@hdwebsoft/hdcode-ai-darwin-x64 0.0.7 → 0.0.8

package/resources/skills/hd-help/reference/skill-map.md

@@ -1,6 +1,6 @@
 # HD Skills Map
 
-> Last verified: 2026-03-01 | 22 hd-* skills
+> Last verified: 2026-03-05 | 26 hd-* skills
 > Invoke `/hd-help [describe your task]` for an interactive recommendation.
 
 ---
@@ -79,7 +79,7 @@ Worker needs to be run?
 | `hd-issue-resolution` | Something is broken | "fix bug", "error in X", "test failing", "unexpected behavior", "crash" |
 | `hd-changelog` | Work just completed | "log this bead", "update CHANGELOG.md", "generate changelog entry", "what changed in this epic" |
 | `hd-estimation` | Incoming bid or scope request | "estimate effort", "how long will X take", "create a bid", "ballpark quote" |
-| `hd-code-review` | Reviews git diff between branches across 11 aspects. Outputs Approved / Approved with Comments / Changes Requested verdict. Reads `CODING_STANDARDS.md` for project-specific rules. | "review this branch", "code review", "gate merge", "review diff", "review PR" |
+| `hd-code-review` | Reviews git diff between branches across 12 universal aspects. Loads `CODING_STANDARDS.md` (style rules), `REVIEW_STANDARDS.md` (tech-stack presets, aspect escalations, custom aspects), and `KNOWN_ISSUES.md` (accepted debt — annotates matching findings as INFO instead of blocking). Outputs Approved / Approved with Comments / Changes Requested verdict. | "review this branch", "code review", "gate merge", "review diff", "review PR" |
 | `hd-security-review` | Deep security-only analysis: OWASP Top 10, PII audit, auth/authz, tenant isolation, compliance gate. Outputs APPROVED or NOT APPROVED with severity-classified findings. | "security review", "OWASP check", "PII audit", "compliance gate", "pre-launch security", "is this safe to ship?" |
 
 **Disambiguation:**
@@ -87,7 +87,7 @@ Worker needs to be run?
 Something broken that used to work?  → hd-issue-resolution  (not hd-planning)
 Completed beads to document?         → hd-changelog          (not hd-docs-sync)
 New project bid or ETA needed?       → hd-estimation
-Full code review (11 aspects)?       → hd-code-review
+Full code review (12 aspects)?       → hd-code-review
 Deep security-only audit (OWASP)?   → hd-security-review   (can run both)
 ```
 
@@ -169,7 +169,7 @@ hd-look-at vs hd-painter:
   → hd-docs-parse  (text extraction from 75+ formats — not hd-look-at, which analyzes visual content)
 
 "review code changes / review this branch / gate merge"
-  → hd-code-review  (full review across 11 aspects + quick security pass)
+  → hd-code-review  (full review across 12 aspects + quick security pass)
   → hd-security-review  (deep security-only: OWASP, PII audit, compliance gate, APPROVED/NOT APPROVED)
   → can run both
 ```
@@ -207,6 +207,11 @@ hd-look-at vs hd-painter:
 /hd-daily-goals        # Write today's morning goals report
 /hd-daily-goals Today I work on AI Kit 3h: fix login, review PRs  # with inline draft
 /hd-daily-report       # Write today's status report (done / working / blockers)
+/hd-daily-viewer                    # List last 7 days with ✅/❌ availability
+/hd-daily-viewer yesterday          # Single-day view: goals + report + metrics
+/hd-daily-viewer this week          # Weekly summary with per-day breakdown
+/hd-daily-viewer last 30 days       # Monthly aggregates + outstanding activities
+/hd-daily-viewer 2026-03-01         # Specific date
 /hd-tasks <workspace-url>          # List tasks, pick which ones, dispatch hd-task on each
 /hd-tasks --status=todo <url>      # Filter list to Todo only before selecting
 /hd-docs-parse report.pdf                             — extract text to stdout
@@ -217,6 +222,21 @@ hd-look-at vs hd-painter:
 /hd-code-review https://linear.app/.../PROJ-123     — review with task context
 /hd-code-review --source=feat/auth --target=main     — explicit branches
 /hd-security-review                                  — deep security analysis (OWASP, PII, compliance gate)
+/hd-iso-sync https://drive.google.com/drive/folders/<id>  — sync ISO docs from Google Drive
+/hd-iso lookup "password policy"                     — search ISO docs for content
+/hd-iso gap --standard 27001                         — check compliance coverage
+/hd-iso gap --standard 9001 --clause 8               — check specific clause section
+/hd-iso change "update data retention period"        — get impact analysis before editing
+/hd-iso onboard --role developer                     — generate onboarding reading path
+/hd-iso-verify docs/iso/password-policy.md           — verify a specific doc
+/hd-iso-verify --standard 27001                      — verify all docs for ISO 27001
+/hd-iso-verify check if onboarding is valid against ISO 27001  — NL query mode
+/hd-iso ncr log                                              — guided NCR intake
+/hd-iso ncr list --status open                               — view open NCRs
+/hd-iso ncr close NCR-001                                    — close a nonconformity
+/hd-iso records --standard 27001                             — check mandatory records
+/hd-iso-ready --standard 27001                               — full readiness report
+/hd-iso-ready --standard 27001 --brief                       — executive summary
 
