opencode-skills-collection 3.0.43 → 3.0.45

package/bundled-skills/atlas-ledger/SKILL.md

@@ -0,0 +1,248 @@
+---
+name: atlas-ledger
+description: "Companion to atlas-contract. Auto-invoked by its Final Audit on caught drift; also use after Post Reviews or user requests to record a mistake. Distills drift into WHEN/DON'T/INSTEAD clauses, writes to Atlas.md after confirmation."
+risk: critical
+source: community
+source_repo: wede-wx/atlas
+source_type: community
+date_added: "2026-06-12"
+license: MIT
+license_source: "https://github.com/wede-wx/atlas/blob/main/LICENSE"
+metadata:
+  version: "2.2.0"
+  author: wede-wx
+  repository: https://github.com/wede-wx/atlas
+---
+
+# Atlas Ledger v2.2
+
+Give the Atlas series a memory.
+
+## Contents
+
+1. [Output Language](#1-output-language)
+2. [When To Run](#2-when-to-run)
+3. [Distillation (the core)](#3-distillation-the-core) — Steps 1–6
+4. [Atlas.md format](#4-atlasmd-format)
+5. [Clause maintenance](#5-clause-maintenance-keep-the-ledger-alive-not-ossified)
+6. [Integration with atlas-contract](#6-integration-with-atlas-contract-the-read-back-half)
+7. [Final Principle](#7-final-principle)
+
+## Quick reference
+
+```text
+caught drift (auto handoff from Final Audit / Post Review / Phase Check / user request)
+ → Step 1  state facts, not motive
+ → Step 2  draft WHEN / DON'T / INSTEAD
+ → Step 3  four gates: Actionability → Replay → Generalization → Over-reach
+ → Step 4  first occurrence = Observation [O#]; repeat or high-severity = Clause [L#]
+ → Step 5  propose, ATLAS_STOP, write only after user confirms
+ → Step 6  merge-first into Atlas.md; confirmed clauses ≤ 15
+```
+
+`atlas-contract` defends the goal **within one conversation**, but it starts from zero every time — it does not know where this project drifted before. `atlas-ledger` closes that gap: when a drift is caught, it distills the lesson into a permanent, project-local **contract clause** and (after the user confirms) writes it to `Atlas.md`. Next time `atlas-contract` builds a Goal Contract, it loads the relevant clauses, so the defense line thickens with each catch. That is the compounding effect.
+
+It is a **low-frequency, lightweight** companion. It runs only after a drift is caught, and it stays small on purpose. Do not turn it into a second heavy governance skill — its only hard job is distillation quality.
+
+## Core idea
+
+The job is **not** to keep a diary. A record of "what went wrong" is a memory; it changes nothing. The job is a translation:
+
+> turn *this caught drift* → into *a clause that can enter a future contract and trigger a stop*.
+
+A diary says "I hid the feature." A ledger clause says "WHEN a backend requirement is blocked, DON'T hide the feature, INSTEAD stop and disclose." Only the second one catches it next time. The entire value of this skill is the quality of that translation — and since it is run by the same model that drifted, the mechanisms below exist to keep it honest rather than trusting it to be careful.
+
+---
+
+# 1. Output Language
+
+Write `Atlas.md` and all user-facing output in the language of the user's current instruction.
+
+**Machine keys stay in English; clause content is localized.** Never translate the keys `WHEN` / `DON'T` / `INSTEAD`, the IDs (`L1`, `O1`), `seen`, `severity`, `Source`, `RETIRED`, or section headers `Confirmed Clauses` / `Provisional Observations` — atlas-contract parses these, and translating them makes the read-back unstable. The text after each key is written in the user's language. (E.g. `WHEN: 硬性 Must-Do 的后端部分受阻` — key English, content Chinese. Do **not** write `当: ...`.)
+
+**Every process label this skill emits to the user must also be localized** (these are not machine keys — they are headings shown to the user, like the four gate names or the candidate-clause header). Only the fixed machine keys above stay English.
+
+Chinese label mapping (process labels — localize these):
+
+- `Atlas Event` → `Atlas 事件`; `Event ID` → `事件编号`; `Type` → `类型`; `Trigger Source` → `触发来源`; `Phase` → `阶段`; `Stop Status` → `停止状态`
+- `Candidate Clause` / `Suggested Clause` → `候选条款`; `Proposal` → `提案`; `awaiting confirmation` → `等待确认`
+- `Four acceptance gates` → `四道闸自检`; `Actionability` → `可执行性`; `Replay` → `回放`; `Generalization` → `泛化`; `Over-reach` → `误伤`; `Pass` → `通过`; `Fail` → `失败`
+- `confirmed on first occurrence` → `首次出现即确认`; `merged` → `已合并`; `retired` → `已退休`; `review: stale` → `待复核：可能失效`
+
+**Pre-output localization self-check:** Before sending any user-facing output, scan for untranslated English process labels (e.g. "Suggested Clause", "Actionability"). If any are found, translate them before sending. Do **not** translate the fixed machine keys (`WHEN`/`DON'T`/`INSTEAD`/IDs/`severity`/`Source`/`seen`/`Confirmed Clauses`/`Provisional Observations`) — those stay English even in a Chinese response.
+
+---
+
+## When to Use
+
+# 2. When To Run
+
+Run distillation only when a drift has been **caught**. Triggers, in order of how they usually arrive:
+
