Skip to content

feat(us-finra): add FINRA framework plugin stub#67

Merged
ethanolivertroy merged 3 commits into
GRCEngClub:mainfrom
AnandSundar:feat/framework-us-finra-stub
Apr 26, 2026
Merged

feat(us-finra): add FINRA framework plugin stub#67
ethanolivertroy merged 3 commits into
GRCEngClub:mainfrom
AnandSundar:feat/framework-us-finra-stub

Conversation

@AnandSundar

@AnandSundar AnandSundar commented Apr 24, 2026

Copy link
Copy Markdown
Contributor

Summary

Closes #19 - Adds FINRA framework plugin stub

Scaffolded via /grc-engineer:scaffold-framework from the SCF crosswalk with SCF framework ID usa-federal-sro-finra.

What This PR Adds

Plugin: us-finra (FINRA Broker-Dealer Cybersecurity Guidance)

  • Depth: Stub (routes to /grc-engineer:gap-assessment via SCF crosswalk)
  • Region: Americas, United States
  • SCF Controls: 17 SCF controls → 39 FINRA controls
  • Industry: Financial services, broker-dealer
  • Regulator: FINRA

Files Created:

  • plugins/frameworks/us-finra/.claude-plugin/plugin.json - Framework metadata
  • plugins/frameworks/us-finra/commands/assess.md - Routes to gap-assessment
  • plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md - Framework context (TODOs acceptable at Stub depth)
  • plugins/frameworks/us-finra/README.md - Install instructions and depth badge

Test Plan

  • All 4 files created in plugins/frameworks/us-finra/
  • plugin.json has valid framework_metadata with correct SCF ID
  • depth is "stub" (not reference/full)
  • region is "Americas"
  • industry includes "financial-services" and "broker-dealer"
  • No TODO markers in plugin.json (allowed in SKILL.md)
  • Registered in .claude-plugin/marketplace.json
  • MD032 compliance verified (no blank line issues before lists)
  • /us-finra:assess command routes to /grc-engineer:gap-assessment usa-federal-sro-finra

Part of

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • FINRA Broker-Dealer Cybersecurity Guidance framework plugin now available for use.
    • Compliance gap assessment capability with 17 Secure Controls Framework controls mapped to 39 FINRA controls.
  • Documentation

    • Plugin documentation added with installation instructions and assessment command usage guides.

Scaffolded from SCF crosswalk (usa-federal-sro-finra) with:
- Plugin metadata: region=Americas, country=US, depth=stub
- Framework identity: broker-dealer cybersecurity guidance
- /us-finra:assess command routes to /grc-engineer:gap-assessment
- SKILL.md with TODO placeholders for Reference depth upgrade

Closes GRCEngClub#19
Part of GRCEngClub#12 (framework coverage tracker)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@AnandSundar AnandSundar requested a review from a team as a code owner April 24, 2026 17:07
@qodo-code-review

Copy link
Copy Markdown

Review Summary by Qodo

Add FINRA framework plugin stub with SCF crosswalk

✨ Enhancement

Grey Divider

Walkthroughs

Description
• Adds FINRA framework plugin stub with SCF crosswalk integration
• Registers plugin in marketplace with metadata and version info
• Implements /us-finra:assess command routing to gap-assessment
• Provides framework documentation and expert skill context
Diagram
flowchart LR
  A["SCF Crosswalk<br/>usa-federal-sro-finra"] -->|"17 SCF → 39 FINRA<br/>controls"| B["us-finra Plugin<br/>Stub Depth"]
  B -->|"assess command"| C["gap-assessment<br/>Engine"]
  D["plugin.json<br/>metadata"] -->|"registers"| E["marketplace.json"]
  B -->|"expert skill"| F["us-finra-expert<br/>SKILL.md"]
Loading

Grey Divider

File Changes

1. .claude-plugin/marketplace.json ⚙️ Configuration changes +6/-0

Register us-finra plugin in marketplace

• Registers new us-finra plugin entry in marketplace
• Adds plugin source path and description with control mapping
• Sets version to 0.1.0

.claude-plugin/marketplace.json


2. plugins/frameworks/us-finra/.claude-plugin/plugin.json ⚙️ Configuration changes +19/-0

Define FINRA plugin metadata and framework identity

• Defines plugin metadata with name, version, and author
• Specifies framework_metadata with SCF ID usa-federal-sro-finra
• Sets region to Americas, country to US, depth to stub
• Maps 17 SCF controls to 39 FINRA framework controls
• Identifies industry as financial-services and broker-dealer

plugins/frameworks/us-finra/.claude-plugin/plugin.json


3. plugins/frameworks/us-finra/README.md 📝 Documentation +36/-0

Document FINRA plugin installation and status

• Provides installation and usage instructions for the plugin
• Explains stub-depth status and routing to gap-assessment
• Documents upgrade path to Reference and Full depths
• Includes metadata table with framework details and SCF references

plugins/frameworks/us-finra/README.md


View more (2)
4. plugins/frameworks/us-finra/commands/assess.md ✨ Enhancement +17/-0

Implement FINRA assessment command routing

• Defines /us-finra:assess command for compliance assessment
• Documents optional scope argument (full, cybersecurity, supervision)
• Routes to /grc-engineer:gap-assessment with SCF framework ID

plugins/frameworks/us-finra/commands/assess.md


5. plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md 📝 Documentation +40/-0

