Our review
This skill enforces guardrails when editing core/security/compliance-manager.js to preserve PCI, GDPR, PSD2, SOX, and HIPAA controls.
Strengths
- Protects sensitive data (card numbers, personal data) with strict masking and encryption rules.
- Enforces strong customer authentication (SCA) and mandatory audit logging.
- Prevents accidental or intentional bypass of compliance validators.
- Ensures adherence to multiple regulatory standards in one place.
Limitations
- Only applies to compliance-manager.js, not other security modules.
- Rules are hardcoded and cannot be modified without rewriting the skill itself.
- Does not handle exemptions or approved special cases.
Use this skill when modifying compliance validators, security handling, or audit flows in compliance-manager.js.
Do not use this skill for changes that do not involve compliance rules or for other files in the project.
Security analysis
Safe
The skill contains only static compliance guidelines and code patterns for maintaining security controls. It does not instruct or enable the AI agent to execute any potentially dangerous operations, and there are no declared tools.
No concerns found
Examples
- I need to add a new card field (cvv2) to the compliance manager. Ensure it follows PCI-DSS rules: never log it, mask it, and do not store after auth.
- Update the encryption in compliance-manager.js from AES-256-GCM to AES-256-CBC. Make sure all non-negotiables are preserved.
- I want to add a debug flag that skips audit logging for certain operations. Apply this compliance skill to assess if it's allowed.
name: compliance-manager
description: Guardrails for edits to core/security/compliance-manager.js that preserve PCI/GDPR/PSD2/SOX/HIPAA controls (masking, encryption, SCA, consent checks, and audit logging). Use when changing compliance validators, security handling, or audit flows.
Compliance Manager Guardian
Purpose & Scope
Apply this skill when modifying core/security/compliance-manager.js.
The Compliance Manager provides:
- PCI-DSS data protection (card data masking, encryption)
- GDPR compliance (pseudonymization, consent management, data minimization)
- PSD2 compliance (Strong Customer Authentication)
- SOX audit trail requirements
- HIPAA health data protection
- Multi-regulation validation framework
- Secure audit logging
Non-Negotiables (Never Do)
Compliance Validators
- Never disable or bypass compliance validators.
- Never weaken validation rules (for example, making required checks optional).
- Never skip validation for "trusted" sources.
- Never add bypass flags or debug modes that skip compliance.
PCI-DSS Rules
- Never log these PCI fields (even in debug mode):
  cvv, cvv2, cvc, cvc2, cid, cav2, pin, pinBlock, track1, track2, magneticStripe
- Never weaken card masking:
- Must show only first 6 and last 4 digits.
- Middle digits must be masked with *.
- Never reduce encryption below AES-256-GCM.
- Never store CVV/PIN after authorization.
GDPR Rules
- Never process personal data without consent check.
- Never skip pseudonymization for personal identifiers.
- Never retain personal data beyond retention period.
- Never disable data minimization for analytics.
PSD2 Rules
- Never reduce SCA requirements below 2 factors.
- Never bypass SCA for amounts over threshold.
- Never skip transaction monitoring for high-value transactions.
- Never disable cumulative amount tracking.
Audit Logging
- Never skip audit logging for sensitive operations.
- Never delete or modify existing audit entries.
- Never log sensitive data in audit trails (mask first).
- Never disable audit persistence.
Security Rollback
- Never rollback security fixes without security team approval.
- Never lower security levels in production.
Required Patterns (Must Follow)
Card Number Masking
```javascript
// Must mask showing only first 6 and last 4
maskCardNumber(cardNumber) {
  const cleaned = cardNumber.replace(/\D/g, '');
  // Fewer than 10 digits cannot be masked to first 6 + last 4; fail loudly
  // instead of letting String.prototype.repeat throw a RangeError
  if (cleaned.length < 10) throw new Error('card number too short to mask');
  const first6 = cleaned.substring(0, 6);
  const last4 = cleaned.substring(cleaned.length - 4);
  const masked = '*'.repeat(cleaned.length - 10);
  return `${first6}${masked}${last4}`;
}
// Example: 4111111111111111 -> 411111******1111
```
Data Encryption
```javascript
// Must use AES-256-GCM
// Requires: const crypto = require('crypto'); at module scope
encryptSensitiveData(data) {
  const algorithm = 'aes-256-gcm'; // Do not change
  const key = process.env.ENCRYPTION_KEY;
  if (!key) throw new Error('ENCRYPTION_KEY is required');
  // 12-byte IV is recommended for GCM; it must be unique per encryption
  const iv = crypto.randomBytes(12);
  // Prefer @onasis/security-sdk for key handling if available
  // If ENCRYPTION_KEY is a passphrase, derive a 32-byte key via scrypt.
