
feat: founder onramp — comply-start #43

Merged: aanishs merged 3 commits into main from feat/founder-onramp on Apr 6, 2026

Conversation

aanishs (Owner) commented Apr 4, 2026

Summary

  • New bin/comply-start binary: detects tech stack, runs 9-question founder interview, generates startup compliance report
  • Writes PHI data flows and vendor registry to SQLite
  • Updates /hipaa skill to route first-time users through the onramp flow instead of jumping straight to controls

Test plan

  • bun test test/comply-start.test.ts
  • Run /hipaa on a fresh project — should trigger onramp
  • Run /hipaa on existing project — should show returning user flow
  • bin/comply-start scan detects technologies from package.json

🤖 Generated with Claude Code

…view

New comply-start binary: detects tech stack from project files, runs a
9-question founder interview, writes PHI data flows and vendor registry
to SQLite, and generates a startup compliance report. Updates /hipaa
skill to route first-time users through the onramp flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
greptile-apps (Bot) commented Apr 4, 2026

Greptile Summary

This PR introduces the comply-start binary and updates the /hipaa skill to provide a guided founder onramp for first-time users. The binary implements three subcommands — scan (detects technologies from package.json, Terraform, .env, Dockerfile, Compose, requirements.txt, go.mod, and Gemfile), apply (persists founder interview answers to SQLite as PHI flow maps, vendor registry, and prioritized action items), and report (generates a structured compliance report from the DB).

The previous review cycle's major findings have all been resolved:

  • phi_data_flows, vendor_registry, and action_items tables are now created via CREATE TABLE IF NOT EXISTS inside apply() before the transaction runs, eliminating the "no such table" crash
  • The top_5_blockers filter now uses !a.status || a.status === 'pending' and the schema declares status TEXT DEFAULT 'pending', fixing the always-empty blockers list
  • The apply test suite now makes unconditional assertions (removing the no-op if (exitCode === 0) wrappers)
  • The /tmp path is now randomised via mktemp /tmp/hipaa-onramp-answers-XXXXXX.json, eliminating the concurrency collision risk
  • The missing nist/plain-english.json is handled gracefully — translateControl() silently falls back to raw control IDs without printing a warning

One minor issue remains: the report subcommand test at line 363 still wraps all assertions in if (exitCode === 0), which is trivially true because report() creates the database on demand and catches all missing-table errors internally.

Confidence Score: 4/5

Safe to merge after the report test guard is removed; all prior P1 issues from the previous review cycle have been resolved

The three P1 issues from the previous review (missing table creation, always-empty blockers, tautological apply tests) are fully addressed. The one remaining finding — the if (exitCode === 0) wrapper in the report test — is P2: it is misleading but does not produce false CI passes because report() always exits 0 and the assertions still execute. Score 4 rather than 5 reflects this open item.

test/comply-start.test.ts lines 360–373 — the conditional guard in the report test should be removed to match the unconditional pattern now used in all apply tests

Important Files Changed

  • bin/comply-start: New 770-line binary implementing scan/apply/report; all prior issues (missing table creation, null-status filter, test tautologies) have been addressed in this revision
  • test/comply-start.test.ts: New test suite with solid scan coverage and fixed unconditional apply assertions; report test still wraps assertions in a trivially-true if-guard
  • skills/hipaa/SKILL.md: Updated to v3.0 with full first-time onramp flow; uses mktemp for a unique per-session temp file path, resolving the prior concurrency concern
  • skills/hipaa/SKILL.md.tmpl: Template source for SKILL.md; mirrors the same onramp changes and is in sync with the generated file
  • package.json: Adds comply-start.test.ts to the default test suite so the new binary is covered by CI

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([User runs /hipaa]) --> B[Step 1: comply-db summary]
    B --> C{DB exists with controls?}
    C -- No: first-time --> D[Step 2: comply-start scan]
    D --> E[Present detected technologies]
    E --> F[AskUserQuestion: confirm stack]
    F --> G[Step 3: 9-question interview\none question at a time]
    G --> H{Q9: B2B2C?}
    H -- Yes --> I[Q9a–d: covered entities,\nsubcontractors, breach,\nBAA templates]
    H -- No --> J[Step 4: Build answers JSON]
    I --> J
    J --> K[comply-start apply --answers file]
    K --> L[CREATE TABLE IF NOT EXISTS\nphi_data_flows / vendor_registry / action_items]
    L --> M[Transaction: DELETE existing rows]
    M --> N[INSERT phi_data_flows\nINSERT vendor_registry\nINSERT action_items]
    N --> O[comply-start report]
    O --> P[Present PHI Flow Map,\nVendor Inventory,\nTop 5 Blockers,\n30-Day Action Plan]
    P --> Q[rm temp answers file]
    C -- Yes: returning user --> R[Step 5: comply-db init + status]
    R --> S[Step 6: Recommend next step\nauto / assess / scan / fix / report]
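The two fixes the review above credits, creating the three tables on demand inside apply() before a single transaction that clears and re-inserts rows (so a re-run cannot duplicate them), and a blockers filter that treats a NULL status as pending, as an added Python example. This is not the project's Bun/TypeScript code; the column layouts, the sample answers, and the top_blockers_strict helper that shows the pre-fix behaviour are constructed for illustration.

```python
import sqlite3

# Constructed sample interview answers; the real comply-start builds this
# structure from the 9-question founder interview.
SAMPLE_ANSWERS = {
    "phi_flows": [
        ("patient intake form", "postgres (aws rds)"),
        ("postgres (aws rds)", "analytics warehouse"),
    ],
    "vendors": [
        ("aws", 1),        # (vendor, baa_signed)
        ("sendgrid", 0),
    ],
    "action_items": [
        (1, "Sign BAA with sendgrid", "pending"),      # (priority, title, status)
        (2, "Enable encryption at rest on RDS", "pending"),
        (3, "Document PHI retention policy", "done"),
    ],
}

# Hypothetical schema. CREATE TABLE IF NOT EXISTS makes apply() safe on a DB
# that comply-db init never gave these tables; status defaults to 'pending'.
SCHEMA = """
CREATE TABLE IF NOT EXISTS phi_data_flows (
    id INTEGER PRIMARY KEY, source TEXT NOT NULL, destination TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS vendor_registry (
    id INTEGER PRIMARY KEY, vendor TEXT NOT NULL, baa_signed INTEGER NOT NULL DEFAULT 0);
CREATE TABLE IF NOT EXISTS action_items (
    id INTEGER PRIMARY KEY, priority INTEGER NOT NULL, title TEXT NOT NULL,
    status TEXT DEFAULT 'pending');
"""


def apply(conn, answers):
    """Persist interview answers; idempotent across re-runs."""
    conn.executescript(SCHEMA)          # tables exist before the transaction
    with conn:                          # commit on success, rollback on error
        conn.execute("DELETE FROM phi_data_flows")
        conn.execute("DELETE FROM vendor_registry")
        conn.execute("DELETE FROM action_items")
        conn.executemany(
            "INSERT INTO phi_data_flows (source, destination) VALUES (?, ?)",
            answers["phi_flows"])
        conn.executemany(
            "INSERT INTO vendor_registry (vendor, baa_signed) VALUES (?, ?)",
            answers["vendors"])
        conn.executemany(
            "INSERT INTO action_items (priority, title, status) VALUES (?, ?, ?)",
            answers["action_items"])


def row_count(conn, table):
    # Table names come from a fixed tuple below, never from user input.
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def top_blockers(conn, limit=5):
    """Fixed filter: NULL status (rows written before the DEFAULT) counts as pending."""
    rows = conn.execute(
        "SELECT title FROM action_items "
        "WHERE status IS NULL OR status = 'pending' "
        "ORDER BY priority LIMIT ?", (limit,)).fetchall()
    return [r[0] for r in rows]


def top_blockers_strict(conn, limit=5):
    """Pre-fix filter for comparison: silently drops rows with NULL status."""
    rows = conn.execute(
        "SELECT title FROM action_items WHERE status = 'pending' "
        "ORDER BY priority LIMIT ?", (limit,)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    apply(conn, SAMPLE_ANSWERS)
    apply(conn, SAMPLE_ANSWERS)   # retry: row counts must not grow
    counts = {t: row_count(conn, t)
              for t in ("phi_data_flows", "vendor_registry", "action_items")}
    # Simulate a legacy row inserted before the DEFAULT 'pending' existed.
    conn.execute("INSERT INTO action_items (priority, title, status) "
                 "VALUES (0, 'Legacy item with NULL status', NULL)")
    conn.commit()
    return {
        "counts": counts,
        "blockers_fixed": top_blockers(conn),
        "blockers_strict": top_blockers_strict(conn),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two properties a reviewer would check: the counts stay at 2/2/3 after the second apply(), and the legacy NULL-status row appears only in the fixed blockers list, which is exactly the case that made the original top_5_blockers come back empty.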
aanishs and others added 2 commits April 5, 2026 23:35
…tests, tmp path

- P0: Add CREATE TABLE IF NOT EXISTS for phi_data_flows, vendor_registry,
  action_items in apply() — these tables were never created by comply-db init
- P1: Fix top_5_blockers filter to handle null status column
- P1: Replace tautological test assertions with unconditional expects
- P2: Remove noisy stderr warning for missing plain-english.json
- P2: Use mktemp for answers file instead of hardcoded /tmp path
- Add test/comply-start.test.ts to package.json test script

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Clear phi_data_flows, vendor_registry, action_items before re-inserting
  so retry/re-run doesn't accumulate duplicate rows
- Remove firebase-admin from gcp vendor patterns (already in firebase)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@aanishs aanishs merged commit fa57f88 into main Apr 6, 2026
2 checks passed
