fraim-framework 2.0.56 → 2.0.58

package/dist/registry/workflows/compliance/soc2-evidence-generator.md

@@ -1,332 +0,0 @@
-# Learned Skill: SOC2 Evidence Generator
-
-**Category:** compliance
-**Created:** 2026-02-01
-**Last Updated:** 2026-02-01
-**Project Context:** FRAIM Framework - AI Management System requiring SOC2 compliance for enterprise customers
-
----
-
-## INTENT
-Generate comprehensive SOC2 compliance evidence packages by automatically collecting, documenting, and formatting evidence from project systems to demonstrate adherence to Trust Service Criteria during annual audits.
-
-## PRINCIPLES
-- **Comprehensive Coverage**: Address all five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
-- **Automated Collection**: Minimize manual effort through systematic evidence gathering
-- **Auditor-Ready Format**: Present evidence in formats auditors expect and can easily review
-- **Gap Detection**: Identify missing controls and evidence to ensure audit readiness
-- **Continuous Monitoring**: Support ongoing evidence collection throughout the year
-
-## SOC2 REFERENCE MATERIALS
-
-### Official SOC2 Resources
-- **AICPA SOC2 Framework**: https://www.aicpa.org/resources/landing/system-and-organization-controls-soc-suite-of-services
-- **Trust Service Criteria**: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
-- **SOC2 Implementation Guide**: https://www.aicpa.org/resources/download/soc-2-implementation-guide
-
-### Trust Service Criteria Details
-1. **Security (CC1.0-CC9.0)**: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf#page=15
-2. **Availability (A1.0-A1.3)**: System availability and operational requirements
-3. **Processing Integrity (PI1.0-PI1.3)**: Data processing accuracy and completeness
-4. **Confidentiality (C1.0-C1.2)**: Information protection and access controls
-5. **Privacy (P1.0-P9.0)**: Personal information handling and protection
-
-## WORKFLOW
-
-### Phase 1: Evidence Planning & Scoping
-**Objective**: Identify applicable controls and map evidence sources
-
-**Actions**:
-1. **Review Project Configuration**:
-   - Read `.fraim/config.json` compliance settings
-   - Confirm SOC2 Trust Service Criteria in scope
-   - Identify project-specific compliance requirements
-
-2. **Map Controls to Evidence Sources**:
-   - **GitHub Repository**: Access controls, change management, code reviews
-   - **Application Logs**: Security events, error handling, monitoring
-   - **Infrastructure**: System configurations, backup procedures
-   - **Documentation**: Policies, procedures, incident response plans
-   - **Dependencies**: Vulnerability management, third-party assessments
-
-3. **Create Evidence Collection Plan**:
-   - Define evidence collection timeline (typically 12 months)
-   - Assign responsibility for each evidence type
-   - Establish evidence retention and storage procedures
-
-**Tools/Resources**:
-- `.fraim/config.json` for compliance configuration
-- SOC2 Trust Service Criteria mapping template
-- Evidence collection checklist
-
-**Output**: Comprehensive evidence collection plan with timelines and responsibilities
-
-### Phase 2: Automated Evidence Collection
-**Objective**: Systematically gather evidence from all identified sources
-
-**Security Controls Evidence**:
-1. **Access Management (CC6.0)**:
-   - GitHub user access reports and permissions
-   - Repository access logs and audit trails
-   - Multi-factor authentication configurations
-   - User provisioning/deprovisioning records
-
-2. **Change Management (CC8.0)**:
-   - Git commit history with author attribution
-   - Pull request reviews and approvals
-   - Deployment logs and change approvals
-   - Emergency change procedures documentation
-
-3. **System Monitoring (CC7.0)**:
-   - Application error logs and monitoring alerts
-   - Security incident logs and response records
-   - Vulnerability scan results and remediation
-   - System performance and availability metrics
-
-**Availability Controls Evidence**:
-1. **System Availability (A1.0)**:
-   - Uptime monitoring reports and SLA metrics
-   - Backup and recovery test results
-   - Disaster recovery procedures and testing
-   - Capacity planning and resource monitoring
-
-**Processing Integrity Evidence**:
-1. **Data Processing (PI1.0)**:
-   - Input validation and error handling logs
-   - Data processing accuracy controls
-   - System processing completeness checks
-   - Automated testing results and coverage
-
-**Confidentiality Evidence**:
-1. **Data Protection (C1.0)**:
-   - Encryption implementation and key management
