@kaademos/secure-sdlc 1.0.2 → 1.2.0

package/.claude/agents/grc-analyst.md

@@ -29,7 +29,9 @@ Maintain awareness of applicable controls from:
 - **PCI DSS v4.0** (if payment card data is in scope)
 - **OWASP ASVS** (as the technical requirements anchor)
 - **GDPR / UK GDPR** (if personal data is processed)
-- **DORA** (if applicable to financial services)
+- **HIPAA** (Security & Privacy Rules — if protected health information is in scope)
+- **DORA** (if applicable to EU financial services)
+- **FedRAMP** (NIST SP 800-53 baseline — if selling to US federal agencies)
 
 ---
 
@@ -54,10 +56,14 @@ When invoked at the start of a project or feature:
 ```markdown
 ## Control Mapping
 
-| ASVS Ref | Requirement | SOC 2 | ISO 27001 | NIST CSF | PCI DSS |
-|----------|-------------|-------|-----------|----------|---------|
-| V2.1.1 | Password complexity | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 |
-| V6.1.1 | Encryption at rest | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 |
+| ASVS Ref | Requirement | SOC 2 | ISO 27001 | NIST CSF | PCI DSS | HIPAA | DORA | FedRAMP |
+|----------|-------------|-------|-----------|----------|---------|-------|------|---------|
+| V6.2.1 | Password complexity | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 | §164.312(d) | Art. 9 | IA-5 |
+| V14.1.1 | Encryption at rest | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 | §164.312(a)(2)(iv) | Art. 9 | SC-28 |
+
+> Only populate columns for frameworks selected in `secure-sdlc.yaml`. Add HIPAA when
+> protected health information is processed, DORA for EU financial entities, and FedRAMP
+> (NIST SP 800-53 control families: AC, AU, IA, SC, …) when targeting US federal agencies.
 ```
 
 ---

package/.claude/agents/product-manager.md

@@ -51,9 +51,9 @@ For each feature, produce a `docs/security-requirements.md` using this structure
 
 | ID | Requirement | ASVS Ref | Priority | Acceptance Criteria |
 |----|-------------|----------|----------|---------------------|
-| SR-001 | All API endpoints require authentication | V4.1.1 | MUST | Unauthenticated requests return HTTP 401 |
-| SR-002 | Passwords must meet complexity requirements | V2.1.1 | MUST | Passwords < 8 chars or common passwords rejected |
-| SR-003 | Sensitive data encrypted at rest | V6.1.1 | MUST | AES-256 or equivalent; key management documented |
+| SR-001 | All API endpoints require authentication | V8.3.1 | MUST | Unauthenticated requests return HTTP 401 |
+| SR-002 | Passwords must meet complexity requirements | V6.2.1 | MUST | Passwords < 8 chars or common passwords rejected |
+| SR-003 | Sensitive data encrypted at rest | V14.1.1 | MUST | AES-256 or equivalent; key management documented |
 
