@grainulation/silo 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/CODE_OF_CONDUCT.md +25 -0
  2. package/CONTRIBUTING.md +103 -0
  3. package/README.md +67 -59
  4. package/bin/silo.js +212 -86
  5. package/lib/analytics.js +26 -11
  6. package/lib/confluence.js +343 -0
  7. package/lib/graph.js +414 -0
  8. package/lib/import-export.js +29 -24
  9. package/lib/index.js +15 -9
  10. package/lib/packs.js +60 -36
  11. package/lib/search.js +24 -16
  12. package/lib/serve-mcp.js +391 -95
  13. package/lib/server.js +205 -110
  14. package/lib/store.js +34 -18
  15. package/lib/templates.js +28 -17
  16. package/package.json +6 -3
  17. package/packs/adr.json +219 -0
  18. package/packs/api-design.json +67 -14
  19. package/packs/architecture-decision.json +152 -0
  20. package/packs/architecture.json +45 -9
  21. package/packs/ci-cd.json +51 -11
  22. package/packs/compliance.json +70 -14
  23. package/packs/coverage-ramp.json +180 -0
  24. package/packs/data-engineering.json +57 -12
  25. package/packs/frontend.json +56 -12
  26. package/packs/hackathon-best-ai.json +179 -0
  27. package/packs/hackathon-business-impact.json +180 -0
  28. package/packs/hackathon-innovation.json +210 -0
  29. package/packs/hackathon-most-innovative.json +179 -0
  30. package/packs/hackathon-most-rigorous.json +179 -0
  31. package/packs/hackathon-sprint-boost.json +173 -0
  32. package/packs/incident-postmortem.json +219 -0
  33. package/packs/migration.json +45 -9
  34. package/packs/observability.json +57 -12
  35. package/packs/security.json +61 -13
  36. package/packs/team-process.json +64 -13
  37. package/packs/testing.json +20 -4
  38. package/packs/vendor-eval.json +219 -0
  39. package/packs/vendor-evaluation.json +148 -0
package/packs/vendor-eval.json ADDED
@@ -0,0 +1,219 @@
1
+ {
2
+ "name": "Vendor Evaluation Framework",
3
+ "description": "Enterprise due diligence framework for evaluating vendors and third-party tools. Covers security posture, compliance, pricing, integration, and operational risk. Drop into any vendor assessment sprint.",
4
+ "version": "1.0.0",
5
+ "claims": [
6
+ {
7
+ "id": "vend-001",
8
+ "type": "constraint",
9
+ "topic": "security posture assessment",
10
+ "content": "Vendor must hold SOC 2 Type II certification with a clean audit report from the most recent period. Request the full report, not just the bridge letter. If no SOC 2, require ISO 27001 or equivalent third-party security attestation.",
11
+ "source": {
12
+ "origin": "best-practice",
13
+ "artifact": "AICPA Trust Services Criteria",
14
+ "connector": null
15
+ },
16
+ "evidence": "documented",
17
+ "status": "active",
18
+ "phase_added": "define",
19
+ "timestamp": "2026-01-01T00:00:00.000Z",
20
+ "conflicts_with": [],
21
+ "resolved_by": null,
22
+ "tags": ["vendor", "security", "soc2", "due-diligence"]
23
+ },
24
+ {
25
+ "id": "vend-002",
26
+ "type": "constraint",
27
+ "topic": "data residency and sovereignty",
28
+ "content": "Vendor must disclose all data processing locations. For EU customers: data must reside in EEA or be covered by Standard Contractual Clauses. For regulated industries: verify no data leaves approved jurisdictions.",
29
+ "source": {
30
+ "origin": "regulation",
31
+ "artifact": "GDPR Articles 44-49",
32
+ "connector": null
33
+ },
34
+ "evidence": "documented",
35
+ "status": "active",
36
+ "phase_added": "define",
37
+ "timestamp": "2026-01-01T00:00:00.000Z",
38
+ "conflicts_with": [],
39
+ "resolved_by": null,
40
+ "tags": ["vendor", "data-residency", "gdpr", "sovereignty"]
