legal
1
总安装量
1
周安装量
#51264
全站排名
安装命令
npx skills add https://github.com/howells/arc --skill legal
Agent 安装分布
cline
1
opencode
1
codex
1
claude-code
1
gemini-cli
1
Skill 文档
<progress_context>
Use Read tool: docs/progress.md (first 50 lines)
Check for recent feature work that might affect data collection scope. </progress_context>
Legal Pages Workflow
Generate comprehensive legal pages (Privacy Policy, Terms of Service, Cookie Policy) through a guided, interactive process. Combines automatic project detection with user questions to create tailored documents.
These are starting points that MUST be reviewed by a qualified lawyer before publishing.
Process Overview
Step 1: Disclaimer & Scope â Set expectations
Step 2: Project Detection â Scan codebase for data collection
Step 3: Guided Questions â Interactive Q&A to fill gaps (5 rounds)
Step 4: Generate Documents â Create tailored legal pages
Step 5: Implementation â Add to project with proper routing
Step 6: Next Steps â Cookie consent, lawyer review, etc.
Step 1: Disclaimer & Scope
Always start with this disclaimer:
â ï¸ Important: These are template documents, not legal advice.
I’ll generate comprehensive legal pages based on your project and answers, but:
- I am not a lawyer and this is not legal advice
- These templates should be reviewed by a qualified attorney
- Laws vary by jurisdiction and change frequently
- Regulated industries (healthcare, finance, children) have special requirements
These documents will give you a solid starting point that covers common requirements under GDPR, CCPA, and general best practices.
Ask: “Do you want to proceed with generating legal pages for this project?”
Step 2: Project Detection
Perform comprehensive codebase scan for data collection signals.
Detection Checklist
Search for and report on:
AUTHENTICATION
âââ next-auth / NextAuth.js â OAuth providers, session strategy
âââ clerk â User profiles, organizations
âââ supabase auth â Email, OAuth, phone auth
âââ firebase auth â Multiple auth methods
âââ lucia â Session-based auth
âââ auth0 â Enterprise SSO, social login
âââ passport.js â Strategy-based auth
âââ Custom auth â JWT, session cookies
ANALYTICS & TRACKING
âââ Google Analytics (gtag, GA4)
â âââ Cookies: _ga (2 years), _gid (24h), _gat (1 min)
âââ Google Tag Manager â Container for multiple tags
âââ Plausible â Privacy-focused, no cookies
âââ Fathom â Privacy-focused, no cookies
âââ PostHog â Product analytics, session recording
âââ Mixpanel â Event tracking, user profiles
âââ Amplitude â Product analytics
âââ Heap â Auto-capture analytics
âââ Hotjar/FullStory â Session recording, heatmaps
âââ Vercel Analytics â Privacy-focused, no cookies
âââ Segment â Customer data platform
PAYMENTS & BILLING
âââ Stripe
â âââ You store: customer_id, subscription status
â âââ Stripe stores: payment methods, card details
â âââ Cookies: __stripe_mid, __stripe_sid
âââ Paddle â Merchant of record model
âââ LemonSqueezy â Merchant of record model
âââ PayPal â Payment processor
âââ Custom billing â Invoice data, payment history
EMAIL SERVICES
âââ Resend â Transactional email
âââ SendGrid â Email delivery
âââ Postmark â Transactional email
âââ Mailchimp/ConvertKit â Marketing email, subscriber lists
âââ Customer.io â Marketing automation
âââ AWS SES â Email infrastructure
ERROR TRACKING & MONITORING
âââ Sentry â Error tracking, may capture user context
âââ LogRocket â Session replay, error tracking
âââ Bugsnag â Error monitoring
âââ Datadog â APM, logging, traces
âââ New Relic â Application monitoring
CUSTOMER SUPPORT
âââ Intercom â Chat, user data, conversation history
âââ Crisp â Live chat
âââ Zendesk â Support tickets
âââ HelpScout â Customer support
âââ Freshdesk â Support platform
DATABASE & STORAGE
âââ PostgreSQL/MySQL â User data storage
âââ MongoDB â Document storage
âââ Prisma â ORM (check schema for PII)
âââ Drizzle â ORM
âââ Supabase â Database + auth + storage
âââ PlanetScale â MySQL platform
âââ Neon â Serverless Postgres
âââ Cloudinary â Image/video storage
âââ Uploadthing â File uploads
âââ AWS S3 â Object storage
âââ Vercel Blob â File storage
HOSTING & INFRASTRUCTURE
âââ Vercel â Logs IP addresses, request data
âââ Netlify â Similar logging
âââ AWS â CloudFront logs, ALB logs
âââ Cloudflare â CDN, may set cookies
âââ Railway/Render â Platform logs
MARKETING & ADS
