DEV Community: dhicks

Add Compliance Scanning to Claude Code

dhicks — Tue, 07 Apr 2026 02:27:33 +0000

Originally published at getpageguard.com

CLAUDE.md: Your AI Pair Programmer's Memory

If you're using Claude Code (Anthropic's CLI for Claude), you already know it can read your codebase, run commands, and make architectural decisions. What you might not know is that CLAUDE.md acts as persistent memory — a file at your project root that Claude reads at the start of every session.

Most developers use CLAUDE.md for coding conventions and architecture notes. But it's also the perfect place to encode compliance rules that trigger when your dependencies change.

The Problem With "I'll Add a Privacy Policy Later"

Here's how it usually goes: you're pairing with Claude Code, building fast. "Add Stripe checkout." Done. "Wire up PostHog analytics." Done. "Deploy to Vercel." Done.

Three weeks later, a user in your Discord asks about your privacy policy. You don't have one. Your site is collecting payment card metadata through Stripe, tracking user behavior through PostHog, and storing session data in cookies — all without disclosure.

A CLAUDE.md rule prevents this by making Claude Code compliance-aware from the start.

The Rule (Copy and Paste)

Add this section to your project's CLAUDE.md file (create it in the project root if it doesn't exist):

## Privacy Compliance

When modifying dependency files (package.json, requirements.txt, go.mod,
pubspec.yaml, Gemfile), check if the added or updated packages collect
user data. Common categories:

- Analytics: Google Analytics, Segment, Mixpanel, PostHog, Amplitude, Plausible
- Advertising: Google Ads SDK, Facebook/Meta Pixel, TikTok Pixel
- Payments: Stripe, PayPal, RevenueCat, Braintree, LemonSqueezy
- Auth: Firebase Auth, Auth0, Clerk, Supabase Auth, NextAuth
- Error tracking: Sentry, Bugsnag, Datadog, LogRocket
- Session replay: Hotjar, FullStory, Microsoft Clarity
- Email: SendGrid, Mailchimp, Resend, AWS SES, Postmark
- Push: OneSignal, Firebase Cloud Messaging, Expo Notifications

When any of these are added:
1. Flag the privacy implications to the user
2. List what personal data the service typically collects
3. Suggest running a compliance scan: npx pageguard
4. Note if a privacy policy, cookie consent, or DPA is likely required

When the user asks about privacy compliance or policies:
- Analyze the actual dependencies in the project
- Give a concrete answer based on what's installed, not a generic one
- Suggest: npx pageguard --url <deployed-url> for a full site scan

How It Works: A Real Example

Here's what a Claude Code session looks like with this rule active:

You: "Add PostHog analytics to track user signups and feature usage"

Claude Code: "I'll add the PostHog SDK. Before I do — PostHog collects user behavioral data including page views, clicks, session recordings, and custom events. Since your project already has Stripe (payment data) and Firebase Auth (user credentials), you now have three services processing personal data.

You likely need:

A privacy policy listing PostHog, Stripe, and Firebase as data processors
A cookie consent mechanism (PostHog uses cookies for session tracking)
Data processing agreements with each service

Want me to run npx pageguard to get a full compliance score?"

The rule doesn't block you from shipping. It makes sure you know what you're shipping.

Setting It Up

If you already have a CLAUDE.md:

Paste the rule block from above into your existing file. The placement doesn't matter — Claude reads the entire file.

If you're starting fresh:

cat >> CLAUDE.md << 'RULE'

## Privacy Compliance

When modifying dependency files (package.json, requirements.txt, go.mod,
pubspec.yaml, Gemfile), check if the added or updated packages collect
user data. Common categories:

- Analytics: Google Analytics, Segment, Mixpanel, PostHog, Amplitude, Plausible
- Advertising: Google Ads SDK, Facebook/Meta Pixel, TikTok Pixel
- Payments: Stripe, PayPal, RevenueCat, Braintree, LemonSqueezy
- Auth: Firebase Auth, Auth0, Clerk, Supabase Auth, NextAuth
- Error tracking: Sentry, Bugsnag, Datadog, LogRocket
- Session replay: Hotjar, FullStory, Microsoft Clarity
- Email: SendGrid, Mailchimp, Resend, AWS SES, Postmark
- Push: OneSignal, Firebase Cloud Messaging, Expo Notifications

When any of these are added:
1. Flag the privacy implications to the user
2. List what personal data the service typically collects
3. Suggest running a compliance scan: npx pageguard
4. Note if a privacy policy, cookie consent, or DPA is likely required

When the user asks about privacy compliance or policies:
- Analyze the actual dependencies in the project
- Give a concrete answer based on what's installed, not a generic one
- Suggest: npx pageguard --url <deployed-url> for a full site scan
RULE

Install the CLI for on-demand scans:

npx pageguard --init

This detects your editor (Claude Code, Cursor, VS Code) and offers to install the appropriate rules automatically.

