "fix_suggestion": "Add dedicated AI terms of service: create an /ai-terms page explaining how AI features work, their limitations, and child-specific protections.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5236,7 +5246,7 @@
       "severity": "medium",
       "confidence": "medium",
       "category": "constitutional-ai",
-      "description": "AI-generated content shown to children must have labels comprehensible to the child's age group. Abstract disclaimers are insufficient \u2014 use visual indicators.",
+      "description": "AI-generated content shown to children must have labels comprehensible to the child's age group. Abstract disclaimers are insufficient — use visual indicators.",
       "patterns": [
         {
           "pattern": "(?:generateForChild|childContent|kidsGenerate)\\(",
@@ -5310,7 +5320,7 @@
       "severity": "medium",
       "confidence": "low",
       "category": "constitutional-ai",
-      "description": "AI systems learning child preferences must offer periodic identity/preference reset capability. Children's interests change rapidly \u2014 stale profiles can create filter bubbles.",
+      "description": "AI systems learning child preferences must offer periodic identity/preference reset capability. Children's interests change rapidly — stale profiles can create filter bubbles.",
       "patterns": [
         {
           "pattern": "(?:userPreferences|learningProfile|interestProfile|userModel)\\.(?:save|persist|update)",
@@ -5346,7 +5356,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "constitutional-ai",
-      "description": "AI systems processing children's data must implement data minimization \u2014 collecting only what is strictly necessary. Broad collection scopes, wildcard field selection, or indefinite retention violate the data minimization principle (GDPR Art. 5(1)(c), IEEE 7010-2020).",
+      "description": "AI systems processing children's data must implement data minimization — collecting only what is strictly necessary. Broad collection scopes, wildcard field selection, or indefinite retention violate the data minimization principle (GDPR Art. 5(1)(c), IEEE 7010-2020).",
       "patterns": [
         {
           "pattern": "(?:collectUserData|gatherData|harvestData|scrapeUser)\\((?![^)]*(?:fields|only|select))",
@@ -5428,7 +5438,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "constitutional-ai",
-      "description": "High-impact AI decisions about children (content restrictions, learning path changes, behavioral assessments) must include a parental co-regulation mechanism \u2014 parents must be notified and given override capability (IEEE 2089-2021 Section 6.4, UN CRC Art. 5).",
+      "description": "High-impact AI decisions about children (content restrictions, learning path changes, behavioral assessments) must include a parental co-regulation mechanism — parents must be notified and given override capability (IEEE 2089-2021 Section 6.4, UN CRC Art. 5).",
       "patterns": [
         {
           "pattern": "(?:setContentRestriction|restrictAccess|blockContent|limitUsage)\\((?![^)]*parent)",
@@ -5508,7 +5518,7 @@
       "severity": "high",
       "confidence": "low",
       "category": "ai-governance",
-      "description": "EU AI Act Art. 10(2) requires training data sets to be subject to data governance practices \u2014 including documentation of data sources, collection methodology, and quality metrics. ML pipelines without data provenance tracking violate this requirement.",
+      "description": "EU AI Act Art. 10(2) requires training data sets to be subject to data governance practices — including documentation of data sources, collection methodology, and quality metrics. ML pipelines without data provenance tracking violate this requirement.",
       "patterns": [
         {
           "pattern": "(?:loadDataset|readTrainingData|importDataset|fetchTrainingSet)\\((?![^)]*(?:provenance|source|documentation|metadata))",
@@ -5524,7 +5534,7 @@
         }
       ],
       "fix_suggestion": "Add data governance documentation: create a data card for each training dataset documenting source, collection method, size, demographics, known biases, and quality metrics.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5560,7 +5570,7 @@
         }
       ],
       "fix_suggestion": "Add bias testing to the training pipeline: run demographic parity checks, compute equalized odds metrics, and document bias audit results before deployment.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5596,7 +5606,7 @@
         }
       ],
       "fix_suggestion": "Validate data representativeness: use stratified sampling, verify demographic coverage across age groups, and document gaps between training data and target child population.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5632,7 +5642,7 @@
         }
       ],
       "fix_suggestion": "Verify consent before using children's data for training: implement opt-in parental consent for data use in ML training, maintain consent audit trail, and provide data deletion mechanisms.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover (combined with GDPR)",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover (combined with GDPR)",
       "languages": [
         "typescript",
         "javascript",
@@ -5668,7 +5678,7 @@
         }
       ],
       "fix_suggestion": "Add human-in-the-loop: implement review queues for consequential AI decisions, add manual override capabilities, and require human approval for actions affecting child accounts.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5704,7 +5714,7 @@
         }
       ],
       "fix_suggestion": "Implement emergency stop: add a kill switch endpoint (/api/ai/stop), monitoring alerts for anomalous behavior, and immediate halt capability accessible to human overseers.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac35M or 7% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €35M or 7% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5740,7 +5750,7 @@
