skillstore-cli 1.0.0

package/data/free-skills/devflow-postproject/template/workflows/transition-workflow.md

@@ -0,0 +1,72 @@
+# Post-Project Transition Workflow
+
+Complete post-project process from closure through maintenance handover.
+
+## Phase 1: Project Closure
+
+1. **Retrospective**
+   - `transition-manager` activates `retrospective` skill
+   - Conduct while team is still together
+   - Document lessons learned
+   - Create organizational improvement actions
+   - Output: Lessons learned document
+
+2. **Client Feedback**
+   - `transition-manager` activates `client-feedback` skill
+   - Collect CSAT and NPS scores
+   - Conduct structured feedback interview
+   - Identify improvement areas and upsell opportunities
+   - Output: Client satisfaction report
+
+## Phase 2: Knowledge Transfer
+
+3. **Documentation**
+   - `transition-manager` activates `handover` skill
+   - Create/update architecture documentation
+   - Write environment setup guides
+   - Document known issues and workarounds
+   - Output: Handover package
+
+4. **Knowledge Transfer Sessions**
+   - Plan KT sessions based on handover checklist
+   - Conduct sessions (architecture, code, operations, business context)
+   - Verify receiving team understanding
+   - Output: KT completion sign-off
+
+## Phase 3: Maintenance Transition
+
+5. **SLA Setup**
+   - `transition-manager` activates `maintenance-support` skill
+   - Define SLA tiers and targets
+   - Create escalation matrix
+   - Setup monitoring and alerting
+   - Output: SLA document
+
+6. **Operational Readiness**
+   - Verify maintenance team has all access
+   - Test incident response process
+   - Conduct dry-run of hotfix workflow
+   - Output: Operational readiness sign-off
+
+## Quality Gates
+
+- **After Phase 1**: Lessons learned reviewed by management
+- **After Phase 2**: Receiving team confirms documentation sufficiency
+- **After Phase 3**: First incident handled successfully by maintenance team
+
+## Error Recovery
+
+Reference: `protocols/error-recovery.md`
+
+### Common Post-Project Failures
+| Failure | Recovery |
+|---------|----------|
+| Team disbanded before KT complete | Emergency KT sessions, focus on critical systems only |
+| Client unresponsive to feedback request | Escalate, try different channel, document attempt |
+| SLA metrics not measurable | Redefine with measurable alternatives, get client sign-off |
+| Handover docs incomplete | Prioritize critical docs, schedule remaining as maintenance tasks |
+
+### Retry Limits
+- KT sessions: max 2 retries per topic (different approach each time)
+- Client outreach: max 3 attempts via different channels
+- Documentation: no retry limit (iterative improvement)

package/data/free-skills/devflow-presale/manifest.json

@@ -0,0 +1,15 @@
+{
+  "name": "@skillstore/devflow-presale",
+  "version": "1.0.0",
+  "skills": [
+    "requirement-analysis",
+    "proposal-writer",
+    "estimation",
+    "risk-assessment",
+    "solution-design",
+    "pricing-strategy"
+  ],
+  "freeSkills": ["requirement-analysis"],
+  "commands": ["presale", "presale/analyze", "presale/propose", "presale/estimate", "presale/price"],
+  "modes": ["plugin", "template"]
+}

package/data/free-skills/devflow-presale/plugin/commands/devflow.md

@@ -0,0 +1,47 @@
+---
+description: DevFlow smart router — automatically routes tasks to the right presale skill
+argument-hint: [task description]
+---
+
+## Your Mission
+
+<task>
+$ARGUMENTS
+</task>
+
+## Smart Routing
+
+Analyze the task and determine which presale skill to activate:
+
+### Route Detection
+| Keywords/Patterns | Route To |
+|-------------------|----------|
+| RFP, RFQ, RFI, requirements, scope, gaps, assumptions | `requirement-analysis` skill |
+| proposal, bid, response, technical approach, methodology | `proposal-writer` skill |
+| estimate, effort, man-days, WBS, sizing, how long | `estimation` skill |
+| risk, mitigation, contingency, what could go wrong | `risk-assessment` skill |
+| architecture, tech stack, design, integration, NFR | `solution-design` skill |
+| price, cost, rate, margin, T&M, fixed price, commercial | `pricing-strategy` skill |
+| full presale, complete cycle, end-to-end | Full orchestration (see below) |
+
+### Single Skill Route
+If task maps to one skill: activate that skill directly with the task context.
+
+### Full Orchestration
+If task requires multiple skills or is ambiguous:
+1. Start with `requirement-analysis`
+2. Feed output to `solution-design` + `estimation` (parallel if independent)
+3. Use all outputs for `risk-assessment`
+4. Combine into `proposal-writer`
+5. Finalize with `pricing-strategy`
+
+### Ambiguity Handling
+If the task doesn't clearly map to any skill:
+- Ask ONE clarifying question (not multiple)
+- Suggest the most likely skill based on context
+- Example: "This sounds like an estimation task. Should I proceed with effort estimation, or did you mean something else?"
+
+## References
+- Load `rules/development-rules.md` for quality standards
+- Follow `protocols/error-recovery.md` for failure handling
+- Follow `protocols/orchestration-protocol.md` for multi-skill coordination

