@grainulation/silo 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CODE_OF_CONDUCT.md +25 -0
- package/CONTRIBUTING.md +103 -0
- package/README.md +67 -59
- package/bin/silo.js +212 -86
- package/lib/analytics.js +26 -11
- package/lib/confluence.js +343 -0
- package/lib/graph.js +414 -0
- package/lib/import-export.js +29 -24
- package/lib/index.js +15 -9
- package/lib/packs.js +60 -36
- package/lib/search.js +24 -16
- package/lib/serve-mcp.js +391 -95
- package/lib/server.js +205 -110
- package/lib/store.js +34 -18
- package/lib/templates.js +28 -17
- package/package.json +7 -3
- package/packs/adr.json +219 -0
- package/packs/api-design.json +67 -14
- package/packs/architecture-decision.json +152 -0
- package/packs/architecture.json +45 -9
- package/packs/ci-cd.json +51 -11
- package/packs/compliance.json +70 -14
- package/packs/data-engineering.json +57 -12
- package/packs/frontend.json +56 -12
- package/packs/hackathon-best-ai.json +179 -0
- package/packs/hackathon-business-impact.json +180 -0
- package/packs/hackathon-innovation.json +210 -0
- package/packs/hackathon-most-innovative.json +179 -0
- package/packs/hackathon-most-rigorous.json +179 -0
- package/packs/hackathon-sprint-boost.json +173 -0
- package/packs/incident-postmortem.json +219 -0
- package/packs/migration.json +45 -9
- package/packs/observability.json +57 -12
- package/packs/security.json +61 -13
- package/packs/team-process.json +64 -13
- package/packs/testing.json +20 -4
- package/packs/vendor-eval.json +219 -0
- package/packs/vendor-evaluation.json +148 -0
package/packs/security.json
CHANGED
|
@@ -8,7 +8,11 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "SQL injection prevention",
|
|
10
10
|
"content": "All database queries must use parameterized statements or prepared queries. String concatenation for SQL is never acceptable, even for internal tools. ORMs provide this by default but raw queries must be audited. OWASP ranks injection as A03:2021.",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "best-practice",
|
|
13
|
+
"artifact": null,
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "documented",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
@@ -22,7 +26,11 @@
|
|
|
22
26
|
"type": "constraint",
|
|
23
27
|
"topic": "secrets never in source control",
|
|
24
28
|
"content": "Secrets (API keys, database credentials, signing keys) must never appear in source control, including in commit history. Use environment variables, secret managers (Vault, AWS Secrets Manager, 1Password CLI), or encrypted .env files with .gitignore. Rotate any secret that has ever been committed.",
|
|
25
|
-
"source": {
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "best-practice",
|
|
31
|
+
"artifact": null,
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
26
34
|
"evidence": "documented",
|
|
27
35
|
"status": "active",
|
|
28
36
|
"phase_added": "define",
|
|
@@ -36,7 +44,11 @@
|
|
|
36
44
|
"type": "recommendation",
|
|
37
45
|
"topic": "JWT access token lifetime",
|
|
38
46
|
"content": "JWT access tokens should have a lifetime of 5-15 minutes. Refresh tokens should be opaque (not JWT), stored server-side, rotated on each use, and have a maximum lifetime of 7-30 days. Never store JWTs in localStorage; use httpOnly secure cookies or in-memory storage.",
|
|
39
|
-
"source": {
|
|
47
|
+
"source": {
|
|
48
|
+
"origin": "best-practice",
|
|
49
|
+
"artifact": null,
|
|
50
|
+
"connector": null
|
|
51
|
+
},
|
|
40
52
|
"evidence": "documented",
|
|
41
53
|
"status": "active",
|
|
42
54
|
"phase_added": "define",
|
|
@@ -50,7 +62,11 @@
|
|
|
50
62
|
"type": "risk",
|
|
51
63
|
"topic": "dependency supply chain attacks",
|
|
52
64
|
