npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.1.0 → 2.2.0 - Mend

@raishin/vanguard-frontier-agentic 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (348) hide show

package/skills/hr/hr-risk-triage-review/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,176 @@
+# Workflow and Output Contract
+## Workflow
+Execute these ten steps in order. Do not skip a step because the input looks
+simple — the steps exist to surface what an HR requester has not said.
+### Step 1 — Define the HR decision or problem in one sentence
+State the proposed HR action or the problem in a single sentence. Examples:
+- "We intend to terminate [role] for repeated performance failures after a three-month PIP."
+- "An employee has filed a harassment complaint against their manager."
+- "We are planning a reduction in force of approximately 40 roles across two business units."
+If the matter cannot be stated in one sentence, ask the user to narrow it before proceeding.
+### Step 2 — Identify population, location, and context
+Collect (or flag as Unknown if not provided):
+- Employee population in scope: count, role(s), employment status (full-time, part-time, fixed-term, contractor, gig/platform)
+- Location(s): country, state/province, local ordinance if relevant
+- Protected-class indicators **only if relevant and volunteered** — do not probe for them
+- Manager chain and decision-makers involved
+- Business unit and entity
+- Policy source(s) the action relies on (handbook, policy number, contract clause, collective agreement)
+- Timeline of events, effective dates, and any deadlines
+- Whether a union, works council, or collective-bargaining agreement applies
+If jurisdiction is not provided, rate all risk domains Unknown and request jurisdiction before proceeding.
+### Step 3 — Separate confirmed facts, allegations, assumptions, hearsay, and missing evidence
+Sort the input into clearly labeled buckets:
+- **Confirmed facts** — established and corroborated
+- **Allegations** — claims made but not yet substantiated; record who made them
+- **Assumptions** — treated as plausible but unverified
+- **Hearsay and opinion** — secondhand accounts and characterizations, not evidence
+- **Missing evidence** — facts that materially affect the assessment and are not provided
+Never assume a manager's or complainant's account is complete. Require corroboration.
+### Step 4 — Identify the HR domain
+Classify the matter against one or more domains: recruiting, onboarding,
+performance, discipline, termination, RIF/reorg, compensation, benefits,
+accommodation, leave, harassment, discrimination, retaliation, workplace
+safety, investigations, employee privacy, labor relations, or culture.
+### Step 5 — Check process integrity
+Test the process behind the decision, not just the outcome. Examine:
+- **Notice** — was the employee given required notice and an opportunity to respond?
+- **Consistency** — does this match how comparable situations were handled?
+- **Documentation** — is there a contemporaneous, non-pretextual record?
+- **Policy alignment** — does the action follow the stated policy and contract?
+- **Prior treatment** — has the employee's prior record been applied evenly?
+- **Decision authority** — does the decision-maker have the authority to act?
+- **Confidentiality** — has sensitive information been contained appropriately?
+- **Appeal / review path** — is there a route for the employee to challenge the decision?
+### Step 6 — Adverse-impact and fairness review
+Ask whether similarly situated employees were treated consistently. Look for
+disparate treatment, disparate impact of facially neutral criteria (especially
+RIF selection criteria), and inconsistency that a fact-finder would read as
+pretext. State explicitly where comparator data is missing.
+### Step 7 — Retaliation analysis
+For any adverse or proposed adverse action, test for retaliation:
+- **Protected activity** — did the employee complain, request leave or accommodation, report safety or wrongdoing, or engage in protected concerted/union activity?
+- **Timing** — how close in time is the adverse action to the protected activity?
+- **Decision-makers** — do the people deciding know about the protected activity?
+- **Documentation** — does the record predate the protected activity, or appear after it?
+- **Alternative explanations** — is there a credible, documented non-retaliatory reason?
+An adverse action following protected activity is the highest-risk finding possible — lead with it.
+### Step 8 — Privacy analysis
+Review handling of employee data:
+- **Minimum necessary** — is only the data needed for the decision being collected and used?
+- **Role-based access** — is access limited to those who need it?
+- **Retention** — is there a defined retention and disposal path?
+- **Consent / notice** — where the jurisdiction requires it, has notice or consent been given?
+- **Sensitive data** — are medical, disability, immigration, and protected-characteristic data segregated and protected?
+### Step 9 — Rate risk
+Assign one of five ratings to each identified risk:
+| Rating | Meaning |
+|---|---|
+| Critical | Immediate legal exposure; do not proceed without counsel sign-off |
+| High | Material litigation, regulatory, or financial exposure; escalation strongly indicated |
+| Medium | Manageable with documented controls; monitor and document |
+| Low | Limited exposure on current evidence; note and monitor |
+| Unknown | Jurisdiction or material facts missing; cannot rate without them |
+Unknown is mandatory — not optional — wherever documentation is incomplete or jurisdiction is absent.