41
+ },
42
+ {
43
+ "id": "vend-003",
44
+ "type": "constraint",
45
+ "topic": "SSO and identity integration",
46
+ "content": "Vendor must support SAML 2.0 or OIDC for SSO. SCIM provisioning required for teams > 50 users. Verify: does SSO work with your IdP (Okta, Azure AD, Google Workspace)? Test before signing.",
47
+ "source": {
48
+ "origin": "best-practice",
49
+ "artifact": null,
50
+ "connector": null
51
+ },
52
+ "evidence": "documented",
53
+ "status": "active",
54
+ "phase_added": "define",
55
+ "timestamp": "2026-01-01T00:00:00.000Z",
56
+ "conflicts_with": [],
57
+ "resolved_by": null,
58
+ "tags": ["vendor", "sso", "identity", "integration"]
59
+ },
60
+ {
61
+ "id": "vend-004",
62
+ "type": "risk",
63
+ "topic": "vendor lock-in assessment",
64
+ "content": "Evaluate data export capabilities before signing. Key questions: (1) Can you export all your data in standard formats? (2) What's the export process and timeline? (3) Is there an API for continuous data extraction? (4) What happens to your data after contract termination?",
65
+ "source": {
66
+ "origin": "best-practice",
67
+ "artifact": null,
68
+ "connector": null
69
+ },
70
+ "evidence": "documented",
71
+ "status": "active",
72
+ "phase_added": "define",
73
+ "timestamp": "2026-01-01T00:00:00.000Z",
74
+ "conflicts_with": [],
75
+ "resolved_by": null,
76
+ "tags": ["vendor", "lock-in", "data-portability", "risk"]
77
+ },
78
+ {
79
+ "id": "vend-005",
80
+ "type": "constraint",
81
+ "topic": "pricing model analysis",
82
+ "content": "Analyze total cost of ownership: base license + per-seat + overage + implementation + training + integration. Get pricing in writing for current headcount AND 2x growth. Negotiate multi-year for 20-40% discount. Compare against at least 2 alternatives.",
83
+ "source": {
84
+ "origin": "best-practice",
85
+ "artifact": null,
86
+ "connector": null
87
+ },
88
+ "evidence": "documented",
89
+ "status": "active",
90
+ "phase_added": "define",
91
+ "timestamp": "2026-01-01T00:00:00.000Z",
92
+ "conflicts_with": [],
93
+ "resolved_by": null,
94
+ "tags": ["vendor", "pricing", "tco", "negotiation"]
95
+ },
96
+ {
97
+ "id": "vend-006",
98
+ "type": "risk",
99
+ "topic": "vendor financial viability",
100
+ "content": "Assess vendor financial health: funding stage, runway, revenue trajectory, customer count. For startups: what happens if they shut down? For public companies: check last 2 quarterly earnings. A vendor going bankrupt mid-contract is an operational risk.",
101
+ "source": {
102
+ "origin": "best-practice",
103
+ "artifact": null,
104
+ "connector": null
105
+ },
106
+ "evidence": "documented",
107
+ "status": "active",
108
+ "phase_added": "define",
109
+ "timestamp": "2026-01-01T00:00:00.000Z",
110
+ "conflicts_with": [],
111
+ "resolved_by": null,
112
+ "tags": ["vendor", "financial", "viability", "risk"]
113
+ },
114
+ {
115
+ "id": "vend-007",
116
+ "type": "constraint",
117
+ "topic": "SLA and support requirements",
118
+ "content": "Define minimum SLA: uptime guarantee (99.9% = 8.76h downtime/year), response times by severity (P1: 15min, P2: 1h, P3: 4h, P4: 24h), communication channels, escalation path, and financial penalties for SLA breach.",
119
+ "source": {
120
+ "origin": "best-practice",
121
+ "artifact": null,
122
+ "connector": null
123
+ },
124
+ "evidence": "documented",
125
+ "status": "active",
126
+ "phase_added": "define",
127
+ "timestamp": "2026-01-01T00:00:00.000Z",
128
+ "conflicts_with": [],
129
+ "resolved_by": null,
130