 # Chaining example: extract requirements from PDF → estimate
 /hd-docs-parse requirements.pdf --markdown -o requirements.md   # 1. extract text
@@ -227,9 +247,38 @@ hd-look-at vs hd-painter:
 
 ---
 
+### Cluster E: ISO & Compliance
+
+> Skills for managing ISO 9001/27001 documentation. Requires Google Docs MCP for sync.
+
+| Skill | What it does | Use when you say… |
+|-------|-------------|-------------------|
+| `hd-iso-sync` | One-way sync from Google Drive → Markdown in Git. Exports docs, injects clause-tagging frontmatter, regenerates index. **Req:** Google Docs MCP. | "sync ISO docs", "import from Google Docs", "refresh iso markdown", "pull ISO docs from Drive" |
+| `hd-iso lookup` | Search ISO docs by query — returns excerpts, clause refs, and Google Doc links. | "find ISO clause for X", "which policy covers Y", "search iso docs" |
+| `hd-iso gap` | Map all ISO clauses against tagged docs. Outputs ✅ Covered / ⚠️ Partial / ❌ Missing. | "compliance gap check", "what clauses are missing", "iso 27001 gap report" |
+| `hd-iso change` | Impact analysis before editing a doc — lists affected clauses + change checklist. | "what changes if I update X", "iso change checklist", "impact of editing this policy" |
+| `hd-iso onboard` | Role-based reading path for new employees — filtered must-read list with time estimates. | "onboard new developer", "iso reading path for QA", "what should new hire read" |
+| `hd-iso-verify` | Content quality audit — checks whether a doc's body actually fulfills ISO requirements for its tagged clauses. Supports file path, clause/standard flags, and natural language queries. Outputs ✅/⚠️/❌ per check + COMPLIANT/REVIEW NEEDED/NON-COMPLIANT verdict. | "is this doc ISO compliant", "verify password policy against ISO 27001", "is our onboarding process ISO valid", "audit document quality" |
+| `hd-iso ncr` | Log, list, close, and view Nonconformity/Corrective Action Records. Stores NCRs as `docs/iso/ncr/NCR-NNN.md` with guided intake and lifecycle tracking. | "log NCR", "track nonconformity", "corrective action", "close NCR-001", "list open NCRs" |
+| `hd-iso records` | Check mandatory documented information exists — verifies all records required by ISO 9001/27001 are present with correct `doc_type: record` and clause tags. | "check mandatory records", "are all ISO records present", "mandatory documented information" |
+| `hd-iso-ready` | Certification readiness report — aggregates gap (30%), document quality (35%), mandatory records (25%), and open NCRs (penalty) into a weighted readiness score. Grade: 🟢 READY / 🟡 PARTIALLY READY / 🔴 NOT READY. | "are we ISO ready", "certification readiness", "pre-audit check", "readiness report" |
+
+**Disambiguation:**
+```
+Syncing from Google Docs?         → hd-iso-sync  (run first, populates docs/iso/)
+Searching content?                → hd-iso lookup <query>
+Checking compliance coverage?     → hd-iso gap --standard 27001
+Editing a doc safely?             → hd-iso change <description>  (get impact first)
+New employee starting?            → hd-iso onboard --role <developer|qa|manager|security|new-hire>
+Verifying doc content quality?    → hd-iso-verify <path|--clause|--standard|NL query>
+Logging a nonconformity?          → hd-iso ncr log
+Checking mandatory records exist? → hd-iso records --standard 27001
+Pre-audit readiness check?        → hd-iso-ready --standard 27001
+```
+
 ---
 
