bmad-plus 0.7.4 → 0.8.0

Files changed (294)
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,174 +1,174 @@
1
- # ITAR Compliance Programme — Penalties, VSD, and TCP
2
-
3
- ## ITAR Compliance Programme Elements
4
-
5
- An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
6
-
7
- ### 1. Governance and Leadership
8
- - Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
9
- - Written **ITAR Compliance Policy** signed by senior management
10
- - Clear escalation path for export control questions
11
- - Annual management review of compliance programme effectiveness
12
-
13
- ### 2. Training
14
- - **Initial training** for all employees with ITAR access within 30 days of hire
15
- - **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
16
- - **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
17
- - Training records retained 5 years
18
-
19
- ### 3. Technology Control Plan (TCP)
20
-
21
- A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
22
-
23
- **TCP Sections:**
24
- ```
25
- 1. Purpose and Scope
26
- 2. ITAR-controlled items and data inventory
27
- 3. Physical access controls (secure areas, visitor escorts, badging)
28
- 4. IT access controls (network segregation, access lists, encryption)
29
- 5. Foreign national screening procedure
30
- - Collect citizenship information at hire/engagement
31
- - Screen against denied parties lists
32
- - Determine if TAA/licence required before granting access
33
- 6. Visitor and contractor procedures
34
- 7. Annual ITAR training programme
35
- 8. Incident identification, reporting, and response
36
- 9. Records management (5-year retention)
37
- 10. TCP review and update cycle (annual minimum)
38
- ```
39
-
40
- ### 4. Screening and Due Diligence
41
- Screen all parties (customers, suppliers, employees, visitors) against:
42
- - **DDTC Debarred Parties List** (22 CFR § 127.7)
43
- - **OFAC Specially Designated Nationals (SDN) List**
44
- - **BIS Denied Persons List, Entity List, Unverified List**
45
- - **US State Department Watch Lists**
46
-
47
- Screening must be documented and re-run at each transaction.
48
-
49
- ### 5. Jurisdiction and Classification Review
50
- - Formal **product classification process** for every new item, component, and software
51
- - Document classification decisions (USML citation or EAR ECCN) with rationale
52
- - Review classifications when product is modified, use-case changes, or regulations change
53
- - Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
54
-
55
- ### 6. Licence Management
56
- - Centralised tracking of all active licences, TAAs, MLAs
57
- - Pre-shipment licence review checklist
58
- - Licence condition compliance (quantities, end-users, re-export restrictions)
59
- - Timely licence renewals (track expiry dates with 90-day advance reminders)
60
- - Post-shipment filing (Automated Export System / Electronic Export Information)
61
-
62
- ### 7. Audits
63
- - Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
64
- - Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
65
- - Findings documented with corrective action plans and owners
66
-
67
- ---
68
-
69
- ## Penalties — 22 CFR Part 127 and 22 USC § 2778
70
-
71
- ### Civil Penalties
72
- - Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
73
- - Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
74
- - DDTC may impose civil penalties via Consent Agreement without criminal referral
75
-
76
- ### Criminal Penalties
77
- - Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
78
- - Up to **20 years imprisonment** per violation
79
- - Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
80
-
81
- ### Debarment
82
- - DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
83
- - Duration: typically 3 years; can be permanent for egregious violations
84
- - Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
85
- - Published on the DDTC Debarred Parties List
86
-
87
- ### Other Consequences
88
- - **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
89
- - **Suspension of export privileges** pending investigation
90
- - **Congressional notification** requirements for significant violations involving foreign governments
91
- - **Reputational harm** — consent agreements are publicly disclosed
92
-
93
- ---
94
-
95
- ## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
96
-
97
- ### Why Disclose
98
- VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
99
-
100
- ### VSD Process
101
-
102
- **Step 1 — Initial Notification** (~30 days from discovery)
103
- - Submit brief written notification to DDTC Director of Compliance
104
- - Include: company name, registration number, general description of the potential violation, estimated number of occurrences
105
- - Request a tolling agreement to preserve statute of limitations while investigation proceeds
106
-
107
- **Step 2 — Internal Investigation** (30–90 days)
108
- - Investigate all facts: who knew what, when, what was exported/disclosed, to whom
