bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,182 +1,182 @@
1
- # EU AI Act — Risk Classification Reference
2
-
3
- ## Art. 3 — Key Definitions
4
-
5
- | Term | Definition |
6
- |------|-----------|
7
- | **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
8
- | **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
9
- | **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
10
- | **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
11
- | **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
12
- | **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
13
- | **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
14
- | **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
15
- | **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
16
- | **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
17
-
18
- ---
19
-
20
- ## Risk Tier Overview
21
-
22
- | Tier | Regulation Path | Key Obligation | Applies From |
23
- |------|----------------|----------------|--------------|
24
- | **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
25
- | **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
26
- | **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
27
- | **Minimal / No Risk** | — | Voluntary codes of conduct | — |
28
-
29
- ---
30
-
31
- ## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
32
-
33
- ### 5(1)(a) — Subliminal / Manipulative Techniques
34
- AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
35
-
36
- ### 5(1)(b) — Exploitation of Vulnerabilities
37
- AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
38
-
39
- ### 5(1)(c) — Social Scoring
40
- AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
41
- - Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
42
- - Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
43
-
44
- ### 5(1)(d) — Predictive Criminal Risk Assessment
45
- AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
46
-
47
- ### 5(1)(e) — Untargeted Facial Recognition Database Creation
48
- Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
49
-
50
- ### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
51
- AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
52
-
53
- ### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
54
- AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
55
-
56
- ### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
57
- Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
58
- - (i) Targeted search for specific missing persons or trafficking victims
59
- - (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
60
- - (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
61
-
62
- **Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
63
-
64
- ---
65
-
66
- ## Art. 6 — High-Risk Classification Rules
67
-
68
- ### Path A — Art. 6(1): Safety Component of Sectoral Product
69
- System is high-risk when BOTH conditions are met:
70
- 1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
71
- 2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
72
-
73
- ### Path B — Art. 6(2): Annex III Listed Use Case
74
- System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
75
- - Performs a narrow procedural task
76
- - Improves result of a previously completed human activity
77
- - Detects decision-making patterns/deviations without replacing/influencing human assessment
78
- - Performs preparatory tasks for assessment relevant to Annex III use cases
79
-
80
- **Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
81
-
82
- **Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
83
-
84
- ---
85
-
86
- ## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
87
-
88
- ### Section A — New Legislative Framework Products
89
- 1. Machinery — Directive 2006/42/EC
90
- 2. Toys — Directive 2009/48/EC
91
- 3. Recreational watercraft — Directive 2013/53/EU
92
- 4. Lifts — Directive 2014/33/EU
93
- 5. ATEX equipment — Directive 2014/34/EU
94
- 6. Radio equipment — Directive 2014/53/EU
95
- 7. Pressure equipment — Directive 2014/68/EU
96
- 8. Cableway installations — Regulation 2016/424
97
- 9. Personal protective equipment — Regulation 2016/425
98
- 10. Gaseous fuel appliances — Regulation 2016/426
99
- 11. Medical devices — Regulation 2017/745
100
- 12. In vitro diagnostic medical devices — Regulation 2017/746
101
-
102
- ### Section B — Other Harmonisation Legislation
103
- 13. Civil aviation security — Regulation 300/2008
104
- 14. Two/three-wheel vehicles — Regulation 168/2013
105
- 15. Agricultural/forestry vehicles — Regulation 167/2013
106
- 16. Marine equipment — Directive 2014/90/EU
107
- 17. Rail interoperability — Directive 2016/797
108
- 18. Motor vehicles and trailers — Regulation 2018/858
109
- 19. Motor vehicle safety standards — Regulation 2019/2144
110
- 20. Civil aviation and drones — Regulation 2018/1139
111
-
112
- ---
113
-
114
- ## Annex III — High-Risk AI Use Case Areas (8 Areas)
115
-
116
- ### Area 1 — Biometrics
117
- - (a) Remote biometric identification systems (excluding personal identity verification)
118
- - (b) Biometric categorization systems inferring sensitive/protected attributes
119
- - (c) Emotion recognition systems
120
-
121
- **Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
122
-
123
- ### Area 2 — Critical Infrastructure
124
- AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
125
-
126
- ### Area 3 — Education and Vocational Training
127
- - (a) Determining access/admission to or assignment to educational institutions at any level
128
- - (b) Evaluating learning outcomes that materially influence the learning process
129
- - (c) Assessing appropriate level of education and materially influencing the level of education received
