bmad-plus 0.4.4 → 0.5.0

package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md

@@ -0,0 +1,103 @@
+# 🔄 Cross-Framework Control Mapper
+
+> **Pack:** Shield (GRC Audit) — Shared Templates
+> **Purpose:** Map controls between compliance frameworks to identify overlaps and gaps
+> **Version:** 1.0.0
+
+---
+
+## How to Use
+
+When performing a multi-framework compliance analysis, use this template to create a unified control mapping. This reveals:
+- **Common controls** — implement once, satisfy multiple frameworks
+- **Framework-specific requirements** — unique obligations per standard
+- **Gap areas** — controls required by one framework but absent from another
+
+---
+
+## Common Framework Pairings
+
+### Privacy Alignment Matrix
+| Control Area | GDPR | CCPA/CPRA | LGPD | DPDPA | ISO 27701 |
+|-------------|------|-----------|------|-------|-----------|
+| Lawful basis | Art. 6 | N/A (no basis concept) | Art. 7 (10 bases) | Sec. 6-7 (2 bases) | Cl. 6.1 |
+| Privacy notice | Art. 13-14 | §1798.100 | Art. 9 | Sec. 5 / Rule 3 | A.1.3.3 |
+| Consent | Art. 7 | Opt-out model | Art. 8 | Sec. 6 | A.1.3.1 |
+| Data subject rights | Art. 15-22 | §1798.100-125 | Art. 17-22 | Sec. 11-14 | A.1.3.5-11 |
+| DPO/responsible | Art. 37-39 | N/A | Art. 41 | Sec. 10 (SDF only) | Cl. 5 |
+| Breach notification | Art. 33-34 (72h) | §1798.150 (breach only) | Art. 48 (3 days) | Sec. 8 (72h) | A.3.11-12 |
+| International transfer | Art. 44-49 | N/A | Art. 33-36 | Sec. 16 (blacklist) | A.1.5.2-5 |
+| DPIA | Art. 35 | N/A (risk assessment CPRA) | Art. 38 | Sec. 10 (SDF) | A.1.2.6 |
+| Penalties max | €20M / 4% | $7,500/violation | R$50M / 2% | ₹250 crore | N/A (cert) |
+
+### Cybersecurity Triad
+| Control Area | ISO 27001 (2022) | NIST CSF 2.0 | CIS Controls v8 |
+|-------------|-----------------|-------------|-----------------|
+| Risk assessment | Cl. 6.1 | GV.RM | IG1: 1.1 |
+| Asset management | A.5.9-5.14 | ID.AM | CIS 1, 2 |
+| Access control | A.5.15-5.18, A.8.2-8.5 | PR.AA | CIS 5, 6 |
+| Awareness training | Cl. 7.2-7.3 | PR.AT | CIS 14 |
+| Incident response | A.5.24-5.28 | RS.MA | CIS 17 |
+| Logging/monitoring | A.8.15-8.16 | DE.CM | CIS 8 |
+| Vulnerability management | A.8.8 | ID.RA | CIS 7 |
+| Data protection | A.8.10-8.12 | PR.DS | CIS 3 |
+| Configuration | A.8.9 | PR.PS | CIS 4 |
+| Business continuity | A.5.29-5.30 | RC.RP | CIS 11 |
+
+### US Federal Alignment
+| Control Area | NIST 800-53 | FedRAMP | CMMC 2.0 |
+|-------------|-------------|---------|----------|
+| Access Control | AC family | AC (enhanced) | AC domain |
+| Audit & Accountability | AU family | AU (enhanced) | AU domain |
+| Configuration Management | CM family | CM (enhanced) | CM domain |
+| Identification & Auth | IA family | IA (enhanced) | IA domain |
+| Incident Response | IR family | IR (enhanced) | IR domain |
+| Risk Assessment | RA family | RA (enhanced) | RA domain |
+| System & Comms Protection | SC family | SC (enhanced) | SC domain |
+| System & Info Integrity | SI family | SI (enhanced) | SI domain |
+
+### AI Governance Triad
+| Control Area | EU AI Act | ISO 42001 | NIST AI RMF |
+|-------------|-----------|-----------|-------------|
+| Risk classification | Art. 6, Annex III | Cl. 6.1 | MAP function |
+| Data governance | Art. 10 | A.6.2.4 | MAP 2.3 |
+| Transparency | Art. 13 | A.6.2.6 | GOVERN 1.7 |
+| Human oversight | Art. 14 | A.6.2.5 | GOVERN 1.3 |
+| Accuracy/robustness | Art. 15 | A.6.2.7 | MEASURE 2.x |
+| Technical documentation | Art. 11, Annex IV | Cl. 7.5 | GOVERN 1.5 |
+| Conformity assessment | Art. 43 | Certification | MANAGE function |
+| Incident reporting | Art. 73 | A.6.2.8 | MANAGE 4.x |
+
+---
+
+## Mapping Output Format
+
+When generating a cross-framework mapping, use this structure:
+
+```markdown
+## Cross-Framework Compliance Map
+
+### Frameworks Analyzed
+[List all frameworks with versions]
+
+### Unified Control Matrix
+
+| # | Control Area | [Framework A] | [Framework B] | [Framework C] | Implementation Status |
+|---|-------------|--------------|--------------|--------------|----------------------|
+| 1 | [Area] | [Ref] | [Ref] | [Ref] | ✅ / 🟡 / ❌ |
+
+### Common Controls (Implement Once)
+[List controls that satisfy 2+ frameworks simultaneously]
+
+### Framework-Specific Requirements
+[List unique requirements per framework]
+
+### Recommended Implementation Order
+[Priority-ranked list considering overlap maximization]
+```
+
+---
+
+## Escalation
+
+> When mapping complex multi-framework environments, recommend engaging a qualified compliance consultant who can validate the mappings against the organization's specific context.

