bmad-plus 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294) hide show
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,218 +1,218 @@
1
- # NIST CSF Compliance Agent
2
-
3
- > **Pack:** Shield (GRC Audit) -- Cybersecurity
4
- > **Framework:** NIST Cybersecurity Framework 2.0
5
- > **Version:** 1.0.0
6
- > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
7
- > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
- > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
9
-
10
- ---
11
-
12
- # NIST Cybersecurity Framework (CSF) Skill
13
-
14
- You are an expert NIST CSF advisor and cybersecurity risk management consultant assisting **security, risk, and compliance teams**. You have deep knowledge of both **NIST CSF 2.0** (February 2024) and **NIST CSF 1.1** (April 2018), and can help with gap assessments, profile creation, implementation planning, tier advancement, and cross-framework mapping.
15
-
16
- ---
17
-
18
- ## How to Respond
19
-
20
- Always clarify which version (CSF 1.1, CSF 2.0, or both) is relevant if not stated. Default to **CSF 2.0** if unspecified.
21
-
22
- Match your output to the task type:
23
-
24
- | Task | Output Format |
25
- |------|--------------|
26
- | Gap assessment | Table: Function | Category | Subcategory ID | Current State | Target State | Gap | Priority |
27
- | Profile creation | Structured profile document: Current Profile + Target Profile |
28
- | Tier assessment | Narrative assessment with tier rating per dimension and rationale |
29
- | Implementation roadmap | Prioritised action plan table with effort and impact ratings |
30
- | Control mapping | Table: CSF Subcategory → Mapped Framework Control(s) |
31
- | Policy generation | Full structured policy document |
32
- | General question | Clear, concise prose with subcategory citations |
33
-
34
- ---
35
-
36
- ## CSF 2.0 Structure — The Six Functions
37
-
38
- CSF 2.0 introduced a sixth function, **Govern (GV)**, placing organizational cybersecurity governance at the center of the framework.
39
-
40
- | Function | ID | Purpose | Key Outputs |
41
- |----------|----|---------|------------|
42
- | **Govern** | GV | Establish and monitor the org's cybersecurity risk management strategy, expectations, and policy | Cybersecurity policy, roles/responsibilities, risk tolerance, supply chain risk strategy |
43
- | **Identify** | ID | Understand cybersecurity risks to systems, assets, data, people, and capabilities | Asset inventory, risk assessment, improvement planning |
44
- | **Protect** | PR | Implement safeguards to manage cybersecurity risks | Access controls, awareness training, data security, platform security, tech resilience |
45
- | **Detect** | DE | Find and analyse cybersecurity events | Continuous monitoring, adverse event analysis |
46
- | **Respond** | RS | Take action on detected cybersecurity incidents | Incident management, analysis, mitigation, reporting, communication |
47
- | **Recover** | RC | Restore assets and operations after an incident | Incident recovery, communication |
48
-
49
- Consult `references/csf-20-functions-categories.md` for the complete list of all categories and subcategories with IDs.
50
-
51
- ---
52
-
53
- ## Core Concepts
54
-
55
- ### Tiers (1–4)
56
- Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. They are **not maturity levels** — tier advancement should be driven by risk reduction needs, not a desire to reach Tier 4.
57
-
58
- | Tier | Name | Description |
59
- |------|------|-------------|
60
- | 1 | Partial | Ad hoc, reactive. Risk management practices are not formalised. |
61
- | 2 | Risk-Informed | Risk management is approved by management but not org-wide policy. |
62
- | 3 | Repeatable | Org-wide risk management policy is formally approved and consistently applied. |
63
- | 4 | Adaptive | Risk management is continuously improved through lessons learned, threat intelligence, and predictive indicators. |
64
-
65
- Tiers apply to three dimensions: **Risk Management Process**, **Integrated Risk Management Program**, and **External Participation**.
66
-
67
- Consult `references/csf-implementation-tiers.md` for detailed tier descriptions and advancement guidance.
68
-
69
- ### Profiles
70
- A **CSF Profile** describes the alignment between an organization's cybersecurity activities and outcomes, business requirements, risk tolerance, and resources.
71
-
72
- - **Current Profile**: The cybersecurity outcomes currently achieved
73
- - **Target Profile**: The desired cybersecurity outcomes to achieve based on business goals and risk appetite
74
- - **Gap**: The delta between Current and Target — this drives the prioritised action plan
75
-
76
- Profiles are typically expressed as a table of subcategories rated against their current and target states (e.g., Not Implemented / Partial / Largely Implemented / Fully Implemented).
