bmad-plus 0.7.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294)
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,280 +1,280 @@
1
- # EAR Export Compliance Programme, Enforcement, and Special Rules
2
-
3
- ## Export Compliance Programme (ECP) — BIS Seven Elements
4
-
5
- BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
-
7
- ### Element 1 — Management Commitment
8
-
9
- - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
- - Written, board-approved export compliance policy signed by senior officer
11
- - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
- - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
- - Annual certification to the board that the ECP is operating effectively
14
-
15
- **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
-
17
- ### Element 2 — Risk Assessment
18
-
19
- - Identify all products, software, and technology subject to EAR
20
- - Classify each item: ECCN or EAR99 (document the classification rationale)
21
- - Identify all business units, geographies, and transaction types
22
- - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
- - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
-
25
- **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
-
27
- ### Element 3 — Written Policies and Procedures
28
-
29
- - Written, procedure-level guidance for each process that touches exports:
30
- - Customer onboarding and restricted party screening
31
- - Order acceptance and fulfilment (sales, finance, logistics)
32
- - ECCN classification and update trigger
33
- - Licence application and management
34
- - Employee travel with controlled items/technology
35
- - Hiring of foreign nationals (deemed export screening)
36
- - Distributor/reseller programme requirements
37
- - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
-
39
- ### Element 4 — Training and Awareness
40
-
41
- - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
- - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
- - Annual refresher training with sign-off acknowledgement
44
- - Training records retained for 5 years
45
- - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
-
47
- **Topics for engineers and developers:**
48
- - Deemed exports: sharing controlled source code with foreign national colleagues
49
- - Cloud platforms and access controls for controlled technology
50
- - Open-source publication — fundamental research exemption vs. EAR controls on software
51
-
52
- ### Element 5 — Restricted Party Screening
53
-
54
- - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
- - Minimum lists to screen against:
56
- - BIS Denied Persons List
57
- - BIS Entity List
58
- - BIS Unverified List
59
- - BIS Military End-User (MEU) List
60
- - State Department Debarred List (DDTC)
61
- - OFAC SDN List
62
- - OFAC Consolidated Sanctions List
63
- - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
- - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
-
66
- **Screening cadence for ongoing relationships:**
67
- - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
- - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
-
70
- **Handling a match:**
71
- 1. Do not ship or service the order
72
- 2. Escalate to ECO/legal immediately
73
- 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
- 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
- 5. Document the match, review, and outcome
76
-
77
- ### Element 6 — Due Diligence (Know Your Customer)
78
-
79
- - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
- - For high-risk transactions, obtain:
81
- - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
- - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
- - **Distributor Management: assurances that downstream sales comply with EAR**
84
- - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
- - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
-
87
- ### Element 7 — Recordkeeping and Audits
88
-
89
- - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
- - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
- - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
- - Annual internal ECP audit or review
93
- - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
-
95
- ---
96
-
97
- ## Enforcement Regime
98
-
99
- ### Office of Export Enforcement (OEE)
100
-
101
- BIS's enforcement arm investigates violations through:
102
- - **Special Agents** conducting criminal investigations
103
- - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
- - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
-
106
- ### Civil Penalties (§ 764.3, Part 766)
107
-
108
- | Violation Type | Maximum Penalty |
109
- |---------------|----------------|
110
- | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
- | Egregious violations | Higher penalties; may approach statutory maximum |
112
- | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
-
114
- **Penalty determination factors (Part 766, Supplement 1):**
115
- - Willfulness (did the violator know it was a violation?)
116
- - Nature of the item (weapons-relevant, dual-use, EAR99)
117
- - Harm to US national security or foreign policy interests
118
- - Compliance programme quality (strong ECP = significant mitigation)
119
- - Remedial action taken
120
- - Cooperation with OEE
121
-
122
- **Base penalty matrix** (post-September 2024 rule change):
123
- - BIS removed caps that previously limited penalties below statutory maximums
124
- - Penalties now more directly reflect transaction value, particularly for egregious cases
125
- - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
-
127
- ### Criminal Penalties (§ 764.2)
128
-
129
- Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
- - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
- - **Corporations:** Fines up to $1 million per violation (per count)
132
- - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
-
134
- ### Export Denial Orders (EDOs)
135
-
136
- BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
- - EDOs are published in the Federal Register and placed on the Denied Persons List
138
- - Third parties are prohibited from participating in any transaction involving a denied person
139
- - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
-
141
- ---
142
-
143
- ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
-
145
- ### What is a VSD?
146
-
147
- A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
-
149
- ### When to File
150
-
151
- File a VSD when you discover:
152
- - Items shipped without a required licence
153
- - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
- - Incorrect ECCN used that resulted in an unlicensed shipment
155
- - SNAP-R licence conditions violated
156
- - Prohibited end-use found post-shipment
157
-
158
- ### VSD Process
159
-
160
- 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
- 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
- 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
- - Detailed narrative of the facts
164
- - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
- - Root cause analysis
166
- - Remedial actions already taken
167
- - Proposed corrective actions
168
- 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
- 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
-
171
- ### VSD Penalty Mitigation
172
-
173
- - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
- - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
- - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
-
177
- ---
178
-
179
- ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
-
181
- ### General FDPR (§ 736.2(b)(3))
182
-
183
- Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
-
185
- **Test:** Two-prong test:
186
- 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
- 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
-
189
- ### Entity List FDPR (2020 — Huawei Rule)
190
-
191
- Extended the FDPR to capture foreign-made items when:
192
- 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
- 2. AND the item is destined for a party on the Entity List
194
-
195
- Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
-
197
- ### Advanced Computing FDPR (October 2022 / October 2023)
198
-
199
- Captures items produced with US wafer fabrication equipment destined for:
200
- - China or Macau for use in advanced computing applications above threshold
201
- - Any Entity List party
202
-
203
- ### Russia/Belarus FDPR (March 2022)
204
-
205
- Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
-
207
- ---
208
-
209
- ## Deemed Export Rules — Compliance Programme Implications
210
-
211
- ### What Constitutes a Deemed Export
212
-
213
- Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
- - Visual inspection of controlled hardware
215
- - Providing access to controlled equipment
216
- - Oral, written, or electronic transmission of controlled technical data
217
- - Demonstration of controlled software
218
-
219
- ### Nationality Rule
220
-
221
- BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
- - Apply the nationality that requires the most restrictive licensing treatment
223
- - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
-
225
- ### Practical Compliance Steps
226
-
227
- 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
- 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
- 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
- 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
- 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
- 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
-
234
- ---
235
-
236
- ## SNAP-R — Licensing Portal Guidance
237
-
238
- **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
-
240
- **Forms filed through SNAP-R:**
241
- - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
- - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
- - BIS-748P-B: Supplement for end-user statement attachments
244
- - BIS-711: Statement by Ultimate Consignee and Purchaser
245
-
246
- **SNAP-R Best Practices:**
247
- - Submit complete applications — missing technical data is the #1 cause of delay
248
- - Include end-use statements and supporting technical documentation proactively
249
- - Track licence expiration dates and re-apply at least 60 days before expiry
250
- - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
- - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
-
253
- ---
254
-
255
- ## EAR Recordkeeping Quick Reference
256
-
257
- | Document Type | Retention Period | Format |
258
- |---------------|-----------------|--------|
259
- | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
- | Bills of lading, air waybills | 5 years | Any |
261
- | EEI/AES filings | 5 years | Any |
262
- | Licence applications and approvals | 5 years from expiry/completion | Any |
263
- | Licence exception documentation | 5 years from export | Any |
264
- | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
- | End-user statements and certifications | 5 years | Any |
266
- | ECCN classification records | 5 years from last export of item | Any |
267
- | VSD submissions and correspondence | Permanently | Any |
268
-
269
- ---
270
-
271
- ## Compliance Programme Maturity Assessment
272
-
273
- | Level | Characteristics |
274
- |-------|----------------|
275
- | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
- | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
- | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
- | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
-
280
- BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
1
+ # EAR Export Compliance Programme, Enforcement, and Special Rules
2
+
3
+ ## Export Compliance Programme (ECP) — BIS Seven Elements
4
+
5
+ BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
+
7
+ ### Element 1 — Management Commitment
8
+
9
+ - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
+ - Written, board-approved export compliance policy signed by senior officer
11
+ - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
+ - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
+ - Annual certification to the board that the ECP is operating effectively
14
+
15
+ **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
+
17
+ ### Element 2 — Risk Assessment
18
+
19
+ - Identify all products, software, and technology subject to EAR
20
+ - Classify each item: ECCN or EAR99 (document the classification rationale)
21
+ - Identify all business units, geographies, and transaction types
22
+ - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
+ - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
+
25
+ **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
+
27
+ ### Element 3 — Written Policies and Procedures
28
+
29
+ - Written, procedure-level guidance for each process that touches exports:
30
+ - Customer onboarding and restricted party screening
31
+ - Order acceptance and fulfilment (sales, finance, logistics)
32
+ - ECCN classification and update trigger
33
+ - Licence application and management
34
+ - Employee travel with controlled items/technology
35
+ - Hiring of foreign nationals (deemed export screening)
36
+ - Distributor/reseller programme requirements
37
+ - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
+
39
+ ### Element 4 — Training and Awareness
40
+
41
+ - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
+ - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
+ - Annual refresher training with sign-off acknowledgement
44
+ - Training records retained for 5 years
45
+ - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
+
47
+ **Topics for engineers and developers:**
48
+ - Deemed exports: sharing controlled source code with foreign national colleagues
49
+ - Cloud platforms and access controls for controlled technology
50
+ - Open-source publication — fundamental research exemption vs. EAR controls on software
51
+
52
+ ### Element 5 — Restricted Party Screening
53
+
54
+ - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
+ - Minimum lists to screen against:
56
+ - BIS Denied Persons List
57
+ - BIS Entity List
58
+ - BIS Unverified List
59
+ - BIS Military End-User (MEU) List
60
+ - State Department Debarred List (DDTC)
61
+ - OFAC SDN List
62
+ - OFAC Consolidated Sanctions List
63
+ - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
+ - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
+
66
+ **Screening cadence for ongoing relationships:**
67
+ - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
+ - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
+
70
+ **Handling a match:**
71
+ 1. Do not ship or service the order
72
+ 2. Escalate to ECO/legal immediately
73
+ 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
+ 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
+ 5. Document the match, review, and outcome
76
+
77
+ ### Element 6 — Due Diligence (Know Your Customer)
78
+
79
+ - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
+ - For high-risk transactions, obtain:
81
+ - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
+ - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
+ - **Distributor Management: assurances that downstream sales comply with EAR**
84
+ - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
+ - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
+
87
+ ### Element 7 — Recordkeeping and Audits
88
+
89
+ - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
+ - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
+ - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
+ - Annual internal ECP audit or review
93
+ - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
+
95
+ ---
96
+
97
+ ## Enforcement Regime
98
+
99
+ ### Office of Export Enforcement (OEE)
100
+
101
+ BIS's enforcement arm investigates violations through:
102
+ - **Special Agents** conducting criminal investigations
103
+ - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
+ - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
+
106
+ ### Civil Penalties (§ 764.3, Part 766)
107
+
108
+ | Violation Type | Maximum Penalty |
109
+ |---------------|----------------|
110
+ | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
+ | Egregious violations | Higher penalties; may approach statutory maximum |
112
+ | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
+
114
+ **Penalty determination factors (Part 766, Supplement 1):**
115
+ - Willfulness (did the violator know it was a violation?)
116
+ - Nature of the item (weapons-relevant, dual-use, EAR99)
117
+ - Harm to US national security or foreign policy interests
118
+ - Compliance programme quality (strong ECP = significant mitigation)
119
+ - Remedial action taken
120
+ - Cooperation with OEE
121
+
122
+ **Base penalty matrix** (post-September 2024 rule change):
123
+ - BIS removed caps that previously limited penalties below statutory maximums
124
+ - Penalties now more directly reflect transaction value, particularly for egregious cases
125
+ - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
+
127
+ ### Criminal Penalties (§ 764.2)
128
+
129
+ Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
+ - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
+ - **Corporations:** Fines up to $1 million per violation (per count)
132
+ - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
+
134
+ ### Export Denial Orders (EDOs)
135
+
136
+ BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
+ - EDOs are published in the Federal Register and placed on the Denied Persons List
138
+ - Third parties are prohibited from participating in any transaction involving a denied person
139
+ - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
+
141
+ ---
142
+
143
+ ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
+
145
+ ### What is a VSD?
146
+
147
+ A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
+
149
+ ### When to File
150
+
151
+ File a VSD when you discover:
152
+ - Items shipped without a required licence
153
+ - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
+ - Incorrect ECCN used that resulted in an unlicensed shipment
155
+ - SNAP-R licence conditions violated
156
+ - Prohibited end-use found post-shipment
157
+
158
+ ### VSD Process
159
+
160
+ 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
+ 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
+ 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
+ - Detailed narrative of the facts
164
+ - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
+ - Root cause analysis
166
+ - Remedial actions already taken
167
+ - Proposed corrective actions
168
+ 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
+ 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
+
171
+ ### VSD Penalty Mitigation
172
+
173
+ - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
+ - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
+ - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
+
177
+ ---
178
+
179
+ ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
+
181
+ ### General FDPR (§ 736.2(b)(3))
182
+
183
+ Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
+
185
+ **Test:** Two-prong test:
186
+ 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
+ 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
+
189
+ ### Entity List FDPR (2020 — Huawei Rule)
190
+
191
+ Extended the FDPR to capture foreign-made items when:
192
+ 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
+ 2. AND the item is destined for a party on the Entity List
194
+
195
+ Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
+
197
+ ### Advanced Computing FDPR (October 2022 / October 2023)
198
+
199
+ Captures items produced with US wafer fabrication equipment destined for:
200
+ - China or Macau for use in advanced computing applications above threshold
201
+ - Any Entity List party
202
+
203
+ ### Russia/Belarus FDPR (March 2022)
204
+
205
+ Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
+
207
+ ---
208
+
209
+ ## Deemed Export Rules — Compliance Programme Implications
210
+
211
+ ### What Constitutes a Deemed Export
212
+
213
+ Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
+ - Visual inspection of controlled hardware
215
+ - Providing access to controlled equipment
216
+ - Oral, written, or electronic transmission of controlled technical data
217
+ - Demonstration of controlled software
218
+
219
+ ### Nationality Rule
220
+
221
+ BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
+ - Apply the nationality that requires the most restrictive licensing treatment
223
+ - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
+
225
+ ### Practical Compliance Steps
226
+
227
+ 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
+ 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
+ 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
+ 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
+ 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
+ 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
+
234
+ ---
235
+
236
+ ## SNAP-R — Licensing Portal Guidance
237
+
238
+ **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
+
240
+ **Forms filed through SNAP-R:**
241
+ - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
+ - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
+ - BIS-748P-B: Supplement for end-user statement attachments
244
+ - BIS-711: Statement by Ultimate Consignee and Purchaser
245
+
246
+ **SNAP-R Best Practices:**
247
+ - Submit complete applications — missing technical data is the #1 cause of delay
248
+ - Include end-use statements and supporting technical documentation proactively
249
+ - Track licence expiration dates and re-apply at least 60 days before expiry
250
+ - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
+ - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
+
253
+ ---
254
+
255
+ ## EAR Recordkeeping Quick Reference
256
+
257
+ | Document Type | Retention Period | Format |
258
+ |---------------|-----------------|--------|
259
+ | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
+ | Bills of lading, air waybills | 5 years | Any |
261
+ | EEI/AES filings | 5 years | Any |
262
+ | Licence applications and approvals | 5 years from expiry/completion | Any |
263
+ | Licence exception documentation | 5 years from export | Any |
264
+ | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
+ | End-user statements and certifications | 5 years | Any |
266
+ | ECCN classification records | 5 years from last export of item | Any |
267
+ | VSD submissions and correspondence | Permanently | Any |
268
+
269
+ ---
270
+
271
+ ## Compliance Programme Maturity Assessment
272
+
273
+ | Level | Characteristics |
274
+ |-------|----------------|
275
+ | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
+ | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
+ | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
+ | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
+
280
+ BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
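Review bot: removed lines 58-280 and added lines 58-280 of this hunk read identically, so the file is being rewritten in full with no visible change to its text. If the difference is only line endings or trailing whitespace, say so in the release notes and pin the line-ending convention for the package's Markdown files, so that a real edit to this compliance guidance is not buried in a 280-line rewrite the next time. Since every line is being touched anyway, two style points on the added side are worth fixing: line 83 bolds the entire "Distributor Management" bullet where the sibling bullets on lines 81 and 82 bold only the label, and line 147 spells "license conditions" while the rest of the file uses "licence".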