getdoorman 1.0.0

package/src/rules/compliance/index.js

@@ -0,0 +1,2714 @@
+import healthcareRules from './healthcare.js';
+import regionalEuRules from './regional-eu.js';
+import regionalIntlRules from './regional-international.js';
+import educationRules from './education.js';
+import financialRules from './financial.js';
+import frameworksRules from './frameworks.js';
+import accessibilityExtRules from './accessibility-ext.js';
+
+const rules = [
+  // COMP-001: No privacy policy
+  {
+    id: 'COMP-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Privacy Policy Page',
+    check({ files }) {
+      const findings = [];
+      const hasPrivacyPage = [...files.keys()].some(f =>
+        f.match(/privacy/i) || f.match(/privacypolicy/i) || f.match(/privacy-policy/i)
+      );
+      const hasPrivacyLink = [...files.values()].some(c =>
+        c.includes('/privacy') || c.includes('privacy-policy') || c.includes('privacy policy')
+      );
+
+      if (!hasPrivacyPage && !hasPrivacyLink) {
+        // Only flag if it looks like a web app with users
+        const hasUserFacing = [...files.values()].some(c =>
+          c.includes('signup') || c.includes('login') || c.includes('register') ||
+          c.includes('<form') || c.includes('email')
+        );
+        if (hasUserFacing) {
+          findings.push({
+            ruleId: 'COMP-001', category: 'compliance', severity: 'high',
+            title: 'No privacy policy page detected',
+            description: 'Required by GDPR, CCPA, and most app stores. Every app collecting user data needs one.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-002: No cookie consent
+  {
+    id: 'COMP-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Cookie Consent Banner',
+    check({ files }) {
+      const findings = [];
+      const hasCookieConsent = [...files.values()].some(c =>
+        c.includes('cookie-consent') || c.includes('cookieConsent') ||
+        c.includes('cookie banner') || c.includes('CookieBanner') ||
+        c.includes('cookie_consent')
+      );
+
+      // Check if cookies or analytics are used
+      const usesCookies = [...files.values()].some(c =>
+        c.includes('document.cookie') || c.includes('setCookie') ||
+        c.includes('analytics') || c.includes('gtag') || c.includes('GA_TRACKING') ||
+        c.includes('google-analytics') || c.includes('mixpanel') || c.includes('segment')
+      );
+
+      if (usesCookies && !hasCookieConsent) {
+        findings.push({
+          ruleId: 'COMP-002', category: 'compliance', severity: 'high',
+          title: 'Using cookies/analytics without consent banner',
+          description: 'GDPR and ePrivacy Directive require user consent before setting non-essential cookies.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-003: No data deletion endpoint
+  {
+    id: 'COMP-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Data Deletion / Right to Erasure',
+    check({ files }) {
+      const findings = [];
+      const hasDeleteEndpoint = [...files.entries()].some(([filepath, content]) =>
+        (filepath.includes('api/') || filepath.includes('route')) &&
+        (content.includes('delete') || content.includes('DELETE')) &&
+        (content.includes('user') || content.includes('account'))
+      );
+
+      const hasUsers = [...files.values()].some(c =>
+        c.includes('signup') || c.includes('register') || c.includes('createUser')
+      );
+
+      if (hasUsers && !hasDeleteEndpoint) {
+        findings.push({
+          ruleId: 'COMP-003', category: 'compliance', severity: 'medium',
+          title: 'No user data deletion endpoint (GDPR right to erasure)',
+          description: 'GDPR requires you to delete user data on request. Add an account deletion feature.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-004: No accessibility basics
+  {
+    id: 'COMP-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Accessibility Attributes',
+    check({ files }) {
+      const findings = [];
+      let imgWithoutAlt = 0;
+      let buttonWithoutLabel = 0;
+
+      for (const [filepath, content] of files) {
+        if (!filepath.match(/\.(jsx|tsx|html)$/)) continue;
+
+        // Check for images without alt
+        const imgMatches = content.match(/<img[^>]*>/g) || [];
+        for (const img of imgMatches) {
+          if (!img.includes('alt=') && !img.includes('alt =')) {
+            imgWithoutAlt++;
+          }
+        }
+
+        // Check for buttons without accessible labels
+        const btnMatches = content.match(/<button[^>]*>[^<]*<\/button>/g) || [];
+        for (const btn of btnMatches) {
+          if (btn.match(/<button[^>]*>\s*<\/button>/)) {
+            buttonWithoutLabel++;
+          }
+        }
+      }
+
+      if (imgWithoutAlt > 0) {
+        findings.push({
+          ruleId: 'COMP-004', category: 'compliance', severity: 'medium',
+          title: `${imgWithoutAlt} image(s) missing alt text (accessibility)`,
+          description: 'Screen readers need alt text to describe images. Required for WCAG compliance.',
+          fix: null,
+        });
+      }
+
+      if (buttonWithoutLabel > 0) {
+        findings.push({
+          ruleId: 'COMP-004b', category: 'compliance', severity: 'medium',
+          title: `${buttonWithoutLabel} button(s) without accessible labels`,
+          description: 'Buttons need text content or aria-label for screen reader accessibility.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-005: Terms of Service
+  {
+    id: 'COMP-005',
+    category: 'compliance',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No Terms of Service Page',
+    check({ files }) {
+      const findings = [];
+      const hasToS = [...files.keys()].some(f =>
+        f.match(/terms/i) || f.match(/tos/i)
+      );
+      const hasToSLink = [...files.values()].some(c =>
+        c.includes('/terms') || c.includes('terms-of-service') || c.includes('terms of service')
+      );
+
+      const hasUsers = [...files.values()].some(c =>
+        c.includes('signup') || c.includes('register')
+      );
+
+      if (hasUsers && !hasToS && !hasToSLink) {
+        findings.push({
+          ruleId: 'COMP-005', category: 'compliance', severity: 'low',
+          title: 'No terms of service page detected',
+          description: 'A ToS protects you legally. Important before accepting payments or user data.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-001: Missing consent checkbox on signup
+  { id: 'COMP-GDPR-001', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Missing Consent Checkbox on Signup',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        if ((c.includes('signup') || c.includes('register') || c.includes('createAccount')) && c.includes('<form')) {
+          if (!c.match(/consent|agree|terms.*checkbox|checkbox.*terms|gdpr/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-001', category: 'compliance', severity: 'high',
+              title: 'Signup form missing explicit consent checkbox (GDPR)', description: 'GDPR requires freely given, specific, informed consent. Add a checkbox for terms/privacy that users must check.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-002: No data export endpoint (right to portability)
+  { id: 'COMP-GDPR-002', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Data Export Endpoint (GDPR Right to Portability)',
+    check({ files }) {
+      const findings = [];
+      const hasExport = [...files.values()].some(c => c.match(/export.*data|data.*export|download.*data|portability/i));
+      const hasUsers = [...files.values()].some(c => c.includes('signup') || c.includes('createUser'));
+      if (hasUsers && !hasExport) {
+        findings.push({ ruleId: 'COMP-GDPR-002', category: 'compliance', severity: 'medium',
+          title: 'No data export endpoint — GDPR right to data portability', description: 'GDPR Article 20 requires you to provide users their data in a machine-readable format on request.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-003: Analytics without consent
+  { id: 'COMP-GDPR-003', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Analytics Loaded Without Consent Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html|js)$/)) continue;
+        if (c.match(/gtag|google-analytics|GA_MEASUREMENT|mixpanel|segment|amplitude|heap\.io/)) {
+          if (!c.match(/consent|cookie.*accept|cookieBanner|hasConsent|gdpr/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-003', category: 'compliance', severity: 'high',
+              title: 'Analytics loaded without checking user consent', description: 'GDPR requires consent before loading tracking scripts. Check consent before initializing analytics.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-004: IP addresses logged without anonymization
+  { id: 'COMP-GDPR-004', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'IP Addresses Logged Without Anonymization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|ts)$/)) continue;
+        if (c.match(/req\.ip|req\.socket\.remoteAddress|x-forwarded-for/i)) {
+          if (c.match(/log|store|save|insert|record/i) && !c.match(/anonymi[sz]|mask|redact|truncate/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-004', category: 'compliance', severity: 'medium',
+              title: 'IP addresses logged/stored without anonymization', description: 'IP addresses are personal data under GDPR. Anonymize (truncate last octet) before logging or storing.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-005: No data retention policy
+  { id: 'COMP-GDPR-005', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Data Retention Policy',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/retention|purge|expire|ttl|deleteOld/i));
+      if (!has) {
+        return [{ ruleId: 'COMP-GDPR-005', category: 'compliance', severity: 'medium',
+          title: 'No data retention policy detected', description: 'GDPR requires data to be deleted when no longer needed. Implement scheduled deletion jobs and document retention periods.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-A11Y-001: Form inputs without labels
+  { id: 'COMP-A11Y-001', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Form Inputs Without Labels',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        const inputs = (c.match(/<input[^>]*>/gi) || []);
+        for (const inp of inputs) {
+          if (!inp.match(/aria-label|aria-labelledby/i) && !inp.match(/type=["']hidden["']/i)) {
+            const surroundingCtx = c.substring(Math.max(0, c.indexOf(inp) - 200), c.indexOf(inp));
+            if (!surroundingCtx.match(/<label/i)) {
+              findings.push({ ruleId: 'COMP-A11Y-001', category: 'compliance', severity: 'high',
+                title: 'Input element without associated label (WCAG 1.3.1)', description: 'Every input needs a <label for="id"> or aria-label for screen reader accessibility.', file: fp, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-002: Images without alt text
+  { id: 'COMP-A11Y-002', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Images Missing Alt Text',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        const imgs = (c.match(/<img[^>]*>/gi) || []);
+        let missing = 0;
+        for (const img of imgs) {
+          if (!img.match(/alt\s*=/i)) missing++;
+        }
+        if (missing > 0) {
+          findings.push({ ruleId: 'COMP-A11Y-002', category: 'compliance', severity: 'high',
+            title: `${missing} image(s) missing alt attribute (WCAG 1.1.1)`, description: 'Screen readers require alt text. Use alt="" for decorative images, descriptive text for informational images.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-003: Focus outline removed
+  { id: 'COMP-A11Y-003', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Focus Outline Removed (Keyboard Navigation Broken)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(css|scss|sass|less|jsx|tsx)$/)) continue;
+        if (c.match(/outline\s*:\s*0|outline\s*:\s*none/)) {
+          if (!c.match(/outline-offset|:focus-visible|focus-ring/)) {
+            findings.push({ ruleId: 'COMP-A11Y-003', category: 'compliance', severity: 'high',
+              title: 'outline: none removes keyboard focus indicator (WCAG 2.4.7)', description: 'Never remove focus outlines without providing an alternative. Use :focus-visible to show focus only for keyboard users.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-004: Interactive div without role
+  { id: 'COMP-A11Y-004', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Clickable div Without ARIA Role',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<div[^>]*onClick/i) && !lines[i].match(/role=["'](?:button|link|menuitem)/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-004', category: 'compliance', severity: 'medium',
+              title: 'Clickable <div> without role="button" (WCAG 4.1.2)', description: 'Use <button> instead of <div onClick>. If div is required, add role="button" tabIndex={0} and keyboard event handlers.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-005: Video without captions
+  { id: 'COMP-A11Y-005', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Video Without Captions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        if (c.includes('<video') && !c.includes('<track') && !c.match(/captions|subtitles/i)) {
+          findings.push({ ruleId: 'COMP-A11Y-005', category: 'compliance', severity: 'medium',
+            title: 'Video element without captions/subtitles (WCAG 1.2.2)', description: 'Add <track kind="captions"> for prerecorded video. Required for WCAG AA compliance.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-006: Missing lang attribute on html
+  { id: 'COMP-A11Y-006', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Missing lang Attribute on HTML Element',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html)$/) && !fp.match(/_document\.(jsx|tsx)$/)) continue;
+        if (c.includes('<html') && !c.match(/<html[^>]*lang=/i)) {
+          findings.push({ ruleId: 'COMP-A11Y-006', category: 'compliance', severity: 'medium',
+            title: 'HTML element missing lang attribute (WCAG 3.1.1)', description: 'Add lang="en" (or appropriate locale) to the <html> element for screen readers and search engines.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-007: Non-descriptive link text
+  { id: 'COMP-A11Y-007', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Non-Descriptive Link Text',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        const matches = c.match(/<a[^>]*>\s*(?:click here|read more|here|more|link|this)\s*<\/a>/gi) || [];
+        if (matches.length > 0) {
+          findings.push({ ruleId: 'COMP-A11Y-007', category: 'compliance', severity: 'medium',
+            title: `${matches.length} link(s) with non-descriptive text ("click here", "read more")`, description: 'Screen reader users navigate by links. Use descriptive text like "Read the privacy policy" instead of "click here".', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-EMAIL-001: No unsubscribe link in email templates
+  { id: 'COMP-EMAIL-001', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Email Template Missing Unsubscribe Link',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/email|mail|template/i)) continue;
+        if (c.match(/<html|text\/html|sendMail|transporter\.send/i)) {
+          if (!c.match(/unsubscribe|opt.?out|manage.*preferences/i)) {
+            findings.push({ ruleId: 'COMP-EMAIL-001', category: 'compliance', severity: 'high',
+              title: 'Email template missing unsubscribe link (CAN-SPAM / GDPR)', description: 'All marketing emails must include an unsubscribe link. CAN-SPAM violations can result in $50k+ fines per email.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-EMAIL-002: No DMARC/SPF/DKIM reference
+  { id: 'COMP-EMAIL-002', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Email Authentication (SPF/DKIM/DMARC)',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/dmarc|spf|dkim|email.*auth/i));
+      if (!has && [...files.values()].some(c => c.match(/sendMail|sendgrid|nodemailer|smtp/i))) {
+        return [{ ruleId: 'COMP-EMAIL-002', category: 'compliance', severity: 'high',
+          title: 'No SPF/DKIM/DMARC email authentication configured', description: 'Without email authentication, your emails will be marked as spam and you are vulnerable to spoofing. Configure SPF, DKIM, and DMARC DNS records.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-FIN-001: Payment card data stored
