Automated compliance verification and enforcement for AI tools against 11 mandatory P0 rules covering auth, security, cost tracking, and logging.
Works with
Verifies 11 P0 rules across four domains (Security 40pts, Auth 25pts, Cost 20pts, Logging 15pts) with quantitative compliance scoring and deploy gate verdicts (Green/Yellow/Red)
Three execution modes: quick static scan via grep/glob patterns, full verification with evidence collection, and guided improvement with fix suggestions and re-verific
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionai-tool-complianceExecute the skills CLI command in your project's root directory to begin installation:
Fetches ai-tool-compliance from supercent-io/skills-template and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate ai-tool-compliance. Access via /ai-tool-compliance in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
88
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
88
stars
npx skills add https://github.com/supercent-io/skills-template --skill ai-tool-compliance
| Action | Command | Description |
|---|---|---|
| Project initialization | /compliance-init |
Generate RBAC matrix, Gateway boilerplate, log schema, cost tracking interface |
| Quick scan | /compliance-scan, /compliance-quick, /quick |
Quick inspection of P0 key items (code pattern-based) |
| Full verification | /compliance-verify, /compliance-full, /full |
Full verification of 11 P0 rules + compliance score computation |
| Score check | /compliance-score |
Display current compliance score (security/auth/cost/logging) |
| Deploy gate | /compliance-gate |
Green/Yellow/Red verdict + deploy approve/block decision |
| Improvement guide | /compliance-improve, /improve |
Specific fix suggestions per violation + re-verification loop |
Mode slash commands are mapped as follows.
/quick, /compliance-quick -> Quick Scan (/compliance-scan)/full, /compliance-full -> Full Verify (/compliance-verify)/improve -> Improve (/compliance-improve)quick-scan)Statically analyzes the codebase to quickly identify potential P0 violations.
How to run: /compliance-scan, /compliance-quick, /quick or trigger keywords compliance scan, quick scan
What it does:
Output: List of suspected violations (file path + line number + rule ID)
Duration: 1–3 minutes
full-verify)Fully verifies all 11 P0 rules and computes a quantitative compliance score.
How to run: /compliance-verify, /compliance-full, /full or trigger keywords P0 verification, full verify, deploy verification
What it does:
Output: Compliance report (compliance-report.md)
## Compliance Report
- Date: 2026-03-03
- Project: my-ai-tool
- Score: 92/100 (Green)
### Rule Results
| Rule ID | Rule Name | Result | Evidence |
|---------|-----------|--------|----------|
| AUTH-P0-001 | Force Guest for New Signups | PASS | signup.ts:45 role='guest' |
| AUTH-P0-002 | Block Guest Menu/API Access | PASS | middleware.ts:12 guestBlock |
| ... | ... | ... | ... |
### Score Breakdown
- Security: 33/40
- Auth: 25/25
- Cost: 17/20
- Logging: 12/15
- Total: 92/100
### Gate Decision: GREEN - Deploy Approved
Duration: 5–15 minutes (varies by project size)
improve)Provides specific fix guides for violations and runs a re-verification loop.
How to run: /compliance-improve, /improve or trigger keywords compliance improvement, fix violations
What it does:
Output: Fix proposal + re-verification results
/compliance-improve runs
|
1. Load latest verification-run.json
|
2. Extract FAIL items (rule_id + evidence)
|
3. For each FAIL:
|
a. Read violation code from evidence file:line
b. Derive fix direction from rule.remediation + rule.check_pattern.must_contain
c. Generate before/after code diff
d. Apply fix via Write (after user confirmation)
e. Re-verify only that rule (re-run Grep pattern)
f. Confirm transition to PASS
|
4. Full re-verification (/compliance-verify)
|
5. Output Before/After score comparison
|
6. If no remaining FAILs → present guide for introducing P1 recommended requirements
Fix application priority:
must_not_contain violations (requires immediate removal) → delete the code or replace with server API callmust_contain unmet (pattern needs to be added) → insert code per the remediation guide11 P0 rules based on the internal AI tool mandatory implementation guide v1.1:
