compliant-logging
Install: claude install-skill Throughproof/throughproof
# Compliant logging (control keys `log.audit` / `hygiene.no-secrets`) — authoring-time guidance
> Scope: this skill helps you *implement* the audit-logging and log-hygiene controls in code.
> It does **not** make a system "compliant" — certification is the auditor's call. It makes the
> code satisfy the technical control and produces machine-detectable evidence of that.
>
> **Framework-neutral by design.** Code emits a stable Throughproof *control key*
> (`log.audit`), not a framework id. The crosswalk (`compliance/control-keys.yaml` +
> `compliance/frameworks/*.yaml`) resolves that key to every framework at once — SOC 2 `CC7.2`,
> ISO 27001 `A.8.15`, PCI-DSS v4 `Req 10.2`, HIPAA `164.312(b)`. Write the event once; it counts as
> evidence for all of them.
> Legacy events that still emit `control: "CC7.2"` keep working — the verifier aliases them to
> `log.audit`.
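The framework-neutral event shape and the crosswalk lookup described above, as an added example that is not Throughproof's own code: an emitter tags each audit event with the stable control key, redacts secret-bearing fields so the record also satisfies `hygiene.no-secrets`, and a small verifier resolves the key to every framework id at once, aliasing a legacy `control: "CC7.2"` back to `log.audit`. The in-memory `CROSSWALK` dict, the `SECRET_FIELDS` list, the record field names and all function names are assumptions standing in for the project's `compliance/control-keys.yaml` and `compliance/frameworks/*.yaml`.

```python
"""Added example, not the project's code. Emits control-keyed audit events and
verifies them against a crosswalk that mirrors the page's mapping."""
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for compliance/control-keys.yaml + compliance/frameworks/*.yaml.
# Only the four ids quoted on the page are included; the file layout is assumed.
CROSSWALK = {
    "log.audit": {
        "soc2": "CC7.2",
        "iso27001": "A.8.15",
        "pci_dss_v4": "Req 10.2",
        "hipaa": "164.312(b)",
    },
}

# Reverse index: legacy framework id -> control key (how "CC7.2" is aliased to log.audit).
LEGACY_ALIASES = {fid: key for key, fw in CROSSWALK.items() for fid in fw.values()}

# Assumed field names that must never reach a log line (hygiene.no-secrets).
SECRET_FIELDS = {"password", "token", "api_key", "secret", "authorization"}
# Assumed value pattern: bearer credentials embedded in otherwise harmless fields.
SECRET_VALUE_RE = re.compile(r"(?i)\bbearer\s+\S+")
REDACTED = "[REDACTED]"


def redact(details: dict) -> dict:
    """Copy of details with secret fields and bearer-like values replaced by a marker."""
    out = {}
    for k, v in details.items():
        if k.lower() in SECRET_FIELDS or (isinstance(v, str) and SECRET_VALUE_RE.search(v)):
            out[k] = REDACTED
        else:
            out[k] = v
    return out


def audit_event(action, actor, target, outcome, details=None, control="log.audit"):
    """Build one structured audit record: who did what to which target, when, with what result."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "control": control,          # stable control key, not a framework id
        "action": action,            # e.g. "user.delete" for a sensitive-data mutation
        "actor": actor,
        "target": target,
        "outcome": outcome,          # "success" / "failure"; failed attempts are events too
        "details": redact(details or {}),
    }


def to_line(event: dict) -> str:
    """Serialise one event as a single JSON log line."""
    return json.dumps(event, separators=(",", ":"), sort_keys=True)


def resolve_control(control: str):
    """Map an event's control field to (canonical key, {framework: id}); aliases legacy ids."""
    key = control if control in CROSSWALK else LEGACY_ALIASES.get(control)
    if key is None:
        raise ValueError(f"unknown control {control!r}")
    return key, CROSSWALK[key]


def verify_line(line: str):
    """Verifier side: parse a log line, resolve its control, and check log hygiene.

    Returns (control_key, frameworks, hygiene_ok). hygiene_ok is False when a secret
    field survived unredacted or a bearer-like value leaked into any detail.
    """
    event = json.loads(line)
    key, frameworks = resolve_control(event["control"])
    hygiene_ok = True
    for k, v in event.get("details", {}).items():
        if k.lower() in SECRET_FIELDS and v != REDACTED:
            hygiene_ok = False
        if isinstance(v, str) and SECRET_VALUE_RE.search(v):
            hygiene_ok = False
    return key, frameworks, hygiene_ok


if __name__ == "__main__":
    # Constructed sample: a record deletion, with an api_key that must not be logged.
    ev = audit_event("user.delete", "admin@example.test", "user:42", "success",
                     {"reason": "account closure", "api_key": "sk-not-a-real-key"})
    print(to_line(ev))
    print(verify_line(to_line(ev)))
    print(resolve_control("CC7.2"))  # legacy id still resolves to log.audit
```

Because the event carries `log.audit` rather than a framework id, the same line is evidence for every framework in the crosswalk; adding a fifth framework is a crosswalk edit, not a code change.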
## When this applies
Apply this skill whenever the code under edit performs a **sensitive action**:
- **AuthN / AuthZ**: login, logout, failed login, password/MFA change, token issue/revoke, role or
permission change, impersonation, SSO/account link.
- **Sensitive data mutation**: create / update / **delete** of records containing personal,
financial, health, or credential data (users, payments, PHI, API keys, billing).
- **Access to sensitive data**: bulk read / **export** / download of the above.
- **Privileged / admin operations**: config changes, feature-flag overrides, data migrations,
destructive jobs