         }
       ],
       "fix_suggestion": "Add interpretability: attach explanation metadata (SHAP values, feature importance, confidence scores, or natural language reasoning) to every AI output served to overseers.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5776,7 +5786,7 @@
         }
       ],
       "fix_suggestion": "Add oversight audit trail: log every human review, override, and approval action with timestamp, reviewer ID, original AI output, and human decision rationale.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5812,7 +5822,7 @@
         }
       ],
       "fix_suggestion": "Add accuracy monitoring: implement real-time error rate tracking, declare expected accuracy levels in model documentation, and set up alerts when accuracy degrades below thresholds.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5860,7 +5870,7 @@
         }
       ],
       "fix_suggestion": "Add AI failure fallback: wrap all AI calls in try/catch with timeouts, implement graceful degradation (e.g., static content when AI unavailable), and log all failures for review.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -5900,7 +5910,7 @@
         }
       ],
       "fix_suggestion": "Add adversarial robustness: implement input sanitization for all user-provided text before passing to AI models, add prompt injection detection, and run periodic adversarial testing.",
-      "penalty": "EU AI Act Art. 99: Up to \u20ac15M or 3% of global annual turnover",
+      "penalty": "EU AI Act Art. 99: Up to €15M or 3% of global annual turnover",
       "languages": [
         "typescript",
         "javascript",
@@ -6046,7 +6056,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "data-minimization",
-      "description": "GDPR Article 5(1)(c) requires data minimization \u2014 only collecting data that is adequate, relevant, and limited to what is necessary. For children's services, this standard is applied more strictly.",
+      "description": "GDPR Article 5(1)(c) requires data minimization — only collecting data that is adequate, relevant, and limited to what is necessary. For children's services, this standard is applied more strictly.",
       "patterns": [
         {
           "pattern": "(?:collectAll|collect_all|gatherAll|gather_all|fetchAll|fetch_all)(?:Data|Info|UserData|Profile)",
@@ -6101,7 +6111,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Implement a complete data erasure endpoint that deletes all personal data when requested, with special priority for data collected from children. Do not soft-delete or archive \u2014 GDPR Article 17 requires actual erasure unless a legal retention obligation applies.",
+      "fix_suggestion": "Implement a complete data erasure endpoint that deletes all personal data when requested, with special priority for data collected from children. Do not soft-delete or archive — GDPR Article 17 requires actual erasure unless a legal retention obligation applies.",
       "penalty": "Up to 4% of global annual turnover (GDPR Art. 83)",
       "languages": [
         "typescript",
@@ -6158,7 +6168,7 @@
         }
       ],
       "fix_suggestion": "Under India's DPDP Act Section 9(3), ANY tracking or behavioral monitoring for users under 18 is prohibited regardless of consent. Implement age-gating that completely disables all analytics, tracking, and ad SDKs for users under 18 in India.",
-      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "penalty": "Up to ₹250 crore (~$30M USD)",
       "languages": [
         "typescript",
         "javascript",
@@ -6199,7 +6209,7 @@
         }
       ],
       "fix_suggestion": "Under India's DPDP Act, the age of majority for data processing is 18 (not 13). Implement verifiable parental consent for ALL users under 18 when processing personal data for Indian users.",
-      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "penalty": "Up to ₹250 crore (~$30M USD)",
       "languages": [
         "typescript",
         "javascript",
@@ -6244,7 +6254,7 @@
         }
       ],
       "fix_suggestion": "Completely disable all targeted/personalized advertising for users under 18 in India. Only contextual (non-personalized) ads are permissible.",
-      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "penalty": "Up to ₹250 crore (~$30M USD)",
       "languages": [
         "typescript",
         "javascript",
@@ -6289,7 +6299,7 @@
         }
       ],
       "fix_suggestion": "Under India's DPDP Act, behavioral monitoring of anyone under 18 is prohibited. Disable session recording, heatmaps, and engagement analytics for users under 18 in India.",
-      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "penalty": "Up to ₹250 crore (~$30M USD)",
       "languages": [
         "typescript",
         "javascript",
@@ -6330,7 +6340,7 @@
         }
       ],
       "fix_suggestion": "Review all data processing that involves children for potential detrimental effects on well-being. This includes addictive design patterns, engagement loops, and excessive notifications.",
-      "penalty": "Up to \u20b9250 crore (~$30M USD)",
+      "penalty": "Up to ₹250 crore (~$30M USD)",
       "languages": [
         "typescript",
         "javascript",
@@ -6396,7 +6406,7 @@
       "severity": "high",
       "confidence": "medium",
       "category": "consent",
-      "description": "LGPD Article 14 \u00a74 prohibits conditioning game/app participation on providing excess personal data. Children must not be required to share data beyond what is necessary to participate.",
+      "description": "LGPD Article 14 §4 prohibits conditioning game/app participation on providing excess personal data. Children must not be required to share data beyond what is necessary to participate.",
       "patterns": [
         {
           "pattern": "(?:requiredToPlay|required_to_play|mustProvide|must_provide|gateContent|gate_content).*(?:email|phone|name|address|school)",