109
- - Pull all records (licences, shipping docs, emails, TAA files)
110
- - Identify root cause (process failure, training gap, deliberate act)
111
- - Preserve all evidence; place litigation hold if appropriate
112
-
113
- **Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
114
- Submit comprehensive written report including:
115
- - Detailed factual narrative of all violations
116
- - CFR sections violated for each occurrence
117
- - Identification of all parties involved
118
- - Timeline of events
119
- - Root cause analysis
120
- - Corrective actions already implemented
121
- - Proposed additional remediation
122
-
123
- **Step 4 — DDTC Review and Resolution**
124
- - DDTC reviews report; may request additional information
125
- - Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
126
- - Most cooperative VSDs resolved within 6–18 months
127
-
128
- ### Mitigating Factors
129
- - Voluntary self-disclosure
130
- - Cooperation with DDTC investigation
131
- - Effective pre-existing compliance programme
132
- - Prompt remediation
133
- - No prior ITAR violations
134
- - Low national security harm
135
- - Relatively low transaction value
136
-
137
- ### Aggravating Factors
138
- - Wilful/deliberate violation
139
- - Senior management involvement or awareness
140
- - Harm to national security
141
- - Pattern of violations
142
- - Obstruction or lack of cooperation
143
- - High-risk end-users (state sponsors of terrorism, arms embargoes)
144
- - Prior violations
145
-
146
- ---
147
-
148
- ## DDTC Blue Lantern End-Use Monitoring
149
-
150
- The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
151
-
152
- **Implications for exporters:**
153
- - Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
154
- - Maintain accurate shipping records to facilitate verification
155
- - Include cooperation obligations in contracts with foreign distributors
156
- - Report if you discover items have been diverted or misused
157
-
158
- ---
159
-
160
- ## Checklist — ITAR Compliance Programme Readiness
161
-
162
- | Area | ✅ | Key Questions |
163
- |------|----|--------------|
164
- | Registration | | Is registration current? Renewal filed on time? |
165
- | Empowered Official | | Named EO with written authority? |
166
- | Policy | | IS Policy signed by senior management? |
167
- | TCP | | Written TCP? Reviewed in last 12 months? |
168
- | Training | | All ITAR-access employees trained in last 12 months? Records retained? |
169
- | Classification | | All products/components formally classified? CJ obtained where needed? |
170
- | Screening | | SDN/debarment screening at every transaction? Documented? |
171
- | Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
172
- | Record retention | | 5-year retention in place? Accessible for audit? |
173
- | Internal audit | | Annual ITAR audit completed? Findings tracked? |
174
- | Incident response | | VSD procedure documented and communicated? |
1
+ # ITAR Compliance Programme — Penalties, VSD, and TCP
2
+
3
+ ## ITAR Compliance Programme Elements
4
+
5
+ An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
6
+
7
+ ### 1. Governance and Leadership
8
+ - Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
9
+ - Written **ITAR Compliance Policy** signed by senior management
10
+ - Clear escalation path for export control questions
11
+ - Annual management review of compliance programme effectiveness
12
+
13
+ ### 2. Training
14
+ - **Initial training** for all employees with ITAR access within 30 days of hire
15
+ - **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
16
+ - **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
17
+ - Training records retained 5 years
18
+
19
+ ### 3. Technology Control Plan (TCP)
20
+
21
+ A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
22
+
23
+ **TCP Sections:**
24
+ ```
25
+ 1. Purpose and Scope
26
+ 2. ITAR-controlled items and data inventory
27
+ 3. Physical access controls (secure areas, visitor escorts, badging)
28
+ 4. IT access controls (network segregation, access lists, encryption)
29
+ 5. Foreign national screening procedure
30
+ - Collect citizenship information at hire/engagement
31
+ - Screen against denied parties lists
32
+ - Determine if TAA/licence required before granting access
33
+ 6. Visitor and contractor procedures
34
+ 7. Annual ITAR training programme
35
+ 8. Incident identification, reporting, and response
36
+ 9. Records management (5-year retention)
37
+ 10. TCP review and update cycle (annual minimum)
38
+ ```
39
+
40
+ ### 4. Screening and Due Diligence
41
+ Screen all parties (customers, suppliers, employees, visitors) against:
42
+ - **DDTC Debarred Parties List** (22 CFR § 127.7)
43
+ - **OFAC Specially Designated Nationals (SDN) List**
44
+ - **BIS Denied Persons List, Entity List, Unverified List**
45
+ - **US State Department Watch Lists**
46
+
47
+ Screening must be documented and re-run at each transaction.
