getdoorman 1.0.0

package/src/rules/compliance/regional-international.js

@@ -0,0 +1,903 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+
+// --- Shared helper functions for common compliance checks ---
+
+function hasUserData(files) {
+  return [...files.values()].some(c =>
+    c.includes('email') || c.includes('password') || c.includes('phone') ||
+    c.includes('address') || c.includes('firstName') || c.includes('lastName') ||
+    c.includes('first_name') || c.includes('last_name') || c.includes('user_name') ||
+    c.includes('username') || c.includes('dateOfBirth') || c.includes('date_of_birth') ||
+    c.includes('personalData') || c.includes('personal_data') || c.includes('cpf') ||
+    c.includes('ssn') || c.includes('national_id')
+  );
+}
+
+function hasConsentMechanism(files) {
+  return [...files.values()].some(c =>
+    c.includes('consent') || c.includes('Consent') || c.includes('CONSENT') ||
+    c.includes('opt-in') || c.includes('optIn') || c.includes('opt_in') ||
+    c.includes('agreeToTerms') || c.includes('agree_to_terms') ||
+    c.includes('acceptTerms') || c.includes('accept_terms') ||
+    c.includes('consentimiento') || c.includes('consentimento')
+  );
+}
+
+function hasPrivacyPolicy(files) {
+  const hasPage = [...files.keys()].some(f =>
+    f.match(/privacy/i) || f.match(/privacypolicy/i) || f.match(/privacy-policy/i)
+  );
+  const hasLink = [...files.values()].some(c =>
+    c.includes('/privacy') || c.includes('privacy-policy') || c.includes('privacy policy') ||
+    c.includes('privacyPolicy') || c.includes('privacy_policy')
+  );
+  return hasPage || hasLink;
+}
+
+function hasDataDeletionEndpoint(files) {
+  return [...files.entries()].some(([f, c]) =>
+    isSourceFile(f) &&
+    (c.includes('delete') || c.includes('DELETE') || c.includes('destroy') || c.includes('erase') || c.includes('purge')) &&
+    (c.includes('user') || c.includes('account') || c.includes('profile') || c.includes('personal'))
+  );
+}
+
+function hasDataAccessEndpoint(files) {
+  return [...files.entries()].some(([f, c]) =>
+    isSourceFile(f) &&
+    (c.includes('export') || c.includes('download') || c.includes('portability') || c.includes('getMyData') || c.includes('get_my_data')) &&
+    (c.includes('user') || c.includes('account') || c.includes('personal') || c.includes('profile'))
+  );
+}
+
+function hasDataRetentionPolicy(files) {
+  return [...files.values()].some(c =>
+    c.includes('retention') || c.includes('ttl') || c.includes('TTL') ||
+    c.includes('expir') || c.includes('cleanup') || c.includes('purge') ||
+    c.includes('data_retention') || c.includes('dataRetention') ||
+    c.includes('retentionPeriod') || c.includes('retention_period')
+  );
+}
+
+function hasCrossBorderTransfer(files) {
+  return [...files.values()].some(c =>
+    c.includes('amazonaws.com') || c.includes('googleapis.com') ||
+    c.includes('azure.') || c.includes('cloudflare') ||
+    c.includes('sendgrid') || c.includes('twilio') ||
+    c.includes('stripe') || c.includes('firebase') ||
+    c.includes('analytics') || c.includes('sentry') ||
+    c.includes('segment') || c.includes('mixpanel')
+  );
+}
+
+function hasBreachNotification(files) {
+  return [...files.values()].some(c =>
+    c.includes('breach') || c.includes('incident') ||
+    c.includes('dataBreachNotif') || c.includes('data_breach') ||
+    c.includes('securityIncident') || c.includes('security_incident') ||
+    c.includes('notifyBreach') || c.includes('notify_breach') ||
+    c.includes('incidentResponse') || c.includes('incident_response')
+  );
+}
+
+function hasDPO(files) {
+  return [...files.values()].some(c =>
+    c.includes('dpo') || c.includes('DPO') ||
+    c.includes('dataProtectionOfficer') || c.includes('data_protection_officer') ||
+    c.includes('privacyOfficer') || c.includes('privacy_officer') ||
+    c.includes('encarregado')
+  );
+}
+
+function hasImpactAssessment(files) {
+  return [...files.values()].some(c =>
+    c.includes('dpia') || c.includes('DPIA') ||
+    c.includes('impactAssessment') || c.includes('impact_assessment') ||
+    c.includes('privacyImpact') || c.includes('privacy_impact') ||
+    c.includes('dataProtectionImpact') || c.includes('data_protection_impact')
+  );
+}
+
+function hasSensitiveData(files) {
+  return [...files.values()].some(c =>
+    c.includes('health') || c.includes('medical') || c.includes('biometric') ||
+    c.includes('genetic') || c.includes('racial') || c.includes('ethnic') ||
+    c.includes('religion') || c.includes('political') || c.includes('sexual') ||
+    c.includes('criminal') || c.includes('fingerprint') || c.includes('faceId') ||
+    c.includes('face_id')
+  );
+}
+
+function hasMinorDetection(files) {
+  // Only match if the project explicitly deals with minors (not just any mention of "age" or "child")
+  return [...files.entries()].some(([fp, c]) =>
+    (fp.endsWith('package.json') || fp.endsWith('.json')) &&
+    /coppa|kids.*app|children.*platform|parental.*consent|minor.*protect/i.test(c)
+  );
+}
+
+function hasParentalConsent(files) {
+  return [...files.values()].some(c =>
+    c.includes('parentalConsent') || c.includes('parental_consent') ||
+    c.includes('parentConsent') || c.includes('parent_consent') ||
+    c.includes('guardianConsent') || c.includes('guardian_consent') ||
