From 8fe97d1675bd60ae148a6b94c92f8f9972500d50 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Sun, 5 Apr 2026 16:10:05 -0700 Subject: [PATCH] feat: add HIPAA entrypoint skill --- AGENTS.md | 4 +- README.md | 6 +-- README.zh-CN.md | 2 +- WORKING-CONTEXT.md | 1 + docs/zh-CN/AGENTS.md | 4 +- docs/zh-CN/README.md | 6 +-- manifests/install-modules.json | 2 + skills/hipaa-compliance/SKILL.md | 78 ++++++++++++++++++++++++++++++++ 8 files changed, 92 insertions(+), 11 deletions(-) create mode 100644 skills/hipaa-compliance/SKILL.md diff --git a/AGENTS.md b/AGENTS.md index 545f8737..5ee322f5 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,6 +1,6 @@ # Everything Claude Code (ECC) — Agent Instructions -This is a **production-ready AI coding plugin** providing 39 specialized agents, 163 skills, 72 commands, and automated hook workflows for software development. +This is a **production-ready AI coding plugin** providing 39 specialized agents, 164 skills, 72 commands, and automated hook workflows for software development. **Version:** 1.10.0 @@ -146,7 +146,7 @@ Troubleshoot failures: check test isolation → verify mocks → fix implementat ``` agents/ — 39 specialized subagents -skills/ — 163 workflow skills and domain knowledge +skills/ — 164 workflow skills and domain knowledge commands/ — 72 slash commands hooks/ — Trigger-based automations rules/ — Always-follow guidelines (common + per-language) diff --git a/README.md b/README.md index e5a98943..dcf48633 100644 --- a/README.md +++ b/README.md @@ -236,7 +236,7 @@ For manual install instructions see the README in the `rules/` folder. When copy /plugin list ecc@ecc ``` -**That's it!** You now have access to 39 agents, 163 skills, and 72 legacy command shims. +**That's it!** You now have access to 39 agents, 164 skills, and 72 legacy command shims. ### Multi-model commands require additional setup 
@@ -1154,7 +1154,7 @@ The configuration is automatically detected from `.opencode/opencode.json`. |---------|-------------|----------|--------| | Agents | PASS: 39 agents | PASS: 12 agents | **Claude Code leads** | | Commands | PASS: 72 commands | PASS: 31 commands | **Claude Code leads** | -| Skills | PASS: 163 skills | PASS: 37 skills | **Claude Code leads** | +| Skills | PASS: 164 skills | PASS: 37 skills | **Claude Code leads** | | Hooks | PASS: 8 event types | PASS: 11 events | **OpenCode has more!** | | Rules | PASS: 29 rules | PASS: 13 instructions | **Claude Code leads** | | MCP Servers | PASS: 14 servers | PASS: Full | **Full parity** | @@ -1263,7 +1263,7 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e |---------|------------|------------|-----------|----------| | **Agents** | 39 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 | | **Commands** | 72 | Shared | Instruction-based | 31 | -| **Skills** | 163 | Shared | 10 (native format) | 37 | +| **Skills** | 164 | Shared | 10 (native format) | 37 | | **Hook Events** | 8 types | 15 types | None yet | 11 types | | **Hook Scripts** | 20+ scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks | | **Rules** | 34 (common + lang) | 34 (YAML frontmatter) | Instruction-based | 13 instructions | diff --git a/README.zh-CN.md b/README.zh-CN.md index 688344a2..ef3c978a 100644 --- a/README.zh-CN.md +++ b/README.zh-CN.md @@ -106,7 +106,7 @@ cp -r everything-claude-code/rules/perl ~/.claude/rules/ /plugin list ecc@ecc ``` -**完成!** 你现在可以使用 39 个代理、163 个技能和 72 个命令。 +**完成!** 你现在可以使用 39 个代理、164 个技能和 72 个命令。 ### multi-* 命令需要额外配置 diff --git a/WORKING-CONTEXT.md b/WORKING-CONTEXT.md index a8250806..d65c5a3f 100644 --- a/WORKING-CONTEXT.md +++ b/WORKING-CONTEXT.md 
@@ -91,6 +91,7 @@ Keep this file detailed for only the current sprint, blockers, and next actions. ## Latest Execution Notes - 2026-04-05: Fixed the `main` npm CI break after the latest direct ports. `package-lock.json` had drifted behind `package.json` on the `globals` devDependency (`^17.1.0` vs `^17.4.0`), which caused all npm-based GitHub Actions jobs to fail at `npm ci`. Refreshed the lockfile only, verified `npm ci --ignore-scripts`, and kept the mixed-lock workspace otherwise untouched. +- 2026-04-05: Direct-ported the useful discoverability part of `#1221` without duplicating a second healthcare compliance system. Added `skills/hipaa-compliance/SKILL.md` as a thin HIPAA-specific entrypoint that points into the canonical `healthcare-phi-compliance` / `healthcare-reviewer` lane, and wired both healthcare privacy skills into the `security` install module for selective installs. - 2026-04-02: `ECC-Tools/main` shipped `9566637` (`fix: prefer commit lookup over git ref resolution`). The PR-analysis fire is now fixed in the app repo by preferring explicit commit resolution before `git.getRef`, with regression coverage for pull refs and plain branch refs. Mirrored public tracking issue `#1184` in this repo was closed as resolved upstream. - 2026-04-02: Direct-ported the clean native-support core of `#1043` into `main`: `agents/csharp-reviewer.md`, `skills/dotnet-patterns/SKILL.md`, and `skills/csharp-testing/SKILL.md`. This fills the gap between existing C# rule/docs mentions and actual shipped C# review/testing guidance. - 2026-04-02: Direct-ported the clean native-support core of `#1055` into `main`: `agents/dart-build-resolver.md`, `commands/flutter-build.md`, `commands/flutter-review.md`, `commands/flutter-test.md`, `rules/dart/*`, and `skills/dart-flutter-patterns/SKILL.md`. The skill paths were wired into the current `framework-language` module instead of replaying the older PR's separate `flutter-dart` module layout. 
diff --git a/docs/zh-CN/AGENTS.md b/docs/zh-CN/AGENTS.md index d9d1052d..89fcd7bf 100644 --- a/docs/zh-CN/AGENTS.md +++ b/docs/zh-CN/AGENTS.md @@ -1,6 +1,6 @@ # Everything Claude Code (ECC) — 智能体指令 -这是一个**生产就绪的 AI 编码插件**,提供 39 个专业代理、163 项技能、72 条命令以及自动化钩子工作流,用于软件开发。 +这是一个**生产就绪的 AI 编码插件**,提供 39 个专业代理、164 项技能、72 条命令以及自动化钩子工作流,用于软件开发。 **版本:** 1.10.0 @@ -147,7 +147,7 @@ ``` agents/ — 39 个专业子代理 -skills/ — 163 个工作流技能和领域知识 +skills/ — 164 个工作流技能和领域知识 commands/ — 72 个斜杠命令 hooks/ — 基于触发的自动化 rules/ — 始终遵循的指导方针(通用 + 每种语言) diff --git a/docs/zh-CN/README.md b/docs/zh-CN/README.md index 1778ee21..4babf9e0 100644 --- a/docs/zh-CN/README.md +++ b/docs/zh-CN/README.md @@ -209,7 +209,7 @@ npx ecc-install typescript /plugin list ecc@ecc ``` -**搞定!** 你现在可以使用 39 个智能体、163 项技能和 72 个命令了。 +**搞定!** 你现在可以使用 39 个智能体、164 项技能和 72 个命令了。 *** @@ -1096,7 +1096,7 @@ opencode |---------|-------------|----------|--------| | 智能体 | PASS: 39 个 | PASS: 12 个 | **Claude Code 领先** | | 命令 | PASS: 72 个 | PASS: 31 个 | **Claude Code 领先** | -| 技能 | PASS: 163 项 | PASS: 37 项 | **Claude Code 领先** | +| 技能 | PASS: 164 项 | PASS: 37 项 | **Claude Code 领先** | | 钩子 | PASS: 8 种事件类型 | PASS: 11 种事件 | **OpenCode 更多!** | | 规则 | PASS: 29 条 | PASS: 13 条指令 | **Claude Code 领先** | | MCP 服务器 | PASS: 14 个 | PASS: 完整 | **完全对等** | @@ -1208,7 +1208,7 @@ ECC 是**第一个最大化利用每个主要 AI 编码工具的插件**。以 |---------|------------|------------|-----------|----------| | **智能体** | 39 | 共享 (AGENTS.md) | 共享 (AGENTS.md) | 12 | | **命令** | 72 | 共享 | 基于指令 | 31 | -| **技能** | 163 | 共享 | 10 (原生格式) | 37 | +| **技能** | 164 | 共享 | 10 (原生格式) | 37 | | **钩子事件** | 8 种类型 | 15 种类型 | 暂无 | 11 种类型 | | **钩子脚本** | 20+ 个脚本 | 16 个脚本 (DRY 适配器) | N/A | 插件钩子 | | **规则** | 34 (通用 + 语言) | 34 (YAML 前页) | 基于指令 | 13 条指令 | diff --git a/manifests/install-modules.json b/manifests/install-modules.json index 0b5656b6..dd450c3e 100644 --- a/manifests/install-modules.json +++ b/manifests/install-modules.json 
@@ -235,6 +235,8 @@ "description": "Security review and security-focused framework guidance.", "paths": [ "skills/django-security", + "skills/healthcare-phi-compliance", + "skills/hipaa-compliance", "skills/laravel-security", "skills/perl-security", "skills/security-review", diff --git a/skills/hipaa-compliance/SKILL.md b/skills/hipaa-compliance/SKILL.md new file mode 100644 index 00000000..be356e39 --- /dev/null +++ b/skills/hipaa-compliance/SKILL.md 
@@ -0,0 +1,78 @@ +--- +name: hipaa-compliance +description: HIPAA-specific entrypoint for healthcare privacy and security work. Use when a task is explicitly framed around HIPAA, PHI handling, covered entities, BAAs, breach posture, or US healthcare compliance requirements. +origin: ECC direct-port adaptation +version: "1.0.0" +--- + +# HIPAA Compliance + +Use this as the HIPAA-specific entrypoint when a task is clearly about US healthcare compliance. This skill intentionally stays thin and canonical: + +- `healthcare-phi-compliance` remains the primary implementation skill for PHI/PII handling, data classification, audit logging, encryption, and leak prevention. +- `healthcare-reviewer` remains the specialized reviewer when code, architecture, or product behavior needs a healthcare-aware second pass. +- `security-review` still applies for general auth, input-handling, secrets, API, and deployment hardening. + +## When to Use + +- The request explicitly mentions HIPAA, PHI, covered entities, business associates, or BAAs +- Building or reviewing US healthcare software that stores, processes, exports, or transmits PHI +- Assessing whether logging, analytics, LLM prompts, storage, or support workflows create HIPAA exposure +- Designing patient-facing or clinician-facing systems where minimum necessary access and auditability matter + +## How It Works + +Treat HIPAA as an overlay on top of the broader healthcare privacy skill: + +1. Start with `healthcare-phi-compliance` for the concrete implementation rules. +2. Apply HIPAA-specific decision gates: + - Is this data PHI? + - Is this actor a covered entity or business associate? + - Does a vendor or model provider require a BAA before touching the data? + - Is access limited to the minimum necessary scope? + - Are read/write/export events auditable? +3. Escalate to `healthcare-reviewer` if the task affects patient safety, clinical workflows, or regulated production architecture. 
+ +## HIPAA-Specific Guardrails + +- Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings. +- Never expose PHI in URLs, browser storage, screenshots, or copied example payloads. +- Require authenticated access, scoped authorization, and audit trails for PHI reads and writes. +- Treat third-party SaaS, observability, support tooling, and LLM providers as blocked-by-default until BAA status and data boundaries are clear. +- Follow minimum necessary access: the right user should only see the smallest PHI slice needed for the task. +- Prefer opaque internal IDs over names, MRNs, phone numbers, addresses, or other identifiers. + +## Examples + +### Example 1: Product request framed as HIPAA + +User request: + +> Add AI-generated visit summaries to our clinician dashboard. We serve US clinics and need to stay HIPAA compliant. + +Response pattern: + +- Activate `hipaa-compliance` +- Use `healthcare-phi-compliance` to review PHI movement, logging, storage, and prompt boundaries +- Verify whether the summarization provider is covered by a BAA before any PHI is sent +- Escalate to `healthcare-reviewer` if the summaries influence clinical decisions + +### Example 2: Vendor/tooling decision + +User request: + +> Can we send support transcripts and patient messages into our analytics stack? + +Response pattern: + +- Assume those messages may contain PHI +- Block the design unless the analytics vendor is approved for HIPAA-bound workloads and the data path is minimized +- Require redaction or a non-PHI event model when possible + +## Related Skills + +- `healthcare-phi-compliance` +- `healthcare-reviewer` +- `healthcare-emr-patterns` +- `healthcare-eval-harness` +- `security-review`
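Review bot: in the new `skills/hipaa-compliance/SKILL.md`, the guardrail "Never place PHI in logs, analytics events, crash reports, prompts, or client-visible error strings" contradicts Example 1, where PHI is sent to a summarization provider once a BAA is in place; qualify the prompt clause to prompts sent to any model or provider without an executed BAA and an agreed data boundary, or move prompts into the "blocked-by-default until BAA status and data boundaries are clear" bullet, which already carries the right gate. Three smaller points in the same file: the decision gate requires "read/write/export events" to be auditable while the guardrail only requires audit trails "for PHI reads and writes", so add export there too; "Prefer opaque internal IDs over names, MRNs, ..." should say that an internal ID paired with clinical context in the same log line or payload is still PHI, so the substitution only helps when the surrounding record carries no health information; and the frontmatter description promises coverage of "breach posture" while the body never mentions breach handling, so either drop that phrase or add a gate for it. Finally, `healthcare-reviewer` is described as the reviewer the skill escalates to (the pattern used for `csharp-reviewer` under `agents/`), so listing it under "Related Skills" mislabels it; move it to a separate "Related Agents" line or note it inline as an agent.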
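Review bot: the `manifests/install-modules.json` hunk adds only `skills/healthcare-phi-compliance` and `skills/hipaa-compliance` to the `security` module, but the new skill escalates to `healthcare-reviewer` and lists `healthcare-emr-patterns` and `healthcare-eval-harness` as related; confirm that a selective `security` install still resolves those references, or state in the skill that they are optional, so users who install only this module do not get an entrypoint pointing at content they do not have.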