mikeparcewski/compliance
skills/platform/compliance/SKILL.md
Use when checking code or architecture against a regulatory framework (SOC2, HIPAA, GDPR, PCI) or translating a policy document into actionable controls — detects violations and provides prioritized remediation guidance. NOT for gathering audit evidence artifacts (use platform/audit).
$ install --global
skillsauthnpx skillsauth add mikeparcewski/wicked-garden complianceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 7:48 AM157.9s4 files scanned
SKILL.md
- name:
- compliance
- description:
- |
- # TODO #339:
- When Claude Code supports 'paths' in skill frontmatter for
- # paths:
- ["**/compliance/**", "**/audit/**", "**/policy/**", "**/.hipaa*", "**/.gdpr*"]
- phase_relevance:
- ["build", "review", "operate"]
- archetype_relevance:
- ["*"]
Compliance Skill
Analyze code and systems for regulatory compliance.
When to Use
- Code handles sensitive data (PII, PHI, payment data)
- Pre-deployment compliance verification
- User mentions regulatory frameworks
- User says "is this compliant", "compliance check", "regulatory requirements"
Supported Frameworks
| Framework | Focus | Key Requirements | |-----------|-------|------------------| | SOC2 | Security, Availability | Access controls, encryption, logging, monitoring | | HIPAA | Protected Health Info | PHI safeguards, access logs, encryption, BAA | | GDPR | Personal Data | Consent, minimization, deletion, DPO | | PCI DSS | Payment Card Data | Encryption, network segmentation, access control |
See refs/frameworks.md for detailed framework requirements.
Commands
/wicked-garden:platform:compliance [--framework soc2|hipaa|gdpr|pci] [--quick]
Analysis Process
1. Identify Sensitive Data
Scan for:
- PII: Names, emails, SSN, addresses
- PHI: Medical records, health data
- Payment: Credit cards, bank accounts
- Credentials: Passwords, API keys
2. Verify Controls
Access Control:
- Authentication required
- Authorization checks (RBAC)
- Least privilege
Data Protection:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.2+)
- Secure key management
Logging & Monitoring:
- Access logs
- Audit trails
- Security events
- Log retention
Data Lifecycle:
- Consent mechanisms (GDPR)
- Retention policies
- Secure deletion
- Data minimization
3. Detect Violations
Common issues:
- PII/PHI in logs or errors
- Hardcoded secrets
- Missing encryption
- Insufficient access controls
- Missing audit trails
See refs/checklists.md for detailed verification checklists.
4. Generate Report
Output:
- Status: COMPLIANT / NEEDS ATTENTION / NON-COMPLIANT
- Findings: Violations by priority (P0, P1, P2)
- Evidence: Code references
- Remediation: Required fixes
Integration
With wicked-crew
Auto-triggered at phase gates
With native tasks
TaskUpdate(
taskId="{task_id}",
description="{previous}\n\n[compliance] {framework}: {status}"
)
With wicked-brain
Skill(skill="wicked-brain:memory", args="recall \"compliance {framework}\"")
With product
/wicked-garden:platform:security {target}
Output Format
## Compliance Analysis: {Framework}
**Target**: {scope}
**Status**: {COMPLIANT|NEEDS ATTENTION|NON-COMPLIANT}
**Framework**: {SOC2|HIPAA|GDPR|PCI}
### Critical (P0)
- {violation} - {file}:{line}
Remediation: {fix}
### High Priority (P1)
- {gap} - {file}:{line}
Recommendation: {guidance}
### Medium Priority (P2)
- {improvement} - {suggestion}
### Controls Verified
- [x] Encryption at rest
- [ ] Data retention policy
### Next Steps
{Recommended actions}
Automation Script
Use compliance checker:
sh "${CLAUDE_PLUGIN_ROOT}/scripts/_python.sh" "${CLAUDE_PLUGIN_ROOT}/scripts/compliance_checker.py" \
--target {path} \
--framework {soc2|hipaa|gdpr|pci}
External Integration Discovery
Compliance checking can leverage available integrations by capability:
| Capability | Discovery Patterns | Provides |
|------------|-------------------|----------|
| Security scanning | snyk, semgrep, sast | Vulnerability detection |
| Secrets | vault, secrets | Credential management audit |
| SBOM | trivy, sbom, cyclonedx | Supply chain compliance |
Discover available integrations via capability detection. Fall back to local compliance_checker.py when none available.
Quality Standards
Good analysis:
- Specific code references
- Clear violation descriptions
- Actionable remediation
- Prioritized by risk
Bad analysis:
- Generic checklists
- No code evidence
- Vague recommendations
Related Skills
mikeparcewski/skills/engineering/large-scale-migration
development
VerifiedTrustedCommunity
--- name: large-scale-migration description: How to execute a LARGE MECHANICAL change across any codebase with LEVERAGE instead of an agent-grind or hand-edits — a cross-cutting migration, refactor, rename, dialect/framework/DB port, library adoption, or bulk transform. The map→transform→gate pattern: a deterministic transform driven by a source-of-truth map, proven by a differential-equivalence gate. Use when the work is "migrate all X to Y", "rename Z everywhere", "port to a new DB/dialect/fra
8SKILL.mdUpdated Jun 3, 2026
mikeparcewski/wicked-garden:classify
testing
VerifiedTrustedCommunity
v11 LLM-based work-shape classifier. Replaces the regex archetype detector with the model's own reasoning. Reads the user's prompt, picks the right archetype(s) from the catalog, identifies signals (blast_radius, novelty, reversibility, etc.), and persists to SessionState so subsequent turns steer correctly. Use when: the prompt_submit hook emitted a `<wg classify-due />` directive, OR explicitly invoked at session start, OR when re-classifying after the user changes scope mid-session.
8SKILL.mdUpdated May 26, 2026
mikeparcewski/wicked-garden:archetype
tools
VerifiedTrustedCommunity
v11 work-shape archetype runner. When a prompt has been routed to one of the 9 archetypes (triage, explore, specify, decide, ship, review, incident, build, migrate), this skill is the entry point. It picks the right per-archetype playbook from refs/ and executes the phase shape declared in `.claude-plugin/archetypes.json`. Use when: a `<wg archetype="X">` or `<wg archetypes>` system-reminder tag appears, an explicit "let's run the X archetype" request, or when one of the per-archetype slash commands resolves to this skill.
8SKILL.mdUpdated May 8, 2026
mikeparcewski/intent
development
VerifiedTrustedCommunity
Show or set the session intent variable. Intent gates how loud the framework is — simple-edit (silent), feature/research (synthesis directive), rigor (full crew context). Auto-detected on turn 1; this skill overrides explicitly. Sticky for the session. Use when: "set intent", "intent override", "/wicked-garden:intent", "make the framework quiet", "force rigor", "what's my intent".
8SKILL.mdUpdated May 6, 2026