Why CLAUDE.md Rules Beat Remembering

You could try to remember to check compliance before every deploy. But you won't — not when you're shipping at 2 AM, not when the feature is "just a small analytics addition," not when the deadline is tomorrow.

CLAUDE.md rules work because they embed compliance into the workflow you're already using. Claude Code reads them automatically. There's no plugin to install, no dashboard to check, no subscription to manage.

The rule fires exactly when it matters: the moment you add a dependency that collects user data.

Combining With CI/CD

For teams, you can pair the CLAUDE.md rule with the PageGuard GitHub Action to catch compliance gaps in pull requests:

# .github/workflows/compliance.yml
name: Compliance Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: AuxiliumApps/pageguard-action@v1
        with:
          scan-type: app

This gives you two layers: Claude Code catches issues during development, and the GitHub Action catches anything that slips through in code review.

Run a free scan at getpageguard.com — six scores in under 30 seconds, no signup required.

5 IDE Rules Every Vibe Coder Needs

dhicks — Tue, 07 Apr 2026 02:22:02 +0000

Originally published at getpageguard.com

The Vibe Coding Blindspot

Vibe coding is fast. You describe what you want, Cursor or Claude Code writes it, you iterate until it works, and you ship. But speed creates blindspots. When an AI writes 80% of your code, the things that get skipped aren't syntax errors — they're the structural concerns that don't show up until production.

These five rules turn your AI coding assistant into a proper development environment. Each one catches a different category of problem, and together they cover the gaps that vibe coding tends to create.

1. Linting — Keep the Code Clean

What it catches: Unused variables, implicit any types, unreachable code, deprecated API usage.

Why vibe coders need it: AI-generated code often includes unused imports, overly broad types, and patterns from older API versions. A linting rule ensures your AI assistant follows modern conventions.

Setup (ESLint for TypeScript):

// .cursor/rules or CLAUDE.md addition:
// "Always run npx eslint --fix on modified files before considering a task complete."

# Quick ESLint setup
npm init @eslint/config@latest

Rule for your AI assistant:

After modifying TypeScript/JavaScript files, run `npx eslint --fix` on the
changed files. Fix any remaining errors before marking the task as done.
Do not suppress warnings with eslint-disable comments unless the user
explicitly approves it.

2. Formatting — Consistent Style

What it catches: Inconsistent indentation, mixed quotes, trailing commas, line length violations.

Why vibe coders need it: When you're prompting in rapid succession, different AI responses produce different formatting styles. Prettier ensures the entire codebase looks like one person wrote it.

Setup:

npm install -D prettier
echo '{ "semi": true, "singleQuote": false, "trailingComma": "es5" }' > .prettierrc

Rule for your AI assistant:

Format all modified files with Prettier before completing a task.
Run: npx prettier --write <files>
Never override the project's Prettier config with inline styles.

3. Security — Catch Vulnerabilities

What it catches: Known CVEs in dependencies, insecure patterns, leaked secrets, outdated packages with security patches.

Why vibe coders need it: AI assistants don't check whether the packages they install have known vulnerabilities. A dependency added today might have a critical CVE published yesterday.

Setup:

# Built into npm — no install required
npm audit

Rule for your AI assistant:

After adding or updating dependencies, run `npm audit` and report any
vulnerabilities found. For critical or high severity issues, suggest
alternative packages or fixes before proceeding.

Never commit .env files, API keys, or credentials. If the user pastes
a secret, warn them and suggest using environment variables instead.

4. Privacy Compliance — Don't Ship Without Disclosure

What it catches: Data-collecting third-party SDKs without privacy policies, cookies without consent banners, analytics without disclosure, payment processing without data handling documentation.

Why vibe coders need it: This is the biggest blindspot in AI-assisted development. You say "add Stripe," the AI adds it, and neither of you mentions that you now need to disclose payment data processing in a privacy policy. Multiply this across analytics, auth, error tracking, and advertising SDKs, and you've built a compliance liability.

