bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,287 +1,287 @@
1
- # EU AI Act — High-Risk AI System Obligations Reference
2
-
3
- All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
-
5
- ---
6
-
7
- ## Art. 9 — Risk Management System
8
-
9
- **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
-
11
- **Requirements:**
12
- - Continuous, iterative process maintained from development through decommissioning
13
- - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
- - **5-step process:**
15
- 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
- 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
- 3. Evaluate risks emerging from post-market monitoring data
18
- 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
- 5. Assess residual risk acceptability; document reasoning
20
- - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
- 1. Design-based risk elimination first
22
- 2. Adequate mitigation measures if elimination not possible
23
- 3. Information provision to deployers and users
24
- - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
- - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
-
27
- **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
-
29
- ---
30
-
31
- ## Art. 10 — Data and Data Governance
32
-
33
- **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
-
35
- **Dataset requirements (Art. 10(2)):**
36
- - Relevant to intended purpose
37
- - Sufficiently representative of the persons/contexts the system will encounter
38
- - Free of errors (where appropriate)
39
- - Complete for the intended purpose
40
- - Statistically appropriate for target geographic, contextual, and behavioral population
41
-
42
- **Data governance practices (Art. 10(3)):**
43
- - Design choices documentation
44
- - Data collection method documentation
45
- - Data origin examination and documentation
46
- - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
- - Bias examination and identification
48
- - Gap identification in relevant properties
49
-
50
- **Special category data (Art. 10(5)) — bias detection exception:**
51
- Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
- 1. No adequate alternative data source exists
53
- 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
- 3. Access controls ensure minimum necessary access
55
- 4. No third-party data transfer
56
- 5. Data deleted upon completion of bias detection
57
- 6. Documented justification maintained
58
-
59
- ---
60
-
61
- ## Art. 11 — Technical Documentation
62
-
63
- **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
-
65
- **Content specified in Annex IV:**
66
- - General description: intended purpose, provider identity, version, interactions with other systems
67
- - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
- - Information about training data (including general description, origin, annotation procedures, design choices)
69
- - Assessment of the measures required to interpret outputs and enable human oversight
70
- - Detailed description of the system design (architecture, source code or training code access if applicable)
71
- - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
- - Risk management system documentation (Art. 9)
73
- - Changes made to system over lifecycle
74
- - List of harmonised standards applied (or description of alternative solutions for conformity)
75
- - EU Declaration of Conformity
76
-
77
- **Retention:** 10 years after market placement or putting into service.
78
-
79
- ---
80
-
81
- ## Art. 12 — Record-Keeping / Automatic Logging
82
-
83
- **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
-
85
- **Provider obligations:**
86
- - High-risk systems must be capable of automatically generating event logs throughout operation
87
- - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
- - For biometric identification: logs must enable identification of persons involved and circumstances
89
-
90
- **Deployer obligations (Art. 26(6)):**
91
- - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
- - Public sector deployers: stricter retention may apply under public records obligations
93
-
94
- ---
95
-
96
- ## Art. 13 — Transparency and Provision of Information to Deployers
97
-
98
- **Purpose:** Enable deployers to understand and correctly use the AI system.
99
-
100
- **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
-
102
- **Instructions for use must include:**
103
- - Provider identity, address, registration data
104
- - System characteristics, capabilities, and intended purpose
105
- - Performance metrics: level of accuracy, robustness, cybersecurity
106
- - Known or foreseeable circumstances that may lead to risks
107
- - System performance for specific persons/groups
108
- - Specifications for input data (data types, formats, dimensions)
109
- - Information on changes made vs prior versions
110
- - Human oversight measures (Art. 14) and technical measures to enable oversight
111
- - Computational resources required; expected system lifetime
112
- - Description of logging mechanisms (Art. 12)
113
- - Any predetermined modifications or updates
114
-
115
- **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
-
117
- ---
118
-
119
- ## Art. 14 — Human Oversight
120
-
121
- **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
-
123
- **System design obligations (providers, Art. 14(3)):**
124
- High-risk AI systems must be designed to allow natural persons to:
125
- - Understand system capabilities and limitations
126
- - Recognize **automation bias** (over-reliance on AI outputs)
127
- - Correctly interpret AI outputs (including interpretability features)
128
- - Decide not to use, or disregard, override, or reverse AI outputs
129
- - Intervene through a **stop button** or similar interrupt mechanism
130
-
131
- **Deployer implementation obligations (Art. 14(4)):**
132
- - Assign human oversight to natural persons with necessary competence, authority, and resources
133
- - Train oversight persons on system capabilities/limitations and automation bias risk
134
-
135
- **Biometric identification specific (Art. 14(5)):**
136
- - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
-
138
- **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
-
140
- ---
141
-
142
- ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
-
144
- **Accuracy:**
145
- - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
- - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
- - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
-
149
- **Robustness:**
150
- - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
- - Consistent performance throughout operational lifetime
152
- - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
- - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
-
155
- **Cybersecurity:**
156
- Resilience against attempts to alter use, outputs, or performance, including:
157
- - **Data poisoning attacks** (contaminating training data)
158
- - **Model poisoning attacks** (manipulating model weights)
159
- - **Adversarial examples** (crafted inputs causing misclassification)
160
- - **Confidentiality attacks** (extracting training data or model internals)
161
- - **Model flaws exploitation** (taking advantage of design weaknesses)
162
-
163
- **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
-
165
- ---
166
-
167
- ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
-
169
- Before placing on market or putting into service, providers must:
170
-
171
- 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
- 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
- 3. ☐ Establish and implement quality management system (Art. 17)
174
- 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
- 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
- 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
- 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
- 8. ☐ Affix CE marking (Art. 48)
179
- 9. ☐ Register in EU AI database (Art. 49) before market placement
180
- 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
- 11. ☐ Demonstrate conformity upon request of national competent authority
182
- 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
-
184
- ---
185
-
186
- ## Art. 17 — Quality Management System (13 Required Components)
187
-
188
- Documented policies and procedures covering:
189
-
190
- 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
- 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
- 3. **Development quality control** procedures
193
- 4. **Testing and validation** — before, during, and after development
194
- 5. **Technical standards application** — harmonised standards and common specifications
195
- 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
- 7. **Risk management** per Art. 9
197
- 8. **Post-market monitoring** per Art. 72
198
- 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
- 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
- 11. **Record-keeping and documentation** — retention periods and access procedures
201
- 12. **Resource management** including supply-chain security measures
202
- 13. **Accountability framework** — clear responsibility assignment for all above components
203
-
204
- **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
-
206
- ---
207
-
208
- ## Art. 26 — Deployer Obligations
209
-
210
- 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
- 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
- 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
- 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
- 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
- 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
- 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
- 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
- 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
- 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
-
221
- ---
222
-
223
- ## Arts. 43–49 — Conformity Assessment and CE Marking
224
-
225
- ### Art. 43 — Conformity Assessment Paths
226
-
227
- **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
- - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
- - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
-
231
- Notified body (B) is **mandatory** when:
232
- - No harmonised standards covering the system exist
233
- - Standards exist but provider has not applied them (or only partially)
234
- - Common specifications are unavailable or not used
235
- - Standards published with restrictions that limit presumption of conformity
236
-
237
- **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
-
239
- **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
-
241
- **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
-
243
- **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
-
245
- ### Art. 47 — EU Declaration of Conformity
246
- - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
- - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
- - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
- - Machine-readable format; translation required into languages required by national authorities
250
- - Maintained for **10 years** from market placement
251
-
252
- ### Art. 48 — CE Marking
253
- - Visible, legible, indelible affixation on system, packaging, or documentation
254
- - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
- - Subject to general principles of CE marking (Regulation 765/2008)
256
- - Affixed before market placement; re-affixed if system substantially modified
257
-
258
- ### Arts. 49 and 60 — EU AI Database Registration
259
-
260
- **Provider registration (Art. 49):**
261
- - Before market placement (Annex III systems — Art. 6(2))
262
- - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
- - Provider registration covers all deployers and users of that system
264
-
265
- **Public authority deployer registration (Art. 60):**
266
- - Before deployment of registered high-risk systems
267
- - Additional system-specific information for public authority use
268
-
269
- **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
-
271
- **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
-
273
- ---
274
-
275
- ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
-
277
- **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
-
279
- **Content:**
280
- - Description of the deployer's processes in which the system will be used
281
- - Time period, frequency, and number of persons affected
282
- - The specific categories of persons likely to be affected
283
- - Specific risks of harm to categories of affected persons
284
- - Human oversight measures (Art. 14) planned
285
- - Measures to address fundamental rights risks
286
-
287
- **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.
