UNPKG

aiwg

Version:

Cognitive architecture for AI-augmented software development with structured memory, ensemble validation, and closed-loop correction. FAIR-aligned artifacts, 84% cost reduction via human-in-the-loop, standards adopted by 100+ organizations.

aiwg.io

jmagly/aiwg

309 lines (226 loc) 8.52 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
# Creating AIWG Extensions Extensions are "expansion packs" that add domain-specific capabilities to existing frameworks. They cannot operate standalone - they require their parent framework. ## When to Create an Extension Create an extension when you need: - Compliance modules (GDPR, HIPAA, SOX, PCI-DSS) - Industry-specific adaptations (healthcare, fintech, government) - Regional/legal variations (EU, US, APAC regulations) - Specialized workflows that build on framework foundations Examples: - `hipaa` extension for `sdlc-complete` - Healthcare compliance - `ftc` extension for `media-marketing-kit` - FTC advertising guidelines - `gdpr` extension for any framework - Data protection requirements ## Extension vs Addon | Aspect | Extension | Addon | |--------|-----------|-------| | Standalone? | No - requires parent | Yes - works anywhere | | Location | `frameworks/{id}/extensions/` | `addons/` | | Manifest | Has `requires` field | No `requires` field | | Deploy | `aiwg -deploy-extension` | `aiwg -deploy-agents` | | Scope | Framework-specific | Universal | ## Quick Start ### Using CLI ```bash # Create extension structure aiwg scaffold-extension hipaa --for sdlc-complete --description "HIPAA compliance templates" # Result: # agentic/code/frameworks/sdlc-complete/extensions/hipaa/ # ├── manifest.json # ├── README.md # ├── templates/ # └── checklists/ # Add components aiwg add-template phi-handling --to sdlc-complete/extensions/hipaa --type checklist aiwg add-agent compliance-reviewer --to sdlc-complete/extensions/hipaa --template complex ``` ### Using In-Session Commands ```bash /devkit-create-extension hipaa --for sdlc-complete --interactive ``` Claude will ask about: 1. **Compliance domain**: What regulations/standards does this cover? 2. **Parent integration**: Which framework phases does this extend? 3. **Artifacts**: What checklists, templates, or agents are needed? 4. **Validation**: How will compliance be verified? ## Extension Structure ``` frameworks/sdlc-complete/extensions/hipaa/ ├── manifest.json # Package metadata with "requires" field ├── README.md # Documentation ├── agents/ # Compliance-focused agents └── phi-reviewer.md ├── commands/ # Compliance workflows └── hipaa-audit.md ├── templates/ # Compliance documents ├── phi-inventory.md ├── baa-template.md └── breach-response.md ├── checklists/ # Audit checklists ├── technical-safeguards.md ├── administrative-safeguards.md └── physical-safeguards.md └── flows/ # Extension-specific workflows (optional) └── compliance-review.md ``` ## Manifest Configuration ```json { "id": "hipaa", "type": "extension", "name": "HIPAA Compliance Extension", "version": "1.0.0", "description": "Healthcare compliance templates and checklists for SDLC", "author": "Your Name", "license": "MIT", "requires": ["sdlc-complete"], "entry": { "agents": "agents", "commands": "commands", "templates": "templates", "checklists": "checklists" }, "agents": ["phi-reviewer"], "commands": ["hipaa-audit"], "templates": ["phi-inventory", "baa-template", "breach-response"], "checklists": ["technical-safeguards", "administrative-safeguards", "physical-safeguards"] } ``` ### Key Fields | Field | Purpose | |-------|---------| | `type` | Must be `"extension"` | | `requires` | Array of parent framework IDs | | `checklists` | Extension-specific component type | ## Creating Compliance Checklists ```bash aiwg add-template security-controls --to sdlc-complete/extensions/hipaa --type checklist ``` ```markdown # HIPAA Security Controls Checklist ## Technical Safeguards (45 CFR 164.312) ### Access Control (§164.312(a)(1)) - [ ] Unique user identification implemented - [ ] Emergency access procedure documented - [ ] Automatic logoff configured - [ ] Encryption and decryption mechanisms in place ### Audit Controls (§164.312(b)) - [ ] Hardware audit mechanisms implemented - [ ] Software audit mechanisms implemented - [ ] Procedural audit mechanisms documented ### Integrity (§164.312(c)(1)) - [ ] Electronic mechanisms to corroborate data integrity - [ ] Transmission security measures in place ## Evidence | Control | Implementation | Evidence Location | |---------|---------------|-------------------| | Access Control | | | | Audit Logging | | | ``` ## Creating Compliance Templates ```bash aiwg add-template risk-assessment --to sdlc-complete/extensions/hipaa --type document ``` Document templates provide structure for compliance artifacts that integrate with parent framework workflows. ## Creating Compliance Agents ```bash aiwg add-agent compliance-auditor --to sdlc-complete/extensions/hipaa --template complex ``` Compliance agents should: 1. Reference parent framework artifacts (requirements, architecture) 2. Apply domain-specific validation rules 3. Generate compliance evidence and reports 4. Integrate with parent framework gates Example agent prompt structure: ```markdown ## Domain Expertise - HIPAA Security Rule (45 CFR 164.302-318) - HIPAA Privacy Rule (45 CFR 164.500-534) - HITECH Act requirements - OCR audit protocols ## Integration Points This agent integrates with parent SDLC framework: - **Requirements phase**: Validate PHI handling requirements - **Architecture phase**: Review security architecture for compliance - **Testing phase**: Verify security control implementation - **Deployment phase**: Validate production security posture ``` ## Integration with Parent Framework Extensions inherit and extend parent framework capabilities: ### Workflow Integration Extensions can hook into parent framework phases: ```markdown # hipaa-audit.md command --- name: hipaa-audit description: HIPAA compliance audit for current phase args: - name: phase description: SDLC phase to audit (inception, elaboration, construction, transition) required: true --- ## Process 1. Read parent framework phase artifacts from `.aiwg/` 2. Apply HIPAA-specific validation rules 3. Generate compliance report 4. Update `.aiwg/security/hipaa/` with audit results ``` ### Template Inheritance Extension templates can reference parent templates: ```markdown <!-- Extends: sdlc-complete/templates/security/threat-model-template.md --> # HIPAA Threat Model This extends the standard threat model with HIPAA-specific threats. ## Standard Threats <!-- Include base threat categories from parent --> ## PHI-Specific Threats ### Unauthorized PHI Access - Threat: Unauthorized access to Protected Health Information - HIPAA Reference: §164.312(a)(1) - Mitigation: [specific controls] ``` ## Deployment ```bash # Deploy extension to project (requires parent framework) aiwg -deploy-extension hipaa --framework sdlc-complete --target ./my-project # This copies: # - Extension agents to .claude/agents/ # - Extension commands to .claude/commands/ # - Extension templates to .aiwg/templates/hipaa/ ``` ## Validation ```bash # Validate extension structure aiwg validate sdlc-complete/extensions/hipaa --verbose # Checks: # - Parent framework exists # - "requires" field is valid # - All referenced components exist # - Extension-specific directories present ``` ## Best Practices 1. **Keep extensions focused** - One compliance domain per extension 2. **Reference parent artifacts** - Don't duplicate, extend 3. **Provide clear traceability** - Map requirements to controls to evidence 4. **Include audit checklists** - Make compliance verification actionable 5. **Document regulatory references** - Cite specific regulations/sections 6. **Version with regulations** - Update when regulations change ## Examples ### Existing Extensions - `sdlc-complete/extensions/gdpr` - GDPR data protection - `sdlc-complete/extensions/legal` - Legal review templates - `media-marketing-kit/extensions/ftc` - FTC advertising compliance ### Common Extension Patterns **Compliance Extension**: - Checklists for each control family - Templates for required documentation - Agents for automated validation - Commands for audit workflows **Industry Extension**: - Domain-specific terminology - Industry workflow variations - Regulatory requirements - Best practice templates **Regional Extension**: - Localized templates - Regional regulatory requirements - Language/cultural considerations