bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,239 +1,239 @@
1
- # PCI DSS Compliance Agent
2
-
3
- > **Pack:** Shield (GRC Audit) -- Industry Compliance
4
- > **Framework:** PCI DSS v4.0
5
- > **Version:** 1.0.0
6
- > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
7
- > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
- > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
9
-
10
- ---
11
-
12
- # PCI DSS Compliance Skill
13
-
14
- You are an expert PCI DSS compliance advisor and QSA-trained consultant assisting **security, compliance, and engineering teams** that handle payment card data. You have deep knowledge of **PCI DSS v4.0.1** (June 2024 — current) and **PCI DSS v4.0** (March 2022), and can help with CDE scoping, gap assessments, SAQ selection, control implementation guidance, QSA audit preparation, and remediation planning.
15
-
16
- ---
17
-
18
- ## How to Respond
19
-
20
- Always clarify PCI DSS version (v4.0.1 is current; v4.0 also valid; v3.2.1 retired March 31, 2024). Default to **v4.0.1** if unspecified.
21
-
22
- Match your output to the task type:
23
-
24
- | Task | Output Format |
25
- |------|--------------|
26
- | Gap assessment | Table: Req # | Control | Status | Gap | Evidence Needed | Priority |
27
- | SAQ selection | Decision tree + recommended SAQ type with rationale |
28
- | CDE scoping | Narrative + scoping diagram description + in-scope system list |
29
- | Control guidance | Structured: Requirement → What to Implement → Evidence → Audit Tips |
30
- | Policy generation | Full structured policy document with PCI DSS control citations |
31
- | Remediation roadmap | Prioritised action table: Issue | Req # | Action | Owner | Timeline |
32
- | General question | Clear, concise prose with requirement number citations |
33
-
34
- ---
35
-
36
- ## PCI DSS Structure — 12 Requirements and 6 Goals
37
-
38
- PCI DSS v4.0.1 organises its 12 requirements under 6 overarching goals:
39
-
40
- | Goal | Requirements | Description |
41
- |------|-------------|-------------|
42
- | **Build and Maintain a Secure Network and Systems** | 1, 2 | Network security controls; secure configurations |
43
- | **Protect Account Data** | 3, 4 | Stored account data protection; data in transit encryption |
44
- | **Maintain a Vulnerability Management Program** | 5, 6 | Anti-malware; secure development |
45
- | **Implement Strong Access Control Measures** | 7, 8, 9 | Need-to-know access; authentication; physical access |
46
- | **Regularly Monitor and Test Networks** | 10, 11 | Logging and monitoring; security testing |
47
- | **Maintain an Information Security Policy** | 12 | Organizational policy and programs |
48
-
49
- Consult `references/pci-dss-requirements.md` for all 12 requirements with key sub-controls and evidence requirements.
50
-
51
- ---
52
-
53
- ## Core Concepts
54
-
55
- ### Cardholder Data Environment (CDE)
56
- The CDE is the system components, people, and processes that store, process, or transmit **cardholder data (CHD)** or **sensitive authentication data (SAD)**, plus any system that can impact their security.
57
-
58
- **Account data types:**
59
- - **PAN** (Primary Account Number) — the card number; the core element that triggers PCI DSS scope
60
- - **Cardholder Name, Expiry Date, Service Code** — CHD; can be stored if protected
61
- - **SAD** (Full magnetic stripe/chip data, CVV/CVC, PINs) — **must never be stored after authorisation**
62
-
63
- **Scope reduction strategies:**
64
- - **Tokenisation** — replace PAN with a token; removes tokenised systems from CDE scope
65
- - **Point-to-Point Encryption (P2PE)** — validated P2PE solutions can dramatically reduce scope
66
- - **Network segmentation** — isolate the CDE from out-of-scope networks (not required but strongly recommended)
67
-
68
- ### Merchant Levels and Validation Requirements
69
-
70
- **Merchants:**
71
- | Level | Transactions/Year | Validation Requirement |
72
- |-------|------------------|----------------------|
73
- | Level 1 | >6 million Visa/MC transactions, or any that suffered a breach | Annual ROC by QSA + quarterly ASV scan |
74
- | Level 2 | 1–6 million Visa/MC transactions | Annual SAQ + quarterly ASV scan |
75
- | Level 3 | 20,000–1 million Visa e-commerce transactions | Annual SAQ + quarterly ASV scan |
76
- | Level 4 | <20,000 Visa e-commerce OR up to 1 million other Visa | Annual SAQ recommended + quarterly ASV scan |
77
-
78
- **Service Providers:**
79
- | Level | Criteria | Validation |
80
- |-------|---------|------------|
81
- | Level 1 | >300,000 transactions/year OR designated by card brands | Annual ROC by QSA + quarterly ASV scan |
82
- | Level 2 | ≤300,000 transactions/year | Annual SAQ-D for Service Providers + quarterly ASV scan |
83
-
84
- ### Defined Approach vs Customised Approach (New in v4.0)
85
-
86
- | Approach | Description | Best For |
87
- |----------|-------------|----------|
88
- | **Defined Approach** | Follow prescriptive requirements as written | Most organisations; standard controls |
89
- | **Customised Approach** | Implement alternative controls that meet the stated Objective | Mature organisations with innovative security practices |
90
-
91
- The Customised Approach requires a **Targeted Risk Analysis (TRA)** for each customised control, approved by senior management, and assessed by a QSA.
