@raishin/vanguard-frontier-agentic 2.1.0 → 2.3.0

package/skills/hr/hr-risk-triage-review/references/jurisdictions/uk.md

@@ -0,0 +1,100 @@
+# UK Employment Law — Jurisdiction Reference Map
+
+> **Review map only.** This file describes the structure of the employment-law regime in Great Britain (England, Scotland, and Wales). Northern Ireland has separate employment legislation administered by the Labour Relations Agency. This file is not legal advice, may be out of date, and must be verified against current official sources. Jurisdiction-specific conclusions require qualified UK employment counsel.
+
+Last verified: 2026-05-18
+
+---
+
+## Regime overview
+
+UK employment law is a statutory framework supplemented by ACAS codes of practice, employment tribunal case law, and contractual rights. Employment protections are primarily statutory; the key battleground is usually procedural fairness (following the ACAS Code and a fair process) alongside the substantive reason for the action. Since Brexit, EU directives no longer directly apply, though the body of retained EU-derived legislation continues to be operative unless expressly amended — verify current status of any EU-derived provision against legislation.gov.uk. The Employment Rights Act 2024 introduced significant changes including reforms to unfair dismissal; the reviewer must verify the current state of implementation against official sources.
+
+Employment status in the UK has three tiers: employee, worker, and self-employed/independent contractor. The protections available differ materially across the three. Confirming status is a threshold question.
+
+---
+
+## Primary regulators and bodies
+
+| Body | Role | Official source |
+|---|---|---|
+| ACAS (Advisory, Conciliation and Arbitration Service) | Codes of practice; pre-claim conciliation; guidance | https://www.acas.org.uk/advice |
+| Employment Tribunals | Primary forum for unfair dismissal, discrimination, wage, and other employment claims | https://www.gov.uk/employment-tribunals |
+| Employment Appeal Tribunal (EAT) | Appeals on points of law from Employment Tribunals | https://www.gov.uk/courts-tribunals/employment-appeal-tribunal |
+| Equality and Human Rights Commission (EHRC) | Equality Act 2010 enforcement and guidance | https://www.equalityhumanrights.com |
+| Health and Safety Executive (HSE) | Workplace health, safety, and wellbeing | https://www.hse.gov.uk |
+| ICO (Information Commissioner's Office) | UK GDPR and data protection enforcement | https://ico.org.uk |
+| HMRC | National minimum wage enforcement; employment status (tax/NICs) | https://www.gov.uk/government/organisations/hm-revenue-customs |
+
+---
+
+## Primary statutes and frameworks
+
+| Statute / framework | Subject | Official source |
+|---|---|---|
+| Employment Rights Act 1996 | Unfair dismissal, redundancy, written particulars, statutory rights | https://www.legislation.gov.uk/ukpga/1996/18 |
+| Equality Act 2010 | Discrimination, harassment, victimisation — nine protected characteristics | https://www.legislation.gov.uk/ukpga/2010/15 |
+| ACAS Code of Practice on Disciplinary and Grievance Procedures | Procedural fairness standard — tribunals adjust awards for non-compliance | https://www.acas.org.uk/acas-code-of-practice-for-disciplinary-and-grievance-procedures |
+| Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) | Employee rights on business transfers and service-provision changes | https://www.legislation.gov.uk/uksi/2006/246 |
+| Trade Union and Labour Relations (Consolidation) Act 1992 (TULRCA) | Collective redundancy consultation; trade union rights; industrial action | https://www.legislation.gov.uk/ukpga/1992/52 |
+| National Minimum Wage Act 1998 | Minimum wage entitlements (rates verified via gov.uk annually) | https://www.gov.uk/national-minimum-wage-rates |
+| Working Time Regulations 1998 | Working hours, rest, annual leave | https://www.legislation.gov.uk/uksi/1998/1833 |
+| UK GDPR / Data Protection Act 2018 | Personal data processing in employment | https://ico.org.uk/for-organisations/guide-to-data-protection |
+| Whistleblowing legislation (PIDA 1998 as amended) | Protected disclosures; detriment and dismissal protection | https://www.gov.uk/whistleblowing |
+| Employment Rights Act 2024 | Day-one unfair dismissal rights (implementation timetable — verify current status) | https://www.legislation.gov.uk/ukpga/2024/15 |
+
+---
+
+## Structural review checkpoints
+
+**Unfair dismissal**
+- Employees with the qualifying service period may claim unfair dismissal. The Employment Rights Act 2024 proposed day-one unfair dismissal rights — verify the current implementation status and effective date before assuming a qualifying period applies.
+- For a dismissal to be fair: (a) there must be a fair reason (conduct, capability, redundancy, statutory illegality, or some other substantial reason); and (b) the employer must have acted reasonably, including following a fair procedure consistent with the ACAS Code.
+- Failure to follow the ACAS Code may lead to an uplift in tribunal compensation of up to the percentage stated in the Code — verify the current figure at https://www.acas.org.uk.