+### Step 10 — Recommend safe next actions and escalation path
+Present a range of safe next actions, not a single directive. For each, state
+what it entails, what supports it, what risk it mitigates, and what residual
+risk remains. Then state the escalation path. Escalate to employment counsel
+when any of the following is true:
+- The matter involves jurisdiction-specific statutory rights or notice periods
+- A claim, complaint, charge, or grievance has been filed or threatened
+- Protected characteristics, protected activity, or whistleblower status are in play
+- The financial or reputational exposure is material
+- A mass-layoff, collective-consultation, or works-council trigger may apply
+- Immigration or work-authorization status is affected
+- The matter involves executive compensation, executive misconduct, or equity
+- There is any ambiguity about whether a retaliatory or discriminatory motive could be attributed to the action
+---
+## Output
+Return findings in this structure:
+```
+## Verdict
+<one of: proceed | proceed with controls | pause | escalate | insufficient evidence>
+<one sentence explaining the verdict>
+## Ruthless challenge
+<2–4 sentences: the weakest part of the current HR thinking — adversarial framing, no softening>
+## Facts, allegations, assumptions, and missing evidence
+- Confirmed facts: <fact>
+- Allegations: <claim — who made it, what is unproven>
+- Assumptions and hearsay: <item and its basis>
+- Missing evidence: <materially relevant fact not provided>
+## Policy and process issues
+- <process gap — notice, consistency, documentation, policy alignment, prior treatment, decision authority, confidentiality, or appeal path — and why it matters>
+## Fairness, consistency, retaliation, and privacy stress test
+- Adverse impact / fairness: <were similarly situated employees treated consistently; where is comparator data missing>
+- Retaliation: <protected activity, timing, decision-maker knowledge, documentation sequence, alternative explanations>
+- Privacy: <minimum-necessary data, role-based access, retention, notice/consent, sensitive-data handling>
+- Adverse lenses: <worst-case framing from employee, plaintiff counsel, regulator/labor authority, works council/union, auditor, board, press>
+## Risk rating table
+| Issue | Severity | Evidence | Employee impact | Enterprise impact | Owner | Mitigation |
+|---|---|---|---|---|---|---|
+| <issue> | Critical/High/Medium/Low/Unknown | <evidence basis> | <impact on the employee> | <impact on the enterprise> | <decision owner> | <mitigation> |
+## Documentation checklist
+- [ ] <record or document that must exist and be verified before action>
+- [ ] <...>
+## Safe next actions
+1. <action — who does it, what it requires>
+2. <action>
+## Required escalation
+<explicit statement of which matters must reach employment counsel, HR, employee relations, privacy, or security before any action is taken>
+## Questions HR and legal must answer before action
+- <question>
+- <question>
+```
+---
+## Security notes
+- Never request or accept employee medical records, disability detail, immigration documents, compensation records, investigation notes, or attorney-client privileged communications. Ask for sanitized summaries with PII and protected-characteristic detail limited to what the question requires.
+- This is a static risk-triage review: do not draft termination letters, settlement agreements, disciplinary notices, or legal communications. Direct the user to employment counsel for those documents.
+- Do not draft retaliatory, discriminatory, intimidating, or misleading employee communications.
+- A proposed action that follows an employee's protected activity (complaint, leave request, accommodation request, safety report, union/labor activity, whistleblower report) is the highest-risk finding possible — lead with it.
+- Pretextual or backdated documentation requests (documenting performance issues retroactively to justify an already-decided termination, or backdating PIPs) must be refused explicitly. State that you will not assist with that and explain why.
+- Do not recommend termination, discipline, denial of leave or accommodation, or adverse action as the outcome — present readiness criteria, options, and escalation paths, and leave the decision to qualified human decision-makers.

package/skills/legal/legal-counsel-review/SKILL.md ADDED Viewed

@@ -0,0 +1,50 @@
+---
+name: legal-counsel-review
+description: Use this skill when reviewing legal, contractual, regulatory, privacy, litigation, compliance, or risk-governance questions for an enterprise legal function. Trigger when a user provides a contract excerpt, a policy, a compliance question, a privacy-risk question, or a legal intake item and wants risks, evidence gaps, decision options, and escalation paths surfaced. This skill is an adversarial risk-review discipline; it does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-18"
+  category: compliance
+  lifecycle: experimental
+---
+# Legal Counsel Review
+## Purpose
+This skill is an adversarial legal-risk review discipline for an enterprise legal and compliance function. It reviews contracts, legal-policy questions, compliance triage, privacy risk, employment-law risk triage, vendor and legal intake, regulatory mapping, M&A and legal due-diligence triage, litigation-risk assessment, legal-ops workflows, and policy-exception reviews. It surfaces risks, assumptions, evidence gaps, decision options, and escalation paths for qualified counsel. It does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions.
+## Lean operating rules
+- Never conclude "this is legal" or "this is compliant" — rate risk as Critical/High/Medium/Low or Unknown and state the evidence basis. Risk appears lower or higher on the evidence provided; only qualified counsel can conclude compliance.
+- Never invent statutes, case law, regulatory thresholds, penalty amounts, filing deadlines, or jurisdiction-specific rules. Only state a specific figure if it was fetched from an official source in the current session and is cited inline. When in doubt, point to the official regulator and flag as to-be-verified.
+- Rate risk Critical/High/Medium/Low/Unknown. Unknown is mandatory whenever jurisdiction, governing law, material facts, or counterparty identity are missing or ambiguous — do not assign a lower rating to paper over an unknown.
+- Separate facts, assumptions, inferences, and open questions in every response. Label each claim with its basis: document provided, reasonable inference, documentation-based, or stated uncertainty.
+- Work from sanitized excerpts only. Never request secrets, credentials, PII, employee medical detail, trade secrets, privileged communications, or customer data. If such material is offered, decline and ask for a redacted version.
+- Protect privilege: flag all material that appears to have been created in anticipation of litigation or that is subject to attorney-client privilege, and recommend that it be handled only by or with counsel.
+- Treat the following matter types as escalation-grade regardless of apparent severity: retaliation, discrimination, harassment, wage-and-hour violations, whistleblower matters, termination decisions, immigration status, sanctions and export-control issues, bribery and anti-corruption (FCPA/UK Bribery Act/local equivalents), personal-data breaches requiring regulatory notification, and public-company disclosure obligations.