| Rule ID | Category | Rule Name | Description | Score |
|---|---|---|---|---|
| AUTH-P0-001 | Auth | Force Guest for New Signups | Automatically assign role=Guest on signup; elevated roles granted only via invitation | Auth 8 |
| AUTH-P0-002 | Auth | Block Guest Menu/API Access | Do not expose tool name, model name, internal infrastructure, cost, or structure to Guest. Only allow access to permitted menus/APIs | Auth 7 |
| AUTH-P0-003 | Auth | Server-side Final Auth Check | Server-side auth verification middleware required for all API requests. Client-side checks alone are insufficient | Auth 10 |
| SEC-P0-004 | Security | Prohibit Direct Firestore Access | Direct read/write to Firestore from client is forbidden. Only via Cloud Functions is allowed | Security 12 |
| SEC-P0-005 | Security | Enforce External API Gateway | Direct calls to external AI APIs (Gemini, OpenAI, etc.) are forbidden. Must route through internal Gateway (Cloud Functions) | Security 18 |
| SEC-P0-009 | Security | Server-side Sensitive Text Processing | Sensitive raw content (prompts, full responses) is processed server-side only. Only reference values (IDs) are sent to clients | Security 10 |
| COST-P0-006 | Cost | Model Call Cost Log | Must record model, inputTokens, outputTokens, estimatedCost for every AI model call | Cost 10 |
| COST-P0-007 | Cost | BQ Scan Cost Log | Must record bytesProcessed, estimatedCost when executing BigQuery queries | Cost 5 |
| COST-P0-011 | Cost | Cache-first Lookup | Cache lookup required before high-cost API calls. Actual call only on cache miss | Cost 5 |
| LOG-P0-008 | Logging | Mandatory Failed Request Logging | Must log all failed requests (4xx, 5xx, timeout). No omissions allowed | Logging 10 |
| LOG-P0-010 | Logging | Auth Change Audit Log | Record all auth-related events: role changes, permission grants/revocations, invitation sends | Logging 5 |
| Domain | Max Score | Included Rules |
|---|---|---|
| Security | 40 | SEC-P0-004, SEC-P0-005, SEC-P0-009 |
| Auth | 25 | AUTH-P0-001, AUTH-P0-002, AUTH-P0-003 |
| Cost | 20 | COST-P0-006, COST-P0-007, COST-P0-011 |
| Logging | 15 | LOG-P0-008, LOG-P0-010 |
| Total | 100 | 11 P0 rules |
Verification for each rule is performed based on the check_pattern defined in rules/p0-catalog.yaml. The core mechanism is Grep/Glob static analysis.
Verdict Algorithm (per rule):
1. Glob(check_targets) → collect target files
2. grep_patterns matching → identify files using that feature
- 0 matches → N/A (feature not used, no penalty)
3. must_not_contain check (excluding exclude_paths)
- Match found → immediate FAIL + record evidence
4. must_contain check
- All satisfied → PASS
- Partially satisfied → WARNING
- Not satisfied → FAIL
Key Grep Patterns per Rule:
| Rule ID | Feature Detection (grep_patterns) | Compliance Check (must_contain) | Violation Detection (must_not_contain) |
|---|---|---|---|
| AUTH-P0-001 | signup|register|createUser |
role.*['"]guest['"] |
role.*['"]admin['"] (on signup) |
| AUTH-P0-002 | guard|middleware|authorize |
guest.*block|guest.*deny |
-- |
| AUTH-P0-003 | router\.(get|post|put|delete) |
auth|verify|authenticate |
-- |
| SEC-P0-004 | -- (all targets) | -- | firebase/firestore|getDocs|setDoc (client paths) |
| SEC-P0-005 | -- (all targets) | -- | fetch\(['"]https?://(?!localhost) (client paths) |
| SEC-P0-009 | -- (all targets) | -- | res\.json\(.*password|console\.log\(.*token |
| COST-P0-006 | openai|vertexai|gemini|anthropic |
cost|token|usage|billing |
-- |
| COST-P0-007 | bigquery|BigQuery|createQueryJob |
totalBytesProcessed|bytesProcessed|cost |
-- |
| COST-P0-011 | openai|vertexai|gemini|anthropic |
cache|Cache|redis|memo |
-- |
| LOG-P0-008 | catch|errorHandler|onError |
logger|log\.error|winston|pino |
-- |
| LOG-P0-010 | updateRole|changeRole|setRole |
audit|auditLog|eventLog |
-- |
Detailed schema: see rules/p0-catalog.yaml and the "Judgment Algorithm" section in REFERENCE.md
5 key verification scenarios run in Full Verify mode (/compliance-verify). Each scenario groups related P0 rules for end-to-end verification.