+- Automatically unfair dismissal (no qualifying period required) includes: whistleblowing, asserting a statutory right, pregnancy/maternity, trade union activity, and others — verify the full list at https://www.acas.org.uk/dismissals/unfair-dismissal.
+
+**Protected characteristics (Equality Act 2010)**
+Nine protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation. Confirm which apply to the matter. Harassment and victimisation protections are separate heads of claim.
+
+**Procedural fairness (ACAS Code)**
+The ACAS Code of Practice requires: investigation, invitation to a hearing with notice, right to be accompanied (by a colleague or trade union representative), decision communicated in writing, and right of appeal. Failure at any step raises unfair dismissal risk and may result in a compensation uplift.
+
+**Redundancy**
+- Collective consultation (TULRCA s.188) is required when proposing to dismiss 20 or more employees at one establishment within 90 days. The minimum consultation period varies by the number of redundancies — verify the current statutory periods at https://www.gov.uk/staff-redundant/redundancy-consultations.
+- Notification to the Secretary of State (HR1 form) is required before collective redundancies. Verify at https://www.gov.uk/government/publications/redundancy-payments-hr1-advance-notification-of-redundancies.
+- Selection criteria for redundancy must be objective and consistently applied. Criteria that proxy for protected characteristics (e.g., last-in-first-out applied to a younger/female-skewed population) are discrimination risks.
+- Statutory redundancy pay entitlements apply — verify current rates at https://www.gov.uk/redundancy-your-rights.
+
+**TUPE**
+- Applies on a relevant transfer (business sale, outsourcing, re-tendering). Employees transfer with existing terms; dismissal for a TUPE-related reason is automatically unfair.
+- Employer and employee representatives must be informed and, where measures are envisaged, consulted before the transfer.
+
+**Data protection and investigations**
+- UK GDPR applies to processing employee personal data. Special-category data (health, ethnicity, union membership) requires explicit consent or another Schedule 2 condition under the DPA 2018 — verify with ICO guidance.
+- Workplace investigation records, medical information, and grievance files are personal data; their retention, access, and sharing must comply with UK GDPR.
+
+**Immigration and right to work**
+- Employers must conduct right-to-work checks before employment begins and at specified intervals for time-limited permissions. Employing someone without the right to work is a civil and potentially criminal offence. Verify current check requirements at https://www.gov.uk/check-job-applicant-right-to-work.
+
+---
+
+## Escalation triggers (UK-specific)
+
+- Any proposed dismissal of an employee who has raised a grievance, whistleblowing concern, or protected-characteristic complaint (automatic unfair dismissal risk).
+- Collective redundancy where 20+ dismissals at one establishment within 90 days may be in scope.
+- TUPE transfer or service-provision change in the transaction.
+- Disciplinary action where the ACAS Code has not been followed at any step.
+- Any proposed action affecting an employee on maternity leave, shared parental leave, or a fit note.
+- Day-one unfair dismissal provisions under ERA 2024 — verify current implementation status with employment counsel.
+- Any employment tribunal claim filed or ACAS early conciliation initiated.
+
+---
+
+## Sources
+
+- https://www.acas.org.uk/advice — ACAS advice hub (fetched 2026-05-18, resolved)
+- https://www.acas.org.uk/dismissals/unfair-dismissal — ACAS unfair dismissal guidance (fetched 2026-05-18, resolved)
+- https://www.acas.org.uk/disciplinary-procedure-step-by-step — ACAS disciplinary procedure (fetched 2026-05-18, resolved)
+- https://www.gov.uk/browse/working — GOV.UK working hub (fetched 2026-05-18, resolved)
+- https://www.legislation.gov.uk/ukpga/1996/18 — Employment Rights Act 1996 (confirmed via search 2026-05-18)
+- https://www.legislation.gov.uk/ukpga/2010/15 — Equality Act 2010 (confirmed via search 2026-05-18)

package/skills/hr/hr-risk-triage-review/references/jurisdictions/us.md

@@ -0,0 +1,100 @@
+# US Employment Law — Jurisdiction Reference Map
+
+> **Review map only.** This file describes the structure of the US employment-law regime and where to verify requirements. It is not legal advice, may be out of date, and must be verified against current official sources. Jurisdiction-specific conclusions require qualified US employment counsel.
+
+Last verified: 2026-05-18
+
+---
+
+## Regime overview
+
+The US has a layered employment-law regime: federal floor statutes enforced by federal agencies, supplemented (and often exceeded) by state and local laws. Most private-sector employment is "at-will" — meaning either party may terminate for any lawful reason — but the at-will doctrine is heavily eroded by federal and state anti-discrimination statutes, contract rights, public-policy exceptions, and implied-covenant doctrines that vary by state. The reviewer must confirm the applicable state law; do not assume the federal floor is the only constraint.