+  { id: 'COMP-FIN-001', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Payment Card Data Stored (PCI DSS Violation)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/cardNumber|card_number|creditCard|credit_card|cvv|cvc|expiry|expirationDate/i) &&
+            (c.match(/save|store|insert|create|log/i))) {
+          if (!c.match(/token|stripe|braintree|adyen/i)) {
+            findings.push({ ruleId: 'COMP-FIN-001', category: 'compliance', severity: 'critical',
+              title: 'Possible payment card data being stored (PCI DSS violation)', description: 'Never store raw card numbers, CVV, or expiry dates. Use Stripe/Braintree tokenization — they store card data, you store tokens.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-FIN-002: CVV stored after authorization
+  { id: 'COMP-FIN-002', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'CVV/CVC Stored After Authorization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\bcvv\b|\bcvc\b|\bcvc2\b|\bcvv2\b/i) && c.match(/save|store|insert|db\.|redis\./i)) {
+          findings.push({ ruleId: 'COMP-FIN-002', category: 'compliance', severity: 'critical',
+            title: 'CVV/CVC value being stored — prohibited by PCI DSS', description: 'Storing CVV after authorization is a PCI DSS violation regardless of encryption. Remove all CVV storage.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-COPPA-001: No age verification — only fires on apps explicitly targeting children
+  { id: 'COMP-COPPA-001', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Age Verification on Registration',
+    check({ files }) {
+      const findings = [];
+      // Only fire if the app explicitly targets children (COPPA-specific keywords in code, not just any mention)
+      const hasChildrenTargeting = [...files.entries()].some(([fp, c]) =>
+        (fp.endsWith('package.json') || fp.endsWith('.json')) && /coppa|kids.*app|children.*platform|parental.*consent/i.test(c)
+      );
+      if (!hasChildrenTargeting) return findings;
+      const hasUsers = [...files.values()].some(c => c.includes('signup') || c.includes('register'));
+      const hasAgeGate = [...files.values()].some(c => c.match(/age.*gate|age.*verif|under.*13.*check|13.*under.*check/i));
+      if (hasUsers && !hasAgeGate) {
+        findings.push({ ruleId: 'COMP-COPPA-001', category: 'compliance', severity: 'high',
+          title: 'No age verification on user registration (COPPA risk)', description: "COPPA requires parental consent for users under 13. Add age verification or a 'I am over 13' confirmation to your signup flow.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-001: No i18n framework
+  { id: 'COMP-INTL-001', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Internationalization Framework',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasI18n = ['next-i18next', 'react-i18next', 'i18next', 'vue-i18n', 'lingui', 'formatjs', '@lingui/core'].some(d => d in allDeps);
+      if (!hasI18n && [...files.keys()].some(f => f.match(/\.(jsx|tsx)$/))) {
+        findings.push({ ruleId: 'COMP-INTL-001', category: 'compliance', severity: 'low',
+          title: 'No i18n framework detected — app cannot be easily localized', description: 'Add react-i18next or similar early. Retrofitting i18n into hardcoded strings is extremely costly.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-002: Hardcoded currency symbol
+  { id: 'COMP-INTL-002', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded Currency Symbol',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html|js|ts)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/['"`]\$|['"`]€|['"`]£/) && lines[i].match(/price|amount|cost|total/i)) {
+            findings.push({ ruleId: 'COMP-INTL-002', category: 'compliance', severity: 'low',
+              title: 'Hardcoded currency symbol — not localization-friendly', description: 'Use Intl.NumberFormat with currency option for locale-aware currency formatting.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-001: No security policy
+  { id: 'COMP-SOC2-001', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Security Policy Documentation',
+    check({ files }) {
+      const has = [...files.keys()].some(f => f.match(/security\.md|SECURITY\.md|security-policy/i));
+      if (!has) {
+        return [{ ruleId: 'COMP-SOC2-001', category: 'compliance', severity: 'low',
+          title: 'No SECURITY.md — missing vulnerability disclosure policy', description: 'Add a SECURITY.md with a responsible disclosure policy and contact information for reporting vulnerabilities.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-SOC2-002: No penetration testing
+  { id: 'COMP-SOC2-002', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Penetration Testing Reference',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/pentest|penetration.test|security.audit|bug.bounty/i));
+      if (!has) {
+        return [{ ruleId: 'COMP-SOC2-002', category: 'compliance', severity: 'low',
+          title: 'No penetration testing or security audit documentation found', description: 'Schedule annual penetration tests. Document findings and remediations for SOC2/ISO27001 compliance.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-A11Y-008: No axe-core testing
+  { id: 'COMP-A11Y-008', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Automated Accessibility Testing',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasA11yTest = ['axe-core', '@axe-core/react', 'jest-axe', '@testing-library/jest-axe', 'cypress-axe', 'playwright-axe'].some(d => d in allDeps);
+      if (!hasA11yTest && [...files.keys()].some(f => f.match(/\.(jsx|tsx)$/))) {
+        findings.push({ ruleId: 'COMP-A11Y-008', category: 'compliance', severity: 'medium',
+          title: 'No automated accessibility testing (axe-core, jest-axe)',
+          description: 'Add jest-axe to catch accessibility violations in tests. Automated tools catch 30-40% of WCAG issues.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-009: Input with only placeholder (no label)
+  { id: 'COMP-A11Y-009', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Input Uses Only Placeholder as Label',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        const inputs = c.match(/<input[^>]*placeholder=[^>]*>/gi) || [];
+        for (const inp of inputs) {
+          if (!inp.match(/aria-label|aria-labelledby|id=/i)) {
+            const idx = c.indexOf(inp);
+            if (!c.substring(Math.max(0, idx - 200), idx).match(/<label/i)) {
+              findings.push({ ruleId: 'COMP-A11Y-009', category: 'compliance', severity: 'high',
+                title: 'Input relies on placeholder as the only label (WCAG 1.3.1)',
+                description: 'Placeholders disappear when typing and have low contrast. Use a visible <label> element instead.', file: fp, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-010: Modal without focus trap
+  { id: 'COMP-A11Y-010', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Modal Dialog Without Focus Trap',
+    check({ files, stack }) {
+      const findings = [];
+      if (!['react', 'nextjs', 'vue'].includes(stack.framework)) return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasFocusTrap = 'focus-trap-react' in allDeps || 'focus-trap' in allDeps || '@headlessui/react' in allDeps || 'radix-ui' in allDeps;
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx)$/) || !c.match(/modal|dialog|overlay|drawer/i)) continue;
+        if (!hasFocusTrap && !c.match(/focusTrap|useFocusTrap|focus-trap|aria-modal/)) {
+          findings.push({ ruleId: 'COMP-A11Y-010', category: 'compliance', severity: 'high',
+            title: 'Modal component without focus trap — keyboard users can navigate behind modal',
+            description: 'Use focus-trap-react or @headlessui/react Dialog to trap focus within open modals (WCAG 2.4.3).', file: fp, fix: null });
+          break;
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-011: No skip navigation link
+  { id: 'COMP-A11Y-011', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Skip Navigation Link',
+    check({ files, stack }) {
+      const findings = [];
+      if (!['react', 'nextjs', 'vue'].includes(stack.framework)) return findings;
+      const hasSkipLink = [...files.values()].some(c => c.match(/skip.*nav|skip.*content|skip.*main/i));
+      if (!hasSkipLink && [...files.keys()].some(f => f.match(/\.(jsx|tsx|html)$/))) {
+        findings.push({ ruleId: 'COMP-A11Y-011', category: 'compliance', severity: 'medium',
+          title: 'No "Skip to main content" link for keyboard navigation (WCAG 2.4.1)',
+          description: 'Add a visually-hidden skip link at the top of the page so keyboard users can bypass repeated navigation.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-006: No GDPR DPA reference
+  { id: 'COMP-GDPR-006', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Data Processing Agreement Reference',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/data.*processing.*agreement|DPA|processor.*agreement/i));
+      if (!has && [...files.values()].some(c => c.includes('signup') || c.includes('register'))) {
+        return [{ ruleId: 'COMP-GDPR-006', category: 'compliance', severity: 'low',
+          title: 'No Data Processing Agreement (DPA) documentation found',
+          description: 'If you process EU user data using third-party processors (AWS, Stripe, etc.), you need a DPA with each processor. Required under GDPR Article 28.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-GDPR-007: Personal data in URL
+  { id: 'COMP-GDPR-007', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Personal Data Exposed in URL',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/router\.\w+\s*\(\s*['"`][^'"]*:email|router\.\w+.*:name\b|router\.\w+.*:phone/)) {
+          findings.push({ ruleId: 'COMP-GDPR-007', category: 'compliance', severity: 'high',
+            title: 'Personal data (email/name/phone) as URL path parameter',
+            description: 'Personal data in URLs appears in browser history, server logs, and referrer headers. Use opaque IDs (UUIDs) in URLs instead.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-EMAIL-003: No double opt-in
+  { id: 'COMP-EMAIL-003', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Double Opt-In for Email Marketing',
+    check({ files }) {
+      const findings = [];
+      const hasEmailMarketing = [...files.values()].some(c =>
+        c.match(/subscribe|newsletter|mailing.?list|marketing.?email/i)
+      );
+      const hasDoubleOptIn = [...files.values()].some(c =>
+        c.match(/confirm.*email|verify.*email|double.*opt|confirmation.*link|email.*verify/i)
+      );
+      if (hasEmailMarketing && !hasDoubleOptIn) {
+        findings.push({ ruleId: 'COMP-EMAIL-003', category: 'compliance', severity: 'medium',
+          title: 'Email subscription without double opt-in confirmation',
+          description: 'GDPR best practice requires double opt-in for marketing emails. Send a confirmation email before adding users to marketing lists.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-FIN-003: Payment page not on HTTPS
+  { id: 'COMP-FIN-003', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Payment Form Served Over HTTP',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+        if (c.match(/credit.?card|card.*number|payment.*form|checkout/i)) {
+          const hasHTTPS = [...files.values()].some(content =>
+            content.match(/https:\/\/|HTTPS_ONLY|force.*https|http.*redirect.*https/i)
+          );
+          if (!hasHTTPS) {
+            findings.push({ ruleId: 'COMP-FIN-003', category: 'compliance', severity: 'critical',
+              title: 'Payment/checkout form without explicit HTTPS enforcement',
+              description: 'All payment pages must use HTTPS. Configure HSTS and redirect HTTP to HTTPS at the server/CDN level.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-003: No incident response plan
+  { id: 'COMP-SOC2-003', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Incident Response Plan',
+    check({ files }) {
+      const has = [...files.keys()].some(f => f.match(/incident|runbook|playbook/i)) ||
+        [...files.values()].some(c => c.match(/incident.*response|on.?call|pagerduty|opsgenie/i));
+      if (!has) {
+        return [{ ruleId: 'COMP-SOC2-003', category: 'compliance', severity: 'low',
+          title: 'No incident response plan or runbook detected',
+          description: 'Document your incident response process: how to detect, escalate, communicate, and remediate incidents. Required for SOC2 Type II.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COMP-INTL-003: Hardcoded English error messages
+  { id: 'COMP-INTL-003', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded English Error Messages',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx)$/)) continue;
+        const hardcoded = (c.match(/>(?:[A-Z][^<>{}\n]{5,30})<\//g) || [])
+          .filter(m => !m.match(/^\s*{/) && m.match(/\s/) && !m.match(/^\d/)).length;
+        if (hardcoded > 10) {
+          findings.push({ ruleId: 'COMP-INTL-003', category: 'compliance', severity: 'low',
+            title: `${hardcoded} potentially hardcoded English strings in UI component`,
+            description: 'Extract user-visible strings to i18n translation keys. Hardcoded strings cannot be localized.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-004: No locale-aware number formatting
+  { id: 'COMP-INTL-004', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Locale-Aware Number Formatting',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\.toFixed\s*\(\s*2\s*\)/) && c.match(/price|amount|cost|total/i)) {
+          if (!c.match(/Intl\.NumberFormat|toLocaleString/)) {
+            findings.push({ ruleId: 'COMP-INTL-004', category: 'compliance', severity: 'low',
+              title: 'Using .toFixed(2) for currency display instead of Intl.NumberFormat',
+              description: 'Use new Intl.NumberFormat(locale, { style: "currency", currency: "USD" }).format(amount) for locale-aware currency display.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-CCPA-001: No "Do Not Sell" link
+  { id: 'COMP-CCPA-001', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No "Do Not Sell My Personal Information" Link',
+    check({ files }) {
+      const findings = [];
+      const servesCalifornia = true; // assume any web app may serve California users
+      const hasDoNotSell = [...files.values()].some(c => c.match(/do not sell|doNotSell|opt.out.*sale|data.*sale/i));
+      const hasUsers = [...files.values()].some(c => c.includes('signup') || c.includes('register'));
+      if (hasUsers && !hasDoNotSell) {
+        findings.push({ ruleId: 'COMP-CCPA-001', category: 'compliance', severity: 'high',
+          title: 'No "Do Not Sell My Personal Information" link (CCPA requirement)',
+          description: 'California businesses that sell personal data must provide a "Do Not Sell" link. Add it to your privacy policy and footer.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-COPPA-002: Age verification — only for children-targeting apps
+  { id: 'COMP-COPPA-002', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Minimum Age Validation',
+    check({ files }) {
+      const findings = [];
+      const hasChildrenTargeting = [...files.entries()].some(([fp, c]) =>
+        (fp.endsWith('package.json') || fp.endsWith('.json')) && /coppa|kids.*app|children.*platform/i.test(c)
+      );
+      if (!hasChildrenTargeting) return findings;
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/birthdate|dateOfBirth|dob|age/i) && c.match(/register|signup|create.*user/i)) {
+          if (!c.match(/age.*>=?\s*13|13.*years|minimumAge|minAge/)) {
+            findings.push({ ruleId: 'COMP-COPPA-002', category: 'compliance', severity: 'high',
+              title: 'Age field collected but no minimum age validation (COPPA requires 13+)',
+              description: 'Validate that users are at least 13. For users under 13, COPPA requires verifiable parental consent before collecting any personal information.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-008: No cookie consent management
+  { id: 'COMP-GDPR-008', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Cookie Consent Management',
