Audit Criteria — Acme Notes
Snapshot as of 2026-07-15 · 47 controls across 13 domains (full skill)
Sample data — this page is abbreviated to only the
controls referenced by this sample report's findings. A real audit's
criteria.html lists all ~47 controls in full, as generated fresh per run.
This page shows exactly what each finding in this audit was measured
against. It is a snapshot taken on 2026-07-15 — the standard this
project's audits are judged against may be refined over time, so a later
audit's criteria page may differ slightly from this one. Findings link
here by control ID (e.g. "control 3.4").
3. Repository and source-control safeguards
| ID | Control | Evidence required | Green | Red |
| 3.3 | CI required to pass before merge | Branch protection required status checks, .github/workflows | CI is required and covers build/test at minimum | CI exists but is not required, or doesn't exist at all |
| 3.4 | No secrets committed to history | Standard secret/PII hunt across tracked files and history | No live-looking secrets found in tree or reachable history | A live-looking secret is found — always Red, always immediate blocker |
5. Automated testing and critical behavior coverage
| ID | Control | Evidence required | Green | Amber |
| 5.4 | Integration/e2e coverage on critical flows | Test files exercising a full flow vs. unit tests covering isolated functions only | At least one critical flow has integration/e2e-level coverage | Critical flows have unit coverage only, no integration/e2e layer exists |
9. Operations, monitoring, alerts, backups, and recovery
| ID | Control | Evidence required | Green | Red |
| 9.3 | Alerting configured, not just monitoring installed | Alert-rule config in repo, or project-owner confirmation at intake | Alerting rules defined in-repo or confirmed by the owner | Owner confirms monitoring exists but no alerts are configured |
11. Performance and scalability
| ID | Control | Evidence required | Green | Red / Amber |
| 11.1 | Unbounded queries | Hot-path data access missing pagination/LIMIT | User-facing list endpoints are paginated or bounded | Red: a user-facing endpoint returns an unbounded result set from an unbounded table |
| 11.2 | N+1 query patterns | Database call issued inside a loop over a fetched collection | No such pattern found, or found instances are already batched | Amber: an N+1 shape is found in a critical, user-facing path |
| 11.4 | Caching on read-heavy paths | Caching layer presence cross-checked against expensive aggregate-read endpoints | Caching present where expensive reads exist, or no evidence of an expensive read path | Amber only, never Red: expensive computed reads with no caching AND repo evidence of an acknowledged performance concern |
12. API contract and versioning discipline
| ID | Control | Evidence required | Green | Red |
| 12.1 | API surface is documented | OpenAPI/Swagger spec, GraphQL schema, or typed client vs. handler-code-only routes | The external API surface has a machine-readable or published spec | An externally-consumed API has no documentation of its surface anywhere |
14. Data lifecycle and retention
| ID | Control | Evidence required | Green | Red |
| 14.2 | Deletion actually deletes | Locate and read the account/data-deletion endpoint or flow | Hard delete, or soft delete with a working purge job/process | "Deleted" user PII remains queryable or is still served after a user-facing deletion action, while the product promises deletion |
See the full
control set
in the skill's source for all ~47 controls across all 13 domains.