bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,280 +1,280 @@
1
- # EAR Export Compliance Programme, Enforcement, and Special Rules
2
-
3
- ## Export Compliance Programme (ECP) — BIS Seven Elements
4
-
5
- BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
-
7
- ### Element 1 — Management Commitment
8
-
9
- - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
- - Written, board-approved export compliance policy signed by senior officer
11
- - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
- - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
- - Annual certification to the board that the ECP is operating effectively
14
-
15
- **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
-
17
- ### Element 2 — Risk Assessment
18
-
19
- - Identify all products, software, and technology subject to EAR
20
- - Classify each item: ECCN or EAR99 (document the classification rationale)
21
- - Identify all business units, geographies, and transaction types
22
- - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
- - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
-
25
- **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
-
27
- ### Element 3 — Written Policies and Procedures
28
-
29
- - Written, procedure-level guidance for each process that touches exports:
30
- - Customer onboarding and restricted party screening
31
- - Order acceptance and fulfilment (sales, finance, logistics)
32
- - ECCN classification and update trigger
33
- - Licence application and management
34
- - Employee travel with controlled items/technology
35
- - Hiring of foreign nationals (deemed export screening)
36
- - Distributor/reseller programme requirements
37
- - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
-
39
- ### Element 4 — Training and Awareness
40
-
41
- - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
- - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
- - Annual refresher training with sign-off acknowledgement
44
- - Training records retained for 5 years
45
- - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
-
47
- **Topics for engineers and developers:**
48
- - Deemed exports: sharing controlled source code with foreign national colleagues
49
- - Cloud platforms and access controls for controlled technology
50
- - Open-source publication — fundamental research exemption vs. EAR controls on software
51
-
52
- ### Element 5 — Restricted Party Screening
53
-
54
- - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
- - Minimum lists to screen against:
56
- - BIS Denied Persons List
57
- - BIS Entity List
58
- - BIS Unverified List
59
- - BIS Military End-User (MEU) List
60
- - State Department Debarred List (DDTC)
61
- - OFAC SDN List
62
- - OFAC Consolidated Sanctions List
63
- - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
- - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
-
66
- **Screening cadence for ongoing relationships:**
67
- - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
- - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
-
70
- **Handling a match:**
71
- 1. Do not ship or service the order
72
- 2. Escalate to ECO/legal immediately
73
- 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
- 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
- 5. Document the match, review, and outcome
76
-
77
- ### Element 6 — Due Diligence (Know Your Customer)
78
-
79
- - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
- - For high-risk transactions, obtain:
81
- - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
- - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
- - **Distributor Management: assurances that downstream sales comply with EAR**
84
- - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
- - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
-
87
- ### Element 7 — Recordkeeping and Audits
88
-
89
- - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
- - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
- - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
- - Annual internal ECP audit or review
93
- - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
-
95
- ---
96
-
97
- ## Enforcement Regime
98
-
99
- ### Office of Export Enforcement (OEE)
100
-
101
- BIS's enforcement arm investigates violations through:
102
- - **Special Agents** conducting criminal investigations
103
- - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
- - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
-
106
- ### Civil Penalties (§ 764.3, Part 766)
107
-
108
- | Violation Type | Maximum Penalty |
109
- |---------------|----------------|
110
- | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
- | Egregious violations | Higher penalties; may approach statutory maximum |
112
- | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
-
114
- **Penalty determination factors (Part 766, Supplement 1):**
115
- - Willfulness (did the violator know it was a violation?)
116
- - Nature of the item (weapons-relevant, dual-use, EAR99)
117
- - Harm to US national security or foreign policy interests
118
- - Compliance programme quality (strong ECP = significant mitigation)
119
- - Remedial action taken
120
- - Cooperation with OEE
121
-
122
- **Base penalty matrix** (post-September 2024 rule change):
123
- - BIS removed caps that previously limited penalties below statutory maximums
124
- - Penalties now more directly reflect transaction value, particularly for egregious cases
125
- - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
-
127
- ### Criminal Penalties (§ 764.2)
128
-
129
- Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
- - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
- - **Corporations:** Fines up to $1 million per violation (per count)
132
- - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
-
134
- ### Export Denial Orders (EDOs)
135
-
136
- BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
- - EDOs are published in the Federal Register and placed on the Denied Persons List
138
- - Third parties are prohibited from participating in any transaction involving a denied person
139
- - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
-
141
- ---
142
-
143
- ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
-
145
- ### What is a VSD?
