getdoorman 1.0.0

package/src/rules/compliance/regional-eu.js

@@ -0,0 +1,480 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+function isWebFile(f) { return ['.html', '.htm', '.jsx', '.tsx', '.vue', '.svelte'].some(e => f.endsWith(e)); }
+
+const rules = [
+  // === ePrivacy Directive Rules ===
+
+  { id: 'COMP-EPRIVACY-001', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Tracking Pixels Without Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isWebFile(fp) && !isSourceFile(fp)) continue;
+        if (/tracking.*pixel|pixel\.gif|beacon|1x1.*img|pixel\.png|web.*beacon/i.test(c)) {
+          if (!/consent|gdpr|cookie.*accept/i.test(c)) {
+            findings.push({ ruleId: 'COMP-EPRIVACY-001', category: 'compliance', severity: 'high',
+              title: 'Tracking pixel/beacon loaded without consent check',
+              description: 'ePrivacy Directive requires consent before deploying tracking pixels. Gate tracking pixels behind user consent.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-002', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Device Fingerprinting Without Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/canvas.*fingerprint|getImageData.*toDataURL|AudioContext.*createOscillator|webgl.*getParameter|navigator\.plugins/i.test(c)) {
+          if (!/consent/i.test(c)) {
+            findings.push({ ruleId: 'COMP-EPRIVACY-002', category: 'compliance', severity: 'high',
+              title: 'Device fingerprinting detected without consent mechanism',
+              description: 'Canvas/WebGL/AudioContext fingerprinting requires user consent under ePrivacy Directive. Implement consent before collecting device fingerprints.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-003', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Email Marketing Without Opt-In',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/bulk.*email|mass.*mail|newsletter.*send|marketing.*email|email.*campaign|mailchimp|sendgrid.*marketing/i.test(c)) {
+          if (!/opt.in|subscribe|confirm.*email|double.*opt|verified.*consent/i.test(c)) {
+            findings.push({ ruleId: 'COMP-EPRIVACY-003', category: 'compliance', severity: 'high',
+              title: 'Email marketing without opt-in verification',
+              description: 'ePrivacy Directive requires prior consent for marketing emails. Implement double opt-in for email marketing lists.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-004', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Location Tracking Without Explicit Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/navigator\.geolocation|getCurrentPosition|watchPosition/i.test(lines[i])) {
+            const block = lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+            if (!/consent|permission|allow.*location|ask.*location/i.test(block)) {
+              findings.push({ ruleId: 'COMP-EPRIVACY-004', category: 'compliance', severity: 'high',
+                title: 'Geolocation API used without explicit consent flow',
+                description: 'Location data requires explicit user consent under ePrivacy. While browsers prompt for permission, apps should explain why location is needed before requesting.',
+                file: fp, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-005', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Push Notifications Without Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/pushManager\.subscribe|registerForRemoteNotifications|firebase.*messaging|FCM|push.*notification/i.test(c)) {
+          if (!/consent|opt.in|permission.*request|ask.*permission/i.test(c)) {
+            findings.push({ ruleId: 'COMP-EPRIVACY-005', category: 'compliance', severity: 'medium',
+              title: 'Push notification registration without consent flow',
+              description: 'Implement a clear consent flow before registering for push notifications. Explain what notifications the user will receive.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-006', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Third-Party Trackers Loaded Before Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isWebFile(fp)) continue;
+        if (/<head[\s>]/i.test(c)) {
+          const headMatch = c.match(/<head[^>]*>([\s\S]*?)<\/head>/i);
+          if (headMatch) {
+            const head = headMatch[1];
+            if (/gtag|google-analytics|analytics\.js|facebook.*pixel|fbevents|hotjar|mixpanel|segment\.com/i.test(head)) {