-### Cluster E: QA & Testing
+### Cluster F: QA & Testing
 
 > Skills for QC teams to generate, manage, and verify test cases. No developer access required for the main skill.
 
@@ -252,7 +301,7 @@ hd-qa-test-cases-verify requires:
 
 ---
 
-### Cluster F: Project Setup & Configuration
+### Cluster G: Project Setup & Configuration
 
 > Skills that configure the project environment for Claude Code.
 
@@ -267,7 +316,7 @@ Project stack changed, need to add MCPs?    → /hd-mcp sync
 Developer joining, need to set up locally?  → /hd-mcp  (no args)
 ```
 
-### Cluster G: Daily Reporting
+### Cluster H: Daily Reporting
 
 > Skills for team members to write structured daily reports via a guided HITL loop.
 
@@ -275,6 +324,7 @@ Developer joining, need to set up locally?  → /hd-mcp  (no args)
 |-------|-------------|-------------------|
 | `hd-daily-goals` | Write the daily morning goals report. Guides you through projects, hours, and goals — enforces outcome + temporal marker + confidence per goal before outputting a copy-ready Discord report. | "write my daily goals", "morning report", "daily goals", "write today's goals", "hd-daily-goals" |
 | `hd-daily-report` | Write the daily status report (what was done, what's in progress, blockers). Enforces all required fields per section before outputting. | "write my daily report", "daily standup", "end of day report", "what I worked on today" |
+| `hd-daily-viewer` | View, navigate, and summarize past daily goals and reports from `~/.hd/`. Single-day detail view (goals + report + metrics), time-window summaries (per-day breakdown or high-level aggregates), and list mode. Always surfaces at least 7 outstanding in-progress/blocked activities. | "show me yesterday's report", "view past goals", "this week summary", "what did I do last week", "daily history" |
 
 **Disambiguation:**
 ```
@@ -283,10 +333,75 @@ Morning, before work starts → plan what you WILL do?
 
