Close three EU AI Act regulatory gaps (art. 5 carve-outs, art. 27 FRIA, art. 25 flip)#3
Merged
Merged
Conversation
…rt. 27 FRIA, art. 25 flip) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Rename test description to match what it asserts - Document id vs appliesTo distinction in ART5_CARVEOUTS - Tighten fall-through test with explicit length assertion - Treat unmapped carve-out claims as no-claim (still INTERDIT) + cover with test Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Replace permissive /FRIA|évaluation d'impact/i with /FRIA requise/ - Merge duplicate ./classify.js import Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tch codebase
Plan and C1 implementation hardcoded English 'deployer' / 'provider', but the
actual values in answers.role are French ('deployeur', 'fournisseur', ...) per
ROLES in ai-act-compass.jsx. computeRoleNotes would have silently returned
friaRequired=false for every real deployer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…II area Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…switch - DRY the art. 27 filter predicate across screen/print/clipboard paths - Reset deployerKind to null when role changes (prevent stale state linger) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…grators Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… fournisseur + tighter tests - Hoist flipsViaArt25 and broaden isGPAI_RS to cover the flip path (replaces inline disjunction) - Use 'fournisseur' instead of English 'provider' in the French flip label (matches official AI Act terminology + existing ROLES data) - Tighten 'keeps integrator note' tests with explicit RISQUE_MINIMAL assertion - Add negative-flip test asserting native GPAI providers do NOT get the art. 25 justification Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…egrators Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously, toggling a prohibition off left its carve-out key intact in prohibitionCarveOuts, so re-selecting the same prohibition would re-show the carve-out as pre-checked. The classifier ignored orphaned keys (carveOuts[id] only consulted for IDs still in answers.prohibitions), but the UX was surprising. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This was referenced May 15, 2026
abk1969
added a commit
that referenced
this pull request
May 16, 2026
Bug #1 (critical) — Step 7 systemic-risk question was hidden for art. 25 flip Integrators flipping to provider via substantialModification='oui' could never reach GPAI_RS classification because Step 7's gpaiQuestionApplicable check only matched nature==='gpai'. Now also matches the flip path: nature==='systeme_sur_gpai' && substantialModification==='oui'. canNext updated symmetrically. The classifier already supported GPAI_RS for the flip path (PR #3 D1) — this UI fix makes that path reachable. Bug #2 (important) — Prohibition short-circuit ignored carve-out claims goToResultIfProhibited jumped to verdict on ANY prohibition selection, bypassing Annex I/III/50/GPAI steps. A user with prohibition (h) + art. 5(2)-(3) carve-out claim would land on RISQUE_MINIMAL without ever being asked about Annex III §1 biometrics. Now short-circuits only if at least one selected prohibition has no claimed-and-matched carve-out. Bug #3 (copy) — q7Sub / q7NotApplicable mentioned only GPAI providers Updated EN+FR to acknowledge the art. 25 flip path so the "not applicable" message no longer contradicts a flipped integrator's status. UX note — added a cumulativity rappel to q5Sub Reminds the user that art. 5 prohibitions (step 3), Annex III §1 (step 5), and art. 50 transparency (step 6) are cumulative — same underlying tech may need ticking in multiple steps because each tests a distinct legal regime. Tests + build green at 113/113. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
abk1969
added a commit
that referenced
this pull request
May 16, 2026
The previous demo ended on a plain INTERDIT verdict after ticking subliminal techniques. The post-audit narrative is stronger: pick the most-prohibited practice (real-time remote biometric ID by law enforcement, art. 5(1)(h)), then claim the law-enforcement carve-out (art. 5(2)-(3)) — modeled by PR #3 Item A. The frame holds on both cards selected so the viewer reads "even the most-prohibited AI tech has a regulated path". Flow change: - Step 3 pick: Subliminal (art. 5(1)(a)) → Real-time RBI (art. 5(1)(h)) - After-pick: View verdict click → click the art. 5(2)-(3) carve-out card - Hold: 900 ms after verdict → 1100 ms after carve-out reveal Selectors anchor on the unique `sub` text (art. 5(1)(h), art. 5(2)-(3)) since the OptionCard's aria-label composes title + sub + desc — same strategy as e2e/parcours.spec.js. Output unchanged in shape: 1920×1080 H.264 30 fps. New duration ≈11.7 s (was 9.9 s); the extra hold on the carve-out reveal is worth it. To regenerate the MP4 release asset: node make-demo.cjs (linkedin-demo.mp4 stays gitignored — distributed via GitHub releases.) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes three regulatory gaps in
computeCategorysurfaced by the 2026-05-15 audit against Reg. (EU) 2024/1689.Feature A — art. 5(2)–(5) carve-outs (prohibitions h/f/g)
ART5_CARVEOUTSmetadata (3 entries:art. 5(2)-(3)law-enforcement RBI carve-out;art. 5(1)(f)medical/safety;art. 5(1)(g)law-enforcement / legally-acquired-dataset).computeCategorynow partitions selected prohibitions into carved-out vs un-carved-out; INTERDIT short-circuit fires only if at least one prohibition has no valid carve-out claim.Feature C — art. 27(1) FRIA applicability gating
computeRoleNotes(answers, role, lang) → { friaRequired, friaReason }implementing art. 27(1)(a) (public-body / private-public-service deployer + Annex III ≠ §2) and art. 27(1)(b) (Annex III §5 pathway).QUICKWINS.HAUT_RISQUE_ANNEXE_IIIis now hidden (screen, clipboard, PDF) unless actually required.isFriaItemhelper deduplicates the filter predicate across screen/clipboard/print paths.public_body/private_public_service/private_other) added to the role step;deployerKindcleared on role switch.Feature D — art. 25 substantial-modification provider flip
computeCategorydetectssysteme_sur_gpai+substantialModification === 'oui'and reclassifies the integrator as a GPAI (or GPAI_RS) provider.isGPAI_RSdefinition broadened to cover both native GPAI providers and flipped integrators.substantialModificationcleared on nature switch.Tests
classify.test.js, 7 ini18n.test.js).describeblocks.classify.js; 96.3% branch.art. 25flip justification).Regulatory citations verified
Deferred follow-up
Reg. 2024/1689 art. 27(1)(b) specifically names Annex III §5(b) credit-scoring and §5(c) life/health insurance. The current UI exposes Annex III §5 as a single bucket without sub-items (a)/(b)/(c)/(d), so
computeRoleNotestriggers FRIA on any §5 selection — conservative (false-positive) but not strictly precise. Splitting §5 into sub-items requires UI + data changes worth a separate PR.Test plan
art. 27(1)(a)reasonart. 27(1)(b)reasonoui+ systemic risk =oui→ primary = GPAI_RS, art. 25 flip note in justificationsnon→ primary = RISQUE_MINIMAL,art. 25 + art. 53integrator note present (no flip)🤖 Generated with Claude Code