 ### Privacy Requirements
 - [ ] Data minimisation: only collect fields required for this feature

package/.claude-plugin/marketplace.json

@@ -0,0 +1,51 @@
+{
+  "name": "secure-sdlc-agents",
+  "owner": {
+    "name": "Kaademos",
+    "email": "kaademos@github.com"
+  },
+  "metadata": {
+    "description": "A team of 8 AI security specialists embedded in your coding workflow — covering every phase of the Secure SDLC from requirements to release gating.",
+    "version": "1.2.0"
+  },
+  "plugins": [
+    {
+      "name": "secure-sdlc-agents",
+      "source": {
+        "source": "github",
+        "repo": "Kaademos/secure-sdlc-agents"
+      },
+      "description": "8 AI security specialist agents for the full Secure SDLC: threat modelling, AppSec, GRC, IaC review, AI/LLM security, and release gating. Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.",
+      "version": "1.2.0",
+      "author": {
+        "name": "Kaademos"
+      },
+      "homepage": "https://github.com/Kaademos/secure-sdlc-agents",
+      "repository": "https://github.com/Kaademos/secure-sdlc-agents",
+      "license": "MIT",
+      "keywords": [
+        "security",
+        "appsec",
+        "sdlc",
+        "owasp",
+        "asvs",
+        "compliance",
+        "threat-modeling",
+        "secure-coding",
+        "devsecops",
+        "grc"
+      ],
+      "category": "security",
+      "tags": [
+        "security",
+        "appsec",
+        "devsecops",
+        "owasp",
+        "compliance",
+        "threat-modeling",
+        "agent-skills"
+      ],
+      "strict": true
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -0,0 +1,31 @@
+{
+  "name": "secure-sdlc-agents",
+  "version": "1.2.0",
+  "description": "A team of AI security specialists embedded in your coding workflow. 8 agents covering every phase of the Secure SDLC: requirements, threat modelling, code review, IaC security, compliance, and release gating. Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.",
+  "author": {
+    "name": "Kaademos",
+    "url": "https://github.com/Kaademos"
+  },
+  "repository": "https://github.com/Kaademos/secure-sdlc-agents",
+  "license": "MIT",
+  "keywords": [
+    "security",
+    "appsec",
+    "sdlc",
+    "owasp",
+    "asvs",
+    "compliance",
+    "threat-modeling",
+    "secure-coding"
+  ],
+  "agents": [
+    ".claude/agents/product-manager.md",
+    ".claude/agents/appsec-engineer.md",
+    ".claude/agents/grc-analyst.md",
+    ".claude/agents/cloud-platform-engineer.md",
+    ".claude/agents/dev-lead.md",
+    ".claude/agents/release-manager.md",
+    ".claude/agents/security-champion.md",
+    ".claude/agents/ai-security-engineer.md"
+  ]
+}

package/.github/workflows/secure-sdlc-gate.yml

@@ -241,7 +241,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript-typescript', 'python']
+        language: ['javascript-typescript', 'python', 'ruby', 'go', 'java-kotlin']
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -250,25 +250,64 @@ jobs:
         id: check-lang
         run: |
           LANG="${{ matrix.language }}"
+          # EXISTS gates every downstream step so absent languages skip cleanly.
+          # BUILD_MODE tells CodeQL how to build: interpreted languages need no
+          # build ("none"); Go must be built ("autobuild"); java-kotlin can use
+          # "none" for pure-Java repos but MUST build when Kotlin is present
+          # (Kotlin analysis has no build-mode: none support).
+          EXISTS=false
+          BUILD_MODE=none
           if [ "$LANG" = "javascript-typescript" ]; then
-            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -q . && echo "EXISTS=true" >> $GITHUB_OUTPUT || echo "EXISTS=false" >> $GITHUB_OUTPUT
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -q . && EXISTS=true
           elif [ "$LANG" = "python" ]; then
-            find . -name "*.py" | grep -q . && echo "EXISTS=true" >> $GITHUB_OUTPUT || echo "EXISTS=false" >> $GITHUB_OUTPUT
+            find . -name "*.py" | grep -q . && EXISTS=true
+          elif [ "$LANG" = "ruby" ]; then
+            find . -name "*.rb" | grep -q . && EXISTS=true
+          elif [ "$LANG" = "go" ]; then
+            find . -name "*.go" | grep -q . && EXISTS=true
+            BUILD_MODE=autobuild
+          elif [ "$LANG" = "java-kotlin" ]; then
+            find . -name "*.java" -o -name "*.kt" | grep -q . && EXISTS=true
+            # Kotlin requires a build; pure-Java repos skip it for reliability.
+            if find . -name "*.kt" | grep -q .; then
+              BUILD_MODE=autobuild
+            fi
           else
-            echo "EXISTS=true" >> $GITHUB_OUTPUT
+            EXISTS=true
           fi
+          echo "EXISTS=$EXISTS" >> $GITHUB_OUTPUT
+          echo "BUILD_MODE=$BUILD_MODE" >> $GITHUB_OUTPUT
+          echo "Language=$LANG Exists=$EXISTS BuildMode=$BUILD_MODE"
+
+      # Set up the toolchain BEFORE CodeQL so autobuild can resolve the build.
+      # Without a matching toolchain, autobuild is the #1 cause of CodeQL CI
+      # failures on enterprise Go/Maven/Gradle projects.
+      - name: Set up Go
+        if: steps.check-lang.outputs.EXISTS == 'true' && matrix.language == 'go'
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false  # no go.sum path assumptions; CodeQL only needs a build
+
+      - name: Set up JDK
+        if: steps.check-lang.outputs.EXISTS == 'true' && matrix.language == 'java-kotlin' && steps.check-lang.outputs.BUILD_MODE == 'autobuild'
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          # Latest LTS. If your project targets an older JDK (11/17) and the
+          # build fails, change this to match — that's the one knob to turn.
+          java-version: '21'
 
