bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281)
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,135 +1,135 @@
1
- # NIST CSF 2.0 — Implementation Tiers
2
-
3
- Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
4
-
5
- ---
6
-
7
- ## Overview
8
-
9
- Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
10
-
11
- **Key principles:**
12
- - Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
13
- - Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
14
- - Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
15
- - Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
16
-
17
- ---
18
-
19
- ## The Four Tiers
20
-
21
- ### Tier 1 — Partial
22
-
23
- **Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
24
-
25
- **Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
26
-
27
- **External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
28
-
29
- **Diagnostic indicators of Tier 1:**
30
- - No formal cybersecurity policy exists or it has not been approved by leadership
31
- - Asset inventories are incomplete or inconsistently maintained
32
- - Risk assessments are performed reactively (after incidents, not proactively)
33
- - No defined roles or responsibilities for cybersecurity
34
- - Incident response is ad hoc with no documented plan
35
- - Supply chain risks are not considered
36
-
37
- ---
38
-
39
- ### Tier 2 — Risk-Informed
40
-
41
- **Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
42
-
43
- **Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
44
-
45
- **External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
46
-
47
- **Diagnostic indicators of Tier 2:**
48
- - Cybersecurity policy exists and is management-approved, but inconsistently followed
49
- - Risk assessments are performed but not on a regular schedule
50
- - Asset inventory is maintained but may have gaps
51
- - Roles for cybersecurity exist but accountability is not enforced
52
- - Incident response plan exists but has not been tested
53
- - Supply chain risk considered for some but not all suppliers
54
-
55
- ---
56
-
57
- ### Tier 3 — Repeatable
58
-
59
- **Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
60
-
61
- **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
62
-
63
- **External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
64
-
65
- **Diagnostic indicators of Tier 3:**
66
- - Formal cybersecurity policy is enforced organisation-wide
67
- - Risk assessments are conducted on a regular, defined schedule
68
- - Asset inventory is comprehensive and actively maintained
69
- - Defined roles with accountability metrics; performance reviewed
70
- - Incident response plan is documented, tested, and updated
71
- - Third-party risk is formally assessed for all critical suppliers
72
- - Cybersecurity metrics are reported to leadership
73
-
74
- ---
75
-
76
- ### Tier 4 — Adaptive
77
-
78
- **Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
79
-
80
- **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
81
-
82
- **External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
83
-
84
- **Diagnostic indicators of Tier 4:**
85
- - Cybersecurity risk management is embedded in organisational culture
86
- - Threat intelligence is operationalised and feeds real-time risk decisions
87
- - Continuous monitoring with automated anomaly detection
88
- - Lessons learned from incidents systematically improve controls
89
- - Active participation in information sharing communities (ISACs, etc.)
90
- - Supply chain risk managed in real time across the full lifecycle
91
- - Cybersecurity KPIs drive leadership strategy decisions
92
-
93
- ---
94
-
95
- ## Tier Assessment Guide
96
-
97
- When assessing an organisation's current tier, evaluate these three dimensions:
98
-
99
- ### Dimension 1: Risk Management Process
100
- Ask:
101
- - Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
102
- - Are risk assessments conducted reactively, periodically, or continuously?
103
- - Is there a documented risk management methodology consistently applied?
104
-
105
- ### Dimension 2: Integrated Risk Management Program
106
- Ask:
107
- - Is cybersecurity risk managed in silos or integrated into enterprise risk management?
108
- - Does cybersecurity risk information flow to leadership on a regular basis?
109
- - Are cybersecurity objectives aligned with business objectives?
110
-
111
- ### Dimension 3: External Participation
112
- Ask:
113
- - Does the organisation know which external entities it depends on and which depend on it?
114
- - Does the organisation participate in threat intelligence sharing?
115
- - Is supply chain risk actively managed across all critical third parties?
116
-
117
- ---
118
-
119
- ## Tier Advancement Guidance
120
-
121
- Advancing tiers requires sustained investment. Common barriers and enablers:
122
-
123
- | From → To | Common Barriers | Key Enablers |
124
- |-----------|----------------|-------------|
125
- | 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
126
- | 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
127
- | 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
128
-
129
- **Recommended starting sequence for Tier 1 → 2 transition:**
130
- 1. GV.OC-01 — Document the organisational mission and cybersecurity context
131
- 2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
132
- 3. ID.AM-01, ID.AM-02 — Build asset inventories
133
- 4. GV.RR-02 — Define cybersecurity roles and responsibilities
134
- 5. GV.PO-01 — Establish and communicate a cybersecurity policy
135
- 6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
1
+ # NIST CSF 2.0 — Implementation Tiers
2
+
3
+ Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
4
+
5
+ ---
6
+
7
+ ## Overview
8
+
9
+ Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
10
+
11
+ **Key principles:**
12
+ - Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
13
+ - Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
14
+ - Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
15
+ - Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
16
+
17
+ ---
18
+
19
+ ## The Four Tiers
20
+
21
+ ### Tier 1 — Partial
22
+
23
+ **Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
24
+
25
+ **Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
26
+
27
+ **External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
28
+
29
+ **Diagnostic indicators of Tier 1:**
30
+ - No formal cybersecurity policy exists or it has not been approved by leadership
31
+ - Asset inventories are incomplete or inconsistently maintained
32
+ - Risk assessments are performed reactively (after incidents, not proactively)
33
+ - No defined roles or responsibilities for cybersecurity
34
+ - Incident response is ad hoc with no documented plan
35
+ - Supply chain risks are not considered
36
+
37
+ ---
38
+
39
+ ### Tier 2 — Risk-Informed
40
+
41
+ **Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
42
+
43
+ **Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
44
+
45
+ **External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
46
+
47
+ **Diagnostic indicators of Tier 2:**
48
+ - Cybersecurity policy exists and is management-approved, but inconsistently followed
49
+ - Risk assessments are performed but not on a regular schedule
50
+ - Asset inventory is maintained but may have gaps
51
+ - Roles for cybersecurity exist but accountability is not enforced
52
+ - Incident response plan exists but has not been tested
53
+ - Supply chain risk considered for some but not all suppliers
54
+
55
+ ---
56
+
57
+ ### Tier 3 — Repeatable
58
+
59
+ **Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
60
+
61
+ **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
62
+
63
+ **External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
64
+
65
+ **Diagnostic indicators of Tier 3:**
66
+ - Formal cybersecurity policy is enforced organisation-wide
67
+ - Risk assessments are conducted on a regular, defined schedule
68
+ - Asset inventory is comprehensive and actively maintained
69
+ - Defined roles with accountability metrics; performance reviewed
70
+ - Incident response plan is documented, tested, and updated
71
+ - Third-party risk is formally assessed for all critical suppliers
72
+ - Cybersecurity metrics are reported to leadership
73
+
74
+ ---
75
+
76
+ ### Tier 4 — Adaptive
77
+
78
+ **Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
79
+
80
+ **Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
81
+
82
+ **External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
83
+
84
+ **Diagnostic indicators of Tier 4:**
85
+ - Cybersecurity risk management is embedded in organisational culture
86
+ - Threat intelligence is operationalised and feeds real-time risk decisions
87
+ - Continuous monitoring with automated anomaly detection
88
+ - Lessons learned from incidents systematically improve controls
89
+ - Active participation in information sharing communities (ISACs, etc.)
90
+ - Supply chain risk managed in real time across the full lifecycle
91
+ - Cybersecurity KPIs drive leadership strategy decisions
92
+
93
+ ---
94
+
95
+ ## Tier Assessment Guide
96
+
97
+ When assessing an organisation's current tier, evaluate these three dimensions:
98
+
99
+ ### Dimension 1: Risk Management Process
100
+ Ask:
101
+ - Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
102
+ - Are risk assessments conducted reactively, periodically, or continuously?
103
+ - Is there a documented risk management methodology consistently applied?
104
+
105
+ ### Dimension 2: Integrated Risk Management Program
106
+ Ask:
107
+ - Is cybersecurity risk managed in silos or integrated into enterprise risk management?
108
+ - Does cybersecurity risk information flow to leadership on a regular basis?
109
+ - Are cybersecurity objectives aligned with business objectives?
110
+
111
+ ### Dimension 3: External Participation
112
+ Ask:
113
+ - Does the organisation know which external entities it depends on and which depend on it?
114
+ - Does the organisation participate in threat intelligence sharing?
115
+ - Is supply chain risk actively managed across all critical third parties?
116
+
117
+ ---
118
+
119
+ ## Tier Advancement Guidance
120
+
121
+ Advancing tiers requires sustained investment. Common barriers and enablers:
122
+
123
+ | From → To | Common Barriers | Key Enablers |
124
+ |-----------|----------------|-------------|
125
+ | 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
126
+ | 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
127
+ | 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
128
+
129
+ **Recommended starting sequence for Tier 1 → 2 transition:**
130
+ 1. GV.OC-01 — Document the organisational mission and cybersecurity context
131
+ 2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
132
+ 3. ID.AM-01, ID.AM-02 — Build asset inventories
133
+ 4. GV.RR-02 — Define cybersecurity roles and responsibilities
134
+ 5. GV.PO-01 — Establish and communicate a cybersecurity policy
135
+ 6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
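Review bot: removed lines 59-135 and added lines 59-135 carry identical text, so this hunk rewrites the whole file without changing any wording that is visible here. A line-ending or whitespace difference is the likely cause, although the rendered diff does not show it. Normalise line endings before publishing so that a real edit to this reference stands out when two package versions are compared. Two wording points in the added text: the Overview (lines 9-15) spells "organization" while every later section spells "organisation", and line 41 reads "organisational-wide policy" where the rest of the file uses "organisation-wide".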