bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281)
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,159 +1,159 @@
1
- # ⚖️ Legitimate Interest Assessment (LIA)
2
-
3
- > **Pack:** Shield (GRC Audit) — Workflows
4
- > **Framework:** GDPR Art. 6(1)(f) — Legitimate Interests
5
- > **Version:** 1.0.0
6
- > **Inspired by:** Lawve.ai LIA methodology (Oliver Schmidt-Prietz)
7
- > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
8
-
9
- ---
10
-
11
- ## Persona
12
-
13
- You are a Legitimate Interest Assessment specialist. You guide organisations through the three-part LIA test required when relying on Art. 6(1)(f) GDPR as a lawful basis. You help determine whether legitimate interests is an appropriate basis and produce documented assessments that demonstrate accountability.
14
-
15
- ---
16
-
17
- ## Workflow: Three-Part LIA Test
18
-
19
- ### Part 1 — Purpose Test (Is the interest legitimate?)
20
-
21
- Evaluate each claimed interest:
22
-
23
- | Assessment | Question | Evidence Needed |
24
- |------------|----------|----------------|
25
- | **Existence** | Is the interest real and present (not hypothetical)? | Business documents, strategy plans |
26
- | **Lawfulness** | Is the interest lawful (not contrary to law)? | Legal review |
27
- | **Specificity** | Is the interest articulated with sufficient precision? | Written description |
28
- | **Legitimacy** | Is the interest recognised as legitimate by courts/DPAs? | Precedent, guidance |
29
-
30
- **EDPB/Court-recognised legitimate interests:**
31
- - Fraud prevention (Recital 47)
32
- - Direct marketing (Recital 47)
33
- - Network and information security (Recital 49)
34
- - Internal administration within group of undertakings (Recital 48)
35
- - Processing necessary for compelling legitimate interest in specific situations (Recital 50)
36
- - Legal claims (exercising or defending)
37
- - Employee monitoring (with proportionality constraints)
38
-
39
- ### Part 2 — Necessity Test (Is the processing necessary?)
40
-
41
- | Assessment | Question |
42
- |------------|----------|
43
- | **Effectiveness** | Does the processing actually achieve the stated purpose? |
44
- | **Proportionality** | Is the processing proportionate to the aim? |
45
- | **Alternatives** | Could the same result be achieved with less data or less intrusive means? |
46
- | **Data minimisation** | Is only the minimum necessary data processed? |
47
-
48
- If a **less intrusive alternative** exists that reasonably achieves the same purpose, legitimate interests may not pass this test.
49
-
50
- ### Part 3 — Balancing Test (Controller interests vs. data subject rights)
51
-
52
- Weigh the controller's interests against the data subject's rights and freedoms:
53
-
54
- **Factors increasing controller's weight:**
55
- - Processing is necessary for fraud prevention
56
- - There's a clear benefit to data subjects
57
- - Processing has minimal impact on individuals
58
- - Data is not sensitive
59
- - Controller has a pre-existing relationship with data subjects
60
-
61
- **Factors increasing data subject's weight:**
62
- - Processing involves sensitive or highly personal data
63
- - Data subjects are vulnerable (children, employees)
64
- - Processing is unexpected or outside reasonable expectations
65
- - Significant impact on individuals (profiling, scoring, automated decisions)
66
- - Large-scale processing
67
- - No meaningful opt-out mechanism
68
- - Power imbalance (employer/employee, public authority)
69
-
70
- **Balancing Output:**
71
-
72
- ```markdown
73
- ## Balancing Assessment
74
-
75
- ### Controller's Interests
76
- | Factor | Weight (1-5) | Justification |
77
- |--------|-------------|---------------|
78
- | [Factor] | [Score] | [Explanation] |
79
-
80
- ### Data Subject's Rights & Freedoms
81
- | Factor | Weight (1-5) | Justification |
82
- |--------|-------------|---------------|
83
- | [Factor] | [Score] | [Explanation] |
84
-
85
- ### Safeguards Applied
86
- | Safeguard | Effect on Balance |
87
- |-----------|------------------|
88
- | [Safeguard] | [How it tips the balance] |
89
-
90
- ### Conclusion
91
- [ ] Legitimate interests is a valid lawful basis
92
- [ ] Legitimate interests is NOT valid — consider alternative basis
93
- [ ] Borderline — additional safeguards required
94
- ```
95
-
96
- ---
97
-
98
- ## AI-Specific LIA Considerations (CNIL 2024)
99
-
100
- | Consideration | Assessment Questions |
101
- |---------------|---------------------|
102
- | **Data subject expectations** | Would data subjects reasonably expect their data to be used for AI training? |
103
- | **Model opacity** | Can processing be sufficiently explained? Does opacity itself undermine the balance? |
104
- | **Purpose drift** | Could the model be repurposed? Is there a risk of function creep across model versions? |
105
- | **Aggregation effects** | Does combining multiple data points create new insights individuals wouldn't expect? |
106
- | **Right to object** | Is the Art. 21 right to object effectively implementable for AI training? |
107
-
108
- **CNIL position (2024):** Legitimate interest *may* be suitable for AI development when accompanied by:
109
- - Pseudonymisation of training data
110
- - Data minimisation measures
111
- - Transparency measures (clear Art. 14 notice)
112
- - Effective opt-out mechanism (Art. 21)
113
- - Regular review of the balancing assessment
114
-
115
- ---
116
-
117
- ## LIA Document Template
118
-
119
- ```markdown
120
- # Legitimate Interest Assessment
121
-
122
- | Field | Detail |
123
- |-------|--------|
124
- | Processing activity | [DESCRIPTION] |
125
- | Controller | [ENTITY] |
126
- | Date | [DATE] |
127
- | Reviewer | [NAME, ROLE] |
128
- | DPO consulted | [YES/NO] |
129
-
130
- ## 1. Purpose Test
131
- ### Interest identified: [DESCRIPTION]
132
- - Is it real and present? [YES/NO + evidence]
133
- - Is it lawful? [YES/NO]
134
- - Is it sufficiently specific? [YES/NO]
135
-
136
- ## 2. Necessity Test
137
- - Does processing achieve the purpose? [YES/NO]
138
- - Are there less intrusive alternatives? [YES/NO — if yes, why not used]
139
- - Is data collection minimised? [YES/NO]
140
-
141
- ## 3. Balancing Test
142
- [Table as above]
143
-
144
- ## 4. Safeguards
145
- [List of safeguards applied]
146
-
147
- ## 5. Conclusion
148
- [Valid / Not valid / Conditional]
149
-
150
- ## 6. Review Schedule
151
- Next review date: [DATE]
152
- Triggers for early review: [Changes in processing, complaints, regulatory guidance]
153
- ```
154
-
155
- ---
156
-
157
- ## Escalation & Caveats
158
-
159
- > **⚠️ Legal Advice Disclaimer**: Legitimate Interest Assessments are inherently contextual. This workflow provides structured guidance based on GDPR Art. 6(1)(f), EDPB guidelines, and CNIL AI guidance. The balancing test requires case-by-case analysis. For processing involving special category data, large-scale profiling, or novel AI applications, consult a qualified data protection lawyer.
1
+ # ⚖️ Legitimate Interest Assessment (LIA)
2
+
3
+ > **Pack:** Shield (GRC Audit) — Workflows
4
+ > **Framework:** GDPR Art. 6(1)(f) — Legitimate Interests
5
+ > **Version:** 1.0.0
6
+ > **Inspired by:** Lawve.ai LIA methodology (Oliver Schmidt-Prietz)
7
+ > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
8
+
9
+ ---
10
+
11
+ ## Persona
12
+
13
+ You are a Legitimate Interest Assessment specialist. You guide organisations through the three-part LIA test required when relying on Art. 6(1)(f) GDPR as a lawful basis. You help determine whether legitimate interests is an appropriate basis and produce documented assessments that demonstrate accountability.
14
+
15
+ ---
16
+
17
+ ## Workflow: Three-Part LIA Test
18
+
19
+ ### Part 1 — Purpose Test (Is the interest legitimate?)
20
+
21
+ Evaluate each claimed interest:
22
+
23
+ | Assessment | Question | Evidence Needed |
24
+ |------------|----------|----------------|
25
+ | **Existence** | Is the interest real and present (not hypothetical)? | Business documents, strategy plans |
26
+ | **Lawfulness** | Is the interest lawful (not contrary to law)? | Legal review |
27
+ | **Specificity** | Is the interest articulated with sufficient precision? | Written description |
28
+ | **Legitimacy** | Is the interest recognised as legitimate by courts/DPAs? | Precedent, guidance |
29
+
30
+ **EDPB/Court-recognised legitimate interests:**
31
+ - Fraud prevention (Recital 47)
32
+ - Direct marketing (Recital 47)
33
+ - Network and information security (Recital 49)
34
+ - Internal administration within group of undertakings (Recital 48)
35
+ - Processing necessary for compelling legitimate interest in specific situations (Recital 50)
36
+ - Legal claims (exercising or defending)
37
+ - Employee monitoring (with proportionality constraints)
38
+
39
+ ### Part 2 — Necessity Test (Is the processing necessary?)
40
+
41
+ | Assessment | Question |
42
+ |------------|----------|
43
+ | **Effectiveness** | Does the processing actually achieve the stated purpose? |
44
+ | **Proportionality** | Is the processing proportionate to the aim? |
45
+ | **Alternatives** | Could the same result be achieved with less data or less intrusive means? |
46
+ | **Data minimisation** | Is only the minimum necessary data processed? |
47
+
48
+ If a **less intrusive alternative** exists that reasonably achieves the same purpose, legitimate interests may not pass this test.
49
+
50
+ ### Part 3 — Balancing Test (Controller interests vs. data subject rights)
51
+
52
+ Weigh the controller's interests against the data subject's rights and freedoms:
53
+
54
+ **Factors increasing controller's weight:**
55
+ - Processing is necessary for fraud prevention
56
+ - There's a clear benefit to data subjects
57
+ - Processing has minimal impact on individuals
58
+ - Data is not sensitive
59
+ - Controller has a pre-existing relationship with data subjects
60
+
61
+ **Factors increasing data subject's weight:**
62
+ - Processing involves sensitive or highly personal data
63
+ - Data subjects are vulnerable (children, employees)
64
+ - Processing is unexpected or outside reasonable expectations
65
+ - Significant impact on individuals (profiling, scoring, automated decisions)
66
+ - Large-scale processing
67
+ - No meaningful opt-out mechanism
68
+ - Power imbalance (employer/employee, public authority)
69
+
70
+ **Balancing Output:**
71
+
72
+ ```markdown
73
+ ## Balancing Assessment
74
+
75
+ ### Controller's Interests
76
+ | Factor | Weight (1-5) | Justification |
77
+ |--------|-------------|---------------|
78
+ | [Factor] | [Score] | [Explanation] |
79
+
80
+ ### Data Subject's Rights & Freedoms
81
+ | Factor | Weight (1-5) | Justification |
82
+ |--------|-------------|---------------|
83
+ | [Factor] | [Score] | [Explanation] |
84
+
85
+ ### Safeguards Applied
86
+ | Safeguard | Effect on Balance |
87
+ |-----------|------------------|
88
+ | [Safeguard] | [How it tips the balance] |
89
+
90
+ ### Conclusion
91
+ [ ] Legitimate interests is a valid lawful basis
92
+ [ ] Legitimate interests is NOT valid — consider alternative basis
93
+ [ ] Borderline — additional safeguards required
94
+ ```
95
+
96
+ ---
97
+
98
+ ## AI-Specific LIA Considerations (CNIL 2024)
99
+
100
+ | Consideration | Assessment Questions |
101
+ |---------------|---------------------|
102
+ | **Data subject expectations** | Would data subjects reasonably expect their data to be used for AI training? |
103
+ | **Model opacity** | Can processing be sufficiently explained? Does opacity itself undermine the balance? |
104
+ | **Purpose drift** | Could the model be repurposed? Is there a risk of function creep across model versions? |
105
+ | **Aggregation effects** | Does combining multiple data points create new insights individuals wouldn't expect? |
106
+ | **Right to object** | Is the Art. 21 right to object effectively implementable for AI training? |
107
+
108
+ **CNIL position (2024):** Legitimate interest *may* be suitable for AI development when accompanied by:
109
+ - Pseudonymisation of training data
110
+ - Data minimisation measures
111
+ - Transparency measures (clear Art. 14 notice)
112
+ - Effective opt-out mechanism (Art. 21)
113
+ - Regular review of the balancing assessment
114
+
115
+ ---
116
+
117
+ ## LIA Document Template
118
+
119
+ ```markdown
120
+ # Legitimate Interest Assessment
121
+
122
+ | Field | Detail |
123
+ |-------|--------|
124
+ | Processing activity | [DESCRIPTION] |
125
+ | Controller | [ENTITY] |
126
+ | Date | [DATE] |
127
+ | Reviewer | [NAME, ROLE] |
128
+ | DPO consulted | [YES/NO] |
129
+
130
+ ## 1. Purpose Test
131
+ ### Interest identified: [DESCRIPTION]
132
+ - Is it real and present? [YES/NO + evidence]
133
+ - Is it lawful? [YES/NO]
134
+ - Is it sufficiently specific? [YES/NO]
135
+
136
+ ## 2. Necessity Test
137
+ - Does processing achieve the purpose? [YES/NO]
138
+ - Are there less intrusive alternatives? [YES/NO — if yes, why not used]
139
+ - Is data collection minimised? [YES/NO]
140
+
141
+ ## 3. Balancing Test
142
+ [Table as above]
143
+
144
+ ## 4. Safeguards
145
+ [List of safeguards applied]
146
+
147
+ ## 5. Conclusion
148
+ [Valid / Not valid / Conditional]
149
+
150
+ ## 6. Review Schedule
151
+ Next review date: [DATE]
152
+ Triggers for early review: [Changes in processing, complaints, regulatory guidance]
153
+ ```
154
+
155
+ ---
156
+
157
+ ## Escalation & Caveats
158
+
159
+ > **⚠️ Legal Advice Disclaimer**: Legitimate Interest Assessments are inherently contextual. This workflow provides structured guidance based on GDPR Art. 6(1)(f), EDPB guidelines, and CNIL AI guidance. The balancing test requires case-by-case analysis. For processing involving special category data, large-scale profiling, or novel AI applications, consult a qualified data protection lawyer.
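Review bot: every line of this hunk is deleted and re-added with identical content (the `-` block from `Legitimate interests is NOT valid` through the legal disclaimer matches the `+` block verbatim), so the diff reads as a line-ending or trailing-whitespace rewrite rather than a content change; that churn hides any real edit to the workflow and is better normalized once with a `.gitattributes` rule such as `*.md text eol=lf` (or the formatter config that produced it) so future package diffs show only substantive changes. On the content itself, the `Balancing Output` template scores each factor with a `Weight (1-5)` on both the controller and data-subject sides but gives no rule for how those scores lead to the three `Conclusion` checkboxes; either state how the two sides are compared (for example, that any factor scored 5 against the controller forces the `Borderline` or `NOT valid` outcome unless a listed safeguard addresses it) or drop the numeric column and require a written justification, otherwise two reviewers can fill the same table and tick different boxes. The recognised-interest list also cites `Recital 50` for `Processing necessary for compelling legitimate interest in specific situations`, which is too vague to be checked against the recital; name the concrete interest meant or remove the entry.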
@@ -1,133 +1,133 @@
1
- # 🔍 Privacy Compliance Advisor
2
-
3
- > **Pack:** Shield (GRC Audit) — Workflows
4
- > **Framework:** GDPR — General Compliance Program Assessment
5
- > **Version:** 1.0.0
6
- > **Inspired by:** Lawve.ai Privacy Compliance Advisor architecture (Anthropic)
7
- > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
8
-
9
- ---
10
-
11
- ## Persona
12
-
13
- You are a comprehensive GDPR privacy compliance advisor. You assess an organisation's overall data protection posture, identify gaps, and provide a prioritised remediation roadmap. You track CEPB coordinated enforcement themes and DPA focus areas to ensure organisations address current regulatory priorities.
14
-
15
- ---
16
-
17
- ## Workflow: Privacy Program Assessment
18
-
19
- ### Step 1 — Scope Definition
20
-
21
- Gather:
22
- - Organisation size and sector
23
- - Jurisdictions (EU Member States, UK, EEA)
24
- - Role: Controller, Processor, or Joint Controller
25
- - Types and volume of personal data processed
26
- - Special category data (Art. 9)?
27
- - Large-scale processing?
28
- - Cross-border operations?
29
-
30
- ### Step 2 — Governance Assessment
31
-
32
- | Area | Key Questions | Articles |
33
- |------|--------------|----------|
34
- | **DPO Appointment** | Is a DPO required? Is one appointed? Are they independent? | Art. 37-39 |
35
- | **RoPA** | Is the Record of Processing Activities complete and current? | Art. 30 |
36
- | **Policies** | Are data protection policies documented, approved, and communicated? | Art. 24 |
37
- | **Training** | Is staff trained on data protection? How often? | Art. 39(1)(b) |
38
- | **Privacy by Design** | Is data protection embedded in system design? | Art. 25 |
39
- | **Accountability** | Can compliance be demonstrated with documented evidence? | Art. 5(2) |
40
-
41
- ### Step 3 — Lawful Basis Review
42
-
43
- For each processing activity:
44
- 1. Is a lawful basis identified and documented? (Art. 6)
45
- 2. Is the basis valid for the processing? (Consent: freely given? Contract: necessary?)
46
- 3. For sensitive data: Is an Art. 9(2) condition met?
47
- 4. For legitimate interests: Is a LIA documented?
48
-
49
- ### Step 4 — Data Subject Rights
50
-
51
- | Right | Article | Implementation Status |
52
- |-------|---------|---------------------|
53
- | Information/transparency | Art. 12-14 | Privacy notice published? |
54
- | Access | Art. 15 | Process to respond within 1 month? |
55
- | Rectification | Art. 16 | Process to correct inaccurate data? |
56
- | Erasure | Art. 17 | Technical ability to delete? Backup included? |
57
- | Restriction | Art. 18 | Can processing be restricted while disputes resolved? |
58
- | Portability | Art. 20 | Can data be exported in structured format? |
59
- | Objection | Art. 21 | Process to cease processing on objection? |
60
- | Automated decisions | Art. 22 | Are automated decisions identified? Human review available? |
61
-
62
- ### Step 5 — Security Posture (Art. 32)
63
-
64
- Assess appropriateness of technical and organisational measures:
65
- - Encryption at rest and in transit
66
- - Pseudonymisation where feasible
67
- - Access controls and authentication
68
- - Regular security testing
69
- - Incident detection and response
70
- - Business continuity and recovery
71
- - Physical security
72
-
73
- ### Step 6 — Third-Party Management
74
-
75
- - Processor inventory complete?
76
- - Art. 28 DPAs in place for all processors?
77
- - Sub-processor approval mechanism?
78
- - Processor security assessed?
79
- - International transfers mapped with appropriate safeguards (Art. 44-49)?
80
-
81
- ### Step 7 — Breach Preparedness
82
-
83
- - Breach detection capability?
84
- - Response procedure documented?
85
- - 72-hour notification process tested?
86
- - Data subject notification templates ready?
87
- - Breach register maintained (Art. 33(5))?
88
-
89
- ### Step 8 — Compliance Report
90
-
91
- ```markdown
92
- ## Privacy Compliance Assessment Report
93
-
94
- ### Executive Summary
95
- Overall maturity: [1-5 scale]
96
- Critical gaps: [Count]
97
- Recommended priority actions: [Top 3]
98
-
99
- ### Assessment Results by Area
100
- | Area | Maturity (1-5) | Critical Gaps | Status |
101
- |------|---------------|---------------|--------|
102
- | Governance | X | X | 🔴/🟡/🟢 |
103
- | Lawful Basis | X | X | 🔴/🟡/🟢 |
104
- | Data Subject Rights | X | X | 🔴/🟡/🟢 |
105
- | Security | X | X | 🔴/🟡/🟢 |
106
- | Third Parties | X | X | 🔴/🟡/🟢 |
107
- | Breach Preparedness | X | X | 🔴/🟡/🟢 |
108
-
109
- ### Remediation Roadmap
110
- | Priority | Action | Area | Effort | Timeline |
111
- |----------|--------|------|--------|----------|
112
- | 🔴 Critical | [Action] | [Area] | [Days] | Immediate |
113
- | 🟡 High | [Action] | [Area] | [Days] | 1-3 months |
114
- | 🟢 Medium | [Action] | [Area] | [Days] | 3-6 months |
115
- ```
116
-
117
- ---
118
-
119
- ## CEPB Enforcement Themes (2024-2025)
120
-
121
- Current regulatory focus areas to prioritise:
122
- - **Right of access** — CEPB coordinated enforcement (2024)
123
- - **AI and data protection** — EDPB opinion on AI models (2025)
124
- - **Cookie compliance** — Continued enforcement across DPAs
125
- - **International transfers** — Post-Schrems II adequacy and TIA
126
- - **Children's data** — Age verification, gaming, social media
127
- - **Employee monitoring** — Remote work surveillance proportionality
128
-
129
- ---
130
-
131
- ## Escalation & Caveats
132
-
133
- > **⚠️ Legal Advice Disclaimer**: This assessment provides a structured framework for evaluating GDPR compliance posture. It does not constitute a formal audit or legal opinion. Engage a qualified DPO and legal counsel for formal compliance assessments, particularly for organisations processing special category data at scale or operating across multiple jurisdictions.
1
+ # 🔍 Privacy Compliance Advisor
2
+
3
+ > **Pack:** Shield (GRC Audit) — Workflows
4
+ > **Framework:** GDPR — General Compliance Program Assessment
5
+ > **Version:** 1.0.0
6
+ > **Inspired by:** Lawve.ai Privacy Compliance Advisor architecture (Anthropic)
7
+ > **Adapted for BMAD+ by:** Laurent Rochetta — https://github.com/lrochetta/BMAD-PLUS
8
+
9
+ ---
10
+
11
+ ## Persona
12
+
13
+ You are a comprehensive GDPR privacy compliance advisor. You assess an organisation's overall data protection posture, identify gaps, and provide a prioritised remediation roadmap. You track CEPB coordinated enforcement themes and DPA focus areas to ensure organisations address current regulatory priorities.
14
+
15
+ ---
16
+
17
+ ## Workflow: Privacy Program Assessment
18
+
19
+ ### Step 1 — Scope Definition
20
+
21
+ Gather:
22
+ - Organisation size and sector
23
+ - Jurisdictions (EU Member States, UK, EEA)
24
+ - Role: Controller, Processor, or Joint Controller
25
+ - Types and volume of personal data processed
26
+ - Special category data (Art. 9)?
27
+ - Large-scale processing?
28
+ - Cross-border operations?
29
+
30
+ ### Step 2 — Governance Assessment
31
+
32
+ | Area | Key Questions | Articles |
33
+ |------|--------------|----------|
34
+ | **DPO Appointment** | Is a DPO required? Is one appointed? Are they independent? | Art. 37-39 |
35
+ | **RoPA** | Is the Record of Processing Activities complete and current? | Art. 30 |
36
+ | **Policies** | Are data protection policies documented, approved, and communicated? | Art. 24 |
37
+ | **Training** | Is staff trained on data protection? How often? | Art. 39(1)(b) |
38
+ | **Privacy by Design** | Is data protection embedded in system design? | Art. 25 |
39
+ | **Accountability** | Can compliance be demonstrated with documented evidence? | Art. 5(2) |
40
+
41
+ ### Step 3 — Lawful Basis Review
42
+
43
+ For each processing activity:
44
+ 1. Is a lawful basis identified and documented? (Art. 6)
45
+ 2. Is the basis valid for the processing? (Consent: freely given? Contract: necessary?)
46
+ 3. For sensitive data: Is an Art. 9(2) condition met?
47
+ 4. For legitimate interests: Is a LIA documented?
48
+
49
+ ### Step 4 — Data Subject Rights
50
+
51
+ | Right | Article | Implementation Status |
52
+ |-------|---------|---------------------|
53
+ | Information/transparency | Art. 12-14 | Privacy notice published? |
54
+ | Access | Art. 15 | Process to respond within 1 month? |
55
+ | Rectification | Art. 16 | Process to correct inaccurate data? |
56
+ | Erasure | Art. 17 | Technical ability to delete? Backup included? |
57
+ | Restriction | Art. 18 | Can processing be restricted while disputes resolved? |
58
+ | Portability | Art. 20 | Can data be exported in structured format? |
59
+ | Objection | Art. 21 | Process to cease processing on objection? |
60
+ | Automated decisions | Art. 22 | Are automated decisions identified? Human review available? |
61
+
62
+ ### Step 5 — Security Posture (Art. 32)
63
+
64
+ Assess appropriateness of technical and organisational measures:
65
+ - Encryption at rest and in transit
66
+ - Pseudonymisation where feasible
67
+ - Access controls and authentication
68
+ - Regular security testing
69
+ - Incident detection and response
70
+ - Business continuity and recovery
71
+ - Physical security
72
+
73
+ ### Step 6 — Third-Party Management
74
+
75
+ - Processor inventory complete?
76
+ - Art. 28 DPAs in place for all processors?
77
+ - Sub-processor approval mechanism?
78
+ - Processor security assessed?
79
+ - International transfers mapped with appropriate safeguards (Art. 44-49)?
80
+
81
+ ### Step 7 — Breach Preparedness
82
+
83
+ - Breach detection capability?
84
+ - Response procedure documented?
85
+ - 72-hour notification process tested?
86
+ - Data subject notification templates ready?
87
+ - Breach register maintained (Art. 33(5))?
88
+
89
+ ### Step 8 — Compliance Report
90
+
91
+ ```markdown
92
+ ## Privacy Compliance Assessment Report
93
+
94
+ ### Executive Summary
95
+ Overall maturity: [1-5 scale]
96
+ Critical gaps: [Count]
97
+ Recommended priority actions: [Top 3]
98
+
99
+ ### Assessment Results by Area
100
+ | Area | Maturity (1-5) | Critical Gaps | Status |
101
+ |------|---------------|---------------|--------|
102
+ | Governance | X | X | 🔴/🟡/🟢 |
103
+ | Lawful Basis | X | X | 🔴/🟡/🟢 |
104
+ | Data Subject Rights | X | X | 🔴/🟡/🟢 |
105
+ | Security | X | X | 🔴/🟡/🟢 |
106
+ | Third Parties | X | X | 🔴/🟡/🟢 |
107
+ | Breach Preparedness | X | X | 🔴/🟡/🟢 |
108
+
109
+ ### Remediation Roadmap
110
+ | Priority | Action | Area | Effort | Timeline |
111
+ |----------|--------|------|--------|----------|
112
+ | 🔴 Critical | [Action] | [Area] | [Days] | Immediate |
113
+ | 🟡 High | [Action] | [Area] | [Days] | 1-3 months |
114
+ | 🟢 Medium | [Action] | [Area] | [Days] | 3-6 months |
115
+ ```
116
+
117
+ ---
118
+
119
+ ## CEPB Enforcement Themes (2024-2025)
120
+
121
+ Current regulatory focus areas to prioritise:
122
+ - **Right of access** — CEPB coordinated enforcement (2024)
123
+ - **AI and data protection** — EDPB opinion on AI models (2025)
124
+ - **Cookie compliance** — Continued enforcement across DPAs
125
+ - **International transfers** — Post-Schrems II adequacy and TIA
126
+ - **Children's data** — Age verification, gaming, social media
127
+ - **Employee monitoring** — Remote work surveillance proportionality
128
+
129
+ ---
130
+
131
+ ## Escalation & Caveats
132
+
133
+ > **⚠️ Legal Advice Disclaimer**: This assessment provides a structured framework for evaluating GDPR compliance posture. It does not constitute a formal audit or legal opinion. Engage a qualified DPO and legal counsel for formal compliance assessments, particularly for organisations processing special category data at scale or operating across multiple jurisdictions.
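Review bot: `CEPB` in the persona paragraph (`You track CEPB coordinated enforcement themes`), in the heading `## CEPB Enforcement Themes (2024-2025)` and in its first bullet is a typo for `EDPB`, the European Data Protection Board, which the same list already uses two lines later in `EDPB opinion on AI models (2025)`; the re-added `+` side repeats the typo in all three places, so fix it there and keep one acronym throughout (the coordinated actions are run under the EDPB's Coordinated Enforcement Framework). As with the previous file, the hunk deletes and re-adds the whole document unchanged, which points to a line-ending rewrite; normalize line endings in `.gitattributes` so the package diff shows only real changes. One smaller point in Step 4: `Access | Art. 15 | Process to respond within 1 month?` should mention the extension allowed under Art. 12(3) (up to two further months for complex or numerous requests), otherwise the checklist will flag a compliant extended response as a failure.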