       - name: Initialize CodeQL
         if: steps.check-lang.outputs.EXISTS == 'true'
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
+          build-mode: ${{ steps.check-lang.outputs.BUILD_MODE }}
           queries: security-and-quality
 
-      - name: Autobuild
-        if: steps.check-lang.outputs.EXISTS == 'true'
-        uses: github/codeql-action/autobuild@v3
-
+      # No standalone Autobuild step: build-mode "autobuild" runs the autobuilder
+      # during analysis, and build-mode "none" needs no build at all.
       - name: Perform CodeQL Analysis
         if: steps.check-lang.outputs.EXISTS == 'true'
         uses: github/codeql-action/analyze@v3

package/CHANGELOG.md

@@ -6,8 +6,52 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ---
 
+## [1.2.0] — 2026-06-26
+
+### Added
+- **Go stack profile** (`stacks/golang.md`) — dense, code-driven security guidance for Go (net/http, Gin, Echo, Fiber): `html/template` XSS, `database/sql`/GORM parameterisation, CORS, security headers, `gosec`/`govulncheck`
+- **Go security notes** in `getStackSecurityNotes()` plus a `getStackProfile()` resolver so detected `gin`/`echo`/`fiber` projects map to the `golang` profile and notes
+- **Worked example `04-oauth-flow`** — OAuth 2.0 / OIDC social login (authorization-code + PKCE); `redirect_uri` exact matching, `state` vs `nonce`, ID-token validation, anchored to ASVS 5.0 V10 and RFC 9700
+- **Worked example `05-payment-processing`** — redirect-based hosted checkout (PCI DSS SAQ A); webhook signature verification, idempotency, server-side amount, reflecting the Jan 2025 SAQ A changes
+- **HIPAA, DORA, and FedRAMP** control tables in `compliance-attestation.md` and the GRC agent's control-mapping example
+- **Automated test suite** (`test/`, Node built-in runner, zero new dependencies) — guards version sync across manifests, agent frontmatter, and the stack-detection ↔ `stacks/*.md` mapping
+- **CI workflow** (`.github/workflows/ci.yml`) — runs the suite on Node 18, 20, and 22 plus an `npm pack` content check
+- **Release workflow** (`.github/workflows/release.yml`) — publishes to npm with provenance and creates a GitHub Release on `v*` tags
+- **`CODE_OF_CONDUCT.md`** (Contributor Covenant 2.1), **`.editorconfig`**, npm/CI/Node README badges, and a committed `package-lock.json`
+
+### Changed
+- **CodeQL SAST** (`secure-sdlc-gate.yml`) — matrix expanded to `ruby`, `go`, and `java-kotlin`; per-language `build-mode` with toolchain setup so compiled-language scans are reliable on enterprise repos (pure-Java uses `build-mode: none`)
+- **ASVS references migrated from 4.0 to 5.0** repo-wide using the official OWASP `mapping_v4.0.3_to_v5.0.0` mapping (stack profiles, examples, agents, templates, skill, PR template)
+- **`secure-sdlc init`** only prints a `stacks/<name>.md` pointer when that profile actually ships
+
+### Fixed
+- Pre-existing CSRF control mislabel in the Django, Express, Rails, and Go stack profiles (`V14.4.5`/HSTS → real CSRF control `V3.5.1`)
+- Broken `stacks/<gin|echo|fiber>.md` reference — Go framework projects now resolve to `stacks/golang.md`
+
+---
+
 ## [1.0.2]
 
