From policystack
Finds un-annotated data collection and egress in a codebase and adds PolicyStack collecting/sharing/thirdParty/defineCookie markers so the generated privacy policy reflects actual code behavior.
Install: npx claudepluginhub jamiedavenport/policystack --plugin policystack
Slash command: /policystack:policystack-instrument
<!-- Generated by @policystack/sdk renderSkillPack() — do not edit by hand. Run `vp run gen`. -->
Related skills in the same plugin:

- Scans codebases for PII exposure, hardcoded sensitive data, unsafe logging, unencrypted storage, insecure transmission, missing consent, and retention issues.
- Generates tailored privacy policies by scanning websites or codebases for data collection signals such as cookies, forms, payments, analytics, and trackers, for GDPR/CCPA compliance.
- Audits a policystack.ts config by running validation, explaining each issue code, and proposing minimal fixes until clean. Use when a PolicyStack config has validation errors or warnings.
Make the policy reflect reality: annotate real data flows at their call sites so the @policystack/vite build scans them into the config. The markers are identity functions: they return their value unchanged and have no runtime effect; the build reads them statically.
Markers (all exported from @policystack/sdk):

- collecting(category, value, labels): wrap a value at the point it is stored. labels maps each field to a human label, or to Ignore to exclude it (e.g. password: Ignore).
- sharing(key, recipient, value): wrap an outbound payload at a data egress edge (the CCPA sell/share signal).
- thirdParty(name, purpose, policyUrl?): declare that a vendor exists; place it next to the vendor's initialisation.
- defineCookie(category): declare a consent category at its use site.

Constraint: category, key, recipient, name and the label map must be string / object literals. Non-literal arguments are skipped by the static scanner: it emits a build diagnostic, so they are not silently lost, but no annotation is produced. Never pass a variable.
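As an added example (not code from PolicyStack, this skill, or the @policystack/vite scanner), the following TypeScript lint enforces the literal-argument constraint above before the build runs: it scans source text for the four marker calls and reports any category, key, recipient or name argument that is not a string literal, which is exactly the case the scanner would skip. The parser is a deliberately small regex plus depth-tracking splitter written for this page. The sample source it runs over is constructed; the category strings ("account", "checkout", "analytics"), the vendor name and the placeholder privacy URL in it are assumptions, not values defined by the SDK.

```typescript
// Added example: a small pre-commit lint for the "literal arguments only" rule.
// This is NOT the @policystack/vite scanner; it is a constructed regex +
// depth-tracking parser written for this page. Marker names and the argument
// positions that must be literals follow the signatures documented above.

type Marker = "collecting" | "sharing" | "thirdParty" | "defineCookie";

// Argument positions the static scanner needs as string literals.
const LITERAL_POSITIONS: Record<Marker, number[]> = {
  collecting: [0],   // category
  sharing: [0, 1],   // key, recipient
  thirdParty: [0],   // name
  defineCookie: [0], // category
};

interface Finding {
  marker: Marker;
  line: number;     // 1-based line of the call
  argIndex: number; // which argument is non-literal
  text: string;     // the offending argument text
}

// Split the text after "marker(" into top-level arguments, stopping at the
// matching ")". Tracks brackets and quotes so an object-literal label map
// with commas inside it stays one argument.
function splitTopLevelArgs(src: string, start: number): string[] {
  const args: string[] = [];
  let depth = 0;
  let quote: string | null = null;
  let current = "";
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {
      current += ch;
      if (ch === "\\") { current += src[++i] ?? ""; continue; } // keep escaped char
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; current += ch; continue; }
    if (ch === "(" || ch === "{" || ch === "[") { depth++; current += ch; continue; }
    if (ch === ")" || ch === "}" || ch === "]") {
      if (depth === 0) { args.push(current.trim()); return args; } // end of call
      depth--; current += ch; continue;
    }
    if (ch === "," && depth === 0) { args.push(current.trim()); current = ""; continue; }
    current += ch;
  }
  if (current.trim() !== "") args.push(current.trim()); // unterminated call
  return args;
}

// A plain quoted string is a literal; a template with ${...} interpolation is
// not, because its value is not known statically.
function isStringLiteral(arg: string): boolean {
  if (arg.startsWith("`") && arg.includes("${")) return false;
  return /^(["'`])(?:\\[\s\S]|(?!\1)[\s\S])*\1$/.test(arg);
}

export function findNonLiteralMarkerArgs(src: string): Finding[] {
  const findings: Finding[] = [];
  const re = /\b(collecting|sharing|thirdParty|defineCookie)\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    const marker = m[1] as Marker;
    const args = splitTopLevelArgs(src, m.index + m[0].length);
    const line = src.slice(0, m.index).split("\n").length;
    for (const argIndex of LITERAL_POSITIONS[marker]) {
      const text = args[argIndex];
      if (text === undefined || !isStringLiteral(text)) {
        findings.push({ marker, line, argIndex, text: text ?? "<missing>" });
      }
    }
  }
  return findings;
}

// Constructed sample source. Category strings, the vendor name and the privacy
// URL are placeholders for this example, not values defined by the SDK.
export const SAMPLE = `
import { collecting, sharing, thirdParty, defineCookie, Ignore } from "@policystack/sdk";

// Good: literal category, object-literal label map, password excluded via Ignore.
const user = collecting("account", { email, password }, { email: "Email address", password: Ignore });

// Bad: category is a variable, so the static scanner skips this call.
const profile = collecting(category, form, { name: "Full name" });

// Good: egress edge with a literal key and recipient.
await fetch(url, { body: JSON.stringify(sharing("checkout", "Stripe", payload)) });

// Bad: recipient is computed at runtime.
sharing("webhook", vendor.name, payload);

thirdParty("Stripe", "payments", "https://example.com/privacy");
defineCookie("analytics");
`;

// Usage: run the lint over the sample and print a pre-commit style report.
for (const f of findNonLiteralMarkerArgs(SAMPLE)) {
  console.log(`line ${f.line}: ${f.marker}() argument ${f.argIndex} is not a literal: ${f.text}`);
}
```

Run it over the sample and it reports two calls, the collecting() whose category is a variable and the sharing() whose recipient is computed; the correctly annotated calls, including the label map that excludes password via Ignore, pass. Wiring a check like this into pre-commit or CI catches the mistake before the build diagnostic does, at the point where the developer can still see the call site.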
The scanner already recognises common cookie/vendor surfaces (document.cookie,
js-cookie, cookies-next, react-cookie, server set-cookie, and
~30 known vendor imports) and flags any that are not gated by
<ConsentGate>, a consent.has(...) check, or an accept/set helper. Look
for, in priority order:
1. Stored values with no collecting().
2. Egress edges (outbound payloads) with no sharing() and no thirdParty().
3. localStorage writes and tracker <script>/SDK init with no defineCookie() and not consent-gated.

Typed constants available for the config:

- DataCategories: AccountInfo, Communications, DeviceInfo, LocationData, PaymentInfo, SessionData, UsageData
- LegalBases: Consent, Contract, LegalObligation, LegitimateInterests, PublicTask, VitalInterests
- Retention: AsRequiredByLaw, NinetyDays, OneYear, ThirtyDays, ThreeYears, UntilAccountDeletion, UntilSessionExpiry
- Providers: AWS, Auth0, Clerk, Cloudflare, Datadog, GoogleAnalytics, LemonSqueezy, Loops, Mixpanel, Paddle, PayPal, Plausible, PostHog, Postmark, Resend, SendGrid, Sentry, Stripe, Vercel
- Compliance: CCPA, GDPR, UK_GDPR

Each annotated category needs a matching data.context / cookies.context entry in policystack.ts (the typed config enforces this). Finish by running policystack-audit to confirm the config still validates.