+- Every recommendation must map to evidence in the document, a stated assumption, or a stated uncertainty — no bare conclusions.
+- Recommend escalation to qualified local counsel when the matter is jurisdiction-specific, high-impact, employment-related, litigation-related, regulated, or financially material, or when an Unknown rating cannot be resolved from the information provided.
+- Do not recommend a single overconfident action. Provide safe options that preserve decision authority for counsel.
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing a full review or formatting the final answer.
+- [US jurisdiction reference](references/jurisdictions/us.md) — contract, privacy, and regulatory checkpoints for US-law matters.
+- [EU jurisdiction reference](references/jurisdictions/eu.md) — GDPR and EU regulatory checkpoints.
+- [UK jurisdiction reference](references/jurisdictions/uk.md) — UK GDPR, Data Protection Act 2018, and UK regulatory checkpoints.
+- [Singapore jurisdiction reference](references/jurisdictions/singapore.md) — PDPA and Singapore regulatory checkpoints.
+- [Australia jurisdiction reference](references/jurisdictions/australia.md) — Privacy Act 1988 and Australian regulatory checkpoints.
+## Response minimum
+Return, at minimum:
+- Legal question stated in one sentence
+- Jurisdiction and governing law identified (or flagged Unknown)
+- Missing material facts that affect the analysis
+- Risk domain identified (contract, privacy, employment, IP, regulatory, litigation, competition, sanctions, procurement, finance, public-company disclosure, cybersecurity, records retention, other)
+- Decision owner identified
+- Adversarial stress test (worst-case interpretation; regulator, plaintiff, counterparty, employee, auditor, board, or press view)
+- Risk rating per issue (Critical / High / Medium / Low / Unknown) with evidence basis
+- Safe next actions
+- Escalation trigger
+- Questions qualified counsel must answer before approval

package/skills/legal/legal-counsel-review/metadata.json ADDED Viewed

@@ -0,0 +1,22 @@
+{
+  "id": "legal-counsel-review",
+  "name": "Legal Counsel Review",
+  "type": "skill",
+  "provider": "generic",
+  "harnesses": ["codex", "claude-code", "cursor", "gemini", "kiro", "other"],
+  "summary": "Adversarial legal-risk review discipline for contracts, privacy, regulatory, litigation, compliance, and policy-exception questions — surfaces risks, evidence gaps, decision options, and escalation paths for qualified counsel. Does not give legal advice.",
+  "source_type": "original",
+  "official_docs": [
+    "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+    "https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en",
+    "https://www.legislation.gov.uk/ukpga/2018/12/contents",
+    "https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act",
+    "https://www.oaic.gov.au/privacy/the-privacy-act",
+    "https://www.law.cornell.edu/wex"
+  ],
+  "security_notes": "Static review only — works from sanitized excerpts; never requests secrets, credentials, personal data, employee medical detail, or trade secrets. Does not issue binding legal conclusions; flags privileged material and recommends escalation to qualified counsel.",
+  "last_verified": "2026-05-18",
+  "path": "skills/legal/legal-counsel-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/legal/legal-counsel-review/references/jurisdictions/australia.md ADDED Viewed

@@ -0,0 +1,86 @@
+# Australia — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified Australian counsel (noting that each state and territory has separate courts and legislation that may also apply).
+Last verified: 2026-05-18
+---
+## Regime overview
+Australia is a federal common-law jurisdiction. Privacy and data protection at the federal level are governed by the Privacy Act 1988, administered by the Office of the Australian Information Commissioner (OAIC). The Australian Government has been conducting a comprehensive review of the Privacy Act; significant amendments may have been enacted since this file was written — the reviewer must verify current law with counsel. Contract law is common law. Employment law is primarily federal (Fair Work Act 2009) with state/territory overlay. Anti-corruption and anti-bribery obligations apply under federal criminal law and the Foreign Bribes schedule.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Office of the Australian Information Commissioner (OAIC) | Privacy Act 1988 enforcement; freedom of information; privacy impact assessments | https://www.oaic.gov.au |
+| Australian Competition and Consumer Commission (ACCC) | Competition Act enforcement; consumer protection; merger review | https://www.accc.gov.au |
+| Australian Securities and Investments Commission (ASIC) | Financial services; corporations law; market conduct; disclosure | https://www.asic.gov.au |
+| Australian Prudential Regulation Authority (APRA) | Banking; insurance; superannuation; operational risk standards (CPS 234 cybersecurity) | https://www.apra.gov.au |
+| Fair Work Commission | Industrial disputes; enterprise agreements; unfair dismissal | https://www.fwc.gov.au |
+| Fair Work Ombudsman | Fair Work Act compliance; underpayment investigations | https://www.fairwork.gov.au |
+| Australian Cyber Security Centre (ACSC) | Cyber incident guidance and reporting; not a general regulator | https://www.cyber.gov.au |
+| Attorney-General's Department | Privacy Act reform; Notifiable Data Breaches scheme; criminal law | https://www.ag.gov.au |
+---
+## Primary statutes and regulations (verify current text at legislation.gov.au)
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| Privacy Act 1988 (Cth) | Personal information handling by Australian Government agencies and private-sector APP entities; 13 Australian Privacy Principles (APPs); Notifiable Data Breaches (NDB) scheme; credit reporting; health information | https://www.oaic.gov.au/privacy/the-privacy-act and https://www.legislation.gov.au |
+| Australian Privacy Principles (APPs) — Schedule 1 to Privacy Act | 13 principles governing open and transparent management, anonymity, collection, use, disclosure, quality, security, access, and correction | https://www.oaic.gov.au/privacy/australian-privacy-principles |