"content": "npm, PyPI, and other registries are vectors for supply chain attacks (typosquatting, maintainer account takeover, malicious postinstall scripts). Pin exact dependency versions, use lockfiles, audit with npm audit / pip-audit, and consider running install with --ignore-scripts in CI.",
|
|
53
|
-
"source": {
|
|
65
|
+
"source": {
|
|
66
|
+
"origin": "best-practice",
|
|
67
|
+
"artifact": null,
|
|
68
|
+
"connector": null
|
|
69
|
+
},
|
|
54
70
|
"evidence": "production",
|
|
55
71
|
"status": "active",
|
|
56
72
|
"phase_added": "define",
|
|
@@ -64,7 +80,11 @@
|
|
|
64
80
|
"type": "factual",
|
|
65
81
|
"topic": "bcrypt cost factor",
|
|
66
82
|
"content": "bcrypt with a cost factor of 10 takes approximately 100ms to hash on modern hardware. Increase to 12 (roughly 400ms) for high-security contexts. Argon2id is the current OWASP recommendation for new projects, with minimum parameters: 19 MiB memory, 2 iterations, 1 parallelism.",
|
|
67
|
-
"source": {
|
|
83
|
+
"source": {
|
|
84
|
+
"origin": "best-practice",
|
|
85
|
+
"artifact": null,
|
|
86
|
+
"connector": null
|
|
87
|
+
},
|
|
68
88
|
"evidence": "documented",
|
|
69
89
|
"status": "active",
|
|
70
90
|
"phase_added": "define",
|
|
@@ -78,7 +98,11 @@
|
|
|
78
98
|
"type": "constraint",
|
|
79
99
|
"topic": "CORS allowlist",
|
|
80
100
|
"content": "CORS Access-Control-Allow-Origin must never be set to * for authenticated endpoints. Maintain an explicit allowlist of permitted origins. Reflect the Origin header only if it matches the allowlist. Misconfigured CORS is OWASP A01:2021 (Broken Access Control).",
|
|
81
|
-
"source": {
|
|
101
|
+
"source": {
|
|
102
|
+
"origin": "best-practice",
|
|
103
|
+
"artifact": null,
|
|
104
|
+
"connector": null
|
|
105
|
+
},
|
|
82
106
|
"evidence": "documented",
|
|
83
107
|
"status": "active",
|
|
84
108
|
"phase_added": "define",
|
|
@@ -92,7 +116,11 @@
|
|
|
92
116
|
"type": "recommendation",
|
|
93
117
|
"topic": "CSP header configuration",
|
|
94
118
|
"content": "Content-Security-Policy should start strict and loosen as needed: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'. Avoid 'unsafe-inline' and 'unsafe-eval'. Use nonces for inline scripts if unavoidable. Report violations with report-uri or report-to.",
|
|
95
|
-
"source": {
|
|
119
|
+
"source": {
|
|
120
|
+
"origin": "best-practice",
|
|
121
|
+
"artifact": null,
|
|
122
|
+
"connector": null
|
|
123
|
+
},
|
|
96
124
|
"evidence": "documented",
|
|
97
125
|
"status": "active",
|
|
98
126
|
"phase_added": "define",
|
|
@@ -106,7 +134,11 @@
|
|
|
106
134
|
"type": "risk",
|
|
107
135
|
"topic": "SSRF in internal services",
|
|
108
136
|
"content": "Server-Side Request Forgery (SSRF) allows attackers to make requests from your server to internal networks, cloud metadata endpoints (169.254.169.254), or localhost services. Validate and allowlist all URLs that originate from user input. Block requests to private IP ranges and link-local addresses.",
|
|
109
|
-
"source": {
|
|
137
|
+
"source": {
|
|
138
|
+
"origin": "best-practice",
|
|
139
|
+
"artifact": null,
|
|
140
|
+
"connector": null
|
|
141
|
+
},
|
|
110
142
|
"evidence": "production",
|
|
111
143
|
"status": "active",
|
|
112
144
|
"phase_added": "define",
|
|
@@ -120,7 +152,11 @@
|
|
|
120
152
|
"type": "recommendation",
|
|
121
153
|
"topic": "rate limiting auth endpoints",
|
|
122
154
|
"content": "Login endpoints must be rate-limited to no more than 10 attempts per IP per minute and 5 attempts per account per minute. After 5 consecutive failures for an account, enforce exponential backoff or temporary lockout (15-30 minutes). Log all failed attempts with IP and timestamp for anomaly detection.",
|
|
123
|
-
"source": {
|
|
155
|
+
"source": {
|
|
156
|
+
"origin": "best-practice",
|
|
157
|
+
"artifact": null,
|
|
158
|
+
"connector": null
|
|
159
|
+
},
|
|
124
160
|
"evidence": "documented",
|
|
125
