// Pattern-table mapping from unified findings to regulatory citations (PCI-DSS, GDPR, HIPAA, SOC2). LLM edge annotator invoked only for llm_review_trigger=true rows.
Conventions, anti-patterns, and meta-patterns for writing skills (and the shared agent/skill philosophy). Use when creating or editing a SKILL.md file, or when reviewing the agent-vs-skill separation. For the procedural workflow that generates a new agent file, use the agent-create skill (invoked by /agent-add).
Create new Claude Code sub-agent files following the official schema and token-efficiency budgets. Handles both review agents (JSON output, read-only tools, ≤ 40-line body) and team agents (prose output, action tools, ≤ 75-line body). Use when the user says "add an agent", "create a reviewer for X", "new team agent for Y", or when /agent-add is invoked. Validates against /agent-audit before writing. Updates the agent registry and CLAUDE.md after success.
Detect business logic reimplemented in multiple architectural layers. Builds a persistent computation-register.json by annotating non-trivial computation functions with structured semantic descriptions, then clusters entries to surface duplicate domain concepts. Runs in full-scan mode on first use, incremental (git-diff-based) mode on subsequent runs. Use when the user wants to find logical duplication that linters and diff-scoped review agents miss — the same domain calculation independently reimplemented across layers.
Hybrid FP-reduction — joern when present, LLM fallback when absent. Six-stage rubric (Stage 0 + Stages 1-5) applied to every finding; emits the disposition register.
Declarative phase graph for /security-assessment. Phases run in fixed order with dependency enforcement; per-phase artifacts land in memory/ and feed the next phase.
Collaborative workflow for producing the four specification artifacts (intent, BDD scenarios, architecture notes, acceptance criteria) before any implementation begins. Use when starting any new feature or behavior change — do not write code until artifacts pass the consistency gate.
| name | compliance-mapping |
| description | Pattern-table mapping from unified findings to regulatory citations (PCI-DSS, GDPR, HIPAA, SOC2). LLM edge annotator invoked only for llm_review_trigger=true rows. |
| role | worker |
| user-invocable | false |
| version | 1.0.0 |
| maintainers | ["bdfinst","unassigned"] |
| required-primitives-contract | ^1.0.0 |
Map unified findings to regulatory control citations so executive-audience reports can name the specific regulations at risk. Designed to be deterministic first — a pattern table handles the bulk; LLM judgment is invoked ONLY for cases the table flags as ambiguous.
This is explicitly informational, not audit-grade. No report produced by this pipeline substitutes for a certified auditor's opinion. The disclaimer is mandatory and exact-wording.
knowledge/compliance-patterns.yaml (this plugin) — the pattern tableA compliance-annotations.json file per the following shape:
{
"schema_version": "1.0",
"generated_at": "2026-04-21T10:00:00Z",
"disclaimer": "<verbatim text from knowledge/disclaimers.md § Compliance mapping disclaimer>",
"annotations": [
{
"finding_rule_id": "semgrep.python.hardcoded-password",
"finding_file": "config/prod.py",
"finding_line": 42,
"regulations": [
{"regulation": "PCI-DSS", "control_id": "3.2.1", "citation": "PCI-DSS v4.0 §3.2.1"},
{"regulation": "GDPR", "control_id": "Art. 32", "citation": "GDPR Article 32 — Security of Processing"}
],
"annotator": "pattern-table" // or "llm" if llm_review_trigger fired
}
]
}
knowledge/compliance-patterns.yaml)Each row maps a finding pattern to one or more regulatory citations.
