npm - @raishin/vanguard-frontier-agentic - Versions diffs - 2.1.0 → 2.3.0 - Mend

@raishin/vanguard-frontier-agentic 2.1.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (508) hide show

package/skills/legal/legal-counsel-review/references/jurisdictions/eu.md ADDED Viewed

@@ -0,0 +1,77 @@
+# European Union — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified EU/member-state counsel.
+Last verified: 2026-05-18
+---
+## Regime overview
+The EU operates a unified legal framework for data protection (GDPR), but many other legal regimes — contract law, employment law, competition enforcement, sector regulation — are implemented at the member-state level within EU-wide harmonizing directives. Any matter involving a specific member state requires counsel admitted in that jurisdiction. Data protection is a fundamental right under Article 8 of the EU Charter of Fundamental Rights.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| National Data Protection Authorities (DPAs) | GDPR enforcement in each member state; the lead supervisory authority (LSA) is determined by the controller's main establishment | Varies by state — find via https://www.edpb.europa.eu/about-edpb/about-edpb/members_en |
+| European Data Protection Board (EDPB) | Ensures consistent GDPR application across the EU; issues binding decisions in cross-border cases | https://www.edpb.europa.eu |
+| European Data Protection Supervisor (EDPS) | Supervises EU institutions' own data processing | https://edps.europa.eu |
+| European Commission (DG JUSTICE) | Proposes data protection legislation; adequacy decisions for third-country transfers | https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en |
+| European Competition Network (ECN) | Coordinates antitrust and merger enforcement with national competition authorities | https://competition-policy.ec.europa.eu |
+| National competition authorities (NCAs) | Antitrust enforcement within member states; notify European Commission for mergers above thresholds | Varies by state |
+---
+## Primary statutes and regulations (verify current text and amendments)
+| Instrument | Scope | Official source |
+|-----------|-------|-----------------|
+| General Data Protection Regulation — Regulation (EU) 2016/679 (GDPR) | Personal data processing by controllers and processors established in the EU, or processing personal data of EU data subjects | https://eur-lex.europa.eu/eli/reg/2016/679/oj |
+| Law Enforcement Directive — Directive (EU) 2016/680 | Personal data processing by competent authorities for crime prevention, investigation, prosecution, or execution of criminal penalties | https://eur-lex.europa.eu/eli/dir/2016/680/oj |
+| EUDPR — Regulation (EU) 2018/1725 | Personal data processing by EU institutions and bodies | https://eur-lex.europa.eu/eli/reg/2018/1725/oj |
+| ePrivacy Directive — Directive 2002/58/EC (as amended) | Electronic communications; cookies; direct marketing. Note: the ePrivacy Regulation proposal is pending — verify current status with counsel. | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058 |
+| AI Act — Regulation (EU) 2024/1689 | Risk-based framework for AI systems; high-risk AI obligations for providers and deployers | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401689 — verify current implementation timeline with counsel |
+| Digital Services Act (DSA) — Regulation (EU) 2022/2065 | Online intermediary obligations; content moderation; transparency | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065 |
+| Digital Markets Act (DMA) — Regulation (EU) 2022/1925 | Obligations for designated "gatekeepers" | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1925 |
+| NIS2 Directive — Directive (EU) 2022/2555 | Cybersecurity requirements for essential and important entities; incident reporting obligations | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555 |
+---
+## Structural review checkpoints
+1. **Territorial scope** — confirm whether GDPR Article 3 applies: (a) establishment in the EU, or (b) offering goods/services to EU data subjects, or (c) monitoring behaviour occurring in the EU. If yes, full GDPR applies regardless of where the controller is incorporated.
+2. **Legal basis for processing** — identify which GDPR Article 6 basis applies (consent, contract, legal obligation, vital interests, public task, legitimate interests). For special-category data (Article 9), confirm an explicit additional basis. Confirm against current text at https://eur-lex.europa.eu/eli/reg/2016/679/oj.
+3. **Data subject rights** — check whether the document or process has mapped obligations under Articles 12–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making). Flag gaps.
+4. **International transfers** — any personal data transfer outside the EEA requires an Article 46 transfer mechanism (SCCs, BCRs, adequacy decision) or an Article 49 derogation. Verify adequacy decisions at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Note: Schrems II invalidated Privacy Shield; confirm current US transfer mechanism with counsel.
+5. **Data Protection Officer (DPO)** — determine whether the entity is required to appoint a DPO (public authority, large-scale systematic monitoring, or large-scale special-category processing). Flag if absent when required.
+6. **Records of Processing Activities (RoPA)** — Article 30 requires most controllers and processors to maintain a RoPA. Flag absence.
+7. **Data breach notification** — Article 33 requires notification to the competent DPA within 72 hours of awareness, where feasible. Article 34 requires notification to data subjects in high-risk breaches. Confirm thresholds and format with counsel.
+8. **Data Protection Impact Assessment (DPIA)** — Article 35 requires a DPIA for high-risk processing. Review whether one was conducted and documented.
+9. **Processor agreements** — Article 28 requires a written data processing agreement (DPA/DPA agreement) when using processors. Flag missing or inadequate agreements.
+10. **Competition and merger control** — for transactions, assess whether EU Merger Regulation thresholds are met (Article 1 of Regulation (EC) 139/2004). Verify current thresholds with M&A counsel; do not state specific figures here.
+11. **Employment matters** — EU employment law is substantially member-state law (works council rights, consultation obligations, TUPE-equivalent protections under Directive 2001/23/EC on transfers of undertakings). Flag the specific member state(s) and escalate to local employment counsel.
+12. **NIS2 incident reporting** — identify whether the entity is an "essential" or "important" entity under NIS2. Flag reporting timelines and verify member-state implementing legislation with counsel.
+---
+## Escalation triggers (EU-specific)
+- Personal-data breach with risk to individuals — 72-hour DPA notification clock runs from awareness; escalate immediately to privacy counsel and DPO.
+- Cross-border data transfer to a third country without a confirmed, current transfer mechanism — escalate; the absence is an ongoing GDPR violation.
+- GDPR enforcement investigation or DPA inquiry — escalate to qualified EU data-protection counsel; preserve privilege carefully.
+- Special-category data (health, biometric, genetic, political opinions, religious beliefs, trade-union membership, sexual orientation, criminal offences) — heightened legal basis required; escalate.
+- AI Act high-risk AI system deployment — confirm compliance obligations before deployment; consult with counsel.
+- M&A transaction potentially meeting EU Merger Regulation thresholds — escalate to M&A counsel for pre-notification assessment.
+- Works council consultation rights triggered by restructuring or technology deployment — escalate to local employment counsel; breach of consultation rights can void the action.
+- EDPB binding decision or national DPA enforcement action — escalate immediately.
+---
+## Sources (verified in this session)
+- GDPR text: https://eur-lex.europa.eu/eli/reg/2016/679/oj — loaded successfully; confirmed full regulation text.
+- European Commission data protection overview: https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en — loaded successfully; confirmed GDPR, LED, EUDPR framework, EDPB, EDPS roles.
+- EUR-Lex used for all EU legislative citations; verify instrument-specific URLs at https://eur-lex.europa.eu.