161
|
"status": "active",
|
|
126
162
|
"phase_added": "define",
|
|
@@ -134,7 +170,11 @@
|
|
|
134
170
|
"type": "factual",
|
|
135
171
|
"topic": "HTTPS and HSTS requirements",
|
|
136
172
|
"content": "All production traffic must use TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated (RFC 8996). Set Strict-Transport-Security header with max-age of at least 31536000 (1 year) and includeSubDomains. Submit to the HSTS preload list for public-facing domains.",
|
|
137
|
-
"source": {
|
|
173
|
+
"source": {
|
|
174
|
+
"origin": "best-practice",
|
|
175
|
+
"artifact": null,
|
|
176
|
+
"connector": null
|
|
177
|
+
},
|
|
138
178
|
"evidence": "documented",
|
|
139
179
|
"status": "active",
|
|
140
180
|
"phase_added": "define",
|
|
@@ -148,7 +188,11 @@
|
|
|
148
188
|
"type": "risk",
|
|
149
189
|
"topic": "insecure deserialization",
|
|
150
190
|
"content": "Never deserialize untrusted data with language-native serialization (Java ObjectInputStream, Python pickle, PHP unserialize). These allow arbitrary code execution. Use JSON or Protocol Buffers with schema validation instead. OWASP A08:2021 (Software and Data Integrity Failures).",
|
|
151
|
-
"source": {
|
|
191
|
+
"source": {
|
|
192
|
+
"origin": "best-practice",
|
|
193
|
+
"artifact": null,
|
|
194
|
+
"connector": null
|
|
195
|
+
},
|
|
152
196
|
"evidence": "documented",
|
|
153
197
|
"status": "active",
|
|
154
198
|
"phase_added": "define",
|
|
@@ -162,7 +206,11 @@
|
|
|
162
206
|
"type": "recommendation",
|
|
163
207
|
"topic": "least privilege for service accounts",
|
|
164
208
|
"content": "Service accounts and IAM roles must follow least privilege: grant only the specific actions on the specific resources needed. Audit permissions quarterly. AWS policies should never use Resource: * with Action: *. Use IAM Access Analyzer to identify unused permissions.",
|
|
165
|
-
"source": {
|
|
209
|
+
"source": {
|
|
210
|
+
"origin": "best-practice",
|
|
211
|
+
"artifact": null,
|
|
212
|
+
"connector": null
|
|
213
|
+
},
|
|
166
214
|
"evidence": "documented",
|
|
167
215
|
"status": "active",
|
|
168
216
|
"phase_added": "define",
|
|
@@ -172,4 +220,4 @@
|
|
|
172
220
|
"tags": ["security", "iam", "least-privilege", "cloud"]
|
|
173
221
|
}
|
|
174
222
|
]
|
|
175
|
-
}
|
|
223
|
+
}
|
package/packs/team-process.json
CHANGED
|
@@ -8,14 +8,23 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "code review turnaround time",
|
|
10
10
|
"content": "Code reviews should receive first-pass feedback within 4 business hours. Reviews taking longer than 24 hours are the top-cited blocker for developer productivity (Google Developer Survey 2023). Set team norms: reviews under 400 lines get same-day response, larger PRs should be split or paired on.",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "best-practice",
|
|
13
|
+
"artifact": null,
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "documented",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
15
19
|
"timestamp": "2025-01-01T00:00:00.000Z",
|
|
16
20
|
"conflicts_with": [],
|
|
17
21
|
"resolved_by": null,
|
|
18
|
-
"tags": [
|
|
22
|
+
"tags": [
|
|
23
|
+
"team-process",
|
|
24
|
+
"code-review",
|
|
25
|
+
"developer-experience",
|
|
26
|
+
"productivity"
|
|
27
|
+
]
|
|
19
28
|
},
|
|
20
29
|
{
|
|
21
30
|
"id": "team-002",
|
|
@@ -36,7 +45,11 @@
|
|
|
36
45
|
"type": "recommendation",
|
|
37
46
|
"topic": "on-call rotation design",
|
|
38
47
|
"content": "On-call rotations should be 1 week per engineer, with a minimum of 6 people in the rotation (no more than 1 week in 6 on primary). Provide a secondary on-call who shadows. Compensate on-call with either extra pay (10-15% of base for the week) or time off (1 day per week on-call). On-call without compensation breeds resentment and attrition.",
|