âââ Facebook Pixel â Conversion tracking
â âââ Cookies: _fbp, fr
âââ Google Ads â Conversion tracking
â âââ Cookies: _gcl_au, _gcl_aw
âââ LinkedIn Insight Tag â B2B tracking
âââ Twitter/X Pixel â Conversion tracking
âââ TikTok Pixel â Conversion tracking
âââ Pinterest Tag â Conversion tracking
CMS & CONTENT
âââ Sanity â Content management
âââ Contentful â Headless CMS
âââ Payload â Headless CMS
âââ Strapi â Headless CMS
âââ WordPress API â Content source
FORMS & DATA COLLECTION
âââ Contact forms â Name, email, message
âââ Newsletter signup â Email address
âââ User profiles â Various PII
âââ File uploads â User-generated content
âââ Surveys/feedback â User responses
âââ Job applications â Resumes, personal info
Detection Output Format
Present findings to user:
## ð Data Collection Detection Results
### Authentication
**Detected:** NextAuth.js with Google and GitHub OAuth
- **Data collected:** Email, name, profile picture from OAuth providers
- **Data stored:** User record in database, session cookie
- **Session strategy:** JWT / Database sessions
### Analytics
**Detected:** Google Analytics 4
- **Data collected:** Page views, events, device info, IP address
- **Cookies set:**
| Cookie | Purpose | Duration | Type |
|--------|---------|----------|------|
| _ga | Distinguishes users | 2 years | Analytics |
| _gid | Distinguishes users | 24 hours | Analytics |
### Payments
**Detected:** Stripe
- **Data you store:** Customer ID, subscription status, billing address
- **Data Stripe stores:** Payment methods, transaction history
- **Note:** You are NOT a data controller for card numbersâStripe is
### Third-Party Processors
| Service | Data Shared | Purpose | Their Privacy Policy |
|---------|-------------|---------|---------------------|
| Vercel | IP, request logs | Hosting | vercel.com/legal/privacy-policy |
| Resend | Email addresses | Transactional email | resend.com/legal/privacy-policy |
| Sentry | Error data, user context | Error tracking | sentry.io/privacy |
### Cookies Summary
| Category | Count | Examples |
|----------|-------|----------|
| Essential | 2 | Session, CSRF token |
| Analytics | 2 | _ga, _gid |
| Marketing | 0 | None detected |
| Functional | 1 | Theme preference |
Step 3: Guided Questions
Use AskUserQuestion tool for each round. One focused topic at a time.
Round 1: Business Identity
Question: "What are your business details?"
Header: "Business"
Options: [Free text response needed]
Gather:
- Legal business name (e.g., "Acme Inc." or "John Smith trading as Acme")
- Country/state of incorporation or residence
- Business type: Company, LLC, Sole proprietor, etc.
- Website URL
- Contact email for privacy/legal inquiries
- Physical address (required for some jurisdictions, recommended for all)
Round 2: Target Audience & Jurisdiction
Question: "Where are your users located?"
Header: "Jurisdiction"
Options:
- "Worldwide (GDPR + CCPA compliant)" [Recommended]
â Covers EU, California, and general best practices
- "US only"
â CCPA for California, general US practices
- "EU/EEA only"
â GDPR-focused
- "Specific countries"
â Ask follow-up for which countries
Follow-up if needed:
Question: "Do you expect users under 18?"
Header: "Age"
Options:
- "No, adults only (18+)"
- "Yes, 13-17 with parental consent"
- "Yes, under 13" â COPPA applies, special handling required
- "Not sure"
Round 3: Documents Needed
Question: "Which legal documents do you need?"
Header: "Documents"
MultiSelect: true
Options:
- "Privacy Policy" [Required for almost all sites]
â Required if you collect ANY data (even just analytics)
- "Terms of Service"
â Required for apps/SaaS, recommended for all
- "Cookie Policy"
â Required if using non-essential cookies (can be section in Privacy Policy)
- "Acceptable Use Policy"
â Recommended if users can post content or interact
Round 4: Service Type & Features
Question: "What type of service is this?"
Header: "Service type"
Options:
- "SaaS / Web application"
â User accounts, possibly subscriptions
- "E-commerce / Online store"
â Products, checkout, shipping
- "Content / Blog / Marketing site"
â Minimal data collection
- "Marketplace / Platform"
â Multiple user types, transactions between users
- "API / Developer tools"
â API keys, usage data, developer accounts
Follow-up based on selection:
- SaaS: "Do you offer free trials? Refund policy? Subscription billing?"