# plugins/agentic-security-assessment/knowledge/compliance-patterns.yaml
patterns:
- id: pan-at-log
pattern_regex: 'log\.(debug|info).*(pan|card_number|primary_account)'
field_type: "pii.pan"
applies_to_rules:
- "semgrep.*.pii-log"
- "business-logic.fraud.tokenization-skip-under-flag"
regulations:
- regulation: "PCI-DSS"
control_id: "3.4"
citation: "PCI-DSS v4.0 §3.4 — PAN must be rendered unreadable in storage and in logs"
- regulation: "PCI-DSS"
control_id: "10.2"
citation: "PCI-DSS v4.0 §10.2 — Audit logs must not contain sensitive authentication data"
llm_review_trigger: false
- id: unencrypted-db-transit
pattern_regex: "(mongodb|postgres|mysql)://[^@]+@[^/]+/[^?]+($|(?!.*ssl|.*tls))"
field_type: "db.transit"
applies_to_rules:
- "semgrep.*.unencrypted-database-connection"
- "trivy.iac.*"
regulations:
- regulation: "PCI-DSS"
control_id: "4.1"
citation: "PCI-DSS v4.0 §4.1 — Strong cryptography and security protocols on open public networks"
- regulation: "GDPR"
control_id: "Art. 32"
citation: "GDPR Article 32 — Security of Processing"
llm_review_trigger: false
- id: auth-bypass-admin
pattern_regex: ".*admin.*"
field_type: "auth.missing"
applies_to_rules:
- "semgrep.*.missing-csrf"
- "semgrep.*.unauthenticated-endpoint"
- "business-logic.fraud.*"
regulations:
- regulation: "PCI-DSS"
control_id: "8.3"
citation: "PCI-DSS v4.0 §8.3 — Multi-factor authentication for admin access"
- regulation: "SOC2"
control_id: "CC6.1"
citation: "SOC2 Trust Services Criteria CC6.1 — Logical access controls"
llm_review_trigger: true # rules in this class often need case-specific judgment
- id: insecure-random
pattern_regex: ".*"
field_type: "crypto.random"
applies_to_rules:
- "semgrep.*.insecure-random"
regulations:
- regulation: "PCI-DSS"
control_id: "3.6.1"
citation: "PCI-DSS v4.0 §3.6.1 — Cryptographic key generation practices"
llm_review_trigger: false
Schema fields per row:
| Field | Required | Type | Purpose |
|---|---|---|---|
id | yes | string | Stable identifier |
pattern_regex | yes | string | Regex applied to the finding's message / file / context |
field_type | yes | string | Categorical tag (pii.pan, auth.missing, crypto.random, etc.) for audit traceability |
applies_to_rules | yes | list[string] | Rule-id glob patterns this row matches |
regulations | yes | list[object] | One or more citation objects |
llm_review_trigger | no | bool (default false) | If true, LLM edge annotator is invoked for findings matched by this row |
Parse YAML. Every row MUST have the required fields. An invalid row fails the run with a named error pointing to the row id.
Apply rows in file-declaration order:
applies_to_rules globs against finding.rule_id. No match → skip row.pattern_regex against finding.message + finding.file (concatenated). No match → skip row.annotator: "pattern-table".llm_review_trigger: true, invoke the compliance-edge-annotator agent for this finding only. The agent can refine citations, add or remove regulations, or add a judgment note. Set annotator: "llm" if the agent modified anything.A finding with zero matching rows gets no annotation and does NOT appear in the output.
The skill exposes an optional LLMCallCounter interface for eval assertions:
class LLMCallCounter:
def invoke(self, prompt: str, context: dict) -> str: ...
def count(self) -> int: ...
def reset(self) -> None: ...
Production dispatches go through a real LLM. Eval runs inject a mock counter and assert the count matches the expected number of llm_review_trigger: true matches in the fixture.
Write memory/compliance-<slug>.json with the disclaimer at the root. The exec-report-generator includes the disclaimer verbatim in the report header.
Use the exact wording in knowledge/disclaimers.md § "Compliance mapping disclaimer". Required on every report.
llm_review_trigger: true. No loops, no recursion.annotator: "pattern-table" | "llm" for audit.agents/compliance-edge-annotator.md — the sonnet-tier agent invoked for llm_review_trigger: true matchesknowledge/compliance-patterns.yaml — the pattern table itselfplugins/agentic-dev-team/knowledge/security-primitives-contract.md — unified finding envelope