+              if (!/consent|cookieConsent|cookie_consent/i.test(head)) {
+                findings.push({ ruleId: 'COMP-EPRIVACY-006', category: 'compliance', severity: 'high',
+                  title: 'Analytics/tracking scripts in <head> without consent gate',
+                  description: 'Third-party tracking scripts must not load before user consent. Use a consent management platform to conditionally load scripts.',
+                  file: fp, fix: null });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-007', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Cookie Wall Blocking Content Access',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) && !isWebFile(fp)) continue;
+        if (/cookie.*wall|block.*content.*consent|require.*consent.*access|no.*access.*without.*cookie/i.test(c)) {
+          findings.push({ ruleId: 'COMP-EPRIVACY-007', category: 'compliance', severity: 'medium',
+            title: 'Cookie wall detected — blocking access until consent',
+            description: 'EDPB guidelines state cookie walls that deny access to content unless cookies are accepted do not constitute valid consent. Provide a genuine choice.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EPRIVACY-008', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Non-Essential Cookies Set on Page Load',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/(?:componentDidMount|useEffect|mounted|onMounted|ngOnInit|DOMContentLoaded)/.test(c)) {
+          const lines = c.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (/(?:componentDidMount|useEffect|mounted|DOMContentLoaded)/.test(lines[i])) {
+              const block = lines.slice(i, Math.min(i + 15, lines.length)).join('\n');
+              if (/document\.cookie\s*=|setCookie|cookies\.set/i.test(block) && !/consent|essential|necessary|session/i.test(block)) {
+                findings.push({ ruleId: 'COMP-EPRIVACY-008', category: 'compliance', severity: 'high',
+                  title: 'Non-essential cookies set during page initialization',
+                  description: 'Cookies that are not strictly necessary must not be set before obtaining user consent. Defer non-essential cookie setting until after consent.',
+                  file: fp, line: i + 1, fix: null });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // === Digital Services Act (DSA) Rules ===
+
+  { id: 'COMP-DSA-001', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'No Content Moderation Mechanism',
+    check({ files }) {
+      const findings = [];
+      const hasUGC = [...files.values()].some(c => /user.*content|comment|post|upload|review|forum|message.*board/i.test(c));
+      if (!hasUGC) return findings;
+      const hasModeration = [...files.values()].some(c => /moderate|moderation|report|flag|abuse|content.*review|takedown/i.test(c));
+      if (!hasModeration) {
+        findings.push({ ruleId: 'COMP-DSA-001', category: 'compliance', severity: 'high',
+          title: 'User-generated content platform without content moderation',
+          description: 'DSA requires platforms to implement content moderation mechanisms. Add reporting, flagging, and review workflows for user content.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-DSA-002', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Missing Algorithmic Transparency',
+    check({ files }) {
+      const findings = [];
+      const hasRecommendation = [...files.values()].some(c => /recommend|personali[sz]|feed.*algorithm|ranking.*algorithm|suggestion.*engine/i.test(c));
+      if (!hasRecommendation) return findings;
+      const hasTransparency = [...files.values()].some(c => /algorithm.*explain|transparency|why.*recommended|recommendation.*reason/i.test(c));
+      if (!hasTransparency) {
+        findings.push({ ruleId: 'COMP-DSA-002', category: 'compliance', severity: 'medium',
+          title: 'Recommendation algorithm without transparency mechanism',
+          description: 'DSA requires platforms to explain their recommendation algorithms to users. Provide clear information about why content is recommended.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-DSA-003', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'No Illegal Content Reporting Endpoint',
+    check({ files }) {
+      const findings = [];
+      const hasPlatform = [...files.values()].some(c => /user.*content|comment|post|upload|marketplace|listing/i.test(c));
+      if (!hasPlatform) return findings;