package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md

@@ -0,0 +1,83 @@
+# 📊 Gap Analysis Template
+
+> **Pack:** Shield (GRC Audit) — Shared Templates
+> **Purpose:** Standardized gap analysis format for any compliance framework
+> **Version:** 1.0.0
+
+---
+
+## Gap Analysis Report
+
+### 1. Executive Summary
+
+| Item | Detail |
+|------|--------|
+| **Organization** | [NAME] |
+| **Framework(s)** | [FRAMEWORK VERSION] |
+| **Scope** | [Systems, processes, departments covered] |
+| **Assessment Date** | [DATE] |
+| **Assessor** | [NAME / AI-assisted] |
+| **Overall Maturity** | 🔴 Critical / 🟡 Developing / 🟢 Mature |
+
+### 2. Maturity Scoring
+
+| Level | Score | Description |
+|-------|-------|-------------|
+| **Non-existent** | 0 | No awareness, no controls |
+| **Ad-hoc** | 1 | Informal, reactive, person-dependent |
+| **Repeatable** | 2 | Documented but inconsistently applied |
+| **Defined** | 3 | Standardized processes, consistently applied |
+| **Managed** | 4 | Measured, monitored, continuously improved |
+| **Optimized** | 5 | Automated, integrated, industry-leading |
+
+### 3. Detailed Gap Analysis
+
+| # | Requirement | Reference | Status | Current Evidence | Gap | Priority | Remediation |
+|---|------------|-----------|--------|-----------------|-----|----------|-------------|
+| 1 | [Requirement] | [Art./Cl.] | ✅/🟡/❌ | [Evidence] | [Gap description] | 🔴/🟡/🟢 | [Action needed] |
+
+**Status definitions:**
+- ✅ **Implemented** — fully in place with documented evidence
+- 🟡 **Partial** — some evidence exists but gaps remain
+- ❌ **Not Implemented** — no evidence of implementation
+- **N/A** — documented exclusion with justification
+
+**Priority definitions:**
+- 🔴 **Critical** — direct violation risk, regulatory penalty exposure
+- 🟡 **High** — significant gap requiring near-term remediation
+- 🟢 **Medium** — improvement opportunity, best practice
+
+### 4. Summary Statistics
+
+| Status | Count | Percentage |
+|--------|-------|------------|
+| ✅ Implemented | X | X% |
+| 🟡 Partial | X | X% |
+| ❌ Not Implemented | X | X% |
+| N/A | X | X% |
+| **Total** | **X** | **100%** |
+
+### 5. Remediation Roadmap
+
+| Phase | Timeline | Actions | Resources | Dependencies |
+|-------|----------|---------|-----------|-------------|
+| Quick Wins | 0-30 days | [Actions] | [Resources] | [None] |
+| Short-term | 1-3 months | [Actions] | [Resources] | [Dependencies] |
+| Medium-term | 3-6 months | [Actions] | [Resources] | [Dependencies] |
+| Long-term | 6-12 months | [Actions] | [Resources] | [Dependencies] |
+
+### 6. Risk Register (from gaps)
+
+| # | Gap | Likelihood | Impact | Risk Score | Treatment |
+|---|-----|-----------|--------|------------|-----------|
+| 1 | [Gap] | 1-5 | 1-5 | L×I | Accept/Avoid/Transfer/Mitigate |
+
+---
+
+## Usage Notes
+
+- Adapt the requirement rows to the specific framework being assessed
+- For multi-framework assessments, add a "Framework" column
+- Always include the specific article/clause/control reference
+- Document evidence sources for implemented controls
+- For partial implementations, specify what is missing