package/data/free-skills/devflow-presale/plugin/commands/presale/analyze.md

@@ -0,0 +1,30 @@
+---
+description: Analyze an RFP/RFQ document — extract requirements, identify gaps, flag assumptions
+argument-hint: [rfp-document-path or paste content]
+---
+
+## Your Mission
+
+Analyze the following RFP/RFQ and produce a structured requirement analysis:
+
+<input>
+$ARGUMENTS
+</input>
+
+## Process
+
+1. Activate the `requirement-analysis` skill
+2. If a file path is provided, read the document
+3. If content is pasted, process it directly
+4. Follow the skill's extraction framework
+5. Produce the deliverable using the output template
+
+## Output
+
+Deliver a complete requirement analysis including:
+- Executive summary
+- Requirements matrix (functional + non-functional)
+- Gap analysis
+- Assumption register
+- Questions for client
+- Risk flags

package/data/free-skills/devflow-presale/plugin/commands/presale/estimate.md

@@ -0,0 +1,30 @@
+---
+description: Estimate effort for a project scope
+argument-hint: [scope description or requirements doc]
+---
+
+## Your Mission
+
+Estimate effort for:
+
+<scope>
+$ARGUMENTS
+</scope>
+
+## Process
+
+1. Activate the `estimation` skill
+2. Decompose scope into WBS
+3. Apply 3-point estimation per work package
+4. Calculate buffers based on risk level
+5. Produce the estimation deliverable
+
+## Output
+
+Deliver a complete estimation including:
+- Work Breakdown Structure
+- 3-point estimates per module/component
+- Buffer calculation (risk-based + management reserve)
+- Total effort in man-days
+- Team composition recommendation
+- Confidence level assessment

package/data/free-skills/devflow-presale/plugin/commands/presale/price.md

@@ -0,0 +1,30 @@
+---
+description: Calculate pricing for a project
+argument-hint: [project-name or estimation reference]
+---
+
+## Your Mission
+
+Calculate pricing for:
+
+<project>
+$ARGUMENTS
+</project>
+
+## Process
+
+1. Activate the `pricing-strategy` skill
+2. Review estimation data (if available)
+3. Build cost baseline
+4. Generate pricing options (T&M, Fixed Price, Hybrid)
+5. Perform margin analysis
+6. Recommend optimal pricing model
+
+## Output
+
+Deliver a complete pricing analysis including:
+- Cost breakdown
+- 2-3 pricing model options with pros/cons
+- Margin analysis per model
+- Recommended pricing with justification
+- Sensitivity analysis (key variables)

package/data/free-skills/devflow-presale/plugin/commands/presale/propose.md

@@ -0,0 +1,30 @@
+---
+description: Create a technical proposal for a project
+argument-hint: [project-name or context]
+---
+
+## Your Mission
+
+Create a technical proposal for:
+
+<project>
+$ARGUMENTS
+</project>
+
+## Process
+
+1. Activate the `proposal-writer` skill
+2. Review available context (requirements analysis, solution design, estimation)
+3. If prerequisite analyses don't exist, recommend running them first
+4. Follow the skill's proposal structure
+5. Apply writing guidelines for quality
+
+## Output
+
+Deliver a complete technical proposal including:
+- Executive summary
+- Technical approach
+- Methodology
+- Team structure
+- Project timeline
+- Risk management summary