 During or end of day → report what you DID / are doing / blocked on?
   YES → hd-daily-report
+
+Reviewing past days, comparing goals vs results, or getting a summary?
+  YES → hd-daily-viewer
 ```
 
 ---
 
+---
+
+## Project Configuration Conventions
+
+> One-time setup for each project, not skill-specific.
+
+### Multi-Repo Projects (Polyrepo)
+
+When a project spans multiple repositories (e.g., frontend + API), two additions help
+Claude and skills find related code without needing full paths in every prompt.
+
+**Step 1 — `AGENTS.md` (committed)**
+
+Add a `## Related Projects` section declaring related repos by alias:
+
+```markdown
+## Related Projects
+| Alias | Role |
+|-------|------|
+| project-b-api | REST API backend |
+| project-b-story-android | Story branch worktree checkout of API |
+```
+
+**Step 2 — `additionalDirectories` (native file access + path registry)**
+
+Use the same `additionalDirectories` key in both settings files:
+
+```json
+// .claude/settings.json  ← committed; team-shared paths (if paths are stable)
+{
+  "additionalDirectories": [
+    "/shared/path/to/project-b-api"
+  ]
+}
+
+// .claude/settings.local.json  ← gitignored; developer-local paths
+{
+  "additionalDirectories": [
+    "/my/local/path/to/project-b-api",
+    "/my/local/worktrees/story-android"
+  ]
+}
+```
+
+Both files are merged at runtime. Gives Claude native Glob/Grep/Read access across repos.
+Skills (e.g., `hd-docs-sync`) read `additionalDirectories` from both files and
+cross-reference with AGENTS.md aliases to know which directories are related repos.
+
+In prompts, mention the alias — `"also check project-b-api"` — instead of the full path.
+
+**Git worktrees**: Worktrees don't inherit `.claude/`. Fix with a symlink:
+
+```bash
+ln -s /project/a/.claude /project/a/worktrees/story-android/.claude
+```
+
+**`hd-docs-sync` integration**: When `## Related Projects` is in AGENTS.md AND
+matching paths exist in `additionalDirectories`, docs-sync automatically includes related
+repos' git history (Stream D) so API changes that implicate frontend docs are detected.
+
+---
+
 ## Other Skill Sets
 
 > This section is intentionally empty.

package/resources/skills/hd-iso/SKILL.md

@@ -0,0 +1,409 @@
+---
+name: hd-iso
+description: >
+  ISO 9001/27001 document intelligence skill. Lookup content, detect compliance gaps,
+  guide document changes, and generate role-based onboarding paths.
+  Use when: searching ISO docs, checking compliance coverage, planning a doc change,
+  onboarding a new employee, "hd-iso", "iso compliance check", "what ISO clause covers X".
+license: proprietary
+metadata:
+  version: "1.0.0"
+  copyright: "© HDWEBSOFT. All rights reserved."
+---
+
+# ISO Document Intelligence
+
+> **[IMPORTANT]** This skill reads from `docs/iso/*.md` — run `hd-iso-sync` first to populate. All output is advisory; humans own all changes to Google Docs.
+
+## Sub-commands
+
+```
+hd-iso lookup <query>                     Search ISO docs for content
+hd-iso gap [--standard 9001|27001]        Detect missing/incomplete clause coverage
+hd-iso change <description>              Get change impact + checklist before editing a doc
+hd-iso onboard [--role <role>]           Generate role-based reading path for new employee
+hd-iso ncr log                            Log a new nonconformity (guided intake)
+hd-iso ncr list [--status open|closed]   List NCRs with summary table
+hd-iso ncr close <NCR-NNN>               Mark NCR closed with evidence
+hd-iso ncr show <NCR-NNN>                Show full NCR details
+hd-iso records [--standard 9001|27001]   Check mandatory ISO records exist
+```
+
+## Prerequisites
+
+- `docs/iso/*.md` populated (run `hd-iso-sync` first)
+- `docs/iso/index.md` exists
+- For `hd-iso gap`: frontmatter `clauses` and `iso_standard` tagged on docs
+
+---
+
+## `hd-iso lookup <query>`
+
+**Purpose**: Find ISO documents and clauses relevant to a search query.
+
+### Steps
+
+1. Search `docs/iso/` in order of priority:
+   - **Clause match**: query matches a clause ID in frontmatter `clauses` field