1
+ # EU AI Act — High-Risk AI System Obligations Reference
2
+
3
+ All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
+
5
+ ---
6
+
7
+ ## Art. 9 — Risk Management System
8
+
9
+ **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
+
11
+ **Requirements:**
12
+ - Continuous, iterative process maintained from development through decommissioning
13
+ - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
+ - **5-step process:**
15
+ 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
+ 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
+ 3. Evaluate risks emerging from post-market monitoring data
18
+ 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
+ 5. Assess residual risk acceptability; document reasoning
20
+ - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
+ 1. Design-based risk elimination first
22
+ 2. Adequate mitigation measures if elimination not possible
23
+ 3. Information provision to deployers and users
24
+ - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
+ - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
+
27
+ **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
+
29
+ ---
30
+
31
+ ## Art. 10 — Data and Data Governance
32
+
33
+ **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
+
35
+ **Dataset requirements (Art. 10(2)):**
36
+ - Relevant to intended purpose
37
+ - Sufficiently representative of the persons/contexts the system will encounter
38
+ - Free of errors (where appropriate)
39
+ - Complete for the intended purpose
40
+ - Statistically appropriate for target geographic, contextual, and behavioral population
41
+
42
+ **Data governance practices (Art. 10(3)):**
43
+ - Design choices documentation
44
+ - Data collection method documentation
45
+ - Data origin examination and documentation
46
+ - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
+ - Bias examination and identification
48
+ - Gap identification in relevant properties
49
+
50
+ **Special category data (Art. 10(5)) — bias detection exception:**
51
+ Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
+ 1. No adequate alternative data source exists
53
+ 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
+ 3. Access controls ensure minimum necessary access
55
+ 4. No third-party data transfer
56
+ 5. Data deleted upon completion of bias detection
57
+ 6. Documented justification maintained
58
+
59
+ ---
60
+
61
+ ## Art. 11 — Technical Documentation
62
+
63
+ **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
+
65
+ **Content specified in Annex IV:**
66
+ - General description: intended purpose, provider identity, version, interactions with other systems
67
+ - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
+ - Information about training data (including general description, origin, annotation procedures, design choices)
69
+ - Assessment of the measures required to interpret outputs and enable human oversight
70
+ - Detailed description of the system design (architecture, source code or training code access if applicable)
71
+ - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
+ - Risk management system documentation (Art. 9)
73
+ - Changes made to system over lifecycle
74
+ - List of harmonised standards applied (or description of alternative solutions for conformity)
75
+ - EU Declaration of Conformity
76
+
77
+ **Retention:** 10 years after market placement or putting into service.
78
+
79
+ ---
80
+
81
+ ## Art. 12 — Record-Keeping / Automatic Logging
82
+
83
+ **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
+
85
+ **Provider obligations:**
86
+ - High-risk systems must be capable of automatically generating event logs throughout operation
87
+ - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
+ - For biometric identification: logs must enable identification of persons involved and circumstances
89
+
90
+ **Deployer obligations (Art. 26(6)):**
91
+ - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
+ - Public sector deployers: stricter retention may apply under public records obligations
93
+
94
+ ---
95
+
96
+ ## Art. 13 — Transparency and Provision of Information to Deployers
97
+
98
+ **Purpose:** Enable deployers to understand and correctly use the AI system.
99
+
100
+ **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
+
102
+ **Instructions for use must include:**
103
+ - Provider identity, address, registration data
104
+ - System characteristics, capabilities, and intended purpose
105
+ - Performance metrics: level of accuracy, robustness, cybersecurity
106
+ - Known or foreseeable circumstances that may lead to risks
107
+ - System performance for specific persons/groups
108
+ - Specifications for input data (data types, formats, dimensions)
109
+ - Information on changes made vs prior versions
110
+ - Human oversight measures (Art. 14) and technical measures to enable oversight
111
+ - Computational resources required; expected system lifetime
112
+ - Description of logging mechanisms (Art. 12)
113
+ - Any predetermined modifications or updates
114
+
115
+ **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
+
117
+ ---
118
+
119
+ ## Art. 14 — Human Oversight
120
+
121
+ **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
+
123
+ **System design obligations (providers, Art. 14(3)):**
124
+ High-risk AI systems must be designed to allow natural persons to:
125
+ - Understand system capabilities and limitations
126
+ - Recognize **automation bias** (over-reliance on AI outputs)
127
+ - Correctly interpret AI outputs (including interpretability features)
128
+ - Decide not to use, or disregard, override, or reverse AI outputs
129
+ - Intervene through a **stop button** or similar interrupt mechanism
130
+
131
+ **Deployer implementation obligations (Art. 14(4)):**
132
+ - Assign human oversight to natural persons with necessary competence, authority, and resources
133
+ - Train oversight persons on system capabilities/limitations and automation bias risk
134
+
135
+ **Biometric identification specific (Art. 14(5)):**
136
+ - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
+
138
+ **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
+
140
+ ---
141
+
142
+ ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
+
144
+ **Accuracy:**
145
+ - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
+ - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
+ - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
+
149
+ **Robustness:**
150
+ - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
+ - Consistent performance throughout operational lifetime
152
+ - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
+ - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
+
155
+ **Cybersecurity:**
156
+ Resilience against attempts to alter use, outputs, or performance, including:
157
+ - **Data poisoning attacks** (contaminating training data)
158
+ - **Model poisoning attacks** (manipulating model weights)
159
+ - **Adversarial examples** (crafted inputs causing misclassification)
160
+ - **Confidentiality attacks** (extracting training data or model internals)
161
+ - **Model flaws exploitation** (taking advantage of design weaknesses)
162
+
163
+ **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
+
165
+ ---
166
+
167
+ ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
+
169
+ Before placing on market or putting into service, providers must:
170
+
171
+ 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
+ 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
+ 3. ☐ Establish and implement quality management system (Art. 17)
174
+ 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
+ 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
+ 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
+ 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
+ 8. ☐ Affix CE marking (Art. 48)
179
+ 9. ☐ Register in EU AI database (Art. 49) before market placement
180
+ 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
+ 11. ☐ Demonstrate conformity upon request of national competent authority
182
+ 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
+
184
+ ---
185
+
186
+ ## Art. 17 — Quality Management System (13 Required Components)
187
+
188
+ Documented policies and procedures covering:
189
+
190
+ 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
+ 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
+ 3. **Development quality control** procedures
193
+ 4. **Testing and validation** — before, during, and after development
194
+ 5. **Technical standards application** — harmonised standards and common specifications
195
+ 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
+ 7. **Risk management** per Art. 9
197
+ 8. **Post-market monitoring** per Art. 72
198
+ 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
+ 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
+ 11. **Record-keeping and documentation** — retention periods and access procedures
201
+ 12. **Resource management** including supply-chain security measures
202
+ 13. **Accountability framework** — clear responsibility assignment for all above components
203
+
204
+ **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
+
206
+ ---
207
+
208
+ ## Art. 26 — Deployer Obligations
209
+
210
+ 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
+ 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
+ 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
+ 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
+ 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
+ 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
+ 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
+ 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
+ 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
+ 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
+
221
+ ---
222
+
223
+ ## Arts. 43–49 — Conformity Assessment and CE Marking
224
+
225
+ ### Art. 43 — Conformity Assessment Paths
226
+
227
+ **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
+ - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
+ - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
+
231
+ Notified body (B) is **mandatory** when:
232
+ - No harmonised standards covering the system exist
233
+ - Standards exist but provider has not applied them (or only partially)
234
+ - Common specifications are unavailable or not used
235
+ - Standards published with restrictions that limit presumption of conformity
236
+
237
+ **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
+
239
+ **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
+
241
+ **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
+
243
+ **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
+
245
+ ### Art. 47 — EU Declaration of Conformity
246
+ - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
+ - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
+ - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
+ - Machine-readable format; translation required into languages required by national authorities
250
+ - Maintained for **10 years** from market placement
251
+
252
+ ### Art. 48 — CE Marking
253
+ - Visible, legible, indelible affixation on system, packaging, or documentation
254
+ - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
+ - Subject to general principles of CE marking (Regulation 765/2008)
256
+ - Affixed before market placement; re-affixed if system substantially modified
257
+
258
+ ### Arts. 49 and 60 — EU AI Database Registration
259
+
260
+ **Provider registration (Art. 49):**
261
+ - Before market placement (Annex III systems — Art. 6(2))
262
+ - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
+ - Provider registration covers all deployers and users of that system
264
+
265
+ **Public authority deployer registration (Art. 60):**
266
+ - Before deployment of registered high-risk systems
267
+ - Additional system-specific information for public authority use
268
+
269
+ **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
+
271
+ **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
+
273
+ ---
274
+
275
+ ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
+
277
+ **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
+
279
+ **Content:**
280
+ - Description of the deployer's processes in which the system will be used
281
+ - Time period, frequency, and number of persons affected
282
+ - The specific categories of persons likely to be affected
283
+ - Specific risks of harm to categories of affected persons
284
+ - Human oversight measures (Art. 14) planned
285
+ - Measures to address fundamental rights risks
286
+
287
+ **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.