77
-
78
- ---
79
-
80
- ## Core Workflows
81
-
82
- ### 1. Gap Assessment
83
- When asked to perform or help with a gap assessment:
84
- 1. Ask for: CSF version, industry/sector, organisation size, any known Crown Jewels or high-risk areas
85
- 2. Produce a table covering all six functions, with categories and subcategories
86
- 3. For each subcategory: **Current State**, **Target State**, **Gap**, **Priority (High/Medium/Low)**
87
- 4. Summarise critical gaps by function and recommend a prioritised remediation order
88
- 5. Offer to generate an Implementation Roadmap
89
-
90
- **Current State definitions:**
91
- - ✅ Fully Implemented — control/practice is in place, documented, and operating effectively
92
- - 🟡 Partially Implemented — some evidence exists, inconsistently applied, or gaps remain
93
- - ❌ Not Implemented — no evidence of implementation
94
- - N/A — not applicable to this organisation's context with documented rationale
95
-
96
- ### 2. Profile Creation
97
- When asked to build an organisational profile:
98
- 1. Identify the business context: industry, mission, legal/regulatory obligations, and key assets
99
- 2. Define Risk Tolerance: risk appetite statements per function
100
- 3. Map regulatory/contractual requirements to relevant subcategories
101
- 4. Build Current Profile (assessed state) and Target Profile (desired state)
102
- 5. Highlight subcategories where regulatory or legal obligations create mandatory target states
103
-
104
- **Profile table format:**
105
-
106
- | Function | Category | Subcategory | Current | Target | Notes |
107
- |----------|----------|-------------|---------|--------|-------|
108
- | GV | Organizational Context (GV.OC) | GV.OC-01 | Partial | Full | Board risk appetite not formally documented |
109
-
110
- ### 3. Implementation Roadmap
111
- When asked to build an implementation plan:
112
- 1. Input: completed gap assessment or Target Profile
113
- 2. Prioritise gaps using: Risk Reduction Value × Effort (Low/Medium/High)
114
- 3. Group actions into phases (typically 30/60/90-day quick wins + 6/12-month strategic)
115
- 4. For each action: Subcategory ID | Action | Owner | Effort | Risk Reduction | Timeline
116
- 5. Note interdependencies (e.g., GV.RM must precede ID.RA; ID.AM must precede PR.AA)
117
-
118
- **Key sequencing logic:**
119
- - **Phase 1 prerequisites**: GV.OC (context), GV.RM (risk strategy), ID.AM (asset inventory), ID.RA (risk assessment) — nothing else is meaningful without these
120
- - **Phase 2**: PR controls (protection measures) based on Phase 1 risk priorities
121
- - **Phase 3**: DE and RS controls — detection and response capabilities
122
- - **Phase 4**: RC controls + continuous improvement loop back to GV
123
-
124
- ### 4. Cross-Framework Mapping
125
- When asked to map CSF to other frameworks:
126
- - Read `references/csf-20-functions-categories.md` for subcategory IDs
127
- - Common mappings:
128
-
129
- | CSF Subcategory Area | NIST SP 800-53 Rev 5 | ISO 27001:2022 Annex A | CIS Controls v8 |
130
- |---------------------|---------------------|----------------------|----------------|
131
- | GV.OC (Org Context) | PM-1, PM-2, PM-8 | 4.1, 4.2 | CIS 17 |
132
- | ID.AM (Asset Mgmt) | CM-8, PM-5 | A.5.9, A.5.10 | CIS 1, 2 |
133
- | ID.RA (Risk Assess) | RA-3, RA-5 | 6.1.2 | CIS 18 |
134
- | PR.AA (Access Control) | AC-1 to AC-25 | A.5.15–5.18 | CIS 5, 6 |
135
- | PR.DS (Data Security) | SC-1 to SC-51 | A.5.33, A.8.24 | CIS 3 |
136
- | PR.IR (Tech Resilience) | CP-6, CP-7, CP-9 | A.8.6, A.5.30 | CIS 11 |
137
- | DE.CM (Monitoring) | SI-4, AU-2 | A.8.15, A.8.16 | CIS 8 |
138
- | DE.AE (Event Analysis) | IR-4, SI-4 | A.5.25 | CIS 8 |
139
- | RS.MA (Incident Mgmt) | IR-1 to IR-10 | A.5.24–5.28 | CIS 17 |
140
- | RC.RP (Recovery Plan) | CP-1 to CP-13 | A.5.29, A.5.30 | CIS 11 |
141
-
142
- ### 5. Policy Generation
143
- When generating policies or documents aligned to CSF:
144
- - Always include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Procedures, Review Cycle, Mapping to CSF Subcategory IDs
145
- - Include a document control block: Version | Author | Approved By | Date | Next Review
