bmad-plus 0.7.4 → 0.8.0

Files changed (294)
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,135 +1,135 @@
1
- # NIST CSF 2.0 — Implementation Tiers
2
-
3
- Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
4
-
5
- ---
6
-
7
- ## Overview
8
-
9
- Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
10
-
11
- **Key principles:**
12
- - Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
13
- - Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
14
- - Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
15
- - Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
16
-
17
- ---
18
-
19
- ## The Four Tiers
20
-
21
- ### Tier 1 — Partial
22
-
23
- **Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
24
-
25
- **Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
26
-
27
- **External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
28
-
29
- **Diagnostic indicators of Tier 1:**
30
- - No formal cybersecurity policy exists or it has not been approved by leadership
31
- - Asset inventories are incomplete or inconsistently maintained
32
- - Risk assessments are performed reactively (after incidents, not proactively)
33
- - No defined roles or responsibilities for cybersecurity
34
- - Incident response is ad hoc with no documented plan
35
- - Supply chain risks are not considered
36
-
37
- ---
38
-
39
- ### Tier 2 — Risk-Informed
40
-
41
- **Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
42
-
43
- **Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
44
-
45
- **External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
46
-
47
- **Diagnostic indicators of Tier 2:**
48
- - Cybersecurity policy exists and is management-approved, but inconsistently followed
49
- - Risk assessments are performed but not on a regular schedule
50
- - Asset inventory is maintained but may have gaps
51
- - Roles for cybersecurity exist but accountability is not enforced
52
- - Incident response plan exists but has not been tested
53
- - Supply chain risk considered for some but not all suppliers
54
-
55
- ---
56
-
57
- ### Tier 3 — Repeatable
58
-
59
- **Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
60
-
61
- **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
62
-
63
- **External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
64
-
65
- **Diagnostic indicators of Tier 3:**
66
- - Formal cybersecurity policy is enforced organisation-wide
67
- - Risk assessments are conducted on a regular, defined schedule
68
- - Asset inventory is comprehensive and actively maintained
69
- - Defined roles with accountability metrics; performance reviewed
70
- - Incident response plan is documented, tested, and updated
71
- - Third-party risk is formally assessed for all critical suppliers
72
- - Cybersecurity metrics are reported to leadership
73
-
74
- ---
75
-
76
- ### Tier 4 — Adaptive
77
-
78
- **Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
79
-
80
- **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
81
-
82
- **External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
83
-
84
- **Diagnostic indicators of Tier 4:**
85
- - Cybersecurity risk management is embedded in organisational culture
86
- - Threat intelligence is operationalised and feeds real-time risk decisions
87
- - Continuous monitoring with automated anomaly detection
88
- - Lessons learned from incidents systematically improve controls
89
- - Active participation in information sharing communities (ISACs, etc.)
90
- - Supply chain risk managed in real time across the full lifecycle
91
- - Cybersecurity KPIs drive leadership strategy decisions
92
-
93
- ---
94
-
95
- ## Tier Assessment Guide
96
-
97
- When assessing an organisation's current tier, evaluate these three dimensions:
98
-
99
- ### Dimension 1: Risk Management Process
100
- Ask:
101
- - Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
102
- - Are risk assessments conducted reactively, periodically, or continuously?
103
- - Is there a documented risk management methodology consistently applied?
104
-
105
- ### Dimension 2: Integrated Risk Management Program
106
- Ask:
107
- - Is cybersecurity risk managed in silos or integrated into enterprise risk management?
108
- - Does cybersecurity risk information flow to leadership on a regular basis?
109
- - Are cybersecurity objectives aligned with business objectives?
110
-
111
- ### Dimension 3: External Participation
112
- Ask:
113
- - Does the organisation know which external entities it depends on and which depend on it?
114
- - Does the organisation participate in threat intelligence sharing?
115
- - Is supply chain risk actively managed across all critical third parties?
116
-
117
- ---
118
-
119
- ## Tier Advancement Guidance
120
-
121
- Advancing tiers requires sustained investment. Common barriers and enablers:
122
-
123
- | From → To | Common Barriers | Key Enablers |
124
- |-----------|----------------|-------------|
125
- | 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
126
- | 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
127
- | 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
128
-
129
- **Recommended starting sequence for Tier 1 → 2 transition:**
130
- 1. GV.OC-01 — Document the organisational mission and cybersecurity context
131
- 2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
132
- 3. ID.AM-01, ID.AM-02 — Build asset inventories
133
- 4. GV.RR-02 — Define cybersecurity roles and responsibilities
134
- 5. GV.PO-01 — Establish and communicate a cybersecurity policy
135
- 6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
1
+ # NIST CSF 2.0 — Implementation Tiers
2
+
3
+ Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
4
+
5
+ ---
6
+
7
+ ## Overview
8
+
9
+ Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
10
+
11
+ **Key principles:**
12
+ - Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
13
+ - Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
14
+ - Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
15
+ - Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
16
+
17
+ ---
18
+
19
+ ## The Four Tiers
20
+
21
+ ### Tier 1 — Partial
22
+
23
+ **Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
24
+
25
+ **Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
26
+
27
+ **External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
28
+
29
+ **Diagnostic indicators of Tier 1:**
30
+ - No formal cybersecurity policy exists or it has not been approved by leadership
31
+ - Asset inventories are incomplete or inconsistently maintained
32
+ - Risk assessments are performed reactively (after incidents, not proactively)
33
+ - No defined roles or responsibilities for cybersecurity
34
+ - Incident response is ad hoc with no documented plan
35
+ - Supply chain risks are not considered
36
+
37
+ ---
38
+
39
+ ### Tier 2 — Risk-Informed
40
+
41
+ **Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
42
+
43
+ **Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
44
+
45
+ **External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
46
+
47
+ **Diagnostic indicators of Tier 2:**
48
+ - Cybersecurity policy exists and is management-approved, but inconsistently followed
49
+ - Risk assessments are performed but not on a regular schedule
50
+ - Asset inventory is maintained but may have gaps
51
+ - Roles for cybersecurity exist but accountability is not enforced
52
+ - Incident response plan exists but has not been tested
53
+ - Supply chain risk considered for some but not all suppliers
54
+
55
+ ---
56
+
57
+ ### Tier 3 — Repeatable
58
+
59
+ **Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
60
+
61
+ **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
62
+
63
+ **External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
64
+
65
+ **Diagnostic indicators of Tier 3:**
66
+ - Formal cybersecurity policy is enforced organisation-wide
67
+ - Risk assessments are conducted on a regular, defined schedule
68
+ - Asset inventory is comprehensive and actively maintained
69
+ - Defined roles with accountability metrics; performance reviewed
70
+ - Incident response plan is documented, tested, and updated
71
+ - Third-party risk is formally assessed for all critical suppliers
72
+ - Cybersecurity metrics are reported to leadership
73
+
74
+ ---
75
+
76
+ ### Tier 4 — Adaptive
77
+
78
+ **Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
79
+
80
+ **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
81
+
82
+ **External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
83
+
84
+ **Diagnostic indicators of Tier 4:**
85
+ - Cybersecurity risk management is embedded in organisational culture
86
+ - Threat intelligence is operationalised and feeds real-time risk decisions
87
+ - Continuous monitoring with automated anomaly detection
88
+ - Lessons learned from incidents systematically improve controls
89
+ - Active participation in information sharing communities (ISACs, etc.)
90
+ - Supply chain risk managed in real time across the full lifecycle
91
+ - Cybersecurity KPIs drive leadership strategy decisions
92
+
93
+ ---
94
+
95
+ ## Tier Assessment Guide
96
+
97
+ When assessing an organisation's current tier, evaluate these three dimensions:
98
+
99
+ ### Dimension 1: Risk Management Process
100
+ Ask:
101
+ - Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
102
+ - Are risk assessments conducted reactively, periodically, or continuously?
103
+ - Is there a documented risk management methodology consistently applied?
104
+
105
+ ### Dimension 2: Integrated Risk Management Program
106
+ Ask:
107
+ - Is cybersecurity risk managed in silos or integrated into enterprise risk management?
108
+ - Does cybersecurity risk information flow to leadership on a regular basis?
109
+ - Are cybersecurity objectives aligned with business objectives?
110
+
111
+ ### Dimension 3: External Participation
112
+ Ask:
113
+ - Does the organisation know which external entities it depends on and which depend on it?
114
+ - Does the organisation participate in threat intelligence sharing?
115
+ - Is supply chain risk actively managed across all critical third parties?
116
+
117
+ ---
118
+
119
+ ## Tier Advancement Guidance
120
+
121
+ Advancing tiers requires sustained investment. Common barriers and enablers:
122
+
123
+ | From → To | Common Barriers | Key Enablers |
124
+ |-----------|----------------|-------------|
125
+ | 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
126
+ | 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
127
+ | 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
128
+
129
+ **Recommended starting sequence for Tier 1 → 2 transition:**
130
+ 1. GV.OC-01 — Document the organisational mission and cybersecurity context
131
+ 2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
132
+ 3. ID.AM-01, ID.AM-02 — Build asset inventories
133
+ 4. GV.RR-02 — Define cybersecurity roles and responsibilities
134
+ 5. GV.PO-01 — Establish and communicate a cybersecurity policy
135
+ 6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
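Review bot: added line 41 reads "organisational-wide policy" where every other occurrence in the file is "organisation-wide", and the Overview (added lines 9 to 15) spells "organization" with a z while the tier sections from line 23 onward use "organisation"; pick one spelling and fix line 41 to "organisation-wide policy". Removed lines 43 to 135 and the matching added lines shown here are textually identical, so this rewrite carries both inconsistencies over unchanged and looks like a whitespace or line-ending change only. If that is the intent, note it in the changelog so reviewers of the package diff do not have to compare 135 lines by eye. The Tier 2 indicator on line 53, "Supply chain risk considered for some but not all suppliers", is missing its verb ("is considered"), unlike the other indicators in that list. Since line 3 cites CSF 2.0 Section 3.2 as the source, it is also worth confirming that the three dimension names used in the Tier Assessment Guide (lines 99 to 115) match that edition's wording.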