jabrena · jabrena · Jun 14, 2026 · Jun 14, 2026
@@ -0,0 +1,62 @@
+# eu-cyber-resilience-act-regulation-skill-reference Specification
+
+## Purpose
+TBD - created by archiving change add-eu-cyber-resilience-act-regulation-skill. Update Purpose after archive.
+## Requirements
+### Requirement: Cyber Resilience Act regulation skill
+
+The repository MUST define `805-regulations-eu-cyber-resilience-act` as the EU Cyber Resilience Act skill for Java enterprise engineering review.
+
+#### Scenario: Cyber Resilience Act skill identifier is standardized
+
+- **GIVEN** maintainers implement Cyber Resilience Act guidance in generator sources
+- **WHEN** they create or reference the skill in XML, inventories, OpenSpec artifacts, or generated local skill output
+- **THEN** the identifier is `805-regulations-eu-cyber-resilience-act`
+- **AND** the official source reference is `https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847`
+
+#### Scenario: Cyber Resilience Act scope maps product-security concerns to engineering controls
+
+- **GIVEN** a user asks to review a Java enterprise system or product for Cyber Resilience Act concerns
+- **WHEN** the `805-regulations-eu-cyber-resilience-act` skill is applied
+- **THEN** the guidance frames findings as engineering controls rather than legal advice
+- **AND** it addresses secure-by-design controls, threat modeling, secure defaults, vulnerability management, coordinated disclosure, security update mechanisms, dependency and SBOM evidence, cryptography, authentication and authorization, sensitive-data-safe logging, product security documentation, end-of-support signaling, and release readiness
+- **AND** it recommends escalation to legal, compliance, product, security, risk, or executive accountability owners for product classification, economic-operator role, conformity assessment, CE marking implications, and regulatory interpretation
+
+### Requirement: Relationship to other regulation skills
+
+The Cyber Resilience Act skill MUST complement existing and planned regulation skills without changing their workflows.
+
+#### Scenario: Select CRA for product-security concerns
+
+- **GIVEN** a Java enterprise system may involve AI, privacy, resilience, product security, platform, data, and cybersecurity concerns
+- **WHEN** an agent chooses regulation guidance
+- **THEN** `804-regulations-eu-nis2` is used for EU cybersecurity risk-management and critical-sector concerns
+- **AND** `805-regulations-eu-cyber-resilience-act` is used for products with digital elements, secure-by-design, vulnerability handling, coordinated disclosure, security updates, product security documentation, or SBOM evidence concerns
+- **AND** multiple regulation skills may be used together when the same Java system crosses those concern boundaries
+
+### Requirement: Generator registration
+
+The Cyber Resilience Act skill source MUST be registered in the generator inventory so local skill generation emits it.
+
+#### Scenario: Register Cyber Resilience Act regulation skill
+
+- **WHEN** `skills-generator/src/main/resources/skills.xml` is inspected
+- **THEN** skill id `805` registers reference `805-regulations-eu-cyber-resilience-act`
+
+#### Scenario: Generate local Cyber Resilience Act skill
+
+- **WHEN** `./mvnw clean install -pl skills-generator` is run
+- **THEN** generated local skill output includes `.agents/skills/805-regulations-eu-cyber-resilience-act/SKILL.md`
+- **AND** generated references contain no unresolved include markers or broken local reference paths
+
+### Requirement: Source and generated-output boundaries
+
+The implementation MUST edit XML sources and validate generated local skill output without directly editing generated legacy or release outputs.
+
+#### Scenario: Preserve generated-output ownership
+
+- **WHEN** implementation files are reviewed
+- **THEN** `.cursor/rules/` is not edited directly
+- **AND** public `skills/` release output is not edited manually
+- **AND** public `skills/` is refreshed only through the release profile when release output is intentionally in scope
+
@@ -0,0 +1,62 @@
+# eu-data-act-regulation-skill-reference Specification
+
+## Purpose
+TBD - created by archiving change add-eu-data-act-regulation-skill. Update Purpose after archive.