+
+---
+
+## Primary regulators
+
+| Regulator | Jurisdiction | Official source |
+|---|---|---|
+| Equal Employment Opportunity Commission (EEOC) | Federal anti-discrimination enforcement | https://www.eeoc.gov/laws-guidance |
+| Department of Labor — Wage and Hour Division (WHD) | FLSA, FMLA, WARN, and other federal wage/leave laws | https://www.dol.gov/agencies/whd |
+| National Labor Relations Board (NLRB) | Private-sector collective bargaining and unfair labor practices | https://www.nlrb.gov/about-nlrb |
+| OSHA (DOL) | Workplace safety and anti-retaliation (whistleblower programs) | https://www.osha.gov/workers/file-complaint |
+| State labor agencies | Minimum wage, state discrimination, leave, and wage laws | Varies — verify for the specific state |
+| State attorneys general | State wage theft, discrimination, and consumer protection enforcement | Varies — verify for the specific state |
+
+---
+
+## Primary statutes and frameworks
+
+| Statute / framework | Coverage | Official source |
+|---|---|---|
+| Title VII of the Civil Rights Act of 1964 | Prohibits discrimination based on race, color, religion, sex, national origin | https://www.eeoc.gov/statutes/title-vii-civil-rights-act-1964 |
+| Americans with Disabilities Act (ADA) | Disability discrimination; reasonable accommodation duty | https://www.eeoc.gov/statutes/americans-disabilities-act-1990 |
+| Age Discrimination in Employment Act (ADEA) | Protects workers 40+ from age discrimination | https://www.eeoc.gov/statutes/age-discrimination-employment-act-1967 |
+| Pregnancy Discrimination Act / PWFA | Sex discrimination including pregnancy, childbirth, related conditions | https://www.eeoc.gov/laws-guidance |
+| Fair Labor Standards Act (FLSA) | Minimum wage, overtime, child labor, recordkeeping | https://www.dol.gov/agencies/whd/flsa |
+| Family and Medical Leave Act (FMLA) | Unpaid protected leave for qualifying medical and family reasons | https://www.dol.gov/agencies/whd/fmla |
+| WARN Act | Advance notice for mass layoffs and plant closings (federal threshold) | https://www.dol.gov/agencies/eta/layoffs/warn |
+| National Labor Relations Act (NLRA) | Protected concerted activity; collective bargaining; unfair labor practices | https://www.nlrb.gov/guidance/key-reference-materials/national-labor-relations-act |
+| Title IX / VAWA (workplace context) | Sex-based harassment in contexts with federal funding | https://www.eeoc.gov/laws-guidance |
+| State equivalents | State anti-discrimination, leave, wage, and WARN-equivalent statutes | Verify with state agency for the applicable state |
+
+---
+
+## Structural review checkpoints
+
+**At-will vs. statutory protection**
+- Confirm whether employment is at-will in the applicable state and whether any contract, offer letter, handbook, or CBA modifies at-will status.
+- Identify all protected classes under federal law (race, color, religion, sex, national origin, age 40+, disability, genetic information) and additional protected classes under applicable state or local law — which frequently expand the federal list.
+- Verify whether any public-policy or implied-covenant exception to at-will applies in the state.
+
+**Notice and consultation duties**
+- Federal WARN Act applies to employers with 100 or more full-time employees for qualifying mass layoffs or plant closings. Verify the headcount threshold and the triggering layoff size against the current statutory text and WHD guidance — do not rely on memory for specific numbers.
+- Many states have mini-WARN statutes with lower headcount thresholds and longer notice periods. Verify against the applicable state law.
+- Reviewer should confirm current thresholds at https://www.dol.gov/agencies/eta/layoffs/warn and the relevant state labor agency.
+
+**Anti-discrimination grounds**
+- Federal protected classes: race, color, religion, sex (including pregnancy, sexual orientation per Bostock v. Clayton County, gender identity), national origin, age (40+), disability, genetic information.
+- State and local law often adds: marital status, family responsibilities, source of income, credit history, criminal history (ban-the-box), and others. Verify for the applicable jurisdiction.
+
+**Wage and hour**
+- Confirm FLSA exempt/non-exempt classification for affected workers. As of May 2026, WHD restored the 2019 salary threshold of $684/week for EAP exemptions after a 2024 rule was judicially vacated — verify the current effective threshold at https://www.dol.gov/agencies/whd/overtime/salary-levels before relying on any specific figure.
+- Confirm state minimum wage if higher than federal.
+- Independent-contractor classification: verify against the applicable federal and state multi-factor tests. Misclassification is an escalation-grade risk.
+
+**Accommodation and leave**
+- ADA reasonable accommodation duty: confirm an interactive process occurred before any adverse action against an employee with a known or suspected disability.
+- FMLA: confirm eligibility (12 months tenure, 1,250 hours worked, 50-employee threshold at the worksite) — verify thresholds at https://www.dol.gov/agencies/whd/fmla.
+- State leave laws may impose additional or broader obligations. Verify for the applicable state.
+
+**Collective and union matters**
+- NLRA protects concerted activity even for non-unionized workers. Adverse action following protected concerted activity (e.g., complaints about wages or working conditions) is an unfair labor practice.
+- If a CBA is in scope, confirm just-cause requirements and grievance/arbitration procedures before any disciplinary or termination action.