+    check({ files }) {
+      const findings = [];
+      const allDeps = { ...Object.fromEntries([...files.keys()].filter(f => f.endsWith('package.json')).flatMap(f => { try { return Object.entries(JSON.parse([...files.values()][0])); } catch { return []; } })) };
+      const hasCookieConsent = [...files.values()].some(c => c.match(/cookieconsent|cookie.*consent|CookieBanner|gdpr.*cookie|OneTrust|Cookiebot|Consent.*Manager/i));
+      const hasCookies = [...files.values()].some(c => c.match(/res\.cookie\(|document\.cookie|cookie-parser|cookieSession/i));
+      if (hasCookies && !hasCookieConsent) {
+        findings.push({ ruleId: 'COMP-GDPR-008', category: 'compliance', severity: 'high', title: 'Cookies set without cookie consent management — GDPR ePrivacy Directive violation', description: 'Add a cookie consent banner. Non-essential cookies (analytics, advertising) require explicit consent under GDPR/ePrivacy. Use OneTrust, Cookiebot, or react-cookieconsent.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-009: No privacy policy link
+  { id: 'COMP-GDPR-009', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Privacy Policy Link',
+    check({ files }) {
+      const findings = [];
+      const hasPrivacyLink = [...files.values()].some(c => c.match(/privacy.*policy|privacy-policy|\/privacy/i));
+      const hasHTML = [...files.keys()].some(f => f.match(/\.(html|jsx|tsx|vue)$/));
+      if (hasHTML && !hasPrivacyLink) {
+        findings.push({ ruleId: 'COMP-GDPR-009', category: 'compliance', severity: 'high', title: 'No privacy policy link found — required under GDPR, CCPA, and most privacy laws', description: "Add a link to your privacy policy. GDPR Article 13 requires informing users about data collection. Include in footer, registration, and checkout.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-010: No terms of service
+  { id: 'COMP-GDPR-010', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Terms of Service',
+    check({ files }) {
+      const findings = [];
+      const hasTOS = [...files.values()].some(c => c.match(/terms.*of.*service|terms-of-service|\/tos|terms.*conditions|\/terms/i));
+      const hasHTML = [...files.keys()].some(f => f.match(/\.(html|jsx|tsx|vue)$/));
+      if (hasHTML && !hasTOS) {
+        findings.push({ ruleId: 'COMP-GDPR-010', category: 'compliance', severity: 'medium', title: 'No Terms of Service page linked', description: 'Add Terms of Service. Required for enforceability of your service terms and protection against abuse. Link from registration and footer.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-012: Color contrast — inline styles with low contrast colors
+  { id: 'COMP-A11Y-012', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Potential Low Color Contrast (WCAG 2.1)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(css|scss|sass|less|styl)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/color:\s*#[a-fA-F0-9]{3,6}/) && lines[i].match(/#(?:ccc|ddd|eee|f0f0f0|e0e0e0|bbb|aaa|999)/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-012', category: 'compliance', severity: 'medium', title: 'Potentially low contrast color detected — WCAG 2.1 AA requires 4.5:1 ratio', description: 'Use a contrast checker (WebAIM, axe). Text must have 4.5:1 contrast ratio (AA) or 7:1 (AAA). Failing contrast affects low-vision users.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-013: Interactive elements too small (touch target)
+  { id: 'COMP-A11Y-013', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Touch Target Too Small (WCAG 2.5.5)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(css|scss|sass|less)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:button|\.btn|a\s*\{)[^}]*/i)) {
+            const block = lines.slice(i, i + 10).join('\n');
+            if (block.match(/height:\s*(\d+)px/) && parseInt((block.match(/height:\s*(\d+)px/) || ['', '0'])[1]) < 44) {
+              findings.push({ ruleId: 'COMP-A11Y-013', category: 'compliance', severity: 'medium', title: 'Button/link height below 44px — WCAG 2.5.5 minimum touch target size', description: 'Make interactive elements at least 44x44px. Small touch targets cause mis-taps on mobile devices, especially for users with motor disabilities.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-014: No ARIA live regions for dynamic content
+  { id: 'COMP-A11Y-014', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Dynamic Content Without ARIA Live Region',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/toast|notification|alert|snackbar|spinner|loading/i) && !c.match(/aria-live|role="alert"|role="status"|aria-atomic/i)) {
+          findings.push({ ruleId: 'COMP-A11Y-014', category: 'compliance', severity: 'medium', title: 'Dynamic content (notifications/alerts) without aria-live region', description: 'Add aria-live="polite" or role="alert" to notification containers. Screen readers cannot detect content changes without ARIA live regions.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-015: Form without autocomplete attributes
+  { id: 'COMP-A11Y-015', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Form Inputs Without autocomplete Attribute',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<input[^>]+type=["'](email|tel|name|address)['"]/i) && !lines[i].match(/autocomplete=/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-015', category: 'compliance', severity: 'low', title: 'Input missing autocomplete attribute — harder to use for assistive technology', description: 'Add autocomplete="email", autocomplete="name", etc. Autocomplete helps users with memory and motor disabilities fill forms faster.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-PCI-001: Credit card number in logs
+  { id: 'COMP-PCI-001', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Credit Card Number Potentially Logged',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.|logger\./i) && lines[i].match(/card|cardNumber|card_number|creditCard|pan\b/i)) {
+            findings.push({ ruleId: 'COMP-PCI-001', category: 'compliance', severity: 'critical', title: 'Payment card data potentially logged — PCI DSS Requirement 3 violation', description: 'PCI DSS forbids logging PANs. Remove card data from logs immediately. Violations trigger mandatory breach notification and fines.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-PCI-002: Direct Stripe/Braintree keys in client-side code
+  { id: 'COMP-PCI-002', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Payment Provider Secret Key in Client-Side Code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|jsx|ts|tsx)$/) || fp.includes('test') || fp.includes('spec')) continue;
+        if (fp.match(/public|client|frontend|browser/i) || c.match(/window\.|document\.|React/)) {
+          if (c.match(/sk_live_|rk_live_|STRIPE_SECRET|braintree.*privateKey/i)) {
+            findings.push({ ruleId: 'COMP-PCI-002', category: 'compliance', severity: 'critical', title: 'Payment secret key exposed in client-side code — PCI DSS violation', description: 'Never include sk_live_ or other secret keys in client-side code. Secret keys must only be used server-side. Rotate immediately if exposed.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-PCI-003: No TLS on payment endpoints
+  { id: 'COMP-PCI-003', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Payment Endpoint Without TLS Enforcement',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\/payment|\/checkout|\/charge|\/purchase|stripe\.|braintree\./i)) {
+          if (!c.match(/https|HTTPS|ssl|SSL|tls|TLS|secure.*true/i)) {
+            findings.push({ ruleId: 'COMP-PCI-003', category: 'compliance', severity: 'critical', title: 'Payment processing code without explicit TLS enforcement', description: 'PCI DSS requires TLS 1.2+ for all payment data transmission. Verify all payment endpoints use HTTPS and enforce it in code.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-004: No access review process
+  { id: 'COMP-SOC2-004', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Access Review or Offboarding Process',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const allCode = [...files.values()].join('\n');
+      const hasAccessReview = allCode.match(/offboard|access.*review|user.*deactivat|disable.*account|revoke.*access/i) || allPaths.match(/offboard|access-review/i);
+      if (!hasAccessReview) {
+        findings.push({ ruleId: 'COMP-SOC2-004', category: 'compliance', severity: 'medium', title: 'No access review or offboarding process detected — SOC 2 CC6.3 requirement', description: 'Implement user deactivation on employee offboarding. SOC 2 requires periodic access reviews and prompt revocation when employees leave.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-005: No multi-factor authentication for admin
+  { id: 'COMP-SOC2-005', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No MFA for Admin/Privileged Access',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasAdminRoute = allCode.match(/\/admin|role.*admin|isAdmin|superuser/i);
+      const hasMFA = allCode.match(/totp|speakeasy|mfa|two.*factor|2fa|authenticator/i);
+      if (hasAdminRoute && !hasMFA) {
+        findings.push({ ruleId: 'COMP-SOC2-005', category: 'compliance', severity: 'high', title: 'Admin routes without MFA — SOC 2 CC6.1 and PCI DSS requirement', description: 'Require MFA (TOTP/hardware key) for admin accounts. SOC 2, PCI DSS, and most cyber insurance policies mandate MFA for privileged access.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-001: Health data without encryption
+  { id: 'COMP-HIPAA-001', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Health Information Without Encryption (HIPAA)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hasPHI = c.match(/diagnosis|medication|prescription|healthRecord|medicalHistory|patientData|ehr|phi\b/i);
+        const hasEncryption = c.match(/encrypt|AES|cipher|kms|vault/i);
+        if (hasPHI && !hasEncryption) {
+          findings.push({ ruleId: 'COMP-HIPAA-001', category: 'compliance', severity: 'critical', title: 'Protected Health Information (PHI) without encryption at rest — HIPAA violation', description: 'Encrypt PHI at rest and in transit. HIPAA requires technical safeguards for PHI. Violations carry fines up to $1.9M per violation category.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-002: PHI logged without redaction
+  { id: 'COMP-HIPAA-002', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Protected Health Information in Logs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.|logger\./i) && lines[i].match(/diagnosis|medication|prescription|patientId|healthRecord/i)) {
+            findings.push({ ruleId: 'COMP-HIPAA-002', category: 'compliance', severity: 'critical', title: 'PHI potentially in application logs — HIPAA violation', description: 'Redact health information from logs. HIPAA Security Rule prohibits storing PHI in log files without proper controls. Use patient IDs instead.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-005: Hardcoded locale-specific phone format
+  { id: 'COMP-INTL-005', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded US Phone Format',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/phone.*regex|\\d\{3\}.*\\d\{4\}|[0-9]{3}.*[0-9]{4}/)) {
+            findings.push({ ruleId: 'COMP-INTL-005', category: 'compliance', severity: 'low', title: 'US-format phone number regex — rejects international numbers', description: 'Use libphonenumber-js for phone validation. Hardcoded US format (###-###-####) rejects valid international numbers.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-006: No RTL support
+  { id: 'COMP-INTL-006', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No RTL (Right-to-Left) Language Support',
+    check({ files }) {
+      const findings = [];
+      const hasI18n = [...files.values()].some(c => c.match(/i18n|react-intl|i18next|vue-i18n|linguiJS/i));
+      const hasRTL = [...files.values()].some(c => c.match(/dir=["']rtl|direction.*rtl|rtl-css|stylelint.*rtl/i));
+      if (hasI18n && !hasRTL) {
+        findings.push({ ruleId: 'COMP-INTL-006', category: 'compliance', severity: 'low', title: 'i18n configured but no RTL support — Arabic/Hebrew/Farsi users get broken layout', description: 'Add dir={dir} to root element and test with RTL languages. CSS logical properties (margin-inline-start) handle RTL automatically.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-007: Date format without locale
+  { id: 'COMP-INTL-007', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Date Formatted Without Locale Awareness',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.toLocaleDateString\(\)|\.toLocaleString\(\)/) && !lines[i].match(/locale|language|Intl\./)) {
+            findings.push({ ruleId: 'COMP-INTL-007', category: 'compliance', severity: 'low', title: 'toLocaleDateString() called without locale parameter — uses browser locale, inconsistent', description: "Pass explicit locale: date.toLocaleDateString('en-US', {...}). Without locale, output varies by user's browser settings.", file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-008: No pluralization support
+  { id: 'COMP-INTL-008', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded Plural Forms Without i18n',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/count === 1 \? ['"].*['"]\s*:\s*['"]/i) || lines[i].match(/n === 1 \? ['"].*['"]\s*:\s*['"]/i)) {
+            findings.push({ ruleId: 'COMP-INTL-008', category: 'compliance', severity: 'low', title: 'Hardcoded English singular/plural — Arabic/Russian have 6 plural forms', description: "Use Intl.PluralRules or i18n library for pluralization. English has 2 plural forms; many languages have 3-6. Hardcoded English plurals break internationally.", file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-011: No data breach notification procedure
+  { id: 'COMP-GDPR-011', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Data Breach Notification Procedure',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const allCode = [...files.values()].join('\n');
+      const hasBreachPlan = allCode.match(/breach.*notification|incident.*response|data.*breach|notify.*72.*hours|72h/i) || allPaths.match(/breach|incident/i);
+      if (!hasBreachPlan) {
+        findings.push({ ruleId: 'COMP-GDPR-011', category: 'compliance', severity: 'medium', title: 'No data breach notification procedure detected — GDPR requires 72-hour notification', description: 'Document your breach notification process. GDPR Article 33 requires notifying the supervisory authority within 72 hours of discovering a breach.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-CCPA-002: No opt-out mechanism for data sale
+  { id: 'COMP-CCPA-002', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Data Sale Opt-Out Mechanism',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasAnalytics = allCode.match(/google.*analytics|mixpanel|segment|amplitude|facebook.*pixel|gtag/i);
+      const hasOptOut = allCode.match(/opt.*out|doNotSell|do-not-sell|optOut.*sale/i);
+      if (hasAnalytics && !hasOptOut) {
+        findings.push({ ruleId: 'COMP-CCPA-002', category: 'compliance', severity: 'high', title: 'Analytics/tracking without CCPA opt-out mechanism', description: 'California residents have the right to opt-out of data selling. Add opt-out mechanism and honor Global Privacy Control (GPC) header.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-012: localStorage contains personal data
+  { id: 'COMP-GDPR-012', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Personal Data Stored in localStorage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/localStorage\.setItem\(/) && lines[i].match(/email|name|phone|address|ssn|dob|passport/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-012', category: 'compliance', severity: 'high', title: 'Personal data stored in localStorage — accessible by any JS on the page', description: 'Avoid storing PII in localStorage. It persists indefinitely and is accessible to XSS. Store user IDs only; fetch profile data from API.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-013: Third-party tracking before consent
+  { id: 'COMP-GDPR-013', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Third-Party Tracking Loaded Unconditionally',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|js)$/)) continue;
