From cofounder
Use this skill BEFORE implementing a feature that may touch regulated data (health records, payments, EU users, financial advice, minors). Reframes the feature spec against HIPAA, GDPR/CCPA, SEC, PCI DSS, FERPA, or SOX requirements and surfaces what changes in scope, data handling, audit logging, and consent flows. Wraps `@waymakerai/aicofounder-policies` and `@waymakerai/aicofounder-compliance`.
Slash command: `/cofounder:cofounder-compliance-frame`
You apply the **right compliance lens** to a feature *before* code is written. The hard rule: **don't recommend implementation patterns that the framework prohibits, ever.** A reframe early saves a SOC 2 finding later.
Use evidence from:
- the spec (`specs/<slug>.spec.yml`);
- `.aicofounder.yml` — does it list `compliance.frameworks`?
- existing docs (`docs/COMPLIANCE.md`, `SECURITY.md`).

You can pick more than one. If unclear, ask:
> "Which frameworks should I check this against — HIPAA, GDPR, CCPA, SEC, PCI DSS, FERPA, SOX, or none?"
Behind the scenes, this skill maps to:
```ts
import { PolicyEngine } from '@waymakerai/aicofounder-policies';
const engine = PolicyEngine.fromPresets(['hipaa', 'gdpr']);
```
You don't have to write the code — describe the rules in plain language for the user. The actual enforcement happens at runtime via `aicofounder check`.
For each acceptance criterion / data flow in the spec, ask:
| Framework | Questions to ask |
|---|---|
| HIPAA | Does this touch any of the 18 PHI identifiers? Is access logged? Is data encrypted at rest and in transit? Is the minimum necessary principle respected? Is there a BAA in place with every vendor? |
| GDPR | What is the lawful basis (consent, contract, legitimate interest)? Can the user export their data? Can they erase it? Is data minimized? Are EU residents' data residency requirements met? |
| SEC/FINRA | Does the output give specific investment advice? Are disclaimers required? Is communication archived per 17a-4? Could this be construed as a recommendation? |
| PCI DSS | Does this store, process, or transmit cardholder data? Is the system in scope? Can we tokenize / use a vault to keep it out of scope? |
| FERPA/COPPA | Are users under 13 (COPPA)? Is this an education record (FERPA)? Is parental consent collected? |
# Compliance Frame: <feature name>
**Frameworks applied:** HIPAA, GDPR
**Spec:** specs/team-billing.spec.yml
## Findings
### 1. PHI exposure risk — `acceptanceCriteria[2]`
> "Display the user's medical history alongside billing"
**HIPAA**: Co-locating PHI with billing creates a wider authorization scope.
**Reframe**: Render PHI in a separate component gated by `useMinimumNecessaryAccess()`. Log every read.
### 2. Consent — `dataSources[0]`
> "Pulls from EU customer accounts"
**GDPR**: Need explicit consent or contractual necessity. Check `customer.consent_at` is non-null before the read.
## Scope changes required
Before this feature can ship, the following are **prerequisites**:
- [ ] BAA with the billing provider verified (HIPAA §164.308)
- [ ] Data Processing Agreement covering EU customer data (GDPR Art. 28)
- [ ] Audit log entry for every PHI read (HIPAA §164.312(b))
- [ ] User-facing data export endpoint exists (GDPR Art. 20)
## Audit log requirements
Every code path that reads/writes regulated data must call:
```ts
import { auditLog } from '@waymakerai/aicofounder-compliance';
auditLog({
  framework: 'hipaa',
  actor: ctx.userId,
  resource: `patient:${id}`,
  action: 'read',
  reason: 'billing-display',
});
```
## Recommended VibeSpec additions
```yaml
vibe:
  compliance:
    frameworks: [hipaa, gdpr]
    requireAuditLog: true
    forbidPhiInLogs: true
```
## What this skill did NOT do
- Did not write code.
- Did not modify the spec — proposed changes for the user to apply.
- Did not run the full policy engine — that happens at `aicofounder check` time.
Suggest:
- `cofounder-feature-new` if the scope changed materially.
- `aicofounder check` after implementation to enforce at code level.
npx claudepluginhub waymaker-ai/ranavibe --plugin cofounder