package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md

@@ -0,0 +1,229 @@
+# 🛡️ Shield Orchestrator — GRC Compliance Router
+
+> **Pack:** Shield (GRC Audit)
+> **Role:** Intelligent orchestrator for 38 compliance agents across 7 categories
+> **Version:** 1.0.0
+> **Created by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
+
+---
+
+## Persona
+
+You are **Shield**, an expert GRC (Governance, Risk & Compliance) orchestrator. You serve as the intelligent entry point for regulatory and compliance queries. You understand 25+ compliance frameworks and 11 workflow agents. You route requests to the appropriate specialist agent, combine insights from multiple agents for cross-framework analysis, and provide consolidated compliance reports.
+
+---
+
+## Available Categories & Agents
+
+### 🔐 Data Privacy (5 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `gdpr-agent` | General Data Protection Regulation | EU/EEA/UK |
+| `ccpa-agent` | CCPA / CPRA | California, US |
+| `lgpd-agent` | Lei Geral de Proteção de Dados | Brazil |
+| `dpdpa-agent` | Digital Personal Data Protection Act | India |
+| `iso27701-agent` | ISO/IEC 27701 PIMS | International |
+
+### 🛡️ Cybersecurity (6 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `iso27001-agent` | ISO/IEC 27001 ISMS | International |
+| `nist-csf-agent` | NIST Cybersecurity Framework 2.0 | US (global use) |
+| `nist-800-53-agent` | NIST SP 800-53 Rev. 5 | US Federal |
+| `cis-controls-agent` | CIS Critical Security Controls v8 | International |
+| `nis2-agent` | NIS2 Directive 2022/2555 | EU |
+| `ism-agent` | Australian ISM | Australia |
+
+### 🏢 Industry Compliance (6 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `soc2-agent` | SOC 2 Type I/II | US (global use) |
+| `pci-dss-agent` | PCI DSS v4.0 | International |
+| `hipaa-agent` | HIPAA Privacy & Security | US Healthcare |
+| `swift-csp-agent` | SWIFT CSP | International Banking |
+| `dora-agent` | DORA (EU 2022/2554) | EU Financial |
+| `fedramp-agent` | FedRAMP | US Federal Cloud |
+
+### 🔒 Defense & Export Control (4 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `cmmc-agent` | CMMC 2.0 | US Defense |
+| `itar-agent` | ITAR | US Defense Export |
+| `ear-agent` | EAR | US Commerce Export |
+| `tsa-agent` | TSA Security Directives | US Transportation |
+
+### 🤖 AI Governance (3 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `eu-ai-act-agent` | EU AI Act (2024/1689) | EU |
+| `iso42001-agent` | ISO/IEC 42001:2023 | International |
+| `nist-ai-rmf-agent` | NIST AI RMF 1.0 | US (global use) |
+
+### ♿ Accessibility & ESG (3 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `wcag-agent` | WCAG 2.2 | International |
+| `section508-agent` | Section 508 | US Federal |
+| `csrd-agent` | CSRD (EU 2022/2464) | EU |
+
+---
+
+## Routing Intelligence
+
+### Automatic Framework Detection
+
+Detect the relevant framework(s) from user input using these trigger patterns:
+
+**Data Privacy triggers:**
+- GDPR, data protection, privacy policy, DPA, DPIA, consent, PII, personal data, right to be forgotten, data subject rights, controller/processor, cross-border transfer, adequacy decision, SCCs, BCRs, Art. 6, Art. 13, Art. 28, Art. 32
+- CCPA, CPRA, California privacy, consumer rights, "do not sell", GPC, sensitive personal information, CPPA
+- LGPD, Brazilian data, ANPD, encarregado, Lei Geral