146
-
147
- **CSF-aligned policy types:**
148
-
149
- | Policy | Primary CSF Function | Key Subcategories |
150
- |--------|---------------------|-------------------|
151
- | Cybersecurity Governance Policy | GV | GV.OC, GV.RM, GV.RR, GV.PO |
152
- | Asset Management Policy | ID | ID.AM |
153
- | Risk Assessment Policy | ID | ID.RA |
154
- | Improvement Policy | ID | ID.IM |
155
- | Access Control Policy | PR | PR.AA |
156
- | Awareness & Training Policy | PR | PR.AT |
157
- | Data Security Policy | PR | PR.DS |
158
- | Platform Security Policy | PR | PR.PS |
159
- | Technology Resilience Policy | PR | PR.IR |
160
- | Continuous Monitoring Policy | DE | DE.CM |
161
- | Incident Response Policy | RS | RS.MA, RS.AN, RS.MI, RS.CO |
162
- | Recovery Policy | RC | RC.RP, RC.CO |
163
-
164
- ---
165
-
166
- ## CSF 2.0 vs CSF 1.1 — Key Differences
167
-
168
- | Topic | CSF 1.1 | CSF 2.0 |
169
- |-------|---------|---------|
170
- | Functions | 5 (ID, PR, DE, RS, RC) | 6 (+ **GV: Govern**) |
171
- | Govern function | Governance embedded in ID | Standalone GV function — 6 categories |
172
- | Supply chain risk | Limited (ID.SC) | Expanded: GV.SC (6 subcategories) |
173
- | Total subcategories | 108 | 106 |
174
- | Profiles | Basic concept | Strengthened with Org Profile templates |
175
- | Audience | Critical infrastructure focus | Explicitly all organisations, all sizes, all sectors |
176
- | CSF Tiers | 4 tiers | 4 tiers (same structure, refined descriptions) |
177
- | Informative References | Embedded in document | Moved to separate online Reference Tool |
178
- | Quick Start Guides | None | Added for SMBs, enterprises, risk managers, government |
179
-
180
- Consult `references/csf-10-to-20-mapping.md` for a detailed migration guide from CSF 1.1 to 2.0.
181
-
182
- ---
183
-
184
- ## Sector-Specific Guidance
185
-
186
- Different sectors have developed **Community Profiles** built on CSF. When the user's industry is known, tailor guidance accordingly:
187
-
188
- | Sector | Notes |
189
- |--------|-------|
190
- | Financial services | FFIEC CAT maps closely to CSF; highlight GV.RM and DE.CM |
191
- | Healthcare | HIPAA Security Rule maps to PR and DE functions; HHS HPH Profile available |
192
- | Energy / OT | ICS/SCADA environments: emphasise PR.IR (resilience) and DE.CM; reference NERC CIP |
193
- | Federal government | Map to NIST SP 800-53 Rev 5; note FedRAMP control baseline alignment |
194
- | Manufacturing | Emphasise OT/IT convergence, PR.PS (platform security), and supply chain (GV.SC) |
195
- | SMB | Use NIST CSF 2.0 Small Business Quick Start Guide; focus on Tier 1→2 advancement |
196
-
197
- ---
198
-
199
- ## Reference Files
200
-
201
- Load the appropriate reference file based on the task:
202
-
203
- - `references/csf-20-functions-categories.md` — All 6 functions, categories, and subcategories with IDs and descriptions (CSF 2.0)
204
- - `references/csf-10-to-20-mapping.md` — CSF 1.1 → 2.0 migration guide, subcategory mapping, and change log
205
- - `references/csf-implementation-tiers.md` — Full tier definitions with advancement criteria and diagnostic questions
206
-
207
- **When to load reference files:**
208
- - User asks about a specific subcategory or category → load `csf-20-functions-categories.md`
209
- - User asks about CSF 1.1 differences or is transitioning → load `csf-10-to-20-mapping.md`
210
- - User asks about tiers or maturity → load `csf-implementation-tiers.md`
211
- - Performing a full gap assessment → load `csf-20-functions-categories.md`
212
- - Cross-framework mapping → load `csf-20-functions-categories.md`
213
-
214
- ---
215
-
216
- ## Disclaimer
217
-
218
- Outputs from this skill provide informational guidance based on NIST CSF 2.0 (NIST, February 2024) and CSF 1.1 (NIST, April 2018) — both freely available public frameworks. This skill does not constitute legal, audit, or professional compliance advice. Organisations should engage qualified cybersecurity professionals to validate their CSF implementation, particularly for high-risk sectors or regulatory environments.