+---
+
+## [1.1.0] — 2026-04-06
+
+### Added
+- **`.claude-plugin/plugin.json`** — Claude Code plugin marketplace manifest; agents now installable with a single `/plugin marketplace add Kaademos/secure-sdlc-agents` command (zero-dependency, no npm, no cloning)
+- **`skills/` directory** — 4 SKILL.md files in the agent-skills–compatible format for cross-ecosystem discoverability:
+  - `skills/security-and-hardening/` — secure coding, PR review, OWASP Top 10 prevention, severity gating
+  - `skills/threat-modeling/` — STRIDE + LINDDUN structured threat model workflow
+  - `skills/ai-security/` — OWASP LLM Top 10 2025, prompt injection, excessive agency, output validation
+  - `skills/compliance-and-audit/` — risk register, framework mapping (SOC 2, ISO 27001, GDPR, PCI DSS), audit evidence
+- **README — "Option 0"** plugin marketplace as the first and fastest install path (before git clone and npm)
+- **README — "The 4-Minute Problem"** concrete breach table replacing the generic problem statement — 5 real vulnerabilities a vibe-coded file upload misses, each mapped to the catching agent
+- **README — "Who Do You Call?"** ASCII decision tree covering every SDLC moment → correct agent → exact command
+
+### Changed
+- **README.md** — title tagline tightened to be specific and direct ("8 AI security specialists. Invoked at the exact phase where each vulnerability would have been caught.")
+- **`package.json` `files`** — added `skills/` and `.claude-plugin/` to the npm publish manifest
+
+
 ### Added
 - **npm package** `@kaademos/secure-sdlc` (root `package.json`) — global install via `npm install -g @kaademos/secure-sdlc`, `npx @kaademos/secure-sdlc`, semver releases;
 - **`secure-sdlc paths`** — prints `PACKAGE_ROOT` and MCP server path after install

package/CLAUDE.md

@@ -175,6 +175,7 @@ If the project uses one of these stacks, reference the relevant profile in `stac
 | Django | `stacks/django.md` |
 | Express.js | `stacks/express.md` |
 | Ruby on Rails | `stacks/rails.md` |
+| Go (net/http, Gin, Echo, Fiber) | `stacks/golang.md` |
 
 Stack profiles contain framework-specific vulnerability patterns, secure coding examples,
 and recommended libraries. Reference them when the dev-lead or appsec-engineer agents

package/README.md

@@ -1,27 +1,35 @@
-![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)
-![Claude Code](https://img.shields.io/badge/Claude_Code-Sub--Agents-blueviolet)
-![Cursor MCP](https://img.shields.io/badge/Cursor-MCP%20Ready-blue)
-![OWASP ASVS](https://img.shields.io/badge/OWASP-ASVS%20L2-orange)
+[![CI](https://github.com/Kaademos/secure-sdlc-agents/actions/workflows/ci.yml/badge.svg)](https://github.com/Kaademos/secure-sdlc-agents/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/@kaademos/secure-sdlc?logo=npm)](https://www.npmjs.com/package/@kaademos/secure-sdlc)
+[![node](https://img.shields.io/node/v/@kaademos/secure-sdlc)](https://nodejs.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+![OWASP ASVS](https://img.shields.io/badge/OWASP-ASVS%205.0-orange)
 ![Works With](https://img.shields.io/badge/Works%20With-Claude%20%7C%20Cursor%20%7C%20Windsurf%20%7C%20Warp-brightgreen)
 
 # Secure SDLC Agents
 
-A team of AI security specialists — embedded directly in your vibe coding workflow.
+**8 AI security specialists. Invoked at the exact phase where each vulnerability would have been caught.**
 
-They cover every phase of the Software Development Lifecycle: requirements, architecture,
-code review, infrastructure, compliance, and release gating. They work wherever you work:
-Claude Code, Cursor, Windsurf, Warp, and any tool that supports MCP.
+Requirements → threat modelling → code review → IaC → compliance → release gate.  
+
+Works in Claude Code, Cursor, Windsurf, Warp, and any MCP-compatible tool.
 