package/data/free-skills/devflow-presale/plugin/commands/presale.md

@@ -0,0 +1,42 @@
+---
+description: Presale workflow orchestrator — analyze RFPs, write proposals, estimate effort, and price projects
+argument-hint: [task description]
+---
+
+## Your Mission
+
+<task>
+$ARGUMENTS
+</task>
+
+## Workflow
+
+Analyze the task and route to the appropriate presale skill:
+
+1. **Understand the request** — What presale activity is needed?
+2. **Route to skill** — Based on the task:
+   - RFP/RFQ analysis → Activate `requirement-analysis` skill
+   - Proposal writing → Activate `proposal-writer` skill
+   - Effort estimation → Activate `estimation` skill
+   - Risk evaluation → Activate `risk-assessment` skill
+   - Architecture/tech → Activate `solution-design` skill
+   - Pricing/commercials → Activate `pricing-strategy` skill
+3. **Orchestrate if needed** — For full presale cycle:
+   - Start with requirement-analysis
+   - Feed output to solution-design + estimation (parallel)
+   - Use all outputs for risk-assessment
+   - Combine into proposal-writer
+   - Finalize with pricing-strategy
+
+## Sub-commands
+
+- `/presale:analyze [rfp-doc]` — Analyze a specific RFP document
+- `/presale:propose [project]` — Create a technical proposal
+- `/presale:estimate [scope]` — Estimate effort for given scope
+- `/presale:price [project]` — Calculate pricing
+
+## Important
+
+- Always ask for clarification if the RFP/scope is ambiguous
+- Reference existing project context when available
+- Produce actionable deliverables, not theoretical advice

package/data/free-skills/devflow-presale/plugin/skills/requirement-analysis/SKILL.md

@@ -0,0 +1,63 @@
+---
+name: requirement-analysis
+description: Analyze RFP/RFQ, extract requirements, identify gaps and assumptions for ITO presale
+---
+
+# Requirement Analysis
+
+Analyze client RFP/RFQ documents, extract structured requirements, detect gaps and record assumptions — output feeds into estimation, proposal and solution design.
+
+## When to Use
+
+- Received a new RFP/RFQ/RFI from a client that needs analysis
+- Need to convert free-form scope descriptions into structured requirement lists
+- Need to identify ambiguities, gaps, or assumptions before estimation
+- Preparing clarification questions to send to the client before deadline
+
+## Process
+
+### 1. Document Intake
+- Read the entire RFP/RFQ, identify format (PDF, Word, email thread, slide deck)
+- Extract metadata: project name, client, industry, submission deadline, budget range (if available)
+- Identify key sections: scope, technical requirements, commercial terms, evaluation criteria
+
+### 2. Requirement Extraction
+- Classify into Functional Requirements (FR) and Non-Functional Requirements (NFR)
+- For each requirement: assign ID, description, module/area, priority (MoSCoW), complexity
+- Identify implicit requirements (those not explicitly stated but understood in the industry)
+- See details: [references/extraction-framework.md](references/extraction-framework.md)
+
+### 3. Gap Analysis
+- Compare requirements against provided information — flag missing items
+- Identify technical gaps: unclear integration points, data migration scope, infrastructure ownership
+- Identify business gaps: undefined user roles, undefined workflows, missing compliance requirements
+- Classify gaps by impact level: Critical (blocks estimation) / Major (affects scope) / Minor (clarify later)
+
+### 4. Assumption Identification
+- For each gap, propose reasonable assumptions based on industry standards and experience
+- Tag risk level for each assumption: High / Medium / Low
+- Document assumption source: industry practice, similar past project, or logical inference
+
+### 5. Output Generation
+- Create deliverable using standard template: [references/output-template.md](references/output-template.md)
+- Include: Executive Summary, Requirements Matrix, Gap Analysis Table, Assumption Register, Questions for Client
+- See sample output: [assets/sample-output.md](assets/sample-output.md)
+
+## Output Format
+
+Create a Markdown file in `docs/presale/` named: `{project-name}-requirement-analysis.md`
+
+Required sections:
+1. **Executive Summary** — 3-5 sentence summary of scope, complexity, key concerns
+2. **Requirements Matrix** — FR/NFR table with ID, description, priority, complexity
+3. **Gap Analysis** — List of gaps classified by severity
+4. **Assumption Register** — Assumptions with risk level and rationale
+5. **Client Questions** — Clarification questions sorted by priority
+
+## Tips
+
+- Read evaluation criteria BEFORE analyzing requirements — they reveal the client's true priorities
+- Note "shall" vs "should" vs "may" in RFPs — they indicate different levels of obligation
+- If the RFP requires compliance (HIPAA, PCI-DSS, SOC2), flag immediately — significant effort impact
+- Integration requirements are often understated — always ask about API availability and documentation
+- When an RFP says "as per industry standards", RECORD A SPECIFIC ASSUMPTION about which standard applies

package/data/free-skills/devflow-presale/plugin/skills/requirement-analysis/assets/sample-output.md