+ "tags": ["vendor", "sla", "support", "uptime"]
131
+ },
132
+ {
133
+ "id": "vend-008",
134
+ "type": "constraint",
135
+ "topic": "API and integration capabilities",
136
+ "content": "Vendor must provide a documented REST or GraphQL API with: versioning policy, rate limits, webhook support, and sandbox/staging environment. SDKs for your primary languages are a strong positive signal.",
137
+ "source": {
138
+ "origin": "best-practice",
139
+ "artifact": null,
140
+ "connector": null
141
+ },
142
+ "evidence": "documented",
143
+ "status": "active",
144
+ "phase_added": "define",
145
+ "timestamp": "2026-01-01T00:00:00.000Z",
146
+ "conflicts_with": [],
147
+ "resolved_by": null,
148
+ "tags": ["vendor", "api", "integration", "developer-experience"]
149
+ },
150
+ {
151
+ "id": "vend-009",
152
+ "type": "risk",
153
+ "topic": "subprocessor chain risk",
154
+ "content": "Vendor's subprocessors inherit your data risk. Request the full subprocessor list. Evaluate: (1) How many subprocessors? (2) What data does each access? (3) Are they SOC 2 compliant? (4) Does the vendor notify you of subprocessor changes?",
155
+ "source": {
156
+ "origin": "regulation",
157
+ "artifact": "GDPR Article 28",
158
+ "connector": null
159
+ },
160
+ "evidence": "documented",
161
+ "status": "active",
162
+ "phase_added": "define",
163
+ "timestamp": "2026-01-01T00:00:00.000Z",
164
+ "conflicts_with": [],
165
+ "resolved_by": null,
166
+ "tags": ["vendor", "subprocessors", "supply-chain", "gdpr"]
167
+ },
168
+ {
169
+ "id": "vend-010",
170
+ "type": "recommendation",
171
+ "topic": "vendor evaluation process",
172
+ "content": "Structured evaluation process: (1) Define requirements as constraints before evaluating. (2) Score each vendor against constraints independently. (3) Run a proof-of-concept with top 2 candidates. (4) Check references — talk to customers at similar scale. (5) Negotiate contract with clear exit clauses.",
173
+ "source": {
174
+ "origin": "best-practice",
175
+ "artifact": null,
176
+ "connector": null
177
+ },
178
+ "evidence": "documented",
179
+ "status": "active",
180
+ "phase_added": "define",
181
+ "timestamp": "2026-01-01T00:00:00.000Z",
182
+ "conflicts_with": [],
183
+ "resolved_by": null,
184
+ "tags": ["vendor", "process", "evaluation", "recommendation"]
185
+ },
186
+ {
187
+ "id": "vend-011",
188
+ "type": "factual",
189
+ "topic": "vendor due diligence timeline",
190
+ "content": "Enterprise vendor due diligence averages 45 days for onboarding. Security questionnaires take days to weeks (400+ questions common). Legal review cycles run 8-12 weeks without pre-prepared documentation. Compressed timelines are possible when vendors provide complete compliance documentation upfront.",
191
+ "source": { "origin": "research", "artifact": null, "connector": null },
192
+ "evidence": "web",
193
+ "status": "active",
194
+ "phase_added": "research",
195
+ "timestamp": "2026-01-01T00:00:00.000Z",
196
+ "conflicts_with": [],
197
+ "resolved_by": null,
198
+ "tags": ["vendor", "timeline", "due-diligence", "enterprise"]
199
+ },
200
+ {
201
+ "id": "vend-012",
202
+ "type": "constraint",
203
+ "topic": "IP indemnification",
204
+ "content": "For AI/ML vendors: require IP indemnification clause covering generated output. Verify: does the vendor indemnify against IP claims from training data? GitHub Copilot Enterprise includes this; many competitors do not.",
205
+ "source": {
206
+ "origin": "best-practice",
207
+ "artifact": null,
208
+ "connector": null
209
+ },
210
+ "evidence": "web",
211