+    c.includes('verifyParent') || c.includes('verify_parent') ||
+    c.includes('parentVerif') || c.includes('parent_verif')
+  );
+}
+
+function hasMarketingFeatures(files) {
+  return [...files.values()].some(c =>
+    c.includes('newsletter') || c.includes('marketing') || c.includes('promotional') ||
+    c.includes('subscribe') || c.includes('campaign') || c.includes('emailBlast') ||
+    c.includes('email_blast') || c.includes('pushNotif')
+  );
+}
+
+function hasOptOut(files) {
+  return [...files.values()].some(c =>
+    c.includes('opt-out') || c.includes('optOut') || c.includes('opt_out') ||
+    c.includes('unsubscribe') || c.includes('Unsubscribe') || c.includes('UNSUBSCRIBE') ||
+    c.includes('doNotTrack') || c.includes('do_not_track') ||
+    c.includes('removeFromList') || c.includes('remove_from_list')
+  );
+}
+
+function hasGovernmentId(files) {
+  return [...files.values()].some(c =>
+    c.includes('tfn') || c.includes('TFN') ||
+    c.includes('medicare') || c.includes('Medicare') ||
+    c.includes('taxFileNumber') || c.includes('tax_file_number') ||
+    c.includes('governmentId') || c.includes('government_id') ||
+    c.includes('nationalId') || c.includes('national_id') ||
+    c.includes('driverLicense') || c.includes('driver_license') ||
+    c.includes('passportNumber') || c.includes('passport_number')
+  );
+}
+
+function hasGrievanceMechanism(files) {
+  return [...files.values()].some(c =>
+    c.includes('grievance') || c.includes('complaint') || c.includes('Complaint') ||
+    c.includes('redressal') || c.includes('dispute') || c.includes('feedback') ||
+    c.includes('contactDpo') || c.includes('contact_dpo') ||
+    c.includes('grievanceOfficer') || c.includes('grievance_officer') ||
+    c.includes('complaintForm') || c.includes('complaint_form')
+  );
+}
+
+function hasThirdPartySharing(files) {
+  return [...files.values()].some(c =>
+    c.includes('thirdParty') || c.includes('third_party') || c.includes('third-party') ||
+    c.includes('shareWith') || c.includes('share_with') ||
+    c.includes('partnerApi') || c.includes('partner_api') ||
+    c.includes('externalService') || c.includes('external_service') ||
+    c.includes('vendorApi') || c.includes('vendor_api')
+  );
+}
+
+function hasPurposeSpecification(files) {
+  return [...files.values()].some(c =>
+    c.includes('purpose') || c.includes('Purpose') ||
+    c.includes('purposeOfUse') || c.includes('purpose_of_use') ||
+    c.includes('dataUsagePurpose') || c.includes('data_usage_purpose') ||
+    c.includes('collectionPurpose') || c.includes('collection_purpose') ||
+    c.includes('processingPurpose') || c.includes('processing_purpose')
+  );
+}
+
+function hasExplicitConsent(files) {
+  return [...files.values()].some(c =>
+    c.includes('explicitConsent') || c.includes('explicit_consent') ||
+    c.includes('expressConsent') || c.includes('express_consent') ||
+    c.includes('consentExplicit') || c.includes('consent_explicit') ||
+    c.includes('informedConsent') || c.includes('informed_consent')
+  );
+}
+
+function hasUserFacingApp(files) {
+  return [...files.values()].some(c =>
+    c.includes('signup') || c.includes('login') || c.includes('register') ||
+    c.includes('<form') || c.includes('createUser') || c.includes('create_user') ||
+    c.includes('signUp') || c.includes('sign_up') || c.includes('createAccount')
+  );
+}
+
+function hasHealthData(files) {
+  return [...files.values()].some(c =>
+    c.includes('health') || c.includes('Health') || c.includes('medical') ||
+    c.includes('Medical') || c.includes('diagnosis') || c.includes('patient') ||
+    c.includes('prescription') || c.includes('symptom') || c.includes('treatment')
+  );
+}
+
+function hasAdequacyCheck(files) {
+  return [...files.values()].some(c =>
+    c.includes('adequacy') || c.includes('standardContractualClause') ||
+    c.includes('standard_contractual_clause') || c.includes('scc') ||
+    c.includes('bindingCorporateRules') || c.includes('binding_corporate_rules') ||
+    c.includes('dataTransferAgreement') || c.includes('data_transfer_agreement') ||
+    c.includes('crossBorderCompliance') || c.includes('cross_border_compliance')
+  );
+}
+
+function hasLegalBasis(files) {
+  return [...files.values()].some(c =>
+    c.includes('legalBasis') || c.includes('legal_basis') ||
+    c.includes('lawfulBasis') || c.includes('lawful_basis') ||
+    c.includes('legitimateInterest') || c.includes('legitimate_interest') ||
+    c.includes('contractualNecessity') || c.includes('contractual_necessity') ||
+    c.includes('vitalInterest') || c.includes('vital_interest')
+  );
+}
+
+
+const rules = [
+  // ===== Brazil LGPD (Lei Geral de Protecao de Dados) =====
+
+  {
+    id: 'COMP-LGPD-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LGPD: No Legal Basis for Processing',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasLegalBasis(files) && !hasConsentMechanism(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-001', category: 'compliance', severity: 'high',
+          title: 'Collecting personal data without documented legal basis',
