Audit Criteria — Acme Notes

Snapshot as of 2026-07-15 · 47 controls across 13 domains (full skill)
This page shows exactly what each finding in this audit was measured against. It is a snapshot taken on 2026-07-15 — the standard this project's audits are judged against may be refined over time, so a later audit's criteria page may differ slightly from this one. Findings link here by control ID (e.g. "control 3.4").

3. Repository and source-control safeguards

IDControlEvidence requiredGreenRed
3.3CI required to pass before mergeBranch protection required status checks, .github/workflowsCI is required and covers build/test at minimumCI exists but is not required, or doesn't exist at all
3.4No secrets committed to historyStandard secret/PII hunt across tracked files and historyNo live-looking secrets found in tree or reachable historyA live-looking secret is found — always Red, always immediate blocker

5. Automated testing and critical behavior coverage

IDControlEvidence requiredGreenAmber
5.4Integration/e2e coverage on critical flowsTest files exercising a full flow vs. unit tests covering isolated functions onlyAt least one critical flow has integration/e2e-level coverageCritical flows have unit coverage only, no integration/e2e layer exists

9. Operations, monitoring, alerts, backups, and recovery

IDControlEvidence requiredGreenRed
9.3Alerting configured, not just monitoring installedAlert-rule config in repo, or project-owner confirmation at intakeAlerting rules defined in-repo or confirmed by the ownerOwner confirms monitoring exists but no alerts are configured

11. Performance and scalability

IDControlEvidence requiredGreenRed / Amber
11.1Unbounded queriesHot-path data access missing pagination/LIMITUser-facing list endpoints are paginated or boundedRed: a user-facing endpoint returns an unbounded result set from an unbounded table
11.2N+1 query patternsDatabase call issued inside a loop over a fetched collectionNo such pattern found, or found instances are already batchedAmber: an N+1 shape is found in a critical, user-facing path
11.4Caching on read-heavy pathsCaching layer presence cross-checked against expensive aggregate-read endpointsCaching present where expensive reads exist, or no evidence of an expensive read pathAmber only, never Red: expensive computed reads with no caching AND repo evidence of an acknowledged performance concern

12. API contract and versioning discipline

IDControlEvidence requiredGreenRed
12.1API surface is documentedOpenAPI/Swagger spec, GraphQL schema, or typed client vs. handler-code-only routesThe external API surface has a machine-readable or published specAn externally-consumed API has no documentation of its surface anywhere

14. Data lifecycle and retention

IDControlEvidence requiredGreenRed
14.2Deletion actually deletesLocate and read the account/data-deletion endpoint or flowHard delete, or soft delete with a working purge job/process"Deleted" user PII remains queryable or is still served after a user-facing deletion action, while the product promises deletion

See the full control set in the skill's source for all ~47 controls across all 13 domains.