48
+
49
+ ### 5. Jurisdiction and Classification Review
50
+ - Formal **product classification process** for every new item, component, and software
51
+ - Document classification decisions (USML citation or EAR ECCN) with rationale
52
+ - Review classifications when product is modified, use-case changes, or regulations change
53
+ - Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
54
+
55
+ ### 6. Licence Management
56
+ - Centralised tracking of all active licences, TAAs, MLAs
57
+ - Pre-shipment licence review checklist
58
+ - Licence condition compliance (quantities, end-users, re-export restrictions)
59
+ - Timely licence renewals (track expiry dates with 90-day advance reminders)
60
+ - Post-shipment filing (Automated Export System / Electronic Export Information)
61
+
62
+ ### 7. Audits
63
+ - Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
64
+ - Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
65
+ - Findings documented with corrective action plans and owners
66
+
67
+ ---
68
+
69
+ ## Penalties — 22 CFR Part 127 and 22 USC § 2778
70
+
71
+ ### Civil Penalties
72
+ - Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
73
+ - Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
74
+ - DDTC may impose civil penalties via Consent Agreement without criminal referral
75
+
76
+ ### Criminal Penalties
77
+ - Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
78
+ - Up to **20 years imprisonment** per violation
79
+ - Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
80
+
81
+ ### Debarment
82
+ - DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
83
+ - Duration: typically 3 years; can be permanent for egregious violations
84
+ - Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
85
+ - Published on the DDTC Debarred Parties List
86
+
87
+ ### Other Consequences
88
+ - **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
89
+ - **Suspension of export privileges** pending investigation
90
+ - **Congressional notification** requirements for significant violations involving foreign governments
91
+ - **Reputational harm** — consent agreements are publicly disclosed
92
+
93
+ ---
94
+
95
+ ## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
96
+
97
+ ### Why Disclose
98
+ VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
99
+
100
+ ### VSD Process
101
+
102
+ **Step 1 — Initial Notification** (~30 days from discovery)
103
+ - Submit brief written notification to DDTC Director of Compliance
104
+ - Include: company name, registration number, general description of the potential violation, estimated number of occurrences
105
+ - Request a tolling agreement to preserve statute of limitations while investigation proceeds
106
+
107
+ **Step 2 — Internal Investigation** (30–90 days)
108
+ - Investigate all facts: who knew what, when, what was exported/disclosed, to whom
109
+ - Pull all records (licences, shipping docs, emails, TAA files)
110
+ - Identify root cause (process failure, training gap, deliberate act)
111
+ - Preserve all evidence; place litigation hold if appropriate
112
+
113
+ **Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
114
+ Submit comprehensive written report including:
115
+ - Detailed factual narrative of all violations
116
+ - CFR sections violated for each occurrence
117
+ - Identification of all parties involved
118
+ - Timeline of events
119
+ - Root cause analysis
120
+ - Corrective actions already implemented
121
+ - Proposed additional remediation
122
+
123
+ **Step 4 — DDTC Review and Resolution**
124
+ - DDTC reviews report; may request additional information
125
+ - Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
126
+ - Most cooperative VSDs resolved within 6–18 months
127
+
128
+ ### Mitigating Factors
129
+ - Voluntary self-disclosure
130
+ - Cooperation with DDTC investigation
131
+ - Effective pre-existing compliance programme
132
+ - Prompt remediation
133
+ - No prior ITAR violations
134
+ - Low national security harm
135
+ - Relatively low transaction value
136
+
137
+ ### Aggravating Factors
138
+ - Wilful/deliberate violation
139
+ - Senior management involvement or awareness