+        const hasTracking = c.match(/facebook.*pixel|fbq\(|\_fbq|google.*analytics|gtag\(|ga\(|mixpanel\.init|amplitude\.init/i);
+        const hasConsentCheck = c.match(/consent|hasConsented|cookieConsent|gdprConsent/i);
+        if (hasTracking && !hasConsentCheck) {
+          findings.push({ ruleId: 'COMP-GDPR-013', category: 'compliance', severity: 'high', title: 'Third-party tracking pixel/analytics loaded without consent check', description: 'Only load tracking after consent: if (hasConsented()) { loadAnalytics(); }. Loading before consent violates GDPR and ePrivacy.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-016: No error summary for form validation
+  { id: 'COMP-A11Y-016', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Error Summary for Form Validation (WCAG 3.3.1)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/onSubmit|handleSubmit/i) && c.match(/error|invalid|validation/i)) {
+          if (!c.match(/aria-describedby|aria-invalid|role=["']alert|error.*summary/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-016', category: 'compliance', severity: 'medium', title: 'Form without accessible error announcements — WCAG 3.3.1', description: 'Use aria-invalid="true" and aria-describedby to link fields to error messages. Screen readers need programmatic error associations.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-017: PDF/documents without accessible text
+  { id: 'COMP-A11Y-017', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'PDF Generation Without Accessibility Tags',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasPDF = ['puppeteer', 'playwright', 'pdfkit', 'jspdf', 'html2pdf.js', '@react-pdf/renderer'].some(d => d in allDeps);
+      const hasA11y = [...files.values()].some(c => c.match(/tagged.*pdf|PDF\/UA|accessibility.*pdf|pdf.*alt/i));
+      if (hasPDF && !hasA11y) {
+        findings.push({ ruleId: 'COMP-A11Y-017', category: 'compliance', severity: 'medium', title: 'PDF generated without accessibility tags (PDF/UA)', description: 'Generate PDFs with tagged structure (headings, alt text, reading order). Required for ADA/Section 508 compliance for public-facing documents.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-018: No keyboard navigation for dropdown menus
+  { id: 'COMP-A11Y-018', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Dropdown Menu Without Keyboard Navigation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/dropdown|menu.*open|toggle.*menu/i) && !c.match(/onKeyDown|onKeyPress|keyCode|ArrowDown|ArrowUp|Escape/i)) {
+          findings.push({ ruleId: 'COMP-A11Y-018', category: 'compliance', severity: 'medium', title: 'Dropdown menu without keyboard navigation — WCAG 2.1.1', description: 'Handle arrow keys, Enter, Escape for menus. WCAG 2.1.1 requires all functionality operable via keyboard. Use WAI-ARIA menu role.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-006: No change management process
+  { id: 'COMP-SOC2-006', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Change Management Documentation',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const hasChangeManagement = allPaths.match(/CHANGELOG|change.*log|CHANGES|CONTRIBUTING|change.*control/i) || [...files.values()].some(c => c.match(/change.*management|change.*control|change.*review/i));
+      if (!hasChangeManagement) {
+        findings.push({ ruleId: 'COMP-SOC2-006', category: 'compliance', severity: 'medium', title: 'No CHANGELOG or change management documentation — SOC 2 CC8.1 requirement', description: 'Maintain a CHANGELOG.md and document change management process. SOC 2 requires tracking changes to production systems.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-007: No vendor security assessment
+  { id: 'COMP-SOC2-007', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Vendor Security Assessment',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const criticalVendors = ['stripe', 'twilio', 'sendgrid', 'aws-sdk', '@aws-sdk/client-s3', 'firebase'];
+      const hasVendor = criticalVendors.some(v => v in allDeps);
+      const hasAssessment = [...files.values()].some(c => c.match(/vendor.*assessment|third.*party.*review|supplier.*security/i));
+      if (hasVendor && !hasAssessment) {
+        findings.push({ ruleId: 'COMP-SOC2-007', category: 'compliance', severity: 'low', title: 'Critical vendor integrations without documented security assessment', description: 'Document security assessments for vendors handling your data (Stripe, Twilio, AWS). SOC 2 Availability CC9.1 requires vendor risk management.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-PCI-004: Weak TLS cipher suites for payment
+  { id: 'COMP-PCI-004', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Weak TLS Ciphers for Payment Processing',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/stripe|braintree|payment|checkout/i) && c.match(/ciphers:/i)) {
+          if (c.match(/RC4|DES|3DES|MD5|NULL|EXPORT|anon/i)) {
+            findings.push({ ruleId: 'COMP-PCI-004', category: 'compliance', severity: 'high', title: 'Weak TLS cipher suite configured for payment endpoint — PCI DSS violation', description: 'PCI DSS 4.0 requires TLS 1.2+ with strong ciphers. Disable RC4, DES, 3DES, EXPORT ciphers. Use modern ECDHE ciphersuites.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-003: Audit log missing for PHI access
+  { id: 'COMP-HIPAA-003', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Audit Log for PHI Access',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasPHI = allCode.match(/diagnosis|medication|prescription|healthRecord|patientData/i);
+      const hasAuditLog = allCode.match(/auditLog|audit_log|audit\.log|accessLog|hipaa.*log/i);
+      if (hasPHI && !hasAuditLog) {
+        findings.push({ ruleId: 'COMP-HIPAA-003', category: 'compliance', severity: 'high', title: 'PHI accessed without audit logging — HIPAA Security Rule 164.312(b)', description: 'Log all PHI access: who accessed, when, what data, from where. HIPAA requires audit controls for all ePHI access. Retain logs for 6 years.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-004: PHI not de-identified before analytics
+  { id: 'COMP-HIPAA-004', category: 'compliance', severity: 'high', confidence: 'likely', title: 'PHI Sent to Analytics Without De-identification',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/diagnosis|medication|prescription|healthRecord/i) && c.match(/analytics|mixpanel|segment|amplitude|gtag/i)) {
+          if (!c.match(/deidentify|anonymize|hash\(|redact/i)) {
+            findings.push({ ruleId: 'COMP-HIPAA-004', category: 'compliance', severity: 'high', title: 'PHI data potentially sent to third-party analytics without de-identification', description: 'De-identify or anonymize health data before sending to analytics platforms. Business associates must have a BAA with your organization.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-009: Currency displayed without formatting
+  { id: 'COMP-INTL-009', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Currency Displayed Without Locale Formatting',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\$\{.*price|amount|total.*\}|\${.*cost.*}/i) && !lines[i].match(/Intl\.|toLocaleString|currency.*format/i)) {
+            findings.push({ ruleId: 'COMP-INTL-009', category: 'compliance', severity: 'low', title: 'Currency interpolated directly — no locale-aware formatting', description: 'Use Intl.NumberFormat: new Intl.NumberFormat(locale, {style:"currency",currency:"USD"}).format(amount). Different locales use different decimal/thousand separators.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-010: Missing timezone handling for global users
+  { id: 'COMP-INTL-010', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Timezone Handling for User Dates',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/schedule|appointment|booking|event.*date|meeting/i) && !c.match(/timezone|timeZone|moment.*tz|date-fns-tz|luxon|dayjs.*timezone/i)) {
+          findings.push({ ruleId: 'COMP-INTL-010', category: 'compliance', severity: 'low', title: 'Date/time scheduling without timezone handling — confusing for global users', description: 'Store dates in UTC, display in user timezone. Use date-fns-tz or Luxon. Ignoring timezones causes scheduling errors for international users.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-CCPA-003: No data subject request process
+  { id: 'COMP-CCPA-003', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Data Subject Request (DSR) Process',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasDSR = allCode.match(/data.*request|subject.*request|dsr\b|data.*access.*request|right.*access|export.*data/i);
+      const hasUserData = allCode.match(/user\.email|user\.name|personal.*data|userData/i);
+      if (hasUserData && !hasDSR) {
+        findings.push({ ruleId: 'COMP-CCPA-003', category: 'compliance', severity: 'medium', title: 'No data subject request process detected — CCPA and GDPR requirement', description: 'Implement data access/deletion request handling. CCPA and GDPR give users the right to know what data you hold and request deletion.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-CHILDREN-001: Behavioral advertising targeting children
+  { id: 'COMP-CHILDREN-001', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Behavioral Advertising on Platform Serving Minors',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasKids = allCode.match(/children|kids|minors|under.*13|age.*13|family.*friendly/i);
+      const hasBehavioral = allCode.match(/behavioral.*ad|targeted.*ad|retargeting|adtech|facebook.*pixel|google.*ads.*remarketing/i);
+      if (hasKids && hasBehavioral) {
+        findings.push({ ruleId: 'COMP-CHILDREN-001', category: 'compliance', severity: 'critical', title: 'Behavioral advertising on platform serving children — COPPA/GDPR-K violation', description: 'COPPA prohibits behavioral advertising to children under 13. The FTC actively enforces this. Remove behavioral advertising or implement age verification.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-014: No right to erasure implementation
+  { id: 'COMP-GDPR-014', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Right to Erasure (GDPR Article 17)',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasDelete = allCode.match(/deleteUser|delete.*account|removeUser|eraseUser|right.*erasure/i);
+      const hasUserData = allCode.match(/user\.email|user\.name|userData|personal.*data/i);
+      if (hasUserData && !hasDelete) {
+        findings.push({ ruleId: 'COMP-GDPR-014', category: 'compliance', severity: 'high', title: 'No user account deletion/erasure endpoint — GDPR Article 17 violation', description: 'Implement DELETE /users/:id that removes all personal data. GDPR gives users the right to erasure. Include anonymization of audit logs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-015: No data portability export
+  { id: 'COMP-GDPR-015', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Data Portability Export (GDPR Article 20)',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasExport = allCode.match(/exportData|dataExport|download.*data|portability|gdpr.*export/i);
+      const hasUserData = allCode.match(/user\.email|user\.name|userData/i);
+      if (hasUserData && !hasExport) {
+        findings.push({ ruleId: 'COMP-GDPR-015', category: 'compliance', severity: 'medium', title: 'No data export/portability feature — GDPR Article 20 requirement', description: 'Add data export endpoint returning user data in machine-readable format (JSON/CSV). GDPR users have the right to receive their data for transfer.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-019: No skip to main content link
+  { id: 'COMP-A11Y-019', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Skip Navigation Link (WCAG 2.4.1)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        if (!fp.match(/component|partial|layout/i)) continue;
+        const hasNav = c.match(/<nav|<header|navigation/i);
+        const hasSkip = c.match(/skip.*(?:to|nav|main|content)|jump.*main|#main-content|#content/i);
+        if (hasNav && !hasSkip) {
+          findings.push({ ruleId: 'COMP-A11Y-019', category: 'compliance', severity: 'medium', title: 'Navigation without skip-to-main link — keyboard users must tab through all nav items', description: 'Add <a href="#main-content" class="sr-only focus:not-sr-only">Skip to main content</a>. WCAG 2.4.1 requires bypass blocks for keyboard users.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-020: Table without headers
+  { id: 'COMP-A11Y-020', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'HTML Table Without Header Elements (WCAG 1.3.1)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<table/i)) {
+            const tableContent = lines.slice(i, i + 20).join('\n');
+            if (!tableContent.match(/<th|scope=|role=["']columnheader/i)) {
+              findings.push({ ruleId: 'COMP-A11Y-020', category: 'compliance', severity: 'medium', title: 'HTML table without <th> header elements — screen readers cannot understand data structure', description: 'Add <th scope="col"> or <th scope="row"> headers. Without headers, screen readers read data as a meaningless list.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-A11Y-021: Icon button without accessible name
+  { id: 'COMP-A11Y-021', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Icon-Only Button Without Accessible Name',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<button[^>]*>[\s]*<(?:svg|i\s|span\s)/i) && !lines[i].match(/aria-label|aria-labelledby|title=/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-021', category: 'compliance', severity: 'high', title: 'Icon-only button without aria-label — screen readers announce "button" with no context', description: 'Add aria-label="Close dialog" to icon buttons. Without a text label, screen reader users cannot determine the button\'s purpose.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-016: Consent mechanism does not reject non-essential
+  { id: 'COMP-GDPR-016', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Cookie Consent Without Reject Option',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/cookieconsent|cookie.*banner|CookieBanner/i)) {
+          if (!c.match(/reject|decline|deny|refuse/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-016', category: 'compliance', severity: 'high', title: 'Cookie consent banner without reject/decline option', description: 'Add "Reject All" button. GDPR requires that consent be as easy to withdraw as to give. Banners with only "Accept" violate this requirement.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-PCI-005: Card number pattern in source code
+  { id: 'COMP-PCI-005', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Payment Card Number Regex in Source',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:\d{4}[\s-]?){4}|4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}/)) {
+            if (!lines[i].match(/\/\/|test|spec|mock|example|xxxx|XXXX/i)) {
+              findings.push({ ruleId: 'COMP-PCI-005', category: 'compliance', severity: 'critical', title: 'Payment card number pattern found in source code', description: 'Never store or process raw card numbers. Use Stripe.js/Braintree.js to tokenize cards client-side so your server never sees the raw PAN.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-SOC2-008: No system description document
+  { id: 'COMP-SOC2-008', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No System Description for SOC 2',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const hasSystemDesc = allPaths.match(/system.*description|trust.*criteria|soc2|soc-2|compliance.*doc/i) || [...files.values()].some(c => c.match(/trust.*service.*criteria|SOC.*Type/i));
+      if (!hasSystemDesc) {
+        findings.push({ ruleId: 'COMP-SOC2-008', category: 'compliance', severity: 'low', title: 'No SOC 2 system description documentation', description: 'Create system description covering: services, infrastructure, software, personnel, and risk management. Required for SOC 2 Type II audit.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-011: No locale in Accept-Language header handling
+  { id: 'COMP-INTL-011', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'API Does Not Respect Accept-Language Header',
+    check({ files }) {
+      const findings = [];
