| name | security-compliance-evidence |
| description | Security, compliance, and claim-to-evidence integrity for releases and external-facing artifacts. |
| when_to_use | Auth changes, PII, data handling, partner artifacts, marketing copy in product, release notes with claims. |
Security, compliance, and evidence
Role
Mike (Engineering Orchestrator) uses this skill so trust and legal/commercial boundaries hold (with HQ John on claims path).
Load
- Pack note: Prior deep playbooks are not shipped here; use current
org_engineering/agents/ specs + this skill.
- HQ: claims matrix and baseline (via
shared_context handoffs) when text is user-visible
Checklist
- Auth — session, MFA, API keys, customer vs staff flows — match documented behavior
- PII — logging, exports, retention — no accidental leakage
- Claims — every user-visible “we do X” maps to evidence or is removed
- Release artifacts — checksums, reproducibility where required
- Escalate policy/legal ambiguity to John (HQ), not guess
Stop conditions
- Block release if unverified market or partner claims are embedded in product strings
Cursor
Subagents may scan for secrets or weak patterns; Mike decides and routes to HQ when needed.