bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,281 +1,281 @@
1
- # CSRD Compliance Programme Reference
2
-
3
- ## Programme Templates, Checklists, and Implementation Guidance
4
-
5
- ---
6
-
7
- ## 1. CSRD Implementation Roadmap
8
-
9
- ### Phase 0 — Scoping (Months 1–2)
10
- - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
- - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
- - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
- - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
- - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
-
16
- ### Phase 1 — Foundation (Months 2–5)
17
- - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
- - [ ] Establish governance: board/committee oversight of CSRD preparation
19
- - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
- - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
- - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
- - [ ] Assess data availability across all material ESRS topics
23
-
24
- ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
- - [ ] Complete full DMA with stakeholder engagement
26
- - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
- - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
- - [ ] Assess value chain data collection feasibility for material topics
29
- - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
- - [ ] Design data collection processes and assign ownership
31
- - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
- - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
-
34
- ### Phase 3 — Data Collection and Controls (Months 6–14)
35
- - [ ] Implement data collection processes for all material ESRS datapoints
36
- - [ ] Develop and implement internal controls over sustainability reporting
37
- - [ ] Establish data quality review and sign-off procedures
38
- - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
- - [ ] Collect workforce data (ESRS S1 datapoints)
40
- - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
- - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
- - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
-
44
- ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
- - [ ] Draft CSRD disclosures for all material ESRS topics
46
- - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
- - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
- - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
- - [ ] Engage assurance provider for limited assurance engagement
50
- - [ ] Respond to assurance queries and implement recommendations
51
- - [ ] Obtain assurance report
52
- - [ ] Board / supervisory body sign-off
53
-
54
- ### Phase 5 — Publication and Ongoing Compliance
55
- - [ ] Publish sustainability disclosures in annual report
56
- - [ ] File ESEF-tagged annual report with national registry
57
- - [ ] Update DMA annually
58
- - [ ] Track ESRS amendments and Commission guidance
59
- - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
- - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
-
62
- ---
63
-
64
- ## 2. CSRD Gap Assessment Template
65
-
66
- ### Instructions
67
- Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
-
69
- | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
- |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
- | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
- | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
- | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
- | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
- | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
- | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
- | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
- | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
-
80
- **Priority Definitions:**
81
- - **CRITICAL:** Legal requirement; cannot publish without this data
82
- - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
- - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
- - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
-
86
- ---
87
-
88
- ## 3. Data Collection Framework
89
-
90
- ### Governance Data (ESRS 2 GOV)
91
-
92
- | Datapoint | Data Source | Frequency | Owner |
93
- |-----------|------------|-----------|-------|
94
- | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
- | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
- | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
- | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
-
99
- ### Climate Data (ESRS E1)
100
-
101
- | Datapoint | Data Source | Frequency | Owner |
102
- |-----------|------------|-----------|-------|
103
- | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
- | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
- | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
- | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
- | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
- | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
- | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
- | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
- | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
- | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
- | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
-
115
- ### Workforce Data (ESRS S1)
116
-
117
- | Datapoint | Data Source | Frequency | Owner |
118
- |-----------|------------|-----------|-------|
119
- | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
- | Turnover rate | HRIS system | Annual | HR |
121
- | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
- | Collective bargaining coverage | HR records / legal | Annual | HR |
123
- | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
- | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
- | Parental leave uptake | HR records | Annual | HR |
126
- | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
-
128
- ---
129
-
130
- ## 4. Scope 3 GHG Emissions Programme
131
-
132
- ### Category Priority Matrix
133
-
134
- | Category | Typically Material? | Data Availability | Recommended Approach |
135
- |----------|-------------------|------------------|---------------------|
136
- | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
- | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
- | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
- | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
- | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
- | Cat. 6: Business travel | Medium | High | Travel management system data |
142
- | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
- | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
- | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
- | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
- | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
- | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
- | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
- | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
- | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
-
152
- **Recommended Scope 3 Phasing:**
153
- - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
- - **Year 2:** Add Cats. 2, 4, 5, 12
155
- - **Year 3:** Full coverage with improved primary data
156
-
157
- ---
158
-
159
- ## 5. Assurance Readiness Checklist
160
-
161
- ### Pre-Assurance Requirements
162
-
163
- **Governance and Responsibility**
164
- - [ ] Named individual responsible for each material ESRS topic and its data
165
- - [ ] Clear escalation path for sustainability data queries
166
- - [ ] Board/audit committee oversight of sustainability reporting
167
-
168
- **Documentation**
169
- - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
- - [ ] Data collection procedures documented for each datapoint
171
- - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
- - [ ] Internal review and sign-off process documented
173
- - [ ] Correction procedure for sustainability data errors
174
-
175
- **Data Quality**
176
- - [ ] Data trail from source system to reported figure for each datapoint
177
- - [ ] Evidence of data completeness checks (coverage of operations)
178
- - [ ] Prior year comparatives available and reconciled
179
- - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
- - [ ] Restatement policy defined
181
-
182
- **Controls**
183
- - [ ] Internal controls documented for key sustainability data processes
184
- - [ ] Evidence of management review and approval of sustainability disclosures
185
- - [ ] Segregation of duties between data collectors and approvers
186
-
187
- **Boundary and Scope**
188
- - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
- - [ ] Any boundary differences vs. financial reporting documented and justified
190
- - [ ] Value chain scope clearly defined and disclosed
191
-
192
- ### Limited Assurance vs. Reasonable Assurance
193
-
194
- | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
- |--------|----------------------------|------------------------------|
196
- | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
- | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
- | Evidence | Less extensive | More extensive; site visits typical |
199
- | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
- | Documentation | Less detailed | Detailed audit-like evidence file |
201
- | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
-
203
- **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
-
205
- ---
206
-
207
- ## 6. XBRL Digital Tagging — Practical Guide
208
-
209
- ### What Must Be Tagged
210
- - All quantitative datapoints in the sustainability disclosures
211
- - Key qualitative disclosures (policy statements, targets)
212
- - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
-
214
- ### Tagging Approach Options
215
- 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
- 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
- 3. **Outsourced:** Use XBRL tagging service provider
218
-
219
- ### Timeline
220
- - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
- - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
-
223
- ---
224
-
225
- ## 7. Value Chain Data Collection — Supplier Engagement
226
-
227
- ### Supplier Prioritisation Framework
228
-
229
- Prioritise suppliers based on:
230
- 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
- 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
- 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
- 4. **Strategic / sole-source relationships** (limited substitutability)
234
-
235
- ### Data Collection Methods
236
-
237
- | Method | Best for | Effort | Data Quality |
238
- |--------|---------|--------|-------------|
239
- | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
- | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
- | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
- | Industry sector averages | Where direct data unavailable | Very low | Low |
243
- | Site audits | High-risk suppliers | High | Very High |
244
-
245
- ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
- Where value chain data is not directly available, companies must disclose:
247
- - Which datapoints use estimated/proxy data
248
- - The estimation methodology applied
249
- - The level of accuracy and main sources of uncertainty
250
- - Steps being taken to improve data quality over time
251
-
252
- ---
253
-
254
- ## 8. CSRD vs. NFRD — Key Differences
255
-
256
- | Aspect | NFRD (old) | CSRD (new) |
257
- |--------|-----------|-----------|
258
- | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
- | Non-EU companies | Not covered | >€150M EU turnover |
260
- | Standards | No mandatory standards | Mandatory ESRS |
261
- | Materiality | Financial only | Double materiality (impact + financial) |
262
- | Value chain | Not required | Required where material |
263
- | Assurance | Not required (some member states) | Mandatory limited assurance |
264
- | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
- | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
-
267
- ---
268
-
269
- ## 9. Omnibus Package Watch (2025)
270
-
271
- The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
-
273
- **Proposed changes (not yet final as of ESRS publication date):**
274
- - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
- - Reducing mandatory datapoints
276
- - Delaying listed SME obligations
277
- - Simplifying value chain reporting requirements
278
-
279
- **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
-
281
- The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.
