@raishin/vanguard-frontier-agentic 2.11.0 → 2.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (756) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +41 -1
  3. package/.cursor-plugin/plugin.json +41 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +11 -11
  6. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/AGENT.md +57 -0
  7. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/claude-code.agent.md +37 -0
  8. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/codex.toml +30 -0
  9. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/copilot.agent.md +31 -0
  10. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/cursor.agent.md +29 -0
  11. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/gemini.agent.md +29 -0
  12. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  13. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  14. package/agents/sap/sap-abap-cloud-rap-reviewer-agent/metadata.json +46 -0
  15. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/AGENT.md +58 -0
  16. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/claude-code.agent.md +38 -0
  17. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/codex.toml +31 -0
  18. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/copilot.agent.md +32 -0
  19. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/cursor.agent.md +30 -0
  20. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/gemini.agent.md +30 -0
  21. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  22. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/harnesses/kiro-ide.agent.md +30 -0
  23. package/agents/sap/sap-ai-core-genai-hub-governance-reviewer-agent/metadata.json +40 -0
  24. package/agents/sap/sap-analytics-cloud-planning-governance-agent/AGENT.md +58 -0
  25. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/claude-code.agent.md +37 -0
  26. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/codex.toml +30 -0
  27. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/copilot.agent.md +31 -0
  28. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/cursor.agent.md +29 -0
  29. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/gemini.agent.md +29 -0
  30. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/kiro-cli.agent.json +1 -0
  31. package/agents/sap/sap-analytics-cloud-planning-governance-agent/harnesses/kiro-ide.agent.md +29 -0
  32. package/agents/sap/sap-analytics-cloud-planning-governance-agent/metadata.json +45 -0
  33. package/agents/sap/sap-audit-evidence-packager-agent/AGENT.md +58 -0
  34. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/claude-code.agent.md +38 -0
  35. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/codex.toml +30 -0
  36. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/copilot.agent.md +33 -0
  37. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/cursor.agent.md +31 -0
  38. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/gemini.agent.md +31 -0
  39. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/kiro-cli.agent.json +1 -0
  40. package/agents/sap/sap-audit-evidence-packager-agent/harnesses/kiro-ide.agent.md +31 -0
  41. package/agents/sap/sap-audit-evidence-packager-agent/metadata.json +45 -0
  42. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/AGENT.md +58 -0
  43. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/claude-code.agent.md +37 -0
  44. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/codex.toml +30 -0
  45. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/copilot.agent.md +31 -0
  46. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/cursor.agent.md +29 -0
  47. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/gemini.agent.md +29 -0
  48. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  49. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  50. package/agents/sap/sap-btp-account-entitlement-governance-reviewer-agent/metadata.json +44 -0
  51. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/AGENT.md +70 -0
  52. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/claude-code.agent.md +51 -0
  53. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/codex.toml +42 -0
  54. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/copilot.agent.md +36 -0
  55. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/cursor.agent.md +33 -0
  56. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/gemini.agent.md +33 -0
  57. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/kiro-cli.agent.json +1 -0
  58. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/harnesses/kiro-ide.agent.md +33 -0
  59. package/agents/sap/sap-btp-entitlement-guarded-operator-agent/metadata.json +41 -0
  60. package/agents/sap/sap-cap-architecture-reviewer-agent/AGENT.md +57 -0
  61. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/claude-code.agent.md +37 -0
  62. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/codex.toml +30 -0
  63. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/copilot.agent.md +31 -0
  64. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/cursor.agent.md +29 -0
  65. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/gemini.agent.md +29 -0
  66. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  67. package/agents/sap/sap-cap-architecture-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  68. package/agents/sap/sap-cap-architecture-reviewer-agent/metadata.json +42 -0
  69. package/agents/sap/sap-clean-core-debt-reviewer-agent/AGENT.md +58 -0
  70. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/claude-code.agent.md +38 -0
  71. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/codex.toml +31 -0
  72. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/copilot.agent.md +31 -0
  73. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/cursor.agent.md +29 -0
  74. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/gemini.agent.md +29 -0
  75. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  76. package/agents/sap/sap-clean-core-debt-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  77. package/agents/sap/sap-clean-core-debt-reviewer-agent/metadata.json +45 -0
  78. package/agents/sap/sap-cloud-alm-sre-incident-agent/AGENT.md +59 -0
  79. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/claude-code.agent.md +38 -0
  80. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/codex.toml +30 -0
  81. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/copilot.agent.md +32 -0
  82. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/cursor.agent.md +30 -0
  83. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/gemini.agent.md +30 -0
  84. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/kiro-cli.agent.json +1 -0
  85. package/agents/sap/sap-cloud-alm-sre-incident-agent/harnesses/kiro-ide.agent.md +30 -0
  86. package/agents/sap/sap-cloud-alm-sre-incident-agent/metadata.json +42 -0
  87. package/agents/sap/sap-custom-code-remediation-reviewer-agent/AGENT.md +60 -0
  88. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/claude-code.agent.md +39 -0
  89. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/codex.toml +29 -0
  90. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/copilot.agent.md +31 -0
  91. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/cursor.agent.md +29 -0
  92. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/gemini.agent.md +29 -0
  93. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/sap/sap-custom-code-remediation-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  95. package/agents/sap/sap-custom-code-remediation-reviewer-agent/metadata.json +45 -0
  96. package/agents/sap/sap-data-migration-cutover-readiness-agent/AGENT.md +67 -0
  97. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/claude-code.agent.md +46 -0
  98. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/codex.toml +30 -0
  99. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/copilot.agent.md +32 -0
  100. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/cursor.agent.md +30 -0
  101. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/gemini.agent.md +30 -0
  102. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/kiro-cli.agent.json +1 -0
  103. package/agents/sap/sap-data-migration-cutover-readiness-agent/harnesses/kiro-ide.agent.md +30 -0
  104. package/agents/sap/sap-data-migration-cutover-readiness-agent/metadata.json +44 -0
  105. package/agents/sap/sap-datasphere-data-product-architect-agent/AGENT.md +58 -0
  106. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/claude-code.agent.md +37 -0
  107. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/codex.toml +30 -0
  108. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/copilot.agent.md +31 -0
  109. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/cursor.agent.md +29 -0
  110. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/gemini.agent.md +29 -0
  111. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/kiro-cli.agent.json +1 -0
  112. package/agents/sap/sap-datasphere-data-product-architect-agent/harnesses/kiro-ide.agent.md +29 -0
  113. package/agents/sap/sap-datasphere-data-product-architect-agent/metadata.json +45 -0
  114. package/agents/sap/sap-ewm-tm-logistics-execution-agent/AGENT.md +59 -0
  115. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/claude-code.agent.md +38 -0
  116. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/codex.toml +30 -0
  117. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/copilot.agent.md +32 -0
  118. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/cursor.agent.md +30 -0
  119. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/gemini.agent.md +30 -0
  120. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/kiro-cli.agent.json +1 -0
  121. package/agents/sap/sap-ewm-tm-logistics-execution-agent/harnesses/kiro-ide.agent.md +30 -0
  122. package/agents/sap/sap-ewm-tm-logistics-execution-agent/metadata.json +44 -0
  123. package/agents/sap/sap-finance-fico-controls-agent/AGENT.md +59 -0
  124. package/agents/sap/sap-finance-fico-controls-agent/harnesses/claude-code.agent.md +38 -0
  125. package/agents/sap/sap-finance-fico-controls-agent/harnesses/codex.toml +30 -0
  126. package/agents/sap/sap-finance-fico-controls-agent/harnesses/copilot.agent.md +32 -0
  127. package/agents/sap/sap-finance-fico-controls-agent/harnesses/cursor.agent.md +30 -0
  128. package/agents/sap/sap-finance-fico-controls-agent/harnesses/gemini.agent.md +30 -0
  129. package/agents/sap/sap-finance-fico-controls-agent/harnesses/kiro-cli.agent.json +1 -0
  130. package/agents/sap/sap-finance-fico-controls-agent/harnesses/kiro-ide.agent.md +30 -0
  131. package/agents/sap/sap-finance-fico-controls-agent/metadata.json +45 -0
  132. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/AGENT.md +58 -0
  133. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/claude-code.agent.md +37 -0
  134. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/codex.toml +29 -0
  135. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/copilot.agent.md +32 -0
  136. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/cursor.agent.md +30 -0
  137. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/gemini.agent.md +30 -0
  138. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  139. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/harnesses/kiro-ide.agent.md +30 -0
  140. package/agents/sap/sap-fiori-ui5-ux-reviewer-agent/metadata.json +39 -0
  141. package/agents/sap/sap-guarded-transport-import-operator-agent/AGENT.md +70 -0
  142. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/claude-code.agent.md +51 -0
  143. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/codex.toml +41 -0
  144. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/copilot.agent.md +36 -0
  145. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/cursor.agent.md +33 -0
  146. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/gemini.agent.md +33 -0
  147. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/kiro-cli.agent.json +1 -0
  148. package/agents/sap/sap-guarded-transport-import-operator-agent/harnesses/kiro-ide.agent.md +33 -0
  149. package/agents/sap/sap-guarded-transport-import-operator-agent/metadata.json +45 -0
  150. package/agents/sap/sap-hana-cloud-performance-cost-agent/AGENT.md +58 -0
  151. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/claude-code.agent.md +37 -0
  152. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/codex.toml +30 -0
  153. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/copilot.agent.md +31 -0
  154. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/cursor.agent.md +29 -0
  155. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/gemini.agent.md +29 -0
  156. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/kiro-cli.agent.json +1 -0
  157. package/agents/sap/sap-hana-cloud-performance-cost-agent/harnesses/kiro-ide.agent.md +29 -0
  158. package/agents/sap/sap-hana-cloud-performance-cost-agent/metadata.json +43 -0
  159. package/agents/sap/sap-hypercare-incident-commander-agent/AGENT.md +59 -0
  160. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/claude-code.agent.md +38 -0
  161. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/codex.toml +30 -0
  162. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/copilot.agent.md +32 -0
  163. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/cursor.agent.md +30 -0
  164. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/gemini.agent.md +30 -0
  165. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/kiro-cli.agent.json +1 -0
  166. package/agents/sap/sap-hypercare-incident-commander-agent/harnesses/kiro-ide.agent.md +30 -0
  167. package/agents/sap/sap-hypercare-incident-commander-agent/metadata.json +42 -0
  168. package/agents/sap/sap-integration-flow-guarded-operator-agent/AGENT.md +70 -0
  169. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/claude-code.agent.md +51 -0
  170. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/codex.toml +41 -0
  171. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/copilot.agent.md +36 -0
  172. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/cursor.agent.md +33 -0
  173. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/gemini.agent.md +33 -0
  174. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/kiro-cli.agent.json +1 -0