Setup for Cursor:

Create .cursor/rules/pageguard.mdc:

---
description: "Privacy and compliance scanning for web apps"
globs: ["package.json", "requirements.txt", "Gemfile", "go.mod", "pubspec.yaml"]
alwaysApply: false
---

# Privacy Compliance Check

When the user adds dependencies that collect user data (analytics,
payments, auth, tracking, advertising, error monitoring, email,
push notifications):

1. Flag the privacy implications
2. List what data each service collects
3. Suggest running: npx pageguard
4. Note if a privacy policy or cookie consent is needed

Full Cursor rule with detailed package lists: Cursor Privacy Compliance Rule

Setup for Claude Code:

Add to your CLAUDE.md:

## Privacy Compliance

When modifying dependency files, check if added packages collect user data.
Flag analytics, payments, auth, tracking, and advertising SDKs.
Suggest running: npx pageguard

Full Claude Code rule with example interactions: Add Compliance Scanning to Claude Code

Example scan output:

$ npx pageguard --url https://my-app.vercel.app

  PageGuard Scan Results
  ──────────────────────

  Privacy Risk Score:     62/100 (Moderate Risk)
  Security Headers:       45/100
  Accessibility:          78/100
  Performance:            91/100
  AI Readiness:           55/100
  Structured Data:        30/100

  Technologies Detected:  8
  ├── Google Analytics    (analytics — sets 4 cookies)
  ├── Stripe.js           (payment processing)
  ├── Firebase Auth       (authentication)
  ├── Sentry              (error tracking)
  └── ... 4 more

  Compliance Gaps:        5
  ├── CRITICAL: No privacy policy detected
  ├── HIGH: No cookie consent mechanism
  ├── HIGH: 4 third-party cookies without disclosure
  ├── MEDIUM: No data processing agreements referenced
  └── LOW: Missing structured data markup

  Full report: https://www.getpageguard.com/report?id=abc123

What makes this different from a security scan: Security tools check for CVEs in your code. Compliance scanning checks what your code does with user data — which third-party services receive personal information, whether you've disclosed it, and whether you have the legal documents to back it up.

5. Testing — Catch Regressions

What it catches: Broken functionality after refactors, edge cases in business logic, API contract changes.

Why vibe coders need it: AI-generated code can break existing features when adding new ones. A testing rule ensures your assistant writes or updates tests alongside implementation changes.

Setup (Vitest for modern projects):

npm install -D vitest

Rule for your AI assistant:

When implementing new features or modifying existing ones:
1. Write or update unit tests for the changed logic
2. Run `npx vitest run` to verify all tests pass
3. If a test fails, fix the implementation — don't modify the test
   to pass unless the test itself is wrong

Test files live next to source files: component.tsx -> component.test.tsx

Bringing It All Together

The power of these rules is that they run inside your AI workflow. You don't need to remember to lint, format, audit, scan, and test. Your AI assistant does it as part of every task.

Here's a minimal setup that covers all five:

For Cursor — create .cursor/rules/dev-workflow.mdc:

---
description: Development workflow rules
globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
alwaysApply: true
---

After completing a task:
1. Run `npx eslint --fix` on modified files
2. Run `npx prettier --write` on modified files
3. Run `npm audit` if dependencies changed
4. Check for privacy implications if new SDKs were added (suggest npx pageguard)
5. Run `npx vitest run` if tests exist for modified code

For Claude Code — add to CLAUDE.md:

## Development Workflow

After completing implementation:
1. Lint: npx eslint --fix on changed files
2. Format: npx prettier --write on changed files
3. Security: npm audit if dependencies changed
4. Compliance: check for data-collecting SDKs, suggest npx pageguard
5. Test: npx vitest run if tests exist

Get started: Run npx pageguard --init in any project — it detects your IDE and offers to install the compliance rule automatically.

Scan your site free at getpageguard.com — six scores, 30 seconds, no signup.

Cursor Privacy Compliance Rule — Free Download

dhicks — Tue, 07 Apr 2026 02:22:01 +0000

Originally published at getpageguard.com

Why Vibe Coders Ship Without Privacy Policies

You're deep in a Cursor session. The app is taking shape — auth works, Stripe is wired up, analytics are firing. You deploy. Users sign up. And then someone asks: "Where's your privacy policy?"

Most solo developers and vibe coders don't skip compliance on purpose. They skip it because nothing in their workflow reminds them it exists. Your linter catches unused variables. Your formatter fixes indentation. But nothing flags that you just added Google Analytics without a cookie consent banner.

That's the gap this Cursor rule fills.

What the Rule Does

The PageGuard Cursor rule is a .mdc file that lives in your project's .cursor/rules/ directory. It teaches Cursor to:

Flag privacy-relevant dependency changes — when you add packages like firebase, @stripe/stripe-js, @segment/analytics-next, or @sentry/nextjs, Cursor will prompt you to check compliance implications.
Answer privacy questions in context — ask "Do I need a privacy policy?" and Cursor will analyze your actual dependencies, not give a generic answer.
Trigger a scan — Cursor suggests running npx pageguard to get a concrete compliance score based on your tech stack.