@@ -6411,7 +6421,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Do not gate game features, levels, or content behind data collection requirements. Under LGPD Article 14 \u00a74, children's participation cannot be conditioned on providing excess personal data.",
+      "fix_suggestion": "Do not gate game features, levels, or content behind data collection requirements. Under LGPD Article 14 §4, children's participation cannot be conditioned on providing excess personal data.",
       "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
       "languages": [
         "typescript",
@@ -6437,7 +6447,7 @@
       "severity": "critical",
       "confidence": "medium",
       "category": "consent",
-      "description": "LGPD Article 14 \u00a71 requires at least one parent or legal guardian to provide specific and highlighted consent for processing children's (under 12) personal data.",
+      "description": "LGPD Article 14 §1 requires at least one parent or legal guardian to provide specific and highlighted consent for processing children's (under 12) personal data.",
       "patterns": [
         {
           "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*1[2-3](?!\\d)(?!.*(?:parent|guardian|responsavel))",
@@ -6485,7 +6495,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "For Brazilian adolescents (12-18), ensure data processing includes age-appropriate explanations and respects their right to be consulted. LGPD Article 14 \u00a76 requires notices understandable by the child themselves.",
+      "fix_suggestion": "For Brazilian adolescents (12-18), ensure data processing includes age-appropriate explanations and respects their right to be consulted. LGPD Article 14 §6 requires notices understandable by the child themselves.",
       "penalty": "Up to 2% of revenue, capped at R$50 million per violation",
       "languages": [
         "typescript",
@@ -6571,7 +6581,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "Ensure consent flows for teen users include simplified, age-appropriate explanations. The OPC requires that the individual can understand what they are consenting to \u2014 complex legal language fails this test for teens.",
+      "fix_suggestion": "Ensure consent flows for teen users include simplified, age-appropriate explanations. The OPC requires that the individual can understand what they are consenting to — complex legal language fails this test for teens.",
       "penalty": "OPC compliance orders; Federal Court orders up to $100K CAD per violation",
       "languages": [
         "typescript",
@@ -6634,7 +6644,7 @@
       "severity": "medium",
       "confidence": "low",
       "category": "purpose-limitation",
-      "description": "PIPEDA Section 5(3) requires that data collection serve purposes a 'reasonable person' would consider appropriate. For minors, the OPC applies a higher standard \u2014 marketing, profiling, and engagement optimization may fail this test.",
+      "description": "PIPEDA Section 5(3) requires that data collection serve purposes a 'reasonable person' would consider appropriate. For minors, the OPC applies a higher standard — marketing, profiling, and engagement optimization may fail this test.",
       "patterns": [
         {
           "pattern": "(?:marketingConsent|marketing_consent|promotionalEmails|promotional_emails)\\s*(?:=|:)\\s*true.*(?:child|minor|kid|teen|student|youth)",
@@ -6671,7 +6681,7 @@
       "severity": "critical",
       "confidence": "medium",
       "category": "consent",
-      "description": "South Korea PIPA Article 22-2 requires parental/guardian consent for processing personal data of children under 14. This extends COPPA's threshold by one year \u2014 children aged 13 need parental consent in South Korea.",
+      "description": "South Korea PIPA Article 22-2 requires parental/guardian consent for processing personal data of children under 14. This extends COPPA's threshold by one year — children aged 13 need parental consent in South Korea.",
       "patterns": [
         {
           "pattern": "(?:age|userAge|childAge)\\s*(?:<|<=|===?|==)\\s*13(?!\\d)(?!.*(?:parent|guardian|legal))",
@@ -6712,7 +6722,7 @@
       "severity": "high",
       "confidence": "low",
       "category": "transparency",
-      "description": "South Korea PIPA Article 39-3 \u00a75 requires privacy information to be presented in clear, understandable language for children under 14. Generic adult privacy policies fail this requirement.",
+      "description": "South Korea PIPA Article 39-3 §5 requires privacy information to be presented in clear, understandable language for children under 14. Generic adult privacy policies fail this requirement.",
       "patterns": [
         {
           "pattern": "(?:privacyPolicy|privacy_policy|termsUrl|terms_url|privacyUrl|privacy_url)\\s*(?:=|:)\\s*['\"](?:https?:\\/\\/|\\/)(?!.*(?:child|kid|minor|simple|easy))",
@@ -6810,7 +6820,7 @@
         }
       ],
       "fix_suggestion": "Hide or disable social comparison metrics (likes, followers, view counts, leaderboards) for users under 18. Consider removing public metrics entirely or showing them only to the content creator.",
-      "penalty": "Ethical design advisory \u2014 correlates with AADC Standard 5 (detrimental use), DSA Article 28, CAADCA dark pattern provisions",
+      "penalty": "Ethical design advisory — correlates with AADC Standard 5 (detrimental use), DSA Article 28, CAADCA dark pattern provisions",
       "languages": [
         "typescript",
         "javascript",
@@ -6847,7 +6857,7 @@
         }
       ],
       "fix_suggestion": "Implement natural stopping cues: end-of-content screens, session time limits, break prompts ('You've been watching for 30 minutes'), or 'Good Night' modes. Do not allow infinite content consumption without intervention.",
-      "penalty": "Ethical design advisory \u2014 correlates with DSA Article 28 (addictive design), AADC Standard 5",
