Conversation
Add plain-english.json with human-readable descriptions and why_it_matters for all HIPAA-mapped NIST controls. New /comply-explain skill looks up any control by ID, CFR section, or keyword. Enriches comply-db control --json with plain English context. Updates comply-assess and comply-auto to show why_it_matters during interviews. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR adds plain-English explanations for all 59 HIPAA-mapped NIST 800-53 controls and surfaces them through a new Key changes:
Confidence Score: 4/5Safe to merge after addressing the git-failure silent-pass in comply-check; existing functionality is not regressed One P1 finding remains: the new comply-check CI gate exits 0 when bin/comply-check — the git exit-code check (P1) and optional refactor of loadCodeChecks (P2) Important Files Changed
Sequence DiagramsequenceDiagram
actor User
participant Skill as /comply-explain skill
participant DB as comply-db control --json
participant PE as nist/plain-english.json
participant NIST as NIST catalog
participant TB as nist/tool-bindings.json
participant HF as nist/hipaa-filter.json
participant SQLite as SQLite DB
User->>Skill: /comply-explain SC-28 (or CFR or keyword)
Skill->>DB: comply-db control SC-28 --json
DB->>NIST: findControlInCatalog(SC-28)
NIST-->>DB: control prose, guidance, related links
DB->>PE: loadPlainEnglish(SC-28)
PE-->>DB: plain_english, why_it_matters
DB->>HF: reverse-map SC-28 → CFR sections
HF-->>DB: [164.312(a)(2)(iv)]
DB->>TB: normalizeVerification(SC-28)
TB-->>DB: tools, checks, interview_only
DB->>SQLite: status, evidence_count, vendor_registry
SQLite-->>DB: status=pending, evidenceCount=0
DB-->>Skill: enriched JSON payload
Skill-->>User: plain-English explanation + stack context + sources
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| const jsonMode = args.includes('--json'); | ||
| const simpleMode = args.includes('--simple'); | ||
|
|
||
| // CFR resolution: if input looks like a HIPAA CFR section, resolve to NIST control IDs | ||
| let controlIds: string[]; | ||
| let resolvedFrom: string | null = null; | ||
| if (isCFRSection(inputId)) { | ||
| controlIds = resolveFromCFR(inputId); | ||
| if (controlIds.length === 0) { | ||
| console.error(`CFR section ${inputId} not found in hipaa-filter.json.`); | ||
| process.exit(1); | ||
| } | ||
| resolvedFrom = inputId; | ||
| } else { | ||
| controlIds = [inputId]; | ||
| } | ||
|
|
||
| const db = openDb(); | ||
| // If multiple controls resolved from CFR, output each | ||
| if (jsonMode && controlIds.length > 1) { | ||
| const results = controlIds.map(id => buildControlData(id, resolvedFrom, simpleMode)); | ||
| console.log(JSON.stringify(results, null, 2)); | ||
| return; | ||
| } | ||
|
|
||
| // Single control (or first from CFR resolution for text mode) | ||
| const oscalId = controlIds[0]; |
There was a problem hiding this comment.
buildControlData silently returns null plain-English fields for non-HIPAA controls
loadPlainEnglish only covers the 59 HIPAA-mapped controls defined in nist/plain-english.json. When --json is used with any non-HIPAA control (e.g., from a SOC 2 or ISO 27001 project), pe is null and both plain_english and why_it_matters are null in the output — with no indication to the caller that the data simply doesn't exist for this framework.
The _sources.plain_english field already captures 'not_found', but the comply-explain skill doc tells users to call comply-db control <ID> --json for any control, implying coverage is complete. Consider adding a plain_english_coverage note in the output (e.g., 'hipaa_only') so consumers of the JSON can distinguish "no data" from "data not available for this framework."
Fix journey skip/complete identical status, normalize control ID casing, error on invalid ID in --json mode, extract findControlInCatalog helper (DRY), merge dual DB connections, reject unknown config keys, split getDbPath read/write, revert premature comply-auto deprecation, add journey + config + invalid-ID tests, fix skill counts to 14, add plain-english.test.ts to test script. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…w skills - /comply v3.0: rewritten as journey engine with persona detection, Framework Advisor (3 questions), milestone routing, and persona-aware recommendations for founders, engineers, and compliance officers - bin/comply-check: new PR gate CLI that checks diffs for PHI patterns, sensitive data, removed security controls, and BAA-requiring dependencies - nist/baa-vendors.json: curated list of 13 services requiring BAAs - /comply-policy: new skill for generating personalized policy documents - /comply-deal: new skill for answering prospect security questionnaires - /soc2 v3.0: 3 domain-specific questions (trust criteria, audit type, driver) - /gdpr v3.0: 4 domain-specific questions (role, locations, lawful basis, DPO) - /pci-dss v3.0: 3 domain-specific questions (card handling, CDE scope, SAQ) - /comply-auto v3.0: deprecated, points to /comply Autopilot mode - Updated all comply-auto references across skill templates - Tests updated: 14 → 16 skills (added comply-deal, comply-policy) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 participant
Summary
nist/plain-english.jsonwith human-readable descriptions andwhy_it_mattersfor all HIPAA-mapped NIST controls/comply-explainskill: look up any control by NIST ID, HIPAA CFR section, or keywordcomply-db control --jsonoutput with plain English context, verification info, and related controls/comply-assessand/comply-autoto showwhy_it_mattersduring interviewsTest plan
bun test test/plain-english.test.tsbun test test/bin-smoke.test.tsbun test test/architecture.test.tsbun test test/skill-validation.test.tsbin/comply-db control SC-28 --jsonreturns plain_english and why_it_matters fields🤖 Generated with Claude Code