-   - Data classification and handling procedures
-   - Secure transmission and storage controls
-   - Data access logging and monitoring
-
-**Privacy Evidence** (if applicable):
-1. **Personal Information (P1.0-P9.0)**:
-   - Privacy policy and consent management
-   - Data collection and usage documentation
-   - Data subject rights procedures
-   - Data retention and disposal records
-
-**Tools/Resources**:
-- GitHub API for access and change management data
-- Application logging systems for security events
-- Monitoring tools for availability and performance data
-- Documentation repositories for policies and procedures
-
-**Output**: Organized evidence files mapped to specific SOC2 controls
-
-### Phase 3: Evidence Documentation & Formatting
-**Objective**: Create auditor-ready evidence packages with proper documentation
-
-**Actions**:
-1. **Generate Evidence Narratives**:
-   - Create control descriptions explaining how each control operates
-   - Document control design and implementation details
-   - Provide context for evidence and its relevance to controls
-
-2. **Format Evidence Packages**:
-   - Organize evidence by Trust Service Criteria
-   - Include screenshots and system configurations
-   - Create evidence matrices mapping controls to evidence
-   - Add timestamps and data integrity verification
-
-3. **Create Supporting Documentation**:
-   - System boundary descriptions and network diagrams
-   - Vendor management and third-party assessments
-   - Incident response procedures and testing results
-   - Employee training records and security awareness
-
-**Evidence Package Structure**:
-```
-docs/compliance/soc2-evidence/
-├── 01-security/
-│   ├── CC1-control-environment/
-│   ├── CC2-communication-information/
-│   ├── CC3-risk-assessment/
-│   ├── CC4-monitoring-activities/
-│   ├── CC5-control-activities/
-│   ├── CC6-logical-physical-access/
-│   ├── CC7-system-operations/
-│   ├── CC8-change-management/
-│   └── CC9-risk-mitigation/
-├── 02-availability/
-├── 03-processing-integrity/
-├── 04-confidentiality/
-├── 05-privacy/
-└── evidence-matrix.xlsx
-```
-
-**Tools/Resources**:
-- Evidence documentation templates
-- Screenshot and configuration capture tools
-- Evidence matrix spreadsheet templates
-
-**Output**: Complete, organized evidence packages ready for auditor review
-
-### Phase 4: Evidence Validation & Gap Analysis
-**Objective**: Ensure evidence completeness and identify compliance gaps
-
-**Actions**:
-1. **Evidence Completeness Review**:
-   - Verify all required controls have supporting evidence
-   - Check evidence quality and relevance to controls
-   - Validate evidence covers the full audit period
-   - Confirm evidence integrity and authenticity
-
-2. **Gap Analysis**:
-   - Identify missing evidence or incomplete controls
-   - Assess control design and operating effectiveness
-   - Document exceptions and compensating controls
-   - Prioritize gaps by risk and audit impact
-
-3. **Create Evidence Documentation**:
-   - Generate evidence summary reports
-   - Create control testing worksheets
-   - Document management responses to findings
-   - Prepare evidence index and cross-references
-
-4. **File Issues for Detected Gaps**:
-   - Create GitHub issues for missing controls
-   - Document remediation plans and timelines
-   - Assign responsibility for gap closure
-   - Track progress on compliance improvements
-
-**Tools/Resources**:
-- Evidence validation checklists
-- Gap analysis templates
-- GitHub issue templates for compliance gaps
-
-**Output**: Validated evidence packages and documented remediation plans for any gaps
-
-## EVIDENCE COLLECTION COMMANDS
-
-### GitHub Evidence Collection
-```bash
-# Access management evidence
-git log --pretty=format:"%h %an %ad %s" --date=short --since="1 year ago" > access-logs.txt
-
-# Change management evidence  
-git log --oneline --since="1 year ago" --grep="security\|fix\|patch" > security-changes.txt
-
-# Code review evidence
-gh pr list --state=all --limit=1000 --json=number,title,author,reviewDecision,createdAt > pr-reviews.json
-```
-
-### System Evidence Collection
-```bash
-# Application logs (security events)
-grep -i "error\|security\|auth\|access" logs/*.log > security-events.txt
-
-# Dependency vulnerability scans
-npm audit --json > vulnerability-scan.json
-
-# Test coverage reports
-npm test -- --coverage > test-coverage.txt
-```
-
-## EVIDENCE TEMPLATES
-
-### Control Narrative Template
-```markdown
-# Control [Control ID]: [Control Title]