+      const hasReporting = [...files.values()].some(c => /report.*illegal|illegal.*content|report.*abuse|notice.*action|law.*enforcement/i.test(c));
+      if (!hasReporting) {
+        findings.push({ ruleId: 'COMP-DSA-003', category: 'compliance', severity: 'high',
+          title: 'No mechanism for reporting illegal content',
+          description: 'DSA requires easy-to-access mechanisms for reporting illegal content. Implement a clear reporting flow with acknowledgment and response timelines.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-DSA-004', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Missing Notice-and-Action Procedure',
+    check({ files }) {
+      const findings = [];
+      const hasPlatform = [...files.values()].some(c => /user.*content|comment|post|upload/i.test(c));
+      if (!hasPlatform) return findings;
+      const hasNoticeAction = [...files.values()].some(c => /notice.*action|takedown|content.*removal|appeal|counter.*notice/i.test(c));
+      if (!hasNoticeAction) {
+        findings.push({ ruleId: 'COMP-DSA-004', category: 'compliance', severity: 'medium',
+          title: 'No notice-and-action procedure for content removal',
+          description: 'DSA requires structured notice-and-action procedures including appeals. Implement content removal workflows with user notification and appeal mechanisms.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-DSA-005', category: 'compliance', severity: 'low', confidence: 'suggestion',
+    title: 'No Transparency Report Reference',
+    check({ files }) {
+      const findings = [];
+      const hasPlatform = [...files.values()].some(c => /user.*content|marketplace|platform/i.test(c));
+      if (!hasPlatform) return findings;
+      const hasTransparency = [...files.values()].some(c => /transparency.*report|annual.*report|moderation.*report|content.*statistics/i.test(c)) ||
+        [...files.keys()].some(f => /transparency/i.test(f));
+      if (!hasTransparency) {
+        findings.push({ ruleId: 'COMP-DSA-005', category: 'compliance', severity: 'low',
+          title: 'No transparency report reference for platform',
+          description: 'DSA requires annual transparency reports on content moderation. Plan for collecting and publishing moderation statistics.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // === EU AI Act Rules ===
+
+  { id: 'COMP-EUAI-001', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'AI System Without Risk Classification',
+    check({ files }) {
+      const findings = [];
+      const hasAI = [...files.values()].some(c => /tensorflow|pytorch|scikit|openai|anthropic|model\.predict|ml.*pipeline|machine.*learning|neural.*network/i.test(c));
+      if (!hasAI) return findings;
+      const hasRisk = [...files.values()].some(c => /risk.*classif|risk.*level|risk.*assess|high.risk|low.risk|ai.*risk/i.test(c));
+      if (!hasRisk) {
+        findings.push({ ruleId: 'COMP-EUAI-001', category: 'compliance', severity: 'high',
+          title: 'AI system deployed without risk classification',
+          description: 'EU AI Act requires AI systems to be classified by risk level (unacceptable, high, limited, minimal). Document the risk classification of your AI system.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-002', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'No Human Oversight for AI Decisions',
+    check({ files }) {
+      const findings = [];
+      const hasAutoDecision = [...files.values()].some(c => /model\.predict|automat.*decision|ai.*decision|ml.*decision|classification.*result/i.test(c));
+      if (!hasAutoDecision) return findings;
+      const hasHumanOversight = [...files.values()].some(c => /human.*review|manual.*review|human.*oversight|human.*in.*loop|override|escalat/i.test(c));
+      if (!hasHumanOversight) {
+        findings.push({ ruleId: 'COMP-EUAI-002', category: 'compliance', severity: 'high',
+          title: 'Automated AI decisions without human oversight mechanism',
+          description: 'EU AI Act requires human oversight for high-risk AI systems. Implement human-in-the-loop review, override capabilities, and escalation procedures.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-003', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'AI Training Without Bias Documentation',
+    check({ files }) {
+      const findings = [];
+      const hasTraining = [...files.values()].some(c => /model\.fit|train.*model|training.*data|fine.*tun|dataset.*load/i.test(c));