130
- - (d) Monitoring and detecting prohibited student behavior in tests/examinations
131
-
132
- ### Area 4 — Employment, Workers Management, and Self-Employment
133
- - (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
134
- - (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
135
-
136
- ### Area 5 — Access to and Enjoyment of Essential Private and Public Services
137
- - (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
138
- - (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
139
- - (c) Life insurance and health insurance risk assessment and pricing for natural persons
140
- - (d) Emergency dispatch and emergency call classification and prioritization
141
-
142
- ### Area 6 — Law Enforcement
143
- - (a) Individual risk assessment for becoming victim of criminal offenses
144
- - (b) Polygraphs and similar tools to assess reliability of persons
145
- - (c) Evaluating reliability of evidence in criminal investigations/prosecution
146
- - (d) Assessing risk of offending/reoffending, including recidivism assessment
147
- - (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
148
-
149
- ### Area 7 — Migration, Asylum, and Border Control Management
150
- - (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
151
- - (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
152
- - (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
153
- - (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
154
-
155
- ### Area 8 — Administration of Justice and Democratic Processes
156
- - (a) AI assisting judicial authorities in researching, interpreting, and applying the law
157
- - (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
158
-
159
- ---
160
-
161
- ## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
162
-
163
- ### Chatbots and AI Interaction Systems (Art. 50(1))
164
- Providers must ensure users are informed they are interacting with an AI system, unless:
165
- - Obvious to a reasonably well-informed user given context and circumstances
166
- - System is authorized by law for detection of criminal offenses
167
-
168
- ### Synthetic Media — Deepfakes (Art. 50(2) and (4))
169
- - Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
170
- - Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
171
- - All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
172
-
173
- ### Emotion Recognition and Biometric Categorization (Art. 50(3))
174
- Deployers must inform natural persons exposed to these systems of:
175
- - The operation of the system
176
- - Must comply with GDPR and data protection law
177
- - Exception: authorized for law enforcement
178
-
179
- ### Format Requirements
180
- - Disclosures must be made at the latest at first interaction/exposure
181
- - Clear and distinguishable manner
182
- - Must meet accessibility standards (Directive 2019/882)
1
+ # EU AI Act — Risk Classification Reference
2
+
3
+ ## Art. 3 — Key Definitions
4
+
5
+ | Term | Definition |
6
+ |------|-----------|
7
+ | **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
8
+ | **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
9
+ | **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
10
+ | **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
11
+ | **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
12
+ | **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
13
+ | **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
14
+ | **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
15
+ | **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
16
+ | **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
17
+
18
+ ---
19
+
20
+ ## Risk Tier Overview
21
+
22
+ | Tier | Regulation Path | Key Obligation | Applies From |
23
+ |------|----------------|----------------|--------------|
24
+ | **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
25
+ | **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
26
+ | **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
27
+ | **Minimal / No Risk** | — | Voluntary codes of conduct | — |
28
+
29
+ ---
30
+
31
+ ## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
32
+
33
+ ### 5(1)(a) — Subliminal / Manipulative Techniques
34
+ AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
35
+
36
+ ### 5(1)(b) — Exploitation of Vulnerabilities
37
+ AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
38
+
39
+ ### 5(1)(c) — Social Scoring
40
+ AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
41
+ - Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
42
+ - Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
43
+
44
+ ### 5(1)(d) — Predictive Criminal Risk Assessment
45
+ AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
46
+
47
+ ### 5(1)(e) — Untargeted Facial Recognition Database Creation
48
+ Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
49
+
50
+ ### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
51
+ AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
52
+
53
+ ### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
54
+ AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
55
+
56
+ ### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
57
+ Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
58
+ - (i) Targeted search for specific missing persons or trafficking victims
59
+ - (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
60
+ - (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
61
+
62
+ **Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
63
+
64
+ ---
65
+
66
+ ## Art. 6 — High-Risk Classification Rules
67
+
68
+ ### Path A — Art. 6(1): Safety Component of Sectoral Product
69