+      "penalty": "Ethical design advisory — correlates with DSA Article 28 (addictive design), AADC Standard 5",
       "languages": [
         "typescript",
         "javascript",
@@ -6888,7 +6898,7 @@
         }
       ],
       "fix_suggestion": "Implement a PIN-protected parent dashboard showing usage time, content accessed, and activity summaries. Ensure the dashboard provides oversight without invasive psychometric profiling of the child.",
-      "penalty": "Positive design advisory \u2014 correlates with AADC Standard 11 (parental controls), AADCA parental tools requirement",
+      "penalty": "Positive design advisory — correlates with AADC Standard 11 (parental controls), AADCA parental tools requirement",
       "languages": [
         "typescript",
         "javascript",
@@ -6937,7 +6947,7 @@
         }
       ],
       "fix_suggestion": "Do not combine randomized rewards with real-money purchases in children's products. Show exact contents before purchase, or use fixed reward systems. Multiple jurisdictions classify loot boxes as gambling when targeting children.",
-      "penalty": "Varies by jurisdiction \u2014 Belgium banned (criminal sanctions), Netherlands fined (up to \u20ac10M), Australia under review",
+      "penalty": "Varies by jurisdiction — Belgium banned (criminal sanctions), Netherlands fined (up to €10M), Australia under review",
       "languages": [
         "typescript",
         "javascript",
@@ -6977,7 +6987,7 @@
           "flags": "gi"
         }
       ],
-      "fix_suggestion": "For Australian deployments, set minimum registration age to 16. Parental consent cannot override this requirement. Implement robust age verification \u2014 simple self-declaration is insufficient under the Act.",
+      "fix_suggestion": "For Australian deployments, set minimum registration age to 16. Parental consent cannot override this requirement. Implement robust age verification — simple self-declaration is insufficient under the Act.",
       "penalty": "Up to A$49.5 million (150,000 penalty units)",
       "languages": [
         "typescript",
@@ -6996,6 +7006,798 @@
       "transform_type": null,
       "scaffold_id": "age-gate-auth",
       "guidance_url": "https://www.esafety.gov.au/about-us/industry-regulation/social-media-age-restrictions"
+    },
+    {
+      "id": "asaa-av-001",
+      "name": "Missing Platform Age API Integration",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "age-verification",
+      "description": "ASAA requires app stores and developers to integrate platform-native age APIs (Apple Declared Age Range API, Google Play Age Verification) during account creation and onboarding. Account creation flows that do not call these APIs leave teen users (13-17) unverified, violating TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:createUser|signUp|createAccount|registerUser|onboardUser)\\s*\\([^)]*\\)(?!.*(?:declaredAgeRange|ageRangeAPI|AgeVerification|PlayIntegrity|ageAssurance))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:create_user|sign_up|create_account|register_user|onboard_user)\\s*\\([^)]*\\)(?!.*(?:declared_age_range|age_range_api|age_verification|play_integrity|age_assurance))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:AuthService|UserService|AccountService)\\.(?:create|register|signUp)\\s*\\((?!.*(?:ageAPI|ageRange|AgeVerification|ageAssurance))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Integrate Apple's Declared Age Range API (DeviceCheck framework) or Google Play Age Verification API into your account creation flow. Query the platform age signal before completing registration and branch logic for users identified as under 18.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-av-002",
+      "name": "Raw DOB Storage Instead of Age Tokens",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "age-verification",
+      "description": "ASAA and data minimization principles require apps to store age verification tokens or age bands rather than raw dates of birth. Storing date_of_birth or dob fields directly exposes sensitive PII and creates unnecessary liability under TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:date_of_birth|dateOfBirth|dob|birthDate|birth_date)\\s*[:=]\\s*(?:req\\.|request\\.|params\\.|body\\.|input\\.|data\\.)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:INSERT|UPDATE)\\s+(?:INTO\\s+)?\\w+.*(?:date_of_birth|dob|birth_date)\\s*[,)]",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})\\buser\\.(?:dob|dateOfBirth|date_of_birth|birthDate|birth_date)\\s*=",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Replace raw DOB storage with an age verification token or age band (e.g., 'under-13', '13-17', '18+'). Compute the age category at verification time and discard the raw date. Store only the verification result and method.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-av-003",
+      "name": "Missing Fallback Age Verification",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "age-verification",
+      "description": "ASAA requires robust age verification that does not rely solely on self-declaration. When platform-native age APIs are unavailable or inconclusive, apps must fall back to a third-party age verification provider (e.g., Ondato, Veriff, Yoti). Age check flows without a fallback path leave gaps in compliance.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:verifyAge|checkAge|ageGate|ageCheck|age_verify|age_gate|age_check)\\s*\\([^)]*\\)(?!.*(?:ondato|Ondato|veriff|Veriff|yoti|Yoti|jumio|Jumio|fallback|Fallback|thirdParty|third_party))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:ageVerification|age_verification)\\s*(?:=|:)\\s*(?:self_declared|selfDeclared|checkbox|user_input|userInput)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})if\\s*\\(\\s*(?:age|userAge|user_age)\\s*(?:>=?|<=?|===?)\\s*\\d+\\s*\\)(?!.*(?:verify|ondato|veriff|yoti|fallback|thirdParty|third_party))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Add a fallback age verification path using a certified third-party provider (Ondato, Veriff, Yoti, or equivalent). When platform age APIs return inconclusive results, redirect to the fallback provider before granting access.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-av-004",