|
39
|
-
"source": {
|
|
48
|
+
"source": {
|
|
49
|
+
"origin": "best-practice",
|
|
50
|
+
"artifact": null,
|
|
51
|
+
"connector": null
|
|
52
|
+
},
|
|
40
53
|
"evidence": "production",
|
|
41
54
|
"status": "active",
|
|
42
55
|
"phase_added": "define",
|
|
@@ -50,7 +63,11 @@
|
|
|
50
63
|
"type": "recommendation",
|
|
51
64
|
"topic": "RFC process for decisions",
|
|
52
65
|
"content": "Use RFCs (Request for Comments) for decisions that are: cross-team, hard to reverse, or affect more than 3 people. RFC template: Context (why now), Proposal (what), Alternatives considered (at least 2), Tradeoffs, Migration plan. Set a review period of 5 business days. Silence is not consent; require explicit approvals from stakeholders. Archive accepted RFCs as ADRs.",
|
|
53
|
-
"source": {
|
|
66
|
+
"source": {
|
|
67
|
+
"origin": "best-practice",
|
|
68
|
+
"artifact": null,
|
|
69
|
+
"connector": null
|
|
70
|
+
},
|
|
54
71
|
"evidence": "documented",
|
|
55
72
|
"status": "active",
|
|
56
73
|
"phase_added": "define",
|
|
@@ -78,7 +95,11 @@
|
|
|
78
95
|
"type": "factual",
|
|
79
96
|
"topic": "estimation accuracy ranges",
|
|
80
97
|
"content": "Software estimation accuracy follows the Cone of Uncertainty: at project inception, estimates are 0.25x-4x actual. After requirements, 0.5x-2x. After detailed design, 0.67x-1.5x. After code complete, 0.9x-1.1x. Communicate estimates as ranges, never single points. Use relative sizing (story points) for prioritization and historical velocity for date forecasting.",
|
|
81
|
-
"source": {
|
|
98
|
+
"source": {
|
|
99
|
+
"origin": "best-practice",
|
|
100
|
+
"artifact": null,
|
|
101
|
+
"connector": null
|
|
102
|
+
},
|
|
82
103
|
"evidence": "documented",
|
|
83
104
|
"status": "active",
|
|
84
105
|
"phase_added": "define",
|
|
@@ -92,21 +113,34 @@
|
|
|
92
113
|
"type": "recommendation",
|
|
93
114
|
"topic": "postmortem action item tracking",
|
|
94
115
|
"content": "Postmortem action items must have: a single owner (not a team), a due date within 30 days, and a tracking ticket. Review incomplete action items at the start of every postmortem meeting. Teams that do not track action items to completion repeat the same incidents. 60% of incidents are caused by previously identified but unresolved issues.",
|
|
95
|
-
"source": {
|
|
116
|
+
"source": {
|
|
117
|
+
"origin": "best-practice",
|
|
118
|
+
"artifact": null,
|
|
119
|
+
"connector": null
|
|
120
|
+
},
|
|
96
121
|
"evidence": "production",
|
|
97
122
|
"status": "active",
|
|
98
123
|
"phase_added": "define",
|
|
99
124
|
"timestamp": "2025-01-01T00:00:00.000Z",
|
|
100
125
|
"conflicts_with": [],
|
|
101
126
|
"resolved_by": null,
|
|
102
|
-
"tags": [
|
|
127
|
+
"tags": [
|
|
128
|
+
"team-process",
|
|
129
|
+
"postmortem",
|
|
130
|
+
"incident-response",
|
|
131
|
+
"accountability"
|
|
132
|
+
]
|
|
103
133
|
},
|
|
104
134
|
{
|
|
105
135
|
"id": "team-008",
|
|
106
136
|
"type": "constraint",
|
|
107
137
|
"topic": "meeting hygiene for engineers",
|
|
108
138
|
"content": "Protect maker time: engineers need 4-hour uninterrupted blocks for complex work. Meeting-free mornings or meeting-free days (e.g., no meetings on Tuesday/Thursday) measurably increase output. Context-switching between meetings costs 15-25 minutes of recovery time per switch. Batch meetings into afternoon blocks.",
|
|
109
|
-
"source": {
|
|
139
|
+
"source": {
|
|
140
|
+
"origin": "best-practice",
|
|
141
|
+
"artifact": null,
|
|
142
|
+
"connector": null
|
|
143
|
+
},
|
|
110
144
|
"evidence": "web",
|
|
111
145
|
"status": "active",
|
|
112
146
|
"phase_added": "define",
|
|
@@ -120,7 +154,11 @@
|
|
|
120
154
|
"type": "recommendation",
|
|
121
155
|
"topic": "runbook-driven operations",
|
|
122
156
|