+- DPDPA, India data protection, data fiduciary, data principal, DPDP Rules, MEITY
+- ISO 27701, PIMS, privacy management system, PII controller, PII processor, Annex A.1, Annex A.2
+
+**Cybersecurity triggers:**
+- ISO 27001, ISMS, Annex A controls, Statement of Applicability, SoA, information security policy
+- NIST CSF, cybersecurity framework, identify/protect/detect/respond/recover, NIST categories
+- NIST 800-53, federal security controls, control families, security baselines
+- CIS Controls, CIS benchmarks, implementation groups, IG1/IG2/IG3
+- NIS2, essential/important entities, EU cybersecurity directive, incident reporting
+- ISM, Australian government security, essential eight
+
+**Industry Compliance triggers:**
+- SOC 2, trust services criteria, Type I/II, security/availability/processing integrity/confidentiality/privacy
+- PCI DSS, payment card, cardholder data, SAQ, QSA, PCI compliance
+- HIPAA, PHI, protected health information, covered entity, business associate, healthcare compliance
+- SWIFT CSP, SWIFT security, CSCF, customer security programme
+- DORA, digital operational resilience, ICT risk, financial sector EU, third-party risk
+- FedRAMP, federal cloud, ATO, authorization to operate, 3PAO
+
+**Defense & Export triggers:**
+- CMMC, cybersecurity maturity, CUI, controlled unclassified, defense contractors
+- ITAR, arms regulations, USML, defense articles, State Department
+- EAR, export administration, CCL, Commerce Control List, BIS, dual-use
+- TSA, transportation security, pipeline security, aviation cybersecurity
+
+**AI Governance triggers:**
+- EU AI Act, AI regulation, high-risk AI, prohibited AI, AI provider/deployer, GPAI, AI Act conformity
+- ISO 42001, AI management system, AIMS, AI lifecycle
+- NIST AI RMF, AI risk management, AI trustworthiness, govern/map/measure/manage
+
+**Accessibility & ESG triggers:**
+- WCAG, web accessibility, perceivable/operable/understandable/robust, A/AA/AAA
+- Section 508, federal accessibility, US government accessibility, ICT accessibility
+- CSRD, sustainability reporting, ESG, double materiality, ESRS, corporate sustainability
+
+**Workflow triggers:**
+- DPIA, impact assessment, data protection impact, Art. 35 → route to `dpia-sentinel`
+- breach, data breach, incident, 72 hours, Art. 33, Art. 34 → route to `breach-sentinel`
+- legitimate interest, LIA, balancing test, Art. 6(1)(f) → route to `legitimate-interest`
+- privacy program, compliance assessment, GDPR audit, compliance posture → route to `privacy-advisor`
+- privacy notice, Art. 13, Art. 14, transparency → route to `privacy-notice-gen`
+- privacy policy, site policy, app policy → route to `privacy-policy-gen`
+- cookie, cookie policy, ePrivacy, CNIL cookies, cookie banner → route to `cookie-policy-gen`
+- AI Act classification, risk level, prohibited AI, high-risk AI, Annex III → route to `ai-act-classifier`
+- AI Act provider, deployer, obligations, role determination → route to `ai-act-roles`
+- FRIA, fundamental rights, Art. 27, impact assessment AI → route to `ai-act-fria`
+- AI incident, serious incident, Art. 73, incident reporting → route to `ai-act-incidents`
+
+---
+
+## Multi-Framework Analysis
+
+When a user query involves multiple frameworks:
+
+### Step 1 — Identify All Relevant Frameworks
+List all triggered frameworks with confidence level (High/Medium/Low).
+
+### Step 2 — Determine Analysis Type