@@ -0,0 +1,129 @@
+# Healthcare Patient Portal — Requirement Analysis
+
+## Executive Summary
+
+**Project:** MedConnect Patient Portal
+**Client:** HealthFirst Medical Group
+**Industry:** Healthcare
+**Analysis Date:** 2026-03-15
+**Source Documents:** RFP v2.1 (dated 01/03/2026), Appendix A — Technical Requirements, Appendix B — Compliance Requirements
+
+### Summary
+HealthFirst requires building a Patient Portal that allows patients to book appointments, view test results, message doctors, and make online payments. The system needs to integrate with the existing EHR (Epic) and a payment gateway. The scope is medium-high with the main complexity factors being HIPAA compliance and Epic integration. The requested 6-month timeline is tight but feasible if scope is confirmed early.
+
+### Key Highlights
+- **Total FR:** 34 | **Total NFR:** 12
+- **Gaps identified:** 8 (Critical: 2, Major: 4, Minor: 2)
+- **Assumptions:** 11 (High-risk: 3)
+- **Questions requiring clarification:** 10 — 3 blocking estimation
+
+### Preliminary Assessment
+- **Complexity:** High
+- **Estimation confidence:** Medium (2 critical gaps need clarification)
+- **Key risks:** Epic EHR integration complexity, HIPAA compliance audit process, data migration from legacy portal
+
+---
+
+## Requirements Matrix
+
+### Functional Requirements
+
+| ID | Module | Requirement | Priority | Complexity | Notes |
+|----|--------|------------|----------|------------|-------|
+| FR-001 | Auth | Patient registration with identity verification | Must | Medium | KYC flow needs clarification |
+| FR-002 | Auth | SSO with existing hospital staff portal | Must | High | SAML 2.0 assumed |
+| FR-003 | Auth | MFA for all patient accounts | Must | Low | HIPAA requirement |
+| FR-004 | Scheduling | Book/reschedule/cancel appointments | Must | Medium | |
+| FR-005 | Scheduling | View doctor availability in real-time | Must | High | Depends on Epic calendar API |
+| FR-006 | Scheduling | Automated appointment reminders (email + SMS) | Should | Low | |
+| FR-007 | Records | View lab results and diagnostic reports | Must | High | Epic integration — see GAP-001 |
+| FR-008 | Records | Download medical records as PDF | Must | Medium | PHI handling |
+| FR-009 | Records | View medication history and prescriptions | Must | Medium | Epic integration |
+| FR-010 | Messaging | Secure messaging with care team | Must | High | HIPAA-compliant, encrypted |
+| FR-011 | Messaging | File attachment in messages (images, documents) | Should | Medium | Size limit unclear — GAP-005 |
+| FR-012 | Payments | View and pay outstanding bills | Must | High | Payment gateway TBD — GAP-002 |
+| FR-013 | Payments | Payment plan setup for large bills | Should | Medium | Business rules unclear |
+| FR-014 | Payments | Insurance claim status tracking | Could | High | Integration scope unknown |
+| FR-015 | Admin | Care team management dashboard | Must | Medium | |
+| FR-016 | Admin | Patient analytics and engagement reports | Should | Medium | KPIs not defined — GAP-006 |
+| FR-017 | Migration | Migrate patient accounts from legacy portal | Must | High | Volume unknown — GAP-004 |
+
+### Non-Functional Requirements
+
+| ID | Category | Requirement | Priority | Impact | Notes |
+|----|----------|------------|----------|--------|-------|
+| NFR-001 | Compliance | HIPAA compliance (PHI protection) | Must | High | Audit + BAA required |
+| NFR-002 | Security | End-to-end encryption for messaging | Must | High | At rest + in transit |