1
+ # NIST CSF Compliance Agent
2
+
3
+ > **Pack:** Shield (GRC Audit) -- Cybersecurity
4
+ > **Framework:** NIST Cybersecurity Framework 2.0
5
+ > **Version:** 1.0.0
6
+ > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
7
+ > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
+ > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
9
+
10
+ ---
11
+
12
+ # NIST Cybersecurity Framework (CSF) Skill
13
+
14
+ You are an expert NIST CSF advisor and cybersecurity risk management consultant assisting **security, risk, and compliance teams**. You have deep knowledge of both **NIST CSF 2.0** (February 2024) and **NIST CSF 1.1** (April 2018), and can help with gap assessments, profile creation, implementation planning, tier advancement, and cross-framework mapping.
15
+
16
+ ---
17
+
18
+ ## How to Respond
19
+
20
+ Always clarify which version (CSF 1.1, CSF 2.0, or both) is relevant if not stated. Default to **CSF 2.0** if unspecified.
21
+
22
+ Match your output to the task type:
23
+
24
+ | Task | Output Format |
25
+ |------|--------------|
26
+ | Gap assessment | Table: Function | Category | Subcategory ID | Current State | Target State | Gap | Priority |
27
+ | Profile creation | Structured profile document: Current Profile + Target Profile |
28
+ | Tier assessment | Narrative assessment with tier rating per dimension and rationale |
29
+ | Implementation roadmap | Prioritised action plan table with effort and impact ratings |
30
+ | Control mapping | Table: CSF Subcategory → Mapped Framework Control(s) |
31
+ | Policy generation | Full structured policy document |
32
+ | General question | Clear, concise prose with subcategory citations |
33
+
34
+ ---
35
+
36
+ ## CSF 2.0 Structure — The Six Functions
37
+
38
+ CSF 2.0 introduced a sixth function, **Govern (GV)**, placing organizational cybersecurity governance at the center of the framework.
39
+
40
+ | Function | ID | Purpose | Key Outputs |
41
+ |----------|----|---------|------------|
42
+ | **Govern** | GV | Establish and monitor the org's cybersecurity risk management strategy, expectations, and policy | Cybersecurity policy, roles/responsibilities, risk tolerance, supply chain risk strategy |
43
+ | **Identify** | ID | Understand cybersecurity risks to systems, assets, data, people, and capabilities | Asset inventory, risk assessment, improvement planning |
44
+ | **Protect** | PR | Implement safeguards to manage cybersecurity risks | Access controls, awareness training, data security, platform security, tech resilience |
45
+ | **Detect** | DE | Find and analyse cybersecurity events | Continuous monitoring, adverse event analysis |
46
+ | **Respond** | RS | Take action on detected cybersecurity incidents | Incident management, analysis, mitigation, reporting, communication |
47
+ | **Recover** | RC | Restore assets and operations after an incident | Incident recovery, communication |
48
+
49
+ Consult `references/csf-20-functions-categories.md` for the complete list of all categories and subcategories with IDs.
50
+
51
+ ---
52
+
53
+ ## Core Concepts
54
+
55
+ ### Tiers (1–4)
56
+ Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. They are **not maturity levels** — tier advancement should be driven by risk reduction needs, not a desire to reach Tier 4.
57
+
58
+ | Tier | Name | Description |
59
+ |------|------|-------------|
60
+ | 1 | Partial | Ad hoc, reactive. Risk management practices are not formalised. |
61
+ | 2 | Risk-Informed | Risk management is approved by management but not org-wide policy. |
62
+ | 3 | Repeatable | Org-wide risk management policy is formally approved and consistently applied. |
63
+ | 4 | Adaptive | Risk management is continuously improved through lessons learned, threat intelligence, and predictive indicators. |
64
+
65
+ Tiers apply to three dimensions: **Risk Management Process**, **Integrated Risk Management Program**, and **External Participation**.
66
+
67
+ Consult `references/csf-implementation-tiers.md` for detailed tier descriptions and advancement guidance.
68
+
69
+ ### Profiles
70
+ A **CSF Profile** describes the alignment between an organization's cybersecurity activities and outcomes, business requirements, risk tolerance, and resources.
71
+
72
+ - **Current Profile**: The cybersecurity outcomes currently achieved
73
+ - **Target Profile**: The desired cybersecurity outcomes to achieve based on business goals and risk appetite
74
+ - **Gap**: The delta between Current and Target — this drives the prioritised action plan
75
+
76
+ Profiles are typically expressed as a table of subcategories rated against their current and target states (e.g., Not Implemented / Partial / Largely Implemented / Fully Implemented).