  175. package/agents/sap/sap-integration-flow-guarded-operator-agent/harnesses/kiro-ide.agent.md +33 -0
  176. package/agents/sap/sap-integration-flow-guarded-operator-agent/metadata.json +41 -0
  177. package/agents/sap/sap-integration-suite-reviewer-agent/AGENT.md +57 -0
  178. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/claude-code.agent.md +37 -0
  179. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/codex.toml +30 -0
  180. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/copilot.agent.md +31 -0
  181. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/cursor.agent.md +29 -0
  182. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/gemini.agent.md +29 -0
  183. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  184. package/agents/sap/sap-integration-suite-reviewer-agent/harnesses/kiro-ide.agent.md +29 -0
  185. package/agents/sap/sap-integration-suite-reviewer-agent/metadata.json +43 -0
  186. package/agents/sap/sap-joule-governance-adoption-agent/AGENT.md +59 -0
  187. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/claude-code.agent.md +38 -0
  188. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/codex.toml +30 -0
  189. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/copilot.agent.md +32 -0
  190. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/cursor.agent.md +30 -0
  191. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/gemini.agent.md +30 -0
  192. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/kiro-cli.agent.json +1 -0
  193. package/agents/sap/sap-joule-governance-adoption-agent/harnesses/kiro-ide.agent.md +30 -0
  194. package/agents/sap/sap-joule-governance-adoption-agent/metadata.json +42 -0
  195. package/agents/sap/sap-license-btp-consumption-finops-agent/AGENT.md +58 -0
  196. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/claude-code.agent.md +37 -0
  197. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/codex.toml +30 -0
  198. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/copilot.agent.md +31 -0
  199. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/cursor.agent.md +29 -0
  200. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/gemini.agent.md +29 -0
  201. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/kiro-cli.agent.json +1 -0
  202. package/agents/sap/sap-license-btp-consumption-finops-agent/harnesses/kiro-ide.agent.md +29 -0
  203. package/agents/sap/sap-license-btp-consumption-finops-agent/metadata.json +42 -0
  204. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/AGENT.md +60 -0
  205. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/claude-code.agent.md +40 -0
  206. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/codex.toml +31 -0
  207. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/copilot.agent.md +32 -0
  208. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/cursor.agent.md +30 -0
  209. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/gemini.agent.md +30 -0
  210. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/kiro-cli.agent.json +1 -0
  211. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/harnesses/kiro-ide.agent.md +30 -0
  212. package/agents/sap/sap-live-readonly-identity-trust-discovery-agent/metadata.json +39 -0
  213. package/agents/sap/sap-live-readonly-landscape-discovery-agent/AGENT.md +60 -0
  214. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/claude-code.agent.md +40 -0
  215. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/codex.toml +31 -0
  216. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/copilot.agent.md +32 -0
  217. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/cursor.agent.md +30 -0
  218. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/gemini.agent.md +30 -0
  219. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/kiro-cli.agent.json +1 -0
  220. package/agents/sap/sap-live-readonly-landscape-discovery-agent/harnesses/kiro-ide.agent.md +30 -0
  221. package/agents/sap/sap-live-readonly-landscape-discovery-agent/metadata.json +39 -0
  222. package/agents/sap/sap-maestro-agent/AGENT.md +60 -0
  223. package/agents/sap/sap-maestro-agent/harnesses/claude-code.agent.md +36 -0
  224. package/agents/sap/sap-maestro-agent/harnesses/codex.toml +34 -0
  225. package/agents/sap/sap-maestro-agent/harnesses/copilot.agent.md +32 -0
  226. package/agents/sap/sap-maestro-agent/harnesses/cursor.agent.md +30 -0
  227. package/agents/sap/sap-maestro-agent/harnesses/gemini.agent.md +30 -0
  228. package/agents/sap/sap-maestro-agent/harnesses/kiro-cli.agent.json +1 -0
  229. package/agents/sap/sap-maestro-agent/harnesses/kiro-ide.agent.md +30 -0
  230. package/agents/sap/sap-maestro-agent/metadata.json +39 -0
  231. package/agents/sap/sap-manufacturing-execution-risk-agent/AGENT.md +59 -0
  232. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/claude-code.agent.md +38 -0
  233. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/codex.toml +30 -0
  234. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/copilot.agent.md +32 -0
  235. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/cursor.agent.md +30 -0
  236. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/gemini.agent.md +30 -0
  237. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/kiro-cli.agent.json +1 -0
  238. package/agents/sap/sap-manufacturing-execution-risk-agent/harnesses/kiro-ide.agent.md +30 -0
  239. package/agents/sap/sap-manufacturing-execution-risk-agent/metadata.json +44 -0
  240. package/agents/sap/sap-mdg-master-data-quality-agent/AGENT.md +59 -0
  241. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/claude-code.agent.md +38 -0
  242. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/codex.toml +30 -0
  243. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/copilot.agent.md +32 -0
  244. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/cursor.agent.md +30 -0
  245. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/gemini.agent.md +30 -0
  246. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/kiro-cli.agent.json +1 -0
  247. package/agents/sap/sap-mdg-master-data-quality-agent/harnesses/kiro-ide.agent.md +30 -0
  248. package/agents/sap/sap-mdg-master-data-quality-agent/metadata.json +45 -0
  249. package/agents/sap/sap-order-to-cash-agent/AGENT.md +59 -0
  250. package/agents/sap/sap-order-to-cash-agent/harnesses/claude-code.agent.md +38 -0
  251. package/agents/sap/sap-order-to-cash-agent/harnesses/codex.toml +30 -0
  252. package/agents/sap/sap-order-to-cash-agent/harnesses/copilot.agent.md +32 -0
  253. package/agents/sap/sap-order-to-cash-agent/harnesses/cursor.agent.md +30 -0
  254. package/agents/sap/sap-order-to-cash-agent/harnesses/gemini.agent.md +30 -0
  255. package/agents/sap/sap-order-to-cash-agent/harnesses/kiro-cli.agent.json +1 -0
  256. package/agents/sap/sap-order-to-cash-agent/harnesses/kiro-ide.agent.md +30 -0
  257. package/agents/sap/sap-order-to-cash-agent/metadata.json +44 -0
  258. package/agents/sap/sap-procurement-ariba-value-leakage-agent/AGENT.md +59 -0
  259. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/claude-code.agent.md +38 -0
  260. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/codex.toml +30 -0
  261. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/copilot.agent.md +32 -0
  262. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/cursor.agent.md +30 -0
  263. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/gemini.agent.md +30 -0
  264. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/sap/sap-procurement-ariba-value-leakage-agent/harnesses/kiro-ide.agent.md +30 -0
  266. package/agents/sap/sap-procurement-ariba-value-leakage-agent/metadata.json +44 -0
  267. package/agents/sap/sap-release-change-collision-agent/AGENT.md +59 -0
  268. package/agents/sap/sap-release-change-collision-agent/harnesses/claude-code.agent.md +38 -0
  269. package/agents/sap/sap-release-change-collision-agent/harnesses/codex.toml +30 -0
  270. package/agents/sap/sap-release-change-collision-agent/harnesses/copilot.agent.md +32 -0
  271. package/agents/sap/sap-release-change-collision-agent/harnesses/cursor.agent.md +30 -0
  272. package/agents/sap/sap-release-change-collision-agent/harnesses/gemini.agent.md +30 -0
  273. package/agents/sap/sap-release-change-collision-agent/harnesses/kiro-cli.agent.json +1 -0
  274. package/agents/sap/sap-release-change-collision-agent/harnesses/kiro-ide.agent.md +30 -0
  275. package/agents/sap/sap-release-change-collision-agent/metadata.json +42 -0
  276. package/agents/sap/sap-rise-sla-vendor-risk-agent/AGENT.md +58 -0
  277. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/claude-code.agent.md +37 -0
  278. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/codex.toml +30 -0
  279. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/copilot.agent.md +31 -0
  280. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/cursor.agent.md +29 -0
  281. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/gemini.agent.md +29 -0
  282. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/kiro-cli.agent.json +1 -0
  283. package/agents/sap/sap-rise-sla-vendor-risk-agent/harnesses/kiro-ide.agent.md +29 -0
  284. package/agents/sap/sap-rise-sla-vendor-risk-agent/metadata.json +42 -0
  285. package/agents/sap/sap-role-assignment-guarded-operator-agent/AGENT.md +73 -0
  286. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/claude-code.agent.md +54 -0
  287. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/codex.toml +43 -0
  288. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/copilot.agent.md +38 -0
  289. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/cursor.agent.md +35 -0
  290. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/gemini.agent.md +35 -0
  291. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/kiro-cli.agent.json +1 -0
  292. package/agents/sap/sap-role-assignment-guarded-operator-agent/harnesses/kiro-ide.agent.md +35 -0
  293. package/agents/sap/sap-role-assignment-guarded-operator-agent/metadata.json +41 -0
  294. package/agents/sap/sap-s4hana-transformation-architect-agent/AGENT.md +62 -0
  295. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/claude-code.agent.md +41 -0
  296. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/codex.toml +29 -0
  297. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/copilot.agent.md +31 -0
  298. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/cursor.agent.md +29 -0
  299. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/gemini.agent.md +29 -0
  300. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/kiro-cli.agent.json +1 -0
  301. package/agents/sap/sap-s4hana-transformation-architect-agent/harnesses/kiro-ide.agent.md +29 -0
  302. package/agents/sap/sap-s4hana-transformation-architect-agent/metadata.json +44 -0
  303. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/AGENT.md +59 -0
  304. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/claude-code.agent.md +38 -0
  305. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/codex.toml +30 -0
  306. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/copilot.agent.md +32 -0
  307. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/cursor.agent.md +30 -0
  308. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/gemini.agent.md +30 -0
  309. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/kiro-cli.agent.json +1 -0
  310. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/harnesses/kiro-ide.agent.md +30 -0
  311. package/agents/sap/sap-security-iam-grc-sod-reviewer-agent/metadata.json +44 -0
  312. package/agents/sap/sap-signavio-process-mining-value-agent/AGENT.md +59 -0
  313. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/claude-code.agent.md +38 -0
  314. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/codex.toml +30 -0
  315. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/copilot.agent.md +32 -0
  316. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/cursor.agent.md +30 -0
  317. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/gemini.agent.md +30 -0
  318. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/kiro-cli.agent.json +1 -0
  319. package/agents/sap/sap-signavio-process-mining-value-agent/harnesses/kiro-ide.agent.md +30 -0
  320. package/agents/sap/sap-signavio-process-mining-value-agent/metadata.json +44 -0
  321. package/agents/sap/sap-successfactors-hr-process-risk-agent/AGENT.md +59 -0
  322. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/claude-code.agent.md +38 -0
  323. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/codex.toml +30 -0
  324. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/copilot.agent.md +32 -0
  325. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/cursor.agent.md +30 -0
  326. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/gemini.agent.md +30 -0
  327. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/kiro-cli.agent.json +1 -0
  328. package/agents/sap/sap-successfactors-hr-process-risk-agent/harnesses/kiro-ide.agent.md +30 -0
  329. package/agents/sap/sap-successfactors-hr-process-risk-agent/metadata.json +42 -0
  330. package/agents/sap/sap-supply-chain-ibp-resilience-agent/AGENT.md +59 -0
  331. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/claude-code.agent.md +38 -0
  332. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/codex.toml +30 -0
  333. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/copilot.agent.md +32 -0
  334. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/cursor.agent.md +30 -0
  335. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/gemini.agent.md +30 -0
  336. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/kiro-cli.agent.json +1 -0
  337. package/agents/sap/sap-supply-chain-ibp-resilience-agent/harnesses/kiro-ide.agent.md +30 -0
  338. package/agents/sap/sap-supply-chain-ibp-resilience-agent/metadata.json +44 -0
  339. package/agents/sap/sap-testing-quality-gate-agent/AGENT.md +59 -0
  340. package/agents/sap/sap-testing-quality-gate-agent/harnesses/claude-code.agent.md +38 -0
  341. package/agents/sap/sap-testing-quality-gate-agent/harnesses/codex.toml +30 -0
  342. package/agents/sap/sap-testing-quality-gate-agent/harnesses/copilot.agent.md +32 -0
  343. package/agents/sap/sap-testing-quality-gate-agent/harnesses/cursor.agent.md +30 -0
  344. package/agents/sap/sap-testing-quality-gate-agent/harnesses/gemini.agent.md +30 -0