- E-commerce: "Physical or digital products? Return policy? Shipping regions?"
- Marketplace: "Do you facilitate payments between users? Take commission?"
Round 5: Specific Policies
Question: "What are your data practices?"
Header: "Practices"
MultiSelect: true
Options:
- "We use data only for providing our service"
- "We send marketing emails (with consent)"
- "We share anonymized/aggregated data"
- "We use AI/ML to process user data"
- "We allow third-party integrations"
Question: "What is your refund/cancellation policy?"
Header: "Refunds"
Options:
- "14-day money-back guarantee"
- "30-day money-back guarantee"
- "Pro-rated refunds for annual plans"
- "No refunds (for digital goods)"
- "Custom policy" â Ask for details
Step 4: Generate Documents
Based on detection + user answers, generate fully personalized documents.
CRITICAL: No Placeholders
DO NOT generate documents with [PLACEHOLDER] markers. The documents must be:
- Filled in with actual company name, URLs, emails from user answers
- Populated with actual detected services (Stripe, Vercel, etc.) by name
- Include real cookie names and durations from detection
- Have actual data categories based on what was detected
- Remove sections that don’t apply (e.g., no Payments section if no payments detected)
Example â WRONG:
We share data with [SERVICE_PROVIDERS].
Contact us at [EMAIL].
Example â CORRECT:
We share data with Vercel (hosting), Stripe (payments), and Resend (email).
Contact us at privacy@acme.com.
The templates below show the structure. When generating, replace ALL bracketed items with real values from detection and user answers. If a section doesn’t apply to this project, omit it entirely.
Structure Reference Templates
The template structures for each document are maintained in separate files. Read these templates at runtime to use as the structure reference when generating personalized documents:
- Privacy Policy:
${CLAUDE_PLUGIN_ROOT}/templates/privacy-policy.md - Terms of Service:
${CLAUDE_PLUGIN_ROOT}/templates/terms-of-service.md - Cookie Policy:
${CLAUDE_PLUGIN_ROOT}/templates/cookie-policy.md
Use Read tool to load each template before generating. The templates show the structure â when generating, replace ALL bracketed items with real values from detection and user answers. If a section doesn’t apply to this project, omit it entirely.
Step 5: Implementation
Create the Pages
For Next.js App Router:
app/
âââ (legal)/
â âââ layout.tsx # Shared layout for legal pages
â âââ privacy/page.tsx # Privacy Policy
â âââ terms/page.tsx # Terms of Service
â âââ cookies/page.tsx # Cookie Policy (or section in privacy)
Example layout:
// app/(legal)/layout.tsx
export default function LegalLayout({ children }: { children: React.ReactNode }) {
return (
<div className="container mx-auto max-w-3xl px-4 py-12">
<article className="prose prose-gray dark:prose-invert max-w-none">
{children}
</article>
</div>
)
}
Offer to create:
- The page files with generated content
- Footer links to the legal pages
- Cookie consent banner component (if needed)
Step 6: Next Steps
Present to user after generation:
## â
Legal Pages Generated
**Created:**
- `/privacy` â Privacy Policy
- `/terms` â Terms of Service
- `/cookies` â Cookie Policy
## Required Next Steps
1. **Add footer links**
- Link to Privacy Policy, Terms, and Cookies from your site footer
2. **Cookie consent banner** (if using non-essential cookies)
- Required before setting analytics/marketing cookies
- Must offer "Reject All" option for GDPR compliance
- Consider: [CookieConsent](https://github.com/orestbida/cookieconsent), [Osano](https://www.osano.com/), or custom
3. **Legal review**
- Have these documents reviewed by a lawyer, especially if:
- You handle sensitive data (health, financial)
- You have users in multiple jurisdictions
- You're in a regulated industry
- You process children's data
4. **Keep updated**
- Update "Last updated" date when you make changes
- Review annually at minimum
- Update when you add new data collection or third-party services
5. **Data Subject Requests**
- Set up a process to handle privacy requests (access, deletion, etc.)
- Aim to respond within 30 days (GDPR requirement)
<arc_log>
After completing this skill, append to the activity log.
See: ${CLAUDE_PLUGIN_ROOT}/references/arc-log.md
Entry: /arc:legal â Generated Privacy Policy, Terms, Cookie Policy
</arc_log>
Interop
- Invoked by /arc:letsgo when legal documents are missing
- May invoke cookie consent implementation after generating Cookie Policy
- References project detection patterns shared with /arc:letsgo