Themida

Rule packs

Six frameworks. Thirty rules.

Each rule pack maps a concrete code pattern to a legal article, a severity, and a paste-ready fix. Six packs ship today (five rules each); two more are open for contribution. Every pack is plain TypeScript under src/lib/rules/frameworks/.

Shipped · alpha

GDPR

5 rules

EU data protection — lawful processing, security of personal data, and breach exposure.

GDPR-001 – GDPR-005

EU AI Act

5 rules

Obligations for AI systems — risk classification, transparency, and prohibited practices.

AI-ACT-001 – AI-ACT-005

MiCA

5 rules

Markets in Crypto-Assets — safeguards for crypto-asset services and token issuers.

MICA-001 – MICA-005

HIPAA

5 rules

US health data — protection of electronic protected health information (ePHI).

HIPAA-001 – HIPAA-005

OWASP Top 10

5 rules

The most critical web application security risks — injection, broken access control, and more.

OWASP-001 – OWASP-005

PCI DSS

5 rules

Payment card data security — storage, transmission, and access to cardholder data.

PCI-001 – PCI-005

Planned · contributions welcome

Not shipped yet — each is a single framework pack away. Open an issue if you'd like to take one on.

  • SOC 2
  • ISO 27001

How a rule pack works

A pack is a folder with a meta.json and a set of rules. Each rule pairs a detectable code pattern with the legal article it implicates, a severity, and a suggested fix. The shipping set is declared in one registry file, and the docs table is generated from it — so the site, the docs, and the code never drift apart.

# scan only specific frameworks
pnpm dev:scan --path . \
  --frameworks gdpr,owasp

# a finding, line-level
src/auth/login.ts:41
  CRITICAL  GDPR Art. 5(1)(f)
  MD5 password hash
  Fix → bcrypt cost 12+, or Argon2id
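The pattern-to-article-to-fix pairing described above, as an added example rather than Themida's own code: the Rule and Finding shapes, field names, the regex and the sample login file are all assumptions, chosen so the output matches the finding shown above.

```typescript
// Hypothetical rule and finding shapes; Themida's own interfaces may differ.
type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
interface Rule {
  id: string;          // e.g. GDPR-001
  framework: string;   // key used by --frameworks, e.g. "gdpr"
  article: string;     // legal article the pattern implicates
  severity: Severity;
  title: string;
  fix: string;         // paste-ready remediation
  pattern: RegExp;     // line-level detectable code pattern
}
interface Finding { file: string; line: number; rule: Rule }

// Constructed rule modelled on the finding shown on this page (id is assumed).
const md5PasswordHash: Rule = {
  id: "GDPR-001",
  framework: "gdpr",
  article: "GDPR Art. 5(1)(f)",
  severity: "CRITICAL",
  title: "MD5 password hash",
  fix: "bcrypt cost 12+, or Argon2id",
  // Node createHash('md5') or a bare md5(...) call; a real rule would add context
  // checks so MD5 used for a non-password checksum is not flagged.
  pattern: /createHash\(\s*['"]md5['"]\s*\)|\bmd5\s*\(/i,
};

// Scan one file with the rules of the selected frameworks, reporting line numbers.
function scanSource(file: string, source: string, rules: Rule[], frameworks: string[]): Finding[] {
  const active = rules.filter((r) => frameworks.includes(r.framework));
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of active) {
      if (rule.pattern.test(text)) findings.push({ file, line: idx + 1, rule });
    }
  });
  return findings;
}

// Render a finding in the same layout as the page's sample output.
function formatFinding(f: Finding): string {
  const r = f.rule;
  return `${f.file}:${f.line}\n  ${r.severity}  ${r.article}\n  ${r.title}\n  Fix → ${r.fix}`;
}

// Constructed sample input: a login module that hashes passwords with MD5.
const sampleLogin = [
  "import { createHash } from 'node:crypto';",
  "export function verify(pw: string, stored: string): boolean {",
  "  const digest = createHash('md5').update(pw).digest('hex');",
  "  return digest === stored;",
  "}",
].join("\n");
```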