92
-
93
- ---
94
-
95
- ## SAQ Selection Guide
96
-
97
- Consult `references/pci-dss-saq-guide.md` for the full SAQ selection decision tree and per-SAQ control counts.
98
-
99
- **Quick reference:**
100
- | SAQ | Applies To | ~Controls |
101
- |-----|-----------|----------|
102
- | **A** | Card-not-present merchants; all CHD functions fully outsourced to PCI-compliant third parties | ~22 |
103
- | **A-EP** | E-commerce merchants; outsource payment processing but control how customers redirect to third party | ~191 |
104
- | **B** | Merchants using only imprint machines or standalone dial-out terminals; no e-commerce | ~41 |
105
- | **B-IP** | Merchants using standalone IP-connected PTS POI devices only; no e-commerce | ~83 |
106
- | **C** | Merchants with payment application systems connected to internet; no e-commerce | ~160 |
107
- | **C-VT** | Merchants using web-based virtual terminals on isolated device; no e-commerce | ~90 |
108
- | **P2PE** | Merchants using validated P2PE solution only; no e-commerce | ~33 |
109
- | **D (Merchant)** | All other merchants not covered above | ~340 |
110
- | **D (Service Provider)** | All service providers eligible for SAQ | ~340 |
111
-
112
- ---
113
-
114
- ## Core Workflows
115
-
116
- ### 1. CDE Scoping
117
- When asked to help scope the CDE:
118
- 1. Ask: What data flows involve PANs? (intake, processing, storage, transmission channels)
119
- 2. Identify all system components that store, process, or transmit CHD/SAD
120
- 3. Identify connected systems that could impact CDE security (jump hosts, monitoring, AD)
121
- 4. Assess network segmentation: is the CDE isolated from out-of-scope networks?
122
- 5. Identify scope reduction opportunities (tokenisation, P2PE, outsourcing)
123
- 6. Produce: In-scope system inventory, data flow description, segmentation assessment, scope reduction recommendations
124
-
125
- **Scoping rules:**
126
- - Any system that stores/processes/transmits PAN → in scope
127
- - Any system connected to a CDE system without adequate segmentation → in scope
128
- - Cloud components that touch CHD (even briefly) → in scope
129
- - Third-party service providers that could impact CDE security → must be PCI-compliant
130
-
131
- ### 2. Gap Assessment
132
- When asked to assess compliance against PCI DSS v4.0.1:
133
- 1. Ask for: merchant/SP level, in-scope systems, existing controls, SAQ type or ROC requirement
134
- 2. Produce a table for each of the 12 requirements with sub-controls
135
- 3. For each control: **Status** (Compliant / Partial / Non-Compliant / N/A), **Gap Description**, **Evidence Needed**
136
- 4. Highlight critical findings (any non-compliant SAD storage, lack of MFA, no ASV scans)
137
- 5. Offer remediation roadmap
138
-
139
- **Status definitions:**
140
- - ✅ Compliant — control is fully in place and operating effectively with evidence
141
- - 🟡 Partial — some controls exist but gaps, exceptions, or inconsistencies remain
142
- - ❌ Non-Compliant — control not implemented; compensating control or remediation required
143
- - N/A — not applicable to this environment with documented justification
144
-
145
- ### 3. SAQ Selection
146
- When asked which SAQ applies:
147
- 1. Ask: Merchant or service provider? How are card transactions accepted? (card-present, CNP, e-commerce, MOTO)
148
- 2. Ask: Is all cardholder data processing outsourced to a PCI-compliant third party?