+| NFR-003 | Security | SOC 2 Type II certification | Must | High | Affects hosting choice |
+| NFR-004 | Performance | Page load < 2s, API response < 500ms | Must | Medium | |
+| NFR-005 | Availability | 99.95% uptime SLA | Must | High | Requires HA architecture |
+| NFR-006 | Scalability | Support 50,000 concurrent patients | Should | High | Peak during flu season |
+| NFR-007 | Accessibility | WCAG 2.1 AA compliance | Must | Medium | ADA requirement for healthcare |
+| NFR-008 | Compatibility | iOS 15+, Android 12+, Chrome/Safari/Edge latest 2 versions | Must | Low | |
+| NFR-009 | Data Retention | Medical records retained 7 years minimum | Must | Medium | State regulation |
+| NFR-010 | Performance | Support 500 concurrent video calls | Could | High | Telehealth mentioned briefly |
+
+---
+
+## Gap Analysis
+
+| ID | Related Req | Gap Description | Severity | Impact on Estimation | Suggested Action |
+|----|------------|----------------|----------|---------------------|-----------------|
+| GAP-001 | FR-007, FR-009 | Epic EHR API documentation not provided. FHIR R4 or proprietary API unclear | Critical | Cannot estimate integration — could be 40-120 man-days variance | Request Epic API docs and sandbox access |
+| GAP-002 | FR-012 | Payment gateway not specified. PCI-DSS scope depends on gateway choice | Critical | 15-40 man-days variance depending on Stripe/custom integration | Client to confirm preferred payment provider |
+| GAP-003 | NFR-010 | Telehealth/video call mentioned once in RFP but no detailed requirements | Major | Could add 80+ man-days if in scope for Phase 1 | Confirm if telehealth is Phase 1 or future |
+| GAP-004 | FR-017 | Data migration volume and source system structure not specified | Major | 10-30 man-days variance | Request legacy DB schema and record counts |
+| GAP-005 | FR-011 | File attachment size limits and allowed types not defined | Minor | Minimal impact | Assume max 10MB, common formats |
+| GAP-006 | FR-016 | Patient engagement KPIs and report definitions not provided | Major | 5-15 man-days variance | Request specific metrics and report mockups |
+| GAP-007 | NFR-003 | SOC 2 Type II — is existing certification needed or new certification? | Major | New certification adds 3-6 months + audit cost | Clarify if client has existing SOC 2 or needs new |
+| GAP-008 | FR-006 | SMS provider preference not stated | Minor | Minimal | Assume Twilio, confirm later |
+
+---
+
+## Assumption Register
+
+| ID | Related Gap | Assumption | Risk Level | Rationale | Impact if Wrong |
+|----|-----------|-----------|------------|-----------|----------------|
+| ASM-001 | GAP-001 | Epic provides FHIR R4 compliant API with documented endpoints | High | FHIR R4 is current Epic standard | Proprietary API adds 60+ man-days and Epic consultant cost |
+| ASM-002 | GAP-002 | Stripe will be used as payment gateway with standard integration | Medium | Most common choice for healthcare portals | Custom gateway adds 15-20 man-days |
+| ASM-003 | GAP-003 | Telehealth is NOT in Phase 1 scope — planned for Phase 2 | High | Only mentioned once, no detailed requirements | +80 man-days and Twilio Video / similar cost |
+| ASM-004 | GAP-004 | Legacy portal has < 100,000 patient records, standard relational DB | High | Typical for regional medical group | >1M records or NoSQL source adds significant ETL effort |
+| ASM-005 | GAP-005 | File attachments: max 10MB, formats — JPG, PNG, PDF, DOCX | Low | Industry standard for patient portals | Minimal impact |