"content": "Every alert and recurring operational task should have a runbook: what the alert means, how to diagnose, step-by-step remediation, escalation criteria, and who to contact. Runbooks reduce MTTR by 40-60% for on-call engineers encountering unfamiliar alerts. Store runbooks alongside alert definitions, linked by alert name. Review and update runbooks after every incident.",
|
|
123
|
-
"source": {
|
|
157
|
+
"source": {
|
|
158
|
+
"origin": "best-practice",
|
|
159
|
+
"artifact": null,
|
|
160
|
+
"connector": null
|
|
161
|
+
},
|
|
124
162
|
"evidence": "production",
|
|
125
163
|
"status": "active",
|
|
126
164
|
"phase_added": "define",
|
|
@@ -134,7 +172,11 @@
|
|
|
134
172
|
"type": "risk",
|
|
135
173
|
"topic": "bus factor for critical systems",
|
|
136
174
|
"content": "Bus factor (number of people who could be hit by a bus before the project stalls) of 1 is a critical risk. Mitigate with: pair programming or rotation on critical systems, mandatory documentation for system architecture and runbooks, cross-training sessions quarterly, and code review requirements that expose at least 2 people to every area of the codebase.",
|
|
137
|
-
"source": {
|
|
175
|
+
"source": {
|
|
176
|
+
"origin": "best-practice",
|
|
177
|
+
"artifact": null,
|
|
178
|
+
"connector": null
|
|
179
|
+
},
|
|
138
180
|
"evidence": "documented",
|
|
139
181
|
"status": "active",
|
|
140
182
|
"phase_added": "define",
|
|
@@ -162,14 +204,23 @@
|
|
|
162
204
|
"type": "recommendation",
|
|
163
205
|
"topic": "retrospective action limits",
|
|
164
206
|
"content": "Limit retrospective action items to 2-3 per sprint. Teams that generate 8-10 action items per retro complete fewer than 20% of them, creating learned helplessness. Pick the highest-impact items, assign owners, and carry forward only incomplete items from the previous retro. If the same item appears 3 retros in a row, escalate it.",
|
|
165
|
-
"source": {
|
|
207
|
+
"source": {
|
|
208
|
+
"origin": "best-practice",
|
|
209
|
+
"artifact": null,
|
|
210
|
+
"connector": null
|
|
211
|
+
},
|
|
166
212
|
"evidence": "documented",
|
|
167
213
|
"status": "active",
|
|
168
214
|
"phase_added": "define",
|
|
169
215
|
"timestamp": "2025-01-01T00:00:00.000Z",
|
|
170
216
|
"conflicts_with": [],
|
|
171
217
|
"resolved_by": null,
|
|
172
|
-
"tags": [
|
|
218
|
+
"tags": [
|
|
219
|
+
"team-process",
|
|
220
|
+
"retrospective",
|
|
221
|
+
"agile",
|
|
222
|
+
"continuous-improvement"
|
|
223
|
+
]
|
|
173
224
|
}
|
|
174
225
|
]
|
|
175
|
-
}
|
|
226
|
+
}
|
package/packs/testing.json
CHANGED
|
@@ -8,7 +8,11 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "test framework",
|
|
10
10
|
"content": "All tests must use node:test and node:assert/strict with zero external dependencies. No Jest, Mocha, Vitest, or other frameworks.",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "architecture",
|
|
13
|
+
"artifact": null,
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "documented",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
@@ -22,7 +26,11 @@
|
|
|
22
26
|
"type": "constraint",
|
|
23
27
|
"topic": "test isolation",
|
|
24
28
|
"content": "Tests must use real filesystem (mkdtempSync), real processes (child_process.spawn), and real HTTP. No mocks, no spies, no test doubles.",
|
|
25
|
-
"source": {
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "architecture",
|
|
31
|
+
"artifact": null,
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
26
34
|
"evidence": "documented",
|
|
27
35
|
"status": "active",
|
|
28
36
|
"phase_added": "define",
|
|
@@ -78,7 +86,11 @@
|
|
|
78
86
|
"type": "constraint",
|
|
79
87
|
"topic": "CI matrix",
|
|
80
88
|
"content": "CI must test on Node 18, 20, and 22. Every CI run verifies zero runtime dependencies, runs all tests, checks CLI --help, and performs a dry-run npm publish.",