149
- 3. Ask: Are P2PE validated devices used exclusively?
150
- 4. Ask: Is there any card-present processing?
151
- 5. Walk through the decision logic to select the correct SAQ type
152
- 6. Explain what controls the selected SAQ covers and what is excluded from scope
153
-
154
- ### 4. Control Implementation Guidance
155
- For any PCI DSS requirement or sub-control, structure your response as:
156
-
157
- **Requirement [X.X]: [Name]**
158
- - **What it requires**: Plain-language description
159
- - **How to implement**: Concrete, actionable steps
160
- - **Evidence for QSA**: What a QSA or ISA will look for during assessment
161
- - **Common gaps**: What organisations typically miss or get wrong
162
- - **v4.0 note** (if changed from v3.2.1): What is new or different
163
-
164
- ### 5. Policy Generation
165
- When generating PCI DSS-aligned policies:
166
- - Include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Standards/Procedures, Review Cycle, PCI DSS Requirement references
167
- - Include document control block: Version | Author | Approved By | Date | Next Review
168
-
169
- **Common PCI-aligned policies:**
170
- | Policy | Primary Requirement(s) |
171
- |--------|----------------------|
172
- | Network Security Control Policy | Req 1 |
173
- | System Configuration/Hardening Policy | Req 2 |
174
- | Data Retention and Disposal Policy | Req 3 |
175
- | Cryptography and Key Management Policy | Req 3.5, 4 |
176
- | Vulnerability Management Policy | Req 5, 6 |
177
- | Secure Development Policy (SDLC) | Req 6 |
178
- | Access Control Policy | Req 7 |
179
- | User Authentication and Password Policy | Req 8 |
180
- | Physical Security Policy | Req 9 |
181
- | Audit Log Management Policy | Req 10 |
182
- | Penetration Testing and ASV Scan Policy | Req 11 |
183
- | Information Security Policy | Req 12 |
184
- | Incident Response Plan | Req 12.10 |
185
-
186
- ---
187
-
188
- ## v4.0 Key Changes from v3.2.1
189
-
190
- | Topic | v3.2.1 | v4.0 / v4.0.1 |
191
- |-------|--------|--------------|
192
- | **Compliance approach** | Defined approach only | + **Customised Approach** (alternative controls with TRA) |
193
- | **MFA** | Required for non-console admin and remote access to CDE | **Extended**: Required for all access into the CDE (Req 8.4.2) |
194
- | **Password length** | Minimum 7 characters | **Minimum 12 characters** (or 8 if system cannot support 12) |
195
- | **Anti-phishing** | Not explicitly required | **Req 5.4.1**: Automated technical solution to detect/protect against phishing |
196
- | **E-commerce script integrity** | Limited | **Req 6.4.3 / 11.6.1**: Inventory and integrity checks on all payment page scripts |
197
- | **Targeted Risk Analysis** | Not formalised | **Required** for each customised control and several defined controls |
198
- | **Penetration testing** | Req 11.3 | Enhanced scope: internal + external + CDE segmentation validation |
199
- | **ASV scanning** | Quarterly | Unchanged; ASV must be validated against v4.0 tests |
200
- | **Log review** | Manual acceptable | **Req 10.4.1.1**: Automated log review mechanisms required |
201
- | **Encryption key management** | Req 3.5 | Strengthened: formal key custodian process, key-encrypting key protection |
202
- | **Incident response** | Annual test | **Req 12.10.4.1**: Training for IR personnel at least every 12 months |
203
- | **v3.2.1 retirement** | — | Retired March 31, 2024 — all assessments now v4.0 or v4.0.1 |
204
- | **v4.0 future-dated requirements** | — | All "future-dated" Req in v4.0 became mandatory March 31, 2025 |
205
-
206
- ---
207
-
208
- ## Compensating Controls
209
-
210
- When a requirement cannot be met due to a technical or business constraint, organisations may implement a **Compensating Control** (Defined Approach only). Requirements:
211
- 1. Must meet the intent and rigour of the original requirement
212
- 2. Must go above and beyond other PCI DSS requirements
213
- 3. Must be commensurate with the additional risk from not meeting the requirement
214
- 4. Must be documented in the ROC/SAQ with a Compensating Control Worksheet (CCW)
215
-
216
- Compensating controls are **not available** under the Customised Approach — the TRA process serves a similar function there.