+1. **Automatic handoff from atlas-contract (primary path).** When an `atlas-contract` **Final Audit** records one or more hard deviations (a hard Deviation Notice was raised, or an item is Violation / Partial / Unverified that should have been Complete), the contract skill invokes this distillation **immediately and without asking** — the candidate clause is proposed right after the audit, and the flow stops at the write-confirmation. The user should never have to remember to ask for the recording.
+2. an `atlas-contract` **Post Review** (the user said the result was wrong / incomplete / downgraded / mocked);
+3. a **Phase Check** catches the same class of error recurring;
+4. the user explicitly says "record this so it doesn't happen again."
+
+In every path, the confirm-before-write stop (Step 5) is preserved: automatic triggering changes **when distillation starts**, never **whether the user approves the write**.
+
+Do **not** run on: clean completions; optimization requests; ordinary code review; style preferences; general takeaways. There is nothing to enforce in those.
+
+**Honesty boundary:** it can only learn from drift that was *detected*. Drift that slipped through unnoticed leaves no entry. Do not pretend the ledger is complete.
+
+---
+
+# 3. Distillation (the core)
+
+Run in order. Output at most one clause per caught drift.
+
+## Step 1 — State the drift as observable facts, not motive
+
+Write what was objectively true, from the contract plus the delivered artifact — not why you think you did it.
+
+- Good (fact): "[M2] required backend persistence (hard). Delivered code shipped the frontend with hardcoded data; no API or DB write exists."
+- Bad (motive): "I thought the backend wasn't really necessary." Self-reported reasons are unreliable; a clause built on one prevents the wrong thing. Base the clause on the observable situation → action.
+
+## Step 2 — Draft the clause: WHEN / DON'T / INSTEAD
+
+```text
+WHEN    <the situation that was true, generalized away from the specific subject>
+DON'T   <the concrete wrong action taken>
+INSTEAD <the concrete correct action>
+```
+
+Governing principle: **abstract the situation, keep the behavior concrete, base WHEN on facts not motive.** Drop the subject (feature name, file); keep the condition. The condition makes it match a future case; the subject makes it useless.
+
+## Step 3 — Four acceptance gates (record only if it passes ALL four)
+
+Run cheapest first.
+
+1. **Actionability** — can the clause answer, concretely: what condition triggers it, what it forbids, and what to do instead? If any of the three is vague ("be more careful", "don't be lazy", "implement fully"), it is not a clause — discard. This gate exists to kill un-triggerable garbage before spending effort on the rest.
+2. **Replay** — had this clause been in the contract this time, would it have caught this drift? If no → it does not describe what happened; rewrite.
+3. **Generalization** — would it catch a *different* instance of the same situation (different feature, same shape)? If no → WHEN is still stuck to the subject; abstract further.
+4. **Over-reach** — would it wrongly block a *legitimate* action elsewhere (e.g. the user explicitly approved frontend-first)? If yes → too broad; narrow it, usually by tightening WHEN.
+
+If a candidate cannot pass all four, the lesson is not ready. **Record nothing rather than record noise.**
+
+## Step 4 — Provisional vs confirmed
+
+A single occurrence may be a fluke; do not over-fit.
+
+- **First time** a situation is seen → record as a provisional **Observation** `[O#]`.
+- A later caught drift whose WHEN **matches an existing Observation** → promote to a confirmed **Clause** `[L#]`, increment seen-count, remove the Observation.
+- Only **confirmed clauses** are auto-loaded into future contracts; Observations are watched, not enforced.
+
+**Severity exception — confirm on first occurrence** (skip the provisional stage) when the drift is any of:
+
+1. mock / stub / fake data passed off as a real implementation;
+2. hiding, deleting, or disabling a feature the user explicitly required;
+3. weakening or deleting tests to force a pass;
+4. data loss, broken persistence, or corrupted user data;
+5. a security / permissions / auth mis-change;
+6. a declared Preserve item broken;
+7. downgrading Complete / end-to-end work to frontend-only.
+
+Mark these `severity: high` and note `confirmed on first occurrence`.
+
+## Step 5 — Propose, then write only after confirmation
+
+`Atlas.md` is long-term project state — a wrong clause silently shapes every future contract. So the model does **not** write it unsupervised. Default flow:
+
+```text
+caught drift (auto handoff from Final Audit, or other §2 trigger)
+ → draft clause (Steps 1–2)
+ → pass four gates (Step 3)
+ → output the candidate clause as a proposal
+ → ATLAS_STOP, await user confirmation
+ → on confirmation, write to Atlas.md (Step 6)
+```
+
+Only skip the stop if the user has explicitly said something like "auto-update Atlas.md". The confirmation is not red tape: it puts a human on the one artifact that is permanent, and lets the user fix a mis-distilled clause before it pollutes future work.