 ---
 
-## The problem this solves
+## The 4-Minute Problem
+
+You asked Claude Code to build a file upload feature. It wrote working code in 4 minutes.
 
-When developers use AI tools to build fast, security becomes the thing that gets bolted on
-at the end — or skipped entirely. Threat models don't happen. ASVS requirements are never
-written. Compliance evidence is scrambled together the night before an audit.
+It missed:
 
-This project makes the security team part of the build process from day one. Not a gate
-at the end, but a set of specialists you summon at the exact moment their expertise is needed.
+| Vulnerability | Severity | Which agent catches it |
+|---|---|---|
+| SVG file with embedded `<script>` stored and served without sanitisation | **CRITICAL** | `appsec-engineer` — MIME type validation, output encoding |
+| No file size limit or type allowlist | **HIGH** | `appsec-engineer` — input validation, magic byte checks |
+| S3 bucket provisioned with `public-read` ACL | **CRITICAL** | `cloud-platform-engineer` — IaC security review |
+| No rate limiting on the upload endpoint | **HIGH** | `appsec-engineer` — anti-automation controls |
+| Upload URL in API response leaks internal bucket path | **MEDIUM** | `dev-lead` — information disclosure review |
+
+Every one of these has appeared in real breach post-mortems. AI agents optimise for *working code*, not *secure code*. This project embeds the specialists that close that gap — at the exact phase where each issue would have been caught.
 
 ---
 
@@ -57,9 +65,48 @@ at the end, but a set of specialists you summon at the exact moment their expert
 
 ---
 
+## Who Do You Call?
+
+```
+What are you working on?
+│
+├── Starting a new feature?
+│   ├── product-manager  →  "Define security requirements for X using ASVS L2"
+│   └── grc-analyst      →  "Initialise risk register, map to SOC2 / GDPR / PCI-DSS"
+│
+├── Designing the architecture?
+│   ├── appsec-engineer          →  "Threat model this design using STRIDE"
+│   ├── cloud-platform-engineer  →  "Review IaC for this feature"
+│   └── ai-security-engineer     →  "Security review — feature calls an LLM"  ← always include this
+│
+├── Writing or merging code?
+│   ├── dev-lead       →  "Review PR #N for secure coding issues and dependency risks"
+│   └── appsec-engineer  →  "Triage SAST findings for PR #N"
+│
+├── Quick security question (any phase)?
+│   └── security-champion  →  "Is this pattern / library safe? Context: ..."
+│
+└── Ready to ship?
+    └── release-manager  →  "Run pre-release security checklist for vX.Y.Z"
+```
+
+---
+
 ## Quick start
 
