compliance-testing

Automate regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, and PCI-DSS to ensure legal adherence, prepare for audits, and secure sensitive data.

Introduction

The compliance-testing skill is a specialized QE engine designed for software teams operating in regulated environments. It streamlines the validation of complex legal and security requirements by mapping business logic to testable controls for major global regulations including GDPR, CCPA, HIPAA, SOC2, and PCI-DSS. This skill is intended for QA engineers, security officers, and DevOps teams tasked with maintaining audit-ready systems while handling PII (Personally Identifiable Information), PHI (Protected Health Information), and PCI payment card data.

By leveraging this agentic skill, teams move away from reactive compliance checking toward continuous verification. It integrates directly into the development lifecycle, ensuring that data subject rights, encryption standards, and access logging are validated during every build or deployment cycle. The skill excels at identifying gaps in data handling and ensuring that audit trails are consistently maintained, reducing the risk of the significant financial penalties and reputational damage associated with non-compliance.

  • Automatically generates test suites for data subject rights (access, deletion, portability) as required by GDPR and CCPA.

  • Validates encryption-at-rest and in-transit protocols, specifically for sensitive PHI fields in HIPAA-regulated applications.

  • Performs automated checks to ensure payment card data is never stored in plain text and adheres to PCI-DSS tokenization requirements.

  • Facilitates continuous audit logging verification, confirming that every access event is recorded with appropriate metadata.

  • Supports the generation of audit-ready reports with concrete evidence logs, drastically reducing manual preparation time before official security reviews.

  • Integrates seamlessly with qe-security-scanner and qe-quality-gate agents to block non-compliant code from reaching production.

  • Users should define their scope (e.g., 'full-application' or specific modules) and list the applicable regulations to activate the correct validation logic.

  • Expected inputs include application API schemas, database access configurations for log verification, and specific user consent models.

  • Outputs typically consist of test execution summaries, compliance dashboards, and downloadable PDF reports containing structured evidence of passed/failed controls.

  • Remember that compliance is a continuous process; integrate these checks early in the CI/CD pipeline to identify violations long before a formal audit occurs.

  • Note that this skill requires careful configuration of the testing environment to safely mimic production data structures without violating privacy policies themselves.
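The two controls the feature list describes most concretely are the PCI-DSS "never stored in plain text" check and the audit-log metadata check. The following is an added example of what such checks look like in code; it is not the skill's own implementation. The record layout, the `tok_` token prefix, the set of required audit fields, and the sample records and events are all constructed assumptions.

```python
"""Added example: two compliance checks of the kind the feature list describes
(PCI-DSS plaintext card data, audit-log metadata). Not the skill's own code;
record layout, token prefix and required log fields are assumptions."""
import re
from datetime import datetime

# Assumption: tokenized card references carry a "tok_" prefix (constructed).
TOKEN_PREFIX = "tok_"
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs such as order or customer IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(value: str) -> list:
    """Return Luhn-valid card numbers found in a stored field (separators removed)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def check_card_storage(records: list) -> list:
    """PCI-DSS control: card fields must hold a token, never a PAN.
    Returns one finding string per violating record/field; empty list means pass."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            if value.startswith(TOKEN_PREFIX):
                continue  # tokenized reference, compliant
            for pan in find_plaintext_pans(value):
                # Report only the last four digits so the finding itself is not a PAN leak.
                findings.append(
                    f"record {rec.get('id')}: field '{field}' holds plaintext PAN ending {pan[-4:]}"
                )
    return findings


# Assumption: the metadata every access event must carry (constructed).
REQUIRED_AUDIT_FIELDS = ("timestamp", "actor", "action", "resource", "outcome")


def check_audit_log(events: list) -> list:
    """Audit-logging control: every access event carries the required metadata
    and a timezone-aware ISO 8601 timestamp."""
    findings = []
    for i, ev in enumerate(events):
        missing = [f for f in REQUIRED_AUDIT_FIELDS if not ev.get(f)]
        if missing:
            findings.append(f"event {i}: missing {', '.join(missing)}")
            continue
        try:
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                findings.append(f"event {i}: timestamp lacks timezone")
        except ValueError:
            findings.append(f"event {i}: unparseable timestamp {ev['timestamp']!r}")
    return findings


# Constructed sample data; 4111111111111111 is a widely published test card number.
SAMPLE_RECORDS = [
    {"id": 1, "card": "tok_9f1c2a", "note": "order 10002345"},
    {"id": 2, "card": "4111 1111 1111 1111", "note": "paid"},
    {"id": 3, "card": "tok_77ab", "note": "customer ref 1234567890123"},
]
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T10:00:00Z", "actor": "svc-billing", "action": "read",
     "resource": "card/1", "outcome": "allow"},
    {"timestamp": "2026-04-01T10:05:00", "actor": "alice", "action": "read",
     "resource": "card/2", "outcome": "allow"},
    {"timestamp": "2026-04-01T10:06:00Z", "actor": "", "action": "export",
     "resource": "card/3", "outcome": "allow"},
]

if __name__ == "__main__":
    for finding in check_card_storage(SAMPLE_RECORDS) + check_audit_log(SAMPLE_EVENTS):
        print("FAIL", finding)
```

Run against the constructed data, the card check flags record 2 (a plaintext PAN) while leaving the 13-digit customer reference in record 3 alone because it fails the Luhn check, and the audit check flags the naive timestamp in event 1 and the empty actor in event 2. Findings deliberately report only the last four digits, so the compliance report itself never becomes a new plaintext store of card data.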

Repository Stats

Stars: 329
Forks: 65
Open Issues: 4
Language: TypeScript
Default Branch: main
Sync Status: Idle
Last Synced: Apr 29, 2026, 06:40 AM