+
+**Retaliation and whistleblower**
+- Retaliation for filing an EEOC charge, participating in an investigation, or opposing discriminatory practices is independently prohibited under federal statutes.
+- OSHA administers 25+ whistleblower protection statutes covering reporting on safety, securities, tax, environment, and other regulated domains. Verify at https://www.osha.gov/whistleblower-protection-programs.
+- Temporal proximity between protected activity and adverse action is a primary factor in establishing retaliation claims.
+
+---
+
+## Escalation triggers (US-specific)
+
+- Any action taken within weeks or months of a complaint, accommodation request, leave request, or OSHA/SEC/IRS report.
+- WARN-threshold proximity in a RIF — if headcount at or near the threshold, escalate before finalizing.
+- Independent-contractor reclassification exposure.
+- Multi-state workforce where different state laws apply concurrently.
+- Executive or senior employee terminations (arbitration agreements, equity, D&O exposure).
+- Any EEOC charge, DOL audit, or NLRB petition already filed or threatened.
+
+---
+
+## Sources
+
+- https://www.eeoc.gov/laws-guidance — EEOC laws, regulations, and guidance (fetched 2026-05-18, resolved)
+- https://www.dol.gov/agencies/whd/flsa — WHD FLSA overview (confirmed via search 2026-05-18)
+- https://www.dol.gov/agencies/whd/overtime/salary-levels — current EAP salary thresholds (confirmed via search 2026-05-18)
+- https://www.dol.gov/agencies/eta/layoffs/warn — WARN Act (DOL)
+- https://www.nlrb.gov/about-nlrb — NLRB overview (fetched 2026-05-18, resolved)
+- https://www.osha.gov/whistleblower-protection-programs — OSHA whistleblower programs

package/skills/hr/hr-risk-triage-review/references/workflow-and-output.md

@@ -0,0 +1,176 @@
+# Workflow and Output Contract
+
+## Workflow
+
+Execute these ten steps in order. Do not skip a step because the input looks
+simple — the steps exist to surface what an HR requester has not said.
+
+### Step 1 — Define the HR decision or problem in one sentence
+
+State the proposed HR action or the problem in a single sentence. Examples:
+- "We intend to terminate [role] for repeated performance failures after a three-month PIP."
+- "An employee has filed a harassment complaint against their manager."
+- "We are planning a reduction in force of approximately 40 roles across two business units."
+
+If the matter cannot be stated in one sentence, ask the user to narrow it before proceeding.
+
+### Step 2 — Identify population, location, and context
+
+Collect (or flag as Unknown if not provided):
+- Employee population in scope: count, role(s), employment status (full-time, part-time, fixed-term, contractor, gig/platform)
+- Location(s): country, state/province, local ordinance if relevant
+- Protected-class indicators **only if relevant and volunteered** — do not probe for them
+- Manager chain and decision-makers involved
+- Business unit and entity
+- Policy source(s) the action relies on (handbook, policy number, contract clause, collective agreement)
+- Timeline of events, effective dates, and any deadlines
+- Whether a union, works council, or collective-bargaining agreement applies
+
+If jurisdiction is not provided, rate all risk domains Unknown and request jurisdiction before proceeding.
+
+### Step 3 — Separate confirmed facts, allegations, assumptions, hearsay, and missing evidence
+
+Sort the input into clearly labeled buckets:
+- **Confirmed facts** — established and corroborated
+- **Allegations** — claims made but not yet substantiated; record who made them
+- **Assumptions** — treated as plausible but unverified
+- **Hearsay and opinion** — secondhand accounts and characterizations, not evidence
+- **Missing evidence** — facts that materially affect the assessment and are not provided
+
+Never assume a manager's or complainant's account is complete. Require corroboration.
+
+### Step 4 — Identify the HR domain
+
+Classify the matter against one or more domains: recruiting, onboarding,
+performance, discipline, termination, RIF/reorg, compensation, benefits,
+accommodation, leave, harassment, discrimination, retaliation, workplace
+safety, investigations, employee privacy, labor relations, or culture.
+
+### Step 5 — Check process integrity
+
+Test the process behind the decision, not just the outcome. Examine:
+- **Notice** — was the employee given required notice and an opportunity to respond?
+- **Consistency** — does this match how comparable situations were handled?
+- **Documentation** — is there a contemporaneous, non-pretextual record?
+- **Policy alignment** — does the action follow the stated policy and contract?
+- **Prior treatment** — has the employee's prior record been applied evenly?
+- **Decision authority** — does the decision-maker have the authority to act?
+- **Confidentiality** — has sensitive information been contained appropriately?
+- **Appeal / review path** — is there a route for the employee to challenge the decision?
+
+### Step 6 — Adverse-impact and fairness review
+
+Ask whether similarly situated employees were treated consistently. Look for
+disparate treatment, disparate impact of facially neutral criteria (especially
+RIF selection criteria), and inconsistency that a fact-finder would read as
+pretext. State explicitly where comparator data is missing.