|
|
81
|
-
"source": {
|
|
89
|
+
"source": {
|
|
90
|
+
"origin": "architecture",
|
|
91
|
+
"artifact": ".github/workflows/ci.yml",
|
|
92
|
+
"connector": null
|
|
93
|
+
},
|
|
82
94
|
"evidence": "documented",
|
|
83
95
|
"status": "active",
|
|
84
96
|
"phase_added": "define",
|
|
@@ -92,7 +104,11 @@
|
|
|
92
104
|
"type": "factual",
|
|
93
105
|
"topic": "test coverage baseline",
|
|
94
106
|
"content": "Baseline: 191 tests across 5 repos (wheat 25, barn 58, mill 30, silo 21, ranch 44). After adding server, UI smoke, and cross-tool tests: ~260 tests total.",
|
|
95
|
-
"source": {
|
|
107
|
+
"source": {
|
|
108
|
+
"origin": "measurement",
|
|
109
|
+
"artifact": null,
|
|
110
|
+
"connector": null
|
|
111
|
+
},
|
|
96
112
|
"evidence": "tested",
|
|
97
113
|
"status": "active",
|
|
98
114
|
"phase_added": "research",
|
|
@@ -0,0 +1,219 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "Vendor Evaluation Framework",
|
|
3
|
+
"description": "Enterprise due diligence framework for evaluating vendors and third-party tools. Covers security posture, compliance, pricing, integration, and operational risk. Drop into any vendor assessment sprint.",
|
|
4
|
+
"version": "1.0.0",
|
|
5
|
+
"claims": [
|
|
6
|
+
{
|
|
7
|
+
"id": "vend-001",
|
|
8
|
+
"type": "constraint",
|
|
9
|
+
"topic": "security posture assessment",
|
|
10
|
+
"content": "Vendor must hold SOC 2 Type II certification with a clean audit report from the most recent period. Request the full report, not just the bridge letter. If no SOC 2, require ISO 27001 or equivalent third-party security attestation.",
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "best-practice",
|
|
13
|
+
"artifact": "AICPA Trust Services Criteria",
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
16
|
+
"evidence": "documented",
|
|
17
|
+
"status": "active",
|
|
18
|
+
"phase_added": "define",
|
|
19
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
20
|
+
"conflicts_with": [],
|
|
21
|
+
"resolved_by": null,
|
|
22
|
+
"tags": ["vendor", "security", "soc2", "due-diligence"]
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"id": "vend-002",
|
|
26
|
+
"type": "constraint",
|
|
27
|
+
"topic": "data residency and sovereignty",
|
|
28
|
+
"content": "Vendor must disclose all data processing locations. For EU customers: data must reside in EEA or be covered by Standard Contractual Clauses. For regulated industries: verify no data leaves approved jurisdictions.",
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "regulation",
|
|
31
|
+
"artifact": "GDPR Articles 44-49",
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
34
|
+
"evidence": "documented",
|
|
35
|
+
"status": "active",
|
|
36
|
+
"phase_added": "define",
|
|
37
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
38
|
+
"conflicts_with": [],
|
|
39
|
+
"resolved_by": null,
|
|
40
|
+
"tags": ["vendor", "data-residency", "gdpr", "sovereignty"]
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"id": "vend-003",
|
|
44
|
+
"type": "constraint",
|
|
45
|
+
"topic": "SSO and identity integration",
|
|
46
|
+
"content": "Vendor must support SAML 2.0 or OIDC for SSO. SCIM provisioning required for teams > 50 users. Verify: does SSO work with your IdP (Okta, Azure AD, Google Workspace)? Test before signing.",
|
|
47
|
+
"source": {
|
|
48
|
+
"origin": "best-practice",
|
|
49
|
+
"artifact": null,
|
|
50
|
+
"connector": null
|
|
51
|
+
},
|
|
52
|
+
"evidence": "documented",
|
|
53
|
+
"status": "active",
|
|
54
|
+
"phase_added": "define",
|
|
55
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
56
|
+
"conflicts_with": [],
|
|
57
|
+
"resolved_by": null,
|
|
58
|
+
"tags": ["vendor", "sso", "identity", "integration"]
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
"id": "vend-004",
|
|
62
|