package/skills/legal/legal-counsel-review/references/jurisdictions/singapore.md ADDED Viewed

@@ -0,0 +1,76 @@
+# Singapore — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified Singapore-admitted counsel.
+Last verified: 2026-05-18
+---
+## Regime overview
+Singapore is a common-law jurisdiction. Contract law follows English common-law principles as received and developed locally. Data protection is governed by the Personal Data Protection Act 2012 (PDPA), as significantly amended in 2021, with ongoing subsidiary legislation and guidelines issued by the Personal Data Protection Commission (PDPC). Singapore has strict anti-corruption laws, a comprehensive competition framework, and a mandatory data-breach notification regime. Employment law is codified in the Employment Act 1968 and related statutes.
+> Note: The PDPC's official website (pdpc.gov.sg) returned incomplete content during this session's fetch attempts. All PDPA references below point to the official statute at statutes.agc.gov.sg or the Attorney-General's Chambers Singapore Statutes Online portal. Reviewers must verify current subsidiary legislation, PDPC advisory guidelines, and updated penalty figures directly at official sources.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Personal Data Protection Commission (PDPC) | PDPA enforcement; advisory guidelines; data-breach investigations | https://www.pdpc.gov.sg |
+| Competition and Consumer Commission of Singapore (CCCS) | Competition Act enforcement; consumer protection; merger review | https://www.cccs.gov.sg |
+| Monetary Authority of Singapore (MAS) | Financial services regulation; banking; securities; insurance; AML/CFT | https://www.mas.gov.sg |
+| Ministry of Manpower (MOM) | Employment Act; work-pass framework; foreign workers; workplace safety | https://www.mom.gov.sg |
+| Corrupt Practices Investigation Bureau (CPIB) | Prevention of Corruption Act enforcement; anti-bribery investigations | https://www.cpib.gov.sg |
+| Attorney-General's Chambers (AGC) | Legal advice to government; Singapore statutes online | https://www.agc.gov.sg |
+---
+## Primary statutes and regulations (verify current text at statutes.agc.gov.sg)
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020 | Collection, use, disclosure, and care of personal data by organisations; mandatory data-breach notification; data-portability obligation | https://statutes.agc.gov.sg — search "Personal Data Protection Act" |
+| PDPA subsidiary legislation and PDPC Advisory Guidelines | Detailed rules on consent, notification, access, correction, portability, and Do Not Call registry | https://www.pdpc.gov.sg/guidelines-and-consultation — verify current versions |
+| Employment Act 1968 (Cap. 91) | Core employment terms; salary; rest days; leave entitlements | https://statutes.agc.gov.sg — search "Employment Act" |
+| Prevention of Corruption Act (Cap. 241) | Anti-bribery; extraterritorial reach for Singapore citizens and residents | https://statutes.agc.gov.sg — search "Prevention of Corruption Act" |
+| Competition Act 2004 | Prohibition of anti-competitive agreements, abuse of dominance; merger notification | https://statutes.agc.gov.sg — search "Competition Act" |
+| Computer Misuse Act (Cap. 50A) | Unauthorised computer access and cybercrime | https://statutes.agc.gov.sg — search "Computer Misuse Act" |
+| Electronic Transactions Act 2010 | Electronic signatures; e-commerce; intermediary liability | https://statutes.agc.gov.sg — search "Electronic Transactions Act" |
+| Cybersecurity Act 2018 | Protection of critical information infrastructure (CII); incident reporting | https://statutes.agc.gov.sg — search "Cybersecurity Act" |
+---
+## Structural review checkpoints
+1. **PDPA territorial scope** — PDPA applies to organisations collecting, using, or disclosing personal data in Singapore, regardless of where the organisation is incorporated. Confirm whether the organisation falls within scope or a statutory exemption (e.g., individual personal or domestic use, employee data in employment context — note the employment-data exclusion has specific boundaries; verify with counsel).
+2. **Consent and purpose limitation** — the PDPA requires notification and consent (or a statutory exception) before collection, use, or disclosure. Flag purpose-limitation gaps — data collected for one purpose cannot generally be used for another without fresh consent or a recognised exception.
+3. **Data-breach mandatory notification** — the 2020 amendments introduced mandatory breach notification. Confirm current notification thresholds, timelines, and format against PDPC guidelines (pdpc.gov.sg). The reviewer should not state specific figures without confirming against current official guidance.
+4. **Do Not Call (DNC) registry** — check whether marketing communications have verified against the DNC registry before sending. Non-compliance is an enforcement priority.
+5. **Data portability obligation** — verify whether the organisation is subject to the portability obligation (turned on by ministerial order; confirm current status with counsel).
+6. **Employment and work-pass** — Singapore maintains a mandatory work-pass framework for foreign workers (Employment Pass, S Pass, Work Permit). Flag any staffing arrangement involving non-citizens; immigration breaches carry employer liability.
+7. **Anti-corruption** — the Prevention of Corruption Act covers both public-sector and private-sector corruption. Flag any payment, gift, or benefit that could be construed as inducement. The CPIB is an active enforcement body.
+8. **CII cybersecurity obligations** — if the organisation operates or is a supplier to a CII sector (energy, water, banking, healthcare, infocomm, media, land transport, maritime, aviation, security and emergency), the Cybersecurity Act imposes incident-reporting and audit obligations. Verify with counsel.
+9. **MAS regulatory obligations** — for financial-services entities, MAS issues binding notices and guidelines (e.g., MAS Notice 655 on cybersecurity for banks — verify current notices at mas.gov.sg). Regulatory notices have force of law.
+10. **Contract formation and governing law** — Singapore courts apply English common-law contract principles. Confirm choice-of-law and arbitration clauses; Singapore International Arbitration Centre (SIAC) is a common forum.
+---
+## Escalation triggers (Singapore-specific)
+- Personal-data breach meeting PDPA mandatory notification threshold — escalate immediately to privacy counsel and DPO; notify PDPC within the required timeframe (verify current threshold and timeline with counsel against https://www.pdpc.gov.sg).
+- Prevention of Corruption Act suspicion — escalate before any internal investigation step; self-reporting procedures and cooperation with CPIB can affect outcomes.
+- Work-pass violation or illegal employment — escalate to immigration counsel immediately; employer liability is direct.
+- MAS regulatory investigation or MAS Notice breach — escalate to financial-services regulatory counsel.
+- CII-sector cybersecurity incident — escalate to counsel; Commissioner of Cybersecurity notification obligation applies.
+- CCCS merger pre-notification assessment — confirm whether voluntary or mandatory filing is appropriate; escalate to M&A counsel for threshold assessment.
+- SIAC arbitration commencement — escalate to Singapore-admitted litigation counsel.
+---
+## Sources (verified in this session)
+- PDPC website (pdpc.gov.sg): returned incomplete/loading page in this session — reviewer must access directly. Reviewer should verify all PDPA subsidiary legislation and PDPC guidelines at https://www.pdpc.gov.sg.
+- Singapore statutes: https://statutes.agc.gov.sg — the official Attorney-General's Chambers Singapore Statutes Online portal; all statute citations should be verified here. This URL returned 403 in this session; use the AGC portal directly.
+- Regulator websites (cccs.gov.sg, mas.gov.sg, mom.gov.sg, cpib.gov.sg) confirmed as official government sources; verify individual page availability before citing.