  345. package/agents/sap/sap-testing-quality-gate-agent/harnesses/kiro-cli.agent.json +1 -0
  346. package/agents/sap/sap-testing-quality-gate-agent/harnesses/kiro-ide.agent.md +30 -0
  347. package/agents/sap/sap-testing-quality-gate-agent/metadata.json +42 -0
  348. package/agents/sap/sap-transformation-portfolio-triage-agent/AGENT.md +58 -0
  349. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/claude-code.agent.md +37 -0
  350. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/codex.toml +30 -0
  351. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/copilot.agent.md +31 -0
  352. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/cursor.agent.md +29 -0
  353. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/gemini.agent.md +29 -0
  354. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/kiro-cli.agent.json +1 -0
  355. package/agents/sap/sap-transformation-portfolio-triage-agent/harnesses/kiro-ide.agent.md +29 -0
  356. package/agents/sap/sap-transformation-portfolio-triage-agent/metadata.json +42 -0
  357. package/agents/sap/sap-treasury-cash-risk-agent/AGENT.md +59 -0
  358. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/claude-code.agent.md +38 -0
  359. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/codex.toml +30 -0
  360. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/copilot.agent.md +32 -0
  361. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/cursor.agent.md +30 -0
  362. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/gemini.agent.md +30 -0
  363. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/kiro-cli.agent.json +1 -0
  364. package/agents/sap/sap-treasury-cash-risk-agent/harnesses/kiro-ide.agent.md +30 -0
  365. package/agents/sap/sap-treasury-cash-risk-agent/metadata.json +44 -0
  366. package/catalog/agents.json +1323 -0
  367. package/catalog/asset-integrity.json +2283 -43
  368. package/catalog/install-roles.json +94 -0
  369. package/catalog/skill-manifest.json +1770 -3
  370. package/catalog/skills.json +1912 -1
  371. package/package.json +1 -1
  372. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  373. package/powers/README.md +3 -2
  374. package/powers/vanguard-sap/POWER.md +43 -0
  375. package/schemas/agent.schema.json +1 -0
  376. package/schemas/skill.schema.json +1 -0
  377. package/scripts/generate-docs-data.mjs +1 -1
  378. package/scripts/generate-kiro-powers.mjs +12 -0
  379. package/skills/claude/add-educational-comments/metadata.json +1 -1
  380. package/skills/sap/sap-abap-cloud-rap-review/SKILL.md +86 -0
  381. package/skills/sap/sap-abap-cloud-rap-review/agents/openai.yaml +11 -0
  382. package/skills/sap/sap-abap-cloud-rap-review/metadata.json +34 -0
  383. package/skills/sap/sap-abap-cloud-rap-review/references/context7-framework-docs.md +126 -0
  384. package/skills/sap/sap-abap-cloud-rap-review/references/official-sources.md +95 -0
  385. package/skills/sap/sap-abap-cloud-rap-review/references/safety-checklist.md +37 -0
  386. package/skills/sap/sap-abap-cloud-rap-review/references/workflow-and-output.md +76 -0
  387. package/skills/sap/sap-ai-core-generative-ai-hub-governance/SKILL.md +92 -0
  388. package/skills/sap/sap-ai-core-generative-ai-hub-governance/agents/openai.yaml +11 -0
  389. package/skills/sap/sap-ai-core-generative-ai-hub-governance/metadata.json +34 -0
  390. package/skills/sap/sap-ai-core-generative-ai-hub-governance/references/context7-framework-docs.md +107 -0
  391. package/skills/sap/sap-ai-core-generative-ai-hub-governance/references/official-sources.md +91 -0
  392. package/skills/sap/sap-ai-core-generative-ai-hub-governance/references/safety-checklist.md +39 -0
  393. package/skills/sap/sap-ai-core-generative-ai-hub-governance/references/workflow-and-output.md +75 -0
  394. package/skills/sap/sap-ai-governance-security-architecture-protocol/SKILL.md +168 -0
  395. package/skills/sap/sap-ai-governance-security-architecture-protocol/agents/openai.yaml +11 -0
  396. package/skills/sap/sap-ai-governance-security-architecture-protocol/metadata.json +35 -0
  397. package/skills/sap/sap-ai-governance-security-architecture-protocol/references/official-sources.md +99 -0
  398. package/skills/sap/sap-ai-governance-security-architecture-protocol/references/safety-checklist.md +38 -0
  399. package/skills/sap/sap-ai-governance-security-architecture-protocol/references/workflow-and-output.md +89 -0
  400. package/skills/sap/sap-analytics-cloud-planning-governance/SKILL.md +87 -0
  401. package/skills/sap/sap-analytics-cloud-planning-governance/agents/openai.yaml +11 -0
  402. package/skills/sap/sap-analytics-cloud-planning-governance/metadata.json +33 -0
  403. package/skills/sap/sap-analytics-cloud-planning-governance/references/official-sources.md +89 -0
  404. package/skills/sap/sap-analytics-cloud-planning-governance/references/safety-checklist.md +35 -0
  405. package/skills/sap/sap-analytics-cloud-planning-governance/references/workflow-and-output.md +70 -0
  406. package/skills/sap/sap-audit-evidence-packaging/SKILL.md +92 -0
  407. package/skills/sap/sap-audit-evidence-packaging/agents/openai.yaml +11 -0
  408. package/skills/sap/sap-audit-evidence-packaging/metadata.json +33 -0
  409. package/skills/sap/sap-audit-evidence-packaging/references/official-sources.md +92 -0
  410. package/skills/sap/sap-audit-evidence-packaging/references/safety-checklist.md +38 -0
  411. package/skills/sap/sap-audit-evidence-packaging/references/workflow-and-output.md +129 -0
  412. package/skills/sap/sap-btp-governance-review/SKILL.md +84 -0
  413. package/skills/sap/sap-btp-governance-review/agents/openai.yaml +11 -0
  414. package/skills/sap/sap-btp-governance-review/metadata.json +34 -0
  415. package/skills/sap/sap-btp-governance-review/references/official-sources.md +91 -0
  416. package/skills/sap/sap-btp-governance-review/references/safety-checklist.md +35 -0
  417. package/skills/sap/sap-btp-governance-review/references/workflow-and-output.md +66 -0
  418. package/skills/sap/sap-cap-architecture-review/SKILL.md +86 -0
  419. package/skills/sap/sap-cap-architecture-review/agents/openai.yaml +11 -0
  420. package/skills/sap/sap-cap-architecture-review/metadata.json +34 -0
  421. package/skills/sap/sap-cap-architecture-review/references/context7-framework-docs.md +89 -0
  422. package/skills/sap/sap-cap-architecture-review/references/official-sources.md +93 -0
  423. package/skills/sap/sap-cap-architecture-review/references/safety-checklist.md +37 -0
  424. package/skills/sap/sap-cap-architecture-review/references/workflow-and-output.md +74 -0
  425. package/skills/sap/sap-clean-core-debt-review/SKILL.md +84 -0
  426. package/skills/sap/sap-clean-core-debt-review/agents/openai.yaml +11 -0
  427. package/skills/sap/sap-clean-core-debt-review/metadata.json +33 -0
  428. package/skills/sap/sap-clean-core-debt-review/references/context7-framework-docs.md +56 -0
  429. package/skills/sap/sap-clean-core-debt-review/references/official-sources.md +75 -0
  430. package/skills/sap/sap-clean-core-debt-review/references/safety-checklist.md +36 -0
  431. package/skills/sap/sap-clean-core-debt-review/references/workflow-and-output.md +62 -0
  432. package/skills/sap/sap-cloud-alm-sre-incident-review/SKILL.md +83 -0
  433. package/skills/sap/sap-cloud-alm-sre-incident-review/agents/openai.yaml +11 -0
  434. package/skills/sap/sap-cloud-alm-sre-incident-review/metadata.json +33 -0
  435. package/skills/sap/sap-cloud-alm-sre-incident-review/references/official-sources.md +89 -0
  436. package/skills/sap/sap-cloud-alm-sre-incident-review/references/safety-checklist.md +39 -0
  437. package/skills/sap/sap-cloud-alm-sre-incident-review/references/workflow-and-output.md +88 -0
  438. package/skills/sap/sap-custom-code-remediation-review/SKILL.md +83 -0
  439. package/skills/sap/sap-custom-code-remediation-review/agents/openai.yaml +11 -0
  440. package/skills/sap/sap-custom-code-remediation-review/metadata.json +33 -0
  441. package/skills/sap/sap-custom-code-remediation-review/references/official-sources.md +85 -0
  442. package/skills/sap/sap-custom-code-remediation-review/references/safety-checklist.md +39 -0
  443. package/skills/sap/sap-custom-code-remediation-review/references/workflow-and-output.md +83 -0
  444. package/skills/sap/sap-data-migration-cutover-readiness/SKILL.md +90 -0
  445. package/skills/sap/sap-data-migration-cutover-readiness/agents/openai.yaml +14 -0
  446. package/skills/sap/sap-data-migration-cutover-readiness/metadata.json +32 -0
  447. package/skills/sap/sap-data-migration-cutover-readiness/references/official-sources.md +73 -0
  448. package/skills/sap/sap-data-migration-cutover-readiness/references/safety-checklist.md +51 -0
  449. package/skills/sap/sap-data-migration-cutover-readiness/references/workflow-and-output.md +85 -0
  450. package/skills/sap/sap-data-privacy-analytics-ai-protocol/SKILL.md +162 -0
  451. package/skills/sap/sap-data-privacy-analytics-ai-protocol/agents/openai.yaml +11 -0
  452. package/skills/sap/sap-data-privacy-analytics-ai-protocol/metadata.json +34 -0
  453. package/skills/sap/sap-data-privacy-analytics-ai-protocol/references/official-sources.md +93 -0
  454. package/skills/sap/sap-data-privacy-analytics-ai-protocol/references/safety-checklist.md +39 -0
  455. package/skills/sap/sap-data-privacy-analytics-ai-protocol/references/workflow-and-output.md +78 -0
  456. package/skills/sap/sap-datasphere-data-product-architecture/SKILL.md +86 -0
  457. package/skills/sap/sap-datasphere-data-product-architecture/agents/openai.yaml +11 -0
  458. package/skills/sap/sap-datasphere-data-product-architecture/metadata.json +33 -0
  459. package/skills/sap/sap-datasphere-data-product-architecture/references/official-sources.md +85 -0
  460. package/skills/sap/sap-datasphere-data-product-architecture/references/safety-checklist.md +35 -0
  461. package/skills/sap/sap-datasphere-data-product-architecture/references/workflow-and-output.md +70 -0
  462. package/skills/sap/sap-ewm-tm-logistics-execution-review/SKILL.md +90 -0
  463. package/skills/sap/sap-ewm-tm-logistics-execution-review/agents/openai.yaml +11 -0
  464. package/skills/sap/sap-ewm-tm-logistics-execution-review/metadata.json +32 -0
  465. package/skills/sap/sap-ewm-tm-logistics-execution-review/references/official-sources.md +79 -0
  466. package/skills/sap/sap-ewm-tm-logistics-execution-review/references/safety-checklist.md +37 -0
  467. package/skills/sap/sap-ewm-tm-logistics-execution-review/references/workflow-and-output.md +91 -0
  468. package/skills/sap/sap-finance-fico-controls-review/SKILL.md +91 -0
  469. package/skills/sap/sap-finance-fico-controls-review/agents/openai.yaml +11 -0
  470. package/skills/sap/sap-finance-fico-controls-review/metadata.json +33 -0
  471. package/skills/sap/sap-finance-fico-controls-review/references/official-sources.md +89 -0
  472. package/skills/sap/sap-finance-fico-controls-review/references/safety-checklist.md +38 -0
  473. package/skills/sap/sap-finance-fico-controls-review/references/workflow-and-output.md +88 -0
  474. package/skills/sap/sap-fiori-ui5-ux-review/SKILL.md +87 -0
  475. package/skills/sap/sap-fiori-ui5-ux-review/agents/openai.yaml +14 -0
  476. package/skills/sap/sap-fiori-ui5-ux-review/metadata.json +33 -0
  477. package/skills/sap/sap-fiori-ui5-ux-review/references/context7-framework-docs.md +128 -0
  478. package/skills/sap/sap-fiori-ui5-ux-review/references/official-sources.md +95 -0
  479. package/skills/sap/sap-fiori-ui5-ux-review/references/safety-checklist.md +37 -0
  480. package/skills/sap/sap-fiori-ui5-ux-review/references/workflow-and-output.md +96 -0
  481. package/skills/sap/sap-guarded-btp-entitlement-change/SKILL.md +156 -0
  482. package/skills/sap/sap-guarded-btp-entitlement-change/agents/openai.yaml +17 -0
  483. package/skills/sap/sap-guarded-btp-entitlement-change/metadata.json +33 -0
  484. package/skills/sap/sap-guarded-btp-entitlement-change/references/live-environment-access.md +93 -0
  485. package/skills/sap/sap-guarded-btp-entitlement-change/references/official-sources.md +75 -0
  486. package/skills/sap/sap-guarded-btp-entitlement-change/references/safety-checklist.md +57 -0
  487. package/skills/sap/sap-guarded-btp-entitlement-change/references/workflow-and-output.md +132 -0
  488. package/skills/sap/sap-guarded-integration-flow-change/SKILL.md +151 -0
  489. package/skills/sap/sap-guarded-integration-flow-change/agents/openai.yaml +17 -0
  490. package/skills/sap/sap-guarded-integration-flow-change/metadata.json +33 -0
  491. package/skills/sap/sap-guarded-integration-flow-change/references/live-environment-access.md +80 -0
  492. package/skills/sap/sap-guarded-integration-flow-change/references/official-sources.md +73 -0
  493. package/skills/sap/sap-guarded-integration-flow-change/references/safety-checklist.md +56 -0
  494. package/skills/sap/sap-guarded-integration-flow-change/references/workflow-and-output.md +122 -0
  495. package/skills/sap/sap-guarded-role-assignment/SKILL.md +159 -0
  496. package/skills/sap/sap-guarded-role-assignment/agents/openai.yaml +17 -0
  497. package/skills/sap/sap-guarded-role-assignment/metadata.json +33 -0
  498. package/skills/sap/sap-guarded-role-assignment/references/live-environment-access.md +93 -0
  499. package/skills/sap/sap-guarded-role-assignment/references/official-sources.md +73 -0
  500. package/skills/sap/sap-guarded-role-assignment/references/safety-checklist.md +57 -0
  501. package/skills/sap/sap-guarded-role-assignment/references/workflow-and-output.md +133 -0
  502. package/skills/sap/sap-guarded-transport-import/SKILL.md +144 -0
  503. package/skills/sap/sap-guarded-transport-import/agents/openai.yaml +14 -0
  504. package/skills/sap/sap-guarded-transport-import/metadata.json +34 -0
  505. package/skills/sap/sap-guarded-transport-import/references/live-environment-access.md +81 -0
  506. package/skills/sap/sap-guarded-transport-import/references/official-sources.md +79 -0
  507. package/skills/sap/sap-guarded-transport-import/references/safety-checklist.md +52 -0
  508. package/skills/sap/sap-guarded-transport-import/references/workflow-and-output.md +93 -0
  509. package/skills/sap/sap-hana-cloud-performance-cost/SKILL.md +87 -0
  510. package/skills/sap/sap-hana-cloud-performance-cost/agents/openai.yaml +11 -0
