1. Product 2. Agents 3. Governance 4. CloudOps 5. FinOps 6. Security

AI + Data + Cloud · Pillar 6

🔒

Security & Quality

Adoption & Scaling

6,298Real Tests

6,298 real tests. 104K lines of mock theater deleted. SOC2 + APRA CPS 234 alignment. Zero testing theater.

⚡ First SAST scan in <2 minutes via container

AI agents build governed & Humans ship trusted. 80% autonomy & 100% accountability.

Section Six (Ch.28-32)

The Keys to Unlock Adoption and Scaling

“For every $1 you spend on developing a digital solution, plan to spend at least another $1 (and sometimes more) to ensure full adoption and scaling. That additional $1 will go toward implementing process changes, user training, change management initiatives.”

Chapter 31: Managing risk and building digital trust. Beware of the new risks introduced by your digital and AI transformation into areas such as cybersecurity, data privacy, and AI biases. ADLC addresses this through deterministic hook enforcement, APRA CPS 234 + SOC2 alignment, supply chain SBOM, and the Testing Theater anti-pattern elimination.

Platform Evolution

AI vulnerability detection improves with model updates. NemoClaw kernel-level sandboxing adds hardware-enforced boundaries. Anti-pattern catalog grows with each incident.

Security & Quality Golden Path

Each phase answers: Who does it, Why it matters, What if you skip it

1Scan

Static analysis, container scanning, secret detection — shift-left

/security:sast

Who: devops-security-engineer scans, security-compliance-engineer reviews findings

Why: Shift-left: 10x cheaper to fix in dev than prod. Zero critical/high vulnerabilities before merge.

Skip? Vulnerabilities ship to production, post-deployment remediation costs 10x more, audit findings

→ SAST report + container scan + secret detection results

2Test

3-tier testing with real APIs — battle tests, not mock theater

/cloudops:theater-check + /cloudops:theater-audit

Who: qa-engineer validates test quality, HITL reviews coverage report

Why: DRYRUN_OVER_READONLY prevented — real API validation with READONLY profiles. 6,298 real tests, 104K lines of mock theater deleted.

Skip? TESTING_THEATER — inflated pass rates, mocks without assertions, production surprises despite green CI

→ Theater score (0-100) + orphan count + mock density + coverage gate status

3Comply

SOC2, APRA CPS 234, ISO 27001 evidence generation and posture check

/aws:security-posture + /security:cert-inventory

Who: security-compliance-engineer gates compliance, HITL reviews evidence package

Why: Regulatory risk caught at design time. Audit evidence auto-generated, not assembled manually over weeks.

Skip? Compliance surprises during quarterly audit, manual evidence collection taking weeks, failed certifications

→ Security Hub findings ranked by severity + cert expiry dashboard + SOC2 mapping

4Harden

Supply chain SBOM, Docker registry enforcement, signed images

/devcontainer:validate-registry

Who: devops-security-engineer hardens supply chain, hooks enforce deterministically

Why: SLSA Level 2+ provenance. Chainguard Wolfi base images are sigstore-signed. Only nnthanh101/* registries allowed.

Skip? Unsigned images in production, dependency confusion attacks, supply chain compromise

→ Registry compliance score + SBOM generated + Trivy clean

5Sustain

Anti-pattern catalog grows, testing theater audits, quality ratchet

/speckit.retrospective + /metrics:sprint-review

Who: developer-experience-engineer extracts patterns from incidents, HITL decides framework improvements

Why: Each anti-pattern cost real sessions to discover. The catalog (64 patterns) prevents repeat failures across all projects.

Skip? Same security mistakes repeated, testing theater creeps back, quality degrades over time

→ Updated anti-pattern catalog + quality metrics + improvement actions

Start Here

Spec-Driven workflow and product skills — copy/paste to start

Security Engineer

You need shift-left security for your CI/CD pipeline. Container + code scanning.

1./security:sast

2./devcontainer:validate-registry

3./aws:security-posture

⚡ First SAST scan in <2 minutes

QA Lead

You manage test quality across the team. Zero testing theater tolerance.

1./cloudops:theater-check

2./cloudops:theater-audit

3./metrics:sprint-review

⚡ Testing theater score in <5 minutes

Compliance Officer

You need audit evidence for SOC2, APRA CPS 234, ISO 27001. Auto-generated.

1./aws:security-posture

2./security:cert-inventory

3.bash scripts/governance-score.sh

⚡ Audit evidence package in 1 hour

Component Map

9 components implementing this pillar

Type	Name	Why	Business Value
Agent	`security-compliance-engineer (opus)`	SOC2, APRA CPS 234, ISO 27001, PCI-DSS compliance gating	Regulatory risk caught at design — not after audit
Agent	`qa-engineer (sonnet)`	3-tier test strategy: snapshot / LocalStack / AWS live	90-100% bug detection before production deployment
Agent	`devops-security-engineer (sonnet)`	CI/CD supply chain hardening, SBOM, Trivy scanning	SLSA Level 2+ provenance on every release
Command	`/security:sast`	SAST + container scanning via nnthanh101/terraform:slim	Zero critical/high vulnerabilities before merge
Skill	`testing/3-mode-validation`	Playwright + AWS MCP combined accuracy gate (>=97%)	Two independent sources — SELF_COMPARISON_VALIDATION prevented
Skill	`testing/battle-conftest`	L1 (--help) / L3 (real READONLY) battle test tiers	DRYRUN_OVER_READONLY prevented — real API validation
Skill	`bdd/feature-coverage`	BDD scenarios with pytest-bdd step definitions	Business language tests that non-engineers can read
Hook	`detect-testing-theater.sh`	Block mocks without assertions, coverage omit expansion	6,298 real tests — 104K lines of mock theater deleted
Hook	`detect-hardcoded-env-data.sh`	Block AWS account IDs, org IDs in product docs	HARDCODED_ENV_IN_PRODUCT_DOCS eliminated from git history

Risk & Scalability

What happens without this pillar, and why ADLC scales from 1 person to enterprise

What if you skip?

Industry research: for every $1 you spend on developing a digital solution, plan to spend at least another $1 (and sometimes more) to ensure full adoption and scaling. Beware of the new risks introduced by digital and AI transformation into areas such as cybersecurity, data privacy, and AI biases. Without security and quality gates, adoption fails because users don’t trust the system.

Scalability

Testing theater detection and supply chain enforcement are automated via hooks. Coverage gates are honest (fail_under measured, not estimated). The quality bar is the same whether shipping a PyPI package or deploying to production AWS accounts.