+      const hasI18n = [...files.values()].some(c => c.match(/i18n|localization|translation/i));
+      const hasLangHeader = [...files.values()].some(c => c.match(/Accept-Language|accept-language|req\.headers.*language/i));
+      if (hasI18n && !hasLangHeader) {
+        findings.push({ ruleId: 'COMP-INTL-011', category: 'compliance', severity: 'low', title: 'i18n configured but API does not read Accept-Language header', description: 'Read Accept-Language header: const lang = req.headers["accept-language"]?.split(",")[0]. Use it to return localized error messages and content.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-INTL-012: Number formatted without locale
+  { id: 'COMP-INTL-012', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Numbers Formatted Without Locale Awareness',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.toFixed\(\d\)/) && lines[i].match(/price|amount|cost|total|balance/i)) {
+            findings.push({ ruleId: 'COMP-INTL-012', category: 'compliance', severity: 'low', title: 'Number formatted with toFixed() — use Intl.NumberFormat for locale-aware formatting', description: 'Replace toFixed() with Intl.NumberFormat. In German, 1,234.56 is written 1.234,56 — toFixed always uses English decimal format.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-GDPR-017: User password change without notification
+  { id: 'COMP-GDPR-017', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Password Change Without Security Notification',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/password.*update|updatePassword|changePassword/i)) {
+          if (!c.match(/sendEmail|notify|notification|email.*password.*changed/i)) {
+            findings.push({ ruleId: 'COMP-GDPR-017', category: 'compliance', severity: 'medium', title: 'Password change without notifying user via email', description: 'Send an email when password changes: "Your password was changed. If this wasn\'t you, contact us." This is a security best practice and satisfies GDPR Article 34 breach notification requirement.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-A11Y-022: No aria-expanded on toggle buttons
+  { id: 'COMP-A11Y-022', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Toggle Button Without aria-expanded',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/toggle|accordion|collapse|expand/i) && c.match(/<button|onClick/i)) {
+          if (!c.match(/aria-expanded|aria-controls/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-022', category: 'compliance', severity: 'medium', title: 'Toggle/accordion button without aria-expanded state', description: 'Add aria-expanded={isOpen}. Screen readers announce "button collapsed/expanded" to indicate state. Without it, users cannot determine if the panel is open.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-A11Y-023: Use of tabindex > 0
+  { id: 'COMP-A11Y-023', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Positive tabindex Disrupts Focus Order',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/tabIndex=["'][1-9]\d*["']|tabindex=["'][1-9]\d*["']/)) {
+            findings.push({ ruleId: 'COMP-A11Y-023', category: 'compliance', severity: 'medium', title: 'Positive tabindex value — disrupts natural focus order (WCAG 2.4.3)', description: 'Use tabIndex={0} or tabIndex={-1}. Positive tabindex values override the natural DOM order, creating confusing keyboard navigation.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-SOC2-009: No background check process
+  { id: 'COMP-SOC2-009', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No Personnel Security Process Documentation',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const hasPersonnel = allPaths.match(/background.*check|personnel.*security|hr.*policy|employee.*security/i);
+      if (!hasPersonnel) {
+        findings.push({ ruleId: 'COMP-SOC2-009', category: 'compliance', severity: 'low', title: 'No personnel security policy documentation — SOC 2 CC1.4 requirement', description: 'Document background check and security onboarding procedures. SOC 2 requires evidence of personnel security controls for employees with system access.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-HIPAA-005: PHI transmitted over HTTP
+  { id: 'COMP-HIPAA-005', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'Health Data Transmitted Over HTTP',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/health|medical|patient|phi\b/i) && c.match(/http:\/\/(?!localhost)/i)) {
+          findings.push({ ruleId: 'COMP-HIPAA-005', category: 'compliance', severity: 'critical', title: 'Health data endpoint using HTTP — HIPAA requires TLS for PHI transmission', description: 'Use HTTPS for all endpoints handling health data. HIPAA Security Rule §164.312(e)(1) mandates encryption for ePHI in transit.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-PCI-006: No intrusion detection system
+  { id: 'COMP-PCI-006', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Intrusion Detection System (PCI DSS 10.7)',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasPayment = allCode.match(/stripe|braintree|payment|checkout|PCI/i);
+      const hasIDS = allCode.match(/guardduty|ids\b|intrusion.*detection|snort|suricata|ossec|wazuh/i);
+      if (hasPayment && !hasIDS) {
+        findings.push({ ruleId: 'COMP-PCI-006', category: 'compliance', severity: 'medium', title: 'Payment processing without intrusion detection — PCI DSS Requirement 10.7', description: 'Implement file integrity monitoring and intrusion detection. PCI DSS requires detecting and responding to security system failures within 24 hours.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-CCPA-004: No privacy notice at data collection
+  { id: 'COMP-CCPA-004', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Privacy Notice at Point of Collection (CCPA)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        if (c.match(/\bform\b|signup|register|create.*account/i)) {
+          if (!c.match(/privacy.*notice|privacy.*policy|we.*collect|personal.*information/i)) {
+            findings.push({ ruleId: 'COMP-CCPA-004', category: 'compliance', severity: 'high', title: 'Registration/form without privacy notice at point of data collection', description: 'CCPA requires informing users of data collection at the time of collection. Add a link to privacy policy near data collection forms.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-INTL-013: Hardcoded address format
+  { id: 'COMP-INTL-013', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded Address Format (US-Centric)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        if (c.match(/zipCode|zip_code|postalCode/i) && c.match(/\d{5}(-\d{4})?/)) {
+          if (!c.match(/country|international|locale/i)) {
+            findings.push({ ruleId: 'COMP-INTL-013', category: 'compliance', severity: 'low', title: 'US ZIP code format without international postal code support', description: 'Support international postal codes (UK: SW1A 1AA, Canada: K1A 0A9). Add country selector and validate by country using a postal code library.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-GDPR-018: Consent pre-checked
+  { id: 'COMP-GDPR-018', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Pre-Checked Marketing Consent Checkbox',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue|js|ts)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/checkbox|type=["']checkbox["']/i) && lines[i].match(/marketing|newsletter|consent|subscribe/i)) {
+            if (lines[i].match(/checked|defaultChecked|value=["']true["']/i)) {
+              findings.push({ ruleId: 'COMP-GDPR-018', category: 'compliance', severity: 'high', title: 'Marketing consent checkbox pre-checked — GDPR requires opt-in not opt-out', description: 'Consent must be freely given — do not pre-check consent boxes. GDPR Article 7 requires unambiguous, active consent for marketing communications.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-GDPR-019: No age verification for age-restricted content
+  { id: 'COMP-GDPR-019', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Age-Restricted Content Without Age Verification',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/adult|alcohol|gambling|tobacco|cannabis/i) && !c.match(/ageVerif|age_verif|dateOfBirth|dob.*verif|isAdult|verifyAge/i)) {
+          findings.push({ ruleId: 'COMP-GDPR-019', category: 'compliance', severity: 'high', title: 'Age-restricted content served without age verification', description: 'Implement age verification before serving age-restricted content. GDPR and national laws require age gates for alcohol, gambling, and adult content to protect minors.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-A11Y-024: No keyboard navigation support
+  { id: 'COMP-A11Y-024', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Interactive Elements Not Keyboard Accessible',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/onClick\s*=|@click\s*=/i) && lines[i].match(/<div|<span|<li/) && !lines[i].match(/role=|tabIndex|tabindex|onKeyDown|onKeyPress|onKeyUp/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-024', category: 'compliance', severity: 'medium', title: 'div/span with onClick but no keyboard handler — not keyboard accessible', description: 'Add tabIndex={0} and onKeyDown handler, or use a <button> element. WCAG 2.1 SC 2.1.1: All functionality must be available via keyboard.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-A11Y-025: Missing role attribute on custom interactive elements
+  { id: 'COMP-A11Y-025', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Custom Interactive Widget Missing ARIA Role',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<div[^>]*tabIndex|<div[^>]*tabindex/i) && !lines[i].match(/role=/)) {
+            findings.push({ ruleId: 'COMP-A11Y-025', category: 'compliance', severity: 'medium', title: 'Focusable div without role attribute — assistive technology cannot identify its purpose', description: 'Add an appropriate role (button, tab, listitem, etc.) to focusable divs. WCAG 2.1 SC 4.1.2 requires interactive elements to have programmatically determinable roles.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-SOC2-010: No data encryption at rest documentation
+  { id: 'COMP-SOC2-010', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Encryption at Rest Configuration Documented',
+    check({ files }) {
+      const findings = [];
+      const hasSensitiveStorage = [...files.values()].some(c => c.match(/aws_rds|aws_s3|aws_dynamodb|aws_elasticache/i));
+      const hasEncryption = [...files.values()].some(c => c.match(/storage_encrypted\s*=\s*true|encrypted\s*=\s*true|kms_key|sse_algorithm/i));
+      if (hasSensitiveStorage && !hasEncryption) {
+        findings.push({ ruleId: 'COMP-SOC2-010', category: 'compliance', severity: 'medium', title: 'Cloud storage resources without encryption at rest', description: 'Enable encryption at rest for all data storage (RDS, S3, DynamoDB). SOC 2 CC6.1 requires logical and physical access controls including encryption for sensitive data.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-CCPA-005: No opt-out mechanism for sale of personal data
+  { id: 'COMP-CCPA-005', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No "Do Not Sell My Personal Information" Mechanism',
+    check({ files }) {
+      const findings = [];
+      const hasSellData = [...files.values()].some(c => c.match(/segment|mixpanel|amplitude|facebook.*pixel|google.*analytics|third.*party.*data/i));
+      const hasOptOut = [...files.values()].some(c => c.match(/doNotSell|do_not_sell|opt.?out.*sell|CCPA|data.*sale/i));
+      if (hasSellData && !hasOptOut) {
+        findings.push({ ruleId: 'COMP-CCPA-005', category: 'compliance', severity: 'high', title: 'Data shared with third parties without CCPA opt-out option', description: 'Add "Do Not Sell or Share My Personal Information" link as required by CCPA. California residents have the right to opt out of sale/sharing of personal data.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-HIPAA-006: PHI in URL parameters
+  { id: 'COMP-HIPAA-006', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PHI in URL Parameters',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/[?&](patient|patient_id|mrn|ssn|diagnosis|medication|dob)=/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'COMP-HIPAA-006', category: 'compliance', severity: 'critical', title: 'PHI passed in URL parameters — logged in server logs and browser history', description: 'Use POST body or session for PHI. HIPAA requires safeguards to prevent unauthorized disclosure of PHI. URL parameters are logged in web server logs, proxy logs, and browser history.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-PCI-007: Storing CVV after authorization
+  { id: 'COMP-PCI-007', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'CVV/CVV2 Value Stored in Database',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/cvv|cvv2|cvc|security_code/i) && lines[i].match(/save\s*\(|insert|create|update|set\s*\(/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'COMP-PCI-007', category: 'compliance', severity: 'critical', title: 'CVV/CVV2 value being stored — PCI DSS Requirement 3 violation', description: 'Never store CVV after authorization. PCI DSS Requirement 3.3 strictly prohibits storing card validation codes. Use tokenization via your payment processor instead.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-INTL-014: No timezone handling for user dates
+  { id: 'COMP-INTL-014', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'User-Facing Dates Without Timezone Consideration',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new Date\s*\(|Date\.now\s*\(\s*\)/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+            if (ctx.match(/res\.json|res\.send|return.*date/i) && !ctx.match(/timezone|toISOString|UTC|Intl\.DateTimeFormat/i)) {
+              findings.push({ ruleId: 'COMP-INTL-014', category: 'compliance', severity: 'medium', title: 'Date returned to client without timezone context', description: 'Always use ISO 8601 format with timezone (toISOString()) or include timezone info. Server-side dates without timezone context are interpreted in the user\'s local timezone, causing date display errors.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-A11Y-026: Images in CSS (background-image) for content
+  { id: 'COMP-A11Y-026', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Informational Content as CSS Background Image',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(css|scss|sass|less)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/background-image:\s*url\s*\(/) && !lines[i].match(/decoration|ornament|pattern|gradient/i)) {
+            findings.push({ ruleId: 'COMP-A11Y-026', category: 'compliance', severity: 'low', title: 'Informational image in CSS background — invisible to screen readers', description: 'Use <img> with alt text for informational images. CSS background images cannot have alt text and are invisible to screen readers (WCAG 2.1 SC 1.1.1).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-GDPR-020: Data exported without access control check
+  { id: 'COMP-GDPR-020', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Data Export Endpoint Without Authorization Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/export.*csv|export.*excel|download.*data|export.*report/i) && lines[i].match(/router\.(get|post)\s*\(/)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+            if (!ctx.match(/auth|permission|role|admin|isAuthenticated|requireAuth/i)) {
+              findings.push({ ruleId: 'COMP-GDPR-020', category: 'compliance', severity: 'high', title: 'Data export endpoint without authentication/authorization check', description: 'Require authentication and authorization for data export endpoints. GDPR Article 5 requires access controls on personal data. Unprotected export endpoints enable bulk PII theft.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COMP-SOC2-011: No penetration testing evidence
+  { id: 'COMP-SOC2-011', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'No Penetration Testing Process Documented',
+    check({ files }) {
+      const findings = [];
+      const hasPentest = [...files.keys()].some(f => f.match(/pentest|penetration|security.?test|security.?audit/i)) || [...files.values()].some(c => c.match(/pentest|penetration.?test|security.?assessment/i));