  511. package/skills/sap/sap-hana-cloud-performance-cost/metadata.json +33 -0
  512. package/skills/sap/sap-hana-cloud-performance-cost/references/context7-framework-docs.md +94 -0
  513. package/skills/sap/sap-hana-cloud-performance-cost/references/official-sources.md +83 -0
  514. package/skills/sap/sap-hana-cloud-performance-cost/references/safety-checklist.md +36 -0
  515. package/skills/sap/sap-hana-cloud-performance-cost/references/workflow-and-output.md +68 -0
  516. package/skills/sap/sap-hypercare-incident-commander-review/SKILL.md +93 -0
  517. package/skills/sap/sap-hypercare-incident-commander-review/agents/openai.yaml +14 -0
  518. package/skills/sap/sap-hypercare-incident-commander-review/metadata.json +31 -0
  519. package/skills/sap/sap-hypercare-incident-commander-review/references/official-sources.md +63 -0
  520. package/skills/sap/sap-hypercare-incident-commander-review/references/safety-checklist.md +55 -0
  521. package/skills/sap/sap-hypercare-incident-commander-review/references/workflow-and-output.md +98 -0
  522. package/skills/sap/sap-integration-platform-businessops-protocol/SKILL.md +162 -0
  523. package/skills/sap/sap-integration-platform-businessops-protocol/agents/openai.yaml +11 -0
  524. package/skills/sap/sap-integration-platform-businessops-protocol/metadata.json +35 -0
  525. package/skills/sap/sap-integration-platform-businessops-protocol/references/official-sources.md +99 -0
  526. package/skills/sap/sap-integration-platform-businessops-protocol/references/safety-checklist.md +36 -0
  527. package/skills/sap/sap-integration-platform-businessops-protocol/references/workflow-and-output.md +76 -0
  528. package/skills/sap/sap-integration-suite-review/SKILL.md +87 -0
  529. package/skills/sap/sap-integration-suite-review/agents/openai.yaml +11 -0
  530. package/skills/sap/sap-integration-suite-review/metadata.json +33 -0
  531. package/skills/sap/sap-integration-suite-review/references/context7-framework-docs.md +76 -0
  532. package/skills/sap/sap-integration-suite-review/references/official-sources.md +79 -0
  533. package/skills/sap/sap-integration-suite-review/references/safety-checklist.md +36 -0
  534. package/skills/sap/sap-integration-suite-review/references/workflow-and-output.md +78 -0
  535. package/skills/sap/sap-joule-governance-adoption-review/SKILL.md +83 -0
  536. package/skills/sap/sap-joule-governance-adoption-review/agents/openai.yaml +11 -0
  537. package/skills/sap/sap-joule-governance-adoption-review/metadata.json +33 -0
  538. package/skills/sap/sap-joule-governance-adoption-review/references/official-sources.md +83 -0
  539. package/skills/sap/sap-joule-governance-adoption-review/references/safety-checklist.md +37 -0
  540. package/skills/sap/sap-joule-governance-adoption-review/references/workflow-and-output.md +81 -0
  541. package/skills/sap/sap-license-btp-consumption-finops-review/SKILL.md +89 -0
  542. package/skills/sap/sap-license-btp-consumption-finops-review/agents/openai.yaml +11 -0
  543. package/skills/sap/sap-license-btp-consumption-finops-review/metadata.json +32 -0
  544. package/skills/sap/sap-license-btp-consumption-finops-review/references/official-sources.md +71 -0
  545. package/skills/sap/sap-license-btp-consumption-finops-review/references/safety-checklist.md +36 -0
  546. package/skills/sap/sap-license-btp-consumption-finops-review/references/workflow-and-output.md +69 -0
  547. package/skills/sap/sap-live-readonly-identity-trust-discovery/SKILL.md +142 -0
  548. package/skills/sap/sap-live-readonly-identity-trust-discovery/agents/openai.yaml +14 -0
  549. package/skills/sap/sap-live-readonly-identity-trust-discovery/metadata.json +34 -0
  550. package/skills/sap/sap-live-readonly-identity-trust-discovery/references/live-environment-access.md +151 -0
  551. package/skills/sap/sap-live-readonly-identity-trust-discovery/references/official-sources.md +83 -0
  552. package/skills/sap/sap-live-readonly-identity-trust-discovery/references/safety-checklist.md +49 -0
  553. package/skills/sap/sap-live-readonly-identity-trust-discovery/references/workflow-and-output.md +103 -0
  554. package/skills/sap/sap-live-readonly-landscape-discovery/SKILL.md +135 -0
  555. package/skills/sap/sap-live-readonly-landscape-discovery/agents/openai.yaml +14 -0
  556. package/skills/sap/sap-live-readonly-landscape-discovery/metadata.json +34 -0
  557. package/skills/sap/sap-live-readonly-landscape-discovery/references/live-environment-access.md +111 -0
  558. package/skills/sap/sap-live-readonly-landscape-discovery/references/official-sources.md +83 -0
  559. package/skills/sap/sap-live-readonly-landscape-discovery/references/safety-checklist.md +45 -0
  560. package/skills/sap/sap-live-readonly-landscape-discovery/references/workflow-and-output.md +102 -0
  561. package/skills/sap/sap-maestro/SKILL.md +81 -0
  562. package/skills/sap/sap-maestro/agents/openai.yaml +11 -0
  563. package/skills/sap/sap-maestro/metadata.json +32 -0
  564. package/skills/sap/sap-maestro/references/official-sources.md +53 -0
  565. package/skills/sap/sap-maestro/references/safety-checklist.md +39 -0
  566. package/skills/sap/sap-maestro/references/workflow-and-output.md +73 -0
  567. package/skills/sap/sap-manufacturing-execution-risk-review/SKILL.md +89 -0
  568. package/skills/sap/sap-manufacturing-execution-risk-review/agents/openai.yaml +11 -0
  569. package/skills/sap/sap-manufacturing-execution-risk-review/metadata.json +32 -0
  570. package/skills/sap/sap-manufacturing-execution-risk-review/references/official-sources.md +79 -0
  571. package/skills/sap/sap-manufacturing-execution-risk-review/references/safety-checklist.md +39 -0
  572. package/skills/sap/sap-manufacturing-execution-risk-review/references/workflow-and-output.md +91 -0
  573. package/skills/sap/sap-mdg-master-data-quality-review/SKILL.md +85 -0
  574. package/skills/sap/sap-mdg-master-data-quality-review/agents/openai.yaml +11 -0
  575. package/skills/sap/sap-mdg-master-data-quality-review/metadata.json +33 -0
  576. package/skills/sap/sap-mdg-master-data-quality-review/references/official-sources.md +89 -0
  577. package/skills/sap/sap-mdg-master-data-quality-review/references/safety-checklist.md +37 -0
  578. package/skills/sap/sap-mdg-master-data-quality-review/references/workflow-and-output.md +91 -0
  579. package/skills/sap/sap-order-to-cash-review/SKILL.md +89 -0
  580. package/skills/sap/sap-order-to-cash-review/agents/openai.yaml +11 -0
  581. package/skills/sap/sap-order-to-cash-review/metadata.json +32 -0
  582. package/skills/sap/sap-order-to-cash-review/references/official-sources.md +79 -0
  583. package/skills/sap/sap-order-to-cash-review/references/safety-checklist.md +39 -0
  584. package/skills/sap/sap-order-to-cash-review/references/workflow-and-output.md +87 -0
  585. package/skills/sap/sap-procurement-ariba-value-leakage-review/SKILL.md +90 -0
  586. package/skills/sap/sap-procurement-ariba-value-leakage-review/agents/openai.yaml +11 -0
  587. package/skills/sap/sap-procurement-ariba-value-leakage-review/metadata.json +32 -0
  588. package/skills/sap/sap-procurement-ariba-value-leakage-review/references/official-sources.md +79 -0
  589. package/skills/sap/sap-procurement-ariba-value-leakage-review/references/safety-checklist.md +38 -0
  590. package/skills/sap/sap-procurement-ariba-value-leakage-review/references/workflow-and-output.md +87 -0
  591. package/skills/sap/sap-procurement-license-finops-vendor-protocol/SKILL.md +155 -0
  592. package/skills/sap/sap-procurement-license-finops-vendor-protocol/agents/openai.yaml +11 -0
  593. package/skills/sap/sap-procurement-license-finops-vendor-protocol/metadata.json +35 -0
  594. package/skills/sap/sap-procurement-license-finops-vendor-protocol/references/official-sources.md +99 -0
  595. package/skills/sap/sap-procurement-license-finops-vendor-protocol/references/safety-checklist.md +36 -0
  596. package/skills/sap/sap-procurement-license-finops-vendor-protocol/references/workflow-and-output.md +62 -0
  597. package/skills/sap/sap-release-change-collision-review/SKILL.md +92 -0
  598. package/skills/sap/sap-release-change-collision-review/agents/openai.yaml +14 -0
  599. package/skills/sap/sap-release-change-collision-review/metadata.json +31 -0
  600. package/skills/sap/sap-release-change-collision-review/references/official-sources.md +63 -0
  601. package/skills/sap/sap-release-change-collision-review/references/safety-checklist.md +51 -0
  602. package/skills/sap/sap-release-change-collision-review/references/workflow-and-output.md +85 -0
  603. package/skills/sap/sap-release-cutover-finance-controls-protocol/SKILL.md +170 -0
  604. package/skills/sap/sap-release-cutover-finance-controls-protocol/agents/openai.yaml +11 -0
  605. package/skills/sap/sap-release-cutover-finance-controls-protocol/metadata.json +33 -0
  606. package/skills/sap/sap-release-cutover-finance-controls-protocol/references/official-sources.md +89 -0
  607. package/skills/sap/sap-release-cutover-finance-controls-protocol/references/safety-checklist.md +39 -0
  608. package/skills/sap/sap-release-cutover-finance-controls-protocol/references/workflow-and-output.md +98 -0
  609. package/skills/sap/sap-rise-sla-vendor-risk-review/SKILL.md +88 -0
  610. package/skills/sap/sap-rise-sla-vendor-risk-review/agents/openai.yaml +11 -0
  611. package/skills/sap/sap-rise-sla-vendor-risk-review/metadata.json +32 -0
  612. package/skills/sap/sap-rise-sla-vendor-risk-review/references/official-sources.md +73 -0
  613. package/skills/sap/sap-rise-sla-vendor-risk-review/references/safety-checklist.md +36 -0
  614. package/skills/sap/sap-rise-sla-vendor-risk-review/references/workflow-and-output.md +56 -0
  615. package/skills/sap/sap-s4hana-transformation-architecture-review/SKILL.md +84 -0
  616. package/skills/sap/sap-s4hana-transformation-architecture-review/agents/openai.yaml +14 -0
  617. package/skills/sap/sap-s4hana-transformation-architecture-review/metadata.json +32 -0
  618. package/skills/sap/sap-s4hana-transformation-architecture-review/references/official-sources.md +75 -0
  619. package/skills/sap/sap-s4hana-transformation-architecture-review/references/safety-checklist.md +40 -0
  620. package/skills/sap/sap-s4hana-transformation-architecture-review/references/workflow-and-output.md +67 -0
  621. package/skills/sap/sap-security-hr-legal-protocol/SKILL.md +149 -0
  622. package/skills/sap/sap-security-hr-legal-protocol/agents/openai.yaml +11 -0
  623. package/skills/sap/sap-security-hr-legal-protocol/metadata.json +34 -0
  624. package/skills/sap/sap-security-hr-legal-protocol/references/official-sources.md +89 -0
  625. package/skills/sap/sap-security-hr-legal-protocol/references/safety-checklist.md +38 -0
  626. package/skills/sap/sap-security-hr-legal-protocol/references/workflow-and-output.md +65 -0
  627. package/skills/sap/sap-security-iam-grc-sod-review/SKILL.md +86 -0
  628. package/skills/sap/sap-security-iam-grc-sod-review/agents/openai.yaml +11 -0
  629. package/skills/sap/sap-security-iam-grc-sod-review/metadata.json +33 -0
  630. package/skills/sap/sap-security-iam-grc-sod-review/references/official-sources.md +83 -0
  631. package/skills/sap/sap-security-iam-grc-sod-review/references/safety-checklist.md +36 -0
  632. package/skills/sap/sap-security-iam-grc-sod-review/references/workflow-and-output.md +79 -0
  633. package/skills/sap/sap-signavio-process-mining-value/SKILL.md +85 -0
  634. package/skills/sap/sap-signavio-process-mining-value/agents/openai.yaml +11 -0
  635. package/skills/sap/sap-signavio-process-mining-value/metadata.json +33 -0
  636. package/skills/sap/sap-signavio-process-mining-value/references/official-sources.md +89 -0
  637. package/skills/sap/sap-signavio-process-mining-value/references/safety-checklist.md +36 -0
  638. package/skills/sap/sap-signavio-process-mining-value/references/workflow-and-output.md +91 -0
  639. package/skills/sap/sap-successfactors-hr-process-risk-review/SKILL.md +92 -0
  640. package/skills/sap/sap-successfactors-hr-process-risk-review/agents/openai.yaml +11 -0
  641. package/skills/sap/sap-successfactors-hr-process-risk-review/metadata.json +33 -0
  642. package/skills/sap/sap-successfactors-hr-process-risk-review/references/official-sources.md +83 -0
  643. package/skills/sap/sap-successfactors-hr-process-risk-review/references/safety-checklist.md +38 -0
  644. package/skills/sap/sap-successfactors-hr-process-risk-review/references/workflow-and-output.md +86 -0
  645. package/skills/sap/sap-supply-chain-ibp-resilience-review/SKILL.md +90 -0
  646. package/skills/sap/sap-supply-chain-ibp-resilience-review/agents/openai.yaml +11 -0
  647. package/skills/sap/sap-supply-chain-ibp-resilience-review/metadata.json +32 -0
  648. package/skills/sap/sap-supply-chain-ibp-resilience-review/references/official-sources.md +79 -0
  649. package/skills/sap/sap-supply-chain-ibp-resilience-review/references/safety-checklist.md +38 -0
  650. package/skills/sap/sap-supply-chain-ibp-resilience-review/references/workflow-and-output.md +89 -0
  651. package/skills/sap/sap-testing-quality-gate-review/SKILL.md +92 -0
  652. package/skills/sap/sap-testing-quality-gate-review/agents/openai.yaml +14 -0
  653. package/skills/sap/sap-testing-quality-gate-review/metadata.json +31 -0
  654. package/skills/sap/sap-testing-quality-gate-review/references/official-sources.md +65 -0
  655. package/skills/sap/sap-testing-quality-gate-review/references/safety-checklist.md +53 -0
  656. package/skills/sap/sap-testing-quality-gate-review/references/workflow-and-output.md +98 -0
  657. package/skills/sap/sap-transformation-portfolio-triage-review/SKILL.md +87 -0
  658. package/skills/sap/sap-transformation-portfolio-triage-review/agents/openai.yaml +11 -0
  659. package/skills/sap/sap-transformation-portfolio-triage-review/metadata.json +32 -0
  660. package/skills/sap/sap-transformation-portfolio-triage-review/references/official-sources.md +71 -0
  661. package/skills/sap/sap-transformation-portfolio-triage-review/references/safety-checklist.md +36 -0
  662. package/skills/sap/sap-transformation-portfolio-triage-review/references/workflow-and-output.md +69 -0
  663. package/skills/sap/sap-treasury-cash-risk-review/SKILL.md +90 -0
  664. package/skills/sap/sap-treasury-cash-risk-review/agents/openai.yaml +11 -0