package/skills/legal/legal-counsel-review/references/jurisdictions/uk.md ADDED Viewed

@@ -0,0 +1,81 @@
+# United Kingdom — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified UK-qualified counsel (England and Wales, Scotland, and Northern Ireland have distinct legal systems).
+Last verified: 2026-05-18
+---
+## Regime overview
+Following Brexit, the UK operates its own data-protection regime distinct from the EU's, centred on the UK GDPR (a retained version of EU GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner's Office (ICO) is the independent regulator. Contract law is common law (England and Wales: Contract Act principles; Scots law differs). Employment law combines statutory rights and common law. The UK Bribery Act 2010 has wide extraterritorial reach.
+The DPA 2018 is confirmed up to date as of 18 May 2026 at legislation.gov.uk (verified in this session). Recent amendments through 2025–2026 affect automated decision-making and international transfers — verify current text with counsel.
+---
+## Primary regulators and authorities
+| Regulator | Role | Official source |
+|-----------|------|-----------------|
+| Information Commissioner's Office (ICO) | UK GDPR and DPA 2018 enforcement; guidance; international transfer adequacy | https://ico.org.uk |
+| Competition and Markets Authority (CMA) | Antitrust; merger control; consumer law | https://www.gov.uk/government/organisations/competition-and-markets-authority |
+| Financial Conduct Authority (FCA) | Financial services regulation; consumer duty; market conduct | https://www.fca.org.uk |
+| Prudential Regulation Authority (PRA) | Prudential supervision of banks, insurers | https://www.bankofengland.co.uk/prudential-regulation |
+| Employment Tribunal system | Statutory employment claims; unfair dismissal; discrimination | https://www.gov.uk/courts-tribunals/employment-tribunal |
+| Serious Fraud Office (SFO) | Fraud; bribery; corruption — including UK Bribery Act investigations | https://www.sfo.gov.uk |
+| National Cyber Security Centre (NCSC) | Cyber incident guidance; not a regulator but key resource | https://www.ncsc.gov.uk |
+---
+## Primary statutes and regulations (verify current text and amendments at legislation.gov.uk)
+| Statute / Instrument | Scope | Official source |
+|---------------------|-------|-----------------|
+| UK GDPR (retained Regulation (EU) 2016/679, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and subsequent instruments) | Personal data processing; supplements and must be read with DPA 2018 | Verify current consolidated text via ICO guidance at https://ico.org.uk or legislation.gov.uk |
+| Data Protection Act 2018 (c. 12) | Supplements UK GDPR; law enforcement processing (Part 3); intelligence services processing (Part 4); exemptions and schedules | https://www.legislation.gov.uk/ukpga/2018/12/contents |
+| Privacy and Electronic Communications Regulations 2003 (PECR) | Electronic marketing; cookies; traffic data; electronic communications services | https://www.legislation.gov.uk/uksi/2003/2426/contents |
+| UK Bribery Act 2010 | Anti-bribery; adequate-procedures defence for commercial organisations; wide extraterritorial reach | https://www.legislation.gov.uk/ukpga/2010/23/contents |
+| Equality Act 2010 | Employment discrimination; harassment; nine protected characteristics | https://www.legislation.gov.uk/ukpga/2010/15/contents |
+| Employment Rights Act 1996 (as amended) | Unfair dismissal; wrongful dismissal; statutory rights | https://www.legislation.gov.uk/ukpga/1996/18/contents |
+| National Minimum Wage Act 1998 | Minimum wage obligations | https://www.legislation.gov.uk/ukpga/1998/39/contents |
+| Enterprise Act 2002 | Merger control; market investigations; antitrust offences | https://www.legislation.gov.uk/ukpga/2002/40/contents |
+| Computer Misuse Act 1990 (as amended) | Unauthorised computer access; cybercrime | https://www.legislation.gov.uk/ukpga/1990/18/contents |
+| Network and Information Systems (NIS) Regulations 2018 (as amended) | Cybersecurity obligations for operators of essential services and digital service providers — verify NIS2 UK equivalent status with counsel | https://www.legislation.gov.uk/uksi/2018/506/contents |
+---
+## Structural review checkpoints