+## Requirements
+### Requirement: Data Act regulation skill
+
+The repository MUST define `806-regulations-eu-data-act` as the EU Data Act skill for Java enterprise engineering review.
+
+#### Scenario: Data Act skill identifier is standardized
+
+- **GIVEN** maintainers implement Data Act guidance in generator sources
+- **WHEN** they create or reference the skill in XML, inventories, OpenSpec artifacts, or generated local skill output
+- **THEN** the identifier is `806-regulations-eu-data-act`
+- **AND** the official source reference is `https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023R2854`
+
+#### Scenario: Data Act scope maps data access and portability concerns to engineering controls
+
+- **GIVEN** a user asks to review a Java enterprise system for Data Act concerns
+- **WHEN** the `806-regulations-eu-data-act` skill is applied
+- **THEN** the guidance frames findings as engineering controls rather than legal advice
+- **AND** it addresses data inventory, access authorization, portability APIs, export formats, interoperability, metadata, audit logs, cloud-switching support, non-personal data safeguards, trade-secret or sensitive-data handoff, data-sharing request workflows, contract evidence, and operational controls for data access requests
+- **AND** it recommends escalation to legal, compliance, privacy, data governance, security, product, or risk owners for data-holder status, user entitlement, contract interpretation, trade-secret disclosure boundaries, international access restrictions, and regulatory interpretation
+
+### Requirement: Relationship to other regulation skills
+
+The Data Act skill MUST complement existing and planned regulation skills without changing their workflows.
+
+#### Scenario: Select Data Act for data access and portability concerns
+
+- **GIVEN** a Java enterprise system may involve AI, privacy, non-personal data, cloud, platform, cybersecurity, and resilience concerns
+- **WHEN** an agent chooses regulation guidance
+- **THEN** `803-regulations-gdpr` is used for EU personal-data processing and privacy controls
+- **AND** `806-regulations-eu-data-act` is used for EU data access, data sharing, data portability, interoperability, cloud switching, and non-personal data governance concerns
+- **AND** multiple regulation skills may be used together when the same Java system crosses those concern boundaries
+
+### Requirement: Generator registration
+
+The Data Act skill source MUST be registered in the generator inventory so local skill generation emits it.
+
+#### Scenario: Register Data Act regulation skill
+
+- **WHEN** `skills-generator/src/main/resources/skills.xml` is inspected
+- **THEN** skill id `806` registers reference `806-regulations-eu-data-act`
+
+#### Scenario: Generate local Data Act skill
+
+- **WHEN** `./mvnw clean install -pl skills-generator` is run
+- **THEN** generated local skill output includes `.agents/skills/806-regulations-eu-data-act/SKILL.md`
+- **AND** generated references contain no unresolved include markers or broken local reference paths
+
+### Requirement: Source and generated-output boundaries
+
+The implementation MUST edit XML sources and validate generated local skill output without directly editing generated legacy or release outputs.
+
+#### Scenario: Preserve generated-output ownership
+
+- **WHEN** implementation files are reviewed
+- **THEN** `.cursor/rules/` is not edited directly
+- **AND** public `skills/` release output is not edited manually
+- **AND** public `skills/` is refreshed only through the release profile when release output is intentionally in scope
+
@@ -0,0 +1,64 @@
+# eu-digital-markets-act-regulation-skill-reference Specification
+
+## Purpose
+TBD - created by archiving change add-eu-digital-markets-act-regulation-skill. Update Purpose after archive.
+## Requirements
+### Requirement: Digital Markets Act regulation skill
+
+The repository MUST define `808-regulations-eu-digital-markets-act` as the EU Digital Markets Act skill for Java enterprise engineering review.