+      "name": "Inadequate Age Category Assignment",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "age-verification",
+      "description": "COPPA only requires checks for users under 13, but ASAA extends protections to teens aged 13-17. Code that checks only for <13 (COPPA threshold) without a separate 13-17 category fails to apply ASAA teen protections required by TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:age|userAge|user_age)\\s*<\\s*13(?!.*(?:teen|minor|17|18|youngAdult|young_adult|ageBand|age_band))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:isChild|is_child|isMinor|is_minor)\\s*(?:=|:)\\s*(?:age|userAge|user_age)\\s*<\\s*13(?!.*(?:teen|isTeen|is_teen|under18|under_18))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})COPPA_AGE\\s*(?:=|:)\\s*13(?!.*(?:ASAA|TEEN|teen_age|teenAge|MINOR_AGE|minor_age))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Add a teen age category (13-17) alongside the existing COPPA child category (<13). Implement separate permission levels: children (<13) require full COPPA compliance, teens (13-17) require ASAA parental consent and device linking, adults (18+) have standard access.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-av-005",
+      "name": "Missing Retroactive Account Verification (Alabama)",
+      "severity": "critical",
+      "confidence": "low",
+      "category": "age-verification",
+      "description": "Alabama HB 161 uniquely requires retroactive age verification for existing user accounts by Oct 1, 2027. Apps must implement a re-verification flow for their existing user base, not just new signups. Lack of a retroactive verification migration or batch process violates this requirement.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:existingUsers|existing_users|legacyUsers|legacy_users|currentUsers|current_users)(?!.*(?:reverify|reVerify|re_verify|ageCheck|age_check|retroactive|migration|batch))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:userMigration|user_migration|accountUpgrade|account_upgrade)(?!.*(?:age|verify|ageVerif|age_verif))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:SELECT|query)\\s+.*\\bFROM\\s+(?:users|accounts)\\b.*WHERE(?!.*(?:age_verified|ageVerified|verification_status|verificationStatus))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Implement a retroactive age verification flow for existing accounts. Create a migration that flags unverified accounts and prompts users to complete age verification on next login. Set a compliance deadline (Oct 1, 2027 for Alabama HB 161) and restrict unverified accounts after that date.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-vpc-001",
+      "name": "Free App Without Consent Flow",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "parental-consent",
+      "description": "ASAA requires verifiable parental consent before a minor (under 18) can download or install a free app. Download and install handlers that do not gate on parental consent violate TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:downloadApp|installApp|startDownload|beginInstall|download_app|install_app|start_download|begin_install)\\s*\\([^)]*\\)(?!.*(?:parentalConsent|parental_consent|guardianApproval|guardian_approval|consentCheck|consent_check))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:AppStore|PlayStore|appStore|playStore)\\.(?:download|install|purchase)\\s*\\((?!.*(?:consent|parental|guardian))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:price|cost)\\s*(?:===?|==)\\s*(?:0|'free'|\"free\"|null).*(?:download|install)(?!.*(?:consent|parental|guardian))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Add a parental consent gate before allowing free app downloads for users identified as minors. The consent mechanism must be verifiable (not just a checkbox). Consider using platform-native parental consent flows (Ask to Buy on iOS, Family Link on Android).",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-vpc-002",
+      "name": "Missing In-App Consent Triggers",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "parental-consent",
+      "description": "ASAA extends parental consent requirements to in-app purchases made by minors. Purchase flows that do not check for parental consent when the user is under 18 violate TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:purchaseItem|buyItem|makePurchase|completePurchase|purchase_item|buy_item|make_purchase|complete_purchase)\\s*\\([^)]*\\)(?!.*(?:parentalConsent|parental_consent|guardianApproval|guardian_approval|isMinor|is_minor))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:InAppPurchase|StoreKit|BillingClient)\\.(?:purchase|buy|initiate)\\s*\\((?!.*(?:consent|parental|guardian|minor))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:checkout|processPayment|process_payment|chargeUser|charge_user)\\s*\\((?!.*(?:consent|parental|guardian|minor|ageCheck|age_check))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Add a parental consent verification step to in-app purchase flows when the buyer is identified as a minor (under 18). Use platform-native purchase approval (Ask to Buy, Family Link) or implement a custom consent flow with verifiable parental identity.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-vpc-003",
+      "name": "Data Sharing Without Parental Approval",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "parental-consent",