140
+ - Harm to national security
141
+ - Pattern of violations
142
+ - Obstruction or lack of cooperation
143
+ - High-risk end-users (state sponsors of terrorism, arms embargoes)
144
+ - Prior violations
145
+
146
+ ---
147
+
148
+ ## DDTC Blue Lantern End-Use Monitoring
149
+
150
+ The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
151
+
152
+ **Implications for exporters:**
153
+ - Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
154
+ - Maintain accurate shipping records to facilitate verification
155
+ - Include cooperation obligations in contracts with foreign distributors
156
+ - Report if you discover items have been diverted or misused
157
+
158
+ ---
159
+
160
+ ## Checklist — ITAR Compliance Programme Readiness
161
+
162
+ | Area | ✅ | Key Questions |
163
+ |------|----|--------------|
164
+ | Registration | | Is registration current? Renewal filed on time? |
165
+ | Empowered Official | | Named EO with written authority? |
166
+ | Policy | | IS Policy signed by senior management? |
167
+ | TCP | | Written TCP? Reviewed in last 12 months? |
168
+ | Training | | All ITAR-access employees trained in last 12 months? Records retained? |
169
+ | Classification | | All products/components formally classified? CJ obtained where needed? |
170
+ | Screening | | SDN/debarment screening at every transaction? Documented? |
171
+ | Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
172
+ | Record retention | | 5-year retention in place? Accessible for audit? |
173
+ | Internal audit | | Annual ITAR audit completed? Findings tracked? |
174
+ | Incident response | | VSD procedure documented and communicated? |
@@ -1,146 +1,146 @@
1
- # ITAR Licensing Guide — 22 CFR Parts 123–125
2
-
3
- ## License Types at a Glance
4
-
5
- | License / Agreement | CFR Reference | Purpose | Typical Use |
6
- |--------------------|---------------|---------|-------------|
7
- | DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
8
- | DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
9
- | DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
10
- | DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
11
- | Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
12
- | Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
13
- | Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
14
-
15
- ---
16
-
17
- ## DSP-5 (Permanent Export License)
18
-
19
- ### When Required
20
- Any export of USML hardware not covered by an exemption.
21
-
22
- ### Application Requirements
23
- Submit via DDTC's D-Trade portal:
24
- - **Block 1**: Applicant (DDTC registration number)
25
- - **Block 2**: Country of ultimate destination
26
- - **Block 3**: Foreign end-user name and address
27
- - **Block 4**: Description of articles (USML category, quantity, value)
28
- - **Block 5**: End-use statement (intended use, no re-export without US government approval)
29
- - **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
30
-
31
- ### Processing Times
32
- - Standard: 30–60 days
33
- - Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
34
-
35
- ### License Conditions (common)
36
- - Items may not be re-exported without prior DDTC authorisation
37
- - End-user restrictions apply
38
- - US government access rights for audits
39
- - 4-year validity; extendable
40
-
41
- ---
42
-
43
- ## DSP-73 (Temporary Export)
44
-
45
- ### When Required
46
- Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
47
-
48
- ### Key Requirements
49
- - Describe items precisely; document serial numbers
50
- - State duration and purpose (e.g., "air show display," "field test," "repair and return")
51
- - Items must return to the US by the license expiry date
52
- - License conditions prohibit use in combat, operational deployment
53
-
54
- ---
55
-
56
- ## Technical Assistance Agreement (TAA)
57
-
58
- ### Purpose
59
- Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
60
-
61
- ### Required TAA Clauses (22 CFR § 124.9)
62
- 1. **Scope of agreement**: Precise description of technical data / defense services
63
- 2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
