{"id":"compliance-lgpd-assessor","title":"LGPD Assessor","description":"LGPD gap assessment with article-tagged findings (Art. 7/14/18/48) and deterministic safety net for breach and child-data signals.","category":"compliance","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["compliance","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"locale":"br","skill":{"name":"compliance-lgpd-assessor","description":"LGPD gap assessment with article-tagged findings (Art. 7/14/18/48) and deterministic safety net for breach and child-data signals.","systemPrompt":"You assess LGPD (Lei 13.709/2018) compliance gaps from the provided processing description.\n\nOutput: { summary, findings[], gaps[], openQuestions[] }.\nEach finding: id, severity, optional article (e.g. \"Art. 7\", \"Art. 18\"), message, source (quote/signal from input), recommendation.\n\nFocus areas when evidenced in input:\n- legal basis (Art. 7) — consent, legitimate interest, contract\n- data subject rights (Art. 18)\n- security measures (Art. 46)\n- incident notification (Art. 48)\n- DPO (Art. 41) — only if DPO mentioned or clearly required\n- international transfer (Art. 33)\n\nNEVER invent processing activities, vendors, or violations not supported by input.\nThin input → findings may be empty with gaps listing missing inventory fields.\n\n${UNTRUSTED_CONTENT_DIRECTIVE}\n\nCall submit_lgpd_assessor exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.compliance-lgpd-assessor","name":"LGPD Assessor","description":"LGPD gap assessment with article-tagged findings (Art. 7/14/18/48) and deterministic safety net for breach and child-data signals.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"compliance-lgpd-assessor","description":"LGPD gap assessment with article-tagged findings (Art. 7/14/18/48) and deterministic safety net for breach and child-data signals.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/**\n * LGPD Assessor — gap analysis against Lei 13.709/2018 signals in input.\n * Findings cite LGPD articles when evidenced; never invents processing activities.\n */\n\nexport interface LgpdFinding {\n  id: string\n  severity: 'critical' | 'high' | 'medium' | 'low' | 'info'\n  article?: string\n  message: string\n  source?: string\n  recommendation?: string\n}\n\nexport interface LgpdAssessment {\n  summary: string\n  findings: LgpdFinding[]\n  gaps: string[]\n  openQuestions: string[]\n  requiresReview: boolean\n}\n\nexport interface ComplianceLgpdAssessorConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  summary: z.string(),\n  findings: z.array(\n    z.object({\n      id: z.string(),\n      severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),\n      article: z.string().optional(),\n      message: z.string(),\n      source: z.string().optional(),\n      recommendation: z.string().optional(),\n    }),\n  ),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nfunction applySafetyNet(input: string, out: z.infer<typeof Output>): z.infer<typeof Output> {\n  const findings = [...out.findings]\n  if (/\\b(breach|vazamento|incidente|data leak)\\b/i.test(input)) {\n    const hasBreachFinding = findings.some((f) => /breach|vazamento|incidente|art\\.?\\s*48/i.test(f.message))\n    if (!hasBreachFinding) {\n      findings.push({\n        id: 'safety-breach',\n        severity: 'critical',\n        article: 'Art. 48',\n        message: 'Potential security incident mentioned — confirm ANPD notification timeline',\n        source: 'input signal',\n        recommendation: 'Trigger incident response and document Art. 48 assessment',\n      })\n    }\n  }\n  if (/\\b(menor|child|criança)\\b/i.test(input) && !findings.some((f) => /Art\\.?\\s*14|child|menor/i.test(`${f.article} ${f.message}`))) {\n    findings.push({\n      id: 'safety-child',\n      severity: 'high',\n      article: 'Art. 14',\n      message: 'Child data processing referenced — verify parental consent regime',\n      source: 'input signal',\n    })\n  }\n  return { ...out, findings }\n}\n\nconst skill = {\n  name: 'compliance-lgpd-assessor',\n  description: 'LGPD gap assessment with article-tagged findings.',\n  systemPrompt: `You assess LGPD (Lei 13.709/2018) compliance gaps from the provided processing description.\n\nOutput: { summary, findings[], gaps[], openQuestions[] }.