Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.userplane.io/llms.txt

Use this file to discover all available pages before exploring further.

Scans the repo for privacy issues in the Userplane integration. Produces a severity-ranked report (High / Medium / Low) with file:line citations and concrete diffs.

Usage

/userplane:privacy
No arguments required. The agent scans the entire repo.
Read-only. The privacy agent never edits files — every finding includes a diff you can apply yourself.

What it scans

ScanWhat the agent looks for
Blur coveragePII-adjacent inputs (password, email, ssn, card, cvv) missing data-userplane-blur
Metadata PIIRaw PII in setMetadata / setUser calls (email, phone, address, government IDs)
CSP frame-src gapsThird-party embeds (Stripe, Auth0, Clerk) missing from frame-src / connect-src
Inline handler leaksInline onClick / onSubmit handlers rendering PII to the DOM without blur

Output format

Summary: 3 issues (1 high, 2 medium)
Top fix: Add data-userplane-blur to the SSN input in src/components/ProfileForm.tsx

## High
- src/components/ProfileForm.tsx:28 — <input name="ssn"> missing blur attribute
  + <input name="ssn" data-userplane-blur />

## Medium
- src/hooks/useAuth.ts:45 — setUser passes raw email address
  - setUser({ email: user.email, name: user.name })
  + setUser({ id: user.id, name: user.name })

- next.config.js:22 — CSP missing frame-src for Stripe
  - frame-src 'self' *.userplane.io
  + frame-src 'self' *.userplane.io *.stripe.com

Example prompts

/userplane:privacy

We're preparing for a SOC 2 audit. Check if our Userplane integration leaks any PII into recordings.

Scan the checkout flow for privacy issues. We use Stripe Elements and want to make sure card details are blurred.

Are there any setMetadata calls that pass raw email addresses? We should only be sending user IDs.