Compliance Trestle Engineering

Compliance Trestle Engineering

Use this skill when an agent needs to operate a Compliance Trestle workspace, import or validate OSCAL models, assemble markdown, regenerate OSCAL, or turn legacy SSP content into a traceable Trestle-managed workflow.

Non-negotiable guardrails

• Preserve source traceability for every generated OSCAL field that came from a legacy PDF, DOCX, Markdown, TXT file, interview note, spreadsheet, ticket, or evidence package.
• Never invent control mappings. If the source does not clearly support a mapping, set status to needs_review and explain the uncertainty.
• Schema-valid OSCAL is not a statement of compliance effectiveness.
• Keep reviewer-owned decisions in review queues or traceability maps, not hidden in generated prose.
• Prefer small, reversible Trestle operations over large opaque rewrites.

Standard workflow

1. Initialize or inspect the workspace.
   • trestle init
   • trestle version
   • find . -maxdepth 3 -type d | sort
2. Import or create OSCAL artifacts.
   • catalogs under catalogs/
   • profiles under profiles/
   • component definitions under component-definitions/
   • SSPs under system-security-plans/
3. Resolve the applicable profile before writing control implementations.
4. Author or update markdown with source references.
5. Assemble markdown back into OSCAL.
6. Validate with Compliance Trestle and any available OSCAL validator.
7. Generate review outputs for needs_review, unmapped, or low-confidence items.

Typical commands

Use the wrapper when you want consistent reports:

bash scripts/trestle-workflow.sh init workspaces/acme/trestle-workspace
bash scripts/trestle-workflow.sh validate workspaces/acme/trestle-workspace
bash scripts/trestle-workflow.sh assemble workspaces/acme/trestle-workspace system-security-plans/acme-ssp
bash scripts/trestle-workflow.sh status workspaces/acme/trestle-workspace

Use raw Trestle when the reviewer needs exact CLI control:

trestle init
trestle validate -a
trestle author ssp-generate -n acme-ssp -p profiles/fedramp-moderate/profile.json
trestle author ssp-assemble -m markdown/system-security-plans/acme-ssp -o system-security-plans/acme-ssp.json

Output expectations

Every Trestle-backed document import should leave behind:

• source-map.csv with source IDs, target OSCAL fields, status, and notes.
• reports/import-summary.md explaining source counts and known gaps.
• reports/review-queue.md for needs_review and unmapped items.
• validation output from trestle validate or a documented skipped/missing-tool status.

See:

• references/trestle-workspace-lifecycle.md
• references/trestle-oscal-operations.md
• templates/trestle-workflow-checklist.md
• templates/trestle-command-log.md