+ "status": "active",
212
+ "phase_added": "define",
213
+ "timestamp": "2026-01-01T00:00:00.000Z",
214
+ "conflicts_with": [],
215
+ "resolved_by": null,
216
+ "tags": ["vendor", "ip-indemnity", "ai", "legal"]
217
+ }
218
+ ]
219
+ }
package/packs/vendor-evaluation.json ADDED
@@ -0,0 +1,148 @@
1
+ {
2
+ "name": "Vendor Evaluation (Enterprise)",
3
+ "description": "Extended enterprise vendor due diligence framework. Covers security posture, compliance, pricing, integration, operational risk, and exit planning. Use for vendor assessment sprints alongside the base vendor-eval pack.",
4
+ "version": "1.0.0",
5
+ "extends": "vendor-eval",
6
+ "claims": [
7
+ {
8
+ "id": "veval-001",
9
+ "type": "constraint",
10
+ "topic": "enterprise procurement checklist",
11
+ "content": "Enterprise vendor evaluation must cover 7 pillars: (1) Security posture (SOC 2, pen tests), (2) Compliance alignment (GDPR, HIPAA, industry-specific), (3) Integration capabilities (API, SSO, SCIM), (4) Financial viability (funding, revenue, customer base), (5) Total cost of ownership (3-year projection), (6) Exit strategy (data portability, contract termination), (7) Operational resilience (SLA, disaster recovery, incident response).",
12
+ "source": {
13
+ "origin": "best-practice",
14
+ "artifact": null,
15
+ "connector": null
16
+ },
17
+ "evidence": "documented",
18
+ "status": "active",
19
+ "phase_added": "define",
20
+ "timestamp": "2026-03-21T00:00:00.000Z",
21
+ "conflicts_with": [],
22
+ "resolved_by": null,
23
+ "tags": ["vendor", "enterprise", "procurement", "checklist"]
24
+ },
25
+ {
26
+ "id": "veval-002",
27
+ "type": "constraint",
28
+ "topic": "security questionnaire",
29
+ "content": "Send the vendor a standardized security questionnaire (SIG Lite or CAIQ v4) before technical evaluation. Require responses within 10 business days. Red flags: vendor refuses to complete, gives evasive answers, or lacks basic controls (MFA, encryption, logging).",
30
+ "source": {
31
+ "origin": "best-practice",
32
+ "artifact": "Shared Assessments SIG",
33
+ "connector": null
34
+ },
35
+ "evidence": "documented",
36
+ "status": "active",
37
+ "phase_added": "define",
38
+ "timestamp": "2026-03-21T00:00:00.000Z",
39
+ "conflicts_with": [],
40
+ "resolved_by": null,
41
+ "tags": ["vendor", "security-questionnaire", "sig", "caiq"]
42
+ },
43
+ {
44
+ "id": "veval-003",
45
+ "type": "risk",
46
+ "topic": "contract auto-renewal traps",
47
+ "content": "Many enterprise SaaS contracts auto-renew 60-90 days before expiration with price escalation clauses (3-7% annual increase typical). Mitigation: set calendar reminders 120 days before renewal, negotiate caps on annual increases, and require written opt-in for renewal rather than opt-out.",
48
+ "source": {
49
+ "origin": "best-practice",
50
+ "artifact": null,
51
+ "connector": null
52
+ },
53
+ "evidence": "documented",
54
+ "status": "active",
55
+ "phase_added": "define",
56
+ "timestamp": "2026-03-21T00:00:00.000Z",
57
+ "conflicts_with": [],
58
+ "resolved_by": null,
59
+ "tags": ["vendor", "contract", "auto-renewal", "risk", "negotiation"]
60
+ },
61
+ {
62
+ "id": "veval-004",
63
+ "type": "constraint",
64
+ "topic": "proof of concept evaluation",
65
+ "content": "Run a structured POC with top 2 vendor candidates before signing. POC must cover: (1) integration with existing stack, (2) performance under realistic load, (3) admin/user experience with real users, (4) support responsiveness during evaluation. Define pass/fail criteria before POC starts.",
66
+ "source": {
67