+          description: 'Brazil\'s LGPD (Art. 7) requires a legal basis for all personal data processing. Implement consent collection or document another legal basis (contract, legal obligation, legitimate interest, etc.).',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-002',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'LGPD: Missing DPO / Encarregado Reference',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasDPO(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-002', category: 'compliance', severity: 'medium',
+          title: 'App processing personal data without DPO/encarregado reference',
+          description: 'LGPD (Art. 41) requires appointment of a Data Protection Officer (encarregado). Add DPO contact info or reference in your application.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-003',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LGPD: No Consent Management',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasConsentMechanism(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-003', category: 'compliance', severity: 'high',
+          title: 'Personal data processing without consent collection or management',
+          description: 'LGPD (Art. 8) requires that consent be free, informed, and unambiguous. Implement a consent management mechanism that records and tracks user consent.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LGPD: Cross-Border Transfer Without Adequacy',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasCrossBorderTransfer(files) && !hasAdequacyCheck(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-004', category: 'compliance', severity: 'high',
+          title: 'Data transferred to external services without adequacy check',
+          description: 'LGPD (Art. 33) restricts international data transfers to countries with adequate data protection or with specific safeguards (standard contractual clauses, binding corporate rules). Document your transfer basis.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LGPD: No Data Subject Rights Endpoints',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      const hasAccess = hasDataAccessEndpoint(files);
+      const hasDeletion = hasDataDeletionEndpoint(files);
+      if (!hasAccess || !hasDeletion) {
+        findings.push({
+          ruleId: 'COMP-LGPD-005', category: 'compliance', severity: 'high',
+          title: 'No endpoints for data subject access, correction, or deletion requests',
+          description: 'LGPD (Art. 18) grants data subjects the right to access, correct, anonymize, block, or delete their data. Provide API endpoints or UI flows for these requests.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-006',
+    category: 'compliance',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'LGPD: Children\'s Data Without Parental Consent',
+    check({ files }) {
+      const findings = [];
+      if (hasMinorDetection(files) && !hasParentalConsent(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-006', category: 'compliance', severity: 'critical',
+          title: 'Age/minor detection without parental consent flow',
+          description: 'LGPD (Art. 14) requires that processing of children\'s and adolescents\' personal data be done with specific and prominent consent from a parent or legal guardian. Implement a parental consent verification flow.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-007',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'LGPD: No Data Impact Assessment',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasSensitiveData(files) && !hasImpactAssessment(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-007', category: 'compliance', severity: 'medium',
+          title: 'Processing sensitive data without DPIA/impact assessment reference',
+          description: 'LGPD (Art. 38) allows the ANPD to require a Data Protection Impact Assessment for processing that may generate risks to civil liberties. Conduct a DPIA when processing sensitive personal data.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-LGPD-008',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'LGPD: Missing Data Breach Notification',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasBreachNotification(files)) {
+        findings.push({
+          ruleId: 'COMP-LGPD-008', category: 'compliance', severity: 'high',
+          title: 'No breach/incident notification mechanism',
+          description: 'LGPD (Art. 48) requires the controller to communicate to the ANPD and affected data subjects any security incident that may result in risk or damage. Implement breach detection and notification procedures.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // ===== Canada PIPEDA =====
+
+  {
+    id: 'COMP-PIPEDA-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'PIPEDA: Collection Without Knowledge and Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasConsentMechanism(files) && !hasPrivacyPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-PIPEDA-001', category: 'compliance', severity: 'high',
+          title: 'Collecting personal information without informing users or obtaining consent',
+          description: 'PIPEDA Principle 3 requires knowledge and consent for the collection, use, or disclosure of personal information. Implement clear notice and consent mechanisms.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-PIPEDA-002',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'PIPEDA: Data Retained Beyond Purpose',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasDataRetentionPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-PIPEDA-002', category: 'compliance', severity: 'medium',
