Add SOC 2 subservice and CUEC evidence gates

[ASUKAAAAA1204]

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: soc2-gap
Skill path: skills/compliance/soc2-gap/

What Was Wrong

The skill asked reviewers to collect and review vendor SOC 2 reports, but it did not require the SOC 2 scoping mechanics that make those reports audit-useful. A readiness packet could look green while critical providers had no subservice method, no CUEC/CSOC mapping, and no report-period coverage for the observation period.

Specific gaps from #1124:

• Critical providers were not classified as vendors, carved-out subservice organizations, or included subservice organizations.
• Vendor SOC 2 CUECs/CSOCs were not required to be extracted and mapped to internal control owners, frequencies, and evidence artifacts.
• Vendor report periods, bridge letters, opinions, exceptions, relevant criteria, and nested subservice carve-outs were not part of CC9.2 evidence expectations.

What This PR Fixes

Refs #1124.

This PR updates the SOC 2 readiness workflow to add:

• A Subservice Organization Scope Matrix in the main scope step.
• Readiness calibration that marks vendor-management readiness provisional when subservice method, CUEC/CSOC mapping, or report-period coverage is missing.
• CC9.2 questions for provider classification, CUEC/CSOC extraction, report-period coverage, bridge letters, opinions, exceptions, criteria coverage, and nested subservice carve-outs.
• CC9.2 evidence requirements for subservice scope matrix, complementary-control worksheet, bridge letters/current assurance alternatives, and residual-risk notes.
• CC9.2 common gaps for vendor SOC 2 PDFs without subservice treatment, unmapped CUECs/CSOCs, report-period gaps, and cloud shared-responsibility assumptions.
• Output deliverables for the subservice matrix and CUEC/CSOC mapping worksheet.
• Evidence artifact mapping updates for CC9.2.

Evidence

Before (skill misses this / false positive on this):

vendors:
  - name: AWS
    soc2_report_collected: true
    report_period: "2025-01-01 to 2025-12-31"
    subservice_method: "not documented"
    complementary_subservice_controls: []
    cuecs_mapped_to_internal_controls: false
controls:
  cc9_2_vendor_reviews: "Vendor SOC 2 reports collected annually"

The prior workflow could score vendor management as substantially complete because the vendor report existed.

After (now correctly handled):

The reviewer must classify each critical provider as vendor, carved-out
subservice, or included subservice; verify report-period coverage or bridge
letters; extract CUECs/CSOCs; map each complementary control to an internal owner,
frequency, and evidence artifact; and mark readiness provisional/incomplete when
those pieces are missing.

Test Cases Added/Updated

• Added inline evidence gates, matrix fields, and explicit gap conditions in SKILL.md and tsc-criteria.md.
• Existing documentation structure still validates.
• Did not add a separate tests/ directory because this skill currently uses Markdown guidance files.

Validation

• git diff --check -> no whitespace errors; Windows Git emitted only the existing LF/CRLF warning.
• Marker grep confirmed Subservice Organization Scope Matrix, CUEC, CSOC, bridge letter, carved-out, included subservice, report period coverage, and provisional are present.
• Markdown fence balance check -> SKILL.md fence_count=2, tsc-criteria.md fence_count=2, both even.
• Frontmatter smoke check confirmed name, version, allowed-tools, and injection-hardened remain present.
• git diff --stat -> two files changed, 35 insertions, 3 deletions.

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: Crypto; details can be provided privately after maintainer acceptance.