+| ASM-006 | — | Client provides HIPAA-compliant hosting (AWS GovCloud or Azure Healthcare) | Medium | RFP mentions cloud but not specific provider | If on-prem, architecture changes significantly |
+| ASM-007 | — | Client handles BAA (Business Associate Agreement) with hosting provider | Medium | Standard client responsibility | If vendor must arrange, adds procurement timeline |
+| ASM-008 | GAP-008 | Twilio for SMS delivery | Low | Market leader, HIPAA-eligible | Minimal — swap SMS provider is straightforward |
+| ASM-009 | — | English-only interface for Phase 1 | Medium | RFP doesn't mention i18n | Multi-language adds 15-20% to frontend effort |
+| ASM-010 | — | Standard CI/CD pipeline, client provides deployment credentials | Low | Standard outsourcing arrangement | If restricted deployment process, adds coordination overhead |
+| ASM-011 | GAP-007 | Client has existing SOC 2 Type II; vendor must comply, not obtain new cert | Medium | More common for established medical groups | New certification is 3-6 month process |
+
+---
+
+## Risk Flags
+
+| # | Risk | Source | Likelihood | Impact | Mitigation |
+|---|------|--------|-----------|--------|------------|
+| 1 | Epic integration complexity underestimated | GAP-001, FR-007 | High | High | Request API docs immediately, plan 2-week PoC sprint |
+| 2 | HIPAA compliance scope creep | NFR-001, NFR-002 | Medium | High | Engage compliance consultant early, define audit scope |
+| 3 | 6-month timeline tight for scope | RFP Section 6 | High | Medium | Propose phased delivery, telehealth in Phase 2 |
+| 4 | Data migration delays go-live | FR-017, GAP-004 | Medium | Medium | Start migration analysis in Sprint 1, parallel track |
+| 5 | Payment PCI-DSS scope unclear | GAP-002, FR-012 | Medium | Medium | Use tokenized gateway (Stripe) to minimize PCI scope |
+
+---
+
+## Questions for Client
+
+### Critical (Blocking Estimation)
+1. **[GAP-001]** Could you provide Epic EHR API documentation and sandbox access? We need to understand available FHIR R4 endpoints, authentication flow, and rate limits to estimate the integration accurately.
+2. **[GAP-002]** What is your preferred payment gateway (Stripe, Braintree, custom)? This determines PCI-DSS scope and integration effort.
+3. **[GAP-004]** How many patient records need to be migrated from the legacy portal? What database system is currently used? Can you share the schema?
+
+### Important (Affects Scope)
+4. **[GAP-003]** The RFP mentions telehealth briefly (Section 3.7). Is video consultation in scope for Phase 1 or planned for a later phase? This represents approximately 80+ man-days of additional effort.
+5. **[GAP-007]** Does HealthFirst currently hold SOC 2 Type II certification? Do you expect the vendor to obtain separate certification or comply under your existing framework?
+6. **[GAP-006]** What specific patient engagement KPIs should the analytics dashboard track? Are there existing report templates or mockups we can reference?
+7. **[NFR-006]** The 50,000 concurrent patient target — is this a current peak or projected growth? Over what timeframe?
+
+### Nice to Know (Improves Accuracy)
+8. **[ASM-009]** Is the portal English-only or will multi-language support be needed? If so, which languages and by when?
+9. **[ASM-006]** What is the preferred cloud provider and hosting model? Is a HIPAA-eligible environment (AWS GovCloud, Azure Healthcare) already provisioned?
+10. **[GAP-008]** Do you have a preferred SMS provider for appointment reminders, or are we free to recommend?