+          title: 'No data retention or cleanup policy detected',
+          description: 'PIPEDA Principle 5 requires that personal information be retained only as long as necessary for the identified purposes. Implement data retention policies with TTL or scheduled cleanup.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-PIPEDA-003',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'PIPEDA: No Individual Access Mechanism',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasDataAccessEndpoint(files)) {
+        findings.push({
+          ruleId: 'COMP-PIPEDA-003', category: 'compliance', severity: 'high',
+          title: 'No endpoint for individuals to access their personal data',
+          description: 'PIPEDA Principle 9 gives individuals the right to access their personal information held by an organization. Provide a data access or export endpoint.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-PIPEDA-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'PIPEDA: Cross-Border Transfer Without Protection',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasCrossBorderTransfer(files) && !hasAdequacyCheck(files) && !hasPrivacyPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-PIPEDA-004', category: 'compliance', severity: 'high',
+          title: 'Data sent to external services without documented safeguards',
+          description: 'PIPEDA requires that transfers to third parties (including cross-border) maintain a comparable level of protection. Document your safeguards and notify individuals of foreign transfers in your privacy policy.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-PIPEDA-005',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'PIPEDA: No Accountability Officer',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasDPO(files)) {
+        findings.push({
+          ruleId: 'COMP-PIPEDA-005', category: 'compliance', severity: 'medium',
+          title: 'No privacy officer or accountability designation found',
+          description: 'PIPEDA Principle 1 (Accountability) requires an organization to designate a person responsible for compliance. Designate a privacy officer and make their contact information available.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-PIPEDA-006',
+    category: 'compliance',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'PIPEDA: Sensitive Data Without Explicit Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasSensitiveData(files) && !hasExplicitConsent(files)) {
+        const hasAnyConsent = hasConsentMechanism(files);
+        if (!hasAnyConsent) {
+          findings.push({
+            ruleId: 'COMP-PIPEDA-006', category: 'compliance', severity: 'critical',
+            title: 'Processing health/financial/biometric data without explicit consent',
+            description: 'PIPEDA requires express (explicit) consent for sensitive personal information such as health, financial, or biometric data. Implement an explicit consent flow for sensitive data categories.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ===== Australia Privacy Act (APPs) =====
+
+  {
+    id: 'COMP-APL-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Australian Privacy: No Privacy Policy for APP Entities',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasPrivacyPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-APL-001', category: 'compliance', severity: 'high',
+          title: 'App collecting data without a privacy policy',
+          description: 'Australian Privacy Principle 1 (APP 1) requires APP entities to have a clearly expressed and up-to-date privacy policy about how they manage personal information. Add a privacy policy page or link.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APL-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Australian Privacy: Cross-Border Disclosure Without Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasCrossBorderTransfer(files) && !hasConsentMechanism(files) && !hasAdequacyCheck(files)) {
+        findings.push({
+          ruleId: 'COMP-APL-002', category: 'compliance', severity: 'high',
+          title: 'Sending data overseas without user notification or safeguards',
+          description: 'APP 8 requires that before disclosing personal information to an overseas recipient, the entity must take reasonable steps to ensure the recipient complies with the APPs, or obtain consent after informing of risks.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APL-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Australian Privacy: Direct Marketing Without Opt-Out',
+    check({ files }) {
+      const findings = [];
+      if (hasMarketingFeatures(files) && !hasOptOut(files)) {
+        findings.push({
+          ruleId: 'COMP-APL-003', category: 'compliance', severity: 'medium',
+          title: 'Marketing or promotional features without unsubscribe/opt-out',