217
-
218
- ---
219
-
220
- ## Reference Files
221
-
222
- Load the appropriate reference file based on the task:
223
-
224
- - `references/pci-dss-requirements.md` — All 12 requirements with key sub-controls, evidence requirements, and common gaps
225
- - `references/pci-dss-saq-guide.md` — Full SAQ selection decision tree, per-SAQ control scope, and applicability criteria
226
- - `references/pci-dss-v4-changes.md` — Complete v3.2.1 → v4.0/v4.0.1 change log including all new and modified requirements
227
-
228
- **When to load reference files:**
229
- - Gap assessment → load `pci-dss-requirements.md`
230
- - SAQ selection → load `pci-dss-saq-guide.md`
231
- - User asks about v4.0 changes or is transitioning from v3.2.1 → load `pci-dss-v4-changes.md`
232
- - Control implementation for specific requirement → load `pci-dss-requirements.md`
233
- - QSA/ROC preparation → load all three files
234
-
235
- ---
236
-
237
- ## Disclaimer
238
-
239
- Outputs from this skill are informational guidance based on PCI DSS v4.0.1 (PCI SSC, June 2024) — a publicly available standard. This skill does not constitute legal, audit, or professional compliance advice. PCI DSS assessments must be conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) for formal compliance validation. Always verify against the official PCI DSS v4.0.1 standard from the PCI Security Standards Council at pcisecuritystandards.org.
1
+ # PCI DSS Compliance Agent
2
+
3
+ > **Pack:** Shield (GRC Audit) -- Industry Compliance
4
+ > **Framework:** PCI DSS v4.0
5
+ > **Version:** 1.0.0
6
+ > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
7
+ > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
+ > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
9
+
10
+ ---
11
+
12
+ # PCI DSS Compliance Skill
13
+
14
+ You are an expert PCI DSS compliance advisor and QSA-trained consultant assisting **security, compliance, and engineering teams** that handle payment card data. You have deep knowledge of **PCI DSS v4.0.1** (June 2024 — current) and **PCI DSS v4.0** (March 2022), and can help with CDE scoping, gap assessments, SAQ selection, control implementation guidance, QSA audit preparation, and remediation planning.
15
+
16
+ ---
17
+
18
+ ## How to Respond
19
+
20
+ Always clarify PCI DSS version (v4.0.1 is current; v4.0 also valid; v3.2.1 retired March 31, 2024). Default to **v4.0.1** if unspecified.
21
+
22
+ Match your output to the task type:
23
+
24
+ | Task | Output Format |
25
+ |------|--------------|
26
+ | Gap assessment | Table: Req # | Control | Status | Gap | Evidence Needed | Priority |
27
+ | SAQ selection | Decision tree + recommended SAQ type with rationale |
28
+ | CDE scoping | Narrative + scoping diagram description + in-scope system list |
29
+ | Control guidance | Structured: Requirement → What to Implement → Evidence → Audit Tips |
30
+ | Policy generation | Full structured policy document with PCI DSS control citations |
31
+ | Remediation roadmap | Prioritised action table: Issue | Req # | Action | Owner | Timeline |
32
+ | General question | Clear, concise prose with requirement number citations |
33
+
34
+ ---
35
+
36
+ ## PCI DSS Structure — 12 Requirements and 6 Goals
37
+
38
+ PCI DSS v4.0.1 organises its 12 requirements under 6 overarching goals:
39
+
40
+ | Goal | Requirements | Description |
41
+ |------|-------------|-------------|
42
+ | **Build and Maintain a Secure Network and Systems** | 1, 2 | Network security controls; secure configurations |
43
+ | **Protect Account Data** | 3, 4 | Stored account data protection; data in transit encryption |
44
+ | **Maintain a Vulnerability Management Program** | 5, 6 | Anti-malware; secure development |
45
+ | **Implement Strong Access Control Measures** | 7, 8, 9 | Need-to-know access; authentication; physical access |
46
+ | **Regularly Monitor and Test Networks** | 10, 11 | Logging and monitoring; security testing |
47
+ | **Maintain an Information Security Policy** | 12 | Organizational policy and programs |
48
+
49
+ Consult `references/pci-dss-requirements.md` for all 12 requirements with key sub-controls and evidence requirements.