-### Option A — Claude Code (zero dependencies)
+### Option 0 — Claude Code Plugin Marketplace
+
+```bash
+/plugin marketplace add Kaademos/secure-sdlc-agents
+
+/plugin install secure-sdlc-agents@secure-sdlc-agents
+```
+
+All 8 agents are immediately available in your session. No cloning, no npm, no file copying.
+
+---
+
+### Option A — Git clone (zero dependencies)
 
 ```bash
 git clone https://github.com/Kaademos/secure-sdlc-agents.git
@@ -288,6 +335,7 @@ Deep, framework-specific security guidance in `stacks/`:
 | Django | [`stacks/django.md`](stacks/django.md) — CSRF, strong params, ORM injection, production settings |
 | Express.js | [`stacks/express.md`](stacks/express.md) — helmet, rate limiting, CSRF, Zod validation |
 | Ruby on Rails | [`stacks/rails.md`](stacks/rails.md) — Brakeman, Pundit, strong parameters, credentials |
+| Go (net/http, Gin, Echo, Fiber) | [`stacks/golang.md`](stacks/golang.md) — html/template XSS, database/sql & GORM injection, CORS, gosec/govulncheck |
 
 ---
 
@@ -329,6 +377,8 @@ In `warp-workflows/` — import into Warp for one-click SDLC automation:
 | [`01-login-feature/`](examples/01-login-feature/) | Auth flow (bcrypt, MFA, sessions) | JWT alg:none, hardcoded secrets, cost factor |
 | [`02-api-endpoint/`](examples/02-api-endpoint/) | Public REST API | IDOR via UUID path param, IAM over-privilege |
 | [`03-file-upload/`](examples/03-file-upload/) | File upload to S3 | SVG XSS, magic byte validation, public bucket |
+| [`04-oauth-flow/`](examples/04-oauth-flow/) | OAuth 2.0 / OIDC social login | redirect_uri exact match, PKCE, state vs nonce, ID-token validation |
+| [`05-payment-processing/`](examples/05-payment-processing/) | Card checkout (hosted page) | PCI DSS SAQ A scoping, webhook signature, idempotency, amount tampering |
 
 ---
 

package/cli/src/commands/init.js

@@ -163,12 +163,17 @@ export default async function init(options) {
   console.log(chalk.dim(`     secure-sdlc kickoff\n`));
 
   if (stack.name !== "unknown") {
-    const { getStackSecurityNotes } = await import("../utils/stack-detect.js");
+    const { getStackSecurityNotes, getStackProfile } = await import("../utils/stack-detect.js");
     const notes = getStackSecurityNotes(stack.name);
     if (notes.length) {
       console.log(chalk.bold(`\n${stack.display} security notes for your team:\n`));
       notes.slice(0, 3).forEach((n) => console.log(chalk.dim(`  • ${n}`)));
-      console.log(chalk.dim(`  (see stacks/${stack.name}.md for full guidance)\n`));
+      // Only point to a profile that actually ships — avoids a broken reference
+      // for stacks that have notes but no dedicated stacks/<name>.md (e.g. terraform).
+      const profile = getStackProfile(stack.name);
+      if (existsSync(join(REPO_ROOT, "stacks", `${profile}.md`))) {
+        console.log(chalk.dim(`  (see stacks/${profile}.md for full guidance)\n`));
+      }
     }
   }
 }

package/cli/src/utils/stack-detect.js

@@ -79,10 +79,29 @@ export function detectStack(projectRoot) {
   return { name: "unknown", display: "Unknown", language: "Unknown" };
 }
 
+/**
+ * Maps a detected stack name to the stack that owns its security guidance.
+ * Framework variants (e.g. Gin/Echo/Fiber) share their language's profile and notes.
+ */
+const STACK_ALIASES = {
+  gin: "golang",
+  echo: "golang",
+  fiber: "golang",
+};
+
+/**
+ * Resolves the stack profile (notes key + stacks/<name>.md) for a detected stack.
+ * Falls back to the stack name itself when no alias applies.
+ */
+export function getStackProfile(stackName) {
+  return STACK_ALIASES[stackName] || stackName;
+}
+
 /**
  * Returns the top security considerations for a given stack.
  */
 export function getStackSecurityNotes(stackName) {
+  stackName = getStackProfile(stackName);
   const notes = {
     nextjs: [
       "Review Server Actions for CSRF and authorisation — they're POST endpoints by default",
@@ -120,6 +139,13 @@ export function getStackSecurityNotes(stackName) {
       "Audit before_action filters for auth — ensure every controller action is covered",
       "Brakeman is the standard Rails SAST tool — run on every PR",
     ],
+    golang: [
+      "Render HTML with html/template (context-aware escaping) — never text/template, and avoid template.HTML on user input",
+      "Use database/sql placeholders ($1/?) or GORM's ? conditions — never fmt.Sprintf user input into queries",
+      "CORS: set an explicit AllowedOrigins list — never combine wildcard/AllowAllOrigins with AllowCredentials:true",