+1. **UK GDPR territorial scope** — confirm whether UK GDPR applies: (a) establishment in the UK, or (b) offering goods/services to UK data subjects, or (c) monitoring behaviour in the UK.
+2. **Legal basis for processing** — identify UK GDPR Article 6 basis. For special-category data (Article 9 + DPA 2018 Schedule 1), confirm the additional condition and any statutory instrument. Verify against current ICO guidance at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/.
+3. **International data transfers** — post-Brexit, EU-to-UK transfers rely on the EU adequacy decision for the UK (verify current status — adequacy decisions have finite terms). UK-to-other-country transfers require UK-approved transfer mechanisms (UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs). Verify current approved mechanisms via ICO.
+4. **Data breach notification** — UK GDPR Article 33 requires notification to the ICO within 72 hours of awareness where feasible. Confirm current ICO reporting portal at https://ico.org.uk/for-organisations/report-a-breach/.
+5. **PECR compliance** — check cookie consent, electronic marketing consent, and soft opt-in rules. ICO has enforcement history in this area.
+6. **UK Bribery Act adequate procedures** — if commercial organisation, confirm whether documented adequate-procedures defence exists. Hospitality, facilitation payments (no facilitation-payment exception in UK Bribery Act — unlike FCPA), and payments to foreign officials are all in scope.
+7. **Employment baseline** — confirm worker classification (employee / worker / independent contractor — the UK three-category system differs from US two-category). Check day-one rights (written statement of particulars), unfair-dismissal qualifying period (verify current threshold with counsel), and TUPE applicability for business transfers.
+8. **Discrimination and harassment** — nine protected characteristics under Equality Act 2010 (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation). Employers have a duty to prevent sexual harassment (Worker Protection (Amendment of Equality Act 2010) Act 2023 — verify current obligations with counsel).
+9. **Merger control** — CMA has jurisdiction over transactions meeting UK share-of-supply or turnover thresholds. Verify current thresholds with M&A counsel; Brexit means separate UK and EU filings may both be required.
+10. **DPA 2018 exemptions** — flag use of research, journalism, legal professional privilege, or national-security exemptions; each has conditions that must be verified with counsel.
+---
+## Escalation triggers (UK-specific)
+- UK GDPR personal-data breach with risk to individuals — 72-hour ICO notification clock; escalate immediately to UK privacy counsel.
+- UK Bribery Act suspicion (including facilitation payments, which have no exception under UK law) — escalate before any internal investigation step; SFO deferred-prosecution agreement regime applies.
+- SFO investigation or dawn raid — escalate to UK criminal defence and white-collar counsel immediately; do not destroy documents.
+- TUPE transfer triggered by outsourcing or acquisition — escalate to UK employment counsel; failure to inform and consult is a strict-liability claim.
+- Redundancy / collective dismissal — statutory collective consultation obligations (verify current thresholds with employment counsel); failure triggers unlimited compensation.
+- UK adequacy decision for EU-to-UK transfers — monitor for renewal or lapse; transfer mechanism failures are ongoing violations.
+- FCA consumer duty or conduct-of-business breach — escalate to UK financial-services regulatory counsel.
+- NIS Regulations incident notification obligation triggered — escalate; verify applicable competent authority and timeline with counsel.
+---
+## Sources (verified in this session)
+- Data Protection Act 2018 full text: https://www.legislation.gov.uk/ukpga/2018/12/contents — loaded successfully; confirmed four-part structure and up-to-date status as of 18 May 2026.
+- Data Protection Act 2018 Part 2: https://www.legislation.gov.uk/ukpga/2018/12/part/2 — loaded successfully; confirmed UK GDPR supplementation, controller definitions, lawfulness provisions, and 2025–2026 amendments.
+- ICO URLs (ico.org.uk) returned 403 in this session — reviewer must access ICO guidance directly at https://ico.org.uk; do not rely on cached content.
+- All legislation.gov.uk statute URLs are official UK government sources.