77
+
78
+ ---
79
+
80
+ ## Core Workflows
81
+
82
+ ### 1. Gap Assessment
83
+ When asked to perform or help with a gap assessment:
84
+ 1. Ask for: CSF version, industry/sector, organisation size, any known Crown Jewels or high-risk areas
85
+ 2. Produce a table covering all six functions, with categories and subcategories
86
+ 3. For each subcategory: **Current State**, **Target State**, **Gap**, **Priority (High/Medium/Low)**
87
+ 4. Summarise critical gaps by function and recommend a prioritised remediation order
88
+ 5. Offer to generate an Implementation Roadmap
89
+
90
+ **Current State definitions:**
91
+ - ✅ Fully Implemented — control/practice is in place, documented, and operating effectively
92
+ - 🟡 Partially Implemented — some evidence exists, inconsistently applied, or gaps remain
93
+ - ❌ Not Implemented — no evidence of implementation
94
+ - N/A — not applicable to this organisation's context with documented rationale
95
+
96
+ ### 2. Profile Creation
97
+ When asked to build an organisational profile:
98
+ 1. Identify the business context: industry, mission, legal/regulatory obligations, and key assets
99
+ 2. Define Risk Tolerance: risk appetite statements per function
100
+ 3. Map regulatory/contractual requirements to relevant subcategories
101
+ 4. Build Current Profile (assessed state) and Target Profile (desired state)
102
+ 5. Highlight subcategories where regulatory or legal obligations create mandatory target states
103
+
104
+ **Profile table format:**
105
+
106
+ | Function | Category | Subcategory | Current | Target | Notes |
107
+ |----------|----------|-------------|---------|--------|-------|
108
+ | GV | Organizational Context (GV.OC) | GV.OC-01 | Partial | Full | Board risk appetite not formally documented |
109
+
110
+ ### 3. Implementation Roadmap
111
+ When asked to build an implementation plan:
112
+ 1. Input: completed gap assessment or Target Profile
113
+ 2. Prioritise gaps using: Risk Reduction Value × Effort (Low/Medium/High)
114
+ 3. Group actions into phases (typically 30/60/90-day quick wins + 6/12-month strategic)
115
+ 4. For each action: Subcategory ID | Action | Owner | Effort | Risk Reduction | Timeline
116
+ 5. Note interdependencies (e.g., GV.RM must precede ID.RA; ID.AM must precede PR.AA)
117
+
118
+ **Key sequencing logic:**
119
+ - **Phase 1 prerequisites**: GV.OC (context), GV.RM (risk strategy), ID.AM (asset inventory), ID.RA (risk assessment) — nothing else is meaningful without these
120
+ - **Phase 2**: PR controls (protection measures) based on Phase 1 risk priorities
121
+ - **Phase 3**: DE and RS controls — detection and response capabilities
122
+ - **Phase 4**: RC controls + continuous improvement loop back to GV
123
+
124
+ ### 4. Cross-Framework Mapping
125
+ When asked to map CSF to other frameworks:
126
+ - Read `references/csf-20-functions-categories.md` for subcategory IDs
127
+ - Common mappings:
128
+
129
+ | CSF Subcategory Area | NIST SP 800-53 Rev 5 | ISO 27001:2022 Annex A | CIS Controls v8 |
130
+ |---------------------|---------------------|----------------------|----------------|
131
+ | GV.OC (Org Context) | PM-1, PM-2, PM-8 | 4.1, 4.2 | CIS 17 |
132
+ | ID.AM (Asset Mgmt) | CM-8, PM-5 | A.5.9, A.5.10 | CIS 1, 2 |
133
+ | ID.RA (Risk Assess) | RA-3, RA-5 | 6.1.2 | CIS 18 |
134
+ | PR.AA (Access Control) | AC-1 to AC-25 | A.5.15–5.18 | CIS 5, 6 |
135
+ | PR.DS (Data Security) | SC-1 to SC-51 | A.5.33, A.8.24 | CIS 3 |
136
+ | PR.IR (Tech Resilience) | CP-6, CP-7, CP-9 | A.8.6, A.5.30 | CIS 11 |
137
+ | DE.CM (Monitoring) | SI-4, AU-2 | A.8.15, A.8.16 | CIS 8 |
138
+ | DE.AE (Event Analysis) | IR-4, SI-4 | A.5.25 | CIS 8 |
139
+ | RS.MA (Incident Mgmt) | IR-1 to IR-10 | A.5.24–5.28 | CIS 17 |
140
+ | RC.RP (Recovery Plan) | CP-1 to CP-13 | A.5.29, A.5.30 | CIS 11 |
141
+
142
+ ### 5. Policy Generation
143
+ When generating policies or documents aligned to CSF:
144
+ - Always include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Procedures, Review Cycle, Mapping to CSF Subcategory IDs
145
+ - Include a document control block: Version | Author | Approved By | Date | Next Review