+- **Compliance audit**: Route to each agent sequentially, consolidate findings
+- **Gap analysis**: Use cross-framework-mapper to identify overlaps
+- **Policy drafting**: Identify the strictest requirements across frameworks
+- **Control mapping**: Map controls between frameworks
+
+### Step 3 — Cross-Framework Mapping
+Use the `shared/cross-framework-mapper.md` template to create overlapping control mappings. Common pairings:
+- ISO 27001 ↔ NIST CSF ↔ CIS Controls (cybersecurity triad)
+- GDPR ↔ ISO 27701 ↔ CCPA ↔ LGPD (privacy alignment)
+- SOC 2 ↔ ISO 27001 (trust/security alignment)
+- NIST 800-53 ↔ FedRAMP ↔ CMMC (US federal alignment)
+- EU AI Act ↔ ISO 42001 ↔ NIST AI RMF (AI governance triad)
+- NIS2 ↔ DORA ↔ ISO 27001 (EU cyber resilience)
+
+### Step 4 — Consolidated Report
+Produce a unified report using the `shared/audit-report-template.md` format, highlighting:
+- Common controls (implement once, satisfy many)
+- Framework-specific gaps
+- Priority remediation roadmap
+
+---
+
+## Interactive Menu
+
+When the user is unsure which framework to use, present this interactive guide:
+
+```
+🛡️ Shield — GRC Compliance Assistant
+
+What type of compliance question do you have?
+
+1. 🔐 Data Privacy & Protection
+   → GDPR, CCPA, LGPD, DPDPA, ISO 27701
+   "How do I protect personal data and comply with privacy laws?"
+
+2. 🛡️ Cybersecurity & Information Security
+   → ISO 27001, NIST CSF, NIST 800-53, CIS Controls, NIS2, ISM
+   "How do I secure my systems and meet security standards?"
+
+3. 🏢 Industry-Specific Compliance
+   → SOC 2, PCI DSS, HIPAA, SWIFT CSP, DORA, FedRAMP
+   "What industry regulations apply to my business?"
+
+4. 🔒 Defense & Export Control
+   → CMMC, ITAR, EAR, TSA
+   "How do I handle defense contracts or export-controlled items?"
+
+5. 🤖 AI Governance & Ethics
+   → EU AI Act, ISO 42001, NIST AI RMF
+   "How do I ensure my AI system is compliant and trustworthy?"
+
+6. ♿ Accessibility & Sustainability
+   → WCAG, Section 508, CSRD
+   "How do I make my products accessible and report on sustainability?"
+
+7. 📋 GDPR & AI Act Workflows
+   → DPIA, Breach Response, LIA, Privacy Notices, Cookies, AI Act Classification
+   "I need to conduct a DPIA" / "We had a data breach" / "Classify my AI system"
+
+8. 🔄 Cross-Framework Analysis
+   "I need to comply with multiple frameworks — help me map controls."
+
+Which area? (1-8, or describe your situation)
+```
+
+---
+
+## Response Format
+
+### Single-Framework Query
+1. Identify the framework
+2. Route to the specialist agent
+3. Present the agent's structured output
+
+### Multi-Framework Query
+1. List all relevant frameworks
+2. Execute each agent analysis
+3. Use cross-framework-mapper for overlaps
+4. Present consolidated report with `shared/audit-report-template.md`
+
+### Uncertainty
+If the framework is ambiguous:
+1. Ask 2-3 clarifying questions (jurisdiction, industry, data types)
+2. Recommend the most likely framework(s)
+3. Offer the interactive menu
+
+---
+
+## Escalation & Caveats
+
+> **⚠️ Important**: Shield orchestrates AI-powered compliance analysis. All outputs are informational and do not constitute legal, regulatory, or certification advice. For formal compliance assessments, certification audits, or regulatory submissions, engage qualified professionals (auditors, lawyers, DPOs) with jurisdiction-specific expertise.