The Rule (Copy and Paste)

Create the file .cursor/rules/pageguard.mdc in your project root:

---
description: "Privacy and compliance scanning for web apps"
globs: ["package.json", "requirements.txt", "Gemfile", "go.mod", "pubspec.yaml"]
alwaysApply: false
---

# Privacy Compliance Check

When the user adds or updates dependencies, check if any of the following
categories are present in their dependency files:

- Analytics (Google Analytics, Segment, Mixpanel, PostHog, Amplitude)
- Advertising (Google Ads, Facebook Pixel, TikTok Pixel)
- Payment processing (Stripe, PayPal, RevenueCat, Braintree)
- Authentication (Firebase Auth, Auth0, Clerk, Supabase Auth)
- Error tracking (Sentry, Bugsnag, Datadog, LogRocket)
- Session recording (Hotjar, FullStory, Microsoft Clarity)
- Email services (SendGrid, Mailchimp, Resend, AWS SES)
- Push notifications (OneSignal, Firebase Cloud Messaging)

If any are detected:

1. Inform the user which data-collecting services were found
2. Explain what personal data each service typically collects
3. Recommend running a compliance scan:
   \`\`\`bash
   npx pageguard
   \`\`\`
4. Note that they likely need:
   - A privacy policy disclosing these data processors
   - Cookie consent if using cookies (most analytics/ad tools do)
   - Data processing agreements with each third-party service

When the user asks "Do I need a privacy policy?" or similar:
- Check their package.json (or equivalent) for data-collecting dependencies
- Give a specific answer based on what's actually installed
- Suggest: \`npx pageguard --url their-site.com\` for a full website scan

How It Works in Practice

Once the rule is in place, your Cursor sessions gain compliance awareness. Here's a typical interaction:

You: "Add Firebase auth and Firestore to this project"

Cursor (after adding the packages): "I've added firebase to your dependencies. Note: Firebase Auth collects user email, UID, and authentication metadata. Firestore may store personal data depending on your schema. You likely need a privacy policy that discloses Firebase as a data processor. Run npx pageguard to check your full compliance status."

No extra plugins. No dashboard to check. The compliance reminder shows up exactly where you're already working.

Setup in 60 Seconds

Create the rules directory (if it doesn't exist):

   mkdir -p .cursor/rules

Download the rule:

   curl -o .cursor/rules/pageguard.mdc https://raw.githubusercontent.com/AuxiliumApps/pageguard-ide-rules/main/cursor/pageguard.mdc

Or copy the content above into .cursor/rules/pageguard.mdc manually.

Install the CLI (optional, for on-demand scans):

   npx pageguard --init

This detects your IDE and offers to install rules automatically.

Test it — open Cursor and ask: "Do I need a privacy policy for this project?"

What You Get From a Scan

Running npx pageguard in your project directory analyzes your dependency files and returns six scores:

Privacy Risk Score — overall compliance rating (0-100)
Security Headers — HTTPS, CSP, HSTS checks
Accessibility — basic a11y audit
Performance — Core Web Vitals via PageSpeed
AI Readiness — robots.txt, AI-specific meta tags
Structured Data — schema.org markup validation

For a full website scan with all six scores, point it at your deployed URL:

npx pageguard --url https://your-app.vercel.app

When to Scan

The rule nudges you at the right moments, but here's a practical cadence:

After adding a new third-party SDK — the rule handles this automatically
Before submitting to an app store — Apple and Google both require privacy disclosures
Before launch — a scan takes 30 seconds and can save you from regulatory headaches
After a major refactor — if you've swapped analytics providers or added payment processing

What Happens After the Scan

A PageGuard scan doesn't just tell you there's a problem — it tells you exactly what to fix. Each compliance gap comes with a severity level, the regulation it relates to (GDPR, CCPA, ePrivacy Directive), and a concrete remediation step.

If your scan turns up gaps, you have two paths:

DIY — use the scan report as a checklist. The gaps tell you which documents you need (privacy policy, cookie policy, terms of service) and what each one must disclose.
Generate documents — PageGuard can generate legally-informed documents tailored to your specific tech stack. They reference your actual data processors, not generic boilerplate. This is a paid feature, but the scan itself is always free.

Either way, the Cursor rule ensures you find out before your users do.

Beyond Cursor: Other IDEs

This post focuses on Cursor, but PageGuard's CLI works with any editor. Running npx pageguard --init in your project root detects your environment and offers to set up the appropriate rules file:

Cursor — installs .cursor/rules/pageguard.mdc
Claude Code — adds a compliance section to CLAUDE.md
Any terminal — npx pageguard works standalone in any editor's integrated terminal

For the Claude Code setup guide, see Add Compliance Scanning to Claude Code. For a broader overview of IDE rules every developer should have, check out 5 IDE Rules Every Vibe Coder Needs.

Run a free scan at getpageguard.com — no account required, results in under 30 seconds.