-
-## Control Description
-[Detailed description of how the control operates]
-
-## Control Design
-[How the control is designed to address the criteria]
-
-## Control Implementation
-[How the control is implemented in practice]
-
-## Evidence Provided
-- [Evidence item 1]: [Description and relevance]
-- [Evidence item 2]: [Description and relevance]
-
-## Testing Performed
-[Description of control testing and results]
-
-## Exceptions/Deviations
-[Any exceptions or deviations noted]
-```
-
-### Gap Analysis Template
-```markdown
-# SOC2 Compliance Gap Analysis
-
-## Control: [Control ID and Title]
-
-### Gap Description
-[Detailed description of the identified gap]
-
-### Risk Assessment
-- **Risk Level**: [High/Medium/Low]
-- **Impact**: [Description of potential impact]
-- **Likelihood**: [Assessment of likelihood]
-
-### Remediation Plan
-- **Action Required**: [Specific actions needed]
-- **Owner**: [Responsible party]
-- **Target Date**: [Completion deadline]
-- **Status**: [Current status]
-
-### Compensating Controls
-[Any existing controls that partially address the gap]
-```
-
-## SUCCESS CRITERIA
-- [ ] All applicable Trust Service Criteria have supporting evidence
-- [ ] Evidence covers the full 12-month audit period
-- [ ] Evidence is properly organized and documented for auditor review
-- [ ] All compliance gaps are identified and documented
-- [ ] Remediation plans are created for identified gaps
-- [ ] GitHub issues are filed for missing controls or evidence
-- [ ] Evidence packages are validated for completeness and quality
-
-## COMMON EVIDENCE GAPS
-
-### Frequently Missing Evidence
-1. **Vendor Management**: Third-party security assessments and contracts
-2. **Incident Response**: Documented incidents and response procedures
-3. **Business Continuity**: Disaster recovery testing and procedures
-4. **Employee Training**: Security awareness training records
-5. **Risk Assessment**: Formal risk assessments and mitigation plans
-
-### System-Specific Gaps for FRAIM
-1. **AI/ML Controls**: Model governance and data processing integrity
-2. **API Security**: Authentication and authorization controls
-3. **Data Pipeline**: Processing accuracy and completeness controls
-4. **Multi-tenant**: Data segregation and access controls
-5. **Integration**: Third-party service security assessments
-
-## FINAL ACTIONS
-
-After completing evidence collection and gap analysis, this skill will:
-
-1. **Create Evidence Documentation**:
-   - Generate complete evidence packages in `docs/compliance/soc2-evidence/`
-   - Create evidence matrix mapping controls to evidence
-   - Document control narratives and testing procedures
-
-2. **File Compliance Issues**:
-   - Create GitHub issues for each identified gap
-   - Include remediation plans and target dates
-   - Assign appropriate labels (compliance, security, priority)
-   - Link related issues and dependencies
-
-3. **Generate Audit Readiness Report**:
-   - Summarize evidence collection status
-   - Highlight any remaining gaps or risks
-   - Provide recommendations for audit preparation
-   - Create timeline for final audit preparation
-
-## NOTES
-- Evidence collection should begin at least 3 months before the audit
-- Some evidence requires continuous collection throughout the year
-- Coordinate with legal and security teams for policy documentation
-- Consider engaging a SOC2 consultant for first-time audits
-- Maintain evidence integrity through proper version control and access controls

package/dist/registry/workflows/customer-development/insight-analysis.md

@@ -1,156 +0,0 @@
-# Insight Analysis Workflow
-
-## INTENT
-To help Product Managers extract, structure, and analyze customer insights from interview notes, enabling data-driven product decisions and systematic customer relationship management.
-
-## PRINCIPLES
-- **Comprehensive Extraction**: Capture all insights from raw notes
-- **Structured Analysis**: Organize insights into actionable categories
-- **Customer Scoring**: Evaluate customer fit and prioritization
-- **Follow-up Generation**: Create personalized follow-up communications
-
-## WORKFLOW TRIGGER
-**PM explicitly starts this workflow**:
-- "Starting Insight Analysis for [Customer Name]"
-- "I want to analyze the interview with [Customer Name]"
-- "Following the insight analysis workflow"
-
-## INPUT REQUIREMENTS
-**PM provides**:
-- The `[customer-name]-interview-prep.md` file that needs to be updated
-- Raw interview notes in any format (bullet points, paragraphs, voice-to-text, etc.)
