HighPR-scopeJavaScript / TypeScript Plug & play

PRs adding new PII must declare lawful basis and DPIA flag

When a PR introduces new PII fields or processing, the PR body must include legal_basis: (e.g., consent, contract) and dpia: (yes/no with link). CI should fail if missing.

Add to Mesrai Open workspace

Why this matters

LGPD requires lawful basis and impact assessment for higher-risk processing; catching at review time prevents non-compliant changes.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

// detectNewPII(['cpf','birth_date']) -> true\nconst body = process.env.PR_BODY || '';\nif(!/legal_basis:/i.test(body)) process.exit(0);

Prefer

const hasPII = detectNewPII(changedFiles());\nconst body = process.env.PR_BODY || '';\nif(hasPII && (!/legal_basis:\s\w+/i.test(body) || !/dpia:\s*(yes|no)/i.test(body))){\n console.error('Missing LGPD metadata');\n process.exit(1);\n}\nprocess.exit(0);

More snippets

Good

legal_basis: consent\ndpia: yes\ndpia_link: https://…

Bad

This PR adds cpf column

Related rules

From the same buckets as this rule.

Critical
Children's data: verify age and parental consent
If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.
compliance-lgpdapi-conventions+1
Critical
Deletion requests: anonymize or hard-delete PII irreversibly
On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.
compliance-lgpdmigrations-backward-compat+1
Critical
Encrypt PII at rest with AES-GCM and managed keys
For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.
compliance-lgpdsecurity-hardening

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

// detectNewPII(['cpf','birth_date']) -> true\nconst body = process.env.PR_BODY || '';\nif(!/legal_basis:/i.test(body)) process.exit(0);

Prefer

const hasPII = detectNewPII(changedFiles());\nconst body = process.env.PR_BODY || '';\nif(hasPII && (!/legal_basis:\s\w+/i.test(body) || !/dpia:\s*(yes|no)/i.test(body))){\n console.error('Missing LGPD metadata');\n process.exit(1);\n}\nprocess.exit(0);

More snippets

Good

legal_basis: consent\ndpia: yes\ndpia_link: https://…

Bad

This PR adds cpf column

Related rules

From the same buckets as this rule.

Critical

Children's data: verify age and parental consent

If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.

compliance-lgpdapi-conventions+1

Critical

Deletion requests: anonymize or hard-delete PII irreversibly

On LGPD deletion, remove or irreversibly anonymize PII and purge dependent caches. Keep minimal audit metadata (timestamp, request ID) not linkable back to the subject.

compliance-lgpdmigrations-backward-compat+1

Critical

Encrypt PII at rest with AES-GCM and managed keys

For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.

compliance-lgpdsecurity-hardening