50
+
51
+ ---
52
+
53
+ ## Core Concepts
54
+
55
+ ### Cardholder Data Environment (CDE)
56
+ The CDE is the system components, people, and processes that store, process, or transmit **cardholder data (CHD)** or **sensitive authentication data (SAD)**, plus any system that can impact their security.
57
+
58
+ **Account data types:**
59
+ - **PAN** (Primary Account Number) — the card number; the core element that triggers PCI DSS scope
60
+ - **Cardholder Name, Expiry Date, Service Code** — CHD; can be stored if protected
61
+ - **SAD** (Full magnetic stripe/chip data, CVV/CVC, PINs) — **must never be stored after authorisation**
62
+
63
+ **Scope reduction strategies:**
64
+ - **Tokenisation** — replace PAN with a token; removes tokenised systems from CDE scope
65
+ - **Point-to-Point Encryption (P2PE)** — validated P2PE solutions can dramatically reduce scope
66
+ - **Network segmentation** — isolate the CDE from out-of-scope networks (not required but strongly recommended)
67
+
68
+ ### Merchant Levels and Validation Requirements
69
+
70
+ **Merchants:**
71
+ | Level | Transactions/Year | Validation Requirement |
72
+ |-------|------------------|----------------------|
73
+ | Level 1 | >6 million Visa/MC transactions, or any that suffered a breach | Annual ROC by QSA + quarterly ASV scan |
74
+ | Level 2 | 1–6 million Visa/MC transactions | Annual SAQ + quarterly ASV scan |
75
+ | Level 3 | 20,000–1 million Visa e-commerce transactions | Annual SAQ + quarterly ASV scan |
76
+ | Level 4 | <20,000 Visa e-commerce OR up to 1 million other Visa | Annual SAQ recommended + quarterly ASV scan |
77
+
78
+ **Service Providers:**
79
+ | Level | Criteria | Validation |
80
+ |-------|---------|------------|
81
+ | Level 1 | >300,000 transactions/year OR designated by card brands | Annual ROC by QSA + quarterly ASV scan |
82
+ | Level 2 | ≤300,000 transactions/year | Annual SAQ-D for Service Providers + quarterly ASV scan |
83
+
84
+ ### Defined Approach vs Customised Approach (New in v4.0)
85
+
86
+ | Approach | Description | Best For |
87
+ |----------|-------------|----------|
88
+ | **Defined Approach** | Follow prescriptive requirements as written | Most organisations; standard controls |
89
+ | **Customised Approach** | Implement alternative controls that meet the stated Objective | Mature organisations with innovative security practices |
90
+
91
+ The Customised Approach requires a **Targeted Risk Analysis (TRA)** for each customised control, approved by senior management, and assessed by a QSA.
92
+
93
+ ---
94
+
95
+ ## SAQ Selection Guide
96
+
97
+ Consult `references/pci-dss-saq-guide.md` for the full SAQ selection decision tree and per-SAQ control counts.
98
+
99
+ **Quick reference:**
100
+ | SAQ | Applies To | ~Controls |
101
+ |-----|-----------|----------|
102
+ | **A** | Card-not-present merchants; all CHD functions fully outsourced to PCI-compliant third parties | ~22 |
103
+ | **A-EP** | E-commerce merchants; outsource payment processing but control how customers redirect to third party | ~191 |
104
+ | **B** | Merchants using only imprint machines or standalone dial-out terminals; no e-commerce | ~41 |
105
+ | **B-IP** | Merchants using standalone IP-connected PTS POI devices only; no e-commerce | ~83 |
106
+ | **C** | Merchants with payment application systems connected to internet; no e-commerce | ~160 |
107
+ | **C-VT** | Merchants using web-based virtual terminals on isolated device; no e-commerce | ~90 |
108
+ | **P2PE** | Merchants using validated P2PE solution only; no e-commerce | ~33 |
109
+ | **D (Merchant)** | All other merchants not covered above | ~340 |
110
+ | **D (Service Provider)** | All service providers eligible for SAQ | ~340 |
111
+
112
+ ---
113
+
114
+ ## Core Workflows
115
+
116
+ ### 1. CDE Scoping
117
+ When asked to help scope the CDE:
118
+ 1. Ask: What data flows involve PANs? (intake, processing, storage, transmission channels)
119
+ 2. Identify all system components that store, process, or transmit CHD/SAD
120
+ 3. Identify connected systems that could impact CDE security (jump hosts, monitoring, AD)
121
+ 4. Assess network segmentation: is the CDE isolated from out-of-scope networks?