+| Notifiable Data Breaches (NDB) scheme — Part IIIC of Privacy Act | Mandatory notification to OAIC and affected individuals when a data breach is likely to result in serious harm | https://www.oaic.gov.au/privacy/notifiable-data-breaches |
+| Security of Critical Infrastructure Act 2018 (SOCI Act), as amended | Obligations for entities responsible for critical infrastructure assets (energy, water, banking, communications, etc.); mandatory incident reporting to the Australian Signals Directorate | https://www.legislation.gov.au — verify current amended version |
+| Corporations Act 2001 (Cth) | Corporate governance; director duties; continuous disclosure; ASIC enforcement | https://www.legislation.gov.au |
+| Fair Work Act 2009 (Cth) | National employment standards; unfair dismissal; general protections (adverse action); enterprise agreements | https://www.legislation.gov.au |
+| Criminal Code Act 1995 (Cth), Division 70 | Foreign bribery offences; equivalent to FCPA for Australian entities and those with Australian nexus | https://www.legislation.gov.au |
+| Competition and Consumer Act 2010 (Cth) | Antitrust; merger review; misleading and deceptive conduct; consumer guarantees | https://www.legislation.gov.au |
+| Spam Act 2003 (Cth) | Unsolicited commercial electronic messages; consent requirements | https://www.legislation.gov.au |
+| Telecommunications (Interception and Access) Act 1979 (Cth) | Lawful interception; stored communications | https://www.legislation.gov.au |
+---
+## Structural review checkpoints
+1. **Privacy Act threshold — APP entity** — confirm whether the entity is an "APP entity" (Australian Government agency, or private-sector organisation with annual turnover above the threshold or in a covered category such as health service providers). Verify the current turnover threshold and any recent amendments with counsel — the Privacy Act review has proposed changes to this threshold.
+2. **Australian Privacy Principles audit** — map the data flow against all 13 APPs. Key checkpoints:
+   - APP 1: Open and transparent management — privacy policy current and accessible?
+   - APP 5: Notification at or before collection — was notice given?
+   - APP 6: Use and disclosure — is secondary use authorised?
+   - APP 11: Security of personal information — reasonable steps taken?
+   - APP 12/13: Access and correction rights — process in place?
+   Verify each APP's current text at https://www.oaic.gov.au/privacy/australian-privacy-principles.
+3. **Notifiable Data Breaches** — confirm whether a breach is likely to result in serious harm. If so, OAIC notification and individual notification obligations apply. Verify current format, timeline, and OAIC reporting portal at https://www.oaic.gov.au/privacy/notifiable-data-breaches.
+4. **SOCI Act critical infrastructure** — determine whether the entity owns, operates, or has a material interest in a critical infrastructure asset. If yes, mandatory incident notification to the Australian Signals Directorate and sector-specific obligations apply.
+5. **APRA CPS 234** — for APRA-regulated entities (banks, insurers, superannuation funds), confirm CPS 234 information security obligations, incident notification to APRA, and third-party service provider controls.
+6. **Foreign bribery** — Criminal Code Act 1995, Division 70 applies to Australian entities and individuals and has extraterritorial reach. Flag any payment to a foreign public official. No facilitation-payment exception post-2024 amendments — verify current law with counsel.
+7. **Employment — Fair Work Act** — confirm National Employment Standards (NES) compliance, general protections (adverse action provisions are broad and apply to most employment decisions), and whether enterprise agreements or modern awards apply. Unfair dismissal requires a minimum employment period; confirm current figure with counsel.
+8. **Continuous disclosure** — listed companies on ASX are subject to continuous disclosure obligations under the Corporations Act and ASX Listing Rules. Flag material information that may not have been disclosed.
+9. **Merger review** — ACCC has jurisdiction to review mergers. The merger control regime has been amended; verify whether a mandatory notification or informal clearance is required with M&A counsel.
+10. **State and territory law** — certain matters (property, workplace health and safety, workers' compensation, some employment conditions) are governed by state/territory law. Flag the relevant jurisdiction(s) and escalate to locally-admitted counsel.
+---
+## Escalation triggers (Australia-specific)
+- NDB mandatory notification triggered — escalate immediately to Australian privacy counsel; prepare OAIC notification and individual notification plan.
+- SOCI Act critical-infrastructure incident — escalate immediately; mandatory reporting to the Australian Signals Directorate applies.
+- APRA CPS 234 material information security incident — escalate to regulatory counsel; APRA notification obligation.
+- Foreign bribery suspicion (Division 70) — escalate to Australian criminal defence counsel before any internal investigation step; consider voluntary disclosure regime (verify current status with counsel).
+- ASIC continuous-disclosure obligation potentially triggered — escalate to securities lawyers and board; trading halt may be required.
+- Adverse action or general protections claim filed under Fair Work Act — escalate to employment counsel; reversed onus of proof applies to the employer.
+- Class-action threatened or filed — escalate to Australian litigation counsel immediately.
+- Privacy Act reform amendments enacted — reviewer must verify whether any changes to the APP entity threshold, enforcement powers, or mandatory requirements apply to the matter at hand.
+---
+## Sources (verified in this session)
+- OAIC Privacy Act overview: https://www.oaic.gov.au/privacy/the-privacy-act — loaded successfully; confirmed Privacy Act 1988 scope, APP entities, 13 APPs, and review status.
+- OAIC Australian Privacy Principles overview: https://www.oaic.gov.au/privacy/australian-privacy-principles — loaded successfully; confirmed 13 APPs, principles-based framework, technology neutrality.
+- All legislation.gov.au statute citations are the official Commonwealth consolidated law database; verify current amended text before relying on any provision.