+      const hasCI = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci/));
+      if (hasCI && !hasPentest) {
+        findings.push({ ruleId: 'COMP-SOC2-011', category: 'compliance', severity: 'medium', title: 'No penetration testing evidence in repository', description: 'Document penetration testing schedule and remediation process. SOC 2 CC7.1 requires that security testing be performed and findings remediated. Annual pen tests are standard.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-CHILDREN-002: Collecting children's location data — only for apps explicitly targeting children
+  { id: 'COMP-CHILDREN-002', category: 'compliance', severity: 'critical', confidence: 'definite', title: "Location Data Collected That May Apply to Children's Platforms",
+    check({ files }) {
+      const findings = [];
+      // Only fire if package.json or config explicitly mentions COPPA/children targeting
+      const hasChildrenTargeting = [...files.entries()].some(([fp, c]) =>
+        (fp.endsWith('package.json') || fp.endsWith('.json')) && /coppa|kids.*app|children.*platform/i.test(c)
+      );
+      if (!hasChildrenTargeting) return findings;
+      const hasLocation = [...files.values()].some(c => c.match(/geolocation|navigator\.geolocation|latitude|longitude|location.*tracking/i));
+      if (hasLocation) {
+        findings.push({ ruleId: 'COMP-CHILDREN-002', category: 'compliance', severity: 'critical', title: 'Platform targeting children may be collecting location data', description: 'COPPA and GDPR-K prohibit collecting precise geolocation from children under 13 without verifiable parental consent. Remove location tracking or implement strict age verification with parental consent flow.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COMP-INTL-015: Currency displayed without ISO code
+  { id: 'COMP-INTL-015', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Currency Amount Displayed Without ISO Currency Code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(jsx|tsx|html|vue|js|ts)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Match literal $ currency display: $12.99 or "$" + amount, but NOT ${...} template literals
+          if (lines[i].match(/\$\s*[0-9]|\"\$\"|'\$'/) && !lines[i].match(/\$\{/) && !lines[i].match(/currency.*USD|ISO|Intl\.NumberFormat.*currency/i)) {
+            findings.push({ ruleId: 'COMP-INTL-015', category: 'compliance', severity: 'low', title: 'Currency displayed with $ symbol but no ISO code', description: 'Use Intl.NumberFormat with currency option. Display currency as "USD" or "EUR" in addition to symbol for international users and compliance with financial display regulations.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+// allComplianceRules is constructed at end of file after all rules.push() calls
+
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].some(e => f.endsWith(e)); }
+
+// COMP-016: HIPAA - PHI in log statements
+rules.push({
+  id: 'COMP-016', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'HIPAA: Protected Health Information (PHI) logged',
+  check({ files }) {
+    const findings = [];
+    const phiFields = /(?:diagnosis|condition|medication|treatment|prescription|patient.*name|dob|date_of_birth|ssn|medical_record|insurance|health_plan)/i;
+    const logPattern = /(?:console\.|logger\.|log\.)\w*\s*\([^)]*(?:patient|health|medical|diagnosis|medication)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (logPattern.test(lines[i]) || (phiFields.test(lines[i]) && /console\.|logger\./.test(lines[i]))) {
+          findings.push({ ruleId: 'COMP-016', category: 'compliance', severity: 'critical', title: 'Potential PHI logged — HIPAA violation', description: 'Logging Protected Health Information violates HIPAA. Mask or exclude PHI from all log output. Use structured logging with field-level redaction.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-017: HIPAA - Unencrypted health data storage
+rules.push({
+  id: 'COMP-017', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'HIPAA: Health data field stored without encryption annotation',
+  check({ files }) {
+    const findings = [];
+    const phiField = /(?:diagnosis|condition|medication|prescription|health_data|medical_history|lab_result)\s*[:=]/i;
+    const encryptMarker = /encrypt|@Encrypted|@Column.*encrypted|cipher/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (phiField.test(lines[i]) && /String|TEXT|VARCHAR|string:/i.test(lines[i]) && !encryptMarker.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-017', category: 'compliance', severity: 'critical', title: 'Health data field stored without encryption — HIPAA requires encryption at rest', description: 'PHI must be encrypted at rest under HIPAA. Use application-level encryption or database column encryption for health data fields.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-018: PCI-DSS - Full card number stored
+rules.push({
+  id: 'COMP-018', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PCI-DSS: Full credit card number stored or logged',
+  check({ files }) {
+    const findings = [];
+    const cardField = /(?:card_number|cardNumber|pan|credit_card|cc_number)\s*[:=]/i;
+    const fullPAN = /(?:card_number|cardNumber|pan|full.*card)\s*[:=]\s*(?:req\.|body\.|input\.|String|TEXT|VARCHAR)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (fullPAN.test(lines[i]) && !/mask|truncat|last.*4|token|vault/i.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-018', category: 'compliance', severity: 'critical', title: 'Full PAN stored — PCI-DSS prohibits storing full card numbers', description: 'PCI-DSS prohibits storing full Primary Account Numbers. Store only the last 4 digits or use a payment tokenization service (Stripe, Braintree).', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-019: PCI-DSS - CVV stored
+rules.push({
+  id: 'COMP-019', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PCI-DSS: CVV/CVV2 security code stored',
+  check({ files }) {
+    const findings = [];
+    const cvvField = /(?:cvv|cvv2|cvc|security_code|card_verification)\s*[:=]/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (cvvField.test(lines[i]) && /save|store|insert|create|String|TEXT|VARCHAR/i.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-019', category: 'compliance', severity: 'critical', title: 'CVV stored — PCI-DSS strictly prohibits storing CVV after authorization', description: 'PCI-DSS Requirement 3.2 prohibits storing CVV/CVC after transaction authorization. Remove CVV storage immediately.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-020: PCI-DSS - Unmasked PAN in logs
+rules.push({
+  id: 'COMP-020', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PCI-DSS: Card number or PAN in log output',
+  check({ files }) {
+    const findings = [];
+    const pattern = /(?:console\.|logger\.|log\.)\w*\s*\([^)]*(?:cardNumber|card_number|pan|creditCard|credit_card)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (pattern.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-020', category: 'compliance', severity: 'critical', title: 'Card number logged — PCI-DSS violation', description: 'PCI-DSS requires masking card numbers in logs (show only last 4 digits). Logging full PANs is a reportable violation.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-021: GDPR - No cookie consent mechanism
+rules.push({
+  id: 'COMP-021', category: 'compliance', severity: 'high', confidence: 'likely', title: 'GDPR: No cookie consent mechanism found',
+  check({ files }) {
+    const findings = [];
+    const hasCookies = [...files.values()].some(c => /document\.cookie|setCookie|cookie-parser|Set-Cookie/i.test(c));
+    const hasConsent = [...files.values()].some(c => /cookie.*consent|cookieConsent|gdpr.*cookie|acceptCookies|cookieBanner|cookie.*policy|CookieYes|Cookiebot|OneTrust/i.test(c));
+    if (hasCookies && !hasConsent) {
+      findings.push({ ruleId: 'COMP-021', category: 'compliance', severity: 'high', title: 'Cookies set without consent mechanism — GDPR Article 7 violation', description: 'GDPR requires explicit consent before setting non-essential cookies. Implement a cookie consent banner with opt-in/opt-out controls.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-022: GDPR - Third-party scripts without consent
+rules.push({
+  id: 'COMP-022', category: 'compliance', severity: 'high', confidence: 'likely', title: 'GDPR: Third-party tracking scripts loaded without consent check',
+  check({ files }) {
+    const findings = [];
+    const trackingScripts = /(?:google-analytics|gtag|ga\s*\(|fbq\s*\(|analytics\.js|segment\.com|mixpanel|hotjar|heap\.io)/i;
+    const consentCheck = /cookie.*consent|hasConsent|gdprConsent|analyticsEnabled|trackingAllowed/i;
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(js|ts|jsx|tsx|html)$/)) continue;
+      if (!trackingScripts.test(c)) continue;
+      if (!consentCheck.test(c)) {
+        findings.push({ ruleId: 'COMP-022', category: 'compliance', severity: 'high', title: 'Third-party analytics loaded without consent gate — GDPR violation', description: 'Load analytics and tracking scripts only after user consent. Wrap script loading in consent check: if (hasAnalyticsConsent()) { loadAnalytics(); }', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-023: GDPR - No data retention policy
+rules.push({
+  id: 'COMP-023', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR: No data retention or deletion mechanism',
+  check({ files }) {
+    const findings = [];
+    const storesPII = [...files.values()].some(c => /email.*save|user.*create|profile.*insert|personal.*data/i.test(c));
+    const hasRetention = [...files.values()].some(c => /deleteAfter|retention|purge|ttl|expiresAt|deleteOldRecords|data.*cleanup/i.test(c));
+    if (storesPII && !hasRetention) {
+      findings.push({ ruleId: 'COMP-023', category: 'compliance', severity: 'medium', title: 'PII stored without data retention policy — GDPR requires data minimization', description: 'GDPR Article 5(1)(e) requires data not be kept longer than necessary. Implement automated deletion for expired user data.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-024: Accessibility - Missing aria-label on interactive elements
+rules.push({
+  id: 'COMP-024', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Accessibility: Interactive element without accessible label',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/<(?:button|a|input|select)\b/.test(lines[i]) && !/aria-label|aria-labelledby|title=|alt=/.test(lines[i])) {
+          const nextLines = lines.slice(i, Math.min(lines.length, i + 3)).join(' ');
+          if (!/aria-label|aria-labelledby/.test(nextLines)) {
+            findings.push({ ruleId: 'COMP-024', category: 'compliance', severity: 'medium', title: 'Interactive element without accessible label — WCAG 2.1 violation', description: 'Buttons, links, and form inputs need accessible labels for screen readers. Add aria-label, aria-labelledby, or visible text content.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-025: Accessibility - Image without alt text
+rules.push({
+  id: 'COMP-025', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Accessibility: <img> without alt attribute',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/<img\b/.test(lines[i]) && !/alt=/.test(lines[i])) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 3)).join(' ');
+          if (!/alt=/.test(ctx)) {
+            findings.push({ ruleId: 'COMP-025', category: 'compliance', severity: 'medium', title: '<img> without alt attribute — WCAG 2.1 Level A failure', description: 'Images must have alt text for screen readers. Use alt="" for decorative images and a descriptive alt for informational images.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-026: COPPA - No age verification
+rules.push({
+  id: 'COMP-026', category: 'compliance', severity: 'high', confidence: 'likely', title: 'COPPA: No age verification before collecting user data',
+  check({ files }) {
+    const findings = [];
+    const collectsData = [...files.values()].some(c => /register|signup|createAccount|createUser/i.test(c));
+    const hasAgeCheck = [...files.values()].some(c => /age.*verif|dateOfBirth|dob|ageGate|coppa|under.*13|age.*13|birthdate/i.test(c));
+    if (collectsData && !hasAgeCheck) {
+      findings.push({ ruleId: 'COMP-026', category: 'compliance', severity: 'high', title: 'No age verification — COPPA requires consent for users under 13', description: 'COPPA requires verifiable parental consent before collecting personal information from children under 13. Add age gate or date-of-birth check to registration.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-027: Missing privacy policy link
+rules.push({
+  id: 'COMP-027', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Registration/signup form without privacy policy link',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+      if (!/register|signup|createAccount/i.test(c)) continue;
+      if (!/privacy.*policy|privacyPolicy|privacy-policy/i.test(c)) {
+        findings.push({ ruleId: 'COMP-027', category: 'compliance', severity: 'medium', title: 'Signup form without privacy policy link — required by GDPR, CCPA, COPPA', description: 'Registration forms must link to a privacy policy explaining what data is collected. GDPR, CCPA, and COPPA all require this disclosure at point of data collection.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-028: SOC2 - Audit logging missing
+rules.push({
+  id: 'COMP-028', category: 'compliance', severity: 'medium', confidence: 'definite', title: 'SOC2: No audit logging for sensitive operations',
+  check({ files }) {
+    const findings = [];
+    const hasSensitiveOps = [...files.values()].some(c => /delete.*user|update.*role|admin.*action|permission.*change/i.test(c));
+    const hasAuditLog = [...files.values()].some(c => /auditLog|audit_log|AuditTrail|audit\.log|writeAudit/i.test(c));
+    if (hasSensitiveOps && !hasAuditLog) {
+      findings.push({ ruleId: 'COMP-028', category: 'compliance', severity: 'medium', title: 'Sensitive operations without audit logging — SOC2 CC7.2 requires audit trail', description: 'SOC2 requires audit trails for access changes, privilege escalations, and data deletions. Implement an audit log that records who did what and when.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-029: WCAG - Color-only information
+rules.push({
+  id: 'COMP-029', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Accessibility: Information conveyed by color only',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue|css|scss)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Look for status/error indicators that only use color
+        if (/color.*red|color.*green|color.*error|color.*success/i.test(lines[i]) && !/icon|text|label|aria/i.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 2)).join('\n');
+          if (!/text|icon|label|aria-label/.test(ctx)) {
+            findings.push({ ruleId: 'COMP-029', category: 'compliance', severity: 'medium', title: 'Status indicated by color only — inaccessible to color-blind users (WCAG 1.4.1)', description: 'Use icons, text, or patterns in addition to color to convey information. Color alone fails WCAG 1.4.1 (Use of Color).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-030: Missing HTTPS in production config
+rules.push({
+  id: 'COMP-030', category: 'compliance', severity: 'high', confidence: 'likely', title: 'Production config using HTTP instead of HTTPS URLs',
+  check({ files }) {
+    const findings = [];
+    const prodConfig = /(?:production|prod).*(?:url|endpoint|api|base)/i;
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(json|env|ya?ml|ts|js)$/)) continue;
+      if (!fp.match(/prod|config|env/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/http:\/\/(?!localhost|127\.|0\.0\.0)/.test(lines[i]) && !/^\s*(#|\/\/)/.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-030', category: 'compliance', severity: 'high', title: 'HTTP (not HTTPS) URL in production configuration', description: 'Production services must use HTTPS. Plain HTTP exposes data in transit. Change all production URLs to use https://.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-031 through COMP-055: Additional compliance rules
+
+// COMP-031: GDPR - Right to erasure not implemented
+rules.push({
+  id: 'COMP-031', category: 'compliance', severity: 'high', confidence: 'likely', title: 'GDPR: No data deletion/erasure functionality',