  const keyBuf = (key.length === 64 && /^[0-9a-f]+$/i.test(key))
    ? Buffer.from(key, 'hex')
    : crypto.scryptSync(key, 'onasis-gateway', 32);
  const cipher = crypto.createCipheriv(algorithm, keyBuf, iv);
  // Associated data is authenticated but not encrypted; decryption must supply the same value
  cipher.setAAD(Buffer.from('compliance-encryption'));
  const plaintext = typeof data === 'string' ? data : JSON.stringify(data);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // The auth tag is what makes GCM tamper-evident; it must be stored with the ciphertext
  const authTag = cipher.getAuthTag();
  return {
    encrypted: ciphertext.toString('base64'),
    iv: iv.toString('hex'),
    authTag: authTag.toString('hex'),
    algorithm
  };
}
```
Strong Customer Authentication
```javascript
// Must require 2+ factors
validateSCA(data) {
  const factors = [];
  if (data.password || data.pin) factors.push('knowledge');
  if (data.deviceId || data.token) factors.push('possession');
  if (data.biometric || data.fingerprint) factors.push('inherence');
  return factors.length >= 2; // PSD2 requirement
}
```
Defense in Depth
```javascript
// Must apply all applicable protections
enforceDataHandling(serviceId, data, operation) {
  // Resolve the service's compliance profile from its id. The original snippet
  // referenced `service` without defining it; the lookup helper name is assumed.
  const service = this.getService(serviceId);
  let processedData = { ...data };
  if (service?.compliance?.pci) {
    processedData = this.applyPCIProtections(processedData, operation);
  }
  if (service?.compliance?.gdpr) {
    processedData = this.applyGDPRProtections(processedData, operation);
  }
  if (service?.compliance?.psd2) {
    processedData = this.applyPSD2Protections(processedData, operation);
  }
  return processedData;
}
```
Audit Entry Creation
```javascript
// Must create audit entry for all compliance events
logAuditEntry(action, details) {
  const entry = {
    timestamp: new Date(),
    action,
    details,
    id: crypto.randomUUID()
  };
  this.auditLog.push(entry);
  this.emit('audit:logged', entry);
  this.persistAuditEntry(entry); // Must persist
}
```
Prohibited Fields Registry
| Field | Regulation | Storage | Logging | Transmission |
|-------|------------|---------|---------|--------------|
| cvv, cvv2, cvc, cvc2 | PCI-DSS 3.2 | Never | Never | HTTPS only |
| pin, pinBlock | PCI-DSS 3.4 | Never | Never | Encrypted |
| track1, track2 | PCI-DSS 3.2 | Never | Never | Never |
| magneticStripe | PCI-DSS 3.2 | Never | Never | Never |
| Full card number | PCI-DSS 3.4 | Encrypted | Masked | Encrypted |
Integration Points
| Component | Integration Method |
|-----------|-------------------|
| Base Client | Data passed through enforceDataHandling() |
| Metrics Collector | compliance_violations_total metric |
| API Routes | Middleware for request validation |
| Database | Audit entries persisted to audit.compliance_log |
Compliance Validation Checklist
Before deploying changes:
- [ ] Card data properly masked (first 6, last 4 only).
- [ ] CVV/PIN never logged or stored.
- [ ] Encryption uses AES-256-GCM.
- [ ] SCA requires 2+ factors.
- [ ] Audit entries created for all operations.
- [ ] GDPR consent check in place.
- [ ] Data minimization applied for analytics.
- [ ] No PII in metric labels.
- [ ] Audit log persisted to secure storage.