+- Regulator websites (accc.gov.au, asic.gov.au, apra.gov.au, fwc.gov.au, fairwork.gov.au) confirmed as official government sources; verify individual page availability before citing.

package/skills/legal/legal-counsel-review/references/jurisdictions/eu.md ADDED Viewed

@@ -0,0 +1,77 @@
+# European Union — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified EU/member-state counsel.
+Last verified: 2026-05-18
+---
+## Regime overview
+The EU operates a unified legal framework for data protection (GDPR), but many other legal regimes — contract law, employment law, competition enforcement, sector regulation — are implemented at the member-state level within EU-wide harmonizing directives. Any matter involving a specific member state requires counsel admitted in that jurisdiction. Data protection is a fundamental right under Article 8 of the EU Charter of Fundamental Rights.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| National Data Protection Authorities (DPAs) | GDPR enforcement in each member state; the lead supervisory authority (LSA) is determined by the controller's main establishment | Varies by state — find via https://www.edpb.europa.eu/about-edpb/about-edpb/members_en |
+| European Data Protection Board (EDPB) | Ensures consistent GDPR application across the EU; issues binding decisions in cross-border cases | https://www.edpb.europa.eu |
+| European Data Protection Supervisor (EDPS) | Supervises EU institutions' own data processing | https://edps.europa.eu |
+| European Commission (DG JUSTICE) | Proposes data protection legislation; adequacy decisions for third-country transfers | https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en |
+| European Competition Network (ECN) | Coordinates antitrust and merger enforcement with national competition authorities | https://competition-policy.ec.europa.eu |
+| National competition authorities (NCAs) | Antitrust enforcement within member states; notify European Commission for mergers above thresholds | Varies by state |
+---
+## Primary statutes and regulations (verify current text and amendments)
+| Instrument | Scope | Official source |
+|-----------|-------|-----------------|
+| General Data Protection Regulation — Regulation (EU) 2016/679 (GDPR) | Personal data processing by controllers and processors established in the EU, or processing personal data of EU data subjects | https://eur-lex.europa.eu/eli/reg/2016/679/oj |
+| Law Enforcement Directive — Directive (EU) 2016/680 | Personal data processing by competent authorities for crime prevention, investigation, prosecution, or execution of criminal penalties | https://eur-lex.europa.eu/eli/dir/2016/680/oj |
+| EUDPR — Regulation (EU) 2018/1725 | Personal data processing by EU institutions and bodies | https://eur-lex.europa.eu/eli/reg/2018/1725/oj |
+| ePrivacy Directive — Directive 2002/58/EC (as amended) | Electronic communications; cookies; direct marketing. Note: the ePrivacy Regulation proposal is pending — verify current status with counsel. | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058 |
+| AI Act — Regulation (EU) 2024/1689 | Risk-based framework for AI systems; high-risk AI obligations for providers and deployers | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401689 — verify current implementation timeline with counsel |
+| Digital Services Act (DSA) — Regulation (EU) 2022/2065 | Online intermediary obligations; content moderation; transparency | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065 |
+| Digital Markets Act (DMA) — Regulation (EU) 2022/1925 | Obligations for designated "gatekeepers" | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1925 |
+| NIS2 Directive — Directive (EU) 2022/2555 | Cybersecurity requirements for essential and important entities; incident reporting obligations | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555 |
+---
+## Structural review checkpoints
+1. **Territorial scope** — confirm whether GDPR Article 3 applies: (a) establishment in the EU, or (b) offering goods/services to EU data subjects, or (c) monitoring behaviour occurring in the EU. If yes, full GDPR applies regardless of where the controller is incorporated.
+2. **Legal basis for processing** — identify which GDPR Article 6 basis applies (consent, contract, legal obligation, vital interests, public task, legitimate interests). For special-category data (Article 9), confirm an explicit additional basis. Confirm against current text at https://eur-lex.europa.eu/eli/reg/2016/679/oj.
+3. **Data subject rights** — check whether the document or process has mapped obligations under Articles 12–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making). Flag gaps.
+4. **International transfers** — any personal data transfer outside the EEA requires an Article 46 transfer mechanism (SCCs, BCRs, adequacy decision) or an Article 49 derogation. Verify adequacy decisions at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Note: Schrems II invalidated Privacy Shield; confirm current US transfer mechanism with counsel.
+5. **Data Protection Officer (DPO)** — determine whether the entity is required to appoint a DPO (public authority, large-scale systematic monitoring, or large-scale special-category processing). Flag if absent when required.
+6. **Records of Processing Activities (RoPA)** — Article 30 requires most controllers and processors to maintain a RoPA. Flag absence.
+7. **Data breach notification** — Article 33 requires notification to the competent DPA within 72 hours of awareness, where feasible. Article 34 requires notification to data subjects in high-risk breaches. Confirm thresholds and format with counsel.
+8. **Data Protection Impact Assessment (DPIA)** — Article 35 requires a DPIA for high-risk processing. Review whether one was conducted and documented.
+9. **Processor agreements** — Article 28 requires a written data processing agreement (DPA/DPA agreement) when using processors. Flag missing or inadequate agreements.
+10. **Competition and merger control** — for transactions, assess whether EU Merger Regulation thresholds are met (Article 1 of Regulation (EC) 139/2004). Verify current thresholds with M&A counsel; do not state specific figures here.
+11. **Employment matters** — EU employment law is substantially member-state law (works council rights, consultation obligations, TUPE-equivalent protections under Directive 2001/23/EC on transfers of undertakings). Flag the specific member state(s) and escalate to local employment counsel.
