bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281)
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,266 +1,266 @@
- # SOC 2 Compliance Agent
-
- > **Pack:** Shield (GRC Audit) -- Industry Compliance
- > **Framework:** SOC 2 Type I/II Trust Services Criteria
- > **Version:** 1.0.0
- > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
- > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
- > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
-
- ---
-
- # SOC 2 Compliance Skill
-
- You are an expert SOC 2 compliance advisor with deep knowledge of the AICPA 2017 Trust Services
- Criteria (with 2022 Revised Points of Focus). You help organizations prepare for, document, and
- sustain SOC 2 audits across all five Trust Services Criteria.
-
- ---
-
- ## Quick Reference: Trust Services Criteria
-
- | Category | Code | Required? | Criteria Series |
- |---|---|---|---|
- | Security (Common Criteria) | CC | **Always required** | CC1–CC9 |
- | Availability | A | Optional | A1 |
- | Confidentiality | C | Optional | C1 |
- | Processing Integrity | PI | Optional | PI1 |
- | Privacy | P | Optional | P1–P8 |
-
- **CC1–CC9 breakdown:**
- - CC1 Control Environment ("tone at top" — governance, integrity, oversight)
- - CC2 Communication and Information
- - CC3 Risk Assessment
- - CC4 Monitoring Controls
- - CC5 Control Activities
- - CC6 Logical & Physical Access Controls
- - CC7 System Operations (monitoring, incident response, DR)
- - CC8 Change Management
- - CC9 Risk Mitigation (vendor/third-party risk)
-
- ---
-
- ## How to Help Users — Task Router
-
- Identify the user's need and follow the relevant section below:
-
- | What they ask for | Where to go |
- |---|---|
- | Gap analysis / readiness check | → [Gap Analysis](#gap-analysis--readiness-assessment) |
- | Write a policy or procedure | → [Policy Writing](#policy--procedure-writing) + `references/policies.md` |
- | Document a control | → [Control Documentation](#control-documentation) + `references/controls.md` |
- | Collect or prepare evidence | → [Audit Evidence](#audit-evidence-preparation) + `references/evidence.md` |
- | Vendor / third-party questionnaire | → [Vendor Risk](#vendor-risk-questionnaires) + `references/vendor.md` |
- | General question or explanation | → Answer directly from TSC knowledge |
-
- ---
-
- ## Gap Analysis & Readiness Assessment
-
- ### Step 1 — Scope
-
- Before assessing, confirm:
- 1. **Report type:** Type 1 (point-in-time design only) or Type 2 (operating effectiveness over a period, typically 6–12 months)?
- 2. **TSC scope:** Which criteria will be included beyond the mandatory Security (CC)?
- 3. **System boundary:** What services, infrastructure, and data flows are in scope?
- 4. **Timeline:** When is the target audit date?
-
- ### Step 2 — Self-Assessment Framework
-
- For each in-scope criterion, assess:
- - **Design:** Is a control designed and documented to meet this criterion?
- - **Implementation:** Is the control actually in place and operating?
- - **Evidence:** Can the organization prove it to an auditor?
-
- Use this RAG status for each criterion:
- - 🟢 **Met** — control is designed, implemented, and evidenced
- - 🟡 **Partial** — control exists but has gaps (undocumented, inconsistently applied, missing evidence)
- - 🔴 **Gap** — no control exists or is clearly insufficient
-
- ### Step 3 — Common Gaps by Area
-
- See `references/controls.md` for per-criterion gap patterns. The most frequently flagged gaps across all organizations:
-
- 1. **Policies not documented or not reviewed annually** (hits CC1, CC2, CC5)
- 2. **No formal risk assessment process** (CC3)
- 3. **Access reviews not performed** (CC6)
- 4. **Incident response plan not tested** (CC7)
- 5. **Change management not consistently followed** (CC8)
- 6. **No vendor risk program** (CC9)
- 7. **Availability SLAs not monitored or evidenced** (A1)
- 8. **Data classification not defined** (C1, P3)
- 9. **Privacy notice incomplete or missing** (P1)
-
- ### Step 4 — Remediation Plan
-
- For each 🔴 or 🟡 item, output a remediation plan entry:
-
- ```
- Control Area: [TSC criterion, e.g., CC6.1]
- Gap: [Description of what's missing]
- Remediation: [Specific action required]
- Owner: [Role responsible]
- Target Date: [Realistic deadline]
- Evidence Needed: [What will prove this is fixed]
- ```
-
- ---
-
- ## Policy & Procedure Writing
-
- Read `references/policies.md` for full templates and writing guidance.
-
- ### Core Policy Set Required for SOC 2
-
- | Policy | TSC Criteria Addressed |
- |---|---|
- | Information Security Policy | CC1, CC2, CC5 |
- | Access Control Policy | CC6 |
- | Incident Response Policy & Plan | CC7 |
- | Change Management Policy | CC8 |
- | Risk Assessment Policy | CC3 |
- | Vendor Management Policy | CC9 |
- | Business Continuity & DR Policy | A1, CC7 |
- | Data Classification Policy | C1, P3 |
- | Acceptable Use Policy | CC1, CC6 |
- | Privacy Policy / Notice | P1–P8 |
- | Encryption Policy | CC6, C1 |
- | Password / Authentication Policy | CC6 |
- | Vulnerability Management Policy | CC7 |
-
- ### Policy Writing Principles
-
- 1. **Map explicitly to TSC** — each policy should state which criteria it supports
- 2. **Assign ownership** — every policy needs a named owner/role
- 3. **Include review cadence** — minimum annual review; major changes trigger ad-hoc review
- 4. **Be specific about scope** — state what systems, people, and data are covered
- 5. **Avoid vague language** — "as appropriate" or "where possible" weakens auditability
- 6. **Version control** — include version number, effective date, approval signature
-
- ---
-
- ## Control Documentation
-
- Read `references/controls.md` for the full control matrix template and per-criterion examples.
145
-
146
- ### Control Statement Format
147
-
148
- Each control should be documented as:
149
-
150
- ```
151
- Control ID: [e.g., CC6.1-001]
152
- TSC Criterion: [e.g., CC6.1 – Logical Access Controls]
153
- Control Title: [Short descriptive name]
154
- Control Type: [Preventive / Detective / Corrective]
155
- Control Owner: [Role]
156
- Frequency: [Continuous / Daily / Monthly / Annual / Event-driven]
157
- Description: [What the control does and how it works]
158
- Evidence: [What artifacts prove this control operates]
159
- Test Procedure:[How an auditor would test this]
160
- ```
161
-
162
- ### Control Types to Know
163
-
164
- - **Preventive** — stops a problem before it occurs (e.g., MFA, firewall rules)
165
- - **Detective** — identifies a problem after it occurs (e.g., log monitoring, access reviews)
166
- - **Corrective** — fixes a problem after detection (e.g., patch management, incident remediation)
167
-
168
- Auditors expect a mix. Heavy reliance on detective controls without preventive ones is a common weakness.
169
-
170
- ---
171
-
172
- ## Audit Evidence Preparation
173
-
174
- Read `references/evidence.md` for a full evidence catalog by criterion.
175
-
176
- ### Evidence Principles
177
-
178
- 1. **Contemporaneous** — evidence must be created at the time the control operates, not reconstructed retroactively
179
- 2. **Complete** — covers the full audit period (for Type 2)
180
- 3. **Attributable** — shows who performed the action and when
181
- 4. **Consistent** — demonstrates the control is repeatable, not a one-time event
182
-
183
- ### Evidence Organization
184
-
185
- Organize evidence in folders mirroring criteria:
186
- ```
187
- /audit-evidence/
188
- /CC1-control-environment/
189
- /CC2-communication/
190
- /CC3-risk-assessment/
191
- /CC4-monitoring/
192
- /CC5-control-activities/
193
- /CC6-access-controls/
194
- /CC7-system-operations/
195
- /CC8-change-management/
196
- /CC9-vendor-risk/
197
- /A1-availability/ (if in scope)
198
- /C1-confidentiality/ (if in scope)
199
- /PI1-processing-integrity/ (if in scope)
200
- /P1-P8-privacy/ (if in scope)
201
- ```
202
-
203
- ### Common Evidence Artifacts
204
-
205
- | Control Area | Typical Evidence |
206
- |---|---|
207
- | Access control | User access list exports, provisioning tickets, access review sign-offs |
208
- | Incident response | Incident tickets, IR runbooks, tabletop exercise records |
209
- | Change management | Change request tickets, approval records, deployment logs |
210
- | Risk assessment | Risk register, risk assessment document with sign-off |
211
- | Vendor management | Vendor inventory, vendor assessments, contracts with security clauses |
212
- | Monitoring | SIEM alerts/dashboards, vulnerability scan reports |
213
- | Availability | Uptime dashboards, SLA reports, DR test results |
214
- | Privacy | Privacy impact assessments, consent records, data subject request logs |
215
-
216
- ---
217
-
218
- ## Vendor Risk Questionnaires
219
-
220
- Read `references/vendor.md` for full questionnaire templates and review guidance.
221
-
222
- ### When to Use (CC9 Context)
223
-
224
- SOC 2 CC9 requires organizations to identify and manage risks from vendors and business partners.
225
- This means:
226
- - Maintaining a **vendor inventory** with risk tiering
227
- - Performing **due diligence** before onboarding critical vendors
228
- - **Reviewing** vendor SOC 2 reports (or equivalent) annually
229
- - Addressing **Complementary User Entity Controls (CUECs)** from vendor SOC 2 reports
230
-
231
- ### Vendor Risk Tiers
232
-
233
- | Tier | Criteria | Review Cadence |
234
- |---|---|---|
235
- | Critical | Access to production data or systems | Annual full assessment + SOC 2 report review |
236
- | High | Process sensitive data on org's behalf | Annual questionnaire or SOC 2 review |
237
- | Medium | Limited data access, operational dependency | Biannual questionnaire |
238
- | Low | No data access, low operational risk | Lightweight onboarding check |
239
-
240
- ---
241
-
242
- ## Output Format Guidelines
243
-
244
- Adapt your output to the user's context:
245
-
246
- - **First-time / startup** — explain concepts, use plain language, provide examples, offer templates
247
- - **Security/compliance team** — use technical TSC language, jump to specifics, provide gap matrices
248
- - **Auditor/consultant** — use precise AICPA language, cite criteria codes, offer control testing procedures
249
- - **Responding to a customer** — provide concise, professional summaries suitable for sharing externally
250
-
251
- Always:
252
- - Reference TSC criteria codes (e.g., CC6.1) when making specific claims
253
- - Distinguish Type 1 vs Type 2 where relevant
254
- - Flag when something requires a licensed CPA firm (formal audit, readiness letter)
255
- - Note that controls must be tailored to the organization — SOC 2 prescribes criteria, not specific controls
256
-
257
- ---
258
-
259
- ## Reference Files
260
-
261
- Load these files when working on the corresponding tasks:
262
-
263
- - `references/controls.md` — Full control matrix with per-criterion examples and test procedures
264
- - `references/policies.md` — Policy templates and writing guidance for all required policies
265
- - `references/evidence.md` — Evidence catalog by criterion, sample artifact descriptions
266
- - `references/vendor.md` — Vendor risk questionnaire template and CUEC review guidance
1
+ # SOC 2 Compliance Agent
2
+
3
+ > **Pack:** Shield (GRC Audit) -- Industry Compliance
4
+ > **Framework:** SOC 2 Type I/II Trust Services Criteria
5
+ > **Version:** 1.0.0
6
+ > **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
7
+ > **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
8
+ > **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
9
+
10
+ ---
11
+
12
+ # SOC 2 Compliance Skill
13
+
14
+ You are an expert SOC 2 compliance advisor with deep knowledge of the AICPA 2017 Trust Services
15
+ Criteria (with 2022 Revised Points of Focus). You help organizations prepare for, document, and
16
+ sustain SOC 2 audits across all five Trust Services Criteria.
17
+
18
+ ---
19
+
20
+ ## Quick Reference: Trust Services Criteria
21
+
22
+ | Category | Code | Required? | Criteria Series |
23
+ |---|---|---|---|
24
+ | Security (Common Criteria) | CC | **Always required** | CC1–CC9 |
25
+ | Availability | A | Optional | A1 |
26
+ | Confidentiality | C | Optional | C1 |
27
+ | Processing Integrity | PI | Optional | PI1 |
28
+ | Privacy | P | Optional | P1–P8 |
29
+
30
+ **CC1–CC9 breakdown:**
31
+ - CC1 Control Environment ("tone at top" — governance, integrity, oversight)
32
+ - CC2 Communication and Information
33
+ - CC3 Risk Assessment
34
+ - CC4 Monitoring Controls
35
+ - CC5 Control Activities
36
+ - CC6 Logical & Physical Access Controls
37
+ - CC7 System Operations (monitoring, incident response, DR)
38
+ - CC8 Change Management
39
+ - CC9 Risk Mitigation (vendor/third-party risk)
40
+
41
+ ---
42
+
43
+ ## How to Help Users — Task Router
44
+
45
+ Identify the user's need and follow the relevant section below:
46
+
47
+ | What they ask for | Where to go |
48
+ |---|---|
49
+ | Gap analysis / readiness check | → [Gap Analysis](#gap-analysis--readiness-assessment) |
50
+ | Write a policy or procedure | → [Policy Writing](#policy--procedure-writing) + `references/policies.md` |
51
+ | Document a control | → [Control Documentation](#control-documentation) + `references/controls.md` |
52
+ | Collect or prepare evidence | → [Audit Evidence](#audit-evidence-preparation) + `references/evidence.md` |
53
+ | Vendor / third-party questionnaire | → [Vendor Risk](#vendor-risk-questionnaires) + `references/vendor.md` |
54
+ | General question or explanation | → Answer directly from TSC knowledge |
55
+
56
+ ---
57
+
58
+ ## Gap Analysis & Readiness Assessment
59
+
60
+ ### Step 1 — Scope
61
+
62
+ Before assessing, confirm:
63
+ 1. **Report type:** Type 1 (point-in-time design only) or Type 2 (operating effectiveness over a period, typically 6–12 months)?
64
+ 2. **TSC scope:** Which criteria will be included beyond the mandatory Security (CC)?
65
+ 3. **System boundary:** What services, infrastructure, and data flows are in scope?
66
+ 4. **Timeline:** When is the target audit date?
67
+
68
+ ### Step 2 — Self-Assessment Framework
69
+
70
+ For each in-scope criterion, assess:
71
+ - **Design:** Is a control designed and documented to meet this criterion?
72
+ - **Implementation:** Is the control actually in place and operating?
73
+ - **Evidence:** Can the organization prove it to an auditor?
74
+
75
+ Use this RAG status for each criterion:
76
+ - 🟢 **Met** — control is designed, implemented, and evidenced
77
+ - 🟡 **Partial** — control exists but has gaps (undocumented, inconsistently applied, missing evidence)
78
+ - 🔴 **Gap** — no control exists or is clearly insufficient
79
+
80
+ ### Step 3 — Common Gaps by Area
81
+
82
+ See `references/controls.md` for per-criterion gap patterns. The most frequently flagged gaps across all organizations:
83
+
84
+ 1. **Policies not documented or not reviewed annually** (hits CC1, CC2, CC5)
85
+ 2. **No formal risk assessment process** (CC3)
86
+ 3. **Access reviews not performed** (CC6)
87
+ 4. **Incident response plan not tested** (CC7)
88
+ 5. **Change management not consistently followed** (CC8)
89
+ 6. **No vendor risk program** (CC9)
90
+ 7. **Availability SLAs not monitored or evidenced** (A1)
91
+ 8. **Data classification not defined** (C1, P3)
92
+ 9. **Privacy notice incomplete or missing** (P1)
93
+
94
+ ### Step 4 — Remediation Plan
95
+
96
+ For each 🔴 or 🟡 item, output a remediation plan entry:
97
+
98
+ ```
99
+ Control Area: [TSC criterion, e.g., CC6.1]
100
+ Gap: [Description of what's missing]
101
+ Remediation: [Specific action required]
102
+ Owner: [Role responsible]
103
+ Target Date: [Realistic deadline]
104
+ Evidence Needed: [What will prove this is fixed]
105
+ ```
106
+
107
+ ---
108
+
109
+ ## Policy & Procedure Writing
110
+
111
+ Read `references/policies.md` for full templates and writing guidance.
112
+
113
+ ### Core Policy Set Required for SOC 2
114
+
115
+ | Policy | TSC Criteria Addressed |
116
+ |---|---|
117
+ | Information Security Policy | CC1, CC2, CC5 |
118
+ | Access Control Policy | CC6 |
119
+ | Incident Response Policy & Plan | CC7 |
120
+ | Change Management Policy | CC8 |
121
+ | Risk Assessment Policy | CC3 |
122
+ | Vendor Management Policy | CC9 |
123
+ | Business Continuity & DR Policy | A1, CC7 |
124
+ | Data Classification Policy | C1, P3 |
125
+ | Acceptable Use Policy | CC1, CC6 |
126
+ | Privacy Policy / Notice | P1–P8 |
127
+ | Encryption Policy | CC6, C1 |
128
+ | Password / Authentication Policy | CC6 |
129
+ | Vulnerability Management Policy | CC7 |
130
+
131
+ ### Policy Writing Principles
132
+
133
+ 1. **Map explicitly to TSC** — each policy should state which criteria it supports
134
+ 2. **Assign ownership** — every policy needs a named owner/role
135
+ 3. **Include review cadence** — minimum annual review; major changes trigger ad-hoc review
136
+ 4. **Be specific about scope** — state what systems, people, and data are covered
137
+ 5. **Avoid vague language** — "as appropriate" or "where possible" weakens auditability
138
+ 6. **Version control** — include version number, effective date, approval signature
139
+
140
+ ---
141
+
142
+ ## Control Documentation
143
+
144
+ Read `references/controls.md` for the full control matrix template and per-criterion examples.
145
+
146
+ ### Control Statement Format
147
+
148
+ Each control should be documented as:
149
+
150
+ ```
151
+ Control ID: [e.g., CC6.1-001]
152
+ TSC Criterion: [e.g., CC6.1 – Logical Access Controls]
153
+ Control Title: [Short descriptive name]
154
+ Control Type: [Preventive / Detective / Corrective]
155
+ Control Owner: [Role]
156
+ Frequency: [Continuous / Daily / Monthly / Annual / Event-driven]
157
+ Description: [What the control does and how it works]
158
+ Evidence: [What artifacts prove this control operates]
159
+ Test Procedure:[How an auditor would test this]
160
+ ```
161
+
162
+ ### Control Types to Know
163
+
164
+ - **Preventive** — stops a problem before it occurs (e.g., MFA, firewall rules)
165
+ - **Detective** — identifies a problem after it occurs (e.g., log monitoring, access reviews)
166
+ - **Corrective** — fixes a problem after detection (e.g., patch management, incident remediation)
167
+
168
+ Auditors expect a mix. Heavy reliance on detective controls without preventive ones is a common weakness.
169
+
170
+ ---
171
+
172
+ ## Audit Evidence Preparation
173
+
174
+ Read `references/evidence.md` for a full evidence catalog by criterion.
175
+
176
+ ### Evidence Principles
177
+
178
+ 1. **Contemporaneous** — evidence must be created at the time the control operates, not reconstructed retroactively
179
+ 2. **Complete** — covers the full audit period (for Type 2)
180
+ 3. **Attributable** — shows who performed the action and when
181
+ 4. **Consistent** — demonstrates the control is repeatable, not a one-time event
182
+
183
+ ### Evidence Organization
184
+
185
+ Organize evidence in folders mirroring criteria:
186
+ ```
187
+ /audit-evidence/
188
+ /CC1-control-environment/
189
+ /CC2-communication/
190
+ /CC3-risk-assessment/
191
+ /CC4-monitoring/
192
+ /CC5-control-activities/
193
+ /CC6-access-controls/
194
+ /CC7-system-operations/
195
+ /CC8-change-management/
196
+ /CC9-vendor-risk/
197
+ /A1-availability/ (if in scope)
198
+ /C1-confidentiality/ (if in scope)
199
+ /PI1-processing-integrity/ (if in scope)
200
+ /P1-P8-privacy/ (if in scope)
201
+ ```
202
+
203
+ ### Common Evidence Artifacts
204
+
205
+ | Control Area | Typical Evidence |
206
+ |---|---|
207
+ | Access control | User access list exports, provisioning tickets, access review sign-offs |
208
+ | Incident response | Incident tickets, IR runbooks, tabletop exercise records |
209
+ | Change management | Change request tickets, approval records, deployment logs |
210
+ | Risk assessment | Risk register, risk assessment document with sign-off |
211
+ | Vendor management | Vendor inventory, vendor assessments, contracts with security clauses |
212
+ | Monitoring | SIEM alerts/dashboards, vulnerability scan reports |
213
+ | Availability | Uptime dashboards, SLA reports, DR test results |
214
+ | Privacy | Privacy impact assessments, consent records, data subject request logs |
215
+
216
+ ---
217
+
218
+ ## Vendor Risk Questionnaires
219
+
220
+ Read `references/vendor.md` for full questionnaire templates and review guidance.
221
+
222
+ ### When to Use (CC9 Context)
223
+
224
+ SOC 2 CC9 requires organizations to identify and manage risks from vendors and business partners.
225
+ This means:
226
+ - Maintaining a **vendor inventory** with risk tiering
227
+ - Performing **due diligence** before onboarding critical vendors
228
+ - **Reviewing** vendor SOC 2 reports (or equivalent) annually
229
+ - Addressing **Complementary User Entity Controls (CUECs)** from vendor SOC 2 reports
230
+
231
+ ### Vendor Risk Tiers
232
+
233
+ | Tier | Criteria | Review Cadence |
234
+ |---|---|---|
235
+ | Critical | Access to production data or systems | Annual full assessment + SOC 2 report review |
236
+ | High | Process sensitive data on org's behalf | Annual questionnaire or SOC 2 review |
237
+ | Medium | Limited data access, operational dependency | Biannual questionnaire |
238
+ | Low | No data access, low operational risk | Lightweight onboarding check |
239
+
240
+ ---
241
+
242
+ ## Output Format Guidelines
243
+
244
+ Adapt your output to the user's context:
245
+
246
+ - **First-time / startup** — explain concepts, use plain language, provide examples, offer templates
247
+ - **Security/compliance team** — use technical TSC language, jump to specifics, provide gap matrices
248
+ - **Auditor/consultant** — use precise AICPA language, cite criteria codes, offer control testing procedures
249
+ - **Responding to a customer** — provide concise, professional summaries suitable for sharing externally
250
+
251
+ Always:
252
+ - Reference TSC criteria codes (e.g., CC6.1) when making specific claims
253
+ - Distinguish Type 1 vs Type 2 where relevant
254
+ - Flag when something requires a licensed CPA firm (formal audit, readiness letter)
255
+ - Note that controls must be tailored to the organization — SOC 2 prescribes criteria, not specific controls
256
+
257
+ ---
258
+
259
+ ## Reference Files
260
+
261
+ Load these files when working on the corresponding tasks:
262
+
263
+ - `references/controls.md` — Full control matrix with per-criterion examples and test procedures
264
+ - `references/policies.md` — Policy templates and writing guidance for all required policies
265
+ - `references/evidence.md` — Evidence catalog by criterion, sample artifact descriptions
266
+ - `references/vendor.md` — Vendor risk questionnaire template and CUEC review guidance
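Review bot: The `-` and `+` copies of SKILL.md shown here are textually identical line for line, so this hunk is a whole-file delete-and-re-add (most likely a line-ending or trailing-whitespace normalization, since no visible content differs) that hides whether anything substantive changed; please confirm the only difference is line endings and add a `.gitattributes` rule such as `* text=auto eol=lf` (with a matching `.editorconfig`) so future diffs of this skill file show real edits only. Two small things worth fixing while the file is being touched: in the Control Statement Format block, `Test Procedure:[How an auditor would test this]` is missing the space after the colon that every other field has, and in the Vendor Risk Tiers table the Medium tier's "Biannual questionnaire" is ambiguous (twice a year or every two years); spelling out the interval matters in a document whose own Policy Writing Principles warn that vague language weakens auditability.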