Certification & Audit Standard (CAS-001)
Use this skill when defining or implementing certification gates and the deterministic certification report artifact.
When to Use
- Designing audit categories and PASS/FAIL semantics for Harmony artifacts
- Implementing `nx audit` / `nx certify` targets (later phase)
- Defining evidence requirements for security-sensitive behavior (RESTRICTED approvals, secrets, network allowlists)
Instructions
- Include the required audit categories (identity, versioning, OCS/WCS compliance, envelope semantics, classification, observability, secrets).
- Define deterministic output: write the report to `dist/certification/CERTIFICATION.json` with stable ordering.
- Report semantics: any FAIL ⇒ overall FAIL; WARNs are reported but do not fail the run.
- Capture evidence for threat model hooks without leaking secrets.
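The following TypeScript is an added example, not the project's own `nx audit` / `nx certify` code: it applies the rules above (fixed category set, stable ordering, any FAIL ⇒ overall FAIL, WARNs reported only, secrets referenced only by digest) and writes the report to `dist/certification/CERTIFICATION.json`. The category slugs, the Finding shape, the sample findings, and the choice to fail a required category that has no findings are assumptions of this example.

```typescript
// Added example (not project code): deterministic CAS-001 report builder.
import { createHash } from "crypto";
import { mkdirSync, writeFileSync } from "fs";
import { dirname } from "path";
type Status = "PASS" | "WARN" | "FAIL";
// Required audit categories; the slugs are assumed, the set follows the instructions above.
const CATEGORIES = ["identity", "versioning", "ocs-wcs-compliance", "envelope-semantics",
  "classification", "observability", "secrets"] as const;
type Category = (typeof CATEGORIES)[number];
interface Finding { category: Category; check: string; status: Status; evidence?: string }
interface Report { standard: "CAS-001"; overall: "PASS" | "FAIL";
  categories: Record<Category, { status: Status; findings: Finding[] }>; }
// Evidence may reference a secret only by a truncated digest, never by value.
function fingerprint(secret: string): string {
  return "sha256:" + createHash("sha256").update(secret).digest("hex").slice(0, 16);
}
function buildReport(findings: Finding[]): Report {
  const categories = {} as Report["categories"];
  for (const c of CATEGORIES) {
    // Stable ordering: sort by check name with a locale-independent comparison.
    const items = findings.filter((f) => f.category === c)
      .sort((a, b) => (a.check < b.check ? -1 : a.check > b.check ? 1 : 0));
    const status: Status = items.length === 0 || items.some((f) => f.status === "FAIL") ? "FAIL"
      : items.some((f) => f.status === "WARN") ? "WARN" : "PASS"; // no findings = no evidence = FAIL (assumed)
    categories[c] = { status, findings: items };
  }
  // Any FAIL fails the whole report; WARNs are carried in the output but do not fail it.
  const overall = CATEGORIES.some((c) => categories[c].status === "FAIL") ? "FAIL" : "PASS";
  return { standard: "CAS-001", overall, categories };
}
// Canonical serialization: sorted keys at every level, 2-space indent, trailing LF, no timestamps.
const sortKeys = (_k: string, v: unknown): unknown =>
  v !== null && typeof v === "object" && !Array.isArray(v)
    ? Object.keys(v).sort().reduce<Record<string, unknown>>((o, k) => {
        o[k] = (v as Record<string, unknown>)[k]; return o; }, {})
    : v;
function serializeReport(report: Report): string {
  return JSON.stringify(report, sortKeys, 2) + "\n";
}
function writeReport(report: Report, path = "dist/certification/CERTIFICATION.json"): void {
  mkdirSync(dirname(path), { recursive: true });
  writeFileSync(path, serializeReport(report));
}
// Constructed sample findings (not from a real audit run); most categories are left uncovered.
const SAMPLE: Finding[] = [
  { category: "observability", check: "trace-ids-present", status: "FAIL" },
  { category: "identity", check: "artifact-signed", status: "WARN" },
  { category: "secrets", check: "no-plaintext-secrets", status: "PASS", evidence: fingerprint("hunter2") },
];
```

A certify target would call `writeReport(buildReport(findings))`; comparing two runs' `CERTIFICATION.json` byte-for-byte is then a valid reproducibility check.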
See references/certification-and-audit.md for the normative specification.