| ID | Scenario | Related Rules | Verification Method | Pass Criteria |
|---|---|---|---|---|
| SC-001 | New Signup -> Guest Isolation | AUTH-P0-001, AUTH-P0-002 | Verify role=guest assignment in signup code + confirm 403 return pattern when Guest calls protected API | PASS when role is guest and access-denied pattern exists for protected API |
| SC-002 | AI Call -> Via Gateway + Cost Logged | SEC-P0-005, COST-P0-006, COST-P0-011 | (1) Confirm absence of direct external API calls (2) Confirm routing via Gateway function (3) Confirm cost log fields (model, tokens, cost) recorded (4) Confirm cache lookup logic exists | PASS when Gateway routing + 4 cost log fields recorded + cache layer exists |
| SC-003 | Firestore Access -> Functions-Only | SEC-P0-004, AUTH-P0-003 | (1) Detect direct Firestore SDK import in client code (2) Confirm server-side auth verification middleware exists | PASS when 0 direct client access instances + server middleware exists |
| SC-004 | Failed Requests -> No Log Gaps | LOG-P0-008, LOG-P0-010 | (1) Confirm log call in error handler (2) Confirm no log gaps in catch blocks (3) Confirm audit log exists for auth change events | PASS when all error handlers call log + auth change audit log exists |
| SC-005 | Sensitive Data -> Not Exposed to Client | SEC-P0-009, AUTH-P0-002 | (1) Confirm API responses do not include raw prompts/responses, only reference IDs (2) Confirm Guest responses do not include model name/cost/infrastructure info | PASS when raw content not in response + Guest exposure control confirmed |
SC-001: grep signup/register -> assert role='guest' -> grep guestBlock/guestDeny -> assert exists
SC-002: grep fetch(https://) in client -> assert 0 hits -> grep gateway log -> assert cost fields -> assert cache check
SC-003: grep firebase/firestore in client/ -> assert 0 hits -> grep authMiddleware in functions/ -> assert exists
SC-004: grep catch blocks -> assert logAction in each -> grep roleChange -> assert auditLog
SC-005: grep res.json for raw text -> assert 0 hits -> grep guest response -> assert no model/cost info
After the deploy gate verdict, the role's Go/No-Go checkpoints must be cleared based on the grade. 4 roles × 5 items = 20 checkpoints total.
| # | Checkpoint | Go Condition | No-Go Condition |
|---|---|---|---|
| 1 | SLA Impact Analysis | Confirmed no impact on existing service availability/response-time SLA | SLA impact unanalyzed or degradation expected |
| 2 | Rollback Procedure | Rollback procedure documented + tested | Rollback procedure not established |
| 3 | Performance Test | Load/stress test completed + within threshold | Performance test not run |
| 4 | Incident Alerts | Incident detection alert channels (Slack/PagerDuty, etc.) configured | Alert channels not configured |
| 5 | Monitoring Dashboard | Dashboard for key metrics (error rate, response time, AI cost) exists | Monitoring absent |
| # | Checkpoint | Go Condition | No-Go Condition |
|---|---|---|---|
| 1 | FAIL Rule Root Cause Analysis | Root cause identified + documented for all FAIL rules | Unidentified items exist |
| 2 | Fix Code Verification | Fixed code accurately reflects the intent of the rule | Fix does not match rule intent |
| 3 | Re-verification Pass | Rule transitions to PASS in re-verification after fix | Re-verification not run or still FAIL |
| 4 | No Regression Impact | Fix confirmed to have no negative impact on other P0 rules | Another rule newly FAILs |
| 5 | Code Review Done | Code review approval completed for fixed code | Code review not completed |
| # | Checkpoint | Go Condition | No-Go Condition |
|---|---|---|---|
| 1 | User Impact Assessment | User impact of non-compliant items is acceptable | User impact not assessed |
| 2 | Schedule Risk | Fix timeline is within release schedule | Schedule overrun expected |
| 3 | Scope Agreement | Stakeholder agreement completed for scope changes | Agreement not reached |
| 4 | Cost Impact | AI usage cost within approved budget | Budget overrun expected |
| 5 | Communication | Changes shared with relevant teams | Not shared |
| # | Checkpoint | Go Condition | No-Go Condition |
|---|---|---|---|
| 1 | Cost Cap | Monthly AI cost within pre-approved budget | Budget cap exceeded |
| 2 | Security Risk | All security P0 passed or exception reason is reasonable | P0 security FAIL + insufficient exception justification |
| 3 | Legal/Regulatory Risk | Data processing complies with applicable laws (privacy laws, etc.) | Legal risks not reviewed |
| 4 | Business Continuity | Business impact is limited if deployment fails | Business disruption risk exists |
| 5 | Final Approval | Final approval when all 4 above are Go | Deferred if even 1 is No-Go |
compliance-report.md, generated when /compliance-verify runs, consists of 6 sections.
# Compliance Report
## 1. Summary
- Project name, verification date/time, verification mode (quick-scan / full-verify)
- Total compliance score / 100
- Deploy gate grade (Green / Yellow / Red)
- P0 FAIL count
- Verification duration
## 2. Rule Results
| Rule ID | Category | Rule Name | Result | Score | Evidence |
|---------|----------|Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
supercent-io/skills-template
supercent-io/skills-template
supercent-io/skills-template
supercent-io/skills-template
supercent-io/skills-template
supercent-io/skills-template
I recommend ai-tool-compliance for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: ai-tool-compliance is focused, and the summary matches what you get after install.
Registry listing for ai-tool-compliance matched our evaluation — installs cleanly and behaves as described in the markdown.
We added ai-tool-compliance from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in ai-tool-compliance — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
ai-tool-compliance reduced setup friction for our internal harness; good balance of opinion and flexibility.
ai-tool-compliance is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Keeps context tight: ai-tool-compliance is the kind of skill you can hand to a new teammate without a long onboarding doc.
ai-tool-compliance fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
I recommend ai-tool-compliance for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 33