Skill/security and governance/expand security skills #1

Merged
biplav-crl merged 8 commits into main from skill/security-and-governance/expand-security-skills
Mar 9, 2026

@biplav-crl
Contributor

What does this PR do?

Related Issue

Closes #

Type of Change

  • New skill
  • Skill update/improvement
  • Documentation update
  • Infrastructure/tooling change
  • Bug fix

Skill Compliance Checklist

  • SKILL.md includes required frontmatter fields (name, description)
  • Skill name follows naming conventions (lowercase, hyphens, gerund form preferred)
  • Skill name matches directory name exactly
  • Description is specific and includes "when to use" trigger keywords
  • Description is max 1024 characters
  • Skill is under 500 lines (or uses references/ for detailed content)
  • References official CockroachDB documentation (not duplicate content)
  • Includes safety guardrails for risky operations (if applicable)
  • Tested with at least one AI agent (manual validation)
  • No time-sensitive information (version numbers, dates, "currently")
  • Directory structure follows specification (only scripts/, references/, assets/ subdirs)
  • No reserved words in skill name ("anthropic", "claude")
  • Local validation passes: python scripts/validate-spec.py skills/

Documentation Updates

  • README.md
  • CONTRIBUTING.md
  • Skill SKILL.md files
  • Other (specify):

Testing

Manual testing:

  • Tested with AI agent (specify which one):
  • Verified skill is discoverable with appropriate prompts
  • Validated technical accuracy against CockroachDB docs
  • Tested any scripts or commands included in the skill

Automated testing:

  • Local validation script passes: python scripts/validate-spec.py skills/
  • CI validation will run automatically on this PR

Additional Context

Reviewer Notes

biplav-crl and others added 8 commits February 23, 2026 20:07
Adds 7 skills to the security-and-governance domain:

- auditing-cloud-cluster-security: Full security posture audit across
  network, auth, authorization, encryption, audit logging, and backups
- configuring-ip-allowlists: Harden IP allowlists, remove 0.0.0.0/0
- enabling-cmek-encryption: Enable CMEK via cloud provider KMS
- configuring-audit-logging: SQL audit logging and role-based policies
- hardening-user-privileges: RBAC tightening, reduce admin grants
- enforcing-password-policies: Password length, hash cost, throttling
- configuring-sso-and-scim: Console SSO, Cluster SSO, SCIM, auto-provisioning

The audit skill produces a PASS/WARN/FAIL report and links each finding
to the corresponding remediation sub-skill. Each remediation skill is
independently invocable and includes rollback steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Based on Zendesk ticket analysis (~22K tickets), adds skills for the
top security gaps and expands coverage on existing skills:

New skills:
- managing-tls-certificates (P0, ~1009 tickets): CA certs, client cert
  auth, rotation, TLS troubleshooting, mTLS for CDC
- configuring-private-connectivity (P1, ~309 tickets): PrivateLink,
  Private Service Connect, Azure Private Link, egress endpoints, VPC peering
- configuring-log-export (P2, ~68 tickets): CloudWatch, GCP Cloud
  Logging, Datadog metric export, Terraform setup
- preparing-compliance-documentation (P3, ~100 tickets): SOC 2, PCI DSS,
  ISO 27001, HIPAA, GDPR control mapping and readiness checklists

Enhanced skills:
- enforcing-password-policies: password change/rotation, Cloud Console
  vs SQL passwords, troubleshooting (bcrypt errors, auth failures)
- configuring-sso-and-scim: troubleshooting (SSO lockout, JWT errors,
  OIDC regex, Azure AD/Entra ID), SSO+roles interaction
- configuring-ip-allowlists: allowlist entry limits, when to use
  private endpoints instead

Updated auditing-cloud-cluster-security remediation table with all new skills.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Restructure the skill with three decision points (Cloud Console SSO
protocol, SCIM enablement, database SSO method) so the agent gathers
user preferences before proceeding. Split Cloud Console SSO into
separate SAML and OIDC paths, and split Database SSO into OIDC (JWT)
and LDAP/AD options. Add LDAP/AD authentication coverage including
HBA configuration, LDAPS, group-to-role mapping (v24.3+),
troubleshooting, safety notes, and rollback steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Guide the agent to ask about the user's environment (cloud provider,
deployment model, connectivity type) before walking through steps,
matching the pattern established in configuring-sso-and-scim.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Expands the audit skill to support both CockroachDB Cloud and self-hosted
clusters. Adds a context confirmation step (deployment model, environment,
compliance frameworks, data sensitivity) that calibrates which checks run
and how findings are scored. Includes check applicability table, severity
adjustments by environment, compliance override rules, and self-hosted
paths for network (HBA), encryption (Enterprise Encryption, TLS certs),
cryptographic posture (TLS 1.3, PQC, key size), and backup checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add deployment-aware prerequisites tables (tools + credentials by
Cloud vs Self-hosted), a Step 0 that verifies tool availability before
the audit begins (degrading checks gracefully rather than blocking),
and fix the cryptographic posture commands to use -starttls postgres
for correct PostgreSQL wire protocol negotiation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Validated all security-and-governance skills against CockroachDB Cloud
Standard (v25.4.5) and Advanced (v26.1.0) clusters. Fixes:

1. Replace `is_role` column with `options` array in SHOW USERS queries
2. Remove nonexistent `server.tls.min_version` cluster setting
3. Remove `enterprise.encryption.type` from Cloud sections (self-hosted only)
4. Fix IP allowlist CLI syntax: CIDR is a positional arg, not --cidr-address
5. Replace nonexistent ccloud networking subcommands (private-endpoint-*,
   egress-endpoint) with Cloud API, Console, and Terraform alternatives

Also fixes 4 broken cockroachlabs.com documentation URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Restructures the skill to clearly separate Cloud Console SSO, DB Console
SSO (OIDC), SQL/Cluster SSO (JWT), and LDAP/AD authentication as distinct
layers. Adds comprehensive LDAP/AD section with HBA configuration, group-
to-role mapping, LDAPS setup, and lockout safety guidance. Expands
troubleshooting, rollback procedures, and IdP-specific reference steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
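
The `-starttls postgres` fix noted in the commits above follows from how the PostgreSQL wire protocol upgrades to TLS: the client sends an 8-byte SSLRequest and waits for a one-byte answer before any TLS handshake starts. The Python sketch below is an added example, not code from this PR or the skills repository; the fake server, the function names and the sample bytes are constructed for illustration.

```python
import socket
import struct
import threading

SSL_REQUEST_CODE = 80877103  # protocol constant: (1234 << 16) | 5679

def build_ssl_request() -> bytes:
    """SSLRequest: Int32 length (always 8) followed by Int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)

def startup_length_seen_by_server(first4: bytes) -> int:
    """How a pgwire server reads the first 4 bytes it receives: as a length.
    A bare TLS ClientHello (what s_client sends without -starttls) starts
    16 03 01 ..., which decodes to an absurd message length."""
    return struct.unpack("!I", first4)[0]

def negotiate(sock: socket.socket) -> str:
    """Send SSLRequest and classify the one-byte reply."""
    sock.sendall(build_ssl_request())
    reply = sock.recv(1)
    if reply == b"S":
        return "tls-ready"      # start the TLS handshake on this socket now
    if reply == b"N":
        return "tls-refused"    # server offers plaintext only: audit finding
    return "not-postgres"       # connection closed or another protocol

def fake_server(sock: socket.socket, answer: bytes) -> None:
    """Constructed stand-in for a server; answers only a valid SSLRequest."""
    data = sock.recv(8)
    if data == build_ssl_request() and answer:
        sock.sendall(answer)
    sock.close()

def probe_with(answer: bytes) -> str:
    """Run negotiate() against the constructed server over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server, answer))
    worker.start()
    try:
        return negotiate(client)
    finally:
        worker.join()
        client.close()

if __name__ == "__main__":
    print(build_ssl_request().hex())
    print(probe_with(b"S"), probe_with(b"N"), probe_with(b""))
    print(startup_length_seen_by_server(bytes.fromhex("16030100")))
```

Only after the `S` reply does a cipher or protocol-version check against the socket measure the database's TLS configuration rather than a protocol mismatch.
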
@biplav-crl merged commit ad36311 into main Mar 9, 2026
1 check passed
@biplav-crl deleted the skill/security-and-governance/expand-security-skills branch March 9, 2026 14:38
biplav-crl added a commit that referenced this pull request Mar 9, 2026
…e/expand-security-skills

Skill/security and governance/expand security skills