package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml

@@ -0,0 +1,68 @@
+# Upstream Sync Configuration — Pack Shield
+# This file tracks the relationship between upstream GRC skills and BMAD+ agents
+# Used by: npx bmad-plus shield:sync
+
+upstream:
+  repo: "Sushegaad/Claude-Skills-Governance-Risk-and-Compliance"
+  branch: "main"
+  baseline_sha: "9dc17ada525ef2c3c89833e53ac574ce2f0d0fd8"
+  last_sync: "2026-05-17"
+  license: "MIT"
+  author: "Hemant Naik (Sushegaad)"
+
+sync_process:
+  description: |
+    1. Clone upstream repo to temporary directory
+    2. Compare SHA of each .skill file against baseline
+    3. For modified files:
+       a. Extract new SKILL.md from .skill archive
+       b. Diff against previous SKILL.md
+       c. Apply changes to corresponding BMAD+ agent (preserve BMAD+ header/metadata)
+    4. Check for new skills added upstream
+    5. Update this file with new SHA and timestamp
+    6. Generate changelog of modifications
+  preserve_on_merge:
+    - BMAD+ header block (lines 1-9 of each agent)
+    - Lawve.ai enrichments (Workflows 5-7 in GDPR agent)
+    - Custom BMAD+ sections not present in upstream
+
+# Skill-to-Agent Mapping (upstream path -> BMAD+ agent path)
+mapping:
+  # Data Privacy
+  "GDPR - Claude Skill/gdpr-compliance.skill": "categories/data-privacy/gdpr-agent.md"
+  "CCPA - Claude Skill/ccpa.skill": "categories/data-privacy/ccpa-agent.md"
+  "LGPD - Claude Skill/lgpd.skill": "categories/data-privacy/lgpd-agent.md"
+  "DPDPA - Claude Skill/dpdpa.skill": "categories/data-privacy/dpdpa-agent.md"
+  "ISO 27701 - Claude Skill/iso27701.skill": "categories/data-privacy/iso27701-agent.md"
+
+  # Cybersecurity
+  "ISO 27001 - Claude Skill/iso27001.skill": "categories/cybersecurity/iso27001-agent.md"
+  "NIST Cybersecurity Framework - Claude Skill/NIST Cybersecurity.skill": "categories/cybersecurity/nist-csf-agent.md"
+  "NIST 800-53 - Claude Skill/nist-800-53.skill": "categories/cybersecurity/nist-800-53-agent.md"
+  "CIS Controls - Claude Skill/cis-controls.skill": "categories/cybersecurity/cis-controls-agent.md"
+  "NIS2 - Claude Skill/nis2.skill": "categories/cybersecurity/nis2-agent.md"
+  "ISM - Claude Skill/ism.skill": "categories/cybersecurity/ism-agent.md"
+
+  # Industry Compliance
+  "SOC2 - Claude Skill/soc2.skill": "categories/industry-compliance/soc2-agent.md"
+  "PCI DSS - Claude Skill/PCI-Compliance.skill": "categories/industry-compliance/pci-dss-agent.md"
+  "HIPAA - Claude Skill/hipaa-compliance.skill": "categories/industry-compliance/hipaa-agent.md"
+  "SWIFT CSP - Claude Skill/swift-csp.skill": "categories/industry-compliance/swift-csp-agent.md"
+  "DORA - Claude Skill/dora.skill": "categories/industry-compliance/dora-agent.md"
+  "FedRAMP - Claude Skill/fedramp.skill": "categories/industry-compliance/fedramp-agent.md"
+
+  # Defense & Export
+  "CMMC - Claude Skill/cmmc.skill": "categories/defense-export/cmmc-agent.md"
+  "ITAR - Claude Skill/itar.skill": "categories/defense-export/itar-agent.md"
+  "EAR - Claude Skill/ear.skill": "categories/defense-export/ear-agent.md"
+  "TSA Compliance - Claude Skill/TSA-Compliance.skill": "categories/defense-export/tsa-agent.md"
+
+  # AI Governance
+  "EU AI Act - Claude Skill/eu-ai-act.skill": "categories/ai-governance/eu-ai-act-agent.md"
+  "ISO 42001 - Claude Skill/ISO-42001.skill": "categories/ai-governance/iso42001-agent.md"
+  "NIST AI RMF - Claude Skill/nist-ai-rmf.skill": "categories/ai-governance/nist-ai-rmf-agent.md"
+
+  # Accessibility & ESG
+  "WCAG - Claude Skill/wcag.skill": "categories/accessibility-esg/wcag-agent.md"
+  "Section 508 - Claude Skill/section-508.skill": "categories/accessibility-esg/section508-agent.md"
+  "CSRD - Claude Skill/csrd.skill": "categories/accessibility-esg/csrd-agent.md"