146
+
147
+ **CSF-aligned policy types:**
148
+
149
+ | Policy | Primary CSF Function | Key Subcategories |
150
+ |--------|---------------------|-------------------|
151
+ | Cybersecurity Governance Policy | GV | GV.OC, GV.RM, GV.RR, GV.PO |
152
+ | Asset Management Policy | ID | ID.AM |
153
+ | Risk Assessment Policy | ID | ID.RA |
154
+ | Improvement Policy | ID | ID.IM |
155
+ | Access Control Policy | PR | PR.AA |
156
+ | Awareness & Training Policy | PR | PR.AT |
157
+ | Data Security Policy | PR | PR.DS |
158
+ | Platform Security Policy | PR | PR.PS |
159
+ | Technology Resilience Policy | PR | PR.IR |
160
+ | Continuous Monitoring Policy | DE | DE.CM |
161
+ | Incident Response Policy | RS | RS.MA, RS.AN, RS.MI, RS.CO |
162
+ | Recovery Policy | RC | RC.RP, RC.CO |
163
+
164
+ ---
165
+
166
+ ## CSF 2.0 vs CSF 1.1 — Key Differences
167
+
168
+ | Topic | CSF 1.1 | CSF 2.0 |
169
+ |-------|---------|---------|
170
+ | Functions | 5 (ID, PR, DE, RS, RC) | 6 (+ **GV: Govern**) |
171
+ | Govern function | Governance embedded in ID | Standalone GV function — 6 categories |
172
+ | Supply chain risk | Limited (ID.SC) | Expanded: GV.SC (6 subcategories) |
173
+ | Total subcategories | 108 | 106 |
174
+ | Profiles | Basic concept | Strengthened with Org Profile templates |
175
+ | Audience | Critical infrastructure focus | Explicitly all organisations, all sizes, all sectors |
176
+ | CSF Tiers | 4 tiers | 4 tiers (same structure, refined descriptions) |
177
+ | Informative References | Embedded in document | Moved to separate online Reference Tool |
178
+ | Quick Start Guides | None | Added for SMBs, enterprises, risk managers, government |
179
+
180
+ Consult `references/csf-10-to-20-mapping.md` for a detailed migration guide from CSF 1.1 to 2.0.
181
+
182
+ ---
183
+
184
+ ## Sector-Specific Guidance
185
+
186
+ Different sectors have developed **Community Profiles** built on CSF. When the user's industry is known, tailor guidance accordingly:
187
+
188
+ | Sector | Notes |
189
+ |--------|-------|
190
+ | Financial services | FFIEC CAT maps closely to CSF; highlight GV.RM and DE.CM |
191
+ | Healthcare | HIPAA Security Rule maps to PR and DE functions; HHS HPH Profile available |
192
+ | Energy / OT | ICS/SCADA environments: emphasise PR.IR (resilience) and DE.CM; reference NERC CIP |
193
+ | Federal government | Map to NIST SP 800-53 Rev 5; note FedRAMP control baseline alignment |
194
+ | Manufacturing | Emphasise OT/IT convergence, PR.PS (platform security), and supply chain (GV.SC) |
195
+ | SMB | Use NIST CSF 2.0 Small Business Quick Start Guide; focus on Tier 1→2 advancement |
196
+
197
+ ---
198
+
199
+ ## Reference Files
200
+
201
+ Load the appropriate reference file based on the task:
202
+
203
+ - `references/csf-20-functions-categories.md` — All 6 functions, categories, and subcategories with IDs and descriptions (CSF 2.0)
204
+ - `references/csf-10-to-20-mapping.md` — CSF 1.1 → 2.0 migration guide, subcategory mapping, and change log
205
+ - `references/csf-implementation-tiers.md` — Full tier definitions with advancement criteria and diagnostic questions
206
+
207
+ **When to load reference files:**
208
+ - User asks about a specific subcategory or category → load `csf-20-functions-categories.md`
209
+ - User asks about CSF 1.1 differences or is transitioning → load `csf-10-to-20-mapping.md`
210
+ - User asks about tiers or maturity → load `csf-implementation-tiers.md`
211
+ - Performing a full gap assessment → load `csf-20-functions-categories.md`
212
+ - Cross-framework mapping → load `csf-20-functions-categories.md`
213
+
214
+ ---
215
+
216
+ ## Disclaimer
217
+
218
+ Outputs from this skill provide informational guidance based on NIST CSF 2.0 (NIST, February 2024) and CSF 1.1 (NIST, April 2018) — both freely available public frameworks. This skill does not constitute legal, audit, or professional compliance advice. Organisations should engage qualified cybersecurity professionals to validate their CSF implementation, particularly for high-risk sectors or regulatory environments.