+      "net/http ships no security headers — add CSP, HSTS, X-Content-Type-Options via middleware (e.g. unrolled/secure)",
+      "Run gosec (SAST) and govulncheck (vulnerable deps) in CI; hash passwords with bcrypt (cost ≥ 12) or argon2id",
+    ],
     terraform: [
       "Pin provider versions with ~> constraints, not latest",
       "Use terraform-aws-modules/terraform-google-modules — don't write IAM from scratch",

package/docs/templates/compliance-attestation.md

@@ -3,7 +3,7 @@
 **Release version:** v[X.Y.Z]
 **Date:** [YYYY-MM-DD]
 **Author:** GRC Analyst Agent + [Human GRC lead]
-**Frameworks in scope:** [SOC 2 / ISO 27001 / NIST CSF / PCI DSS / GDPR — delete inapplicable]
+**Frameworks in scope:** [SOC 2 / ISO 27001 / NIST CSF / PCI DSS / GDPR / HIPAA / DORA / FedRAMP — delete inapplicable]
 **Status:** Draft / Review / Approved
 
 ---
@@ -110,6 +110,45 @@ ISO/IEC 27001:2022 Annex A, NIST CSF 2.0]
 
 ---
 
+### HIPAA *(complete only if protected health information (PHI) is in scope)*
+
+| Standard / Rule | Safeguard | Status | Evidence Reference | Notes |
+|-----------------|-----------|--------|--------------------|-------|
+| §164.308(a)(1) | Security Rule — Security management process (risk analysis) | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| §164.312(a)(1) | Security Rule — Access control (technical safeguards) | | | |
+| §164.312(b) | Security Rule — Audit controls | | | |
+| §164.312(e)(1) | Security Rule — Transmission security (encryption in transit) | | | |
+| §164.502(b) | Privacy Rule — Minimum necessary use and disclosure | | | |
+
+*Extend with additional Security/Privacy Rule standards (e.g. §164.308 administrative, §164.310 physical) relevant to the systems in scope.*
+
+---
+
+### DORA *(complete only if an EU financial entity or critical ICT third-party provider)*
+
+| Article / Pillar | Requirement | Status | Evidence Reference | Notes |
+|------------------|-------------|--------|--------------------|-------|
+| Art. 5–15 | ICT risk management framework | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| Art. 17–23 | ICT-related incident management, classification & reporting | | | |
+| Art. 24–27 | Digital operational resilience testing (incl. TLPT) | | | |
+| Art. 28–30 | ICT third-party risk management | | | |
+
+---
+
+### FedRAMP *(complete only if selling to US federal agencies — NIST SP 800-53 baseline)*
+
+| Control Family | Control | Status | Evidence Reference | Notes |
+|----------------|---------|--------|--------------------|-------|
+| AC — Access Control | AC-2 Account management | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| AU — Audit & Accountability | AU-2 Event logging | | | |
+| IA — Identification & Authentication | IA-2 Identification and authentication (organisational users) | | | |
+| SC — System & Communications Protection | SC-7 Boundary protection | | | |
+| SC — System & Communications Protection | SC-28 Protection of information at rest | | | |
+
+*Select the impact baseline (Low / Moderate / High) and extend with the corresponding 800-53 control families (CM, CP, IR, RA, SI, …).*
+
+---
+
 ## Gaps
 
 Controls that are not fully met at the time of this attestation:

package/docs/templates/threat-model.md

@@ -116,7 +116,7 @@ Priority list of mitigations to carry into the build phase:
 
 | Priority | Threat ID(s) | Mitigation | Owner | ASVS Ref |
 |----------|-------------|------------|-------|----------|
-| 1 | T-001, T-004 | Implement account lockout and generic error responses | Dev Lead | V2.2.1, V8.3.4 |
+| 1 | T-001, T-004 | Implement account lockout and generic error responses | Dev Lead | V6.3.1, V14.1.1 |
 | 2 | | | | |
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kaademos/secure-sdlc",
-  "version": "1.0.2",
+  "version": "1.2.0",
   "description": "Secure SDLC agent team — CLI to scaffold docs, hooks, CI, and MCP-ready security workflows",
   "type": "module",
   "bin": {
@@ -15,6 +15,8 @@
     "docs/templates",
     "hooks",
     "stacks",
+    "skills",
+    ".claude-plugin",
     "warp-workflows",
     ".github/workflows/secure-sdlc-gate.yml",
     ".cursor/rules",
@@ -27,6 +29,7 @@
   "scripts": {
     "prepack": "node cli/bin/secure-sdlc.js --version",
     "sdlc": "node cli/bin/secure-sdlc.js",
+    "test": "node --test test/*.test.js",
     "test:pack": "npm pack --dry-run --ignore-scripts 2>&1"
   },
   "keywords": [