+          description: 'APP 7 restricts use/disclosure of personal information for direct marketing and requires a simple opt-out mechanism. Add an unsubscribe or opt-out mechanism for all marketing communications.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APL-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Australian Privacy: No Data Breach Notification',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasBreachNotification(files)) {
+        findings.push({
+          ruleId: 'COMP-APL-004', category: 'compliance', severity: 'high',
+          title: 'No notifiable data breach scheme compliance',
+          description: 'The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act requires entities to notify the OAIC and affected individuals of eligible data breaches. Implement breach detection and notification procedures.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APL-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Australian Privacy: Government Identifiers Collected',
+    check({ files }) {
+      const findings = [];
+      if (hasGovernmentId(files)) {
+        // Check if there is a stated necessity or lawful purpose
+        const hasNecessity = [...files.values()].some(c =>
+          c.includes('verification') || c.includes('identity') || c.includes('kyc') ||
+          c.includes('KYC') || c.includes('identityVerif')
+        );
+        if (!hasNecessity) {
+          findings.push({
+            ruleId: 'COMP-APL-005', category: 'compliance', severity: 'high',
+            title: 'Storing government ID numbers (TFN, Medicare, etc.) without demonstrated necessity',
+            description: 'APP 9 restricts adoption, use, or disclosure of government-related identifiers. Only collect government identifiers when required by law or for identity verification purposes, and document the necessity.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APL-006',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Australian Privacy: Health Info Without Extra Safeguards',
+    check({ files }) {
+      const findings = [];
+      if (hasHealthData(files) && !hasExplicitConsent(files)) {
+        const hasHealthSafeguard = [...files.values()].some(c =>
+          c.includes('healthConsent') || c.includes('health_consent') ||
+          c.includes('medicalConsent') || c.includes('medical_consent') ||
+          c.includes('sensitiveConsent') || c.includes('sensitive_consent')
+        );
+        if (!hasHealthSafeguard && !hasConsentMechanism(files)) {
+          findings.push({
+            ruleId: 'COMP-APL-006', category: 'compliance', severity: 'high',
+            title: 'Health data processing without additional protections',
+            description: 'Health information is classified as sensitive information under the Privacy Act and requires explicit consent (APP 3) and additional safeguards. Implement explicit consent for health data collection and enhanced security measures.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ===== India DPDPA (Digital Personal Data Protection Act) =====
+
+  {
+    id: 'COMP-DPDPA-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'DPDPA: Processing Without Consent or Notice',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasConsentMechanism(files) && !hasPrivacyPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-DPDPA-001', category: 'compliance', severity: 'high',
+          title: 'Collecting personal data without clear notice or consent',
+          description: 'India\'s DPDPA (Sec. 5-6) requires that personal data be processed only with the consent of the data principal, preceded by a clear and itemized notice. Implement a consent flow with an accompanying notice describing the data collected and its purpose.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-DPDPA-002',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'DPDPA: No Grievance Redressal Mechanism',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasGrievanceMechanism(files)) {
+        findings.push({
+          ruleId: 'COMP-DPDPA-002', category: 'compliance', severity: 'medium',
+          title: 'No complaint or grievance mechanism for data principals',
+          description: 'DPDPA (Sec. 13) requires data fiduciaries to provide a readily available means for data principals to make grievances. Implement a grievance redressal mechanism or complaint form.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-DPDPA-003',
+    category: 'compliance',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'DPDPA: Children\'s Data Without Verifiable Parental Consent',
+    check({ files }) {
+      const findings = [];
+      if (hasMinorDetection(files) && !hasParentalConsent(files)) {
+        findings.push({
+          ruleId: 'COMP-DPDPA-003', category: 'compliance', severity: 'critical',
+          title: 'Processing minor\'s data without verifiable parental consent',
+          description: 'DPDPA (Sec. 9) requires verifiable consent of a parent or lawful guardian before processing a child\'s personal data. Implement age verification and a parental consent flow.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-DPDPA-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'DPDPA: No Data Principal Rights',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      const hasAccess = hasDataAccessEndpoint(files);
+      const hasDeletion = hasDataDeletionEndpoint(files);
+      if (!hasAccess || !hasDeletion) {
+        findings.push({