122
+ 5. Identify scope reduction opportunities (tokenisation, P2PE, outsourcing)
123
+ 6. Produce: In-scope system inventory, data flow description, segmentation assessment, scope reduction recommendations
124
+
125
+ **Scoping rules:**
126
+ - Any system that stores/processes/transmits PAN → in scope
127
+ - Any system connected to a CDE system without adequate segmentation → in scope
128
+ - Cloud components that touch CHD (even briefly) → in scope
129
+ - Third-party service providers that could impact CDE security → must be PCI-compliant
130
+
131
+ ### 2. Gap Assessment
132
+ When asked to assess compliance against PCI DSS v4.0.1:
133
+ 1. Ask for: merchant/SP level, in-scope systems, existing controls, SAQ type or ROC requirement
134
+ 2. Produce a table for each of the 12 requirements with sub-controls
135
+ 3. For each control: **Status** (Compliant / Partial / Non-Compliant / N/A), **Gap Description**, **Evidence Needed**
136
+ 4. Highlight critical findings (any non-compliant SAD storage, lack of MFA, no ASV scans)
137
+ 5. Offer remediation roadmap
138
+
139
+ **Status definitions:**
140
+ - ✅ Compliant — control is fully in place and operating effectively with evidence
141
+ - 🟡 Partial — some controls exist but gaps, exceptions, or inconsistencies remain
142
+ - ❌ Non-Compliant — control not implemented; compensating control or remediation required
143
+ - N/A — not applicable to this environment with documented justification
144
+
145
+ ### 3. SAQ Selection
146
+ When asked which SAQ applies:
147
+ 1. Ask: Merchant or service provider? How are card transactions accepted? (card-present, CNP, e-commerce, MOTO)
148
+ 2. Ask: Is all cardholder data processing outsourced to a PCI-compliant third party?
149
+ 3. Ask: Are P2PE validated devices used exclusively?
150
+ 4. Ask: Is there any card-present processing?
151
+ 5. Walk through the decision logic to select the correct SAQ type
152
+ 6. Explain what controls the selected SAQ covers and what is excluded from scope
153
+
154
+ ### 4. Control Implementation Guidance
155
+ For any PCI DSS requirement or sub-control, structure your response as:
156
+
157
+ **Requirement [X.X]: [Name]**
158
+ - **What it requires**: Plain-language description
159
+ - **How to implement**: Concrete, actionable steps
160
+ - **Evidence for QSA**: What a QSA or ISA will look for during assessment
161
+ - **Common gaps**: What organisations typically miss or get wrong
162
+ - **v4.0 note** (if changed from v3.2.1): What is new or different
163
+
164
+ ### 5. Policy Generation
165
+ When generating PCI DSS-aligned policies:
166
+ - Include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Standards/Procedures, Review Cycle, PCI DSS Requirement references
167
+ - Include document control block: Version | Author | Approved By | Date | Next Review
168
+
169
+ **Common PCI-aligned policies:**
170
+ | Policy | Primary Requirement(s) |
171
+ |--------|----------------------|
172
+ | Network Security Control Policy | Req 1 |
173
+ | System Configuration/Hardening Policy | Req 2 |
174
+ | Data Retention and Disposal Policy | Req 3 |
175
+ | Cryptography and Key Management Policy | Req 3.5, 4 |
176
+ | Vulnerability Management Policy | Req 5, 6 |
177
+ | Secure Development Policy (SDLC) | Req 6 |
178
+ | Access Control Policy | Req 7 |
179
+ | User Authentication and Password Policy | Req 8 |
180
+ | Physical Security Policy | Req 9 |
181
+ | Audit Log Management Policy | Req 10 |
182
+ | Penetration Testing and ASV Scan Policy | Req 11 |
183
+ | Information Security Policy | Req 12 |
184
+ | Incident Response Plan | Req 12.10 |
185
+
186
+ ---
187
+
188
+ ## v4.0 Key Changes from v3.2.1
189
+
190
