Regulatory Guardrail Checker

When to invoke

• "Run compliance review on this PRD."
• "Does this feature touch PHI / PII?"
• "What guardrails do we need before launching in EU?"

Inputs needed

1. Spec text — PRD or design doc (file or stdin).
2. Regimes to check — default: GDPR, CCPA, SOC2; opt-in: HIPAA, PCI, WCAG.
3. Geographies / industries (optional).

Workflow

1. Extract signals from the spec: data types, third parties, user controls, retention, automation/AI use.
2. Map signals to regime obligations (lawful basis, DSR, BAAs, encryption, audit logging).
3. Score risk — High / Medium / Low per regime.
4. Output a risk register + required-controls checklist with owners.