+          ruleId: 'COMP-DPDPA-004', category: 'compliance', severity: 'high',
+          title: 'No mechanism for data principal access, correction, or erasure',
+          description: 'DPDPA (Sec. 11-12) grants data principals the right to access, correct, and erase their personal data. Provide endpoints or UI flows for these rights.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-DPDPA-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'DPDPA: Cross-Border Transfer to Non-Approved Country',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasCrossBorderTransfer(files)) {
+        const hasGovApproval = [...files.values()].some(c =>
+          c.includes('approvedCountry') || c.includes('approved_country') ||
+          c.includes('whitelistedCountry') || c.includes('whitelisted_country') ||
+          c.includes('allowedJurisdiction') || c.includes('allowed_jurisdiction') ||
+          c.includes('transferApproval') || c.includes('transfer_approval')
+        );
+        if (!hasGovApproval && !hasAdequacyCheck(files)) {
+          findings.push({
+            ruleId: 'COMP-DPDPA-005', category: 'compliance', severity: 'high',
+            title: 'Data transfer without government approval reference for destination country',
+            description: 'DPDPA (Sec. 16) permits cross-border transfer of personal data only to countries notified by the Central Government. Document compliance with approved transfer destinations or obtain government approval.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ===== Japan APPI (Act on the Protection of Personal Information) =====
+
+  {
+    id: 'COMP-APPI-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'APPI: No Purpose of Use Specification',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (!hasPurposeSpecification(files) && !hasPrivacyPolicy(files)) {
+        findings.push({
+          ruleId: 'COMP-APPI-001', category: 'compliance', severity: 'high',
+          title: 'Collecting data without stated purpose of use',
+          description: 'Japan\'s APPI (Art. 17-18) requires a business operator to specify the purpose of use of personal information as concretely as possible and to notify or publicize it. Clearly state the purpose of data collection.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APPI-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'APPI: Third-Party Provision Without Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasThirdPartySharing(files) && !hasConsentMechanism(files)) {
+        findings.push({
+          ruleId: 'COMP-APPI-002', category: 'compliance', severity: 'high',
+          title: 'Sharing data with third parties without obtaining user consent',
+          description: 'APPI (Art. 27) requires prior consent of the individual before providing personal data to a third party (with limited exceptions). Obtain consent before sharing data with third-party services.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APPI-003',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'APPI: Cross-Border Transfer Without Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasCrossBorderTransfer(files) && !hasConsentMechanism(files) && !hasAdequacyCheck(files)) {
+        findings.push({
+          ruleId: 'COMP-APPI-003', category: 'compliance', severity: 'high',
+          title: 'International data transfer without user agreement or adequacy basis',
+          description: 'APPI (Art. 28) restricts cross-border transfers of personal data unless the recipient is in a country with equivalent protections, the recipient has adequate safeguards, or the individual has consented. Implement appropriate safeguards.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APPI-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'APPI: No Opt-Out Mechanism',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserFacingApp(files) || !hasUserData(files)) return findings;
+      if (hasThirdPartySharing(files) && !hasOptOut(files)) {
+        findings.push({
+          ruleId: 'COMP-APPI-004', category: 'compliance', severity: 'medium',
+          title: 'No mechanism to opt out of data sharing with third parties',
+          description: 'APPI (Art. 27) provides an opt-out exception for third-party provision, but requires providing an opt-out mechanism and notifying the PPC. Implement an opt-out mechanism for data sharing.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-APPI-005',
+    category: 'compliance',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'APPI: Sensitive Personal Info Without Explicit Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasUserData(files)) return findings;
+      if (hasSensitiveData(files) && !hasExplicitConsent(files)) {
+        const hasAnyConsent = hasConsentMechanism(files);
+        if (!hasAnyConsent) {
+          findings.push({
+            ruleId: 'COMP-APPI-005', category: 'compliance', severity: 'critical',
+            title: 'Processing special care-required personal info (race, creed, health, criminal record) without explicit consent',
+            description: 'APPI (Art. 20) prohibits acquiring special care-required personal information without the prior consent of the individual. Implement explicit consent for any sensitive data categories.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;