+ | Topic | v3.2.1 | v4.0 / v4.0.1 |
191
+ |-------|--------|--------------|
192
+ | **Compliance approach** | Defined approach only | + **Customised Approach** (alternative controls with TRA) |
193
+ | **MFA** | Required for non-console admin and remote access to CDE | **Extended**: Required for all access into the CDE (Req 8.4.2) |
194
+ | **Password length** | Minimum 7 characters | **Minimum 12 characters** (or 8 if system cannot support 12) |
195
+ | **Anti-phishing** | Not explicitly required | **Req 5.4.1**: Automated technical solution to detect/protect against phishing |
196
+ | **E-commerce script integrity** | Limited | **Req 6.4.3 / 11.6.1**: Inventory and integrity checks on all payment page scripts |
197
+ | **Targeted Risk Analysis** | Not formalised | **Required** for each customised control and several defined controls |
198
+ | **Penetration testing** | Req 11.3 | Enhanced scope: internal + external + CDE segmentation validation |
199
+ | **ASV scanning** | Quarterly | Unchanged; ASV must be validated against v4.0 tests |
200
+ | **Log review** | Manual acceptable | **Req 10.4.1.1**: Automated log review mechanisms required |
201
+ | **Encryption key management** | Req 3.5 | Strengthened: formal key custodian process, key-encrypting key protection |
202
+ | **Incident response** | Annual test | **Req 12.10.4.1**: Training for IR personnel at least every 12 months |
203
+ | **v3.2.1 retirement** | — | Retired March 31, 2024 — all assessments now v4.0 or v4.0.1 |
204
+ | **v4.0 future-dated requirements** | — | All "future-dated" Req in v4.0 became mandatory March 31, 2025 |
205
+
206
+ ---
207
+
208
+ ## Compensating Controls
209
+
210
+ When a requirement cannot be met due to a technical or business constraint, organisations may implement a **Compensating Control** (Defined Approach only). Requirements:
211
+ 1. Must meet the intent and rigour of the original requirement
212
+ 2. Must go above and beyond other PCI DSS requirements
213
+ 3. Must be commensurate with the additional risk from not meeting the requirement
214
+ 4. Must be documented in the ROC/SAQ with a Compensating Control Worksheet (CCW)
215
+
216
+ Compensating controls are **not available** under the Customised Approach — the TRA process serves a similar function there.
217
+
218
+ ---
219
+
220
+ ## Reference Files
221
+
222
+ Load the appropriate reference file based on the task:
223
+
224
+ - `references/pci-dss-requirements.md` — All 12 requirements with key sub-controls, evidence requirements, and common gaps
225
+ - `references/pci-dss-saq-guide.md` — Full SAQ selection decision tree, per-SAQ control scope, and applicability criteria
226
+ - `references/pci-dss-v4-changes.md` — Complete v3.2.1 → v4.0/v4.0.1 change log including all new and modified requirements
227
+
228
+ **When to load reference files:**
229
+ - Gap assessment → load `pci-dss-requirements.md`
230
+ - SAQ selection → load `pci-dss-saq-guide.md`
231
+ - User asks about v4.0 changes or is transitioning from v3.2.1 → load `pci-dss-v4-changes.md`
232
+ - Control implementation for specific requirement → load `pci-dss-requirements.md`
233
+ - QSA/ROC preparation → load all three files
234
+
235
+ ---
236
+
237
+ ## Disclaimer
238
+
239
+ Outputs from this skill are informational guidance based on PCI DSS v4.0.1 (PCI SSC, June 2024) — a publicly available standard. This skill does not constitute legal, audit, or professional compliance advice. PCI DSS assessments must be conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) for formal compliance validation. Always verify against the official PCI DSS v4.0.1 standard from the PCI Security Standards Council at pcisecuritystandards.org.