+ "origin": "best-practice",
68
+ "artifact": null,
69
+ "connector": null
70
+ },
71
+ "evidence": "documented",
72
+ "status": "active",
73
+ "phase_added": "define",
74
+ "timestamp": "2026-03-21T00:00:00.000Z",
75
+ "conflicts_with": [],
76
+ "resolved_by": null,
77
+ "tags": ["vendor", "poc", "evaluation", "enterprise"]
78
+ },
79
+ {
80
+ "id": "veval-005",
81
+ "type": "recommendation",
82
+ "topic": "reference check process",
83
+ "content": "Request 3 customer references at similar scale and industry. Ask references: (1) What surprised you after purchase? (2) How responsive is support for P1 issues? (3) Have you had data migration or integration issues? (4) Would you renew at current pricing? (5) What would you change about the product?",
84
+ "source": {
85
+ "origin": "best-practice",
86
+ "artifact": null,
87
+ "connector": null
88
+ },
89
+ "evidence": "documented",
90
+ "status": "active",
91
+ "phase_added": "define",
92
+ "timestamp": "2026-03-21T00:00:00.000Z",
93
+ "conflicts_with": [],
94
+ "resolved_by": null,
95
+ "tags": ["vendor", "references", "due-diligence", "enterprise"]
96
+ },
97
+ {
98
+ "id": "veval-006",
99
+ "type": "risk",
100
+ "topic": "AI vendor data usage",
101
+ "content": "For AI/ML vendors: verify data usage policy. Key questions: (1) Is customer data used to train models? (2) Can you opt out of training data contribution? (3) Where is data processed — on-prem option available? (4) What happens to prompts/inputs after processing? (5) Is there a DPA that covers AI-specific data flows?",
102
+ "source": {
103
+ "origin": "best-practice",
104
+ "artifact": null,
105
+ "connector": null
106
+ },
107
+ "evidence": "documented",
108
+ "status": "active",
109
+ "phase_added": "define",
110
+ "timestamp": "2026-03-21T00:00:00.000Z",
111
+ "conflicts_with": [],
112
+ "resolved_by": null,
113
+ "tags": ["vendor", "ai", "data-usage", "privacy", "risk"]
114
+ },
115
+ {
116
+ "id": "veval-007",
117
+ "type": "estimate",
118
+ "topic": "vendor evaluation timeline",
119
+ "content": "Typical enterprise vendor evaluation timeline: Week 1-2: requirements gathering and RFP. Week 3-4: vendor demos and shortlisting. Week 5-8: POC with top 2. Week 9-10: reference checks and security review. Week 11-14: contract negotiation and legal review. Total: 3-4 months for a thorough evaluation.",
120
+ "source": { "origin": "research", "artifact": null, "connector": null },
121
+ "evidence": "web",
122
+ "status": "active",
123
+ "phase_added": "research",
124
+ "timestamp": "2026-03-21T00:00:00.000Z",
125
+ "conflicts_with": [],
126
+ "resolved_by": null,
127
+ "tags": ["vendor", "timeline", "enterprise", "planning"]
128
+ },
129
+ {
130
+ "id": "veval-008",
131
+ "type": "factual",
132
+ "topic": "negotiation leverage points",
133
+ "content": "Enterprise negotiation leverage: (1) End of quarter/year — vendors discount 20-40% to hit targets. (2) Multi-year commitment — 15-30% discount typical. (3) Case study participation — 5-10% discount for logo rights. (4) Early adopter pricing — lock in lower rates before GA. (5) Competitive bake-off — having a credible alternative is the strongest lever.",
134
+ "source": {
135
+ "origin": "best-practice",
136
+ "artifact": null,
137
+ "connector": null
138
+ },
139
+ "evidence": "web",
140
+ "status": "active",
141
+ "phase_added": "research",
142
+ "timestamp": "2026-03-21T00:00:00.000Z",
143
+ "conflicts_with": [],
144
+ "resolved_by": null,
145
+ "tags": ["vendor", "negotiation", "pricing", "enterprise"]
146
+ }
147
+ ]
148
+ }