package/skills/legal/legal-counsel-review/references/jurisdictions/us.md ADDED Viewed

@@ -0,0 +1,100 @@
+# United States — Legal Review Reference Map
+> **Disclaimer.** This file is a review map — a structured checklist of where to look, not a statement of current law. Content may be out of date. Every point must be verified against current official sources. Jurisdiction-specific conclusions require qualified US counsel.
+Last verified: 2026-05-18
+---
+## Regime overview
+The US has no single federal omnibus privacy or data-protection statute. The legal landscape is a patchwork of federal sectoral laws, state comprehensive privacy acts, and state consumer-protection regimes. Contract law is primarily state common law (Restatement of Contracts; UCC Article 2 for goods). Federal and state regulatory bodies each have independent enforcement authority.
+---
+## Primary regulators and authorities
+| Regulator | Jurisdiction / Focus | Official source |
+|-----------|---------------------|-----------------|
+| Federal Trade Commission (FTC) | Unfair or deceptive trade practices; privacy and security enforcement for most commercial entities | https://www.ftc.gov |
+| Department of Justice (DOJ) | Criminal enforcement; FCPA; antitrust (with FTC); export controls | https://www.justice.gov |
+| Securities and Exchange Commission (SEC) | Public-company disclosure; cybersecurity incident disclosure; insider trading | https://www.sec.gov |
+| Department of Labor (DOL) | Wage-and-hour (FLSA); ERISA; OSHA | https://www.dol.gov |
+| Equal Employment Opportunity Commission (EEOC) | Employment discrimination; harassment | https://www.eeoc.gov |
+| Office for Civil Rights (OCR), HHS | HIPAA health-data enforcement | https://www.hhs.gov/hipaa |
+| Office of Foreign Assets Control (OFAC) | Sanctions compliance | https://ofac.treas.gov |
+| Bureau of Industry and Security (BIS) | Export Administration Regulations (EAR) | https://www.bis.gov |
+| State Attorneys General | State privacy acts (CCPA/CPRA, etc.); consumer protection; data-breach notification | Varies by state |
+| California Privacy Protection Agency (CPPA) | CCPA/CPRA enforcement | https://cppa.ca.gov |
+---
+## Primary statutes and regulations (verify current text and amendments)
+### Federal — sectoral
+| Statute / Regulation | Scope | Official source |
+|---------------------|-------|-----------------|
+| Federal Trade Commission Act, § 5 | Unfair or deceptive acts; primary privacy enforcement lever for non-covered entities | https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act |
+| Health Insurance Portability and Accountability Act (HIPAA) + HITECH | Health information — covered entities and business associates | https://www.hhs.gov/hipaa/for-professionals/index.html |
+| Gramm-Leach-Bliley Act (GLBA) | Financial institutions — consumer financial data | https://www.ftc.gov/legal-library/browse/statutes/gramm-leach-bliley-act |
+| Family Educational Rights and Privacy Act (FERPA) | Student education records | https://studentprivacy.ed.gov |
+| Children's Online Privacy Protection Act (COPPA) | Online data collection from children under 13 | https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa |
+| Fair Credit Reporting Act (FCRA) | Consumer reporting agencies; background checks | https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act |
+| Electronic Communications Privacy Act (ECPA) | Interception; stored communications; pen registers | https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119 |
+| Computer Fraud and Abuse Act (CFAA) | Unauthorized computer access; cybercrime | https://www.law.cornell.edu/uscode/text/18/1030 |
+| Foreign Corrupt Practices Act (FCPA) | Anti-bribery; books-and-records | https://www.justice.gov/criminal/criminal-fraud/fcpa |
+| Fair Labor Standards Act (FLSA) | Minimum wage; overtime; child labor | https://www.dol.gov/agencies/whd/flsa |
+| SEC Cybersecurity Disclosure Rules (2023) | Material cybersecurity incident disclosure; risk-management governance | https://www.sec.gov/corpfin/cybersecurity |
+### State — privacy (representative; verify full list against current enactments)
+| Statute | State | Official source |
+|---------|-------|-----------------|
+| California Consumer Privacy Act / CPRA (Cal. Civ. Code § 1798.100 et seq.) | California | https://oag.ca.gov/privacy/ccpa |