+  check({ files }) {
+    const findings = [];
+    const storesUserData = [...files.values()].some(c => /user\.create|createUser|registerUser/i.test(c));
+    const hasDeleteUser = [...files.values()].some(c => /deleteUser|removeUser|user\.delete|account.*delete|gdpr.*delete|erasure|right.*forget/i.test(c));
+    if (storesUserData && !hasDeleteUser) {
+      findings.push({ ruleId: 'COMP-031', category: 'compliance', severity: 'high', title: 'User data stored without deletion capability — GDPR Right to Erasure (Article 17)', description: 'GDPR requires you to delete personal data upon user request. Implement a user data deletion flow that removes all PII from your systems.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-032: PCI-DSS - Unencrypted transmission
+rules.push({
+  id: 'COMP-032', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PCI-DSS: Payment data transmitted over unencrypted connection',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/http:\/\/(?!localhost)/.test(lines[i]) && /card|payment|pan|credit/i.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-032', category: 'compliance', severity: 'critical', title: 'Payment data sent over HTTP — PCI-DSS requires TLS for cardholder data', description: 'PCI-DSS Requirement 4.1 mandates strong cryptography for cardholder data in transit. Always use HTTPS/TLS for payment data transmission.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-033: HIPAA - Audit log for PHI access
+rules.push({
+  id: 'COMP-033', category: 'compliance', severity: 'high', confidence: 'likely', title: 'HIPAA: PHI accessed without audit log entry',
+  check({ files }) {
+    const findings = [];
+    const hasPHIAccess = [...files.values()].some(c => /patient|diagnosis|medication|health_record/i.test(c) && /findOne|findById|SELECT/i.test(c));
+    const hasAuditLog = [...files.values()].some(c => /auditLog|hipaa.*log|phi.*access|accessLog/i.test(c));
+    if (hasPHIAccess && !hasAuditLog) {
+      findings.push({ ruleId: 'COMP-033', category: 'compliance', severity: 'high', title: 'PHI accessed without HIPAA audit trail — HIPAA 164.312(b) violation', description: 'HIPAA requires audit controls that record and examine activity in systems containing PHI. Log who accessed what PHI data and when.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-034: CCPA - No opt-out mechanism
+rules.push({
+  id: 'COMP-034', category: 'compliance', severity: 'high', confidence: 'likely', title: 'CCPA: No opt-out of data sale mechanism',
+  check({ files }) {
+    const findings = [];
+    const hasUserData = [...files.values()].some(c => /user.*data|personal.*info|analytics|tracking/i.test(c));
+    const hasOptOut = [...files.values()].some(c => /opt-out|optOut|do.*not.*sell|ccpa|doNotSell/i.test(c));
+    if (hasUserData && !hasOptOut) {
+      findings.push({ ruleId: 'COMP-034', category: 'compliance', severity: 'high', title: 'No "Do Not Sell My Personal Information" opt-out — CCPA requirement for CA residents', description: 'CCPA requires businesses that sell personal information to provide a clear opt-out mechanism. Add a "Do Not Sell My Personal Information" link to your privacy page.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-035: Accessibility - Form without label
+rules.push({
+  id: 'COMP-035', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Accessibility: Form input without associated label',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/<input\b/.test(lines[i]) && !/type\s*=\s*["']hidden["']/.test(lines[i]) && !/aria-label|aria-labelledby/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (!/<label|aria-label|aria-labelledby/.test(ctx)) {
+            findings.push({ ruleId: 'COMP-035', category: 'compliance', severity: 'medium', title: '<input> without label — screen readers cannot identify the field', description: 'Associate form inputs with labels using <label for="id">, aria-label, or aria-labelledby. WCAG 2.1 Success Criterion 1.3.1 (Info and Relationships).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-036: SOC2 - Plaintext passwords in configuration
+rules.push({
+  id: 'COMP-036', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'SOC2: Plaintext credentials in configuration files',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(?:json|yaml|yml|toml|ini|env)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*[#;]/.test(lines[i])) continue;
+        if (/(?:password|passwd|secret|api_key)\s*[:=]\s*["']?[A-Za-z0-9!@#$%^&*]{8,}["']?/i.test(lines[i]) && !/\$\{|\$\(|process\.env/i.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-036', category: 'compliance', severity: 'critical', title: 'Plaintext credential in config file — SOC2 CC6 control failure', description: 'SOC2 CC6 requires protecting logical access. Plaintext credentials in config files fail this control. Use environment variables or a secrets manager.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-037: WCAG - Missing keyboard navigation support
+rules.push({
+  id: 'COMP-037', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'Accessibility: onClick handler on non-interactive element without keyboard support',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/<(?:div|span|p)\s[^>]*onClick\s*=/.test(lines[i]) && !/onKeyDown|onKeyPress|tabIndex|role\s*=/.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-037', category: 'compliance', severity: 'medium', title: 'Clickable div/span without keyboard handler — inaccessible to keyboard users', description: 'Non-interactive elements with onClick need onKeyDown/onKeyPress and tabIndex="0" for keyboard accessibility. Or use <button> which has built-in keyboard support.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-038: GDPR - Data processed without legal basis
+rules.push({
+  id: 'COMP-038', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR: No terms of service or consent check before data collection',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html|vue)$/)) continue;
+      if (!c.match(/register|signup|sign.?up/i)) continue;
+      if (!c.match(/terms|consent|agree|privacy/i)) {
+        findings.push({ ruleId: 'COMP-038', category: 'compliance', severity: 'medium', title: 'Registration form without terms/consent checkbox — GDPR Article 6 legal basis', description: 'GDPR requires a lawful basis for processing personal data. Include a consent checkbox linking to terms of service and privacy policy on registration forms.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-039: PCI-DSS - Logging card data
+rules.push({
+  id: 'COMP-039', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'PCI-DSS: Full card data logged — compliance violation',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:console\.|logger\.)\w*\s*\([^)]*(?:card|pan|cvv|expiry|expirationDate)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-039', category: 'compliance', severity: 'critical', title: 'Card data logged — PCI-DSS prohibits logging of card data', description: 'PCI-DSS requires that card data never be written to logs. Remove all logging of card numbers, CVVs, and expiration dates immediately.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-040: ISO 27001 - No change management documentation
+rules.push({
+  id: 'COMP-040', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No CHANGELOG or change management documentation',
+  check({ files }) {
+    const findings = [];
+    const hasRelease = [...files.values()].some(c => /npm.*publish|release|deploy/i.test(c));
+    const hasChangelog = [...files.keys()].some(f => f.match(/CHANGELOG|CHANGES|HISTORY/i));
+    if (hasRelease && !hasChangelog) {
+      findings.push({ ruleId: 'COMP-040', category: 'compliance', severity: 'low', title: 'No CHANGELOG — ISO 27001 A.12.1.2 recommends change management documentation', description: 'Maintain a CHANGELOG documenting changes between versions for compliance audit trails and user communication.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-041 through COMP-060: More compliance rules
+
+// COMP-041: WCAG - Insufficient color contrast indication
+rules.push({
+  id: 'COMP-041', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Accessibility: Potential low color contrast ratio',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(css|scss|sass|less)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*\/\/|\/\*/.test(lines[i])) continue;
+        if (/color\s*:\s*#(?:ccc|ddd|eee|aaa|bbb|999|888|777)\b/i.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (!/background.*#(?:000|111|222|333)|aria|placeholder/i.test(ctx)) {
+            findings.push({ ruleId: 'COMP-041', category: 'compliance', severity: 'low', title: 'Light gray text color — may fail WCAG 1.4.3 contrast ratio (4.5:1)', description: 'Light gray text (#ccc, #ddd) on white backgrounds typically fails WCAG AA contrast requirements. Use a contrast checker to verify 4.5:1 ratio for normal text.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-042: NIST - No multi-factor authentication
+rules.push({
+  id: 'COMP-042', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No multi-factor authentication implementation',
+  check({ files }) {
+    const findings = [];
+    const hasAuth = [...files.values()].some(c => /login|signin|authenticate/i.test(c));
+    const hasMFA = [...files.values()].some(c => /mfa|2fa|totp|otp|authenticator|two.?factor|second.?factor|speakeasy|otpauth/i.test(c));
+    if (hasAuth && !hasMFA) {
+      findings.push({ ruleId: 'COMP-042', category: 'compliance', severity: 'high', title: 'No MFA implementation — NIST 800-63B recommends MFA for all accounts', description: 'NIST 800-63B recommends multi-factor authentication. Implement TOTP, SMS, or hardware key second factors for user authentication.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-043: GDPR - Data export not implemented
+rules.push({
+  id: 'COMP-043', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR: No data portability/export feature',
+  check({ files }) {
+    const findings = [];
+    const storesUserData = [...files.values()].some(c => /user\.create|createUser/i.test(c));
+    const hasExport = [...files.values()].some(c => /exportData|data.*export|portability|downloadMyData|gdpr.*export/i.test(c));
+    if (storesUserData && !hasExport) {
+      findings.push({ ruleId: 'COMP-043', category: 'compliance', severity: 'medium', title: 'No data portability feature — GDPR Article 20 (Right to Data Portability)', description: 'GDPR Article 20 gives users the right to receive their personal data in a machine-readable format. Implement a data export endpoint.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-044: HIPAA - PHI sent via email without encryption
+rules.push({
+  id: 'COMP-044', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'HIPAA: Health data potentially sent via email without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/sendMail|sendEmail|nodemailer|ses\.sendEmail/i.test(c)) {
+        if (/patient|diagnosis|medication|health|medical/i.test(c) && !/encrypt|tls|starttls/i.test(c)) {
+          findings.push({ ruleId: 'COMP-044', category: 'compliance', severity: 'critical', title: 'PHI potentially included in email without encryption', description: 'HIPAA prohibits transmitting PHI via unencrypted email. Use S/MIME encryption or a HIPAA-compliant messaging service. Never include PHI in email body.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-045: PCI-DSS - Cross-frame scripting protection missing
+rules.push({
+  id: 'COMP-045', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'PCI-DSS: No Content-Security-Policy for payment pages',
+  check({ files }) {
+    const findings = [];
+    const hasPaymentPage = [...files.values()].some(c => /checkout|payment|card.*form|stripe|braintree/i.test(c));
+    const hasCSP = [...files.values()].some(c => /Content-Security-Policy|contentSecurityPolicy|helmetCsp|cspHeader/i.test(c));
+    if (hasPaymentPage && !hasCSP) {
+      findings.push({ ruleId: 'COMP-045', category: 'compliance', severity: 'medium', title: 'Payment page without Content-Security-Policy — PCI-DSS 6.4.3 requires strict CSP', description: 'PCI-DSS v4.0 Requirement 6.4.3 requires a CSP to be implemented on payment pages to prevent unauthorized scripts from stealing card data.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-046: SOC2 - No incident response plan indicators
+rules.push({
+  id: 'COMP-046', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'SOC2: No incident response contact or runbook found',
+  check({ files }) {
+    const findings = [];
+    const hasProduction = [...files.values()].some(c => /NODE_ENV.*production|ENVIRONMENT.*prod/i.test(c));
+    const hasIncidentResponse = [...files.keys()].some(f => f.match(/INCIDENT|RUNBOOK|ON_CALL|ESCALATION|incident-response|runbook/i));
+    if (hasProduction && !hasIncidentResponse) {
+      findings.push({ ruleId: 'COMP-046', category: 'compliance', severity: 'low', title: 'No incident response runbook — SOC2 CC7.3 requires defined incident response', description: 'SOC2 CC7.3 requires documented incident response procedures. Create an INCIDENT_RESPONSE.md or runbook documenting escalation paths and response steps.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-047: GDPR - No data breach notification plan
+rules.push({
+  id: 'COMP-047', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR: No data breach notification mechanism',
+  check({ files }) {
+    const findings = [];
+    const storesPII = [...files.values()].some(c => /email.*save|createUser|userRecord/i.test(c));
+    const hasBreachNotification = [...files.values()].some(c => /breach.*notif|dataBreachReport|security.*incident|GDPR.*72.*hour|notify.*dpa/i.test(c));
+    if (storesPII && !hasBreachNotification) {
+      findings.push({ ruleId: 'COMP-047', category: 'compliance', severity: 'medium', title: 'No data breach notification procedure — GDPR Article 33 requires 72-hour notification to DPA', description: 'GDPR requires notifying the supervisory authority within 72 hours of a data breach. Document and implement breach detection and notification procedures.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-048: Accessibility - Missing skip navigation link
+rules.push({
+  id: 'COMP-048', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Accessibility: No skip navigation link for keyboard users',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx|html)$/)) continue;
+      if (/<nav\b/.test(c) && !/<a[^>]*skip|skip.*navigation|skip.*main|skip.*content/i.test(c)) {
+        findings.push({ ruleId: 'COMP-048', category: 'compliance', severity: 'low', title: 'Navigation without skip link — keyboard users must tab through all nav items', description: 'Add a "Skip to main content" link as the first focusable element. This allows keyboard users to bypass repetitive navigation. WCAG 2.4.1.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-049: FERPA - Student records without access control
+rules.push({
+  id: 'COMP-049', category: 'compliance', severity: 'high', confidence: 'likely', title: 'FERPA: Student data accessed without role-based access control',
+  check({ files }) {
+    const findings = [];
+    const hasStudentData = [...files.values()].some(c => /student|enrollment|grade|transcript|course_record/i.test(c));
+    const hasAccessControl = [...files.values()].some(c => /role.*admin|instructor.*permission|authorize|FERPA|educationRecord/i.test(c));
+    if (hasStudentData && !hasAccessControl) {
+      findings.push({ ruleId: 'COMP-049', category: 'compliance', severity: 'high', title: 'Student education records without FERPA access controls', description: 'FERPA requires restricting access to student education records. Implement role-based access control to ensure only authorized users (instructors, admins) can access student data.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-050: Missing security.txt file
+rules.push({
+  id: 'COMP-050', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No security.txt file — no responsible disclosure channel',
+  check({ files }) {
+    const findings = [];
+    const hasWebServer = [...files.values()].some(c => /express|fastify|koa|hapi/i.test(c));
+    const hasSecurityTxt = [...files.keys()].some(f => f.match(/security\.txt$/i));
+    if (hasWebServer && !hasSecurityTxt) {