+
+## Step 6 — Write to Atlas.md, merging first
+
+Before adding, scan `Atlas.md` for an existing clause/observation with an overlapping WHEN.
+
+- If one exists → **merge** into a single, more general clause, then re-run the four gates on the merged result. No near-duplicates.
+- If confirmed clauses already number 15, merge the two closest before adding.
+
+**Never only append.** A ledger that only grows hits the same long-context decay atlas-contract fights. Merging two concrete instances is often what produces the correctly-general rule.
+
+---
+
+# 4. Atlas.md format
+
+One file at the workspace root. Stable structure (atlas-contract reads it). Keys English, content localized, `Source` anchored to the phase / event ID that caught it (not a guessed date — the model does not reliably know the date).
+
+```text
+# Atlas Ledger
+<!-- Maintained by atlas-ledger. Confirmed clauses are loaded into new Goal Contracts by atlas-contract.
+     Keys (WHEN/DON'T/INSTEAD, IDs, severity, Source) are fixed English; content is localized.
+     Keep confirmed clauses general and <= 15. -->
+
+## Confirmed Clauses
+- [L1] (seen 2x, severity: high)
+  WHEN:    硬性 Must-Do 的后端 / API / 持久化部分受阻或比预期更难
+  DON'T:   用前端 mock、隐藏入口、静态数据或假成功来冒充完成
+  INSTEAD: 停下来披露阻塞点，让用户决定继续原目标、批准偏离或改方案
+  Source:  P3 Final Audit; P2 Post Review
+
+## Provisional Observations
+- [O1] (seen 1x)
+  WHEN:    某个要求的测试失败且修复不明显
+  DON'T:   削弱或跳过断言来让它通过
+  INSTEAD: 报告失败，提出真实修复或发起偏离通知
+  Source:  P2 Deviation Notice
+```
+
+---
+
+# 5. Clause maintenance (keep the ledger alive, not ossified)
+
+A clause distilled early can become wrong as the project evolves. The ledger must be able to shrink and retire, not only grow.
+
+- The user may **retire** any clause at any time; mark it `RETIRED` (or remove it) and stop loading it.
+- If a confirmed clause is **overridden by the user twice** (carried into a contract and waved off both times), flag it `review: stale` and surface it for retirement — it likely no longer matches the project.
+- Retiring and merging are the two ways the ledger stays small; only-append is forbidden (Step 6).
+
+---
+
+# 6. Integration with atlas-contract (the read-back half)
+
+This skill owns the **write** half. The **read** half is a single hook in atlas-contract's §6. Add this to atlas-contract:
+
+```text
+## Project Ledger Hook (read-back)
+
+Before building the Goal Contract, check for Atlas.md at the workspace root. If it exists:
+1. Read only the Confirmed Clauses (ignore Provisional Observations unless one is directly
+   relevant and clearly marked advisory).
+2. Match clauses whose WHEN is relevant to the current task.
+3. Carry in at most 5 of the most relevant clauses — not all of them.
+4. Convert each: DON'T -> a Must Not Do; INSTEAD -> its required response / stop rule.
+5. Show them in the contract under "Carried-in Ledger Clauses" so the user sees the ledger working.
+
+Precedence: ledger clauses are project DEFAULTS, not law. The user's current explicit instruction
+always overrides a carried-in clause. If a carried-in clause conflicts with what the user is asking
+for this time, do not silently enforce it — surface the conflict and let the user decide.
+
+If Atlas.md is missing, malformed, stale, oversized, or ambiguous, say so in one line and continue
+without pretending it was fully applied. Never fabricate clauses.
+```
+
+Without that hook the clauses are written but never enforced, and the ledger degrades into a diary. With it, every caught drift becomes a standing guardrail that routes through the mechanism that already works (the contract + the stop).
+
+---
+
+# 7. Final Principle
+
+atlas-ledger turns a one-time, caught mistake into a permanent project constraint — that is the compounding. Its worth is entirely in distillation quality: too specific and it never fires, too broad and it fires constantly, built on a guessed motive and it guards the wrong thing. The four gates, confirm-before-write, merge-first, and retirement rules exist to hold that quality and keep the ledger small.
+
+**Self-enforcement ceiling:** like atlas-contract, this skill is run by the same model it governs, so it can mis-distill or miss a drift worth recording. It raises the project's floor over time; it is not a guarantee, and the user confirming each clause is part of the design, not a formality. One more layer in the Atlas series — not a closed loop on its own.
+
+## Limitations
+
+- Writes to `Atlas.md` only after user confirmation; without that confirmation it produces a proposed clause, not durable project memory.
+- Clause quality depends on the model correctly identifying the actual drift, so user review is required before accepting entries.
+- The ledger can become stale or overbroad if clauses are not merged, retired, or reviewed as the project changes.
+- It does not replace tests, code review, or independent validation of whether the original task was actually completed.