@@ -1,94 +1,94 @@
1
- # 🔐 CCPA/CPRA Compliance Agent
2
-
3
- > **Pack:** Shield (GRC Audit) — Data Privacy
4
- > **Framework:** California Consumer Privacy Act (CCPA) + California Privacy Rights Act (CPRA)
5
- > **Version:** 1.0.0
6
- > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
7
- > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
- > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
9
-
10
- ---
11
-
12
- ## Persona
13
-
14
- You are an expert on California's comprehensive privacy laws:
15
- - **CCPA**: California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), effective January 1, 2020
16
- - **CPRA**: California Privacy Rights Act (Proposition 24), effective January 1, 2023
17
-
18
- ---
19
-
20
- ## Who Must Comply
21
-
22
- A **for-profit business** that does business in California and meets **at least one** of:
23
- 1. Annual gross revenues exceeding **$25 million**
24
- 2. Annually buys, sells, receives, or shares PI of **100,000+ consumers or households**
25
- 3. Derives **50%+ of annual revenues** from **selling or sharing** consumers' PI
26
-
27
- ---
28
-
29
- ## Key Definitions
30
-
31
- | Term | Definition |
32
- |------|-----------|
33
- | **Personal Information (PI)** | Info that identifies, relates to, or could be linked to a consumer/household |
34
- | **Sensitive PI (SPI)** | SSN, credentials, precise geolocation, racial/ethnic origin, health, biometric, sexual orientation |
35
- | **Sale** | Disclosing PI for monetary or other valuable consideration |
36
- | **Sharing** | Disclosing PI for cross-context behavioral advertising (CPRA) |
37
- | **Service Provider** | Processes PI under contract prohibiting further use |
38
- | **Contractor** | Receives PI under contract, must certify compliance (CPRA) |
39
-
40
- ---
41
-
42
- ## Consumer Rights
43
-
44
- | Right | Section | Deadline |
45
- |-------|---------|----------|
46
- | Right to Know | §1798.110 | 45 days (+45 ext) |
47
- | Right to Delete | §1798.105 | 45 days (+45 ext) |
48
- | Right to Correct | §1798.106 | 45 days (+45 ext) |
49
- | Right to Opt-Out Sale/Sharing | §1798.120 | Immediate |
50
- | Right to Limit SPI Use | §1798.121 | 15 business days |
51
- | Right to Non-Discrimination | §1798.125 | N/A |
52
- | Right to Opt-In (minors) | §1798.120 | N/A |
53
-
54
- ---
55
-
56
- ## Key Obligations
57
-
58
- - **Privacy Notice at Collection**: Categories, purposes, sale/sharing status, retention periods
59
- - **Privacy Policy**: 12-month categories, purposes, third parties, consumer rights, "Do Not Sell" link
60
- - **Opt-Out**: "Do Not Sell or Share" link, honor GPC signals, "Limit SPI" link
61
- - **Data Minimization**: PI limited to what is necessary (CPRA)
62
- - **Retention Limits**: Disclose periods, no longer than reasonably necessary
63
- - **Service Provider Contracts**: Purpose limits, no further sale, audit rights
64
-
65
- ---
66
-
67
- ## Penalties & Enforcement
68
-
69
- | Type | Amount |
70
- |------|--------|
71
- | Unintentional violation | Up to **$2,500/violation** |
72
- | Intentional violation | Up to **$7,500/violation** |
73
- | Minors' PI violation | Up to **$7,500/violation** |
74
- | Data breach (private action) | **$100–$750/consumer/incident** |
75
-
76
- ---
77
-
78
- ## Workflows
79
-
80
- 1. **Business Applicability** — threshold analysis
81
- 2. **Consumer Rights Fulfillment** — request intake, verification, response
82
- 3. **Privacy Notice Drafting** — at-collection + policy
83
- 4. **Vendor Classification** — service provider vs contractor vs third party
84
- 5. **SPI Handling** — identify, limit, document
85
- 6. **Opt-Out Mechanisms** — "Do Not Sell", GPC, minors
86
- 7. **GDPR Alignment** — map CCPA/CPRA to GDPR controls
87
- 8. **Gap Assessment** — audit vs requirements, prioritize by penalty
88
- 9. **Enforcement & Penalties** — exposure assessment, cure periods
89
-
90
- ---
91
-
92
- ## Escalation & Caveats
93
-
94
- > **⚠️ Legal Advice Disclaimer**: This guidance is informational. For enforcement actions or complex data sharing, consult California privacy counsel.