146
-
147
- A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
-
149
- ### When to File
150
-
151
- File a VSD when you discover:
152
- - Items shipped without a required licence
153
- - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
- - Incorrect ECCN used that resulted in an unlicensed shipment
155
- - SNAP-R licence conditions violated
156
- - Prohibited end-use found post-shipment
157
-
158
- ### VSD Process
159
-
160
- 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
- 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
- 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
- - Detailed narrative of the facts
164
- - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
- - Root cause analysis
166
- - Remedial actions already taken
167
- - Proposed corrective actions
168
- 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
- 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
-
171
- ### VSD Penalty Mitigation
172
-
173
- - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
- - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
- - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
-
177
- ---
178
-
179
- ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
-
181
- ### General FDPR (§ 736.2(b)(3))
182
-
183
- Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
-
185
- **Test:** Two-prong test:
186
- 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
- 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
-
189
- ### Entity List FDPR (2020 — Huawei Rule)
190
-
191
- Extended the FDPR to capture foreign-made items when:
192
- 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
- 2. AND the item is destined for a party on the Entity List
194
-
195
- Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
-
197
- ### Advanced Computing FDPR (October 2022 / October 2023)
198
-
199
- Captures items produced with US wafer fabrication equipment destined for:
200
- - China or Macau for use in advanced computing applications above threshold
201
- - Any Entity List party
202
-
203
- ### Russia/Belarus FDPR (March 2022)
204
-
205
- Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
-
207
- ---
208
-
209
- ## Deemed Export Rules — Compliance Programme Implications
210
-
211
- ### What Constitutes a Deemed Export
212
-
213
- Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
- - Visual inspection of controlled hardware
215
- - Providing access to controlled equipment
216
- - Oral, written, or electronic transmission of controlled technical data
217
- - Demonstration of controlled software
218
-
219
- ### Nationality Rule
220
-
221
- BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
- - Apply the nationality that requires the most restrictive licensing treatment
223
- - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
-
225
- ### Practical Compliance Steps
226
-
227
- 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
- 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
- 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
- 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
- 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
- 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
-
234
- ---
235
-
236
- ## SNAP-R — Licensing Portal Guidance
237
-
238
- **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
-
240
- **Forms filed through SNAP-R:**
241
- - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
- - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
- - BIS-748P-B: Supplement for end-user statement attachments
244
- - BIS-711: Statement by Ultimate Consignee and Purchaser
245
-
246
- **SNAP-R Best Practices:**
247
- - Submit complete applications — missing technical data is the #1 cause of delay
248
- - Include end-use statements and supporting technical documentation proactively
249
- - Track licence expiration dates and re-apply at least 60 days before expiry
250
- - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
- - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
-
253
- ---
254
-
255
- ## EAR Recordkeeping Quick Reference
256
-
257
- | Document Type | Retention Period | Format |
258
- |---------------|-----------------|--------|
259
- | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
- | Bills of lading, air waybills | 5 years | Any |
261
- | EEI/AES filings | 5 years | Any |
262
- | Licence applications and approvals | 5 years from expiry/completion | Any |
263
- | Licence exception documentation | 5 years from export | Any |
264
- | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
- | End-user statements and certifications | 5 years | Any |
266
- | ECCN classification records | 5 years from last export of item | Any |
267
- | VSD submissions and correspondence | Permanently | Any |
268
-
269
- ---
270
-
271
- ## Compliance Programme Maturity Assessment
272
-
273
- | Level | Characteristics |
274
- |-------|----------------|
275
- | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
- | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
- | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
- | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
-
280
- BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
1
+ # EAR Export Compliance Programme, Enforcement, and Special Rules
2
+
3
+ ## Export Compliance Programme (ECP) — BIS Seven Elements
4
+
5
+ BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
+
7
+ ### Element 1 — Management Commitment
8
+
9
+ - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
+ - Written, board-approved export compliance policy signed by senior officer
11
+ - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
+ - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