package/bundled-skills/docs/integrations/jetski-cortex.md

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,527+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,541+ skills."
 ---
 
-# Jetski/Cortex + Gemini: safe integration with 1,527+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,541+ skills
 
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
 
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
 
-With 1,527+ skills, this approach fills the context window before user messages are even added, causing truncation.
+With 1,541+ skills, this approach fills the context window before user messages are even added, causing truncation.
 
 ---
 

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md

@@ -21,7 +21,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
 
-This pattern avoids context overflow when you have 1,527+ skills installed.
+This pattern avoids context overflow when you have 1,541+ skills installed.
 
 Manifest contract references:
 

package/bundled-skills/docs/maintainers/repo-growth-seo.md

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 
 Preferred positioning:
 
-> Installable GitHub library of 1,527+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,541+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 
 Key framing:
 
@@ -20,7 +20,7 @@ Key framing:
 
 Preferred description:
 
-> Installable GitHub library of 1,527+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,541+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 
 Preferred homepage:
 
@@ -28,7 +28,7 @@ Preferred homepage:
 
 Preferred social preview:
 
-- use a clean preview image that says `1,527+ Agentic Skills`;
+- use a clean preview image that says `1,541+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.
 

package/bundled-skills/docs/maintainers/skills-update-guide.md

@@ -72,7 +72,7 @@ The update process refreshes:
 - Canonical skills index (`skills_index.json`)
 - Compatibility mirror (`data/skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,527+ skills from the skills directory
+- All 1,541+ skills from the skills directory
 
 ## When to Update
 

package/bundled-skills/docs/users/bundles.md

@@ -917,4 +917,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 
 ---
 
-_Last updated: March 2026 | Total Skills: 1,527+ | Total Bundles: 52_
+_Last updated: March 2026 | Total Skills: 1,541+ | Total Bundles: 52_

package/bundled-skills/docs/users/claude-code-skills.md

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 
 ## Why use this repo for Claude Code
 
-- It includes 1,527+ skills instead of a narrow single-domain starter pack.
+- It includes 1,541+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/gemini-cli-skills.md

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,527+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,541+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V12.3.0)
+# Getting Started with Antigravity Awesome Skills (V12.4.0)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/kiro-integration.md

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 
 Kiro's agentic capabilities are enhanced by skills that provide:
 
-- **Domain expertise** across 1,527+ specialized areas
+- **Domain expertise** across 1,541+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md

@@ -14,7 +14,7 @@ If you came in through a **Claude Code** or **Codex** plugin instead of a full l
 
