Add export-control data transfer guard

export-control-data-transfer-guard/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "export-control-data-transfer-guard",
+  "version": "1.0.0",
+  "description": "Deterministic export-control and restricted-data transfer readiness guard for scientific bounty challenges.",
+  "type": "module",
+  "scripts": {
+    "demo": "node scripts/demo.js",
+    "test": "node --test test/*.test.js"
+  },
+  "license": "MIT"
+}

export-control-data-transfer-guard/readme.md

@@ -0,0 +1,58 @@
+# Export-Control Data Transfer Guard
+
+This module adds an export-control and restricted-data transfer readiness guard for the Scientific Bounty System in issue #18.
+
+The slice focuses on a gap that appears before a global scientific challenge is published: whether the sponsor can safely open challenge materials, data rooms, participation, and prize payouts across jurisdictions.
+
+## Why This Matters
+
+Scientific bounty challenges can involve dual-use research, controlled biological material, genomic data, clinical trial data, geolocation data, or cross-border teams. A platform should not release these materials simply because a challenge has a prize and rubric. It needs a deterministic hold/revise/release check before:
+
+- public challenge publication,
+- private data-room access,
+- solver workspace provisioning,
+- reviewer access,
+- payout release,
+- IP handoff after payment.
+
+## Implemented Scope
+
+- Detects sensitive challenge topics such as dual-use, controlled biological agent, encryption research, satellite imagery, advanced semiconductor, and autonomous weapons.
+- Detects high-risk data types such as human-subject data, genomic data, clinical trial data, geolocation precision, and critical infrastructure data.
+- Blocks restricted participant jurisdictions until legal review clears eligibility.
+- Requires export classification for sensitive topics.
+- Requires a data-use agreement for restricted data.
+- Requires auditable cross-border data-room access logs.
+- Requires an NDA workflow when a challenge says an NDA is needed.
+- Requires payout sanctions or payout-eligibility screening before reward release.
+- Generates a deterministic reviewer transfer manifest.
+
+## Decision Model
+
+- `hold`: at least one blocker exists, so publication or data-room access should not open.
+- `revise`: no blockers, but missing audit controls should be remediated before launch.
+- `release`: no blockers or warnings.
+
+## Local Validation
+
+```bash
+npm test
+npm run demo
+```
+
+## Files
+
+- `src/index.js`: no-dependency evaluator and manifest builder.
+- `test/index.test.js`: node:test coverage for hold, revise, release, and manifest generation.
+- `scripts/demo.js`: emits blocked and releasable sample manifests.
+- `reports/export-control-transfer-report.md`: reviewer-facing summary.
+- `reports/export-control-transfer-manifest.json`: deterministic sample manifest output.
+
+## Out of Scope
+
+- Live legal advice.
+- Payment processing.
+- Wallets, Stripe, tax systems, or sanctions APIs.
+- Private challenge data, participant PII, or credentials.
+- Automated publication to external portals.
+