+      "description": "ASAA requires parental consent before sharing a minor's data with third parties. Features that enable data sharing, analytics opt-in, or social sharing without checking parental consent status violate TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:shareData|share_data|enableSharing|enable_sharing|optInAnalytics|opt_in_analytics|thirdPartyShare|third_party_share)\\s*\\((?!.*(?:consent|parental|guardian|minor|ageCheck|age_check))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:socialShare|social_share|shareProfile|share_profile|exportData|export_data)\\s*\\((?!.*(?:consent|parental|guardian|minor))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:dataSharing|data_sharing|shareWithPartners|share_with_partners)\\s*(?:=|:)\\s*(?:true|enabled)(?!.*(?:consent|parental|guardian))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Gate all data sharing features behind a parental consent check for minor accounts. Require verifiable parental approval before enabling analytics opt-in, social sharing, or third-party data transfers. Log the consent decision with timestamp and method.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-vpc-004",
+      "name": "Inadequate Consent Verification Method",
+      "severity": "critical",
+      "confidence": "high",
+      "category": "parental-consent",
+      "description": "ASAA requires verifiable parental consent, meaning a simple checkbox or click-through is insufficient. Consent flows that rely solely on a checkbox, toggle, or single-click confirmation do not meet the verifiable consent standard required by TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:parentalConsent|parental_consent|guardianConsent|guardian_consent)\\s*(?:=|:)\\s*(?:checkbox|toggle|isChecked|is_checked|clicked|accepted)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})<(?:input|checkbox)\\s[^>]*(?:parentalConsent|parental-consent|guardian-consent)[^>]*(?:type\\s*=\\s*[\"']checkbox[\"'])",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consentMethod|consent_method|verificationMethod|verification_method)\\s*(?:=|:)\\s*(?:[\"']checkbox[\"']|[\"']click[\"']|[\"']toggle[\"']|[\"']self-declared[\"'])",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Replace checkbox-based consent with a verifiable method: credit card transaction, government ID verification, video call verification, or signed consent form. The FTC's COPPA verifiable consent methods are the minimum standard. Store the verification method used alongside the consent record.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-vpc-005",
+      "name": "Missing Consent Record Persistence",
+      "severity": "critical",
+      "confidence": "medium",
+      "category": "parental-consent",
+      "description": "ASAA requires apps to maintain proof of verifiable parental consent. Consent flows that do not persist the consent record (timestamp, method, parent identity) to durable storage fail audit requirements under TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:parentalConsent|parental_consent|consentGranted|consent_granted)\\s*=\\s*true(?!.*(?:save|store|persist|log|record|insert|write|db|database|redis|dynamo))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:setConsent|set_consent|grantConsent|grant_consent)\\s*\\([^)]*\\)(?!.*(?:save|store|persist|log|record|insert|write|db|database))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consentStatus|consent_status)\\s*=\\s*(?:true|'granted'|\"granted\")(?!.*(?:timestamp|createdAt|created_at|method|verifiedBy|verified_by))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Persist all consent records to durable storage with: timestamp, consent method (e.g., credit card, ID verification), parent/guardian identifier, minor account identifier, and consent scope. Records must be retained for the lifetime of the account plus 3 years.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-dpl-001",
+      "name": "Missing Parent Account Linking",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "device-parent-linking",
+      "description": "ASAA requires minor accounts to be linked to a verified parent or guardian account. Account creation flows for minors that do not bind to a parent/guardian account violate the device-to-parent linking requirements of TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:createMinorAccount|createChildAccount|create_minor_account|create_child_account|registerMinor|register_minor)\\s*\\((?!.*(?:parent|guardian|family|linked|binding))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:accountType|account_type|userType|user_type)\\s*(?:=|:)\\s*(?:[\"']minor[\"']|[\"']child[\"']|[\"']teen[\"'])(?!.*(?:parent|guardian|family|linked))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:isMinor|is_minor|isTeen|is_teen)\\s*(?:=|:)\\s*true(?!.*(?:parentId|parent_id|guardianId|guardian_id|familyId|family_id))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Require a parent/guardian account link during minor account creation. Store parentId or guardianId as a required foreign key on minor accounts. Use platform family APIs (Apple Family Sharing, Google Family Link) where available.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-dpl-002",
+      "name": "No Cross-Platform Family Linking",
+      "severity": "high",
+      "confidence": "low",
+      "category": "device-parent-linking",
+      "description": "ASAA device-to-parent linking must work across platforms. Family linking implementations that are hardcoded to a single platform (iOS-only or Android-only) leave users on other platforms without required parental oversight, violating the multi-platform intent of TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:FamilySharing|familySharing|family_sharing)(?!.*(?:FamilyLink|familyLink|family_link|android|Android|crossPlatform|cross_platform))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:FamilyLink|familyLink|family_link)(?!.*(?:FamilySharing|familySharing|family_sharing|ios|iOS|apple|Apple|crossPlatform|cross_platform))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:parentLink|parent_link|familyBinding|family_binding)\\s*(?:=|:).*(?:platform\\s*(?:===?|==)\\s*[\"'](?:ios|android)[\"'])(?!.*(?:else|fallback|other))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Implement cross-platform family linking that works on both iOS (Family Sharing) and Android (Family Link). Provide a platform-agnostic fallback (email/SMS verification) for web and other platforms. Store family relationships in your backend, not just platform-native APIs.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-dpl-003",