+
+### Step 7 — Retaliation analysis
+
+For any adverse or proposed adverse action, test for retaliation:
+- **Protected activity** — did the employee complain, request leave or accommodation, report safety or wrongdoing, or engage in protected concerted/union activity?
+- **Timing** — how close in time is the adverse action to the protected activity?
+- **Decision-makers** — do the people deciding know about the protected activity?
+- **Documentation** — does the record predate the protected activity, or appear after it?
+- **Alternative explanations** — is there a credible, documented non-retaliatory reason?
+
+An adverse action following protected activity is the highest-risk finding possible — lead with it.
+
+### Step 8 — Privacy analysis
+
+Review handling of employee data:
+- **Minimum necessary** — is only the data needed for the decision being collected and used?
+- **Role-based access** — is access limited to those who need it?
+- **Retention** — is there a defined retention and disposal path?
+- **Consent / notice** — where the jurisdiction requires it, has notice or consent been given?
+- **Sensitive data** — are medical, disability, immigration, and protected-characteristic data segregated and protected?
+
+### Step 9 — Rate risk
+
+Assign one of five ratings to each identified risk:
+
+| Rating | Meaning |
+|---|---|
+| Critical | Immediate legal exposure; do not proceed without counsel sign-off |
+| High | Material litigation, regulatory, or financial exposure; escalation strongly indicated |
+| Medium | Manageable with documented controls; monitor and document |
+| Low | Limited exposure on current evidence; note and monitor |
+| Unknown | Jurisdiction or material facts missing; cannot rate without them |
+
+Unknown is mandatory — not optional — wherever documentation is incomplete or jurisdiction is absent.
+
+### Step 10 — Recommend safe next actions and escalation path
+
+Present a range of safe next actions, not a single directive. For each, state
+what it entails, what supports it, what risk it mitigates, and what residual
+risk remains. Then state the escalation path. Escalate to employment counsel
+when any of the following is true:
+- The matter involves jurisdiction-specific statutory rights or notice periods
+- A claim, complaint, charge, or grievance has been filed or threatened
+- Protected characteristics, protected activity, or whistleblower status are in play
+- The financial or reputational exposure is material
+- A mass-layoff, collective-consultation, or works-council trigger may apply
+- Immigration or work-authorization status is affected
+- The matter involves executive compensation, executive misconduct, or equity
+- There is any ambiguity about whether a retaliatory or discriminatory motive could be attributed to the action
+
+---
+
+## Output
+
+Return findings in this structure:
+
+```
+## Verdict
+<one of: proceed | proceed with controls | pause | escalate | insufficient evidence>
+<one sentence explaining the verdict>
+
+## Ruthless challenge
+<2–4 sentences: the weakest part of the current HR thinking — adversarial framing, no softening>
+
+## Facts, allegations, assumptions, and missing evidence
+- Confirmed facts: <fact>
+- Allegations: <claim — who made it, what is unproven>
+- Assumptions and hearsay: <item and its basis>
+- Missing evidence: <materially relevant fact not provided>
+
+## Policy and process issues
+- <process gap — notice, consistency, documentation, policy alignment, prior treatment, decision authority, confidentiality, or appeal path — and why it matters>
+
+## Fairness, consistency, retaliation, and privacy stress test
+- Adverse impact / fairness: <were similarly situated employees treated consistently; where is comparator data missing>
+- Retaliation: <protected activity, timing, decision-maker knowledge, documentation sequence, alternative explanations>
+- Privacy: <minimum-necessary data, role-based access, retention, notice/consent, sensitive-data handling>
+- Adverse lenses: <worst-case framing from employee, plaintiff counsel, regulator/labor authority, works council/union, auditor, board, press>
+
+## Risk rating table
+| Issue | Severity | Evidence | Employee impact | Enterprise impact | Owner | Mitigation |
+|---|---|---|---|---|---|---|
+| <issue> | Critical/High/Medium/Low/Unknown | <evidence basis> | <impact on the employee> | <impact on the enterprise> | <decision owner> | <mitigation> |
+
+## Documentation checklist
+- [ ] <record or document that must exist and be verified before action>
+- [ ] <...>
+
+## Safe next actions
+1. <action — who does it, what it requires>
+2. <action>
+
+## Required escalation
+<explicit statement of which matters must reach employment counsel, HR, employee relations, privacy, or security before any action is taken>
+
+## Questions HR and legal must answer before action
+- <question>
+- <question>
+```
+
+---
+
+## Security notes
+
+- Never request or accept employee medical records, disability detail, immigration documents, compensation records, investigation notes, or attorney-client privileged communications. Ask for sanitized summaries with PII and protected-characteristic detail limited to what the question requires.
+- This is a static risk-triage review: do not draft termination letters, settlement agreements, disciplinary notices, or legal communications. Direct the user to employment counsel for those documents.
+- Do not draft retaliatory, discriminatory, intimidating, or misleading employee communications.
+- A proposed action that follows an employee's protected activity (complaint, leave request, accommodation request, safety report, union/labor activity, whistleblower report) is the highest-risk finding possible — lead with it.