+      if (!hasTraining) return findings;
+      const hasBiasCheck = [...files.values()].some(c => /bias|fairness|disparate.*impact|demographic.*parity|equalized.*odds|protected.*class/i.test(c));
+      if (!hasBiasCheck) {
+        findings.push({ ruleId: 'COMP-EUAI-003', category: 'compliance', severity: 'medium',
+          title: 'AI model training without bias/fairness assessment',
+          description: 'EU AI Act requires high-risk AI systems to be tested for bias. Implement fairness metrics and document bias assessment results for training data and model outputs.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-004', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing AI System Transparency Disclosure',
+    check({ files }) {
+      const findings = [];
+      const hasAI = [...files.values()].some(c => /openai|anthropic|model\.predict|chatbot|ai.*assist|llm|gpt|claude/i.test(c));
+      if (!hasAI) return findings;
+      const hasDisclosure = [...files.values()].some(c => /ai.*disclosure|powered.*by.*ai|ai.*generated|artificial.*intelligence.*notice|ai.*transparency/i.test(c));
+      if (!hasDisclosure) {
+        findings.push({ ruleId: 'COMP-EUAI-004', category: 'compliance', severity: 'high',
+          title: 'AI features without user-facing transparency disclosure',
+          description: 'EU AI Act requires users to be informed when interacting with AI systems. Add clear disclosure that AI/ML is being used.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-005', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Automated Decision Without Explanation Endpoint',
+    check({ files }) {
+      const findings = [];
+      const hasAutoDecision = [...files.values()].some(c => /model\.predict|automat.*decision|risk.*score|credit.*score|eligib/i.test(c));
+      if (!hasAutoDecision) return findings;
+      const hasExplain = [...files.values()].some(c => /explain|shap|lime|feature.*importance|decision.*reason|interpretab/i.test(c));
+      if (!hasExplain) {
+        findings.push({ ruleId: 'COMP-EUAI-005', category: 'compliance', severity: 'medium',
+          title: 'AI-powered decisions without explanation mechanism',
+          description: 'Provide explanations for automated decisions. Use explainability tools (SHAP, LIME) or provide feature importance to help users understand AI decisions.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-006', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'AI-Generated Content Without Disclosure',
+    check({ files }) {
+      const findings = [];
+      const hasGenAI = [...files.values()].some(c => /generate.*text|generate.*image|ai.*generat|completion|chat.*completion|dall-e|stable.*diffusion|midjourney/i.test(c));
+      if (!hasGenAI) return findings;
+      const hasLabel = [...files.values()].some(c => /ai.*generated|generated.*by.*ai|synthetic|machine.*generated|ai.*label|watermark/i.test(c));
+      if (!hasLabel) {
+        findings.push({ ruleId: 'COMP-EUAI-006', category: 'compliance', severity: 'medium',
+          title: 'AI-generated content without disclosure/labeling',
+          description: 'EU AI Act requires AI-generated content (text, images, audio, video) to be clearly labeled. Add AI-generated labels or watermarks to synthetic content.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-EUAI-007', category: 'compliance', severity: 'critical', confidence: 'likely',
+    title: 'Emotion Recognition Without Safeguards',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/emotion.*detect|facial.*expression|sentiment.*analy|affect.*recognition|emotion.*recognition|mood.*detect/i.test(c)) {
+          if (!/consent|opt.in|safeguard|disable|exempt/i.test(c)) {
+            findings.push({ ruleId: 'COMP-EUAI-007', category: 'compliance', severity: 'critical',
+              title: 'Emotion/sentiment recognition without consent and safeguards',
+              description: 'EU AI Act restricts emotion recognition in workplaces and education. Implement explicit consent, allow opt-out, and document the purpose and safeguards.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // === NIS2 Directive Rules ===
+
+  { id: 'COMP-NIS2-001', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Incident Reporting Mechanism',
+    check({ files }) {
+      const findings = [];
+      const hasApp = [...files.keys()].some(f => /package\.json|requirements\.txt|go\.mod|Gemfile/i.test(f));