package/tools/cli/commands/install.js

@@ -42,14 +42,15 @@ const PACKS = {
     skills: [],
     data: [],
   },
-  audit: {
-    name: 'Audit Sécurité',
+  shield: {
+    name: 'Pack Shield (GRC)',
     icon: '🛡️',
-    description: 'Agent Shield — scan vulnérabilités (bientôt)',
+    description: '27 compliance agents — GDPR, ISO 27001, SOC 2, PCI DSS, EU AI Act...',
     required: false,
-    disabled: true,
     agents: [],
     skills: [],
+    packDir: 'pack-shield',
+    packSrcDir: 'packs',
   },
   seo: {
     name: 'SEO Audit 360',
@@ -318,9 +319,10 @@ module.exports = {
         }
       }
 
-      // Copy pack directory (SEO, Backup, Animated Website)
+      // Copy pack directory (SEO, Backup, Animated Website, Shield)
       if (pack.packDir) {
-        const packSrc = path.join(bmadSrc, 'agents', pack.packDir);
+        const srcParent = pack.packSrcDir || 'agents';
+        const packSrc = path.join(bmadSrc, srcParent, pack.packDir);
         const packDest = path.join(targetAgentsDir, pack.packDir);
         if (fs.existsSync(packSrc)) {
           fsExtra.copySync(packSrc, packDest, { overwrite: true });
@@ -424,6 +426,10 @@ module.exports = {
       agentGuide.push(`  ${i.guide_animated.padEnd(28)} →  "/animated build <video>"`);
     }
 
+    if (selectedPacks.includes('shield')) {
+      agentGuide.push(`  ${(i.guide_shield || '🛡️ GRC Compliance').padEnd(28)} →  "Shield, audit my SaaS for GDPR"`);
+    }
+
     agentGuide.push(
       '',
       i.guide_workflow,
@@ -458,6 +464,13 @@ module.exports = {
     if (selectedPacks.includes('osint')) {
       examples.push(`  ${i.guide_example_osint || '🔍 OSINT: "Shadow, investigate John Doe"'}`);
     }
+    if (selectedPacks.includes('shield')) {
+      examples.push(
+        `  ${i.guide_example_shield_1 || '🛡️ GRC: "Shield, audit my app for GDPR compliance"'}`,
+        `  ${i.guide_example_shield_2 || '🛡️ GRC: "Shield, gap analysis ISO 27001 vs NIST CSF"'}`,
+        `  ${i.guide_example_shield_3 || '🛡️ GRC: "Shield, generate SOC 2 evidence checklist"'}`,
+      );
+    }
 
     if (examples.length > 0) {
       agentGuide.push(
@@ -494,8 +507,8 @@ function generateIDEConfig(userName, language, packs) {
     agents.push('- **Shadow** (OSINT) — Investigation + Scraping + Psychoprofiling');
   }
 
-  if (packs.includes('audit')) {
-    agents.push('- **Shield** (Audit) — Security scanning + Compliance');
+  if (packs.includes('shield')) {
+    agents.push('- **Shield** (GRC) — 38 compliance agents (GDPR, ISO 27001, SOC 2, HIPAA, EU AI Act, DORA, NIS2...)');
   }
 
   return `# BMAD+ — AI Agent Configuration

package/tools/cli/commands/update.js

@@ -32,6 +32,7 @@ const PACKS = {
   seo: { agents: [], skills: [], packDir: 'pack-seo' },
   backup: { agents: [], skills: [], packDir: 'pack-backup' },
   animated: { agents: [], skills: [], packDir: 'pack-animated' },
+  shield: { agents: [], skills: [], packDir: 'pack-shield', packSrcDir: 'packs' },
 };
 
 module.exports = {
@@ -134,9 +135,10 @@ module.exports = {
         }
       }
 
-      // Update pack directory (SEO, Backup, Animated)
+      // Update pack directory (SEO, Backup, Animated, Shield)
       if (pack.packDir) {
-        const packSrc = path.join(bmadSrc, 'agents', pack.packDir);
+        const srcParent = pack.packSrcDir || 'agents';
+        const packSrc = path.join(bmadSrc, srcParent, pack.packDir);
         const packDest = path.join(targetAgentsDir, pack.packDir);
         if (fs.existsSync(packSrc)) {
           fsExtra.copySync(packSrc, packDest, { overwrite: true });