+- Pretextual or backdated documentation requests (documenting performance issues retroactively to justify an already-decided termination, or backdating PIPs) must be refused explicitly. State that you will not assist with that and explain why.
+- Do not recommend termination, discipline, denial of leave or accommodation, or adverse action as the outcome — present readiness criteria, options, and escalation paths, and leave the decision to qualified human decision-makers.

package/skills/legal/legal-counsel-review/SKILL.md

@@ -0,0 +1,50 @@
+---
+name: legal-counsel-review
+description: Use this skill when reviewing legal, contractual, regulatory, privacy, litigation, compliance, or risk-governance questions for an enterprise legal function. Trigger when a user provides a contract excerpt, a policy, a compliance question, a privacy-risk question, or a legal intake item and wants risks, evidence gaps, decision options, and escalation paths surfaced. This skill is an adversarial risk-review discipline; it does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions.
+allowed-tools: Read Grep Glob
+metadata:
+  author: "github: Raishin"
+  version: "0.1.0"
+  updated: "2026-05-18"
+  category: compliance
+  lifecycle: experimental
+---
+
+# Legal Counsel Review
+
+## Purpose
+This skill is an adversarial legal-risk review discipline for an enterprise legal and compliance function. It reviews contracts, legal-policy questions, compliance triage, privacy risk, employment-law risk triage, vendor and legal intake, regulatory mapping, M&A and legal due-diligence triage, litigation-risk assessment, legal-ops workflows, and policy-exception reviews. It surfaces risks, assumptions, evidence gaps, decision options, and escalation paths for qualified counsel. It does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions.
+
+## Lean operating rules
+- Never conclude "this is legal" or "this is compliant" — rate risk as Critical/High/Medium/Low or Unknown and state the evidence basis. Risk appears lower or higher on the evidence provided; only qualified counsel can conclude compliance.
+- Never invent statutes, case law, regulatory thresholds, penalty amounts, filing deadlines, or jurisdiction-specific rules. Only state a specific figure if it was fetched from an official source in the current session and is cited inline. When in doubt, point to the official regulator and flag as to-be-verified.
+- Rate risk Critical/High/Medium/Low/Unknown. Unknown is mandatory whenever jurisdiction, governing law, material facts, or counterparty identity are missing or ambiguous — do not assign a lower rating to paper over an unknown.
+- Separate facts, assumptions, inferences, and open questions in every response. Label each claim with its basis: document provided, reasonable inference, documentation-based, or stated uncertainty.
+- Work from sanitized excerpts only. Never request secrets, credentials, PII, employee medical detail, trade secrets, privileged communications, or customer data. If such material is offered, decline and ask for a redacted version.
+- Protect privilege: flag all material that appears to have been created in anticipation of litigation or that is subject to attorney-client privilege, and recommend that it be handled only by or with counsel.
+- Treat the following matter types as escalation-grade regardless of apparent severity: retaliation, discrimination, harassment, wage-and-hour violations, whistleblower matters, termination decisions, immigration status, sanctions and export-control issues, bribery and anti-corruption (FCPA/UK Bribery Act/local equivalents), personal-data breaches requiring regulatory notification, and public-company disclosure obligations.
+- Every recommendation must map to evidence in the document, a stated assumption, or a stated uncertainty — no bare conclusions.
+- Recommend escalation to qualified local counsel when the matter is jurisdiction-specific, high-impact, employment-related, litigation-related, regulated, or financially material, or when an Unknown rating cannot be resolved from the information provided.
+- Do not recommend a single overconfident action. Provide safe options that preserve decision authority for counsel.
+
+## References
+Load these only when needed:
+- [Workflow and output contract](references/workflow-and-output.md) — use when executing a full review or formatting the final answer.
+- [US jurisdiction reference](references/jurisdictions/us.md) — contract, privacy, and regulatory checkpoints for US-law matters.
+- [EU jurisdiction reference](references/jurisdictions/eu.md) — GDPR and EU regulatory checkpoints.
+- [UK jurisdiction reference](references/jurisdictions/uk.md) — UK GDPR, Data Protection Act 2018, and UK regulatory checkpoints.
+- [Singapore jurisdiction reference](references/jurisdictions/singapore.md) — PDPA and Singapore regulatory checkpoints.
+- [Australia jurisdiction reference](references/jurisdictions/australia.md) — Privacy Act 1988 and Australian regulatory checkpoints.