+
"type": "risk",
|
|
63
|
+
"topic": "vendor lock-in assessment",
|
|
64
|
+
"content": "Evaluate data export capabilities before signing. Key questions: (1) Can you export all your data in standard formats? (2) What's the export process and timeline? (3) Is there an API for continuous data extraction? (4) What happens to your data after contract termination?",
|
|
65
|
+
"source": {
|
|
66
|
+
"origin": "best-practice",
|
|
67
|
+
"artifact": null,
|
|
68
|
+
"connector": null
|
|
69
|
+
},
|
|
70
|
+
"evidence": "documented",
|
|
71
|
+
"status": "active",
|
|
72
|
+
"phase_added": "define",
|
|
73
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
74
|
+
"conflicts_with": [],
|
|
75
|
+
"resolved_by": null,
|
|
76
|
+
"tags": ["vendor", "lock-in", "data-portability", "risk"]
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"id": "vend-005",
|
|
80
|
+
"type": "constraint",
|
|
81
|
+
"topic": "pricing model analysis",
|
|
82
|
+
"content": "Analyze total cost of ownership: base license + per-seat + overage + implementation + training + integration. Get pricing in writing for current headcount AND 2x growth. Negotiate multi-year for 20-40% discount. Compare against at least 2 alternatives.",
|
|
83
|
+
"source": {
|
|
84
|
+
"origin": "best-practice",
|
|
85
|
+
"artifact": null,
|
|
86
|
+
"connector": null
|
|
87
|
+
},
|
|
88
|
+
"evidence": "documented",
|
|
89
|
+
"status": "active",
|
|
90
|
+
"phase_added": "define",
|
|
91
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
92
|
+
"conflicts_with": [],
|
|
93
|
+
"resolved_by": null,
|
|
94
|
+
"tags": ["vendor", "pricing", "tco", "negotiation"]
|
|
95
|
+
},
|
|
96
|
+
{
|
|
97
|
+
"id": "vend-006",
|
|
98
|
+
"type": "risk",
|
|
99
|
+
"topic": "vendor financial viability",
|
|
100
|
+
"content": "Assess vendor financial health: funding stage, runway, revenue trajectory, customer count. For startups: what happens if they shut down? For public companies: check last 2 quarterly earnings. A vendor going bankrupt mid-contract is an operational risk.",
|
|
101
|
+
"source": {
|
|
102
|
+
"origin": "best-practice",
|
|
103
|
+
"artifact": null,
|
|
104
|
+
"connector": null
|
|
105
|
+
},
|
|
106
|
+
"evidence": "documented",
|
|
107
|
+
"status": "active",
|
|
108
|
+
"phase_added": "define",
|
|
109
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
110
|
+
"conflicts_with": [],
|
|
111
|
+
"resolved_by": null,
|
|
112
|
+
"tags": ["vendor", "financial", "viability", "risk"]
|
|
113
|
+
},
|
|
114
|
+
{
|
|
115
|
+
"id": "vend-007",
|
|
116
|
+
"type": "constraint",
|
|
117
|
+
"topic": "SLA and support requirements",
|
|
118
|
+
"content": "Define minimum SLA: uptime guarantee (99.9% = 8.76h downtime/year), response times by severity (P1: 15min, P2: 1h, P3: 4h, P4: 24h), communication channels, escalation path, and financial penalties for SLA breach.",
|
|
119
|
+
"source": {
|
|
120
|
+
"origin": "best-practice",
|
|
121
|
+
"artifact": null,
|
|
122
|
+
"connector": null
|
|
123
|
+
},
|
|
124
|
+
"evidence": "documented",
|
|
125
|
+
"status": "active",
|
|
126
|
+
"phase_added": "define",
|
|
127
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
128
|
+
"conflicts_with": [],
|
|
129
|
+
"resolved_by": null,
|
|
130
|
+
"tags": ["vendor", "sla", "support", "uptime"]
|
|
131
|
+
},
|
|
132
|
+
{
|
|
133
|
+
"id": "vend-008",
|
|
134
|
+
"type": "constraint",
|
|
135
|
+
"topic": "API and integration capabilities",
|
|
136
|
+
"content": "Vendor must provide a documented REST or GraphQL API with: versioning policy, rate limits, webhook support, and sandbox/staging environment. SDKs for your primary languages are a strong positive signal.",
|
|
137
|
+
"source": {
|
|
138
|
+
"origin": "best-practice",
|
|
139
|
+
"artifact": null,
|
|
140
|
+
"connector": null
|
