compliance-audit

Compliance and audit-log workflow: immutable audit trail design, SOC 2 / ISO 27001 / HIPAA / PCI-DSS control mapping, access control reviews, data lineage, and compliance automation in CI/CD. Complements gdpr-privacy and security-review.

8 stars

Best use case

compliance-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Compliance and audit-log workflow: immutable audit trail design, SOC 2 / ISO 27001 / HIPAA / PCI-DSS control mapping, access control reviews, data lineage, and compliance automation in CI/CD. Complements gdpr-privacy and security-review.

Teams using compliance-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/compliance-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/marvinrichter/clarc/main/skills/compliance-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How compliance-audit Compares

Feature / Agentcompliance-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Compliance and audit-log workflow: immutable audit trail design, SOC 2 / ISO 27001 / HIPAA / PCI-DSS control mapping, access control reviews, data lineage, and compliance automation in CI/CD. Complements gdpr-privacy and security-review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Compliance & Audit Log

> **Scope**: Audit trails, compliance control implementation, and automated compliance checks.
> For GDPR-specific data subject rights and consent management, see [gdpr-privacy](../gdpr-privacy/SKILL.md).
> For access control and authentication patterns, see [auth-patterns](../auth-patterns/SKILL.md) and [security-review](../security-review/SKILL.md).

## When to Activate

- Designing an audit log for a sensitive feature (admin actions, PII access, financial transactions)
- Preparing for SOC 2 Type II audit
- Implementing HIPAA, PCI-DSS, or ISO 27001 controls
- Adding access control review / privileged action logging
- Setting up compliance checks in CI/CD
- Responding to a compliance audit request (evidence gathering)

---

## Audit Log Design

### What to log

An audit event answers: **Who** did **what** to **which resource** at **when**, and **from where**.

```typescript
interface AuditEvent {
  // Identity
  actor_id:       string;      // authenticated user ID
  actor_email:    string;      // human-readable, for readability in reports
  actor_ip:       string;      // IP address
  actor_role:     string;      // role at time of action

  // Action
  action:         string;      // e.g. "user.password_changed", "record.deleted"
  outcome:        'success' | 'failure';
  failure_reason?: string;

  // Resource
  resource_type:  string;      // e.g. "user", "invoice", "patient_record"
  resource_id:    string;

  // Context
  timestamp:      string;      // ISO 8601, always UTC
  request_id:     string;      // correlation ID for tracing
  session_id:     string;
  service:        string;      // which service/microservice logged this
}
```

### Action naming convention

```
<resource>.<verb>

user.created
user.deleted
user.password_changed
user.mfa_disabled
payment.refunded
record.exported          # data export is high-value for compliance
admin.permission_granted
admin.permission_revoked
api_key.rotated
```

### What NOT to include

- Passwords, secrets, tokens (even hashed)
- Full PII beyond what's required for audit (no SSNs in audit logs)
- Health records content (HIPAA: log access, not content)
- Payment card data (PCI: log the transaction ID, not the card number)

---

## Immutable Audit Log Implementation

### Storage requirements

| Property | Requirement |
|----------|-------------|
| Immutability | Append-only; no UPDATE or DELETE on audit records |
| Retention | Minimum 1 year accessible, 7 years archived (SOC 2 / PCI) |
| Integrity | Hash chaining or WORM storage to detect tampering |
| Encryption | At rest (AES-256) and in transit (TLS 1.2+) |
| Searchability | Index by actor_id, resource_id, timestamp, action |

### PostgreSQL append-only table

```sql
-- Revoke UPDATE/DELETE from application user
CREATE TABLE audit_events (
  id            BIGSERIAL PRIMARY KEY,
  actor_id      TEXT        NOT NULL,
  actor_email   TEXT        NOT NULL,
  actor_ip      INET        NOT NULL,
  actor_role    TEXT        NOT NULL,
  action        TEXT        NOT NULL,
  outcome       TEXT        NOT NULL CHECK (outcome IN ('success', 'failure')),
  failure_reason TEXT,
  resource_type TEXT        NOT NULL,
  resource_id   TEXT        NOT NULL,
  request_id    TEXT        NOT NULL,
  session_id    TEXT        NOT NULL,
  service       TEXT        NOT NULL,
  created_at    TIMESTAMPTZ NOT NULL DEFAULT now(),
  -- Payload for additional context (never PII/secrets)
  metadata      JSONB
);

-- Indexes for common queries
CREATE INDEX idx_audit_actor    ON audit_events(actor_id, created_at DESC);
CREATE INDEX idx_audit_resource ON audit_events(resource_type, resource_id, created_at DESC);
CREATE INDEX idx_audit_action   ON audit_events(action, created_at DESC);

-- Prevent modifications (run as superuser)
REVOKE UPDATE, DELETE ON audit_events FROM app_user;
```

