Engineering

compliance-testing

Automated regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, and PCI-DSS. Checks that legal requirements are met, protects sensitive data, and generates audit-ready reports.

Introduction

The compliance-testing skill provides a comprehensive framework for validating software against major regulatory standards including GDPR, CCPA, HIPAA, SOC2, and PCI-DSS. Designed for QE teams, security engineers, and DevOps professionals, this skill helps organizations mitigate the severe financial and reputational risks associated with non-compliance. By shifting compliance validation to the left, it allows teams to identify regulatory gaps during the development lifecycle rather than waiting for formal audits, effectively turning compliance into a continuous, observable quality metric.

  • Automatically maps high-level regulatory requirements to specific, testable technical controls and assertions.

  • Executes validation tests for data subject rights, including access, erasure, and portability mechanisms.

  • Verifies technical security implementations such as encryption at rest and in transit, access logging, and consent tracking.

  • Generates audit-ready reports with evidence, timestamps, and metadata required for compliance documentation and industry certifications.

  • Integrates with the broader agentic-qe fleet to perform cross-domain security scans, API contract validation, and dependency mapping.

  • Supports advanced data handling tests, such as ensuring credit card numbers are stored only as tokens (never as raw primary account numbers) and that PII/PHI is shielded from unauthorized access.

  • When invoking the skill, specify the regulations in scope to ensure the agent selects the appropriate control mapping.

  • Ensure the databases and API endpoints under test are reachable from the test environment, as the skill performs active verification of data state and logging behavior rather than static review.

  • Use this skill in conjunction with the qe-security-scanner and qe-test-executor agents for a full-stack compliance posture.

  • Audit trails are required: the skill verifies compliance status by reading logs, so services under test must emit access, consent, and erasure events in a standardized format.

  • The tool is best utilized in pre-deployment CI/CD stages to prevent regressions in privacy controls and data protection mechanisms.

  • Designed for high-stakes environments where penalties for non-compliance, such as GDPR fines of up to 4% of global annual turnover or HIPAA's multi-million dollar penalties, represent significant business risk.
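The pattern behind the bullets above (a regulatory requirement mapped to a testable control, the control run against stored data, and the result written to a timestamped evidence record) is shown here as an added example in the repository's language. This is illustrative code, not the compliance-testing skill's own implementation; the record layout, the control names, the report shape and the sample rows are assumptions made for this illustration.

```typescript
// Added example, not the compliance-testing skill's code. Names, record
// layout and sample data are assumptions for illustration only.

type StoredRecord = {
  id: string;
  subject: string; // data-subject identifier
  card: string;    // should hold a token, never a raw PAN
  email: string;
};

type ControlResult = {
  regulation: string;
  requirement: string;
  control: string;
  passed: boolean;
  evidence: string[]; // record ids and reasons an auditor can follow up
};

type ComplianceReport = {
  generatedAt: string; // ISO-8601 timestamp for the audit trail
  results: ControlResult[];
  passed: boolean;
};

// Constructed sample store: r-2 still carries a raw PAN and subject s-003
// has an erasure request that was never honoured.
const SAMPLE_STORE: StoredRecord[] = [
  { id: "r-1", subject: "s-001", card: "tok_9f3c1b2a7e", email: "a@example.com" },
  { id: "r-2", subject: "s-002", card: "4111111111111111", email: "b@example.com" },
  { id: "r-3", subject: "s-003", card: "tok_0d4e88c1aa", email: "c@example.com" },
];
const ERASURE_REQUESTS: string[] = ["s-003"];

// Luhn mod-10 checksum. Requiring it keeps plain numeric identifiers
// (order numbers, epoch timestamps) from being reported as card numbers.
function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return substrings that look like a primary account number: 13-19 digits,
// optional space or dash separators, and a valid Luhn checksum.
function findRawPans(text: string): string[] {
  const hits: string[] = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// PCI-DSS Requirement 3.4: PAN must be rendered unreadable wherever stored.
// The evidence line masks all but the last four digits so the report itself
// does not become a new place where card data is stored.
function checkPanTokenized(store: StoredRecord[]): ControlResult {
  const evidence: string[] = [];
  const scanned: (keyof StoredRecord)[] = ["card", "email"];
  for (const rec of store) {
    for (const field of scanned) {
      for (const pan of findRawPans(rec[field])) {
        evidence.push(`${rec.id}.${field} holds raw PAN ****${pan.slice(-4)}`);
      }
    }
  }
  return { regulation: "PCI-DSS", requirement: "Req. 3.4: PAN rendered unreadable wherever stored",
    control: "no-raw-pan-in-store", passed: evidence.length === 0, evidence };
}

// GDPR Article 17: after an erasure request, no record for that subject may
// remain. `erased` is the list of subjects whose requests have been accepted.
function checkErasureHonoured(store: StoredRecord[], erased: string[]): ControlResult {
  const pending = new Set(erased);
  const evidence = store
    .filter((r) => pending.has(r.subject))
    .map((r) => `${r.id} still stored for subject ${r.subject}`);
  return { regulation: "GDPR", requirement: "Art. 17: right to erasure",
    control: "erased-subjects-absent", passed: evidence.length === 0, evidence };
}

// Run every control and wrap the outcomes in a timestamped, audit-ready report.
function runControls(store: StoredRecord[], erased: string[], now: Date = new Date()): ComplianceReport {
  const results = [checkPanTokenized(store), checkErasureHonoured(store, erased)];
  return { generatedAt: now.toISOString(), results, passed: results.every((r) => r.passed) };
}

// Stand-alone run: emits the evidence report as JSON for the CI log.
console.log(JSON.stringify(runControls(SAMPLE_STORE, ERASURE_REQUESTS), null, 2));
```

Two design points carry over to real deployments: the PAN detector combines a length range with a Luhn check so that other long numeric fields do not produce false findings, and the evidence strings never contain the full card number, since an audit report that reproduces the PAN would itself fall under PCI-DSS storage rules.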

Repository Stats

Stars: 329
Forks: 65
Open Issues: 4
Language: TypeScript
Default Branch: main
Sync Status: Idle
Last Synced: Apr 28, 2026, 12:15 PM