+      findings.push({ ruleId: 'COMP-050', category: 'compliance', severity: 'low', title: 'No security.txt (RFC 9116) — no standard way for researchers to report vulnerabilities', description: 'Create /.well-known/security.txt following RFC 9116 to provide contact information for security researchers to report vulnerabilities responsibly.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-051: Missing CCPA opt-out mechanism
+rules.push({
+  id: 'COMP-051', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'CCPA: No "Do Not Sell" opt-out link found',
+  check({ files }) {
+    const findings = [];
+    const hasCalifornia = [...files.keys()].some(f => /california|ccpa|donotsell|do-not-sell/i.test(f));
+    const hasOptOut = [...files.values()].some(c => /do.not.sell|doNotSell|opt.out|optout/i.test(c));
+    if (!hasCalifornia && !hasOptOut) {
+      const jsFiles = [...files.keys()].filter(f => f.endsWith('.js') || f.endsWith('.jsx') || f.endsWith('.ts') || f.endsWith('.tsx'));
+      if (jsFiles.length > 0) findings.push({ ruleId: 'COMP-051', category: 'compliance', severity: 'medium', title: 'CCPA: No "Do Not Sell My Personal Information" opt-out mechanism', description: 'California CCPA requires a clear "Do Not Sell My Personal Information" link for businesses that sell consumer data.', file: jsFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-052: Missing accessibility for error messages
+rules.push({
+  id: 'COMP-052', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'WCAG: Form error messages not associated with fields (aria-describedby)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.[jt]sx?$|\.html$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/error|invalid|required/i.test(lines[i]) && /<(?:p|span|div)[^>]*class[^>]*error/i.test(lines[i]) && !/aria-describedby|role="alert"/.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-052', category: 'compliance', severity: 'medium', title: 'Error message without aria-describedby or role="alert" — screen readers may miss it', description: 'Add role="alert" to error messages or use aria-describedby on the input field to link it to the error.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-053: Hardcoded strings in UI (i18n violations)
+rules.push({
+  id: 'COMP-053', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'Hardcoded UI strings without i18n support',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.[jt]sx$/) || fp.includes('test') || fp.includes('spec')) continue;
+      if (/<[a-z]+[^>]*>[A-Z][a-zA-Z\s]{5,}<\//.test(c) && !/i18n|useTranslation|intl|t\(|formatMessage/.test(c)) {
+        findings.push({ ruleId: 'COMP-053', category: 'compliance', severity: 'low', title: 'Hardcoded UI text without internationalization — accessibility/compliance issue for global apps', description: 'Use an i18n library (react-intl, i18next) to externalize user-facing strings for localization.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-054: Missing data processing agreement indicator
+rules.push({
+  id: 'COMP-054', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR: Third-party data processor used without DPA indication',
+  check({ files }) {
+    const findings = [];
+    const thirdParties = ['segment', 'amplitude', 'mixpanel', 'intercom', 'hubspot', 'salesforce'];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      for (const tp of thirdParties) {
+        if (new RegExp(`require.*${tp}|from.*${tp}|${tp}\\.track|${tp}\.identify`, 'i').test(c) && !/dpa|data.processing|gdpr/i.test(c)) {
+          findings.push({ ruleId: 'COMP-054', category: 'compliance', severity: 'medium', title: `GDPR: ${tp} integration without DPA documentation`, description: `Ensure a Data Processing Agreement is in place with ${tp} and document data flows for GDPR compliance.`, file: fp, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-055: Accessibility - missing lang attribute
+rules.push({
+  id: 'COMP-055', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'WCAG 3.1.1: HTML document without lang attribute',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.html')) continue;
+      if (/<html[^>]*>/i.test(c) && !/<html[^>]*lang=/i.test(c)) findings.push({ ruleId: 'COMP-055', category: 'compliance', severity: 'medium', title: 'HTML document without lang attribute — screen readers use wrong language', description: 'Add lang attribute to the <html> element: <html lang="en">.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-056: HIPAA - medical data without audit trail
+rules.push({
+  id: 'COMP-056', category: 'compliance', severity: 'high', confidence: 'likely', title: 'HIPAA: Medical record access without audit logging',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/(?:diagnosis|prescription|medical.record|patient.data|health.record)/i.test(c) && !/audit|log\.\w+|logger\.\w+/i.test(c)) {
+        findings.push({ ruleId: 'COMP-056', category: 'compliance', severity: 'high', title: 'HIPAA: Medical data access without audit trail', description: 'Log all access to medical records with user identity, timestamp, and action for HIPAA audit requirements.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-057: PCI-DSS - card data in memory longer than needed
+rules.push({
+  id: 'COMP-057', category: 'compliance', severity: 'high', confidence: 'likely', title: 'PCI-DSS: Card data stored in variable after processing',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:cardNumber|card_number|creditCard|credit_card)\s*=/.test(lines[i]) && !/null|undefined|delete|void/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/delete\s+\w+|= null|= undefined/.test(block)) findings.push({ ruleId: 'COMP-057', category: 'compliance', severity: 'high', title: 'PCI-DSS: Card number stored in variable without explicit clearing', description: 'Clear card data from memory immediately after use. Set variable to null and avoid storing in state.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-058: Missing cookie notice
+rules.push({
+  id: 'COMP-058', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR/ePrivacy: No cookie consent mechanism found',
+  check({ files }) {
+    const findings = [];
+    const hasCookieConsent = [...files.values()].some(c => /cookie.consent|cookieConsent|cookie-consent|cookieBanner|cookie.notice|CookiePolicy/i.test(c));
+    const hasCookieSet = [...files.values()].some(c => /document\.cookie\s*=|res\.cookie\s*\(|setCookie/i.test(c));
+    if (hasCookieSet && !hasCookieConsent) {
+      const cookieFile = [...files.keys()].find(fp => /document\.cookie\s*=|res\.cookie\s*\(/.test(files.get(fp) || ''));
+      if (cookieFile) findings.push({ ruleId: 'COMP-058', category: 'compliance', severity: 'medium', title: 'Cookies set without consent mechanism — GDPR/ePrivacy compliance required', description: 'Implement a cookie consent banner and only set non-essential cookies after user consent.', file: cookieFile, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-059: Accessibility - interactive elements not keyboard accessible
+rules.push({
+  id: 'COMP-059', category: 'compliance', severity: 'high', confidence: 'likely', title: 'WCAG 2.1.1: onClick handler on non-interactive element without keyboard support',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.[jt]sx?$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/<(?:div|span)[^>]*onClick/.test(lines[i]) && !/onKeyDown|onKeyPress|onKeyUp|role=|tabIndex/.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-059', category: 'compliance', severity: 'high', title: 'div/span with onClick but no keyboard handler — not keyboard accessible', description: 'Add onKeyDown handler, role="button", and tabIndex={0} to make clickable divs keyboard accessible.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-060: SOC2 - missing data encryption in transit
+rules.push({
+  id: 'COMP-060', category: 'compliance', severity: 'high', confidence: 'likely', title: 'SOC2: HTTP connection to external service without TLS',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:fetch|axios\.get|axios\.post|http\.get|http\.request)\s*\(\s*['"]http:\/\//i.test(lines[i]) && !/localhost|127\.0\.0\.1|test|spec/.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-060', category: 'compliance', severity: 'high', title: 'HTTP (non-TLS) connection to external endpoint — data in transit unencrypted', description: 'Use HTTPS for all external service connections to ensure data in transit encryption.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-061: COPPA - no age gate on sign-up
+rules.push({
+  id: 'COMP-061', category: 'compliance', severity: 'high', confidence: 'likely', title: 'COPPA: User registration without age verification',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.match(/\.[jt]sx?$/)) continue;
+      if (/register|signup|sign.up/i.test(c) && !/age|birthdate|birth.date|dob|dateOfBirth|coppa|13/i.test(c)) {
+        findings.push({ ruleId: 'COMP-061', category: 'compliance', severity: 'high', title: 'COPPA: Registration form without age verification', description: 'If your service may be used by children under 13, implement COPPA-compliant age verification.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-062: Missing Terms of Service acceptance tracking
+rules.push({
+  id: 'COMP-062', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'User registration without Terms of Service acceptance',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/(?:router|app)\.post\s*\([^)]*(?:register|signup)/i.test(c) && !/tos|terms|termsAccepted|terms_accepted|acceptTerms/i.test(c)) {
+        findings.push({ ruleId: 'COMP-062', category: 'compliance', severity: 'medium', title: 'Registration endpoint without ToS acceptance tracking', description: 'Record user acceptance of Terms of Service with timestamp for legal compliance.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-063: GDPR - no data export endpoint
+rules.push({
+  id: 'COMP-063', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'GDPR Article 20: No data portability/export endpoint',
+  check({ files }) {
+    const findings = [];
+    const hasExport = [...files.keys()].some(f => /export|download|portab/i.test(f)) ||
+      [...files.values()].some(c => /(?:router|app)\.get\s*\([^)]*(?:export|download|portab)/i.test(c));
+    if (!hasExport) {
+      const routerFiles = [...files.keys()].filter(f => f.endsWith('.js') || f.endsWith('.ts'));
+      if (routerFiles.length > 0) findings.push({ ruleId: 'COMP-063', category: 'compliance', severity: 'medium', title: 'GDPR Article 20: No data export/portability endpoint found', description: 'Implement a data export endpoint allowing users to download their personal data in a portable format.', file: routerFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-064: HIPAA - PHI in debug logs
+rules.push({
+  id: 'COMP-064', category: 'compliance', severity: 'critical', confidence: 'definite', title: 'HIPAA: PHI fields may appear in debug logs',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/console\.(?:log|debug|info)\s*\([^)]*(?:patient|diagnosis|medication|ssn|dob|dateOfBirth)/i.test(lines[i])) {
+          findings.push({ ruleId: 'COMP-064', category: 'compliance', severity: 'critical', title: 'HIPAA: PHI logged to console — PHI must not appear in logs', description: 'Remove PHI from log statements. Mask or omit health information from all log output.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-065: ISO 27001 - no vulnerability disclosure policy
+rules.push({
+  id: 'COMP-065', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'ISO 27001: No SECURITY.md or vulnerability disclosure policy',
+  check({ files }) {
+    const findings = [];
+    const hasSecurity = [...files.keys()].some(f => /SECURITY\.md|security\.txt/i.test(f));
+    if (!hasSecurity) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'COMP-065', category: 'compliance', severity: 'low', title: 'No SECURITY.md or security.txt — no vulnerability disclosure channel', description: 'Add a SECURITY.md file with instructions for reporting security vulnerabilities responsibly.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-066: Missing content security policy
+rules.push({
+  id: 'COMP-066', category: 'compliance', severity: 'high', confidence: 'likely', title: 'No Content-Security-Policy header configured',
+  check({ files }) {
+    const findings = [];
+    const hasCSP = [...files.values()].some(c => /Content-Security-Policy|contentSecurityPolicy|helmet\s*\(/i.test(c));
+    if (!hasCSP) {
+      const serverFiles = [...files.keys()].filter(f => /server|app|index/.test(f) && (f.endsWith('.js') || f.endsWith('.ts')));
+      if (serverFiles.length > 0) findings.push({ ruleId: 'COMP-066', category: 'compliance', severity: 'high', title: 'No Content-Security-Policy header — XSS attacks not mitigated', description: 'Configure CSP headers using helmet or manually setting Content-Security-Policy response header.', file: serverFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-067: GDPR - sensitive data used for analytics without consent
+rules.push({
+  id: 'COMP-067', category: 'compliance', severity: 'high', confidence: 'likely', title: 'GDPR: Email/name sent to analytics without consent check',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.match(/\.[jt]sx?$/)) continue;
+      if (/(?:analytics|gtag|ga|segment)\s*\.\s*(?:track|identify)\s*\([^)]*(?:email|name|phone)/i.test(c) && !/consent|hasConsent|gdpr|analyticsEnabled/i.test(c)) {
+        findings.push({ ruleId: 'COMP-067', category: 'compliance', severity: 'high', title: 'PII sent to analytics without consent check — GDPR violation', description: 'Only send personal data to analytics services after obtaining explicit user consent.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COMP-068: Missing WCAG focus indicator
+rules.push({
+  id: 'COMP-068', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'WCAG 2.4.7: CSS outline:none removes keyboard focus indicator',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.css') && !fp.endsWith('.scss') && !fp.endsWith('.sass')) continue;
+      if (/outline\s*:\s*none|outline\s*:\s*0/.test(c) && !/focus-visible/.test(c)) findings.push({ ruleId: 'COMP-068', category: 'compliance', severity: 'medium', title: 'CSS outline:none removes focus indicator — keyboard users cannot see focus', description: 'Replace outline:none with :focus-visible styles to maintain keyboard navigation accessibility.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-069: SOC2 - no log retention policy
+rules.push({
+  id: 'COMP-069', category: 'compliance', severity: 'medium', confidence: 'likely', title: 'SOC2: No log retention configuration found',
+  check({ files }) {
+    const findings = [];
+    const hasRetention = [...files.values()].some(c => /retention|log.*ttl|logRetention|retentionDays/i.test(c)) ||
+      [...files.keys()].some(f => /cloudwatch|logging\.ya?ml|log4j|logback/.test(f));
+    if (!hasRetention) {
+      const tfFiles = [...files.keys()].filter(f => f.endsWith('.tf'));
+      if (tfFiles.length > 0) findings.push({ ruleId: 'COMP-069', category: 'compliance', severity: 'medium', title: 'SOC2: No log retention policy configured', description: 'Configure log retention periods (typically 90-365 days) to meet SOC2 audit evidence requirements.', file: tfFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// COMP-070: Missing robots.txt to protect sensitive paths
+rules.push({
+  id: 'COMP-070', category: 'compliance', severity: 'low', confidence: 'suggestion', title: 'No robots.txt to restrict search engine crawling of sensitive paths',
+  check({ files }) {
+    const findings = [];
+    const hasRobots = [...files.keys()].some(f => /robots\.txt/.test(f));
+    if (!hasRobots) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'COMP-070', category: 'compliance', severity: 'low', title: 'No robots.txt file — admin/api paths may be indexed by search engines', description: 'Create a robots.txt file to prevent search engines from indexing sensitive application paths.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// Aggregate all compliance rules (after all rules.push() calls above)
+const allComplianceRules = [
+  ...rules,
+  ...healthcareRules,
+  ...regionalEuRules,
+  ...regionalIntlRules,
+  ...educationRules,
+  ...financialRules,
+  ...frameworksRules,
+  ...accessibilityExtRules,
+];
+
+export default allComplianceRules;