1
+ # CSRD Compliance Programme Reference
2
+
3
+ ## Programme Templates, Checklists, and Implementation Guidance
4
+
5
+ ---
6
+
7
+ ## 1. CSRD Implementation Roadmap
8
+
9
+ ### Phase 0 — Scoping (Months 1–2)
10
+ - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
+ - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
+ - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
+ - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
+ - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
+
16
+ ### Phase 1 — Foundation (Months 2–5)
17
+ - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
+ - [ ] Establish governance: board/committee oversight of CSRD preparation
19
+ - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
+ - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
+ - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
+ - [ ] Assess data availability across all material ESRS topics
23
+
24
+ ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
+ - [ ] Complete full DMA with stakeholder engagement
26
+ - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
+ - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
+ - [ ] Assess value chain data collection feasibility for material topics
29
+ - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
+ - [ ] Design data collection processes and assign ownership
31
+ - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
+ - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
+
34
+ ### Phase 3 — Data Collection and Controls (Months 6–14)
35
+ - [ ] Implement data collection processes for all material ESRS datapoints
36
+ - [ ] Develop and implement internal controls over sustainability reporting
37
+ - [ ] Establish data quality review and sign-off procedures
38
+ - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
+ - [ ] Collect workforce data (ESRS S1 datapoints)
40
+ - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
+ - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
+ - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
+
44
+ ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
+ - [ ] Draft CSRD disclosures for all material ESRS topics
46
+ - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
+ - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
+ - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
+ - [ ] Engage assurance provider for limited assurance engagement
50
+ - [ ] Respond to assurance queries and implement recommendations
51
+ - [ ] Obtain assurance report
52
+ - [ ] Board / supervisory body sign-off
53
+
54
+ ### Phase 5 — Publication and Ongoing Compliance
55
+ - [ ] Publish sustainability disclosures in annual report
56
+ - [ ] File ESEF-tagged annual report with national registry
57
+ - [ ] Update DMA annually
58
+ - [ ] Track ESRS amendments and Commission guidance
59
+ - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
+ - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
+
62
+ ---
63
+
64
+ ## 2. CSRD Gap Assessment Template
65
+
66
+ ### Instructions
67
+ Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
+
69
+ | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
+ |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
+ | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
+ | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
+ | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
+ | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
+ | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
+ | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
+ | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
+ | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
+
80
+ **Priority Definitions:**
81
+ - **CRITICAL:** Legal requirement; cannot publish without this data
82
+ - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
+ - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
+ - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
+
86
+ ---
87
+
88
+ ## 3. Data Collection Framework
89
+
90
+ ### Governance Data (ESRS 2 GOV)
91
+
92
+ | Datapoint | Data Source | Frequency | Owner |
93
+ |-----------|------------|-----------|-------|
94
+ | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
+ | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
+ | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
+ | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
+
99
+ ### Climate Data (ESRS E1)
100
+
101
+ | Datapoint | Data Source | Frequency | Owner |
102
+ |-----------|------------|-----------|-------|
103
+ | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
+ | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
+ | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
+ | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
+ | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
+ | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
+ | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
+ | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
+ | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
+ | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
+ | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
+
115
+ ### Workforce Data (ESRS S1)
116
+
117
+ | Datapoint | Data Source | Frequency | Owner |
118
+ |-----------|------------|-----------|-------|
119
+ | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
+ | Turnover rate | HRIS system | Annual | HR |
121
+ | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
+ | Collective bargaining coverage | HR records / legal | Annual | HR |
123
+ | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
+ | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
+ | Parental leave uptake | HR records | Annual | HR |
126
+ | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
+
128
+ ---
129
+
130
+ ## 4. Scope 3 GHG Emissions Programme
131
+
132
+ ### Category Priority Matrix
133
+
134
+ | Category | Typically Material? | Data Availability | Recommended Approach |
135
+ |----------|-------------------|------------------|---------------------|
136
+ | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
+ | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
+ | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
+ | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
+ | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
+ | Cat. 6: Business travel | Medium | High | Travel management system data |
142
+ | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
+ | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
+ | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
+ | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
+ | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
+ | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
+ | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
+ | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
+ | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
+
152
+ **Recommended Scope 3 Phasing:**
153
+ - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
+ - **Year 2:** Add Cats. 2, 4, 5, 12
155
+ - **Year 3:** Full coverage with improved primary data
156
+
157
+ ---
158
+
159
+ ## 5. Assurance Readiness Checklist
160
+
161
+ ### Pre-Assurance Requirements
162
+
163
+ **Governance and Responsibility**
164
+ - [ ] Named individual responsible for each material ESRS topic and its data
165
+ - [ ] Clear escalation path for sustainability data queries
166
+ - [ ] Board/audit committee oversight of sustainability reporting
167
+
168
+ **Documentation**
169
+ - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
+ - [ ] Data collection procedures documented for each datapoint
171
+ - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
+ - [ ] Internal review and sign-off process documented
173
+ - [ ] Correction procedure for sustainability data errors
174
+
175
+ **Data Quality**
176
+ - [ ] Data trail from source system to reported figure for each datapoint
177
+ - [ ] Evidence of data completeness checks (coverage of operations)
178
+ - [ ] Prior year comparatives available and reconciled
179
+ - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
+ - [ ] Restatement policy defined
181
+
182
+ **Controls**
183
+ - [ ] Internal controls documented for key sustainability data processes
184
+ - [ ] Evidence of management review and approval of sustainability disclosures
185
+ - [ ] Segregation of duties between data collectors and approvers
186
+
187
+ **Boundary and Scope**
188
+ - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
+ - [ ] Any boundary differences vs. financial reporting documented and justified
190
+ - [ ] Value chain scope clearly defined and disclosed
191
+
192
+ ### Limited Assurance vs. Reasonable Assurance
193
+
194
+ | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
+ |--------|----------------------------|------------------------------|
196
+ | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
+ | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
+ | Evidence | Less extensive | More extensive; site visits typical |
199
+ | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
+ | Documentation | Less detailed | Detailed audit-like evidence file |
201
+ | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
+
203
+ **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
+
205
+ ---
206
+
207
+ ## 6. XBRL Digital Tagging — Practical Guide
208
+
209
+ ### What Must Be Tagged
210
+ - All quantitative datapoints in the sustainability disclosures
211
+ - Key qualitative disclosures (policy statements, targets)
212
+ - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
+
214
+ ### Tagging Approach Options
215
+ 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
+ 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
+ 3. **Outsourced:** Use XBRL tagging service provider
218
+
219
+ ### Timeline
220
+ - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
+ - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
+
223
+ ---
224
+
225
+ ## 7. Value Chain Data Collection — Supplier Engagement
226
+
227
+ ### Supplier Prioritisation Framework
228
+
229
+ Prioritise suppliers based on:
230
+ 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
+ 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
+ 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
+ 4. **Strategic / sole-source relationships** (limited substitutability)
234
+
235
+ ### Data Collection Methods
236
+
237
+ | Method | Best for | Effort | Data Quality |
238
+ |--------|---------|--------|-------------|
239
+ | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
+ | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
+ | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
+ | Industry sector averages | Where direct data unavailable | Very low | Low |
243
+ | Site audits | High-risk suppliers | High | Very High |
244
+
245
+ ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
+ Where value chain data is not directly available, companies must disclose:
247
+ - Which datapoints use estimated/proxy data
248
+ - The estimation methodology applied
249
+ - The level of accuracy and main sources of uncertainty
250
+ - Steps being taken to improve data quality over time
251
+
252
+ ---
253
+
254
+ ## 8. CSRD vs. NFRD — Key Differences
255
+
256
+ | Aspect | NFRD (old) | CSRD (new) |
257
+ |--------|-----------|-----------|
258
+ | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
+ | Non-EU companies | Not covered | >€150M EU turnover |
260
+ | Standards | No mandatory standards | Mandatory ESRS |
261
+ | Materiality | Financial only | Double materiality (impact + financial) |
262
+ | Value chain | Not required | Required where material |
263
+ | Assurance | Not required (some member states) | Mandatory limited assurance |
264
+ | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
+ | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
+
267
+ ---
268
+
269
+ ## 9. Omnibus Package Watch (2025)
270
+
271
+ The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
+
273
+ **Proposed changes (not yet final as of ESRS publication date):**
274
+ - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
+ - Reducing mandatory datapoints
276
+ - Delaying listed SME obligations
277
+ - Simplifying value chain reporting requirements
278
+
279
+ **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
+
281
+ The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.