64
- 3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
65
- 4. **US government rights**: US government may review all records; terminate agreement
66
- 5. **Record-keeping**: 5-year retention
67
- 6. **Audit rights**: US licensor right to audit foreign licensee compliance
68
- 7. **Term**: Normally 5 years; must renew before expiry
69
- 8. **Security classification handling** (if applicable)
70
-
71
- ### Amendment Requirements
72
- Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
73
-
74
- ### Common TAA Uses
75
- - Sharing engineering drawings with foreign manufacturer
76
- - Providing maintenance training to foreign military
77
- - Technical support under FMS (Foreign Military Sales) cases
78
- - Joint development programmes with foreign partners
79
-
80
- ---
81
-
82
- ## Manufacturing License Agreement (MLA)
83
-
84
- ### Purpose
85
- Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
86
-
87
- ### Key Differences from TAA
88
- | Feature | TAA | MLA |
89
- |---------|-----|-----|
90
- | What is transferred | Technical data / services | Manufacturing rights + technical data |
91
- | Foreign party produces? | No | Yes |
92
- | Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
93
- | Offset programs | Not typical | Common |
94
-
95
- ### Required MLA Clauses
96
- - Licence to manufacture (specific quantities, articles, versions)
97
- - Quality assurance provisions
98
- - US government rights (inspection, audit, terminate)
99
- - Retransfer and re-export controls
100
- - Royalty / fee structure
101
- - End-of-programme disposition of tooling and data
102
-
103
- ---
104
-
105
- ## ITAR Exemptions (Selected)
106
-
107
- Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
108
-
109
- ### Key Exemptions (22 CFR Part 123–126)
110
-
111
- | Exemption | CFR Reference | Conditions |
112
- |-----------|--------------|-----------|
113
- | US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
114
- | Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
115
- | Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
116
- | Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
117
- | Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
118
- | Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
119
-
120
- **Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
121
-
122
- ---
123
-
124
- ## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
125
-
126
- | Aspect | FMS | DCS |
127
- |--------|-----|-----|
128
- | Contract party | US Government (DSCA) | US company directly |
129
- | ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
130
- | End-use assurance | US Government provides | US company responsible |
131
- | Price | Government + administrative fees | Market rate |
132
- | Delivery risk | US Government manages | US company manages |
133
-
134
- ---
135
-
136
- ## Record-Keeping Requirements (22 CFR § 122.5)
137
-
138
- All ITAR registrants must maintain for **5 years**:
139
- - All export/import licences and shipping documents
140
- - All TAA/MLA agreements and associated records
141
- - End-user certificates and purchase orders
142
- - Records of all disclosures of technical data
143
- - Commodity Jurisdiction requests and determinations
144
- - Voluntary disclosure records
145
-
146
- Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.
1
+ # ITAR Licensing Guide — 22 CFR Parts 123–125
2
+
3
+ ## License Types at a Glance
4
+
5
+ | License / Agreement | CFR Reference | Purpose | Typical Use |
6
+ |--------------------|---------------|---------|-------------|
7
+ | DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
8
+ | DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
9
+ | DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
10
+ | DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
11
+ | Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
12
+ | Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
13
+ | Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
14
+
15
+ ---
16
+
17
+ ## DSP-5 (Permanent Export License)
18
+
19
+ ### When Required
20
+ Any export of USML hardware not covered by an exemption.