+
+#### Scenario: Digital Markets Act skill identifier is standardized
+
+- **GIVEN** maintainers implement Digital Markets Act guidance in generator sources
+- **WHEN** they create or reference the skill in XML, inventories, OpenSpec artifacts, or generated local skill output
+- **THEN** the identifier is `808-regulations-eu-digital-markets-act`
+- **AND** the official source reference is `https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R1925`
+
+#### Scenario: Digital Markets Act scope maps gatekeeper-platform concerns to engineering controls
+
+- **GIVEN** a user asks to review a Java enterprise system for Digital Markets Act concerns
+- **WHEN** the `808-regulations-eu-digital-markets-act` skill is applied
+- **THEN** the guidance frames findings as engineering controls rather than legal advice
+- **AND** it addresses interoperability interfaces, data access APIs, consent and preference evidence, ranking and self-preferencing audit signals, business-user export workflows, anti-circumvention guardrails, access control, observability, change control, documentation, and compliance evidence handoff
+- **AND** it recommends escalation to legal, compliance, platform governance, product, privacy, security, or risk owners for gatekeeper designation, core-platform-service classification, obligation applicability, self-preferencing determinations, and regulatory interpretation
+
+### Requirement: Relationship to other regulation skills
+
+The Digital Markets Act skill MUST complement existing and planned regulation skills without changing their workflows.
+
+#### Scenario: Select DMA for gatekeeper-platform concerns
+
+- **GIVEN** a Java enterprise system may involve AI, privacy, platform, marketplace, advertising, data access, and interoperability concerns
+- **WHEN** an agent chooses regulation guidance
+- **THEN** `803-regulations-gdpr` is used for EU personal-data processing and privacy controls
+- **AND** `806-regulations-eu-data-act` is used for EU data access and portability concerns
+- **AND** `807-regulations-eu-digital-services-act` is used for online-platform, content-moderation, recommender, advertising, and transparency concerns
+- **AND** `808-regulations-eu-digital-markets-act` is used for gatekeeper-platform, core-platform-service, interoperability, business-user access, consent-dependent data combination, self-preferencing, and platform-control concerns
+- **AND** multiple regulation skills may be used together when the same Java system crosses those concern boundaries
+
+### Requirement: Generator registration
+
+The Digital Markets Act skill source MUST be registered in the generator inventory so local skill generation emits it.
+
+#### Scenario: Register Digital Markets Act regulation skill
+
+- **WHEN** `skills-generator/src/main/resources/skills.xml` is inspected
+- **THEN** skill id `808` registers reference `808-regulations-eu-digital-markets-act`
+
+#### Scenario: Generate local Digital Markets Act skill
+
+- **WHEN** `./mvnw clean install -pl skills-generator` is run
+- **THEN** generated local skill output includes `.agents/skills/808-regulations-eu-digital-markets-act/SKILL.md`
+- **AND** generated references contain no unresolved include markers or broken local reference paths
+
+### Requirement: Source and generated-output boundaries
+
+The implementation MUST edit XML sources and validate generated local skill output without directly editing generated legacy or release outputs.
+
+#### Scenario: Preserve generated-output ownership
+
+- **WHEN** implementation files are reviewed
+- **THEN** `.cursor/rules/` is not edited directly
+- **AND** public `skills/` release output is not edited manually
+- **AND** public `skills/` is refreshed only through the release profile when release output is intentionally in scope
+
@@ -0,0 +1,74 @@
+# eu-digital-omnibus-regulation-skill-reference Specification
+
+## Purpose
+TBD - created by archiving change add-eu-digital-omnibus-regulation-skill. Update Purpose after archive.
+## Requirements
+### Requirement: Digital Omnibus regulation skill
+
+The repository MUST define `809-regulations-eu-digital-omnibus` as the EU Digital Omnibus simplification-impact skill for Java enterprise engineering review.
