// Generate a public-facing security trust page from scan data. Produces a single deployable index.html that shows compliance framework scores, security policies, infrastructure overview, and data protection posture. Deployable to S3, Vercel, Netlify, or GitHub Pages.
| name | trust-center |
| description | Generate a public-facing security trust page from scan data. Produces a single deployable index.html that shows compliance framework scores, security policies, infrastructure overview, and data protection posture. Deployable to S3, Vercel, Netlify, or GitHub Pages. |
| user-invocable | true |
Generate a deployable security trust page for your company.
Read shasta.config.json for python_cmd and company_name. Use that for all commands (shown as <PYTHON_CMD>).
<PYTHON_CMD> -c "
from shasta.db.schema import ShastaDB
db = ShastaDB(); db.initialize()
scan = db.get_latest_scan()
if scan:
print(f'SCAN_FOUND|{scan.completed_at}|{scan.summary.total_findings if scan.summary else 0} findings')
else:
print('NO_SCAN')
"
If NO_SCAN, tell the user: "No scan data found. The trust center will generate with placeholder content. Run /scan first for real compliance scores."
Ask the user:
"Generate the trust center with defaults, or customize? I can set:
- Company name and tagline
- Contact email and DPO email
- Which frameworks to show (SOC 2, ISO 27001, HIPAA)
- Subprocessors list
- Theme colors
Default generates a clean page with SOC 2 + ISO 27001 badges, all 8 policies, and your scan scores."
If they say "defaults" or similar, proceed with step 3 using just the company name from shasta.config.json.
If they want customization, build the config object from their answers.
For defaults:
<PYTHON_CMD> -c "
from shasta.trustcenter.generator import generate_trust_center
path = generate_trust_center()
print(f'Trust center generated at: {path}')
"
For custom config:
<PYTHON_CMD> -c "
from shasta.trustcenter.config import TrustCenterConfig
from shasta.trustcenter.generator import generate_trust_center
config = TrustCenterConfig(
company_name='<COMPANY_NAME>',
company_tagline='<TAGLINE>',
contact_email='<EMAIL>',
show_hipaa=<True|False>,
subprocessors=[
{'name': 'AWS', 'purpose': 'Cloud infrastructure', 'location': 'US'},
],
)
path = generate_trust_center(config)
print(f'Trust center generated at: {path}')
"
Tell the user:
data/trust-center/index.html)start data/trust-center/index.html (Windows) or open data/trust-center/index.html (Mac)Deploy options:
- S3:
aws s3 cp data/trust-center/index.html s3://your-trust-bucket/index.html --content-type text/html- GitHub Pages: Copy to your
docs/folder orgh-pagesbranch- Vercel/Netlify: Set build output directory to
data/trust-center/- Custom domain: Point trust.yourcompany.com at the hosting bucket/project
The page is a single self-contained HTML file — no build step, no dependencies, no asset files to manage. It uses Tailwind CDN and Chart.js CDN.
/scan then /trust-center to update.Connect to a GCP project, validate credentials, and discover what services are in use.
Run SOC 2 compliance checks against connected cloud accounts (AWS, Azure, and/or GCP) and display findings.
Deep code scan for AI security issues — prompt injection, PII in prompts, hardcoded keys, unguarded agents.
Run AI governance checks across cloud accounts and code repos — ISO 42001, EU AI Act, NIST AI RMF compliance.
Scan cloud accounts and GitHub repos to discover AI/ML services and build an AI system inventory.
Walk staged changes against the engineering principles checklist and report pass/fail per principle. Run before any non-trivial commit. Catches doc drift, stub functions, single-region defaults, missing framework mappings, and other regressions before they ship.