-- Brief unstructured thoughts about the interview (optional but helpful)
-
-## AI AGENT PROCESS
-
-### Step 1: Insight Extraction & Template Update
-**AI Agent Analysis Process**:
-1. **Read Existing Prep File**
-   - Load the `[customer-name]-interview-prep.md` file
-   - Understand the customer context and research from preparation phase
-   - Review the pre-filled template structure
-
-2. **Parse Raw Notes**
-   - Extract customer quotes and key statements
-   - Identify pain points and challenges
-   - Capture success and failure criteria
-   - Note feature requests and preferences
-   - **Date Handling**: If user provides relative time references (e.g., "yesterday", "today", "last Friday"), run `new Date()` to determine the actual date and use that in the analysis file
-
-3. **Create Analysis File**
-   - Create new file: `[customer-name]-interview-analysis.md`
-   - Include comprehensive analysis with customer scoring and insights
-   - Reference the prep file for context but keep files separate
-   - Include follow-up actions and next steps
-
-### Step 2: Customer Scoring & Prioritization
-**AI Agent Scoring Process**:
-1. **Customer Fit Scoring (1-10)**
-   - Target customer segment alignment
-   - Pain point severity and frequency
-   - Budget and decision-making authority
-   - Influence and referral potential
-
-2. **Urgency Assessment**
-   - Active seeking of solutions
-   - Budget allocation and timeline
-   - Competitive pressure
-   - Implementation readiness
-
-3. **Willingness to Pay**
-   - Budget authority and constraints
-   - Current spending on similar solutions
-   - Value perception and ROI understanding
-
-### Step 3: Follow-up Generation
-**AI Agent Communication Process**:
-1. **Generate Follow-up Email**
-   - Use follow-up email templates as reference
-   - Create personalized email based on interview content
-   - Include key takeaways confirmation
-   - Add specific next steps and timeline
-   - Reference customer quotes and insights
-
-2. **Follow-up Questions**
-   - Clarify any gaps in understanding
-   - Deepen insights on key topics
-   - Validate assumptions and priorities
-   - Explore referral opportunities
-
-3. **Next Steps Planning**
-   - Demo scheduling if appropriate
-   - Additional stakeholder meetings
-   - Resource sharing and education
-   - Timeline and milestone setting
-
-### Step 4: File Creation & Finalization
-**AI Agent File Management**:
-1. **Create Analysis File**
-   - Create `[customer-name]-interview-analysis.md` with comprehensive analysis
-   - Include customer scoring, insights, and follow-up actions
-   - Reference the prep file for context but keep files separate
-
-2. **Preserve Prep File**
-   - Keep `[customer-name]-interview-prep.md` unchanged
-   - Maintains clean separation between preparation and analysis
-   - Both files can be referenced independently
-
-## OUTPUT TEMPLATE
-
-### Analysis File Template
-**Template**: Retrieve via `get_fraim_file({ path: "templates/customer-development/insight-analysis-template.md" })`
-**File Location**: `docs/customer-development/[customer-name]-interview-analysis.md`
-
-**Process**:
-1. Use the insight analysis template
-2. Extract insights from raw interview notes
-3. Score customer based on fit, urgency, willingness to pay, and likelihood to buy
-4. Include direct customer quotes for authenticity
-5. Create next steps and follow-up questions
-6. Reference the original prep file for context
-7. **Generate personalized follow-up email** using follow-up email templates as reference `get_fraim_file({ path: "templates/customer-development/follow-up-email-templates.md" })` ... add this to the end of the analysis file.
-
-## EXAMPLES
-
-### Good: Insight Analysis
-```
-Input: 
-- File: ronil-dhruva-interview-prep.md
-- Raw notes: "Ronil mentioned calendar conflicts, uses Outlook, frustrated with rescheduling, would pay $50/month, concerned about AI decisions. He was really engaged and seemed to understand the problem well."
-
-AI Agent Process:
-1. Reads existing prep file with LinkedIn research
-2. Extracts insights from raw notes
-3. Creates separate analysis file: ronil-dhruva-interview-analysis.md
-4. Preserves original prep file unchanged
-5. **Generates personalized follow-up email** using follow-up email templates
-6. Creates next steps and follow-up questions
-
-Output:
-- New analysis file: ronil-dhruva-interview-analysis.md
-- Original prep file: ronil-dhruva-interview-prep.md (unchanged)
-- Customer score: 8/10 (high fit, clear pain points, enterprise budget)
-- **Personalized follow-up email** using template structure with customer-specific content
-- Next questions: "What specific hierarchy rules should AI respect?"
-```
-
-### Bad: Surface-Level Analysis
-```
-Input: 
-- File: ronil-dhruva-interview-prep.md
-- Raw notes: "Ronil interview went well"
-
-AI Agent Output:
-- Generic analysis with no specific insights
-- No customer scoring or prioritization
-- No follow-up recommendations
-- No actionable next steps
-
-Result: Lost insights, no clear next steps, wasted prep work
-```
-
-## SUCCESS METRICS
-- **Insight Extraction**: 95% of key insights captured from raw notes
-- **Customer Scoring**: Consistent scoring across all customers
-- **Follow-up Quality**: 80% of follow-up emails result in positive responses
-- **Action Clarity**: Clear next steps for every customer