bmad-plus 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294) hide show
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,287 +1,287 @@
1
- # EU AI Act — High-Risk AI System Obligations Reference
2
-
3
- All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
-
5
- ---
6
-
7
- ## Art. 9 — Risk Management System
8
-
9
- **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
-
11
- **Requirements:**
12
- - Continuous, iterative process maintained from development through decommissioning
13
- - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
- - **5-step process:**
15
- 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
- 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
- 3. Evaluate risks emerging from post-market monitoring data
18
- 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
- 5. Assess residual risk acceptability; document reasoning
20
- - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
- 1. Design-based risk elimination first
22
- 2. Adequate mitigation measures if elimination not possible
23
- 3. Information provision to deployers and users
24
- - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
- - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
-
27
- **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
-
29
- ---
30
-
31
- ## Art. 10 — Data and Data Governance
32
-
33
- **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
-
35
- **Dataset requirements (Art. 10(2)):**
36
- - Relevant to intended purpose
37
- - Sufficiently representative of the persons/contexts the system will encounter
38
- - Free of errors (where appropriate)
39
- - Complete for the intended purpose
40
- - Statistically appropriate for target geographic, contextual, and behavioral population
41
-
42
- **Data governance practices (Art. 10(3)):**
43
- - Design choices documentation
44
- - Data collection method documentation
45
- - Data origin examination and documentation
46
- - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
- - Bias examination and identification
48
- - Gap identification in relevant properties
49
-
50
- **Special category data (Art. 10(5)) — bias detection exception:**
51
- Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
- 1. No adequate alternative data source exists
53
- 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
- 3. Access controls ensure minimum necessary access
55
- 4. No third-party data transfer
56
- 5. Data deleted upon completion of bias detection
57
- 6. Documented justification maintained
58
-
59
- ---
60
-
61
- ## Art. 11 — Technical Documentation
62
-
63
- **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
-
65
- **Content specified in Annex IV:**
66
- - General description: intended purpose, provider identity, version, interactions with other systems
67
- - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
- - Information about training data (including general description, origin, annotation procedures, design choices)
69
- - Assessment of the measures required to interpret outputs and enable human oversight
70
- - Detailed description of the system design (architecture, source code or training code access if applicable)
71
- - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
- - Risk management system documentation (Art. 9)
73
- - Changes made to system over lifecycle
74
- - List of harmonised standards applied (or description of alternative solutions for conformity)
75
- - EU Declaration of Conformity
76
-
77
- **Retention:** 10 years after market placement or putting into service.
78
-
79
- ---
80
-
81
- ## Art. 12 — Record-Keeping / Automatic Logging
82
-
83
- **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
-
85
- **Provider obligations:**
86
- - High-risk systems must be capable of automatically generating event logs throughout operation
87
- - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
- - For biometric identification: logs must enable identification of persons involved and circumstances
89
-
90
- **Deployer obligations (Art. 26(6)):**
91
- - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
- - Public sector deployers: stricter retention may apply under public records obligations
93
-
94
- ---
95
-
96
- ## Art. 13 — Transparency and Provision of Information to Deployers
97
-
98
- **Purpose:** Enable deployers to understand and correctly use the AI system.
