AgentSkillsCN

compliance-manager

Sets guardrails for edits to core/security/compliance-manager.js, intended to preserve PCI/GDPR/PSD2/SOX/HIPAA compliance controls (including data masking, encryption, strong customer authentication, consent checks and audit logging). Use when changing compliance validators or security handling logic, or when adjusting audit flows.

SKILL.md
---
name: compliance-manager
description: Guardrails for edits to core/security/compliance-manager.js that preserve PCI/GDPR/PSD2/SOX/HIPAA controls (masking, encryption, SCA, consent checks, and audit logging). Use when changing compliance validators, security handling, or audit flows.
---

Compliance Manager Guardian

Purpose & Scope

Apply this skill when modifying core/security/compliance-manager.js.

The Compliance Manager provides:

  • PCI-DSS data protection (card data masking, encryption)
  • GDPR compliance (pseudonymization, consent management, data minimization)
  • PSD2 compliance (Strong Customer Authentication)
  • SOX audit trail requirements
  • HIPAA health data protection
  • Multi-regulation validation framework
  • Secure audit logging

Non-Negotiables (Never Do)

Compliance Validators

  • Never disable or bypass compliance validators.
  • Never weaken validation rules (for example, making required checks optional).
  • Never skip validation for "trusted" sources.
  • Never add bypass flags or debug modes that skip compliance.

PCI-DSS Rules

  • Never log these PCI fields (even in debug mode):
    • cvv, cvv2, cvc, cvc2, cid, cav2
    • pin, pinBlock
    • track1, track2, magneticStripe
  • Never weaken card masking:
    • Must show only first 6 and last 4 digits.
    • Middle digits must be masked with *.
  • Never reduce encryption below AES-256-GCM.
  • Never store CVV/PIN after authorization.

GDPR Rules

  • Never process personal data without consent check.
  • Never skip pseudonymization for personal identifiers.
  • Never retain personal data beyond retention period.
  • Never disable data minimization for analytics.

PSD2 Rules

  • Never reduce SCA requirements below 2 factors.
  • Never bypass SCA for amounts over threshold.
  • Never skip transaction monitoring for high-value transactions.
  • Never disable cumulative amount tracking.

Audit Logging

  • Never skip audit logging for sensitive operations.
  • Never delete or modify existing audit entries.
  • Never log sensitive data in audit trails (mask first).
  • Never disable audit persistence.

Security Rollback

  • Never rollback security fixes without security team approval.
  • Never lower security levels in production.

Required Patterns (Must Follow)

Card Number Masking

```javascript
// Must mask showing only first 6 and last 4
maskCardNumber(cardNumber) {
    const cleaned = String(cardNumber).replace(/\D/g, '');
    // A value with 10 or fewer digits cannot expose 6 + 4 without revealing it all:
    // mask it completely instead of letting '*'.repeat() throw on a negative count.
    if (cleaned.length <= 10) return '*'.repeat(cleaned.length);
    const first6 = cleaned.substring(0, 6);
    const last4 = cleaned.substring(cleaned.length - 4);
    const masked = '*'.repeat(cleaned.length - 10);
    return `${first6}${masked}${last4}`;
}
// Example: 4111111111111111 -> 411111******1111
```

Data Encryption

```javascript
const crypto = require('node:crypto');  // module-level import

// Must use AES-256-GCM
encryptSensitiveData(data) {
    const algorithm = 'aes-256-gcm';  // Do not change
    // ENCRYPTION_KEY is assumed to hold a hex-encoded 32-byte (256-bit) key,
    // never a raw passphrase.
    const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
    const iv = crypto.randomBytes(16);  // fresh per call; never reuse an IV with the same key

    // Prefer @onasis/security-sdk for encryption primitives.
    // createCipheriv is required (the old createCipher ignores the IV and is removed in Node 22+).
    const cipher = crypto.createCipheriv(algorithm, key, iv);
    cipher.setAAD(Buffer.from('compliance-encryption'));  // must be set before update()
    const encrypted = Buffer.concat([
        cipher.update(JSON.stringify(data), 'utf8'),
        cipher.final()
    ]).toString('hex');
    const authTag = cipher.getAuthTag();  // only available after final(); store it with the ciphertext

    return {
        encrypted,
        iv: iv.toString('hex'),
        authTag: authTag.toString('hex'),
        algorithm
    };
}
```

Strong Customer Authentication

```javascript
// Must require 2+ factors
validateSCA(data) {
    const factors = [];

    if (data.password || data.pin) factors.push('knowledge');
    if (data.deviceId || data.token) factors.push('possession');
    if (data.biometric || data.fingerprint) factors.push('inherence');

    return factors.length >= 2;  // PSD2 requirement
}
```
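validateSCA only counts factors; the PSD2 rules above also require that SCA is never bypassed above an amount threshold and that cumulative amounts keep being tracked. The following added example (not code from compliance-manager.js) combines both checks. The threshold values, the tracker shape and the function names are assumptions, since the page states no numbers.

```javascript
// Assumed policy values; the real manager would load these from configuration.
const SCA_POLICY = {
  singleAmountThreshold: 30,      // SCA always required above this single-transaction amount
  cumulativeAmountThreshold: 100, // ...or once exempt spend since the last SCA would exceed this
  maxConsecutiveExempt: 5,        // ...or after this many exempt transactions in a row
};

// Same factor classes as validateSCA; password + pin still count as one factor.
function countFactors(auth) {
  const factors = new Set();
  if (auth.password || auth.pin) factors.add('knowledge');
  if (auth.deviceId || auth.token) factors.add('possession');
  if (auth.biometric || auth.fingerprint) factors.add('inherence');
  return factors.size;
}

// tracker: per-customer state { cumulativeAmount, consecutiveExempt }, updated in place.
// Returns { allowed, reason }. There is no caller-supplied bypass flag by design.
function authorizeWithSCA(tx, tracker, policy = SCA_POLICY) {
  const factors = countFactors(tx.auth || {});
  const exceedsSingle = tx.amount > policy.singleAmountThreshold;
  const exceedsCumulative = tracker.cumulativeAmount + tx.amount > policy.cumulativeAmountThreshold;
  const exceedsCount = tracker.consecutiveExempt >= policy.maxConsecutiveExempt;
  const scaRequired = exceedsSingle || exceedsCumulative || exceedsCount;

  if (scaRequired && factors < 2) {
    return { allowed: false, reason: 'sca_required' };  // tracker untouched: nothing was spent
  }
  if (factors >= 2) {
    tracker.cumulativeAmount = 0;        // strong authentication resets the exemption window
    tracker.consecutiveExempt = 0;
    return { allowed: true, reason: 'sca_passed' };
  }
  tracker.cumulativeAmount += tx.amount; // low-value exemption used: keep counting
  tracker.consecutiveExempt += 1;
  return { allowed: true, reason: 'low_value_exemption' };
}
```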

Defense in Depth

```javascript
// Must apply all applicable protections
enforceDataHandling(serviceId, data, operation) {
    // Resolve the service's compliance profile; the registry name is an assumption,
    // adjust to the lookup used in compliance-manager.js.
    const service = this.services?.get(serviceId);
    let processedData = { ...data };

    if (service?.compliance?.pci) {
        processedData = this.applyPCIProtections(processedData, operation);
    }
    if (service?.compliance?.gdpr) {
        processedData = this.applyGDPRProtections(processedData, operation);
    }
    if (service?.compliance?.psd2) {
        processedData = this.applyPSD2Protections(processedData, operation);
    }

    return processedData;
}
```

Audit Entry Creation

```javascript
// Must create audit entry for all compliance events
logAuditEntry(action, details) {
    // `details` must already be masked: audit trails never carry raw sensitive data.
    const entry = {
        timestamp: new Date(),
        action,
        details,
        id: crypto.randomUUID()
    };

    this.auditLog.push(entry);
    this.emit('audit:logged', entry);
    this.persistAuditEntry(entry);  // Must persist
}
```

Prohibited Fields Registry

| Field | Regulation | Storage | Logging | Transmission |
|---|---|---|---|---|
| cvv, cvv2, cvc, cvc2 | PCI-DSS 3.2 | Never | Never | HTTPS only |
| pin, pinBlock | PCI-DSS 3.4 | Never | Never | Encrypted |
| track1, track2 | PCI-DSS 3.2 | Never | Never | Never |
| magneticStripe | PCI-DSS 3.2 | Never | Never | Never |
| Full card number | PCI-DSS 3.4 | Encrypted | Masked | Encrypted |
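An added example (not the project's code) that applies the registry above to anything about to be logged or written to the audit trail: prohibited fields are removed recursively, including inside nested objects and arrays, and the full card number is reduced to first 6 and last 4. The set of field names treated as card numbers is an assumption.

```javascript
// Fields from the registry that must never reach a log, even in debug mode (compared case-insensitively).
const PROHIBITED_LOG_FIELDS = new Set([
  'cvv', 'cvv2', 'cvc', 'cvc2', 'cid', 'cav2',
  'pin', 'pinblock',
  'track1', 'track2', 'magneticstripe',
]);
// Assumed names under which a full card number may appear; these are masked, not dropped.
const CARD_NUMBER_FIELDS = new Set(['cardnumber', 'pan', 'primaryaccountnumber']);

// Same rule as the required pattern: first 6 and last 4 visible, the rest '*'.
function maskCardNumber(cardNumber) {
  const cleaned = String(cardNumber).replace(/\D/g, '');
  if (cleaned.length <= 10) return '*'.repeat(cleaned.length); // too short to expose any digits
  return `${cleaned.slice(0, 6)}${'*'.repeat(cleaned.length - 10)}${cleaned.slice(-4)}`;
}

// Returns a deep copy of `record` that is safe to log; the input is never mutated.
function sanitizeForLogging(record) {
  if (Array.isArray(record)) return record.map(sanitizeForLogging);
  if (record === null || typeof record !== 'object') return record;
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    const name = key.toLowerCase();
    if (PROHIBITED_LOG_FIELDS.has(name)) continue;          // drop entirely
    if (CARD_NUMBER_FIELDS.has(name)) {
      out[key] = maskCardNumber(value);                     // keep, but masked
      continue;
    }
    out[key] = sanitizeForLogging(value);                   // recurse into nested data
  }
  return out;
}
```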

Integration Points

| Component | Integration Method |
|---|---|
| Base Client | Data passed through enforceDataHandling() |
| Metrics Collector | compliance_violations_total metric |
| API Routes | Middleware for request validation |
| Database | Audit entries persisted to audit.compliance_log |

Compliance Validation Checklist

Before deploying changes:

  • Card data properly masked (first 6, last 4 only).
  • CVV/PIN never logged or stored.
  • Encryption uses AES-256-GCM.
  • SCA requires 2+ factors.
  • Audit entries created for all operations.
  • GDPR consent check in place.
  • Data minimization applied for analytics.
  • No PII in metric labels.
  • Audit log persisted to secure storage.