### Hash chaining (tamper detection)

```typescript
import crypto from 'crypto';

interface AuditEventWithHash extends AuditEvent {
  prev_hash: string;
  hash:      string;
}

function hashEvent(event: AuditEvent, prevHash: string): string {
  const payload = JSON.stringify({ ...event, prev_hash: prevHash });
  return crypto.createHash('sha256').update(payload).digest('hex');
}

// Verify chain integrity
async function verifyChain(events: AuditEventWithHash[]): Promise<boolean> {
  for (let i = 1; i < events.length; i++) {
    const expected = hashEvent(events[i], events[i - 1].hash);
    if (expected !== events[i].hash) {
      console.error(`Chain broken at event ${events[i].id}`);
      return false;
    }
  }
  return true;
}
```

---

## Framework Control Mapping

### SOC 2 Type II — Trust Services Criteria

| Control | What to log | Evidence |
|---------|------------|---------|
| CC6.1 — Logical access | Login success/failure, MFA events | `user.signed_in`, `user.mfa_failed` |
| CC6.2 — Access provisioning | Permission changes | `admin.permission_granted/revoked` |
| CC6.3 — Access termination | Account deletion/suspension | `user.suspended`, `user.deleted` |
| CC7.2 — System monitoring | Security events, anomalies | Alert logs, SIEM integration |
| CC9.2 — Change management | Deploys, config changes | CI/CD deploy events |
| A1.1 — Availability | Uptime, SLO data | Error budget reports |

### HIPAA (Healthcare)

Must log: access to Protected Health Information (PHI)

```typescript
// Every PHI access must be logged
async function getPatientRecord(actorId: string, patientId: string) {
  const record = await db.patients.findById(patientId);

  await auditLog({
    actor_id: actorId,
    action: 'patient_record.viewed',
    resource_type: 'patient_record',
    resource_id: patientId,
    outcome: 'success',
    metadata: {
      record_type: 'clinical_notes',
      // Do NOT include PHI content in audit log
    }
  });

  return record;
}
```

### PCI-DSS (Payment card)

| Requirement | Log event |
|------------|-----------|
| 10.2.1 — Access to cardholder data | `payment.card_data_accessed` |
| 10.2.2 — Admin actions | `admin.*` |
| 10.2.4 — Invalid access attempts | `user.signed_in` with outcome=failure |
| 10.2.7 — Audit log initialization | Log system startup/shutdown |

---

## Privileged Action Review

High-risk actions requiring additional controls:

```typescript
const PRIVILEGED_ACTIONS = new Set([
  'admin.permission_granted',
  'admin.role_changed',
  'user.deleted',
  'user.impersonated',
  'api_key.created',
  'data.bulk_exported',
  'config.changed',
]);

async function requirePrivilegedActionApproval(action: string, actorId: string) {
  if (!PRIVILEGED_ACTIONS.has(action)) return; // not privileged

  // Require MFA re-confirmation for privileged actions
  const session = await getSession(actorId);
  if (!session.mfa_verified_at || Date.now() - session.mfa_verified_at > 15 * 60 * 1000) {
    throw new Error('MFA re-confirmation required for privileged action');
  }

  // Require second approver for the most critical actions
  const DUAL_APPROVAL_REQUIRED = new Set(['user.deleted', 'data.bulk_exported']);
  if (DUAL_APPROVAL_REQUIRED.has(action)) {
    await requireSecondApprover(actorId, action);
  }
}
```

---

## Compliance Automation in CI/CD

### Secret scanning

```yaml
# .github/workflows/compliance.yml
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified

  dependency-audit:
    steps:
      - run: npm audit --audit-level=high
      - run: pip-audit --requirement requirements.txt
```

### License compliance

```yaml
  license-check:
    steps:
      - run: npx license-checker --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC"
```

### SAST (Static Application Security Testing)

```yaml
  sast:
    steps:
      - uses: github/codeql-action/analyze@v3
        with:
          languages: javascript, python
```

---

## Compliance Evidence Package

For an audit, collect:

```bash
# Generate audit evidence report
scripts/compliance-report.sh \
  --from 2024-01-01 \
  --to 2024-12-31 \
  --controls soc2-cc6,soc2-cc7 \
  --output audit-evidence-2024.zip
```