+| Virginia Consumer Data Protection Act (VCDPA) | Virginia | Verify at https://law.lis.virginia.gov |
+| Colorado Privacy Act (CPA) | Colorado | Verify at https://coag.gov/resources/data-privacy-laws/ |
+| Connecticut Data Privacy Act (CTDPA) | Connecticut | Verify at https://portal.ct.gov |
+| Texas Data Privacy and Security Act (TDPSA) | Texas | Verify at https://capitol.texas.gov |
+> Many additional state acts have been enacted or amended since mid-2024. The reviewer must verify the current list of enacted state privacy laws against official state sources or a current legal-counsel summary before any compliance conclusion.
+### Data-breach notification
+All 50 US states have data-breach notification laws. Timelines, covered data types, and thresholds vary. Verify the applicable state law(s) for each breach scenario at the state attorney general's official website.
+---
+## Structural review checkpoints
+1. **Governing law and forum selection** — identify the stated choice of law and venue. Flag if the clause conflicts with mandatory local law in either party's jurisdiction.
+2. **Entity and regulator mapping** — determine which federal and state regulators have jurisdiction over the entity, the data types processed, and the sector.
+3. **Privacy and data protection** — identify data types (health, financial, children's, biometric, precise geolocation, credentials). Map to applicable sectoral or state law. Flag if cross-border transfers are involved.
+4. **Employment matters** — classify the worker (employee, independent contractor, gig). Check state classification rules (California AB 5 criteria differ from federal FLSA). Flag wage-and-hour, non-compete enforceability (FTC rule status — verify current status with counsel), and restrictive covenants.
+5. **Sanctions and export controls** — flag any counterparty, transaction, technology, or geography that could touch OFAC SDN lists or BIS EAR/ITAR controls. Verify against official lists at https://ofac.treas.gov and https://www.bis.gov.
+6. **Anti-bribery** — flag any payment to a foreign government official or intermediary. Apply FCPA analysis; confirm whether UK Bribery Act or local law also applies.
+7. **Public-company disclosure** — flag material cybersecurity incidents (SEC 8-K 4-business-day rule), material contract changes, and related-party transactions.
+8. **Dispute resolution** — note arbitration clauses, class-action waivers, and jury-trial waivers. Check enforceability under applicable state law (some states limit these in employment and consumer contexts).
+9. **Limitation of liability and indemnification** — verify whether caps apply to IP indemnity, data-breach indemnity, or gross-negligence/willful-misconduct carve-outs.
+10. **Records and retention** — identify applicable retention obligations under the matter's sector, litigation hold status, and state destruction requirements.
+---
+## Escalation triggers (US-specific)
+- Any matter touching OFAC-designated parties, countries, or transactions — escalate immediately; penalties are strict liability.
+- FCPA suspicion — escalate to counsel before any internal investigation step that could impair privilege or obstruct.
+- HIPAA breach with more than 500 individuals affected — 60-day HHS OCR notification clock; confirm current rule with counsel.
+- SEC material cybersecurity incident — 4-business-day 8-K disclosure clock; confirm current rule and materiality threshold with counsel.
+- Class-action demand, PAGA notice (California), EEOC charge, or DOL investigation — escalate immediately.
+- Non-compete or trade-secret matter in California — California's near-total ban on non-competes is well-established; confirm current FTC rule status with counsel.
+- Immigration / work-authorization issue for any employee — escalate to immigration counsel.
+- Proposed acquisition or investment touching US critical infrastructure or technology — flag for CFIUS review; verify thresholds with M&A counsel.
+---
+## Sources (verified in this session)
+- California AG CCPA page: https://oag.ca.gov/privacy/ccpa — loaded successfully; confirmed CCPA/CPRA scope, business thresholds, and enforcement structure.
+- Cornell LII Wex legal dictionary: https://www.law.cornell.edu/wex — loaded successfully; confirmed as free US legal reference.
+- FTC, DOJ, SEC, DOL, EEOC, HHS official domain URLs confirmed accessible in prior sessions; verify individual pages before citing in advice.