+ System is high-risk when BOTH conditions are met:
70
+ 1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
71
+ 2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
72
+
73
+ ### Path B — Art. 6(2): Annex III Listed Use Case
74
+ System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
75
+ - Performs a narrow procedural task
76
+ - Improves result of a previously completed human activity
77
+ - Detects decision-making patterns/deviations without replacing/influencing human assessment
78
+ - Performs preparatory tasks for assessment relevant to Annex III use cases
79
+
80
+ **Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
81
+
82
+ **Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
83
+
84
+ ---
85
+
86
+ ## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
87
+
88
+ ### Section A — New Legislative Framework Products
89
+ 1. Machinery — Directive 2006/42/EC
90
+ 2. Toys — Directive 2009/48/EC
91
+ 3. Recreational watercraft — Directive 2013/53/EU
92
+ 4. Lifts — Directive 2014/33/EU
93
+ 5. ATEX equipment — Directive 2014/34/EU
94
+ 6. Radio equipment — Directive 2014/53/EU
95
+ 7. Pressure equipment — Directive 2014/68/EU
96
+ 8. Cableway installations — Regulation 2016/424
97
+ 9. Personal protective equipment — Regulation 2016/425
98
+ 10. Gaseous fuel appliances — Regulation 2016/426
99
+ 11. Medical devices — Regulation 2017/745
100
+ 12. In vitro diagnostic medical devices — Regulation 2017/746
101
+
102
+ ### Section B — Other Harmonisation Legislation
103
+ 13. Civil aviation security — Regulation 300/2008
104
+ 14. Two/three-wheel vehicles — Regulation 168/2013
105
+ 15. Agricultural/forestry vehicles — Regulation 167/2013
106
+ 16. Marine equipment — Directive 2014/90/EU
107
+ 17. Rail interoperability — Directive 2016/797
108
+ 18. Motor vehicles and trailers — Regulation 2018/858
109
+ 19. Motor vehicle safety standards — Regulation 2019/2144
110
+ 20. Civil aviation and drones — Regulation 2018/1139
111
+
112
+ ---
113
+
114
+ ## Annex III — High-Risk AI Use Case Areas (8 Areas)
115
+
116
+ ### Area 1 — Biometrics
117
+ - (a) Remote biometric identification systems (excluding personal identity verification)
118
+ - (b) Biometric categorization systems inferring sensitive/protected attributes
119
+ - (c) Emotion recognition systems
120
+
121
+ **Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
122
+
123
+ ### Area 2 — Critical Infrastructure
124
+ AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
125
+
126
+ ### Area 3 — Education and Vocational Training
127
+ - (a) Determining access/admission to or assignment to educational institutions at any level
128
+ - (b) Evaluating learning outcomes that materially influence the learning process
129
+ - (c) Assessing appropriate level of education and materially influencing the level of education received
130
+ - (d) Monitoring and detecting prohibited student behavior in tests/examinations
131
+
132
+ ### Area 4 — Employment, Workers Management, and Self-Employment
133
+ - (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
134
+ - (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
135
+
136
+ ### Area 5 — Access to and Enjoyment of Essential Private and Public Services
137
+ - (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
138
+ - (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
139
+ - (c) Life insurance and health insurance risk assessment and pricing for natural persons
140
+ - (d) Emergency dispatch and emergency call classification and prioritization
141
+
142
+ ### Area 6 — Law Enforcement
143
+ - (a) Individual risk assessment for becoming victim of criminal offenses
144
+ - (b) Polygraphs and similar tools to assess reliability of persons
145
+ - (c) Evaluating reliability of evidence in criminal investigations/prosecution
146
+ - (d) Assessing risk of offending/reoffending, including recidivism assessment
147
+ - (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
148
+
149
+ ### Area 7 — Migration, Asylum, and Border Control Management
150
+ - (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
151
+ - (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
152
+ - (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
153
+ - (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
154
+
155
+ ### Area 8 — Administration of Justice and Democratic Processes
156
+ - (a) AI assisting judicial authorities in researching, interpreting, and applying the law
157
+ - (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
158
+
159
+ ---
160
+
161
+ ## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
162
+
163
+ ### Chatbots and AI Interaction Systems (Art. 50(1))
164
+ Providers must ensure users are informed they are interacting with an AI system, unless:
165
+ - Obvious to a reasonably well-informed user given context and circumstances
166
+ - System is authorized by law for detection of criminal offenses
167
+
168
+ ### Synthetic Media — Deepfakes (Art. 50(2) and (4))
169
+ - Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
170
+ - Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
171
+ - All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
172
+
173
+ ### Emotion Recognition and Biometric Categorization (Art. 50(3))
174
+ Deployers must inform natural persons exposed to these systems of:
175
+ - The operation of the system
176
+ - Must comply with GDPR and data protection law
177
+ - Exception: authorized for law enforcement
178
+
179
+ ### Format Requirements
180
+ - Disclosures must be made at the latest at first interaction/exposure
181
+ - Clear and distinguishable manner
182
+ - Must meet accessibility standards (Directive 2019/882)