+   - **Title match**: query found in doc `title` frontmatter
+   - **Body match**: query found in document body text
+
+2. For each match, extract and return:
+   ```
+   📄 [Doc Title]
+      Standard: ISO 27001  |  Clauses: A.9.4.3, A.5.15
+      Type: procedure  |  Roles: developer, security
+      Source: https://docs.google.com/document/d/...
+
+      > ...relevant excerpt (2-3 sentences containing the query)...
+   ```
+
+3. Sort results: clause matches first → title matches → body matches
+
+4. If no results found:
+   - Suggest broader search terms
+   - Note if `docs/iso/` is empty (prompt to run `hd-iso-sync`)
+
+### Example
+
+```
+User: hd-iso lookup "password policy"
+
+Results (3 found):
+
+📄 Password and Authentication Policy
+   Standard: ISO 27001  |  Clauses: A.5.17, A.8.5
+   Type: policy  |  Roles: all
+   Source: https://docs.google.com/document/d/1abc...
+
+   > "Passwords must be at least 12 characters, include uppercase, lowercase,
+     numbers and symbols. Shared accounts are prohibited..."
+
+📄 Access Control Procedure
+   Standard: ISO 27001  |  Clauses: A.5.15, A.5.18
+   Type: procedure  |  Roles: developer, security
+   Source: https://docs.google.com/document/d/2def...
+
+   > "...password resets must be initiated via the IT helpdesk. Temporary passwords
+     expire after 24 hours..."
+```
+
+---
+
+## `hd-iso gap [--standard 9001|27001] [--clause <id>]`
+
+**Purpose**: Map ISO requirements against tagged documents. Find what's covered, partial, or missing.
+
+### Steps
+
+1. Load requirement list:
+   - `--standard 27001` → `reference/iso-27001-requirements.md`
+   - `--standard 9001` → `reference/iso-9001-requirements.md`
+   - No flag → run both standards
+
+2. For each requirement clause, check `docs/iso/`:
+   - Query: any doc with matching clause ID in `clauses` frontmatter
+   - **`✅ Covered`**: 1+ docs with this clause, and at least one is `doc_type: policy` or `procedure`
+   - **`⚠️ Partial`**: clause found but only in `record` or `guideline` type docs (no policy/procedure)
+   - **`❌ Missing`**: no docs tagged with this clause
+
+3. Calculate summary stats:
+   ```
+   ISO 27001 Gap Report
+   Covered: 61/93 controls (66%)
+   Partial:  12/93 controls (13%)
+   Missing:  20/93 controls (22%)
+   ```
+
+4. Print full table grouped by section (A.5, A.6, A.7, A.8 for 27001):
+   ```
+   ## A.5 — Organizational Controls
+   ✅  A.5.1   Policies for information security
+   ✅  A.5.2   IS roles and responsibilities
+   ⚠️  A.5.9   Inventory of assets (only a record, needs a procedure)
+   ❌  A.5.23  Security for use of cloud services
+   ...
+   ```
+
+5. Save full report to `reports/gap-<standard>-<YYYYMMDD>.md`
+
+6. For `⚠️ Partial` and `❌ Missing` items, suggest action:
+   ```
+   Recommended actions:
+   ❌ A.5.23 — Create a Cloud Security Policy document in Google Docs
+               Tag it: iso_standard: [27001], clauses: ["A.5.23"], doc_type: policy
+   ⚠️ A.5.9  — Existing "Asset List" record is insufficient. Add an Asset Management Procedure.
+   ```
+
+### Scope Filtering
+
+```
+hd-iso gap --standard 27001 --clause A.8
+  → Only check A.8.x controls (Technological Controls)
+
+hd-iso gap --standard 9001 --clause 8
+  → Only check clause 8.x (Operations)
+```
+
+---
+
+## `hd-iso change <description>`
+
+**Purpose**: Before editing any ISO document, understand what compliance impact the change has and follow the correct process.
+
+### Steps
+
+1. **Find relevant docs**: semantic search in `docs/iso/` for docs related to the described change
+   - Show top 3-5 matches with confidence level
+
+2. **Map clause impact**: for each matched doc, list all `clauses` from frontmatter
+   - These are the ISO clauses the change may affect
+
+3. **Output impact warning**:
+   ```
+   ⚠️  Change Impact Analysis: "update data retention period"
+
+   Affected documents (2):
+     📄 Data Retention Policy     — clauses: A.8.10, A.5.33, 7.5
+     📄 Data Classification Guide — clauses: A.5.12, A.5.13
+
+   ISO clauses at risk:
+     A.8.10  Information deletion
