Columbia-Cloudworks-LLC/evidence-producer
.cursor/skills/evidence-producer/SKILL.md
Use when producing production-backed audit evidence, screenshots, executive compliance reports, and entity-mapping visuals from equipqr.app, production Supabase, and production Vercel.
$ install --global
skillsauthnpx skillsauth add Columbia-Cloudworks-LLC/EquipQR evidence-producerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:46 PM10.6s4 files scanned
SKILL.md
- name:
- evidence-producer
- description:
- Use when producing production-backed audit evidence, screenshots, executive compliance reports, and entity-mapping visuals from equipqr.app, production Supabase, and production Vercel.
Evidence Producer
Purpose
Produce audit-support evidence and reporting from production systems only.
This skill can run from prior auditor output or standalone jurisdiction input, but always enforces production-only boundaries.
Required Inputs
Use inputs.md to determine run mode and checklist source.
Allowed Sources
Use sources.md to enforce production-only scope and provenance.
Reporting Requirements
Use reporting.md to generate evidence outputs, executive reporting, and visual appendix content.
Core Workflow
Copy this checklist and complete in order:
Evidence Producer Progress
- [ ] 1) Determine input mode (auditor-driven preferred)
- [ ] 2) Emit source lock (production only)
- [ ] 3) Map each control/question to evidence source(s)
- [ ] 4) Collect production evidence with provenance
- [ ] 5) Classify each control (`verified`/`failed`/`not verified`/`blocked`)
- [ ] 6) Write required output artifacts
1) Determine input mode
- Prefer prior
auditoroutput when available. - Otherwise run standalone with explicit jurisdiction/regulatory scope.
2) Emit source lock
Before collection, explicitly confirm:
- in-scope:
https://equipqr.app, production Supabase, production Vercel - out-of-scope: preview, staging, local, unpublished, speculative features
3) Map controls to sources
For each control/question, choose strongest production evidence from:
- browser-observed production behavior
- production database evidence (read-only)
- production Vercel evidence (read-only)
- combined evidence
4) Collect with provenance
Every artifact must include:
- control/question mapping
- source system
- UTC timestamp when available
- production confirmation
- reproducibility marker
- concise observation note
5) Classify controls
verified: evidence supports the controlfailed: evidence contradicts the controlnot verified: evidence is inconclusiveblocked: safe/required production access is unavailable
6) Write outputs
Produce all required artifacts using reporting.md.
Output Contract
Always produce, in order:
ScopeSource LockEvidence InventoryEvidence PackageExecutive ReportVisual Appendix
Guardrails
- Production evidence collection is read-only by default.
- Do not perform destructive production actions for this workflow.
- Do not substitute non-production signals for production evidence.
- Do not claim legal advice or legal certification.
- When sources conflict, document both with provenance and classify from strongest relevant evidence.
Example Trigger Phrases
- "Produce Texas audit evidence from production"
- "Create executive compliance report from live production"
- "Capture production evidence and entity diagrams for audit controls"
Related Skills
Columbia-Cloudworks-LLC/react-best-practices
development
VerifiedTrustedCommunity
React performance optimization guidelines from Vercel Engineering, with EquipQR-specific mappings (Vite + React Router + TanStack Query). Use when writing, reviewing, or refactoring React code in this repo, especially around waterfalls, bundle size, and re-renders.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/postgres-best-practices
testing
VerifiedTrustedCommunity
Postgres performance optimization and best practices from Supabase, adapted to EquipQR's Supabase (Postgres + RLS) workflow. Use when editing SQL, migrations, indexes, or RLS policies.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/brand-guidelines
development
VerifiedTrustedCommunity
Applies EquipQR's brand colors and design-system tokens to any artifact that should match EquipQR's look-and-feel. Use it when brand colors, style guidelines, visual formatting, or EquipQR design standards apply.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/trowel
development
VerifiedTrustedCommunity
Use when auditing dependency health, API contract consistency, shared data shapes, or brittle integration seams between modules, services, and packages.
1SKILL.mdUpdated Apr 16, 2026