  665. package/skills/sap/sap-treasury-cash-risk-review/metadata.json +32 -0
  666. package/skills/sap/sap-treasury-cash-risk-review/references/official-sources.md +79 -0
  667. package/skills/sap/sap-treasury-cash-risk-review/references/safety-checklist.md +38 -0
  668. package/skills/sap/sap-treasury-cash-risk-review/references/workflow-and-output.md +89 -0
  669. package/tests/fixtures/sap-maestro-routing/expected/01-clean-core-debt.json +6 -0
  670. package/tests/fixtures/sap-maestro-routing/expected/02-landscape-discovery.json +6 -0
  671. package/tests/fixtures/sap-maestro-routing/expected/03-live-guard-transport.json +6 -0
  672. package/tests/fixtures/sap-maestro-routing/expected/04-adversarial-injection.json +6 -0
  673. package/tests/fixtures/sap-maestro-routing/expected/05-adversarial-persona.json +6 -0
  674. package/tests/fixtures/sap-maestro-routing/expected/06-ambiguous.json +4 -0
  675. package/tests/fixtures/sap-maestro-routing/expected/07-secrets-bait.json +6 -0
  676. package/tests/fixtures/sap-maestro-routing/expected/08-btp-governance.json +6 -0
  677. package/tests/fixtures/sap-maestro-routing/expected/09-integration-suite.json +6 -0
  678. package/tests/fixtures/sap-maestro-routing/expected/10-security-sod.json +6 -0
  679. package/tests/fixtures/sap-maestro-routing/expected/11-cap-architecture.json +6 -0
  680. package/tests/fixtures/sap-maestro-routing/expected/12-abap-cloud-rap.json +7 -0
  681. package/tests/fixtures/sap-maestro-routing/expected/13-ai-governance.json +6 -0
  682. package/tests/fixtures/sap-maestro-routing/expected/14-datasphere.json +6 -0
  683. package/tests/fixtures/sap-maestro-routing/expected/15-analytics-cloud.json +6 -0
  684. package/tests/fixtures/sap-maestro-routing/expected/16-hana-cloud.json +6 -0
  685. package/tests/fixtures/sap-maestro-routing/expected/17-s4hana-transformation.json +6 -0
  686. package/tests/fixtures/sap-maestro-routing/expected/18-custom-code-remediation.json +6 -0
  687. package/tests/fixtures/sap-maestro-routing/expected/19-data-migration-cutover.json +6 -0
  688. package/tests/fixtures/sap-maestro-routing/expected/20-finance-fico.json +6 -0
  689. package/tests/fixtures/sap-maestro-routing/expected/21-mdg-master-data.json +6 -0
  690. package/tests/fixtures/sap-maestro-routing/expected/22-signavio.json +6 -0
  691. package/tests/fixtures/sap-maestro-routing/expected/23-procurement-ariba.json +6 -0
  692. package/tests/fixtures/sap-maestro-routing/expected/24-supply-chain-ibp.json +6 -0
  693. package/tests/fixtures/sap-maestro-routing/expected/25-order-to-cash.json +6 -0
  694. package/tests/fixtures/sap-maestro-routing/expected/26-treasury.json +6 -0
  695. package/tests/fixtures/sap-maestro-routing/expected/27-ewm-tm.json +6 -0
  696. package/tests/fixtures/sap-maestro-routing/expected/28-manufacturing.json +6 -0
  697. package/tests/fixtures/sap-maestro-routing/expected/29-successfactors.json +6 -0
  698. package/tests/fixtures/sap-maestro-routing/expected/30-joule.json +6 -0
  699. package/tests/fixtures/sap-maestro-routing/expected/31-cloud-alm.json +6 -0
  700. package/tests/fixtures/sap-maestro-routing/expected/32-transformation-portfolio.json +6 -0
  701. package/tests/fixtures/sap-maestro-routing/expected/33-rise-sla.json +6 -0
  702. package/tests/fixtures/sap-maestro-routing/expected/34-license-finops.json +6 -0
  703. package/tests/fixtures/sap-maestro-routing/expected/35-testing-quality.json +6 -0
  704. package/tests/fixtures/sap-maestro-routing/expected/36-release-collision.json +6 -0
  705. package/tests/fixtures/sap-maestro-routing/expected/37-hypercare.json +6 -0
  706. package/tests/fixtures/sap-maestro-routing/expected/38-identity-trust.json +6 -0
  707. package/tests/fixtures/sap-maestro-routing/expected/39-fiori-ui5.json +6 -0
  708. package/tests/fixtures/sap-maestro-routing/expected/40-audit-evidence.json +6 -0
  709. package/tests/fixtures/sap-maestro-routing/expected/41-guard-role-assign.json +6 -0
  710. package/tests/fixtures/sap-maestro-routing/expected/42-guard-iflow-deploy.json +6 -0
  711. package/tests/fixtures/sap-maestro-routing/expected/43-guard-entitlement.json +6 -0
  712. package/tests/fixtures/sap-maestro-routing/inputs/01-clean-core-debt.json +5 -0
  713. package/tests/fixtures/sap-maestro-routing/inputs/02-landscape-discovery.json +5 -0
  714. package/tests/fixtures/sap-maestro-routing/inputs/03-live-guard-transport.json +7 -0
  715. package/tests/fixtures/sap-maestro-routing/inputs/04-adversarial-injection.json +7 -0
  716. package/tests/fixtures/sap-maestro-routing/inputs/05-adversarial-persona.json +7 -0
  717. package/tests/fixtures/sap-maestro-routing/inputs/06-ambiguous.json +7 -0
  718. package/tests/fixtures/sap-maestro-routing/inputs/07-secrets-bait.json +7 -0
  719. package/tests/fixtures/sap-maestro-routing/inputs/08-btp-governance.json +7 -0
  720. package/tests/fixtures/sap-maestro-routing/inputs/09-integration-suite.json +7 -0
  721. package/tests/fixtures/sap-maestro-routing/inputs/10-security-sod.json +7 -0
  722. package/tests/fixtures/sap-maestro-routing/inputs/11-cap-architecture.json +7 -0
  723. package/tests/fixtures/sap-maestro-routing/inputs/12-abap-cloud-rap.json +7 -0
  724. package/tests/fixtures/sap-maestro-routing/inputs/13-ai-governance.json +7 -0
  725. package/tests/fixtures/sap-maestro-routing/inputs/14-datasphere.json +7 -0
  726. package/tests/fixtures/sap-maestro-routing/inputs/15-analytics-cloud.json +7 -0
  727. package/tests/fixtures/sap-maestro-routing/inputs/16-hana-cloud.json +7 -0
  728. package/tests/fixtures/sap-maestro-routing/inputs/17-s4hana-transformation.json +7 -0
  729. package/tests/fixtures/sap-maestro-routing/inputs/18-custom-code-remediation.json +7 -0
  730. package/tests/fixtures/sap-maestro-routing/inputs/19-data-migration-cutover.json +7 -0
  731. package/tests/fixtures/sap-maestro-routing/inputs/20-finance-fico.json +7 -0
  732. package/tests/fixtures/sap-maestro-routing/inputs/21-mdg-master-data.json +7 -0
  733. package/tests/fixtures/sap-maestro-routing/inputs/22-signavio.json +7 -0
  734. package/tests/fixtures/sap-maestro-routing/inputs/23-procurement-ariba.json +7 -0
  735. package/tests/fixtures/sap-maestro-routing/inputs/24-supply-chain-ibp.json +7 -0
  736. package/tests/fixtures/sap-maestro-routing/inputs/25-order-to-cash.json +7 -0
  737. package/tests/fixtures/sap-maestro-routing/inputs/26-treasury.json +7 -0
  738. package/tests/fixtures/sap-maestro-routing/inputs/27-ewm-tm.json +7 -0
  739. package/tests/fixtures/sap-maestro-routing/inputs/28-manufacturing.json +7 -0
  740. package/tests/fixtures/sap-maestro-routing/inputs/29-successfactors.json +7 -0
  741. package/tests/fixtures/sap-maestro-routing/inputs/30-joule.json +7 -0
  742. package/tests/fixtures/sap-maestro-routing/inputs/31-cloud-alm.json +7 -0
  743. package/tests/fixtures/sap-maestro-routing/inputs/32-transformation-portfolio.json +7 -0
  744. package/tests/fixtures/sap-maestro-routing/inputs/33-rise-sla.json +7 -0
  745. package/tests/fixtures/sap-maestro-routing/inputs/34-license-finops.json +7 -0
  746. package/tests/fixtures/sap-maestro-routing/inputs/35-testing-quality.json +7 -0
  747. package/tests/fixtures/sap-maestro-routing/inputs/36-release-collision.json +7 -0
  748. package/tests/fixtures/sap-maestro-routing/inputs/37-hypercare.json +7 -0
  749. package/tests/fixtures/sap-maestro-routing/inputs/38-identity-trust.json +7 -0
  750. package/tests/fixtures/sap-maestro-routing/inputs/39-fiori-ui5.json +7 -0
  751. package/tests/fixtures/sap-maestro-routing/inputs/40-audit-evidence.json +7 -0
  752. package/tests/fixtures/sap-maestro-routing/inputs/41-guard-role-assign.json +7 -0
  753. package/tests/fixtures/sap-maestro-routing/inputs/42-guard-iflow-deploy.json +7 -0
  754. package/tests/fixtures/sap-maestro-routing/inputs/43-guard-entitlement.json +7 -0
  755. package/tests/fixtures/sap-maestro-routing/taxonomy.json +509 -0
  756. package/tests/validate-catalog.py +1 -0
@@ -0,0 +1,89 @@
1
+ # Official sources — SAP Analytics Cloud Planning Governance Review
2
+
3
+ Use this reference when grounding SAC story design, planning model governance, data action review, allocation assessment, connection type evaluation, data access control audit, and performance posture review.
4
+
5
+ **Evidence level**: documentation-based (SAP Analytics Cloud Help Portal). No live-system evidence is collected by this skill.
6
+
7
+ ## Stories and models
8
+
9
+ - Stories in SAP Analytics Cloud
10
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/stories
11
+ source_owner: SAP SE
12
+ topic_supported: Story design, page layout, widget types, filter configuration, model binding, calculated measures in stories
13
+ why_needed: Primary reference for classifying story design findings including widget-to-model binding correctness, filter scope, and story-level performance governance
14
+ evidence_level: primary
15
+ last_verified: 2026-06-19
16
+
17
+ ## Planning models
18
+
19
+ - Planning models in SAP Analytics Cloud
20
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/planning-models
21
+ source_owner: SAP SE
22
+ topic_supported: Planning model creation, version category structure (actual, budget, forecast, rolling forecast), account dimension, date dimension, measure definition, model locking
23
+ why_needed: Defines the planning model structure — required to classify version category design gaps, dimension configuration errors, and missing version locking as planning integrity findings
24
+ evidence_level: primary
25
+ last_verified: 2026-06-19
26
+
27
+ ## Data actions
28
+
29
+ - Data actions in SAP Analytics Cloud
30
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/data-actions
31
+ source_owner: SAP SE
32
+ topic_supported: Data action step types (Advanced Formula, copy, allocation, date-based distribution), step sequencing, trigger configuration, multi-action orchestration
33
+ why_needed: Defines the data action execution model — required to classify step sequencing errors, incorrect scope definitions, and missing trigger configuration as planning pipeline findings
34
+ evidence_level: primary
35
+ last_verified: 2026-06-19
36
+
37
+ ## Allocations
38
+
39
+ - Allocations in SAP Analytics Cloud
40
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/allocations
41
+ source_owner: SAP SE
42
+ topic_supported: Allocation methods (spread, distribution, breakback), driver dimension selection, allocation hierarchy scope, allocation result validation
43
+ why_needed: Defines the allocation step model — required to classify incorrect allocation method selection, unbounded hierarchy scope, and missing validation as planning process findings
44
+ evidence_level: primary
45
+ last_verified: 2026-06-19
46
+
47
+ ## Connections
48
+
49
+ - Live data connections in SAP Analytics Cloud
50
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/live-data-connections
51
+ source_owner: SAP SE
52
+ topic_supported: Live connection vs. import connection capabilities, supported source systems, connection type trade-offs, import data refresh scheduling, incremental load configuration
53
+ why_needed: Defines the connection type model — required to classify live vs. import connection misuse, missing refresh schedules on import models, and incremental load configuration gaps
54
+ evidence_level: primary
55
+ last_verified: 2026-06-19
56
+
57
+ ## Data access controls
58
+
59
+ - Data access control in SAP Analytics Cloud
60
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/data-access-control
61
+ source_owner: SAP SE
62
+ topic_supported: Role-based access (BI Admin, Planner, Viewer, custom roles), team-level data access, dimension member-level access restrictions in planning models, folder and story sharing permissions
63
+ why_needed: Defines the SAC access control model — required to classify over-permissive role assignments, missing dimension-level data restrictions, and ungoverned story sharing as access control findings
64
+ evidence_level: primary
65
+ last_verified: 2026-06-19
66
+
67
+ ## Performance
68
+
69
+ - Performance optimization in SAP Analytics Cloud
70
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/performance
71
+ source_owner: SAP SE
72
+ topic_supported: Story performance optimization, widget count guidelines, query reduction strategies, model size limits, import model caching, live connection query push-down behavior
73
+ why_needed: Defines the performance model for SAC stories and models — required to classify stories with excessive widget density, unbounded query scope, or import model refresh cadence gaps as performance findings
74
+ evidence_level: primary
75
+ last_verified: 2026-06-19
76
+
77
+ ## Overview
78
+
79
+ - What is SAP Analytics Cloud
80
+ https://help.sap.com/docs/sap-analytics-cloud/sap-analytics-cloud/what-is-sap-analytics-cloud
81
+ source_owner: SAP SE
82
+ topic_supported: SAP Analytics Cloud product overview, feature set, BI and planning capabilities, tenant model
83
+ why_needed: Provides the product-level context for all governance assessment; defines capability boundaries and tenant model
84
+ evidence_level: primary
85
+ last_verified: 2026-06-19
86
+
87
+ ## Grounding rule
88
+
89
+ SAP Analytics Cloud Help Portal documentation describes the designed behavior of stories, planning models, data actions, allocations, connections, and access controls. It does not prove which models exist in the user's tenant, whether data actions are correctly configured, or whether version locking is in effect. Users must supply story screenshots, model configuration exports, data action scripts, or written descriptions for concrete assessment.
@@ -0,0 +1,35 @@
1
+ # Safety checklist — SAP Analytics Cloud Planning Governance Review
2
+
3
+ Use before making any remediation recommendation, especially for findings that affect planning version locking, data action execution, allocation design, or role-based access.
4
+
5
+ ## Non-negotiables
6
+
7
+ - Do not access, connect to, or request access to any live SAC tenant, model, data action, or connected source system. This skill reviews artifacts only.
8
+ - Do not accept or request SAC tenant credentials, OAuth tokens, API keys, model data exports containing financial data, or dimension member lists that may contain personal or organizational data.