+      "name": "Missing Parental Dashboard API",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "device-parent-linking",
+      "description": "ASAA requires that parents have oversight of their minor's account activity. Apps managing minor accounts without API endpoints for parental monitoring (activity feed, usage stats, content review) fail the supervisory tool requirements of TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:minorAccount|minor_account|childAccount|child_account|teenAccount|teen_account)(?!.*(?:parentDashboard|parent_dashboard|parentalView|parental_view|guardianPortal|guardian_portal|oversight|monitor))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:router|app)\\.(?:get|post|route)\\s*\\(\\s*[\"']/(?:api/)?(?:minor|child|teen|family)(?!.*(?:parent|guardian|dashboard|oversight|monitor|activity))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:getChildActivity|get_child_activity|minorUsage|minor_usage)(?!.*(?:parent|guardian|dashboard|endpoint|api|route))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Create parental dashboard API endpoints that expose: minor's activity summary, usage statistics, content interaction history, and account settings. Authenticate parent access via the established parent-child account link. Include real-time and historical views.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-dpl-004",
+      "name": "No Remote Pause/Audit Capability",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "device-parent-linking",
+      "description": "ASAA requires parents to have remote pause and review capabilities for their minor's accounts. Minor account management without parental pause, lock, or activity review functionality violates the supervisory requirements of TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:minorAccount|minor_account|childAccount|child_account|teenProfile|teen_profile)\\s*(?:=|:)\\s*\\{(?!.*(?:pause|suspend|lock|remotePause|remote_pause|parentControl|parent_control))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:AccountSettings|accountSettings|account_settings).*(?:minor|child|teen)(?!.*(?:pause|suspend|lock|freeze|review|audit))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Implement remote parental controls: account pause/unpause, session termination, activity log review, and content audit. These controls must be accessible from the parent's device without requiring access to the minor's device. Provide push notifications to parents for flagged activity.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-dpl-005",
+      "name": "Missing Guardian Verification in Linking",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "device-parent-linking",
+      "description": "ASAA requires that parent-child account linking includes verification of the guardian's identity. Linking flows that connect accounts without verifying the parent's identity allow unauthorized adults to link to minor accounts, violating TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:linkParent|link_parent|addGuardian|add_guardian|setParent|set_parent|bindParent|bind_parent)\\s*\\((?!.*(?:verify|identity|idCheck|id_check|authenticate|credential))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:parentLink|parent_link|guardianLink|guardian_link)\\s*(?:=|:)\\s*(?:req\\.|request\\.|params\\.|body\\.)(?!.*(?:verify|identity|idCheck|id_check|authenticate))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:familyInvite|family_invite|parentInvite|parent_invite)\\s*\\((?!.*(?:verify|identity|idCheck|id_check|authenticate|credential))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Verify guardian identity before completing parent-child account linking. Use multi-factor verification: email confirmation to a verified adult account, plus identity verification (government ID, credit card charge, or knowledge-based authentication). Log the verification method used.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-ar-001",
+      "name": "Missing Consent Timestamp Logging",
+      "severity": "high",
+      "confidence": "high",
+      "category": "audit-retention",
+      "description": "ASAA requires audit trails for all consent actions. Consent flows that do not log a timestamp and method of consent cannot demonstrate compliance during state attorney general inquiries. Required by TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:grantConsent|grant_consent|recordConsent|record_consent|saveConsent|save_consent)\\s*\\((?!.*(?:timestamp|createdAt|created_at|Date\\.now|datetime|time\\.time|Instant\\.now))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consent)\\s*(?:=|:)\\s*\\{(?!.*(?:timestamp|createdAt|created_at|date|time|recordedAt|recorded_at))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})INSERT\\s+INTO\\s+(?:consent|consents|consent_log|consent_records)\\s*\\((?![^)]*(?:timestamp|created_at|recorded_at|consent_date))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Add timestamp and method logging to all consent recording flows. Each consent record must include: ISO 8601 timestamp, consent method (e.g., 'credit-card-verification', 'id-check'), parent identifier, minor identifier, and consent scope. Use server-side timestamps, not client-provided values.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-ar-002",
+      "name": "Inadequate Retention Period",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "audit-retention",