+      if (!hasApp) return findings;
+      const hasIncident = [...files.values()].some(c => /incident.*report|security.*incident|incident.*response|alert.*security|pagerduty|opsgenie/i.test(c)) ||
+        [...files.keys()].some(f => /incident/i.test(f));
+      if (!hasIncident) {
+        findings.push({ ruleId: 'COMP-NIS2-001', category: 'compliance', severity: 'high',
+          title: 'No security incident reporting mechanism',
+          description: 'NIS2 requires significant incidents to be reported within 24 hours. Implement incident detection, classification, and reporting workflows.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-NIS2-002', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'No Supply Chain Security Assessment',
+    check({ files }) {
+      const findings = [];
+      const hasDeps = [...files.keys()].some(f => /package\.json|requirements\.txt|go\.mod|Gemfile|pom\.xml/i.test(f));
+      if (!hasDeps) return findings;
+      const hasSBOM = [...files.values()].some(c => /sbom|software.*bill.*of.*materials|supply.*chain|dependency.*audit|snyk|dependabot|renovate/i.test(c)) ||
+        [...files.keys()].some(f => /sbom|supply.chain/i.test(f));
+      if (!hasSBOM) {
+        findings.push({ ruleId: 'COMP-NIS2-002', category: 'compliance', severity: 'medium',
+          title: 'No supply chain security assessment or SBOM',
+          description: 'NIS2 requires supply chain security measures. Generate Software Bill of Materials (SBOM) and implement dependency vulnerability scanning.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-NIS2-003', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing MFA for Critical Systems',
+    check({ files }) {
+      const findings = [];
+      const hasAdmin = [...files.values()].some(c => /admin|dashboard|management.*panel|backoffice|internal.*tool/i.test(c));
+      if (!hasAdmin) return findings;
+      const hasMFA = [...files.values()].some(c => /mfa|multi.factor|2fa|two.factor|totp|authenticator|otp|second.*factor/i.test(c));
+      if (!hasMFA) {
+        findings.push({ ruleId: 'COMP-NIS2-003', category: 'compliance', severity: 'high',
+          title: 'Admin/critical system access without multi-factor authentication',
+          description: 'NIS2 requires multi-factor authentication for critical system access. Implement MFA for all administrative and privileged operations.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-NIS2-004', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'No Vulnerability Disclosure Policy',
+    check({ files }) {
+      const findings = [];
+      const hasSecurityTxt = [...files.keys()].some(f => /security\.txt|\.well-known\/security/i.test(f));
+      const hasPolicy = [...files.values()].some(c => /vulnerability.*disclosure|responsible.*disclosure|bug.*bounty|security.*report/i.test(c)) ||
+        [...files.keys()].some(f => /SECURITY\.md/i.test(f));
+      if (!hasSecurityTxt && !hasPolicy) {
+        const hasApp = [...files.keys()].some(f => /package\.json|requirements\.txt|go\.mod/i.test(f));
+        if (hasApp) {
+          findings.push({ ruleId: 'COMP-NIS2-004', category: 'compliance', severity: 'medium',
+            title: 'No vulnerability disclosure policy or security.txt',
+            description: 'NIS2 requires coordinated vulnerability disclosure. Add a SECURITY.md or .well-known/security.txt with reporting instructions.',
+            fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  { id: 'COMP-NIS2-005', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Missing Business Continuity Plan',
+    check({ files }) {
+      const findings = [];
+      const hasInfra = [...files.keys()].some(f => /\.tf$|docker|kubernetes|k8s|helm|cloudformation/i.test(f));
+      if (!hasInfra) return findings;
+      const hasBCP = [...files.values()].some(c => /business.*continuity|disaster.*recovery|failover|redundan|high.*availability|backup.*strategy|recovery.*point|recovery.*time/i.test(c)) ||
+        [...files.keys()].some(f => /disaster|recovery|continuity|bcp/i.test(f));
+      if (!hasBCP) {
+        findings.push({ ruleId: 'COMP-NIS2-005', category: 'compliance', severity: 'medium',
+          title: 'Infrastructure without business continuity planning',
+          description: 'NIS2 requires business continuity management. Document recovery time objectives (RTO), recovery point objectives (RPO), and failover procedures.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;