+12. **NIS2 incident reporting** — identify whether the entity is an "essential" or "important" entity under NIS2. Flag reporting timelines and verify member-state implementing legislation with counsel.
+---
+## Escalation triggers (EU-specific)
+- Personal-data breach with risk to individuals — 72-hour DPA notification clock runs from awareness; escalate immediately to privacy counsel and DPO.
+- Cross-border data transfer to a third country without a confirmed, current transfer mechanism — escalate; the absence is an ongoing GDPR violation.
+- GDPR enforcement investigation or DPA inquiry — escalate to qualified EU data-protection counsel; preserve privilege carefully.
+- Special-category data (health, biometric, genetic, political opinions, religious beliefs, trade-union membership, sexual orientation, criminal offences) — heightened legal basis required; escalate.
+- AI Act high-risk AI system deployment — confirm compliance obligations before deployment; consult with counsel.
+- M&A transaction potentially meeting EU Merger Regulation thresholds — escalate to M&A counsel for pre-notification assessment.
+- Works council consultation rights triggered by restructuring or technology deployment — escalate to local employment counsel; breach of consultation rights can void the action.
+- EDPB binding decision or national DPA enforcement action — escalate immediately.
+---
+## Sources (verified in this session)
+- GDPR text: https://eur-lex.europa.eu/eli/reg/2016/679/oj — loaded successfully; confirmed full regulation text.
+- European Commission data protection overview: https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en — loaded successfully; confirmed GDPR, LED, EUDPR framework, EDPB, EDPS roles.
+- EUR-Lex used for all EU legislative citations; verify instrument-specific URLs at https://eur-lex.europa.eu.

package/skills/legal/legal-counsel-review/references/jurisdictions/singapore.md ADDED Viewed

@@ -0,0 +1,76 @@
+# Singapore — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified Singapore-admitted counsel.
+Last verified: 2026-05-18
+---
+## Regime overview
+Singapore is a common-law jurisdiction. Contract law follows English common-law principles as received and developed locally. Data protection is governed by the Personal Data Protection Act 2012 (PDPA), as significantly amended in 2021, with ongoing subsidiary legislation and guidelines issued by the Personal Data Protection Commission (PDPC). Singapore has strict anti-corruption laws, a comprehensive competition framework, and a mandatory data-breach notification regime. Employment law is codified in the Employment Act 1968 and related statutes.
+> Note: The PDPC's official website (pdpc.gov.sg) returned incomplete content during this session's fetch attempts. All PDPA references below point to the official statute at statutes.agc.gov.sg or the Attorney-General's Chambers Singapore Statutes Online portal. Reviewers must verify current subsidiary legislation, PDPC advisory guidelines, and updated penalty figures directly at official sources.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Personal Data Protection Commission (PDPC) | PDPA enforcement; advisory guidelines; data-breach investigations | https://www.pdpc.gov.sg |
+| Competition and Consumer Commission of Singapore (CCCS) | Competition Act enforcement; consumer protection; merger review | https://www.cccs.gov.sg |
+| Monetary Authority of Singapore (MAS) | Financial services regulation; banking; securities; insurance; AML/CFT | https://www.mas.gov.sg |
+| Ministry of Manpower (MOM) | Employment Act; work-pass framework; foreign workers; workplace safety | https://www.mom.gov.sg |
+| Corrupt Practices Investigation Bureau (CPIB) | Prevention of Corruption Act enforcement; anti-bribery investigations | https://www.cpib.gov.sg |
+| Attorney-General's Chambers (AGC) | Legal advice to government; Singapore statutes online | https://www.agc.gov.sg |
+---
+## Primary statutes and regulations (verify current text at statutes.agc.gov.sg)
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020 | Collection, use, disclosure, and care of personal data by organisations; mandatory data-breach notification; data-portability obligation | https://statutes.agc.gov.sg — search "Personal Data Protection Act" |
+| PDPA subsidiary legislation and PDPC Advisory Guidelines | Detailed rules on consent, notification, access, correction, portability, and Do Not Call registry | https://www.pdpc.gov.sg/guidelines-and-consultation — verify current versions |
+| Employment Act 1968 (Cap. 91) | Core employment terms; salary; rest days; leave entitlements | https://statutes.agc.gov.sg — search "Employment Act" |
+| Prevention of Corruption Act (Cap. 241) | Anti-bribery; extraterritorial reach for Singapore citizens and residents | https://statutes.agc.gov.sg — search "Prevention of Corruption Act" |
+| Competition Act 2004 | Prohibition of anti-competitive agreements, abuse of dominance; merger notification | https://statutes.agc.gov.sg — search "Competition Act" |
+| Computer Misuse Act (Cap. 50A) | Unauthorised computer access and cybercrime | https://statutes.agc.gov.sg — search "Computer Misuse Act" |
+| Electronic Transactions Act 2010 | Electronic signatures; e-commerce; intermediary liability | https://statutes.agc.gov.sg — search "Electronic Transactions Act" |
+| Cybersecurity Act 2018 | Protection of critical information infrastructure (CII); incident reporting | https://statutes.agc.gov.sg — search "Cybersecurity Act" |
+---
+## Structural review checkpoints
+1. **PDPA territorial scope** — PDPA applies to organisations collecting, using, or disclosing personal data in Singapore, regardless of where the organisation is incorporated. Confirm whether the organisation falls within scope or a statutory exemption (e.g., individual personal or domestic use, employee data in employment context — note the employment-data exclusion has specific boundaries; verify with counsel).
+2. **Consent and purpose limitation** — the PDPA requires notification and consent (or a statutory exception) before collection, use, or disclosure. Flag purpose-limitation gaps — data collected for one purpose cannot generally be used for another without fresh consent or a recognised exception.