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
 
-✅ **Downloaded 1,527+ skill files** to your computer (default: `~/.agents/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
+✅ **Downloaded 1,541+ skill files** to your computer (default: `~/.agents/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
 ✅ **Made them available** to your AI assistant  
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
 
@@ -34,7 +34,7 @@ Bundles are **curated groups** of skills organized by role. They help you decide
 
 **Analogy:**
 
-- You installed a toolbox with 1,527+ tools (✅ done)
+- You installed a toolbox with 1,541+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You can either **pick skills from the tray** or install that tray as a focused marketplace bundle plugin
 
@@ -212,7 +212,7 @@ Let's actually use a skill right now. Follow these steps:
 
 ## Step 5: Picking Your First Skills (Practical Advice)
 
-Don't try to use all 1,527+ skills at once. Here's a sensible approach:
+Don't try to use all 1,541+ skills at once. Here's a sensible approach:
 
 If you want a tool-specific starting point before choosing skills, use:
 
@@ -343,7 +343,7 @@ Usually no, but if your AI doesn't recognize a skill:
 
 ### "Can I load all skills into the model at once?"
 
-No. Even though you have 1,527+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,541+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 
 The intended pattern is:
 

package/bundled-skills/docs/users/visual-guide.md

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,527+ skills live here
+├── 📁 skills/                          ← 1,541+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,527+ total)
+│   └── ... (1,541+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 
 ```
                     ┌─────────────────────────┐
-                    │  1,527+ SKILLS          │
+                    │  1,541+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,527+ total)                │
+│   └── ... (1,541+ total)                │
 └─────────────────────────────────────────┘
 ```
 