+
+## Response minimum
+Return, at minimum:
+- Legal question stated in one sentence
+- Jurisdiction and governing law identified (or flagged Unknown)
+- Missing material facts that affect the analysis
+- Risk domain identified (contract, privacy, employment, IP, regulatory, litigation, competition, sanctions, procurement, finance, public-company disclosure, cybersecurity, records retention, other)
+- Decision owner identified
+- Adversarial stress test (worst-case interpretation; regulator, plaintiff, counterparty, employee, auditor, board, or press view)
+- Risk rating per issue (Critical / High / Medium / Low / Unknown) with evidence basis
+- Safe next actions
+- Escalation trigger
+- Questions qualified counsel must answer before approval

package/skills/legal/legal-counsel-review/metadata.json

@@ -0,0 +1,29 @@
+{
+  "id": "legal-counsel-review",
+  "name": "Legal Counsel Review",
+  "type": "skill",
+  "provider": "legal",
+  "harnesses": [
+    "codex",
+    "claude-code",
+    "cursor",
+    "gemini",
+    "kiro",
+    "other"
+  ],
+  "summary": "Adversarial legal-risk review discipline for contracts, privacy, regulatory, litigation, compliance, and policy-exception questions — surfaces risks, evidence gaps, decision options, and escalation paths for qualified counsel. Does not give legal advice.",
+  "source_type": "original",
+  "official_docs": [
+    "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+    "https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en",
+    "https://www.legislation.gov.uk/ukpga/2018/12/contents",
+    "https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act",
+    "https://www.oaic.gov.au/privacy/the-privacy-act",
+    "https://www.law.cornell.edu/wex"
+  ],
+  "security_notes": "Static review only — works from sanitized excerpts; never requests secrets, credentials, personal data, employee medical detail, or trade secrets. Does not issue binding legal conclusions; flags privileged material and recommends escalation to qualified counsel.",
+  "last_verified": "2026-05-18",
+  "path": "skills/legal/legal-counsel-review",
+  "author": "github: Raishin",
+  "version": "0.1.0"
+}

package/skills/legal/legal-counsel-review/references/jurisdictions/australia.md

@@ -0,0 +1,86 @@
+# Australia — Legal Review Reference Map
+
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified Australian counsel (noting that each state and territory has separate courts and legislation that may also apply).
+
+Last verified: 2026-05-18
+
+---
+
+## Regime overview
+
+Australia is a federal common-law jurisdiction. Privacy and data protection at the federal level are governed by the Privacy Act 1988, administered by the Office of the Australian Information Commissioner (OAIC). The Australian Government has been conducting a comprehensive review of the Privacy Act; significant amendments may have been enacted since this file was written — the reviewer must verify current law with counsel. Contract law is common law. Employment law is primarily federal (Fair Work Act 2009) with state/territory overlay. Anti-corruption and anti-bribery obligations apply under federal criminal law and the Foreign Bribes schedule.
+
+---
+
+## Primary regulators and authorities
+
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Office of the Australian Information Commissioner (OAIC) | Privacy Act 1988 enforcement; freedom of information; privacy impact assessments | https://www.oaic.gov.au |
+| Australian Competition and Consumer Commission (ACCC) | Competition Act enforcement; consumer protection; merger review | https://www.accc.gov.au |
+| Australian Securities and Investments Commission (ASIC) | Financial services; corporations law; market conduct; disclosure | https://www.asic.gov.au |
+| Australian Prudential Regulation Authority (APRA) | Banking; insurance; superannuation; operational risk standards (CPS 234 cybersecurity) | https://www.apra.gov.au |
+| Fair Work Commission | Industrial disputes; enterprise agreements; unfair dismissal | https://www.fwc.gov.au |
+| Fair Work Ombudsman | Fair Work Act compliance; underpayment investigations | https://www.fairwork.gov.au |
+| Australian Cyber Security Centre (ACSC) | Cyber incident guidance and reporting; not a general regulator | https://www.cyber.gov.au |
+| Attorney-General's Department | Privacy Act reform; Notifiable Data Breaches scheme; criminal law | https://www.ag.gov.au |
+
+---
+
+## Primary statutes and regulations (verify current text at legislation.gov.au)
+
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| Privacy Act 1988 (Cth) | Personal information handling by Australian Government agencies and private-sector APP entities; 13 Australian Privacy Principles (APPs); Notifiable Data Breaches (NDB) scheme; credit reporting; health information | https://www.oaic.gov.au/privacy/the-privacy-act and https://www.legislation.gov.au |
+| Australian Privacy Principles (APPs) — Schedule 1 to Privacy Act | 13 principles governing open and transparent management, anonymity, collection, use, disclosure, quality, security, access, and correction | https://www.oaic.gov.au/privacy/australian-privacy-principles |
+| Notifiable Data Breaches (NDB) scheme — Part IIIC of Privacy Act | Mandatory notification to OAIC and affected individuals when a data breach is likely to result in serious harm | https://www.oaic.gov.au/privacy/notifiable-data-breaches |
+| Security of Critical Infrastructure Act 2018 (SOCI Act), as amended | Obligations for entities responsible for critical infrastructure assets (energy, water, banking, communications, etc.); mandatory incident reporting to the Australian Signals Directorate | https://www.legislation.gov.au — verify current amended version |
+| Corporations Act 2001 (Cth) | Corporate governance; director duties; continuous disclosure; ASIC enforcement | https://www.legislation.gov.au |
+| Fair Work Act 2009 (Cth) | National employment standards; unfair dismissal; general protections (adverse action); enterprise agreements | https://www.legislation.gov.au |
+| Criminal Code Act 1995 (Cth), Division 70 | Foreign bribery offences; equivalent to FCPA for Australian entities and those with Australian nexus | https://www.legislation.gov.au |
+| Competition and Consumer Act 2010 (Cth) | Antitrust; merger review; misleading and deceptive conduct; consumer guarantees | https://www.legislation.gov.au |
+| Spam Act 2003 (Cth) | Unsolicited commercial electronic messages; consent requirements | https://www.legislation.gov.au |
+| Telecommunications (Interception and Access) Act 1979 (Cth) | Lawful interception; stored communications | https://www.legislation.gov.au |
+
+---
+
+## Structural review checkpoints
+
+1. **Privacy Act threshold — APP entity** — confirm whether the entity is an "APP entity" (Australian Government agency, or private-sector organisation with annual turnover above the threshold or in a covered category such as health service providers). Verify the current turnover threshold and any recent amendments with counsel — the Privacy Act review has proposed changes to this threshold.
