From openrouter-pack
Reviews OpenRouter API integrations for SOC2, GDPR, HIPAA compliance with checklists for data handling, access controls, audit trails, and provider routing to approved models.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin openrouter-packThis skill is limited to using the following tools:
OpenRouter is a proxy that routes requests to upstream providers (OpenAI, Anthropic, Google, etc.). Compliance depends on both OpenRouter's data handling and the selected provider's policies. Key considerations: data transit through OpenRouter infrastructure, provider-specific data retention, model selection for regulated data, and audit trail requirements.
Scans and redacts PII from prompts using regex patterns before OpenRouter API calls. Replaces emails, phones, SSNs, cards, keys, IPs with placeholders for GDPR/CCPA compliance.
Audits code for GDPR, HIPAA, SOC2, PCI-DSS compliance: lawful basis, data subject rights, consent management, safeguards, audit trails, license checks. For regulated data features.
Performs compliance audits for GDPR, HIPAA, SOC2, PCI-DSS in software systems; provides gap analysis, implementation plans, technical controls, policy templates, and monitoring scripts.
Share bugs, ideas, or general feedback.
OpenRouter is a proxy that routes requests to upstream providers (OpenAI, Anthropic, Google, etc.). Compliance depends on both OpenRouter's data handling and the selected provider's policies. Key considerations: data transit through OpenRouter infrastructure, provider-specific data retention, model selection for regulated data, and audit trail requirements.
COMPLIANCE_CHECKLIST = {
"data_handling": [
"Verify OpenRouter does NOT train on your data (confirmed in their privacy policy)",
"Confirm provider-level data policies (OpenAI, Anthropic, Google each differ)",
"Document data flow: your app -> OpenRouter -> provider -> OpenRouter -> your app",
"Identify if prompts contain PII, PHI, or regulated data",
"Implement PII redaction before sending to API",
],
"access_control": [
"Use per-service API keys (not shared keys)",
"Set credit limits per key to isolate blast radius",
"Rotate keys on a 90-day schedule",
"Store keys in secrets manager (not .env files in repos)",
"Enable management keys for programmatic key provisioning",
],
"audit_trail": [
"Log every API call with generation_id, model, user_id, cost",
"Hash prompts (SHA-256) instead of logging raw content",
"Retain audit logs per regulation (90d operational, 7yr financial)",
"Ship logs to append-only storage (S3, immutable DB)",
],
"provider_selection": [
"Route regulated data only to compliant providers",
"Use provider routing to exclude non-compliant providers",
"Document which models are approved for which data classifications",
"Test that fallback routing doesn't route to unapproved providers",
],
}
import os
from openai import OpenAI
client = OpenAI(
base_url="https://openrouter.ai/api/v1",
api_key=os.environ["OPENROUTER_API_KEY"],
default_headers={"HTTP-Referer": "https://my-app.com", "X-Title": "my-app"},
)
# Route ONLY to specific providers (e.g., Anthropic for SOC2)
response = client.chat.completions.create(
model="anthropic/claude-3.5-sonnet",
messages=[{"role": "user", "content": "Analyze this contract..."}],
max_tokens=2048,
extra_body={
"provider": {
"order": ["Anthropic"], # Only Anthropic's infrastructure
"allow_fallbacks": False, # Do NOT fall back to other providers
},
},
)
# Verify which provider actually served the request
print(f"Served by: {response.model}") # Should match anthropic/claude-3.5-sonnet
| Classification | Allowed Providers | Controls |
|---|---|---|
| Public | Any (including :free) | Standard logging |
| Internal | Tier 1 (OpenAI, Anthropic, Google) | Audit logging, key limits |
| Confidential | Anthropic, OpenAI (API-only) | PII redaction, no free models |
| Restricted/PHI | BYOK only or self-hosted | Full audit, encryption at rest |
# Bring Your Own Key -- requests go directly to provider
# OpenRouter acts as router only; data doesn't persist on OpenRouter
response = client.chat.completions.create(
model="openai/gpt-4o",
messages=[{"role": "user", "content": "Process this..."}],
max_tokens=1024,
extra_body={
"provider": {
"order": ["OpenAI"],
"allow_fallbacks": False,
},
},
# With BYOK, configure your provider key in OpenRouter dashboard
# Data flows: your app -> OpenRouter (routing only) -> OpenAI (your account)
)
#!/bin/bash
echo "=== OpenRouter Compliance Audit ==="
# 1. Verify API key has credit limit set
echo "1. Key configuration:"
curl -s https://openrouter.ai/api/v1/auth/key \
-H "Authorization: Bearer $OPENROUTER_API_KEY" | \
jq '{label: .data.label, limit: .data.limit, is_free_tier: .data.is_free_tier}'
# 2. Check if using free tier (not suitable for regulated data)
IS_FREE=$(curl -s https://openrouter.ai/api/v1/auth/key \
-H "Authorization: Bearer $OPENROUTER_API_KEY" | jq -r '.data.is_free_tier')
[ "$IS_FREE" = "true" ] && echo "WARNING: Free tier. Not suitable for regulated data."
# 3. Scan for hardcoded keys in source
FOUND=$(grep -r "sk-or-v1-" --include="*.py" --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | wc -l)
echo "Hardcoded keys found: $FOUND"
| Error | Cause | Fix |
|---|---|---|
| Request routed to unapproved provider | allow_fallbacks: true (default) | Set allow_fallbacks: false with explicit order |
| Key exposed in logs | Raw API key logged | Add PII redaction for sk-or-v1-* pattern |
| No audit trail for request | Logging middleware bypassed | Make audit logging a required wrapper |
| Free model used for regulated data | No model allowlist | Implement model allowlist in client wrapper |
provider.order + allow_fallbacks: false to guarantee data only flows to approved providers