21
+
22
+ ### Application Requirements
23
+ Submit via DDTC's D-Trade portal:
24
+ - **Block 1**: Applicant (DDTC registration number)
25
+ - **Block 2**: Country of ultimate destination
26
+ - **Block 3**: Foreign end-user name and address
27
+ - **Block 4**: Description of articles (USML category, quantity, value)
28
+ - **Block 5**: End-use statement (intended use, no re-export without US government approval)
29
+ - **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
30
+
31
+ ### Processing Times
32
+ - Standard: 30–60 days
33
+ - Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
34
+
35
+ ### License Conditions (common)
36
+ - Items may not be re-exported without prior DDTC authorisation
37
+ - End-user restrictions apply
38
+ - US government access rights for audits
39
+ - 4-year validity; extendable
40
+
41
+ ---
42
+
43
+ ## DSP-73 (Temporary Export)
44
+
45
+ ### When Required
46
+ Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
47
+
48
+ ### Key Requirements
49
+ - Describe items precisely; document serial numbers
50
+ - State duration and purpose (e.g., "air show display," "field test," "repair and return")
51
+ - Items must return to the US by the license expiry date
52
+ - License conditions prohibit use in combat, operational deployment
53
+
54
+ ---
55
+
56
+ ## Technical Assistance Agreement (TAA)
57
+
58
+ ### Purpose
59
+ Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
60
+
61
+ ### Required TAA Clauses (22 CFR § 124.9)
62
+ 1. **Scope of agreement**: Precise description of technical data / defense services
63
+ 2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
64
+ 3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
65
+ 4. **US government rights**: US government may review all records; terminate agreement
66
+ 5. **Record-keeping**: 5-year retention
67
+ 6. **Audit rights**: US licensor right to audit foreign licensee compliance
68
+ 7. **Term**: Normally 5 years; must renew before expiry
69
+ 8. **Security classification handling** (if applicable)
70
+
71
+ ### Amendment Requirements
72
+ Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
73
+
74
+ ### Common TAA Uses
75
+ - Sharing engineering drawings with foreign manufacturer
76
+ - Providing maintenance training to foreign military
77
+ - Technical support under FMS (Foreign Military Sales) cases
78
+ - Joint development programmes with foreign partners
79
+
80
+ ---
81
+
82
+ ## Manufacturing License Agreement (MLA)
83
+
84
+ ### Purpose
85
+ Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
86
+
87
+ ### Key Differences from TAA
88
+ | Feature | TAA | MLA |
89
+ |---------|-----|-----|
90
+ | What is transferred | Technical data / services | Manufacturing rights + technical data |
91
+ | Foreign party produces? | No | Yes |
92
+ | Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
93
+ | Offset programs | Not typical | Common |
94
+
95
+ ### Required MLA Clauses
96
+ - Licence to manufacture (specific quantities, articles, versions)
97
+ - Quality assurance provisions
98
+ - US government rights (inspection, audit, terminate)
99
+ - Retransfer and re-export controls
100
+ - Royalty / fee structure
101
+ - End-of-programme disposition of tooling and data
102
+
103
+ ---
104
+
105
+ ## ITAR Exemptions (Selected)
106
+
107
+ Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
108
+
109
+ ### Key Exemptions (22 CFR Part 123–126)
110
+
111
+ | Exemption | CFR Reference | Conditions |
112
+ |-----------|--------------|-----------|
113
+ | US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
114
+ | Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
115
+ | Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
116
+ | Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
117
+ | Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
118
+ | Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
119
+
120
+ **Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
121
+
122
+ ---
123
+
124
+ ## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
125
+
126
+ | Aspect | FMS | DCS |
127
+ |--------|-----|-----|
128
+ | Contract party | US Government (DSCA) | US company directly |
129
+ | ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
130
+ | End-use assurance | US Government provides | US company responsible |
131
+ | Price | Government + administrative fees | Market rate |
132
+ | Delivery risk | US Government manages | US company manages |
133
+
134
+ ---
135
+
136
+ ## Record-Keeping Requirements (22 CFR § 122.5)
137
+
138
+ All ITAR registrants must maintain for **5 years**:
139
+ - All export/import licences and shipping documents
140
+ - All TAA/MLA agreements and associated records
141
+ - End-user certificates and purchase orders
142
+ - Records of all disclosures of technical data
143
+ - Commodity Jurisdiction requests and determinations
144
+ - Voluntary disclosure records
145
+
146
+ Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.