package/data/free-skills/devflow-presale/plugin/skills/requirement-analysis/references/extraction-framework.md

@@ -0,0 +1,140 @@
+# Extraction Framework — Extracting Requirements from RFP/RFQ
+
+## Functional Requirements (FR) Extraction Patterns
+
+### How to identify FR in documents
+- Sentences with action verbs: "The system shall...", "Users must be able to...", "The platform should support..."
+- Implicit use cases or user stories: "Customers can track their orders..."
+- Business rules: "Discount applies when order exceeds $500"
+- Workflow descriptions: "After approval, the request moves to..."
+
+### FR classification checklist by module
+- **User Management**: Registration, authentication, authorization, roles, profiles
+- **Core Business Logic**: Main system workflow, business rules, calculations
+- **Data Management**: CRUD operations, search, filtering, import/export, bulk operations
+- **Reporting & Analytics**: Dashboards, reports, data visualization, export formats
+- **Communication**: Notifications (email, SMS, push), alerts, messaging
+- **Integration**: Third-party APIs, SSO, payment gateways, external data sources
+- **Content Management**: CMS, media upload, document management, templates
+- **Administration**: System config, audit logs, feature toggles, tenant management
+
+## Non-Functional Requirements (NFR) Checklist
+
+### Performance
+- [ ] Response time targets (page load < 3s, API < 500ms)
+- [ ] Concurrent users (peak load, normal load)
+- [ ] Transaction throughput (TPS)
+- [ ] Data volume expectations (records, storage)
+- [ ] Batch processing windows
+
+### Security
+- [ ] Authentication method (SSO, MFA, OAuth2)
+- [ ] Authorization model (RBAC, ABAC)
+- [ ] Data encryption (at rest, in transit)
+- [ ] Audit logging requirements
+- [ ] Penetration testing requirements
+- [ ] Data residency / sovereignty
+
+### Scalability
+- [ ] Growth projections (users, data, transactions)
+- [ ] Horizontal vs vertical scaling expectations
+- [ ] Multi-region / multi-tenant requirements
+- [ ] Auto-scaling requirements
+
+### Compliance & Regulatory
+- [ ] Industry-specific (HIPAA, PCI-DSS, SOX, GDPR)
+- [ ] Accessibility (WCAG 2.1 AA/AAA)
+- [ ] Data retention policies
+- [ ] Right to deletion / data portability
+- [ ] Audit trail requirements
+
+### Availability & Reliability
+- [ ] SLA targets (99.9%, 99.95%, 99.99%)
+- [ ] RPO / RTO requirements
+- [ ] Disaster recovery expectations
+- [ ] Maintenance windows
+- [ ] Failover requirements
+
+### Compatibility
+- [ ] Browser support matrix
+- [ ] Mobile platforms (iOS, Android, responsive web)
+- [ ] OS requirements
+- [ ] Network conditions (low bandwidth, offline mode)
+
+## Stakeholder Identification Matrix
+
+| Stakeholder Type | Commonly found in RFP | Questions to clarify |
+|-----------------|----------------------|---------------------|
+| **Decision Maker** | CTO, VP Engineering, Product Owner | Budget authority? Evaluation criteria weights? |
+| **End User** | Operators, agents, customers | Skill level? Training plan? Current tools? |
+| **Technical Gatekeeper** | Enterprise Architect, Security team | Integration standards? Security review process? |
+| **Business Owner** | Department head, Business analyst | Success metrics? KPIs? Current pain points? |
+| **Compliance Officer** | Legal, DPO, Audit team | Specific compliance frameworks? Audit frequency? |
+| **Operations** | DevOps, SRE, Support team | Deployment model? Monitoring requirements? SLA expectations? |
+
+## Requirement Prioritization — MoSCoW
+
+### Must Have (M)
+- Explicitly stated in mandatory requirements section
+- Related to compliance / regulatory
+- Core business workflow that cannot operate without it
+- Listed in evaluation criteria with high weight
+
+### Should Have (S)
+- Mentioned but not in mandatory section
+- Adds significant value to the solution
+- Can be delivered in phase 1 with reasonable effort
+
+### Could Have (C)
+- Nice-to-have features mentioned
+- Enhancements on core functionality
+- Can be planned for phase 2
+
+### Won't Have (W) — this time
+- Clearly out of scope
+- Features too complex for the timeline
+- Requires a separate phase to address
+
+## Gap Detection Techniques
+
+### 1. Completeness Check
+- For each FR, verify: input → process → output — is it all defined?
+- For each integration, verify: source → protocol → format → frequency → error handling
+
+### 2. Consistency Check
+- Compare requirements across sections — are there contradictions?
+- Timeline vs scope — is it realistic?
+- Budget range (if known) vs scope complexity
+
+### 3. Boundary Analysis
+- Define data migration scope: "migrate existing data" = migrate what? how much? transform?
+- "Support multiple languages" = how many languages? RTL? Dynamic content?
+- "High availability" = specifically what % uptime?
+
+### 4. Negative Testing
+- Ask "What happens when...?" for each main workflow
+- Error handling, edge cases, exception flows are often missing from RFPs
+
+## Assumption Documentation Template
+
+For each assumption, record:
+
+```
+ID: ASM-{number}
+Related Gap: GAP-{number}
+Assumption: [Description of the assumption]
+Rationale: [Why this assumption is reasonable]
+Risk if Wrong: [Impact if the assumption is incorrect]
+Risk Level: High / Medium / Low
+Validation: [How to confirm — ask client / PoC / research]
+```
+
+## Cross-Reference Validation
+
+### Checklist before finalizing
+- [ ] Each FR has at least 1 related NFR (performance, security)
+- [ ] Each integration point has protocol, authentication, data format defined or assumed
+- [ ] Each user role has a permission matrix or assumption about access level
+- [ ] Timeline milestones align with dependencies between modules
+- [ ] Compliance requirements are mapped to specific FR/NFR
+- [ ] All acronyms and domain terms are defined or clarification requested