99
-
100
- **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
-
102
- **Instructions for use must include:**
103
- - Provider identity, address, registration data
104
- - System characteristics, capabilities, and intended purpose
105
- - Performance metrics: level of accuracy, robustness, cybersecurity
106
- - Known or foreseeable circumstances that may lead to risks
107
- - System performance for specific persons/groups
108
- - Specifications for input data (data types, formats, dimensions)
109
- - Information on changes made vs prior versions
110
- - Human oversight measures (Art. 14) and technical measures to enable oversight
111
- - Computational resources required; expected system lifetime
112
- - Description of logging mechanisms (Art. 12)
113
- - Any predetermined modifications or updates
114
-
115
- **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
-
117
- ---
118
-
119
- ## Art. 14 — Human Oversight
120
-
121
- **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
-
123
- **System design obligations (providers, Art. 14(3)):**
124
- High-risk AI systems must be designed to allow natural persons to:
125
- - Understand system capabilities and limitations
126
- - Recognize **automation bias** (over-reliance on AI outputs)
127
- - Correctly interpret AI outputs (including interpretability features)
128
- - Decide not to use, or disregard, override, or reverse AI outputs
129
- - Intervene through a **stop button** or similar interrupt mechanism
130
-
131
- **Deployer implementation obligations (Art. 14(4)):**
132
- - Assign human oversight to natural persons with necessary competence, authority, and resources
133
- - Train oversight persons on system capabilities/limitations and automation bias risk
134
-
135
- **Biometric identification specific (Art. 14(5)):**
136
- - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
-
138
- **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
-
140
- ---
141
-
142
- ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
-
144
- **Accuracy:**
145
- - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
- - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
- - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
-
149
- **Robustness:**
150
- - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
- - Consistent performance throughout operational lifetime
152
- - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
- - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
-
155
- **Cybersecurity:**
156
- Resilience against attempts to alter use, outputs, or performance, including:
157
- - **Data poisoning attacks** (contaminating training data)
158
- - **Model poisoning attacks** (manipulating model weights)
159
- - **Adversarial examples** (crafted inputs causing misclassification)
160
- - **Confidentiality attacks** (extracting training data or model internals)
161
- - **Model flaws exploitation** (taking advantage of design weaknesses)
162
-
163
- **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
-
165
- ---
166
-
167
- ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
-
169
- Before placing on market or putting into service, providers must:
170
-
171
- 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
- 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
- 3. ☐ Establish and implement quality management system (Art. 17)
174
- 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
- 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
- 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
- 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
- 8. ☐ Affix CE marking (Art. 48)
179
- 9. ☐ Register in EU AI database (Art. 49) before market placement
180
- 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
- 11. ☐ Demonstrate conformity upon request of national competent authority
182
- 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
-
184
- ---
185
-
186
- ## Art. 17 — Quality Management System (13 Required Components)
187
-
188
- Documented policies and procedures covering:
189
-
190
- 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
- 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
- 3. **Development quality control** procedures
193
- 4. **Testing and validation** — before, during, and after development
194
- 5. **Technical standards application** — harmonised standards and common specifications
195
- 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
- 7. **Risk management** per Art. 9
197
- 8. **Post-market monitoring** per Art. 72
198
- 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
- 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
- 11. **Record-keeping and documentation** — retention periods and access procedures
201
- 12. **Resource management** including supply-chain security measures
202
- 13. **Accountability framework** — clear responsibility assignment for all above components
203
-
204
- **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
-
206
- ---
207
-
208
- ## Art. 26 — Deployer Obligations
209
-
210
- 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
- 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
- 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
- 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
- 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
- 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
- 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
- 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
- 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
- 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
-
221
- ---
222
-
223
- ## Arts. 43–49 — Conformity Assessment and CE Marking
224
-
225
- ### Art. 43 — Conformity Assessment Paths
226
-
227
- **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
- - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
- - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
-
231
- Notified body (B) is **mandatory** when:
232
- - No harmonised standards covering the system exist
233
- - Standards exist but provider has not applied them (or only partially)
234
- - Common specifications are unavailable or not used
235
- - Standards published with restrictions that limit presumption of conformity
236
-
237
- **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
-
239
- **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
-
241
- **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
-
243
- **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
-
245
- ### Art. 47 — EU Declaration of Conformity
246
- - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
- - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
- - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
- - Machine-readable format; translation required into languages required by national authorities
250
- - Maintained for **10 years** from market placement
251
-
252
- ### Art. 48 — CE Marking
253
- - Visible, legible, indelible affixation on system, packaging, or documentation
254
- - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
- - Subject to general principles of CE marking (Regulation 765/2008)
256
- - Affixed before market placement; re-affixed if system substantially modified
257
-
258
- ### Arts. 49 and 60 — EU AI Database Registration
259
-
260
- **Provider registration (Art. 49):**
261
- - Before market placement (Annex III systems — Art. 6(2))
262
- - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
- - Provider registration covers all deployers and users of that system
264
-
265
- **Public authority deployer registration (Art. 60):**
266
- - Before deployment of registered high-risk systems
267
- - Additional system-specific information for public authority use
268
-
269
- **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
-
271
- **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
-
273
- ---
274
-
275
- ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
-
277
- **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
-
279
- **Content:**
280
- - Description of the deployer's processes in which the system will be used
281
- - Time period, frequency, and number of persons affected
282
- - The specific categories of persons likely to be affected
283
- - Specific risks of harm to categories of affected persons
284
- - Human oversight measures (Art. 14) planned
285
- - Measures to address fundamental rights risks
286
-
287
- **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.