+     A.5.33  Protection of records
+     7.5     Documented information
+   ```
+
+4. **Generate change checklist**:
+   ```
+   Change Checklist — Data Retention Policy Update
+
+   Before editing:
+   [ ] Confirm which ISO clauses this change affects (see above)
+   [ ] Identify approver: Manager / Security Officer review required for policy changes
+   [ ] Check if related procedures also need updating (e.g. Data Classification Guide)
+
+   During editing (in Google Docs):
+   [ ] Update version number in document header
+   [ ] Add change description in revision history table
+   [ ] Date the change
+
+   After editing:
+   [ ] Get required approval signatures
+   [ ] Run hd-iso-sync to refresh Markdown layer
+   [ ] Run hd-iso gap --standard 27001 to confirm coverage maintained
+   [ ] Notify relevant roles: security, all (based on doc roles field)
+   ```
+
+5. Save checklist to `reports/change-guide-<YYYYMMDD>.md`
+
+---
+
+## `hd-iso onboard [--role <role>]`
+
+**Purpose**: Generate a personalized reading path for a new employee based on their role.
+
+### Supported Roles
+
+| Role | Description |
+|------|-------------|
+| `developer` | Software engineers, DevOps, tech leads |
+| `qa` | Quality assurance, testers |
+| `manager` | Team leads, department heads, project managers |
+| `security` | CISO, security team, security engineers |
+| `new-hire` | All employees — company-wide policies only |
+
+If no `--role` provided: ask user which role.
+
+### Steps
+
+1. Load role profile from `reference/role-profiles.md` → get relevant clause list
+
+2. Filter `docs/iso/` for docs where:
+   - `roles` frontmatter contains the specified role OR `all`
+   - OR `clauses` frontmatter intersects with role's clause list
+
+3. Categorize docs:
+   - **Must-read**: `doc_type: policy` or `procedure` that directly apply to this role
+   - **Reference**: `doc_type: record` or `guideline` — useful but not required reading
+   - **Awareness only**: other company-wide policies for context
+
+4. Estimate reading time per doc: `word_count / 200` (words per minute), round up to nearest 5 min
+
+5. Output reading path:
+   ```
+   🎯 ISO Onboarding Path — Developer
+   Total estimated reading time: 45 minutes
+
+   ## Must-Read (30 min)
+   1. [15 min] Information Security Policy → https://docs.google.com/...
+      Covers: A.5.1 | Why: Sets your security obligations as a developer
+   2. [10 min] Access Control Procedure → https://docs.google.com/...
+      Covers: A.5.15, A.8.3 | Why: How to request and manage system access
+   3. [5 min]  Secure Development Policy → https://docs.google.com/...
+      Covers: A.8.25, A.8.28 | Why: Coding standards you must follow
+
+   ## Reference (15 min — read when relevant)
+   4. [10 min] Vulnerability Management Procedure → https://docs.google.com/...
+      Covers: A.8.8 | When: When you discover or report a vulnerability
+   5. [5 min]  Change Management Procedure → https://docs.google.com/...
+      Covers: A.8.32 | When: Before deploying to production
+
+   ## Awareness (skim when you have time)
+   6. Quality Policy — company-wide quality commitments
+   7. Data Classification Guide — how to label data you handle
+
+   ## Key Rules for Developers (quick summary)
+   - All code must go through code review before merge
+   - Report security vulnerabilities immediately to security@company.com
+   - Never commit credentials or secrets to Git
+   - Production access requires approval — request via IT helpdesk
+   ```
+
+6. Save to `reports/onboarding-<role>-<YYYYMMDD>.md`
+
+---
+
+## Common Patterns
+
+### First-time setup check
+Before any command, verify `docs/iso/` exists and has content:
+```
+If docs/iso/ is empty or missing:
+  → "Run hd-iso-sync first to import your ISO documents from Google Drive."
+```
+
+### Untagged docs warning
+If many docs lack `clauses` frontmatter:
+```
+⚠️  38 of 42 docs are untagged. Gap analysis will be incomplete.
+    Run hd-iso-sync and complete the tagging step for accurate results.
+```
+
+---
+
+## Report Output Paths
+