9
+ - Do not recommend unlocking a locked actuals version. Locked actuals versions represent closed-period data and must not be unlocked without a documented change control process involving data owners and finance governance.
10
+ - Do not recommend executing a data action or allocation on a production planning model based on review alone. All data action changes must be tested in a development or quality model before production deployment.
11
+ - Do not recommend changing the account dimension type or date dimension granularity of an existing planning model with active data. These are foundational model properties — changing them requires model rebuild and data migration, not in-place configuration change.
12
+ - Do not recommend granting BI Admin role as a workaround for access issues. BI Admin provides tenant-wide administration rights. The correct remedy for access gaps is a scoped custom role, not elevated built-in role assignment.
13
+ - Do not classify a finding as `critical` without being able to trace the specific planning integrity breach or unauthorized access path from user-provided artifacts or official documentation.
14
+
15
+ ## What people get wrong
16
+
17
+ - **Treating data actions and multi-actions as equivalent**: Data actions contain steps that execute as a single unit within one model. Multi-actions orchestrate multiple data actions, potentially across models, with independent execution and separate failure points. Sequencing recommendations for data action steps do not apply at the multi-action orchestration level and vice versa.
18
+ - **Recommending live connection for planning models**: SAC planning models cannot be backed by a live connection — they require an import connection or are created natively in SAC. Recommending a live connection for a planning model is incorrect; live connections apply only to analytics-only models.
19
+ - **Assuming all dimension member restrictions apply automatically to all story users**: Dimension member-level data access restrictions in SAC apply to teams, not directly to individual users. A user must be a member of a correctly configured team to inherit dimension member restrictions. Recommending restrictions without confirming the team membership model is incomplete.
20
+ - **Conflating version locking with model locking**: Version locking prevents writes to a specific planning version (e.g., actuals). Model locking prevents any user from editing or running data actions on the entire model. They are different controls with different operational consequences.
21
+ - **Missing the impact of model structure changes on active stories**: Changes to the planning model (removing measures, renaming dimensions, changing account hierarchy) immediately break any SAC story that references the changed elements. There is no graceful degradation — stories display errors. Model changes must be coordinated with story owners before deployment.
22
+ - **Recommending full refresh for large import models where incremental load is available**: Full refresh replaces all model data on each run and is appropriate for small models. Large import models (millions of rows) should use incremental (delta) load where the source connection supports it. Recommending full refresh without confirming model size and refresh window creates data availability gaps.
23
+
24
+ ## When to push back
25
+
26
+ - Push back when the user asks to confirm a data action correctness finding from a description alone without providing the data action script or step configuration.
27
+ - Push back when the user asks for specific allocation amounts or formula values — this skill reviews governance and design, not planning content.
28
+ - Push back when the user asks to recommend unlocking actuals or deploying data action changes to a production model without a development/test validation step.
29
+ - Push back when a request requires live SAC tenant access, model data inspection, data action execution, or allocation run — state clearly that live inspection is out of scope and ask the user to supply the relevant configuration exports or descriptions.
30
+
31
+ ## Evidence labels
32
+
33
+ - `documentation-based` — grounded in SAP Analytics Cloud Help Portal documentation covering stories, planning models, data actions, allocations, connections, or access control
34
+ - `user-provided evidence` — story screenshots, model export files, data action scripts, planning model configuration summaries, connection descriptions, or architecture documents provided by the user
35
+ - `inference` — derived reasoning not directly confirmed by official docs or user evidence; must always be labeled as such
@@ -0,0 +1,70 @@
1
+ # Workflow and output contract — SAP Analytics Cloud Planning Governance Review
2
+
3
+ Use this reference for all finding classification, risk assignment, remediation path selection, and output formatting.
4
+
5
+ ## Design domain taxonomy
6
+
7
+ | Domain | Scope | Typical findings |
8
+ |--------|-------|-----------------|
9
+ | `stories` | Story layout, widget binding, filter configuration, calculated measures | Incorrect model binding, filter scope too broad or too narrow, excessive page count, missing input control for planning tables |
10
+ | `planning-models` | Version category structure, dimension design, account dimension, date dimension, measure types | Missing actual version lock after period close, incorrect account dimension type, absence of rolling forecast version, incorrect date dimension granularity |
11
+ | `data-actions` | Step type selection, sequencing, Advanced Formula scope, trigger and schedule configuration | Incorrect step order causing data overwrite before read, unbounded MEMBERSET scope, missing trigger configuration, no multi-action failure handling |
12
+ | `allocations` | Allocation method selection, driver dimension, hierarchy scope, validation approach | Incorrect allocation method for use case (spread vs. distribution vs. breakback), unfiltered hierarchy traversal on large model, no result validation step |
13
+ | `value-driver-trees` | Node formula correctness, model binding, hierarchy connectivity | Broken node formula referencing deleted measure, disconnected VDT node, incorrect measure aggregation in VDT formula |
14
+ | `connections` | Live vs. import connection selection, import refresh schedule, incremental load | Live connection to incompatible source object, import model without refresh schedule, full refresh where incremental load is supported and preferred |
15
+ | `data-access-controls` | Role assignment scope, team data access, dimension member restrictions | BI Admin assigned as default role, planner access granted to view-only users, missing dimension member restriction on regulated data, ungoverned public story sharing |
16
+ | `performance` | Widget density, query count, model size, import model caching | Story with excessive widget count per page, live connection story with no default page filter, import model queried without caching strategy |
17
+
18
+ ## Risk severity classification
19
+
20
+ | Risk level | Criteria |
21
+ |-----------|---------|
22
+ | `critical` | Planning integrity breach or unauthorized data access: missing version lock on actuals allowing post-close changes, BI Admin access granted to non-admin users, missing dimension-level data restriction on regulated financial data |
23
+ | `high` | Planning model failure or data action correctness error: data action step sequencing error producing incorrect plan data, live connection to incompatible source breaking story load, allocation with unfiltered hierarchy causing timeout |
24
+ | `medium` | Governance gap or performance risk: import model without refresh schedule, planning model without rolling forecast version, story with excessive widget density causing slow load |
25
+ | `low` | Best practice deviation: missing naming convention on versions, undocumented data action trigger schedule, VDT with no description on nodes |
26
+
27
+ ## Remediation path decision tree
28
+
29
+ For each finding:
30
+
31
+ 1. **Is this a missing version lock on an actuals version after the period has closed?**
32
+ - Yes → `critical`. Lock the actuals version immediately. Audit all data action triggers that write to the actuals version and restrict them to authorized users only. Enable version change history to detect if unauthorized edits occurred during the unlocked window.
33
+ - No → continue.
34
+
35
+ 2. **Is this an unauthorized role assignment (BI Admin as default, Planner where Viewer is correct)?**
36
+ - Yes → `critical` or `high` depending on the data sensitivity. Reduce the role to the minimum required (Viewer for read-only consumers, custom scoped Planner role for authorized contributors). Remove generic BI Admin assignments from users who do not require tenant administration.
37
+ - No → continue.
38
+
39
+ 3. **Is this a data action step sequencing error or unbounded Advanced Formula scope?**
40
+ - Yes → `high`. For sequencing errors, reorder steps so read steps precede write steps for any shared data region. For unbounded scope, add explicit MEMBERSET restrictions to limit formula execution to the intended version, entity, and time dimensions.
41
+ - No → continue.
42
+
43
+ 4. **Is this a live connection to an incompatible source object type?**
44
+ - Yes → `high`. Confirm the source object type against the SAC live connection compatibility matrix. Convert to a compatible source object (for Datasphere: analytic model or analytical dataset; for BW: BEx query or Composite Provider with defined characteristics and key figures) or switch to import connection if live is not required.
45
+ - No → continue.
46
+
47
+ 5. **Is this a governance or performance gap?**
48
+ - Yes → `medium`. Define import model refresh schedules, add rolling forecast version to planning model, apply default page filters to live connection stories, or add dimension member restrictions to regulated data models.
49
+ - No → classify as `low` and provide best practice guidance.
50
+
51
+ ## Workflow
52
+
53
+ 1. **Receive artifacts** — story screenshots, model configuration exports, data action scripts, planning model configuration summaries, connection descriptions, or user descriptions.
54
+ 2. **Classify each finding** by design domain and finding type.
55
+ 3. **Assign risk level** (critical / high / medium / low).
56
+ 4. **Apply remediation decision tree** per finding.
57
+ 5. **Prioritize** — critical planning integrity and access control findings first; then high model and data action failures; then medium governance and performance gaps; then low best-practice items.
58
+ 6. **Return output** per the output contract below.
59
+
60
+ ## Output contract
61
+
62
+ Return:
63
+
64
+ 1. Design domain and specific finding type
65
+ 2. Evidence label (documentation-based / user-provided evidence / inference)
66
+ 3. Risk level per finding (critical / high / medium / low)
67
+ 4. Recommended remediation action with specific implementation guidance
68
+ 5. Planning governance posture after remediation
69
+ 6. Prioritized remediation sequence
70
+ 7. Escalation trigger if live SAC tenant access, model refresh, or data action execution is required to confirm or apply the finding
@@ -0,0 +1,92 @@
1
+ ---
2
+ name: sap-audit-evidence-packaging
3
+ description: Package and structure audit evidence for SAP controls covering Segregation of Duties, change management, access management, and financial controls. Defines evidence taxonomy, maps controls to evidence artifacts, establishes chain-of-custody and redaction requirements, and aligns evidence packages to SOC 2, ISO 27001, SOX, and GxP frameworks. Does not touch live systems and never includes secrets, credentials, or personal identifiable information in evidence packages.
4
+ allowed-tools: Read Grep Glob WebSearch WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-06-19"
9
+ category: compliance
10
+ lifecycle: experimental
11
+ ---
12
+
13
+ # SAP Audit Evidence Packaging
14
+
15
+ ## Purpose
16
+
17
+ Structure, classify, and package audit evidence for SAP system controls to support internal audit, external audit, and regulatory compliance assessments. Define an evidence taxonomy aligned to SAP control domains. Map controls to the specific evidence artifacts required to demonstrate control effectiveness. Establish chain-of-custody requirements and redaction rules for evidence that contains sensitive system or personal data. Assess evidence reproducibility and advise on gaps. Align evidence packages to the requirements of SOC 2 Type II, ISO/IEC 27001, SOX ITGC, and GxP (21 CFR Part 11 / EU Annex 11) frameworks. Does not connect to any live SAP system, never requests or accepts credentials, and never includes secrets, credentials, personal identifiable information, or customer data in evidence packages.
18
+
19
+ ## When to use
20
+
21
+ Use this skill when the user needs to:
22
+
23
+ - define an evidence taxonomy for a SAP audit: which artifact types constitute valid evidence for each SAP control domain (SoD, access management, change management, financial controls),
24
+ - map specific SAP controls from a control framework (SOX ITGC, SOC 2 CC6/CC8, ISO 27001 A.9, GxP Annex 11) to the concrete evidence artifacts that demonstrate their effectiveness,
25
+ - structure an evidence package for a specific control: what to collect, how to label it, what metadata to include, and how to maintain chain-of-custody,
26
+ - review a set of evidence artifacts provided by the user and assess whether they are sufficient to demonstrate control effectiveness for the stated control objective,
27
+ - advise on redaction of sensitive data from SAP audit evidence: which fields must be redacted from GRC SoD reports, role assignment exports, transport request logs, and financial posting reports before inclusion in an audit package,
28
+ - assess evidence reproducibility: whether the evidence artifact can be regenerated from the same source system state and time window, and what risks affect reproducibility,
29
+ - define a control-to-evidence mapping document suitable for use in an audit readiness assessment or external auditor evidence request response.
30
+
31
+ ## When not to use
32
+
33
+ - When the user needs live enumeration of SAP system configuration to gather evidence — use `sap-live-readonly-landscape-discovery` or `sap-live-readonly-identity-trust-discovery` for read-only live evidence gathering.
34
+ - When the user needs SoD conflict review or IAM posture assessment rather than evidence packaging — use `sap-security-iam-grc-sod-review`.
35
+ - When the request is about implementing SAP GRC Access Control rulesets or configuring audit log settings — this skill is advisory and evidence-packaging focused, not implementation focused.
36
+ - When the request is about non-SAP control evidence packaging or general compliance framework interpretation without SAP-specific context.
37
+
38
+ ## Does not touch live systems
39
+
40
+ This skill operates on user-provided evidence artifacts, control descriptions, audit scope descriptions, control framework excerpts, and written descriptions of the SAP landscape. It does not connect to any SAP system, BTP subaccount, GRC Access Control instance, ABAP system, S/4HANA tenant, or audit log service. All live evidence gathering is out of scope.
41
+
42
+ ## Lean operating rules
43
+
44
+ - Classify evidence by control domain before structuring. Every evidence artifact or gap must be assigned to a control domain (SoD / Access Management / Change Management / Financial Controls / System Configuration) before packaging advice is given.
45
+ - Chain-of-custody is required for all live evidence. Evidence gathered from a live SAP system must be accompanied by: source system identifier, extraction method, extraction timestamp, person who extracted it, and any transformations applied. Evidence without chain-of-custody metadata is incomplete.
46
+ - Redaction before packaging is mandatory. Any evidence artifact that contains passwords, API keys, OAuth tokens, SAML private keys, personal identifiable information (employee IDs, social security numbers, salary data), or customer confidential data must be redacted before inclusion in an audit package.
47
+ - Reproducibility must be assessed. For each evidence artifact, advise whether it can be reproduced from the same source and time window. Evidence that cannot be reproduced (e.g., a one-time GRC report extraction from a period now past) must be designated as non-reproducible and stored with heightened custody controls.
48
+ - Framework alignment is explicit. For each control-to-evidence mapping, state which specific control requirement from the target framework (SOC 2 Trust Service Criteria, ISO 27001 Annex A, SOX ITGC, GxP Annex 11) the evidence addresses.