package/skills/legal/legal-counsel-review/references/workflow-and-output.md ADDED Viewed

@@ -0,0 +1,148 @@
+# Workflow and Output Contract
+## Workflow
+### Step 1 — Define the legal question
+State the legal question in one sentence before doing anything else. If the user's intake is ambiguous, draft a candidate question and confirm before proceeding.
+### Step 2 — Identify context
+Collect from the provided material (do not ask for more than necessary):
+- Jurisdiction(s) and governing-law clause, if stated
+- Entity type, business unit, and counterparty identity (redacted if needed)
+- Document type (contract, policy, regulatory filing, intake memo, other)
+- Effective dates, notice periods, and material deadlines
+- Any regulatory regime named or implied
+Flag any of these as Unknown if not provided — do not assume.
+### Step 3 — List missing material facts
+Before analysis, identify every fact whose absence materially changes the risk rating. Label these "open questions". Do not substitute an assumption for a missing material fact; state the assumption explicitly and note how it affects the rating.
+### Step 4 — Separate facts, assumptions, inferences, and open questions
+Organize all claims into four labelled buckets:
+- **Facts provided** — directly stated in the supplied material
+- **Assumptions** — plausible but unverified; state the basis
+- **Inferences** — logical conclusions drawn from facts; state the reasoning
+- **Open questions** — material facts not provided; escalate or flag Unknown until resolved
+### Step 5 — Identify the risk domain
+Select the primary domain(s) from:
+contract | privacy | employment | IP | regulatory | litigation | competition | sanctions | procurement | finance | public-company disclosure | cybersecurity | records retention | other
+Note when a matter spans multiple domains — multi-domain matters almost always require multi-discipline counsel.
+### Step 6 — Identify the decision owner
+Map the matter to the appropriate owner(s):
+legal counsel | compliance | HR | security | procurement | finance | board / audit committee | privacy office / DPO | executive sponsor
+Where ownership is unclear, flag it — unowned risk items are not actioned.
+### Step 7 — Adversarial stress test
+Analyze adverse scenarios from every realistic vantage point:
+- **Worst-case legal interpretation** — how would the most aggressive opposing counsel read this?
+- **Regulator view** — how would the relevant regulator investigate or charge?
+- **Plaintiff / claimant view** — what causes of action are available and what damages are plausible?
+- **Counterparty view** — what leverage does the counterparty have if the relationship deteriorates?
+- **Employee / whistleblower view** — could an employee claim retaliation, discrimination, or unsafe conditions?
+- **Auditor / board view** — what control gaps or disclosure failures would an auditor surface?
+- **Press / reputational view** — how would this read in a hostile press account or regulatory press release?
+### Step 8 — Rate risk
+Assign a severity to each identified issue:
+| Rating | Meaning |
+|--------|---------|
+| Critical | Immediate legal exposure, regulatory violation, or safety risk requiring escalation before any action |
+| High | Significant legal or financial exposure; proceed only with counsel review and documented controls |
+| Medium | Manageable exposure with documented mitigations; flag for counsel awareness |
+| Low | Minor or speculative; document and monitor |
+| Unknown | Insufficient jurisdiction or material facts to rate — escalate or obtain facts before proceeding |
+**Unknown is mandatory** when jurisdiction, governing law, or material facts are missing or ambiguous. Do not assign a lower rating to paper over an unknown.
+### Step 9 — Provide safe options
+Do not recommend a single overconfident action. Offer two or more options that:
+- Preserve decision authority for counsel
+- Are graded by risk tolerance
+- Identify what additional information would change the recommendation
+### Step 10 — Specify evidence that would change the conclusion
+For each rated issue, state explicitly what additional facts, documents, or expert input would move the rating up or down. This drives the escalation and due-diligence checklist.
+### Step 11 — Recommend escalation
+Recommend escalation to qualified local counsel when any of the following apply:
+- The matter is jurisdiction-specific and the applicable law has not been verified in this session
+- The matter involves employment, termination, retaliation, discrimination, harassment, wage-and-hour, or immigration
+- Litigation is threatened, pending, or reasonably foreseeable
+- A regulatory notification or filing obligation may be triggered
+- The matter is financially material or involves board-level disclosure
+- Any issue is rated Critical or Unknown and cannot be resolved from the provided material
+- Privilege needs to be established or protected
+---
+## Output
+Return findings in this structure:
+```
+## Verdict
+<one of: proceed | proceed with controls | pause | escalate | insufficient evidence>
+<one sentence explaining the verdict>
+## Brutal assessment
+<2-4 sentences — the hardest honest read of the risk, without softening>
+## Facts provided
+- <fact directly stated in the supplied material>
+## Assumptions and unsupported claims
+- <assumption — basis stated>
+## Legal and risk issues
+- [Issue ID] <issue name>: <description> — <evidence or assumption basis>
+## Adversarial stress test
+- Regulator: <view>
+- Plaintiff / claimant: <view>
+- Counterparty: <view>
+- Employee / whistleblower: <view>
+- Auditor / board: <view>
+- Press: <view>
+## Risk rating table
+| Issue | Severity | Evidence | Consequence | Owner | Mitigation |
+|-------|----------|----------|-------------|-------|------------|
+| <issue> | Critical/High/Medium/Low/Unknown | <basis> | <consequence> | <owner> | <mitigation> |
+## Safe next actions
+1. <action — maps to evidence or stated assumption>
+2. <action>
+## Escalation trigger
+<condition(s) under which this matter must be escalated to qualified counsel before any further action>
+## Questions counsel must answer before approval
+- <question>
+```
+---
+## Security notes
+- Never request or accept secrets, credentials, PII, employee medical detail, trade secrets, or customer data. Ask for redacted or sanitized excerpts with placeholders.
+- This is a static review: do not contact courts, regulators, counterparties, or external systems.
+- Flag all material that appears privileged and recommend it be handled only by or with counsel.
+- Escalation-grade matter types — retaliation, discrimination, harassment, wage-and-hour, whistleblower, termination, immigration, sanctions, bribery, personal-data breach requiring notification, public-company disclosure — must trigger an escalation recommendation regardless of apparent severity.
+- Never issue a verdict of "proceed" on an Unknown-rated issue. Unknown means escalate or gather facts first.