Evidence package includes:
1. User access list (current) with roles
2. Access change log (who was granted/revoked what, when)
3. Failed login report (with source IPs)
4. Privileged action log (admin actions with approvals)
5. Deploy log (what was deployed, when, by whom)
6. Vulnerability scan reports
7. Penetration test results (if applicable)

---

## Related

- [gdpr-privacy](../gdpr-privacy/SKILL.md) — data subject rights, consent, right to erasure
- [security-review](../security-review/SKILL.md) — access control patterns and security review checklist
- [auth-patterns](../auth-patterns/SKILL.md) — authentication, MFA, session management
- [observability](../observability/SKILL.md) — log aggregation and alerting infrastructure

Related Skills

dependency-audit

8
from marvinrichter/clarc

Dependency security and compliance: per-language vulnerability scanning (npm audit, cargo audit, pip-audit, govulncheck, OWASP Dependency-Check), license compliance (FOSSA, license-checker), transitive dependency risk, dependency confusion attacks, and Renovate/Dependabot setup.

zero-trust-patterns

8
from marvinrichter/clarc

Zero-Trust security patterns — mTLS between microservices (Istio/SPIFFE), SPIRE workload identity, OPA/Envoy authorization, NetworkPolicy default-deny-all, short-lived credentials, service mesh security, and Kubernetes RBAC hardening.

wireframing

8
from marvinrichter/clarc

Wireframing and prototyping workflow: fidelity levels (lo-fi sketch → mid-fi wireframe → hi-fi prototype), tool selection (Figma, Excalidraw, Balsamiq), user flow diagrams, wireframe annotation standards, information architecture (IA) mapping, and the handoff from wireframe to visual design. For developers who need to communicate UI structure before writing code.

webrtc-patterns

8
from marvinrichter/clarc

WebRTC patterns — peer connection setup, ICE/STUN/TURN configuration, signaling server design, SFU vs mesh topology, screen sharing, media track management, and reconnect/ICE restart handling.

webhook-patterns

8
from marvinrichter/clarc

Webhook patterns for receiving, verifying (HMAC), and idempotently processing third-party events. Covers Stripe, GitHub, and generic webhook patterns, delivery guarantees, retry handling, and testing.

web-performance

8
from marvinrichter/clarc

Web performance optimization: Core Web Vitals (LCP, CLS, INP), Lighthouse CI with budget configuration, bundle analysis (webpack-bundle-analyzer, vite-bundle-visualizer), hydration performance, network waterfall reading, image optimization (WebP/AVIF, srcset), and font performance.

wasm-performance

8
from marvinrichter/clarc

WebAssembly performance: wasm-opt binary optimization, size reduction (panic=abort, LTO, strip), profiling WASM in Chrome DevTools, memory management (linear memory, avoiding GC pressure), SIMD, and multi-threading with SharedArrayBuffer.

wasm-patterns

8
from marvinrichter/clarc

WebAssembly patterns: wasm-pack, wasm-bindgen (JS↔Wasm interop), WASI, Component Model, wasm-opt, Rust-to-WASM compilation, JS integration (web workers, streaming instantiation), and production deployment (CDN, Content-Type headers).

visual-testing

8
from marvinrichter/clarc

Visual Regression Testing: tool comparison (Chromatic/Percy/Playwright screenshots/BackstopJS), pixel-diff vs AI-based comparison, baseline management, flakiness strategies (masks, tolerances, waitForLoadState), CI integration with GitHub Actions, and Storybook integration.

visual-identity

8
from marvinrichter/clarc

Brand identity development: color palette construction (primary/secondary/semantic/neutral), logo concept brief writing, typeface pairings, brand voice definition, mood board direction, and Brand Guidelines document structure. Use when establishing or evolving a visual brand — not for implementing existing tokens.

ux-micro-patterns

8
from marvinrichter/clarc

UX micro-patterns for every product state: Empty States, Loading States (skeleton screens, spinners, optimistic UI), Error States, Success States, Confirmation Dialogs, Onboarding Flows, and Progressive Disclosure. These patterns apply to every feature — done wrong, they're the biggest source of user confusion.

typography-design

8
from marvinrichter/clarc

Typography as a creative discipline: typeface selection criteria, type pairing (serif + sans, display + body), modular scale systems, line-height and tracking ratios, hierarchy construction, and web/mobile rendering considerations. The decisions behind design tokens, not the tokens themselves.