49
+ - Gaps are findings. A control that lacks sufficient evidence to demonstrate effectiveness is a gap finding. Classify gaps by severity: a control with no evidence is `critical`; a control with partial evidence is `high`; a control with evidence that does not cover the full audit period is `medium`.
50
+ - Evidence from user-provided artifacts and official SAP and regulatory framework documentation takes precedence over inference.
51
+ - Load only the reference needed for the control domain in scope.
52
+
53
+ ## Evidence rules
54
+
55
+ Label all claims with one of:
56
+
57
+ - `documentation-based` — grounded in SAP audit and compliance documentation, GRC best practices, or regulatory framework requirements (SOC 2, ISO 27001, SOX, GxP)
58
+ - `user-provided evidence` — audit evidence artifacts, control descriptions, audit scope descriptions, or written landscape descriptions provided by the user
59
+ - `inference` — derived reasoning not directly confirmed by official docs or user evidence
60
+
61
+ ## Live-environment rules
62
+
63
+ **This skill does not touch live systems.** There is no SAP system API call, GRC Access Control connection, BTP subaccount access, ABAP RFC call, audit log service query, or S/4HANA tenant access in this skill's execution path. Users must supply evidence artifacts, control descriptions, and audit scope information for this skill to advise on packaging, redaction, and framework alignment.
64
+
65
+ **This skill never includes in any output**:
66
+ - Passwords, API keys, OAuth tokens, or credentials of any kind
67
+ - SAML signing certificate private keys or X.509 private keys
68
+ - Personal identifiable information: employee names, employee IDs, national identification numbers, salary data, or health data
69
+ - Customer confidential data or customer personal data
70
+ - BTP service key values, client secrets, or connection strings with embedded credentials
71
+
72
+ If a user-provided evidence artifact contains any of the above, advise on redaction before including any excerpt in this skill's output.
73
+
74
+ ## References
75
+
76
+ Load only when needed:
77
+
78
+ - [Workflow and output contract](references/workflow-and-output.md) — evidence taxonomy, control-to-evidence mapping structure, chain-of-custody format, output contract.
79
+ - [Safety checklist](references/safety-checklist.md) — non-negotiables, redaction requirements, common audit evidence mistakes, when to push back.
80
+ - [Official sources](references/official-sources.md) — SAP GRC documentation, SAP audit and compliance guides, SOC 2, ISO 27001, SOX ITGC, and GxP references.
81
+
82
+ ## Response minimum
83
+
84
+ Return, at minimum:
85
+
86
+ - **Problem classification**: control domain(s) in scope (SoD / Access Management / Change Management / Financial Controls / System Configuration) and the specific controls or evidence gaps being addressed.
87
+ - **Evidence used**: documentation-based / user-provided evidence / inference.
88
+ - **Risk level**: critical (control with no evidence; unmitigated gap before audit deadline) / high (partial evidence; evidence not covering full audit period) / medium (evidence present but chain-of-custody incomplete; redaction not applied) / low (minor metadata gap; reproducibility risk only).
89
+ - **Recommended action**: specific evidence artifact to collect, redaction to apply, chain-of-custody metadata to add, or framework mapping to document.
90
+ - **Refusal / escalation triggers**: if live SAP system access, GRC report extraction, or audit log query is required to complete the evidence package, state that clearly and direct to `sap-live-readonly-landscape-discovery` or `sap-live-readonly-identity-trust-discovery` for the evidence gathering step.
91
+ - **Business impact**: audit finding risk, regulatory non-compliance, certification failure, or evidence admissibility challenge.
92
+ - **Next verification step**: confirm chain-of-custody completeness and redaction with the control owner before submitting evidence to an external auditor.
@@ -0,0 +1,11 @@
1
+ interface:
2
+ display_name: "SAP Audit Evidence Packaging"
3
+ short_description: "Package and structure audit evidence for SAP controls: SoD, change management, access management, and financial controls — with evidence taxonomy, chain-of-custody, redaction, and SOC 2/ISO 27001/SOX/GxP alignment"
4
+ default_prompt: "Use $sap-audit-evidence-packaging to advise on structuring the provided SAP audit evidence. Classify findings by control domain (SoD / Access Management / Change Management / Financial Controls / System Configuration), assign severity to evidence gaps (critical / high / medium / low), state evidence level (documentation-based / user-provided evidence / inference), and recommend specific artifacts, chain-of-custody metadata, redaction actions, and framework mappings per control. Never include credentials, personal identifiable information, or customer data in any output."
5
+ dependencies:
6
+ tools:
7
+ - type: "web"
8
+ value: "https://help.sap.com/docs/sap-grc-access-control/sap-grc-access-control/what-is-sap-grc-access-control"
9
+ description: "SAP GRC Access Control documentation — verify SoD evidence artifact types and control report formats"
10
+ policy:
11
+ allow_implicit_invocation: true
@@ -0,0 +1,33 @@
1
+ {
2
+ "id": "sap-audit-evidence-packaging",
3
+ "name": "SAP Audit Evidence Packaging",
4
+ "type": "skill",
5
+ "provider": "sap",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "codex",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Package and structure audit evidence for SAP controls covering Segregation of Duties, change management, access management, and financial controls. Defines evidence taxonomy, control-to-evidence mapping, chain-of-custody, redaction rules, and framework alignment for SOC 2, ISO 27001, SOX, and GxP. Does not access live systems and never includes secrets, credentials, or personal identifiable information in evidence packages.",
15
+ "source_type": "original",
16
+ "category": "compliance",
17
+ "official_docs": [
18
+ "https://help.sap.com/docs/sap-grc-access-control/sap-grc-access-control/what-is-sap-grc-access-control",
19
+ "https://help.sap.com/docs/sap-grc-access-control/sap-grc-access-control/segregation-of-duties",
20
+ "https://help.sap.com/docs/sap-grc-process-control/sap-grc-process-control/what-is-sap-grc-process-control",
21
+ "https://help.sap.com/docs/sap-grc-process-control/sap-grc-process-control/documentation-and-evidence-collection",
22
+ "https://help.sap.com/docs/btp/sap-business-technology-platform/audit-logging-in-the-cloud-foundry-environment",
23
+ "https://help.sap.com/docs/sap-s4hana-cloud/sap-s4hana-cloud/audit-management",
24
+ "https://help.sap.com/docs/sap-s4hana-cloud/sap-s4hana-cloud/change-document-logs",
25
+ "https://help.sap.com/docs/btp/sap-business-technology-platform/change-and-transport-system"
26
+ ],
27
+ "security_notes": "Does not access live SAP systems, GRC Access Control instances, BTP subaccounts, ABAP systems, audit log services, or S/4HANA tenants. Accepts only user-provided evidence artifacts, control descriptions, and audit scope information. Never request or accept SAP system credentials, BTP service keys, OAuth tokens, or GRC logon credentials. Never include in output: passwords, API keys, personal identifiable information, employee IDs, salary data, customer confidential data, or SAP SAML private keys. Any user-provided evidence artifact containing sensitive data must be advised for redaction before inclusion.",
28
+ "last_verified": "2026-06-19",
29
+ "path": "skills/sap/sap-audit-evidence-packaging",
30
+ "author": "github: Raishin",
31
+ "version": "0.1.0",
32
+ "lifecycle": "experimental"
33
+ }
@@ -0,0 +1,92 @@
1
+ # Official sources — SAP Audit Evidence Packaging
2
+
3
+ Use this reference when grounding SAP control evidence requirements, GRC documentation, audit log configuration, change management evidence, and regulatory framework alignment.
4
+
5
+ **Evidence level**: documentation-based (SAP Help Portal, SAP GRC documentation, regulatory framework publications). No live-system evidence is collected by this skill.
6
+
7
+ ## SAP GRC Access Control
8
+
9
+ - What Is SAP GRC Access Control
10
+ https://help.sap.com/docs/sap-grc-access-control/sap-grc-access-control/what-is-sap-grc-access-control
11
+ source_owner: SAP SE
12
+ topic_supported: GRC Access Control overview — Access Risk Analysis, Access Request Management, Emergency Access Management, Business Role Management; evidence artifact types generated by each module
13
+ why_needed: Defines the GRC Access Control report types and module outputs that constitute valid SoD and access management audit evidence
14
+ evidence_level: primary
15
+ last_verified: 2026-06-19
16
+
17
+ - Segregation of Duties in SAP GRC Access Control
18
+ https://help.sap.com/docs/sap-grc-access-control/sap-grc-access-control/segregation-of-duties
19
+ source_owner: SAP SE
20
+ topic_supported: SoD rule sets, function definitions, permission-level risk definitions, SoD conflict report generation, risk classification, mitigation control documentation
21
+ why_needed: Defines what a complete SoD evidence artifact looks like from GRC Access Control; used to assess whether a user-provided SoD report is sufficient for audit
22
+ evidence_level: primary
23
+ last_verified: 2026-06-19
24
+
25
+ ## SAP GRC Process Control
26
+
27
+ - What Is SAP GRC Process Control
28
+ https://help.sap.com/docs/sap-grc-process-control/sap-grc-process-control/what-is-sap-grc-process-control
29
+ source_owner: SAP SE
30
+ topic_supported: Continuous control monitoring, control documentation, assessment workflows, policy management, issue management — evidence artifacts for financial and operational controls
31
+ why_needed: Defines the GRC Process Control evidence artifact types for financial control and operational control assessment documentation
32
+ evidence_level: primary
33
+ last_verified: 2026-06-19
34
+
35
+ - Documentation and Evidence Collection in SAP GRC Process Control
36
+ https://help.sap.com/docs/sap-grc-process-control/sap-grc-process-control/documentation-and-evidence-collection
37
+ source_owner: SAP SE
38
+ topic_supported: Evidence attachment to controls in GRC Process Control, assessment documentation, evidence types, audit trail of assessment activities
39
+ why_needed: Authoritative source for what constitutes valid evidence attachment in GRC Process Control; used to advise on evidence linking and chain-of-custody within the GRC system
40
+ evidence_level: primary
41
+ last_verified: 2026-06-19
42
+
43
+ ## BTP Audit Logging
44
+
45
+ - Audit Logging in the Cloud Foundry Environment
46
+ https://help.sap.com/docs/btp/sap-business-technology-platform/audit-logging-in-the-cloud-foundry-environment
47
+ source_owner: SAP SE
48
+ topic_supported: BTP audit log service — configuration audit messages, security event logging, audit log retrieval via API, audit log retention
49
+ why_needed: Defines BTP audit log evidence artifact types and API-based extraction methods for BTP platform controls; used to assess BTP audit log evidence completeness
50
+ evidence_level: primary
51
+ last_verified: 2026-06-19
52
+
53
+ ## S/4HANA Cloud Change Management
54
+
55
+ - SAP S/4HANA Cloud — change document logs
56
+ https://help.sap.com/docs/sap-s4hana-cloud/sap-s4hana-cloud/change-document-logs
57
+ source_owner: SAP SE
58
+ topic_supported: Change document logs in S/4HANA Cloud: financial posting change documents, master data change documents, configuration change logging, evidence export
59
+ why_needed: Defines change document evidence artifacts for financial control and master data governance audits; used to assess evidence completeness for SOX ITGC change management controls
60
+ evidence_level: primary
61
+ last_verified: 2026-06-19
62
+
63
+ - BTP Change and Transport System
64
+ https://help.sap.com/docs/btp/sap-business-technology-platform/change-and-transport-system
65
+ source_owner: SAP SE
66
+ topic_supported: SAP Change and Transport System (CTS), transport request lifecycle, transport route configuration, transport log export, import queue management
67
+ why_needed: Defines the change management evidence artifact types from CTS; used to assess completeness of transport log and approval evidence for SOX ITGC change management controls
68
+ evidence_level: primary
69
+ last_verified: 2026-06-19
70
+
71
+ ## S/4HANA Cloud Audit and Compliance
72
+
73
+ - SAP S/4HANA Cloud — audit management
74
+ https://help.sap.com/docs/sap-s4hana-cloud/sap-s4hana-cloud/audit-management
75
+ source_owner: SAP SE
76
+ topic_supported: S/4HANA Cloud audit management — security audit log activation, audit log analysis, data access logging, retention settings for audit evidence
77
+ why_needed: Defines the S/4HANA Cloud audit log and security audit evidence artifacts available for access control and financial control audits
78
+ evidence_level: primary
79
+ last_verified: 2026-06-19
80
+
81
+ ## Grounding rule
82
+
83
+ SAP documentation describes available report types, API endpoints, and control artifact formats. It does not prove whether a specific GRC report was run for the correct audit period, whether the change management approval chain was actually followed, or whether evidence artifacts are sufficient to satisfy a specific external auditor's evidentiary requirements. Compliance declarations and evidence sufficiency assessments must be made by qualified auditors, not by this skill.
84
+
85
+ ## Regulatory framework references
86
+
87
+ The following are cited by this skill for framework alignment. They are referenced by name and article/clause only — do not treat this skill as a legal or regulatory compliance authority.
88
+
89
+ - **SOC 2 Trust Service Criteria**: CC6 (Logical and Physical Access Controls), CC8 (Change Management) — AICPA Trust Services Criteria 2017 with 2022 points of focus
90
+ - **ISO/IEC 27001:2022**: Annex A controls A.5 (Organizational Controls), A.8 (Technological Controls), A.9 (Physical Controls) — particularly A.5.15 (Access Control), A.8.2 (Privileged Access Rights), A.8.32 (Change Management)
91
+ - **SOX ITGC**: Logical Access, Program Change, Computer Operations, and Data Center / Physical Security control categories as defined in AS 2201 (PCAOB)
92
+ - **GxP**: 21 CFR Part 11 (FDA electronic records and signatures) and EU GMP Annex 11 (Computerised Systems) — particularly clauses 7 (Access Security), 10 (Change and Configuration Management), 11 (Data Storage), and 12 (Audit Trails)
@@ -0,0 +1,38 @@
1
+ # Safety checklist — SAP Audit Evidence Packaging
2
+
3
+ Use before making any evidence packaging recommendation or including any excerpt from user-provided artifacts in output.
