
Add SOC2 critical vendor exit evidence gates#2273

Open
Errordog2 wants to merge 1 commit into UnitOneAI:main from Errordog2:codex/soc2-critical-vendor-exit

Conversation

@Errordog2


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: soc2-gap
Skill path: skills/compliance/soc2-gap/

What Was Wrong

The SOC 2 gap skill covered vendor inventories, risk assessments, SOC report collection, and DPAs/BAAs under CC9.2, but it did not require audit-ready evidence for critical vendor concentration risk or exit readiness.

That leaves a practical SOC 2 readiness gap: a company can collect annual SOC reports while still having a sole-source vendor dependency, no tested data export/restore path, no termination/deletion evidence, no subservice dependency monitoring, and no owner or risk acceptance for unresolved concentration risk.

Related review issue: #2239

What This PR Fixes

  • Bumps soc2-gap to 1.0.1.
  • Extends CC9.2 questions, evidence, and common gaps for:
    • critical vendor tiering
    • concentration analysis
    • exit and fallback procedures
    • portability/export/restore test evidence
    • termination and deletion evidence
    • subservice organization monitoring
    • owner, cadence, trigger events, expiry, and risk acceptance
  • Adds a dedicated CC9.2 Critical Vendor Concentration and Exit Evidence Gate with an evidence matrix.
  • Adds controlled example evidence for a critical cloud vendor.
  • Extends the CC9.2 evidence artifact reference.
  • Adds a Critical Vendor Exit Matrix deliverable to the main output format.
  • Adds roadmap and ongoing-review actions for critical vendor concentration and exit readiness.

Evidence

Before: CC9.2 could be scored primarily from vendor policy, questionnaires, SOC report review, inventory, and contract terms.

After: Critical vendors now require explicit evidence for dependency concentration, fallback/exit owner, tested export or restore, subservice review, and formal risk acceptance for unresolved concentration risk before the control is treated as fully managed.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

This compliance skill does not currently have a fixture/test directory; the change keeps scope to the existing SOC 2 guidance files.

Validation

  • git diff --check
  • Frontmatter required-field check matching .github/workflows/lint-skills.yml
  • index.yaml file-existence check matching .github/workflows/validate-index.yml
  • Markdown code fence balance check for changed files
  • Workflow-equivalent prompt-injection scan over skills/ and roles/
  • Marker check for version 1.0.1, Critical Vendor Exit Matrix, concentration analysis, portability test, subservice dependency monitoring, risk acceptance, and CC9.2 critical vendor gate text

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance

Fixes #2239
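The validation list above names four local checks (frontmatter required fields, index.yaml path existence, code fence balance, and a marker check for the new CC9.2 text). The following is an added example of how a contributor could script those checks before opening a PR like this one; it is not the repository's own lint workflow, and the required frontmatter keys, the index.yaml layout with `path:` entries, and the sample skill content are assumptions rather than anything taken from the project's files.

```python
"""Added example: local pre-submit checks for a markdown skill file.

Not the project's lint-skills.yml or validate-index.yml logic; the required
frontmatter keys and the index.yaml shape below are assumptions, and the
sample content is constructed for the example.
"""
import re

# Assumed required frontmatter keys; the real list lives in
# .github/workflows/lint-skills.yml and may differ.
REQUIRED_FRONTMATTER = ("name", "version", "description")

# Built this way so the fence string never appears literally in the source.
FENCE = "`" * 3


def parse_frontmatter(text):
    """Return (fields, body) for a '---' delimited block at the top of a file.

    Only simple 'key: value' lines are parsed; an unterminated block is
    treated as having no fields so the missing-field check fails loudly.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, text
    fields = {}
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return fields, "\n".join(lines[i + 1:])
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {}, text


def missing_frontmatter_fields(text, required=REQUIRED_FRONTMATTER):
    """List required keys that are absent or empty in the frontmatter."""
    fields, _ = parse_frontmatter(text)
    return [key for key in required if not fields.get(key)]


def fences_balanced(text):
    """True when every line that opens a code fence has a closing fence."""
    inside = False
    for line in text.splitlines():
        if line.strip().startswith(FENCE):
            inside = not inside
    return not inside


def missing_markers(text, markers):
    """List marker strings (version, section titles, phrases) not found."""
    return [marker for marker in markers if marker not in text]


def missing_index_paths(index_text, existing_paths):
    """Paths listed as 'path: ...' in index.yaml that are not present on disk.

    The 'path:' key is an assumption about the index layout; existing_paths
    is passed in so the check runs offline against a constructed file set.
    """
    listed = re.findall(r"^\s*(?:-\s*)?path:\s*(\S+)\s*$", index_text, flags=re.M)
    return [path for path in listed if path not in existing_paths]


def check_skill(text, markers, required=REQUIRED_FRONTMATTER):
    """Run the file-level checks; empty lists / False mean the check passed."""
    return {
        "missing_fields": missing_frontmatter_fields(text, required),
        "unbalanced_fences": not fences_balanced(text),
        "missing_markers": missing_markers(text, markers),
    }


# Constructed sample inputs (not the real skill file or index).
MARKERS = ("1.0.1", "Critical Vendor Exit Matrix",
           "concentration analysis", "risk acceptance")

SAMPLE_OK = "\n".join([
    "---", "name: soc2-gap", "version: 1.0.1",
    "description: SOC 2 readiness gap analysis", "---",
    "## CC9.2 Critical Vendor Concentration and Exit Evidence Gate",
    "Run a concentration analysis per critical vendor.",
    FENCE + "text", "Critical Vendor Exit Matrix", FENCE,
    "Unresolved concentration risk needs a documented risk acceptance.", "",
])

SAMPLE_BAD = "\n".join([
    "---", "name: soc2-gap",
    "description: SOC 2 readiness gap analysis", "---",
    "## CC9.2 Critical Vendor Concentration and Exit Evidence Gate",
    "Run a concentration analysis per critical vendor.",
    FENCE + "text", "Critical Vendor Exit Matrix", "",
])

SAMPLE_INDEX = "\n".join([
    "skills:",
    "  - name: soc2-gap",
    "    path: skills/compliance/soc2-gap/SKILL.md",
    "  - name: other",
    "    path: skills/other/missing/SKILL.md", "",
])

if __name__ == "__main__":
    print(check_skill(SAMPLE_OK, MARKERS))
    print(check_skill(SAMPLE_BAD, MARKERS))
    print(missing_index_paths(SAMPLE_INDEX, {"skills/compliance/soc2-gap/SKILL.md"}))
```

On the bad sample the script reports the missing `version` field, the unclosed fence, and the two markers that never appear (`1.0.1` and `risk acceptance`); the index check flags the second path as absent. Running something like this locally is cheaper than waiting for the workflows, but it is only a stand-in for them, so the real lint-skills.yml and validate-index.yml remain the source of truth.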


Development

Successfully merging this pull request may close these issues.

[REVIEW] soc2-gap: add critical vendor concentration and exit evidence gates