+3. **Data-breach mandatory notification** — the 2020 amendments introduced mandatory breach notification. Confirm current notification thresholds, timelines, and format against PDPC guidelines (pdpc.gov.sg). The reviewer should not state specific figures without confirming against current official guidance.
+4. **Do Not Call (DNC) registry** — check whether marketing communications have verified against the DNC registry before sending. Non-compliance is an enforcement priority.
+5. **Data portability obligation** — verify whether the organisation is subject to the portability obligation (turned on by ministerial order; confirm current status with counsel).
+6. **Employment and work-pass** — Singapore maintains a mandatory work-pass framework for foreign workers (Employment Pass, S Pass, Work Permit). Flag any staffing arrangement involving non-citizens; immigration breaches carry employer liability.
+7. **Anti-corruption** — the Prevention of Corruption Act covers both public-sector and private-sector corruption. Flag any payment, gift, or benefit that could be construed as inducement. The CPIB is an active enforcement body.
+8. **CII cybersecurity obligations** — if the organisation operates or is a supplier to a CII sector (energy, water, banking, healthcare, infocomm, media, land transport, maritime, aviation, security and emergency), the Cybersecurity Act imposes incident-reporting and audit obligations. Verify with counsel.
+9. **MAS regulatory obligations** — for financial-services entities, MAS issues binding notices and guidelines (e.g., MAS Notice 655 on cybersecurity for banks — verify current notices at mas.gov.sg). Regulatory notices have force of law.
+10. **Contract formation and governing law** — Singapore courts apply English common-law contract principles. Confirm choice-of-law and arbitration clauses; Singapore International Arbitration Centre (SIAC) is a common forum.
+---
+## Escalation triggers (Singapore-specific)
+- Personal-data breach meeting PDPA mandatory notification threshold — escalate immediately to privacy counsel and DPO; notify PDPC within the required timeframe (verify current threshold and timeline with counsel against https://www.pdpc.gov.sg).
+- Prevention of Corruption Act suspicion — escalate before any internal investigation step; self-reporting procedures and cooperation with CPIB can affect outcomes.
+- Work-pass violation or illegal employment — escalate to immigration counsel immediately; employer liability is direct.
+- MAS regulatory investigation or MAS Notice breach — escalate to financial-services regulatory counsel.
+- CII-sector cybersecurity incident — escalate to counsel; Commissioner of Cybersecurity notification obligation applies.
+- CCCS merger pre-notification assessment — confirm whether voluntary or mandatory filing is appropriate; escalate to M&A counsel for threshold assessment.
+- SIAC arbitration commencement — escalate to Singapore-admitted litigation counsel.
+---
+## Sources (verified in this session)
+- PDPC website (pdpc.gov.sg): returned incomplete/loading page in this session — reviewer must access directly. Reviewer should verify all PDPA subsidiary legislation and PDPC guidelines at https://www.pdpc.gov.sg.
+- Singapore statutes: https://statutes.agc.gov.sg — the official Attorney-General's Chambers Singapore Statutes Online portal; all statute citations should be verified here. This URL returned 403 in this session; use the AGC portal directly.
+- Regulator websites (cccs.gov.sg, mas.gov.sg, mom.gov.sg, cpib.gov.sg) confirmed as official government sources; verify individual page availability before citing.

package/skills/legal/legal-counsel-review/references/jurisdictions/uk.md ADDED Viewed

@@ -0,0 +1,81 @@
+# United Kingdom — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified UK-qualified counsel (England and Wales, Scotland, and Northern Ireland have distinct legal systems).
+Last verified: 2026-05-18
+---
+## Regime overview
+Following Brexit, the UK operates its own data-protection regime distinct from the EU's, centred on the UK GDPR (a retained version of EU GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner's Office (ICO) is the independent regulator. Contract law is common law (England and Wales: Contract Act principles; Scots law differs). Employment law combines statutory rights and common law. The UK Bribery Act 2010 has wide extraterritorial reach.