4
+
5
+ ## Non-negotiables
6
+
7
+ - Do not access, connect to, or request access to any live SAP system, GRC Access Control instance, BTP subaccount, ABAP system, audit log service, or S/4HANA tenant. This skill advises on packaging only.
8
+ - Do not accept or request SAP system credentials, BTP service keys, GRC logon passwords, OAuth tokens, SAML private keys, or connection strings with embedded credentials.
9
+ - Do not include in any output: passwords, API keys, OAuth tokens, client secrets, SAML private keys, employee personal identifiable information (names, national IDs, salary data), or customer confidential data — even if the user provides them in an evidence artifact.
10
+ - If a user-provided artifact contains sensitive data, advise on redaction before including any excerpt. Never echo sensitive values back in the response.
11
+ - Do not declare a control as compliant or an evidence package as audit-ready. This skill assesses completeness and packaging quality; compliance declarations must be made by qualified auditors.
12
+ - Do not produce evidence artifacts on behalf of the user. This skill advises on what to collect, how to label it, and how to structure it; it does not generate evidence that did not exist from a real SAP system.
13
+ - Do not classify evidence as sufficient based solely on the existence of an artifact type — the artifact must also cover the full audit period and be accompanied by valid chain-of-custody metadata.
14
+
15
+ ## What people get wrong
16
+
17
+ - **Treating a GRC SoD report screenshot as complete evidence**: A screenshot of a GRC SoD conflict report is not sufficient without the underlying report export (CSV, PDF, or XLS with full conflict detail), chain-of-custody metadata (extraction date, system, extractor role), and confirmation of the audit period covered.
18
+ - **Overlooking the audit period gap**: Evidence that covers 9 months of a 12-month audit period is a `high` gap, not a `medium` one. The full audit period must be covered without interruption.
19
+ - **Assuming access review completion equals evidence**: A completed access review workflow in GRC or a ticketing system is evidence of the review process, not evidence of the role assignment state. Both the review completion record and the role assignment export at that point in time are required.
20
+ - **Including live personal data in evidence packages**: GRC SoD reports, SUIM user-role exports, and IAS user lists often contain employee names, email addresses, and employee IDs. These must be redacted or pseudonymized per applicable data protection requirements before submission to an external auditor.
21
+ - **Missing chain-of-custody for evidence gathered outside GRC**: Evidence gathered via BTP CLI, CF CLI, or ABAP transaction exports is often not automatically stamped with a timestamp or extractor identity. The chain-of-custody metadata must be manually documented at the time of extraction.
22
+ - **Treating non-reproducible evidence as low risk**: If an evidence artifact cannot be regenerated from the same source (e.g., an ABAP SM20 audit log from a period that has since been archived or overwritten), it must be stored with heightened custody controls and its non-reproducibility documented explicitly.
23
+ - **Assuming a transport log is sufficient change management evidence alone**: A transport log demonstrates that transports moved; it does not demonstrate that the approval chain was followed. Approval records (workflow completion, second-pair-of-eyes sign-off) are a separate required artifact.
24
+
25
+ ## When to push back
26
+
27
+ - Push back when the user asks to generate evidence that does not exist from a real SAP system (e.g., to fabricate a GRC report or produce a synthetic role assignment export).
28
+ - Push back when the user asks to include credentials, personal identifiable information, or customer data in an evidence package without redaction.
29
+ - Push back when the user asks to declare a control compliant or an audit package ready — direct to the qualified auditor or control owner for the compliance declaration.
30
+ - Push back when the user asks to extract live evidence from a SAP system — redirect to `sap-live-readonly-landscape-discovery` or `sap-live-readonly-identity-trust-discovery` for the evidence gathering step.
31
+ - Push back when the audit scope is ambiguous (audit period not defined, control framework not stated, SAP systems in scope not identified) — request clarification before advising on evidence mapping.
32
+ - Push back when the user provides an evidence artifact and asks whether it satisfies a regulatory requirement without specifying which regulatory framework or which specific control requirement is being addressed.
33
+
34
+ ## Evidence labels
35
+
36
+ - `documentation-based` — grounded in SAP GRC documentation, SAP audit guides, or regulatory framework requirements (SOC 2, ISO 27001, SOX ITGC, GxP)
37
+ - `user-provided evidence` — audit evidence artifacts, control descriptions, audit scope descriptions, or written SAP landscape descriptions provided by the user
38
+ - `inference` — derived reasoning not directly confirmed by official docs or user evidence; must always be labeled as such
@@ -0,0 +1,129 @@
1
+ # Workflow and output contract — SAP Audit Evidence Packaging
2
+
3
+ Use this reference for evidence taxonomy, control-to-evidence mapping structure, chain-of-custody format, and output formatting.
4
+
5
+ ## Evidence taxonomy
6
+
7
+ SAP audit evidence is classified by control domain and artifact type:
8
+
9
+ ### Control domains
10
+
11
+ | Domain | Description |
12
+ |--------|-------------|
13
+ | `SoD` | Segregation of Duties — evidence that incompatible functions are not held by the same user |
14
+ | `Access Management` | User provisioning, deprovisioning, access review, role assignment, and privileged access controls |
15
+ | `Change Management` | Transport request lifecycle, approval chains, emergency change controls, and change freeze enforcement |
16
+ | `Financial Controls` | Posting authorization, period-end close controls, journal entry approval, and reconciliation evidence |
17
+ | `System Configuration` | SAP system parameter settings, security profile settings, audit log configuration, and baseline configuration |
18
+
19
+ ### Artifact types
20
+
21
+ | Artifact type | Description | Typical source |
22
+ |---------------|-------------|---------------|
23
+ | `GRC SoD report` | Machine-generated SoD conflict report from GRC Access Control or equivalent | SAP GRC Access Control NWBC report / Pathlock / Fastpath |
24
+ | `Role assignment export` | Export of user-to-role or user-to-role-collection assignments at a point in time | BTP CLI, SUIM transaction, GRC Access Control, IAS export |
25
+ | `Transport log` | Log of transport request creation, release, import approvals, and execution timestamps | STMS transaction export, CTS+ log, Cloud ALM transport log |
26
+ | `Access review report` | Periodic access review completion record showing reviewer, outcome, and date | GRC Access Control recertification report, manual review record |
27
+ | `Audit log extract` | System audit log entries demonstrating monitoring is active and events are captured | SM19/SM20 ABAP audit log export, BTP audit log service export |
28
+ | `Security parameter screenshot or export` | System parameter values (login/fails_to_user_lock, auth/rfc_authority_check, etc.) | RZ11 transaction export, parameter configuration export |
29
+ | `Approval record` | Documented approval of a specific action (emergency access, transport import, user creation) | Workflow completion record, ServiceNow ticket, email chain with timestamp |
30
+ | `Period-end evidence` | Evidence that period-end close procedures were executed and controls operated | Financial posting report, period-lock screenshot, reconciliation sign-off |
31
+
32
+ ## Control-to-evidence mapping structure
33
+
34
+ For each control, document:
35
+
36
+ ```
37
+ Control ID: <control reference from audit framework, e.g., SOX ITGC CC-01>
38
+ Control objective: <what the control is designed to prevent or detect>
39
+ Domain: <SoD | Access Management | Change Management | Financial Controls | System Configuration>
40
+ Framework refs: <SOC 2 CC6.1 | ISO 27001 A.9.2 | SOX ITGC | GxP Annex 11 clause X>
41
+ Required artifacts:
42
+ - <artifact type 1>: <what exactly to collect; time window; format>
43
+ - <artifact type 2>: <what exactly to collect; time window; format>
44
+ Chain-of-custody:
45
+ - Source system: <SAP SID or BTP subaccount or GRC tenant>
46
+ - Extraction method: <transaction/CLI command/API/manual export>
47
+ - Extraction timestamp: <ISO 8601>
48
+ - Extracted by: <role/person (no personal names in the mapping template)>
49
+ - Transformations: <redactions applied; format conversions>
50
+ Completeness status: <sufficient | partial | missing>
51
+ Gap description: <if partial or missing — what is absent and why>
52
+ ```
53
+
54
+ ## Chain-of-custody format
55
+
56
+ Every live evidence artifact included in an audit package must carry:
57
+
58
+ ```
59
+ [CHAIN_OF_CUSTODY]
60
+ Artifact name: <descriptive name, e.g., "SoD_Report_FI_2026Q1.xlsx">
61
+ Control ID(s): <comma-separated control IDs this artifact supports>
62
+ Domain: <SoD | Access Management | Change Management | Financial Controls | System Configuration>
63
+ Source system: <SAP SID, BTP subaccount ID, or GRC tenant identifier>
64
+ Extraction method: <GRC NWBC report / SUIM export / btp CLI / SM20 export / CloudALM API>
65
+ Extraction timestamp: <ISO 8601>
66
+ Extracted by role: <GRC viewer / BTP subaccount viewer / ABAP display user>
67
+ Audit period covered: <start date ISO 8601> to <end date ISO 8601>
68
+ Redactions applied: <yes/no — list what was redacted>
69
+ Reproducible: <yes | no | partial — explanation>
70
+ Storage location: <placeholder — do not include actual system paths with credentials>
71
+ Hash (SHA-256): <file hash for tamper evidence — populate after file is finalized>
72
+ ```
73
+
74
+ ## Redaction requirements before packaging
75
+
76
+ The following must be redacted from all evidence artifacts before inclusion in an audit package:
77
+
78
+ | Data category | Redaction action |
79
+ |--------------|-----------------|
80
+ | SAP system password, client secret, API key | Replace value with `[REDACTED:CREDENTIAL]` |
81
+ | Employee personal name | Replace with employee ID only, or `[REDACTED:PII_NAME]` if employee ID is also not permitted |
82
+ | National identification number or social security number | Replace with `[REDACTED:PII_NID]` |
83
+ | Salary or compensation data | Replace with `[REDACTED:PII_SALARY]` |
84
+ | Customer name or customer personal data | Replace with `[REDACTED:CUSTOMER_PII]` |
85
+ | SAML signing certificate private key | Replace with `[REDACTED:SAML_PRIVATE_KEY]` |
86
+ | Connection string with embedded credentials | Replace with `[REDACTED:CONN_STRING]` |
87
+
88
+ After redaction, document what was redacted in the chain-of-custody `Redactions applied` field.
89
+
90
+ ## Severity classification for evidence gaps
91
+
92
+ | Severity | Meaning | Examples |
93
+ |----------|---------|---------|
94
+ | `critical` | Control has no supporting evidence; gap cannot be closed before audit deadline | No SoD report extracted for the audit period; no transport approval records for the change management control |
95
+ | `high` | Evidence is partial; does not cover full audit period or key evidence artifact is missing | SoD report covers only part of the audit period; access review records missing for one system in scope |
96
+ | `medium` | Evidence is present but chain-of-custody is incomplete or redaction has not been applied | Evidence artifact lacks extraction timestamp or extracted-by role; personal data not yet redacted |
97
+ | `low` | Minor metadata gap or reproducibility risk only | File hash not yet calculated; storage location not yet documented in chain-of-custody |
98
+
99
+ ## Framework alignment matrix
100
+
101
+ | Control domain | SOC 2 Trust Service Criteria | ISO 27001 Annex A | SOX ITGC | GxP (21 CFR Part 11 / EU Annex 11) |
102
+ |---------------|------------------------------|-------------------|----------|-------------------------------------|
103
+ | SoD | CC6.3, CC6.6 | A.9.2.3, A.9.4.1 | Access to Programs and Data | Annex 11 clause 12 (audit trail), clause 7 (access control) |
104
+ | Access Management | CC6.1, CC6.2, CC6.3 | A.9.2.1, A.9.2.2, A.9.2.6 | Logical Access | Annex 11 clause 7 |
105
+ | Change Management | CC8.1 | A.14.2.2, A.14.2.4 | Program Change | Annex 11 clause 10 |
106
+ | Financial Controls | CC4.1 (monitoring) | A.12.4.1 (logging) | Financial Reporting ITGC | N/A (GxP is process-industry focused) |
107
+ | System Configuration | CC6.6, CC7.1 | A.12.1.2, A.14.1.1 | Operations | Annex 11 clause 4 (validation), clause 11 (data storage) |
108
+
109
+ ## Workflow
110
+
111
+ 1. **Receive scope** — audit scope description, control list, or evidence request from user.
112
+ 2. **Classify each control** by domain (SoD / Access Management / Change Management / Financial Controls / System Configuration).
113
+ 3. **Map to required artifacts** — define the specific artifact types needed per control.
114
+ 4. **Assess completeness** — review user-provided artifacts for sufficiency, period coverage, and chain-of-custody completeness.
115
+ 5. **Flag gaps** — classify gaps by severity (critical / high / medium / low).
116
+ 6. **Apply redaction checks** — identify any sensitive data requiring redaction.
117
+ 7. **Align to frameworks** — map each control to specific SOC 2, ISO 27001, SOX ITGC, or GxP requirements.
118
+ 8. **Return output** per the output contract below.
119
+
120
+ ## Output contract
121
+
122
+ Return:
123
+
124
+ 1. Audit scope summary (control domains in scope, audit period, frameworks applicable)
125
+ 2. Control-to-evidence mapping for each control in scope (required artifacts, chain-of-custody requirements, framework mapping)
126
+ 3. Completeness assessment per control (sufficient / partial / missing) with gap severity and description
127
+ 4. Redaction advisory (which artifacts require redaction and what to redact)
128
+ 5. Reproducibility assessment per artifact type
129
+ 6. Escalation trigger if live SAP system access is required to gather missing evidence (with pointer to the appropriate live discovery skill)