+
+#### Scenario: Digital Omnibus skill identifier is standardized
+
+- **GIVEN** maintainers implement Digital Omnibus guidance in generator sources
+- **WHEN** they create or reference the skill in XML, inventories, OpenSpec artifacts, or generated local skill output
+- **THEN** the identifier is `809-regulations-eu-digital-omnibus`
+- **AND** source references include `https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en` and `https://digital-strategy.ec.europa.eu/en/policies/digital-rulebook`
+
+#### Scenario: Digital Omnibus scope maps simplification impacts to engineering controls
+
+- **GIVEN** a user asks to review a Java enterprise system for Digital Omnibus impacts
+- **WHEN** the `809-regulations-eu-digital-omnibus` skill is applied
+- **THEN** the guidance frames findings as proposal-stage simplification impacts and engineering controls rather than legal advice
+- **AND** it addresses source-status checks, affected-regulation mapping, evidence inventory updates, change-control impacts, questionnaire or report-template update candidates, incident-reporting workflow consolidation, data-rights workflow impacts, AI governance timeline changes, compatibility with existing regulation skills, and escalation when proposal-stage language is ambiguous
+- **AND** it recommends escalation to legal, compliance, privacy, security, risk, resilience, data-governance, or AI governance owners for legislative-status assessment, applicability, interpretation, and adoption decisions
+
+### Requirement: Proposal-stage safeguards
+
+The Digital Omnibus skill MUST prevent proposal-stage material from being treated as final settled regulation.
+
+#### Scenario: Preserve regulation-specific authority
+
+- **GIVEN** Digital Omnibus material may affect AI Act, GDPR, DORA, NIS2, Data Act, or other EU digital-rule guidance
+- **WHEN** the `809-regulations-eu-digital-omnibus` skill is applied
+- **THEN** it checks and reports the source status before recommending changes
+- **AND** it does not replace regulation-specific review from `801`, `802`, `803`, `804`, `806`, or future regulation skills
+- **AND** it does not silently relax controls, reduce escalation requirements, or rewrite conclusions from regulation-specific skills
+
+### Requirement: Relationship to other regulation skills
+
+The Digital Omnibus skill MUST complement existing and planned regulation skills without changing their workflows.
+
+#### Scenario: Select Digital Omnibus as a cross-cutting overlay
+
+- **GIVEN** a Java enterprise system may involve AI, privacy, cybersecurity, resilience, data access, or incident-reporting concerns
+- **WHEN** an agent chooses regulation guidance
+- **THEN** regulation-specific skills are used for regulation-specific review
+- **AND** `809-regulations-eu-digital-omnibus` is used only when the primary concern is how Digital Omnibus simplification proposals may affect existing EU digital-rule evidence, timelines, reporting paths, or skill guidance
+- **AND** multiple regulation skills may be used together when the same Java system crosses those concern boundaries
+
+### Requirement: Generator registration
+
+The Digital Omnibus skill source MUST be registered in the generator inventory so local skill generation emits it.
+
+#### Scenario: Register Digital Omnibus regulation skill
+
+- **WHEN** `skills-generator/src/main/resources/skills.xml` is inspected
+- **THEN** skill id `809` registers reference `809-regulations-eu-digital-omnibus`
+
+#### Scenario: Generate local Digital Omnibus skill
+
+- **WHEN** `./mvnw clean install -pl skills-generator` is run
+- **THEN** generated local skill output includes `.agents/skills/809-regulations-eu-digital-omnibus/SKILL.md`
+- **AND** generated references contain no unresolved include markers or broken local reference paths
+
+### Requirement: Source and generated-output boundaries
+
+The implementation MUST edit XML sources and validate generated local skill output without directly editing generated legacy or release outputs.
+
+#### Scenario: Preserve generated-output ownership
+
+- **WHEN** implementation files are reviewed
+- **THEN** `.cursor/rules/` is not edited directly
+- **AND** public `skills/` release output is not edited manually
+- **AND** public `skills/` is refreshed only through the release profile when release output is intentionally in scope
+