+ - Annual certification to the board that the ECP is operating effectively
14
+
15
+ **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
+
17
+ ### Element 2 — Risk Assessment
18
+
19
+ - Identify all products, software, and technology subject to EAR
20
+ - Classify each item: ECCN or EAR99 (document the classification rationale)
21
+ - Identify all business units, geographies, and transaction types
22
+ - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
+ - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
+
25
+ **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
+
27
+ ### Element 3 — Written Policies and Procedures
28
+
29
+ - Written, procedure-level guidance for each process that touches exports:
30
+ - Customer onboarding and restricted party screening
31
+ - Order acceptance and fulfilment (sales, finance, logistics)
32
+ - ECCN classification and update trigger
33
+ - Licence application and management
34
+ - Employee travel with controlled items/technology
35
+ - Hiring of foreign nationals (deemed export screening)
36
+ - Distributor/reseller programme requirements
37
+ - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
+
39
+ ### Element 4 — Training and Awareness
40
+
41
+ - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
+ - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
+ - Annual refresher training with sign-off acknowledgement
44
+ - Training records retained for 5 years
45
+ - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
+
47
+ **Topics for engineers and developers:**
48
+ - Deemed exports: sharing controlled source code with foreign national colleagues
49
+ - Cloud platforms and access controls for controlled technology
50
+ - Open-source publication — fundamental research exemption vs. EAR controls on software
51
+
52
+ ### Element 5 — Restricted Party Screening
53
+
54
+ - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
+ - Minimum lists to screen against:
56
+ - BIS Denied Persons List
57
+ - BIS Entity List
58
+ - BIS Unverified List
59
+ - BIS Military End-User (MEU) List
60
+ - State Department Debarred List (DDTC)
61
+ - OFAC SDN List
62
+ - OFAC Consolidated Sanctions List
63
+ - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
+ - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
+
66
+ **Screening cadence for ongoing relationships:**
67
+ - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
+ - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
+
70
+ **Handling a match:**
71
+ 1. Do not ship or service the order
72
+ 2. Escalate to ECO/legal immediately
73
+ 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
+ 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
+ 5. Document the match, review, and outcome
76
+
77
+ ### Element 6 — Due Diligence (Know Your Customer)
78
+
79
+ - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
+ - For high-risk transactions, obtain:
81
+ - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
+ - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
+ - **Distributor Management: assurances that downstream sales comply with EAR**
84
+ - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
+ - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
+
87
+ ### Element 7 — Recordkeeping and Audits
88
+
89
+ - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
+ - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
+ - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
+ - Annual internal ECP audit or review
93
+ - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
+
95
+ ---
96
+
97
+ ## Enforcement Regime
98
+
99
+ ### Office of Export Enforcement (OEE)
100
+
101
+ BIS's enforcement arm investigates violations through:
102
+ - **Special Agents** conducting criminal investigations
103
+ - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
+ - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
+
106
+ ### Civil Penalties (§ 764.3, Part 766)
107
+
108
+ | Violation Type | Maximum Penalty |
109
+ |---------------|----------------|
110
+ | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
+ | Egregious violations | Higher penalties; may approach statutory maximum |
112
+ | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
+
114
+ **Penalty determination factors (Part 766, Supplement 1):**
115
+ - Willfulness (did the violator know it was a violation?)
116
+ - Nature of the item (weapons-relevant, dual-use, EAR99)
117
+ - Harm to US national security or foreign policy interests
118
+ - Compliance programme quality (strong ECP = significant mitigation)
119
+ - Remedial action taken
120
+ - Cooperation with OEE
121
+
122
+ **Base penalty matrix** (post-September 2024 rule change):
123
+ - BIS removed caps that previously limited penalties below statutory maximums
124
+ - Penalties now more directly reflect transaction value, particularly for egregious cases
125
+ - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
+
127
+ ### Criminal Penalties (§ 764.2)
128
+
129
+ Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
+ - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
+ - **Corporations:** Fines up to $1 million per violation (per count)
132
+ - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
+
134
+ ### Export Denial Orders (EDOs)
135
+
136
+ BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
+ - EDOs are published in the Federal Register and placed on the Denied Persons List
138
+ - Third parties are prohibited from participating in any transaction involving a denied person
139
+ - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
+
141
+ ---
142
+
143
+ ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
+
145
+ ### What is a VSD?