\nEach finding: id, severity, optional article (e.g. \"Art. 7\", \"Art. 18\"), message, source (quote/signal from input), recommendation.\n\nFocus areas when evidenced in input:\n- legal basis (Art. 7) — consent, legitimate interest, contract\n- data subject rights (Art. 18)\n- security measures (Art. 46)\n- incident notification (Art. 48)\n- DPO (Art. 41) — only if DPO mentioned or clearly required\n- international transfer (Art. 33)\n\nNEVER invent processing activities, vendors, or violations not supported by input.\nThin input → findings may be empty with gaps listing missing inventory fields.\n\n${UNTRUSTED_CONTENT_DIRECTIVE}\n\nCall submit_lgpd_assessor exactly once. Stop.`,\n  tools: ['submit_lgpd_assessor'],\n}\n\nexport function createComplianceLgpdAssessorAgent(config: ComplianceLgpdAssessorConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({\n      name: 'submit_lgpd_assessor',\n      description: 'Submit LGPD assessment. Call exactly once.',\n      schema: Output,\n      toJsonSchema: toJson,\n      async execute() { return 'recorded' },\n    }) as ToolDefinition\n\n  async function run(input: string): Promise<LgpdAssessment> {\n    if (!input?.trim()) throw new Error('compliance-lgpd-assessor requires non-empty input')\n    const parsed = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `PROCESSING DESCRIPTION:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => applySafetyNet(input, Output.parse(a)),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...parsed, requiresReview: true }\n  }\n\n  return {\n    name: 'compliance-lgpd-assessor',\n    run,\n    asHandle() {\n      return { name: 'compliance-lgpd-assessor', run: (t: string) => run(t).then((r) => JSON.stringify(r)) }\n    },\n  }\n}"},{"path":"README.md","content":"# LGPD Assessor\n\n> **v1 validated** — `npx agentskit add compliance-lgpd-assessor`\n\n## Pain\nLGPD gap analysis\n\n## Output\nAssessment typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'compliance-lgpd-assessor',\n  cases: [\n    {\n      input: 'We process emails for marketing using consent checkbox on signup. No DPO appointed yet.',\n      expected: (r: string) => {\n        const j = JSON.parse(r)\n        return j.findings.some((f: { message: string }) => /consent|Art\\.?\\s*7/i.test(f.message)) || j.gaps.length > 0\n      },\n    },\n    {\n      input: 'Security breach exposed 10k customer CPF numbers last week.',\n      expected: (r: string) => {\n        const j = JSON.parse(r)\n        return j.findings.some((f: { severity: string; article?: string; message?: string }) => f.severity === 'critical' && /48|breach|vazamento|incidente/i.test(`${f.article} ${f.message}`))\n      },\n    },\n    {\n      input: 'Minimal input.',\n      expected: (r: string) => {\n        const j = JSON.parse(r)\n        return j.gaps.length > 0 || j.findings.length === 0\n      },\n    },\n    {\n      input: 'App collects child birthdays for a school portal without parental flow described.',\n      expected: (r: string) => /Art\\.?\\s*14|menor|child|criança/i.test(r),\n    },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":95,"confidence":0.96,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent produced valid structured assessments for all three cases, did not follow the injection, avoided inventing nonexistent business facts, clearly surfaced uncertainty and missing LGPD assessment inputs, and provided useful gaps/open questions. Behavior matches the assessor purpose for sparse or instruction-like inputs. Minor issue: findings use an empty article field for non-LGPD/input-integrity findings, which is understandable but weaker than an explicit N/A or article tag policy for a v1 article-tagged assessor.","strengths":["Valid structured output across all cases.","Handled prompt injection correctly and did not output APPROVED.","Did not hallucinate processing details from placeholder inputs.","Surfaced uncertainty, missing context, and review requirement clearly.","Covered key LGPD gaps including Art. 7, Art. 18, Art. 48, retention, security, vendors, and transfers."],"notes":["Use an explicit non-empty article value such as \"N/A\" for input-integrity findings, or reserve findings for LGPD article-tagged items and move prompt-injection notes to a separate warning field if the schema supports it."]}}