+The DPA 2018 is confirmed up to date as of 18 May 2026 at legislation.gov.uk (verified in this session). Recent amendments through 2025–2026 affect automated decision-making and international transfers — verify current text with counsel.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Information Commissioner's Office (ICO) | UK GDPR and DPA 2018 enforcement; guidance; international transfer adequacy | https://ico.org.uk |
+| Competition and Markets Authority (CMA) | Antitrust; merger control; consumer law | https://www.gov.uk/government/organisations/competition-and-markets-authority |
+| Financial Conduct Authority (FCA) | Financial services regulation; consumer duty; market conduct | https://www.fca.org.uk |
+| Prudential Regulation Authority (PRA) | Prudential supervision of banks, insurers | https://www.bankofengland.co.uk/prudential-regulation |
+| Employment Tribunal system | Statutory employment claims; unfair dismissal; discrimination | https://www.gov.uk/courts-tribunals/employment-tribunal |
+| Serious Fraud Office (SFO) | Fraud; bribery; corruption — including UK Bribery Act investigations | https://www.sfo.gov.uk |
+| National Cyber Security Centre (NCSC) | Cyber incident guidance; not a regulator but key resource | https://www.ncsc.gov.uk |
+---
+## Primary statutes and regulations (verify current text and amendments at legislation.gov.uk)
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| UK GDPR (retained Regulation (EU) 2016/679, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and subsequent instruments) | Personal data processing; supplements and must be read with DPA 2018 | Verify current consolidated text via ICO guidance at https://ico.org.uk or legislation.gov.uk |
+| Data Protection Act 2018 (c. 12) | Supplements UK GDPR; law enforcement processing (Part 3); intelligence services processing (Part 4); exemptions and schedules | https://www.legislation.gov.uk/ukpga/2018/12/contents |
+| Privacy and Electronic Communications Regulations 2003 (PECR) | Electronic marketing; cookies; traffic data; electronic communications services | https://www.legislation.gov.uk/uksi/2003/2426/contents |
+| UK Bribery Act 2010 | Anti-bribery; adequate-procedures defence for commercial organisations; wide extraterritorial reach | https://www.legislation.gov.uk/ukpga/2010/23/contents |
+| Equality Act 2010 | Employment discrimination; harassment; nine protected characteristics | https://www.legislation.gov.uk/ukpga/2010/15/contents |
+| Employment Rights Act 1996 (as amended) | Unfair dismissal; wrongful dismissal; statutory rights | https://www.legislation.gov.uk/ukpga/1996/18/contents |
+| National Minimum Wage Act 1998 | Minimum wage obligations | https://www.legislation.gov.uk/ukpga/1998/39/contents |
+| Enterprise Act 2002 | Merger control; market investigations; antitrust offences | https://www.legislation.gov.uk/ukpga/2002/40/contents |
+| Computer Misuse Act 1990 (as amended) | Unauthorised computer access; cybercrime | https://www.legislation.gov.uk/ukpga/1990/18/contents |
+| Network and Information Systems (NIS) Regulations 2018 (as amended) | Cybersecurity obligations for operators of essential services and digital service providers — verify NIS2 UK equivalent status with counsel | https://www.legislation.gov.uk/uksi/2018/506/contents |
+---
+## Structural review checkpoints
+1. **UK GDPR territorial scope** — confirm whether UK GDPR applies: (a) establishment in the UK, or (b) offering goods/services to UK data subjects, or (c) monitoring behaviour in the UK.
+2. **Legal basis for processing** — identify UK GDPR Article 6 basis. For special-category data (Article 9 + DPA 2018 Schedule 1), confirm the additional condition and any statutory instrument. Verify against current ICO guidance at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/.
+3. **International data transfers** — post-Brexit, EU-to-UK transfers rely on the EU adequacy decision for the UK (verify current status — adequacy decisions have finite terms). UK-to-other-country transfers require UK-approved transfer mechanisms (UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs). Verify current approved mechanisms via ICO.
+4. **Data breach notification** — UK GDPR Article 33 requires notification to the ICO within 72 hours of awareness where feasible. Confirm current ICO reporting portal at https://ico.org.uk/for-organisations/report-a-breach/.
+5. **PECR compliance** — check cookie consent, electronic marketing consent, and soft opt-in rules. ICO has enforcement history in this area.
+6. **UK Bribery Act adequate procedures** — if commercial organisation, confirm whether documented adequate-procedures defence exists. Hospitality, facilitation payments (no facilitation-payment exception in UK Bribery Act — unlike FCPA), and payments to foreign officials are all in scope.
+7. **Employment baseline** — confirm worker classification (employee / worker / independent contractor — the UK three-category system differs from US two-category). Check day-one rights (written statement of particulars), unfair-dismissal qualifying period (verify current threshold with counsel), and TUPE applicability for business transfers.
+8. **Discrimination and harassment** — nine protected characteristics under Equality Act 2010 (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation). Employers have a duty to prevent sexual harassment (Worker Protection (Amendment of Equality Act 2010) Act 2023 — verify current obligations with counsel).
+9. **Merger control** — CMA has jurisdiction over transactions meeting UK share-of-supply or turnover thresholds. Verify current thresholds with M&A counsel; Brexit means separate UK and EU filings may both be required.
+10. **DPA 2018 exemptions** — flag use of research, journalism, legal professional privilege, or national-security exemptions; each has conditions that must be verified with counsel.
+---
+## Escalation triggers (UK-specific)
+- UK GDPR personal-data breach with risk to individuals — 72-hour ICO notification clock; escalate immediately to UK privacy counsel.
+- UK Bribery Act suspicion (including facilitation payments, which have no exception under UK law) — escalate before any internal investigation step; SFO deferred-prosecution agreement regime applies.
+- SFO investigation or dawn raid — escalate to UK criminal defence and white-collar counsel immediately; do not destroy documents.
+- TUPE transfer triggered by outsourcing or acquisition — escalate to UK employment counsel; failure to inform and consult is a strict-liability claim.
+- Redundancy / collective dismissal — statutory collective consultation obligations (verify current thresholds with employment counsel); failure triggers unlimited compensation.
+- UK adequacy decision for EU-to-UK transfers — monitor for renewal or lapse; transfer mechanism failures are ongoing violations.
+- FCA consumer duty or conduct-of-business breach — escalate to UK financial-services regulatory counsel.
+- NIS Regulations incident notification obligation triggered — escalate; verify applicable competent authority and timeline with counsel.
+---
+## Sources (verified in this session)
+- Data Protection Act 2018 full text: https://www.legislation.gov.uk/ukpga/2018/12/contents — loaded successfully; confirmed four-part structure and up-to-date status as of 18 May 2026.
+- Data Protection Act 2018 Part 2: https://www.legislation.gov.uk/ukpga/2018/12/part/2 — loaded successfully; confirmed UK GDPR supplementation, controller definitions, lawfulness provisions, and 2025–2026 amendments.
+- ICO URLs (ico.org.uk) returned 403 in this session — reviewer must access ICO guidance directly at https://ico.org.uk; do not rely on cached content.
+- All legislation.gov.uk statute URLs are official UK government sources.