package/tests/fixtures/dotnet-maestro-routing/expected/01-csharp-runtime.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-csharp-runtime-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/02-aspnetcore-api.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-aspnetcore-api-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/03-identity-authz.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-aspnetcore-identity-authz-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/04-efcore-data.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-efcore-data-access-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/05-testing-quality.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-testing-quality-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/06-supply-chain.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-supply-chain-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/07-performance-aot.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-performance-aot-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/08-observability-otel.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-observability-otel-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/09-aspire-cloud-native.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-aspire-cloud-native-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/10-multi-domain.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "route": [
+    "dotnet-aspnetcore-identity-authz-review-agent",
+    "dotnet-efcore-data-access-review-agent"
+  ],
+  "mode": "parallel (2)"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/11-ambiguous.json ADDED Viewed

@@ -0,0 +1,4 @@
+{
+  "route": [],
+  "mode": "unclassified"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/adv-ambiguous-near-miss.json ADDED Viewed

@@ -0,0 +1,4 @@
+{
+  "route": [],
+  "mode": "unclassified"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/adv-instruction-injection.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-csharp-runtime-review-agent"
+  ],
+  "mode": "single"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/adv-live-guard-bypass.json ADDED Viewed

@@ -0,0 +1,4 @@
+{
+  "route": [],
+  "mode": "live-guard-gate"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/adv-parallel-saturation.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "route": [
+    "dotnet-aspire-cloud-native-review-agent",
+    "dotnet-aspnetcore-api-review-agent",
+    "dotnet-csharp-runtime-review-agent",
+    "dotnet-efcore-data-access-review-agent"
+  ],
+  "mode": "parallel (4)"
+}

package/tests/fixtures/dotnet-maestro-routing/expected/adv-persona-replacement.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "route": [
+    "dotnet-efcore-data-access-review-agent"
+  ],
+  "mode": "single"
+}