+| Command | Output file |
+|---------|-------------|
+| `hd-iso gap` | `reports/gap-<standard>-<YYYYMMDD>.md` |
+| `hd-iso change` | `reports/change-guide-<YYYYMMDD>.md` |
+| `hd-iso onboard` | `reports/onboarding-<role>-<YYYYMMDD>.md` |
+| `hd-iso records` | `reports/records-<standard>-<YYYYMMDD>.md` |
+
+Reports folder is created automatically if it doesn't exist.
+
+---
+
+## hd-iso ncr — Nonconformity & Corrective Action Tracking
+
+NCR files live in `docs/iso/ncr/NCR-NNN.md` (auto-numbered, 3-digit zero-padded).
+
+### NCR File Format
+
+```yaml
+---
+id: NCR-001
+title: "Password policy missing shared account prohibition"
+date_raised: 2026-03-05
+raised_by: "hd-iso-verify / manual"
+doc_ref: docs/iso/procedures/password-policy.md
+clause: A.5.17
+severity: minor                    # major | minor | observation
+status: open                       # open | in-progress | closed
+root_cause: ""
+corrective_action: ""
+target_date: ""
+closed_date: ""
+closed_by: ""
+---
+
+## Details
+
+<free text description of the nonconformity>
+```
+
+### ncr log
+
+Guided intake:
+1. Ask: title, doc_ref, clause, severity (major/minor/observation)
+2. Auto-assign ID from highest NCR-NNN in `docs/iso/ncr/` (create dir if needed)
+3. Create file with frontmatter preset: status: open, date_raised: today, raised_by: "manual"
+
+### ncr list [--status open|closed]
+
+Scan `docs/iso/ncr/*.md`, render summary table:
+
+```
+Open NCRs (3)
+
+| ID      | Title                                    | Clause  | Severity | Status      | Age   |
+|---------|------------------------------------------|---------|----------|-------------|-------|
+| NCR-001 | Password policy missing shared account   | A.5.17  | minor    | open        | 5d    |
+| NCR-002 | Incident response missing SLA            | A.5.24  | major    | in-progress | 12d   |
+| NCR-003 | Backup policy has no restoration test    | A.8.13  | minor    | open        | 2d    |
+```
+
+- Default: show all open + in-progress NCRs
+- `--status closed` → show closed NCRs only
+- `--status all` → show all
+
+### ncr close <NCR-NNN>
+
+Show current NCR details. Ask: corrective_action, closed_by (name/role). Update frontmatter: `status: closed`, `closed_date: today`.
+
+### ncr show <NCR-NNN>
+
+Pretty-print the full NCR:
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+NCR-001 — minor | open
+Title:   Password policy missing shared account prohibition
+Clause:  A.5.17
+Doc ref: docs/iso/procedures/password-policy.md
+Raised:  2026-03-05 by manual
+Target:  (not set)
+
+Details:
+The password policy does not prohibit shared accounts. ISO 27001 A.5.17
+requires explicit prohibition of shared credentials.
+
+Root cause:    (not yet set)
+Corrective action: (not yet set)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
+
+---
+
+## hd-iso records — Mandatory Records Existence Check
+
+```
+hd-iso records [--standard 9001|27001]
+```
+
+For each required record in the reference file ("Mandatory Documented Information" section):
+- Search `docs/iso/` for a doc with `doc_type: record` + matching clause tag
+- Grade: ✅ Present | ⚠️ Wrong type (clause found, wrong doc_type) | ❌ Missing
+- Default (no flag): check both standards
+
+### Output
+
+```
+Mandatory Records Check — ISO 27001:2022
+Run: 2026-03-05
+
+✅ Risk assessment results            (docs/iso/records/risk-register.md)
+✅ Risk treatment plan                (docs/iso/records/risk-treatment.md)
+⚠️ Statement of Applicability        (docs/iso/policies/soa.md) — doc_type is 'policy', expected 'record'
+❌ Internal audit results             — no record tagged 9.2.2
+❌ Nonconformities and CARs           — no record tagged 10.2.2
+✅ Management review results          (docs/iso/records/mgmt-review-minutes.md)
+
+Summary: 3/6 mandatory records present  |  2 missing  |  1 wrong type
+
+Next: Create missing records in Google Docs → sync → tag with correct clause + doc_type: record
+```
+
+Save to `reports/records-<standard>-<YYYYMMDD>.md`.
+
+If `--standard` not provided, run both standards and combine output under separate headings.