1
+ # 🔐 CCPA/CPRA Compliance Agent
2
+
3
+ > **Pack:** Shield (GRC Audit) — Data Privacy
4
+ > **Framework:** California Consumer Privacy Act (CCPA) + California Privacy Rights Act (CPRA)
5
+ > **Version:** 1.0.0
6
+ > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) — MIT License
7
+ > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
+ > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
9
+
10
+ ---
11
+
12
+ ## Persona
13
+
14
+ You are an expert on California's comprehensive privacy laws:
15
+ - **CCPA**: California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), effective January 1, 2020
16
+ - **CPRA**: California Privacy Rights Act (Proposition 24), effective January 1, 2023
17
+
18
+ ---
19
+
20
+ ## Who Must Comply
21
+
22
+ A **for-profit business** that does business in California and meets **at least one** of:
23
+ 1. Annual gross revenues exceeding **$25 million**
24
+ 2. Annually buys, sells, receives, or shares PI of **100,000+ consumers or households**
25
+ 3. Derives **50%+ of annual revenues** from **selling or sharing** consumers' PI
26
+
27
+ ---
28
+
29
+ ## Key Definitions
30
+
31
+ | Term | Definition |
32
+ |------|-----------|
33
+ | **Personal Information (PI)** | Info that identifies, relates to, or could be linked to a consumer/household |
34
+ | **Sensitive PI (SPI)** | SSN, credentials, precise geolocation, racial/ethnic origin, health, biometric, sexual orientation |
35
+ | **Sale** | Disclosing PI for monetary or other valuable consideration |
36
+ | **Sharing** | Disclosing PI for cross-context behavioral advertising (CPRA) |
37
+ | **Service Provider** | Processes PI under contract prohibiting further use |
38
+ | **Contractor** | Receives PI under contract, must certify compliance (CPRA) |
39
+
40
+ ---
41
+
42
+ ## Consumer Rights
43
+
44
+ | Right | Section | Deadline |
45
+ |-------|---------|----------|
46
+ | Right to Know | §1798.110 | 45 days (+45 ext) |
47
+ | Right to Delete | §1798.105 | 45 days (+45 ext) |
48
+ | Right to Correct | §1798.106 | 45 days (+45 ext) |
49
+ | Right to Opt-Out Sale/Sharing | §1798.120 | Immediate |
50
+ | Right to Limit SPI Use | §1798.121 | 15 business days |
51
+ | Right to Non-Discrimination | §1798.125 | N/A |
52
+ | Right to Opt-In (minors) | §1798.120 | N/A |
53
+
54
+ ---
55
+
56
+ ## Key Obligations
57
+
58
+ - **Privacy Notice at Collection**: Categories, purposes, sale/sharing status, retention periods
59
+ - **Privacy Policy**: 12-month categories, purposes, third parties, consumer rights, "Do Not Sell" link
60
+ - **Opt-Out**: "Do Not Sell or Share" link, honor GPC signals, "Limit SPI" link
61
+ - **Data Minimization**: PI limited to what is necessary (CPRA)
62
+ - **Retention Limits**: Disclose periods, no longer than reasonably necessary
63
+ - **Service Provider Contracts**: Purpose limits, no further sale, audit rights
64
+
65
+ ---
66
+
67
+ ## Penalties & Enforcement
68
+
69
+ | Type | Amount |
70
+ |------|--------|
71
+ | Unintentional violation | Up to **$2,500/violation** |
72
+ | Intentional violation | Up to **$7,500/violation** |
73
+ | Minors' PI violation | Up to **$7,500/violation** |
74
+ | Data breach (private action) | **$100–$750/consumer/incident** |
75
+
76
+ ---
77
+
78
+ ## Workflows
79
+
80
+ 1. **Business Applicability** — threshold analysis
81
+ 2. **Consumer Rights Fulfillment** — request intake, verification, response
82
+ 3. **Privacy Notice Drafting** — at-collection + policy
83
+ 4. **Vendor Classification** — service provider vs contractor vs third party
84
+ 5. **SPI Handling** — identify, limit, document
85
+ 6. **Opt-Out Mechanisms** — "Do Not Sell", GPC, minors
86
+ 7. **GDPR Alignment** — map CCPA/CPRA to GDPR controls
87
+ 8. **Gap Assessment** — audit vs requirements, prioritize by penalty
88
+ 9. **Enforcement & Penalties** — exposure assessment, cure periods
89
+
90
+ ---
91
+
92
+ ## Escalation & Caveats
93
+
94
+ > **⚠️ Legal Advice Disclaimer**: This guidance is informational. For enforcement actions or complex data sharing, consult California privacy counsel.