Claude-skill-registry compliance-testing

Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/compliance-testing" ~/.claude/skills/majiayu000-claude-skill-registry-compliance-testing-9634d6 && rm -rf "$T"

manifest: skills/data/compliance-testing/SKILL.md

Compliance Testing

<default_to_action> When validating regulatory compliance:

IDENTIFY applicable regulations (GDPR, HIPAA, PCI-DSS, etc.)
MAP requirements to testable controls
TEST data rights (access, erasure, portability)
VERIFY encryption and access logging
GENERATE audit-ready reports with evidence

Quick Compliance Checklist:

Data subject rights work (access, delete, export)
PII is encrypted at rest and in transit
Access to sensitive data is logged
Consent is tracked with timestamps
Payment card data not stored (only tokenized)

Critical Success Factors:

Non-compliance = €20M or 4% revenue (GDPR)
Audit trail everything
Test continuously, not just before audits </default_to_action>

Quick Reference Card

When to Use

Legal compliance requirements
Before security audits
Handling PII/PHI/PCI data
Entering new markets (EU, CA, healthcare)

Major Regulations

Regulation	Scope	Key Focus
GDPR	EU data	Privacy rights, consent
CCPA	California	Consumer data rights
HIPAA	Healthcare	PHI protection
PCI-DSS	Payments	Card data security
SOC2	SaaS	Security controls

Penalties

Regulation	Maximum Fine
GDPR	€20M or 4% revenue
HIPAA	$1.5M per violation
PCI-DSS	$100k/month
CCPA	$7,500 per violation

GDPR Compliance Testing

// Test data subject rights
test('user can request their data', async () => {
  const response = await api.post('/data-export', { userId });

  expect(response.status).toBe(200);
  expect(response.data.downloadUrl).toBeDefined();

  const data = await downloadFile(response.data.downloadUrl);
  expect(data).toHaveProperty('profile');
  expect(data).toHaveProperty('orders');
});

test('user can delete their account', async () => {
  await api.delete(`/users/${userId}`);

  // All personal data deleted
  expect(await db.users.findOne({ id: userId })).toBeNull();
  expect(await db.orders.find({ userId })).toHaveLength(0);

  // Audit log retained (legal requirement)
  expect(await db.auditLogs.find({ userId })).toBeDefined();
});

test('consent is tracked', async () => {
  await api.post('/consent', {
    userId, type: 'marketing', granted: true,
    timestamp: new Date(), ipAddress: '192.168.1.1'
  });

  const consent = await db.consents.findOne({ userId, type: 'marketing' });
  expect(consent.timestamp).toBeDefined();
  expect(consent.ipAddress).toBeDefined();
});

HIPAA Compliance Testing

// Test PHI security
test('PHI is encrypted at rest', async () => {
  const patient = await db.patients.create({
    ssn: '123-45-6789',
    medicalHistory: 'Diabetes'
  });

  const raw = await db.raw('SELECT * FROM patients WHERE id = ?', patient.id);
  expect(raw.ssn).not.toBe('123-45-6789'); // Should be encrypted
});

test('access to PHI is logged', async () => {
  await api.get('/patients/123', {
    headers: { 'User-Id': 'doctor456' }
  });

  const auditLog = await db.auditLogs.findOne({
    resourceType: 'patient',
    resourceId: '123',
    userId: 'doctor456'
  });

  expect(auditLog.action).toBe('read');
  expect(auditLog.timestamp).toBeDefined();
});

PCI-DSS Compliance Testing

// Test payment card handling
test('credit card numbers not stored', async () => {
  await api.post('/payment', {
    cardNumber: '4242424242424242',
    expiry: '12/25', cvv: '123'
  });

  const payment = await db.payments.findOne({ /* ... */ });
  expect(payment.cardNumber).toBeUndefined();
  expect(payment.last4).toBe('4242'); // Only last 4
  expect(payment.tokenId).toBeDefined(); // Token from gateway
});

test('CVV never stored', async () => {
  const payments = await db.raw('SELECT * FROM payments');
  const hasCVV = payments.some(p =>
    JSON.stringify(p).toLowerCase().includes('cvv')
  );
  expect(hasCVV).toBe(false);
});

Agent-Driven Compliance

// Comprehensive compliance validation
await Task("Compliance Validation", {
  regulations: ['GDPR', 'PCI-DSS'],
  scope: 'full-application',
  generateAuditReport: true
}, "qe-security-scanner");

// Returns:
// {
//   gdpr: { compliant: true, controls: 12, passed: 12 },
//   pciDss: { compliant: false, controls: 8, passed: 7 },
//   violations: [{ control: 'card-storage', severity: 'critical' }],
//   auditReport: 'compliance-audit-2025-12-02.pdf'
// }

Agent Coordination Hints

Memory Namespace

aqe/compliance-testing/
├── regulations/*        - Regulation requirements
├── controls/*           - Control test results
├── audit-reports/*      - Generated audit reports
└── violations/*         - Compliance violations

Fleet Coordination

const complianceFleet = await FleetManager.coordinate({
  strategy: 'compliance-validation',
  agents: [
    'qe-security-scanner',   // Scan for vulnerabilities
    'qe-test-executor',      // Execute compliance tests
    'qe-quality-gate'        // Block non-compliant releases
  ],
  topology: 'sequential'
});

Related Skills

security-testing - Security vulnerabilities
test-data-management - PII handling
accessibility-testing - Legal requirements

Remember

Compliance is mandatory, not optional. Fines are severe: GDPR up to €20M or 4% of revenue, HIPAA up to $1.5M per violation. But beyond fines, non-compliance damages reputation and user trust.

Audit trail everything. Every access to sensitive data, every consent, every deletion must be logged with timestamps and user IDs.

With Agents: Agents validate compliance requirements continuously, detect violations early, and generate audit-ready reports. Catch compliance issues in development, not in audits.