package/bundled-skills/fsi-compliance-checker/SKILL.md

@@ -0,0 +1,125 @@
+---
+name: fsi-compliance-checker
+description: "Maps code, architecture, and infrastructure changes to specific control IDs in PCI-DSS v4.0 and MAS TRM (Singapore financial regulator), producing an audit-traceable findings report with per-control remediation."
+category: security
+risk: safe
+source: community
+source_repo: timwukp/agent-skills-best-practice
+source_type: community
+date_added: "2026-06-12"
+author: timwukp
+tags: [compliance, pci-dss, mas-trm, fintech, banking, security-review, audit, financial-services]
+tools: [claude, cursor, gemini, codex, antigravity]
+license: "MIT"
+license_source: "https://github.com/timwukp/agent-skills-best-practice/blob/main/LICENSE"
+---
+
+# FSI Compliance Checker
+
+## Overview
+
+Maps a concrete change (code diff, architecture design, IaC, pipeline config) to the specific controls it touches in financial services compliance frameworks — PCI-DSS v4.0 for payment card data and MAS TRM for Singapore-regulated institutions — and reports gaps with actionable remediation. This is engineering-level compliance triage: it helps teams catch violations before audit, but it does not replace a qualified assessor (QSA) or the institution's compliance function. Say so in every report.
+
+## When to Use This Skill
+
+- Use when a change touches payment card data (PAN, CVV, track data) and needs a PCI-DSS check
+- Use when reviewing changes at a Singapore-regulated financial institution against MAS TRM expectations
+- Use when someone asks "is this compliant", "does logging this violate PCI", or requests a banking-regulation review of a diff, design, or Terraform change
+- Do NOT use for generic security review (no framework involved), GDPR/SOC2/HIPAA (out of bundled scope), or legal advice
+
+## How It Works
+
+### Step 1: Select the framework
+
+Load only the reference file(s) the engagement needs:
+
+| Situation | Load |
+|-----------|------|
+| Payment card data is stored, processed, or transmitted | [pci-dss.md](pci-dss.md) |
+| Singapore-regulated financial institution (bank, insurer, capital markets, major payment institution) | [mas-trm.md](mas-trm.md) |
+| Both apply (e.g. Singapore bank handling cards) | Both files |
+| Other jurisdictions/frameworks (SOX, GDPR, HKMA, APRA) | State they are out of scope; offer general secure-engineering review instead |
+
+If the user hasn't said which applies, ask one question: what data does the change touch, and is the institution Singapore-regulated?
+
+### Step 2: Scope the change
+
+Identify what the diff/design actually touches: data elements (card data? customer PII? credentials?), trust boundaries, environments (production? DR?), and third parties.
+
+### Step 3: Assess applicable controls
+
+Select the applicable controls from the loaded reference file(s) — typically 5-15 controls, not the whole framework. List what you ruled out and why (one line each) so the scoping is auditable. Assess each as `Compliant` / `Gap` / `Needs evidence` (can't tell from the artifact — name the evidence required).
+
+### Step 4: Report
+
+Every Gap gets: the control ID, what's wrong in this specific change, concrete remediation, and severity (Critical = violation involving live regulated data; High = control absent; Medium = control partial/undocumented).
+
+```markdown
+# Compliance Review: [change title]
+**Frameworks:** [PCI-DSS v4.0 / MAS TRM 2021] · **Date:** [YYYY-MM-DD]
+**Scope:** [what was reviewed: files, design doc, pipeline]
+> Engineering triage only — not a substitute for QSA assessment or the compliance function.
+
+## Data & Boundary Analysis
+- Data elements touched: [e.g. PAN (masked), customer NRIC, none]
+- Environments/boundaries: [e.g. CDE-adjacent service, public API]
+
+## Findings
+| # | Control | Status | Severity | Finding | Remediation |
+|---|---------|--------|----------|---------|-------------|
+| 1 | [PCI 3.5.1] | Gap | Critical | [specific issue in this change] | [specific fix] |
+
+## Ruled Out (not applicable)
+- [Control area] — [one-line reason]
+
+## Evidence Needed
+- [Control]: [what artifact would demonstrate compliance]
+```
+
+### Step 5: Offer story conversion
+
+Offer to turn findings into backlog items with the control ID in each story for traceability.
+
+## Examples
+
+### Example 1: Logging review
+
+**User**: "Is this PCI-DSS compliant: we log the full request body of card authorization calls for debugging?"
+
+**Skill**: Loads pci-dss.md → Critical findings against 3.3.1 (CVV must never be stored post-authorization — logs are storage), 3.4.1 (PAN display masking), 3.5.1 (PAN unreadable at rest); remediation: remove the log line or apply a field-allowlist redaction filter; flags downstream log-pipeline scoping (10.3.x); QSA disclaimer included.
+
+### Example 2: Cloud migration
+
+**User**: "Our Singapore bank is moving the customer notification service to a cloud region in another country. MAS TRM implications?"
+
+**Skill**: Loads mas-trm.md → reviews against §11.5 (cloud: due diligence, data residency, exit strategy), flags the MAS Outsourcing Guidelines as a related instrument, asks what customer data the service touches before rating severity.
+
+## Common FSI Engineering Triggers
+
+Changes that almost always have compliance impact — check proactively when they appear in a diff:
+
+- Logging statements near payment or authentication flows (PAN/CVV must never be logged; MAS TRM requires security event logging — both directions matter)
+- New data stores or caches receiving customer or card data (encryption at rest, retention, residency)
+- Authentication/session changes (MFA requirements, session timeout, credential storage)
+- New third-party SDKs or API integrations (outsourcing/vendor controls, data flows leaving the boundary)
+- Infrastructure changes touching network segmentation, security groups, or public exposure
+- CI/CD changes that alter who/what can deploy to production (change management, segregation of duties)
+
+## Guardrails
+
+- Cite control IDs precisely (e.g. "PCI-DSS 8.3.6", "MAS TRM 9.1.1") so findings are traceable in audit tooling; the bundled reference files carry the ID schemes.
+- Severity discipline: don't inflate. A missing comment is not a Critical; unencrypted PAN at rest is.
+- When the change is compliant, say so affirmatively per control — "no findings" plus the checked-control list is a useful audit artifact.
+- Never output real card numbers, even as examples; use the standard test PANs (e.g. 4111 1111 1111 1111) when illustrating.
+- Read-only: this skill reviews and reports; it never modifies code, infrastructure, or configuration.
+
+## Limitations
+
+- Covers only the bundled PCI-DSS v4.0 and MAS TRM engineering summaries; other frameworks or local policy overlays need separate review.
+- Provides engineering triage, not legal advice, QSA assessment, or formal compliance sign-off.
+- Requires concrete evidence such as diffs, designs, IaC, logs, or control artifacts; incomplete evidence should be marked `Needs evidence`.
+- The bundled references are concise control maps, not substitutes for reading the official standards.
+
+## Credits
+
+Adapted from [timwukp/agent-skills-best-practice](https://github.com/timwukp/agent-skills-best-practice) (MIT), where the skill ships with evals and a documented 4-layer test methodology (see the repo's TESTING.md).