|
141
|
+
},
|
|
142
|
+
"evidence": "documented",
|
|
143
|
+
"status": "active",
|
|
144
|
+
"phase_added": "define",
|
|
145
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
146
|
+
"conflicts_with": [],
|
|
147
|
+
"resolved_by": null,
|
|
148
|
+
"tags": ["vendor", "api", "integration", "developer-experience"]
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"id": "vend-009",
|
|
152
|
+
"type": "risk",
|
|
153
|
+
"topic": "subprocessor chain risk",
|
|
154
|
+
"content": "Vendor's subprocessors inherit your data risk. Request the full subprocessor list. Evaluate: (1) How many subprocessors? (2) What data does each access? (3) Are they SOC 2 compliant? (4) Does the vendor notify you of subprocessor changes?",
|
|
155
|
+
"source": {
|
|
156
|
+
"origin": "regulation",
|
|
157
|
+
"artifact": "GDPR Article 28",
|
|
158
|
+
"connector": null
|
|
159
|
+
},
|
|
160
|
+
"evidence": "documented",
|
|
161
|
+
"status": "active",
|
|
162
|
+
"phase_added": "define",
|
|
163
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
164
|
+
"conflicts_with": [],
|
|
165
|
+
"resolved_by": null,
|
|
166
|
+
"tags": ["vendor", "subprocessors", "supply-chain", "gdpr"]
|
|
167
|
+
},
|
|
168
|
+
{
|
|
169
|
+
"id": "vend-010",
|
|
170
|
+
"type": "recommendation",
|
|
171
|
+
"topic": "vendor evaluation process",
|
|
172
|
+
"content": "Structured evaluation process: (1) Define requirements as constraints before evaluating. (2) Score each vendor against constraints independently. (3) Run a proof-of-concept with top 2 candidates. (4) Check references — talk to customers at similar scale. (5) Negotiate contract with clear exit clauses.",
|
|
173
|
+
"source": {
|
|
174
|
+
"origin": "best-practice",
|
|
175
|
+
"artifact": null,
|
|
176
|
+
"connector": null
|
|
177
|
+
},
|
|
178
|
+
"evidence": "documented",
|
|
179
|
+
"status": "active",
|
|
180
|
+
"phase_added": "define",
|
|
181
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
182
|
+
"conflicts_with": [],
|
|
183
|
+
"resolved_by": null,
|
|
184
|
+
"tags": ["vendor", "process", "evaluation", "recommendation"]
|
|
185
|
+
},
|
|
186
|
+
{
|
|
187
|
+
"id": "vend-011",
|
|
188
|
+
"type": "factual",
|
|
189
|
+
"topic": "vendor due diligence timeline",
|
|
190
|
+
"content": "Enterprise vendor due diligence averages 45 days for onboarding. Security questionnaires take days to weeks (400+ questions common). Legal review cycles run 8-12 weeks without pre-prepared documentation. Compressed timelines are possible when vendors provide complete compliance documentation upfront.",
|
|
191
|
+
"source": { "origin": "research", "artifact": null, "connector": null },
|
|
192
|
+
"evidence": "web",
|
|
193
|
+
"status": "active",
|
|
194
|
+
"phase_added": "research",
|
|
195
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
196
|
+
"conflicts_with": [],
|
|
197
|
+
"resolved_by": null,
|
|
198
|
+
"tags": ["vendor", "timeline", "due-diligence", "enterprise"]
|
|
199
|
+
},
|
|
200
|
+
{
|
|
201
|
+
"id": "vend-012",
|
|
202
|
+
"type": "constraint",
|
|
203
|
+
"topic": "IP indemnification",
|
|
204
|
+
"content": "For AI/ML vendors: require IP indemnification clause covering generated output. Verify: does the vendor indemnify against IP claims from training data? GitHub Copilot Enterprise includes this; many competitors do not.",
|
|
205
|
+
"source": {
|
|
206
|
+
"origin": "best-practice",
|
|
207
|
+
"artifact": null,
|
|
208
|
+
"connector": null
|
|
209
|
+
},
|
|
210
|
+
"evidence": "web",
|
|
211
|
+
"status": "active",
|
|
212
|
+
"phase_added": "define",
|
|
213
|
+
"timestamp": "2026-01-01T00:00:00.000Z",
|
|
214
|
+
"conflicts_with": [],
|
|
215
|
+
"resolved_by": null,
|
|
216
|
+
"tags": ["vendor", "ip-indemnity", "ai", "legal"]
|
|
217
|
+
}
|
|
218
|
+
]
|
|
219
|
+
}
|