146
+
147
+ A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
+
149
+ ### When to File
150
+
151
+ File a VSD when you discover:
152
+ - Items shipped without a required licence
153
+ - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
+ - Incorrect ECCN used that resulted in an unlicensed shipment
155
+ - SNAP-R licence conditions violated
156
+ - Prohibited end-use found post-shipment
157
+
158
+ ### VSD Process
159
+
160
+ 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
+ 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
+ 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
+ - Detailed narrative of the facts
164
+ - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
+ - Root cause analysis
166
+ - Remedial actions already taken
167
+ - Proposed corrective actions
168
+ 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
+ 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
+
171
+ ### VSD Penalty Mitigation
172
+
173
+ - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
+ - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
+ - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
+
177
+ ---
178
+
179
+ ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
+
181
+ ### General FDPR (§ 736.2(b)(3))
182
+
183
+ Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
+
185
+ **Test:** Two-prong test:
186
+ 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
+ 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
+
189
+ ### Entity List FDPR (2020 — Huawei Rule)
190
+
191
+ Extended the FDPR to capture foreign-made items when:
192
+ 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
+ 2. AND the item is destined for a party on the Entity List
194
+
195
+ Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
+
197
+ ### Advanced Computing FDPR (October 2022 / October 2023)
198
+
199
+ Captures items produced with US wafer fabrication equipment destined for:
200
+ - China or Macau for use in advanced computing applications above threshold
201
+ - Any Entity List party
202
+
203
+ ### Russia/Belarus FDPR (March 2022)
204
+
205
+ Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
+
207
+ ---
208
+
209
+ ## Deemed Export Rules — Compliance Programme Implications
210
+
211
+ ### What Constitutes a Deemed Export
212
+
213
+ Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
+ - Visual inspection of controlled hardware
215
+ - Providing access to controlled equipment
216
+ - Oral, written, or electronic transmission of controlled technical data
217
+ - Demonstration of controlled software
218
+
219
+ ### Nationality Rule
220
+
221
+ BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
+ - Apply the nationality that requires the most restrictive licensing treatment
223
+ - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
+
225
+ ### Practical Compliance Steps
226
+
227
+ 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
+ 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
+ 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
+ 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
+ 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
+ 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
+
234
+ ---
235
+
236
+ ## SNAP-R — Licensing Portal Guidance
237
+
238
+ **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
+
240
+ **Forms filed through SNAP-R:**
241
+ - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
+ - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
+ - BIS-748P-B: Supplement for end-user statement attachments
244
+ - BIS-711: Statement by Ultimate Consignee and Purchaser
245
+
246
+ **SNAP-R Best Practices:**
247
+ - Submit complete applications — missing technical data is the #1 cause of delay
248
+ - Include end-use statements and supporting technical documentation proactively
249
+ - Track licence expiration dates and re-apply at least 60 days before expiry
250
+ - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
+ - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
+
253
+ ---
254
+
255
+ ## EAR Recordkeeping Quick Reference
256
+
257
+ | Document Type | Retention Period | Format |
258
+ |---------------|-----------------|--------|
259
+ | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
+ | Bills of lading, air waybills | 5 years | Any |
261
+ | EEI/AES filings | 5 years | Any |
262
+ | Licence applications and approvals | 5 years from expiry/completion | Any |
263
+ | Licence exception documentation | 5 years from export | Any |
264
+ | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
+ | End-user statements and certifications | 5 years | Any |
266
+ | ECCN classification records | 5 years from last export of item | Any |
267
+ | VSD submissions and correspondence | Permanently | Any |
268
+
269
+ ---
270
+
271
+ ## Compliance Programme Maturity Assessment
272
+
273
+ | Level | Characteristics |
274
+ |-------|----------------|
275
+ | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
+ | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
+ | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
+ | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
+
280
+ BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.