1
+ # EU AI Act — High-Risk AI System Obligations Reference
2
+
3
+ All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
+
5
+ ---
6
+
7
+ ## Art. 9 — Risk Management System
8
+
9
+ **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
+
11
+ **Requirements:**
12
+ - Continuous, iterative process maintained from development through decommissioning
13
+ - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
+ - **5-step process:**
15
+ 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
+ 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
+ 3. Evaluate risks emerging from post-market monitoring data
18
+ 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
+ 5. Assess residual risk acceptability; document reasoning
20
+ - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
+ 1. Design-based risk elimination first
22
+ 2. Adequate mitigation measures if elimination not possible
23
+ 3. Information provision to deployers and users
24
+ - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
+ - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
+
27
+ **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
+
29
+ ---
30
+
31
+ ## Art. 10 — Data and Data Governance
32
+
33
+ **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
+
35
+ **Dataset requirements (Art. 10(2)):**
36
+ - Relevant to intended purpose
37
+ - Sufficiently representative of the persons/contexts the system will encounter
38
+ - Free of errors (where appropriate)
39
+ - Complete for the intended purpose
40
+ - Statistically appropriate for target geographic, contextual, and behavioral population
41
+
42
+ **Data governance practices (Art. 10(3)):**
43
+ - Design choices documentation
44
+ - Data collection method documentation
45
+ - Data origin examination and documentation
46
+ - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
+ - Bias examination and identification
48
+ - Gap identification in relevant properties
49
+
50
+ **Special category data (Art. 10(5)) — bias detection exception:**
51
+ Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
+ 1. No adequate alternative data source exists
53
+ 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
+ 3. Access controls ensure minimum necessary access
55
+ 4. No third-party data transfer
56
+ 5. Data deleted upon completion of bias detection
57
+ 6. Documented justification maintained
58
+
59
+ ---
60
+
61
+ ## Art. 11 — Technical Documentation
62
+
63
+ **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
+
65
+ **Content specified in Annex IV:**
66
+ - General description: intended purpose, provider identity, version, interactions with other systems
67
+ - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
+ - Information about training data (including general description, origin, annotation procedures, design choices)
69
+ - Assessment of the measures required to interpret outputs and enable human oversight
70
+ - Detailed description of the system design (architecture, source code or training code access if applicable)
71
+ - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
+ - Risk management system documentation (Art. 9)
73
+ - Changes made to system over lifecycle
74
+ - List of harmonised standards applied (or description of alternative solutions for conformity)
75
+ - EU Declaration of Conformity
76
+
77
+ **Retention:** 10 years after market placement or putting into service.
78
+
79
+ ---
80
+
81
+ ## Art. 12 — Record-Keeping / Automatic Logging
82
+
83
+ **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
+
85
+ **Provider obligations:**
86
+ - High-risk systems must be capable of automatically generating event logs throughout operation
87
+ - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
+ - For biometric identification: logs must enable identification of persons involved and circumstances
89
+
90
+ **Deployer obligations (Art. 26(6)):**
91
+ - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
+ - Public sector deployers: stricter retention may apply under public records obligations
93
+
94
+ ---
95
+
96
+ ## Art. 13 — Transparency and Provision of Information to Deployers
97
+
98
+ **Purpose:** Enable deployers to understand and correctly use the AI system.
99
+
100
+ **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
+
102
+ **Instructions for use must include:**
103
+ - Provider identity, address, registration data
104
+ - System characteristics, capabilities, and intended purpose
105
+ - Performance metrics: level of accuracy, robustness, cybersecurity
106
+ - Known or foreseeable circumstances that may lead to risks
107
+ - System performance for specific persons/groups
108
+ - Specifications for input data (data types, formats, dimensions)
109
+ - Information on changes made vs prior versions
110
+ - Human oversight measures (Art. 14) and technical measures to enable oversight
111
+ - Computational resources required; expected system lifetime
112
+ - Description of logging mechanisms (Art. 12)
113
+ - Any predetermined modifications or updates
114
+
115
+ **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
+
117
+ ---
118
+
119
+ ## Art. 14 — Human Oversight
120
+
121
+ **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
+
123
+ **System design obligations (providers, Art. 14(3)):**
124
+ High-risk AI systems must be designed to allow natural persons to:
125
+ - Understand system capabilities and limitations
126
+ - Recognize **automation bias** (over-reliance on AI outputs)
127
+ - Correctly interpret AI outputs (including interpretability features)
128
+ - Decide not to use, or disregard, override, or reverse AI outputs
129
+ - Intervene through a **stop button** or similar interrupt mechanism
130
+
131
+ **Deployer implementation obligations (Art. 14(4)):**
132
+ - Assign human oversight to natural persons with necessary competence, authority, and resources
133
+ - Train oversight persons on system capabilities/limitations and automation bias risk
134
+
135
+ **Biometric identification specific (Art. 14(5)):**
136
+ - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
+
138
+ **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
+
140
+ ---
141
+
142
+ ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
+
144
+ **Accuracy:**
145
+ - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
+ - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
+ - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
+
149
+ **Robustness:**
150
+ - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
+ - Consistent performance throughout operational lifetime
152
+ - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
+ - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
+
155
+ **Cybersecurity:**
156
+ Resilience against attempts to alter use, outputs, or performance, including:
157
+ - **Data poisoning attacks** (contaminating training data)
158
+ - **Model poisoning attacks** (manipulating model weights)
159
+ - **Adversarial examples** (crafted inputs causing misclassification)
160
+ - **Confidentiality attacks** (extracting training data or model internals)
161
+ - **Model flaws exploitation** (taking advantage of design weaknesses)
162
+
163
+ **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
+
165
+ ---
166
+
167
+ ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
+
169
+ Before placing on market or putting into service, providers must:
170
+
171
+ 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
+ 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
+ 3. ☐ Establish and implement quality management system (Art. 17)
174
+ 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
+ 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
+ 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
+ 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
+ 8. ☐ Affix CE marking (Art. 48)
179
+ 9. ☐ Register in EU AI database (Art. 49) before market placement
180
+ 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
+ 11. ☐ Demonstrate conformity upon request of national competent authority
182
+ 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
+
184
+ ---
185
+
186
+ ## Art. 17 — Quality Management System (13 Required Components)
187
+
188
+ Documented policies and procedures covering:
189
+
190
+ 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
+ 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
+ 3. **Development quality control** procedures
193
+ 4. **Testing and validation** — before, during, and after development
194
+ 5. **Technical standards application** — harmonised standards and common specifications
195
+ 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
+ 7. **Risk management** per Art. 9
197
+ 8. **Post-market monitoring** per Art. 72
198
+ 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
+ 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
+ 11. **Record-keeping and documentation** — retention periods and access procedures
201
+ 12. **Resource management** including supply-chain security measures
202
+ 13. **Accountability framework** — clear responsibility assignment for all above components
203
+
204
+ **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
+
206
+ ---
207
+
208
+ ## Art. 26 — Deployer Obligations
209
+
210
+ 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
+ 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
+ 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
+ 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
+ 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
+ 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
+ 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
+ 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
+ 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
+ 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
+
221
+ ---
222
+
223
+ ## Arts. 43–49 — Conformity Assessment and CE Marking
224
+
225
+ ### Art. 43 — Conformity Assessment Paths
226
+
227
+ **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
+ - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
+ - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
+
231
+ Notified body (B) is **mandatory** when:
232
+ - No harmonised standards covering the system exist
233
+ - Standards exist but provider has not applied them (or only partially)
234
+ - Common specifications are unavailable or not used
235
+ - Standards published with restrictions that limit presumption of conformity
236
+
237
+ **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
+
239
+ **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
+
241
+ **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
+
243
+ **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
+
245
+ ### Art. 47 — EU Declaration of Conformity
246
+ - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
+ - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
+ - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
+ - Machine-readable format; translation required into languages required by national authorities
250
+ - Maintained for **10 years** from market placement
251
+
252
+ ### Art. 48 — CE Marking
253
+ - Visible, legible, indelible affixation on system, packaging, or documentation
254
+ - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
+ - Subject to general principles of CE marking (Regulation 765/2008)
256
+ - Affixed before market placement; re-affixed if system substantially modified
257
+
258
+ ### Arts. 49 and 60 — EU AI Database Registration
259
+
260
+ **Provider registration (Art. 49):**
261
+ - Before market placement (Annex III systems — Art. 6(2))
262
+ - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
+ - Provider registration covers all deployers and users of that system
264
+
265
+ **Public authority deployer registration (Art. 60):**
266
+ - Before deployment of registered high-risk systems
267
+ - Additional system-specific information for public authority use
268
+
269
+ **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
+
271
+ **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
+
273
+ ---
274
+
275
+ ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
+
277
+ **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
+
279
+ **Content:**
280
+ - Description of the deployer's processes in which the system will be used
281
+ - Time period, frequency, and number of persons affected
282
+ - The specific categories of persons likely to be affected
283
+ - Specific risks of harm to categories of affected persons
284
+ - Human oversight measures (Art. 14) planned
285
+ - Measures to address fundamental rights risks
286
+
287
+ **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.