export-control-data-transfer-guard/reports/export-control-transfer-manifest.json

@@ -0,0 +1,98 @@
+{
+  "blocked": {
+    "challengeId": "bio-agent-open-prize",
+    "generatedAt": "2026-06-05T12:40:00.000Z",
+    "decision": "hold",
+    "dataRoom": {
+      "crossBorder": true,
+      "dataTypes": [
+        "genomic-data",
+        "clinical-trial-data"
+      ],
+      "accessLogRequired": true
+    },
+    "eligibility": {
+      "participantCountries": [
+        "US",
+        "DE",
+        "IR"
+      ],
+      "restrictedJurisdictionPresent": true,
+      "payoutScreeningRequired": true
+    },
+    "controls": {
+      "exportClassification": "",
+      "dataUseAgreement": false,
+      "dataRoomAccessLog": false,
+      "ndaWorkflow": false,
+      "payoutSanctionsScreening": false
+    },
+    "findings": [
+      {
+        "severity": "blocker",
+        "code": "missing-export-classification",
+        "message": "Sensitive challenge topics require export classification before release: controlled-biological-agent.",
+        "remediation": "Hold publication until a responsible reviewer records export-control classification or confirms the challenge is not controlled."
+      },
+      {
+        "severity": "blocker",
+        "code": "restricted-participant-jurisdiction",
+        "message": "Participant country list includes restricted jurisdictions: IR.",
+        "remediation": "Do not open the challenge to these participants until legal review approves eligibility and payout routing."
+      },
+      {
+        "severity": "blocker",
+        "code": "missing-data-use-agreement",
+        "message": "Restricted or privacy-sensitive data types require a data-use agreement: genomic-data, clinical-trial-data.",
+        "remediation": "Require a signed data-use agreement before granting access to challenge data or submission workspaces."
+      },
+      {
+        "severity": "warning",
+        "code": "missing-transfer-audit-log",
+        "message": "Cross-border participation or shared data rooms require an auditable access log.",
+        "remediation": "Enable immutable data-room access logging before releasing controlled datasets."
+      },
+      {
+        "severity": "warning",
+        "code": "missing-nda-workflow",
+        "message": "Challenge requires NDA handling, but no NDA workflow is attached.",
+        "remediation": "Attach NDA routing, acceptance timestamps, and revocation steps before submissions open."
+      },
+      {
+        "severity": "warning",
+        "code": "missing-payout-screening",
+        "message": "Prize payout is configured without sanctions or payout-eligibility screening.",
+        "remediation": "Screen recipients before reward release and record the screening decision with the payout manifest."
+      }
+    ]
+  },
+  "releasable": {
+    "challengeId": "open-climate-forecast",
+    "generatedAt": "2026-06-05T12:40:00.000Z",
+    "decision": "release",
+    "dataRoom": {
+      "crossBorder": false,
+      "dataTypes": [
+        "public-weather-data"
+      ],
+      "accessLogRequired": false
+    },
+    "eligibility": {
+      "participantCountries": [
+        "US",
+        "CA",
+        "GB"
+      ],
+      "restrictedJurisdictionPresent": false,
+      "payoutScreeningRequired": true
+    },
+    "controls": {
+      "exportClassification": "public-ear99-confirmed",
+      "dataUseAgreement": true,
+      "dataRoomAccessLog": true,
+      "ndaWorkflow": true,
+      "payoutSanctionsScreening": true
+    },
+    "findings": []
+  }
+}

export-control-data-transfer-guard/reports/export-control-transfer-report.md

@@ -0,0 +1,51 @@
+# Export-Control Data Transfer Guard Report
+
+Generated: 2026-06-05T12:40:00.000Z
+
+## Reviewer Summary
+
+This guard prevents a Scientific Bounty System challenge from opening data-room access, solver workspaces, or reward release before export-control and restricted-data transfer risks are cleared.
+
+## Blocked Sample
+
+Challenge: `bio-agent-open-prize`
+
+Decision: `hold`
+
+Blockers:
+
+- Missing export classification for `controlled-biological-agent`.
+- Restricted participant jurisdiction present: `IR`.
+- Missing data-use agreement for `genomic-data` and `clinical-trial-data`.
+
+Warnings:
+
+- Missing cross-border transfer audit log.
+- Missing NDA workflow.
+- Missing payout sanctions or payout-eligibility screening.
+
+Required action:
+
+Resolve all blocker findings before challenge publication or data-room access. Add audit controls before opening private workspaces or payout routing.
+
+## Releasable Sample
+
+Challenge: `open-climate-forecast`
+
+Decision: `release`
+
+Reason:
+
+The challenge uses public weather data, has no restricted topic hits, records export classification, includes a data-use agreement, enables access logging, and screens payout eligibility.
+
+## Issue #18 Fit
+
+This maps to the Scientific Bounty System requirements by adding a pre-publication trust gate for:
+
+- challenge posting readiness,
+- secure submission workspaces,
+- private data-room access,
+- arbitration evidence,
+- prize payout routing,
+- IP handoff after payment.
+

export-control-data-transfer-guard/scripts/demo.js

@@ -0,0 +1,13 @@
+import {
+  buildTransferManifest,
+  evaluateExportControlReadiness,
+  sampleChallenges,
+} from '../src/index.js';
+
+const blockedEvaluation = evaluateExportControlReadiness(sampleChallenges.blocked);
+const releasableEvaluation = evaluateExportControlReadiness(sampleChallenges.releasable);
+
+console.log(JSON.stringify({
+  blocked: buildTransferManifest(sampleChallenges.blocked, blockedEvaluation),
+  releasable: buildTransferManifest(sampleChallenges.releasable, releasableEvaluation),
+}, null, 2));