+      "description": "ASAA audit trail requirements mandate that consent and verification records are retained for the lifetime of the account plus 3 years. Data retention policies with shorter periods (e.g., 90 days, 1 year) fail to meet the retention requirements of TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:retentionPeriod|retention_period|dataRetention|data_retention|ttl|TTL|expiresIn|expires_in)\\s*(?:=|:)\\s*(?:\\d+\\s*\\*\\s*)?(?:86400|2592000|7776000|31536000|365|90|180|30)(?!.*(?:consent|verification|audit|compliance).*(?:lifetime|forever|permanent|indefinite))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:DELETE|PURGE|EXPUNGE|cleanup|clean_up)\\s+.*(?:consent|verification|audit|compliance).*(?:older_than|olderThan|before|prior)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consentExpiry|consent_expiry|verificationExpiry|verification_expiry)\\s*(?:=|:)\\s*(?!.*(?:lifetime|accountLifetime|account_lifetime|permanent|indefinite|never))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Set retention period for consent and age verification records to account lifetime + 3 years minimum. Do not apply automatic TTL or cleanup policies to compliance records. Implement a separate retention policy for ASAA audit data that overrides general data retention schedules.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-ar-003",
+      "name": "No Audit Trail Endpoint",
+      "severity": "medium",
+      "confidence": "low",
+      "category": "audit-retention",
+      "description": "ASAA requires apps to provide compliance data to state attorneys general upon request. Apps storing consent and verification data without an API endpoint to export this data for regulatory inquiries cannot efficiently respond to AG requests, risking non-compliance with TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consentLog|consent_log|verificationLog|verification_log|auditLog|audit_log)(?!.*(?:endpoint|api|route|controller|handler|export|query))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:router|app)\\.(?:get|post|route)\\s*\\(\\s*[\"']/(?:api/)?(?:compliance|audit)(?!.*(?:consent|verification|export|report|attorney|ag-request))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Create an authenticated API endpoint (e.g., /api/compliance/audit-trail) that exports consent records, age verification logs, and parental linking history in a structured format (JSON/CSV). Restrict access to authorized compliance officers. Include filtering by date range, user ID, and record type.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "flag-only",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-ar-004",
+      "name": "Missing Age Verification Method Logging",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "audit-retention",
+      "description": "ASAA audit requirements mandate recording which age verification method was used for each user. Age verification flows that do not log the specific method (platform API, ID verification, third-party provider) cannot demonstrate compliance methodology to state attorneys general.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:verifyAge|verify_age|checkAge|check_age|ageVerification|age_verification)\\s*\\([^)]*\\)(?!.*(?:method|provider|source|verifiedBy|verified_by|verificationType|verification_type))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:ageVerified|age_verified|isVerified|is_verified)\\s*(?:=|:)\\s*true(?!.*(?:method|provider|source|verifiedBy|verified_by|verificationType|verification_type))",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})INSERT\\s+INTO\\s+(?:age_verification|verification_log|age_check)\\s*\\((?![^)]*(?:method|provider|source|verification_type))",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Log the age verification method alongside the verification result. Record: method type (platform-api, id-verification, third-party-provider), provider name (Apple, Google, Ondato, Veriff), confidence score, and timestamp. Store in the same audit trail as consent records.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
+    },
+    {
+      "id": "asaa-ar-005",
+      "name": "Mutable Consent Records",
+      "severity": "high",
+      "confidence": "medium",
+      "category": "audit-retention",
+      "description": "ASAA audit trail integrity requires consent records to be append-only and immutable. Consent logs that allow UPDATE or DELETE operations compromise the evidentiary value of the audit trail and violate the record integrity requirements implied by TX HB 18, AL HB 161, LA Act 440, and UT SB 142.",
+      "patterns": [
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:UPDATE|DELETE)\\s+(?:FROM\\s+)?(?:consent|consents|consent_log|consent_records|verification_log|audit_trail)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:consentLog|consent_log|auditTrail|audit_trail|verificationLog|verification_log)\\.(?:update|delete|remove|destroy|edit|modify)",
+          "flags": "gi"
+        },
+        {
+          "pattern": "(?<!(?:mock|Mock|fake|stub|fixture|test|Test|expect|assert|//|\\*)\\s{0,20})(?:ConsentRecord|ConsentLog|AuditEntry|VerificationRecord)\\.(?:update|delete|destroy|findOneAndUpdate|findAndModify|updateOne|deleteOne|remove)",
+          "flags": "gi"
+        }
+      ],
+      "fix_suggestion": "Make consent and verification records append-only. Remove UPDATE and DELETE operations from consent log models. Use soft-delete with a revocation record instead of hard deletes. Consider an immutable ledger pattern (event sourcing) for maximum audit integrity. Add database-level constraints to prevent mutation.",
+      "penalty": "Up to $2,500 per violation per state; Alabama HB 161 includes retroactive compliance requirement by Oct 1, 2027",
+      "languages": [
+        "typescript",
+        "javascript",
+        "python",
+        "go",
+        "java",
+        "kotlin",
+        "swift"
+      ],
+      "packs": [
+        "asaa"
+      ],
+      "fixability": "guided",
+      "transform_type": null,
+      "scaffold_id": null,
+      "guidance_url": null
     }
   ]
 }