+2. **Australian Privacy Principles audit** — map the data flow against all 13 APPs. Key checkpoints:
+   - APP 1: Open and transparent management — privacy policy current and accessible?
+   - APP 5: Notification at or before collection — was notice given?
+   - APP 6: Use and disclosure — is secondary use authorised?
+   - APP 11: Security of personal information — reasonable steps taken?
+   - APP 12/13: Access and correction rights — process in place?
+   Verify each APP's current text at https://www.oaic.gov.au/privacy/australian-privacy-principles.
+3. **Notifiable Data Breaches** — confirm whether a breach is likely to result in serious harm. If so, OAIC notification and individual notification obligations apply. Verify current format, timeline, and OAIC reporting portal at https://www.oaic.gov.au/privacy/notifiable-data-breaches.
+4. **SOCI Act critical infrastructure** — determine whether the entity owns, operates, or has a material interest in a critical infrastructure asset. If yes, mandatory incident notification to the Australian Signals Directorate and sector-specific obligations apply.
+5. **APRA CPS 234** — for APRA-regulated entities (banks, insurers, superannuation funds), confirm CPS 234 information security obligations, incident notification to APRA, and third-party service provider controls.
+6. **Foreign bribery** — Criminal Code Act 1995, Division 70 applies to Australian entities and individuals and has extraterritorial reach. Flag any payment to a foreign public official. No facilitation-payment exception post-2024 amendments — verify current law with counsel.
+7. **Employment — Fair Work Act** — confirm National Employment Standards (NES) compliance, general protections (adverse action provisions are broad and apply to most employment decisions), and whether enterprise agreements or modern awards apply. Unfair dismissal requires a minimum employment period; confirm current figure with counsel.
+8. **Continuous disclosure** — listed companies on ASX are subject to continuous disclosure obligations under the Corporations Act and ASX Listing Rules. Flag material information that may not have been disclosed.
+9. **Merger review** — ACCC has jurisdiction to review mergers. The merger control regime has been amended; verify whether a mandatory notification or informal clearance is required with M&A counsel.
+10. **State and territory law** — certain matters (property, workplace health and safety, workers' compensation, some employment conditions) are governed by state/territory law. Flag the relevant jurisdiction(s) and escalate to locally-admitted counsel.
+
+---
+
+## Escalation triggers (Australia-specific)
+
+- NDB mandatory notification triggered — escalate immediately to Australian privacy counsel; prepare OAIC notification and individual notification plan.
+- SOCI Act critical-infrastructure incident — escalate immediately; mandatory reporting to the Australian Signals Directorate applies.
+- APRA CPS 234 material information security incident — escalate to regulatory counsel; APRA notification obligation.
+- Foreign bribery suspicion (Division 70) — escalate to Australian criminal defence counsel before any internal investigation step; consider voluntary disclosure regime (verify current status with counsel).
+- ASIC continuous-disclosure obligation potentially triggered — escalate to securities lawyers and board; trading halt may be required.
+- Adverse action or general protections claim filed under Fair Work Act — escalate to employment counsel; reversed onus of proof applies to the employer.
+- Class-action threatened or filed — escalate to Australian litigation counsel immediately.
+- Privacy Act reform amendments enacted — reviewer must verify whether any changes to the APP entity threshold, enforcement powers, or mandatory requirements apply to the matter at hand.
+
+---
+
+## Sources (verified in this session)
+
+- OAIC Privacy Act overview: https://www.oaic.gov.au/privacy/the-privacy-act — loaded successfully; confirmed Privacy Act 1988 scope, APP entities, 13 APPs, and review status.
+- OAIC Australian Privacy Principles overview: https://www.oaic.gov.au/privacy/australian-privacy-principles — loaded successfully; confirmed 13 APPs, principles-based framework, technology neutrality.
+- All legislation.gov.au statute citations are the official Commonwealth consolidated law database; verify current amended text before relying on any provision.
+- Regulator websites (accc.gov.au, asic.gov.au, apra.gov.au, fwc.gov.au, fairwork.gov.au) confirmed as official government sources; verify individual page availability before citing.