Create FINRA expert skill with framework context

• Defines expert skill for FINRA broker-dealer cybersecurity guidance
• Provides framework identity and SCF crosswalk context
• Includes TODO placeholders for Reference-depth upgrade sections
• Documents command routing and leveling-up progression

plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md


Grey Divider

Qodo Logo

@qodo-code-review

qodo-code-review Bot commented Apr 24, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider


Action required

1. Broken assess delegation🐞 Bug ≡ Correctness
Description
plugins/frameworks/us-finra/commands/assess.md delegates to /grc-engineer:gap-assessment with an
extra positional "$1" and does not document/forward the standard --sources option. This can cause
gap-assessment to treat the scope value as an unexpected framework/arg and prevents users from
running the documented "/us-finra:assess --sources=..." flow reliably.
Code

plugins/frameworks/us-finra/commands/assess.md[R9-17]

+## Arguments
+
+- `$1` - Assessment scope (optional: full, cybersecurity, supervision)
+
+## Assessment
+
+Routes to gap-assessment with SCF framework ID `usa-federal-sro-finra`.
+
+Delegates to: `/grc-engineer:gap-assessment usa-federal-sro-finra $1`
Evidence
The stub framework command template shows the expected delegation shape: a Usage section with
optional --sources and a delegation code block calling `/grc-engineer:gap-assessment
"<scf_framework_id>" [--sources=<connector-list>]. The FINRA assess.md instead appends $1` as a
positional argument and omits the --sources pass-through, while gap-assessment itself only documents
` plus options (not an extra positional scope token). The FINRA README instructs --sources=...`,
which this assess.md does not incorporate into delegation guidance.

plugins/frameworks/us-finra/commands/assess.md[1-17]
plugins/grc-engineer/templates/framework-plugin/stub/commands/assess.md.tmpl[7-26]
plugins/grc-engineer/commands/gap-assessment.md[10-31]
plugins/frameworks/us-finra/README.md[5-8]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`/us-finra:assess` documentation currently delegates to `/grc-engineer:gap-assessment` incorrectly by appending `$1` as a positional argument and omitting the standard `--sources` pass-through guidance. This can cause `gap-assessment` to misinterpret the extra positional token and makes the command inconsistent with the repo’s stub template and the plugin README.
## Issue Context
Other stub framework plugins (and the scaffold template) standardize `assess.md` to:
- Provide `Usage` with `[--sources=<connector-list>]`
- Delegate via a code block calling `/grc-engineer:gap-assessment "<scf_framework_id>" [--sources=<connector-list>]`
`gap-assessment` itself takes `<frameworks>` then options; it does not define a positional scope argument.
## Fix Focus Areas
- plugins/frameworks/us-finra/commands/assess.md[1-17]
- plugins/grc-engineer/templates/framework-plugin/stub/commands/assess.md.tmpl[7-26]
- plugins/grc-engineer/commands/gap-assessment.md[10-31]
## What to change
- Remove `$1` from the delegation line.
- Add a `Usage` section and an `Arguments` section consistent with the stub template, documenting `--sources=<connector-list>`.
- Format the delegation as a fenced code block and quote the SCF framework id (consistent with the template).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread plugins/frameworks/us-finra/commands/assess.md Outdated
- Remove incorrect $1 positional argument from delegation
- Add Usage section with --sources pass-through guidance
- Quote SCF framework ID in delegation code block
- Document --sources argument in Arguments section
- Align with repo stub template format

Fixes delegation inconsistency where gap-assessment was receiving
an unexpected positional token instead of just the framework ID
and optional --sources flag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@ethanolivertroy

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 26, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Apr 26, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

This PR introduces a new FINRA framework plugin at Stub depth. It registers the us-finra plugin in the marketplace, defines plugin metadata with framework information (17 SCF controls mapped to 39 FINRA controls), and adds documentation for the assess command and skill definition that delegate to the GRC engineer gap assessment capability.

Changes

Cohort / File(s) Summary
Marketplace Registration
.claude-plugin/marketplace.json
Adds us-finra plugin entry to the plugins array with source path, descriptive text about FINRA's cybersecurity guidance with SCF crosswalk mapping, and version 0.1.0.
Plugin Configuration & Documentation
plugins/frameworks/us-finra/.claude-plugin/plugin.json, plugins/frameworks/us-finra/README.md, plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md
Defines plugin identity, provenance, and framework metadata (SCF ID, control mapping counts: 17↔39, industry/regulator tags); documents plugin installation, current Stub depth behavior, planned upgrades, and command routing to gap-assessment.
Command Documentation
plugins/frameworks/us-finra/commands/assess.md
Documents the us-finra:assess command for compliance gap assessment, including optional --sources argument, expected output format (severity-tagged report grouped by SCF family), and references to relevant SCF resources.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop through FINRA's cybersecurity lane,
Seventeen controls ease the pain,
From stub to full, the path is clear,
Broker-dealers have naught to fear! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(us-finra): add FINRA framework plugin stub' clearly and concisely summarizes the main change—adding a stub-depth FINRA framework plugin.
Linked Issues check ✅ Passed The PR satisfies all acceptance criteria from issue #19: creates plugin at plugins/frameworks/us-finra/ with valid plugin.json and framework_metadata, includes SKILL.md with framework context, routes /us-finra:assess to gap-assessment with correct SCF ID (usa-federal-sro-finra), registers in marketplace.json, and maintains stub depth without excessive TODOs.
Out of Scope Changes check ✅ Passed All changes are scoped to the FINRA framework plugin creation: plugin.json, plugin registration in marketplace.json, README, assess.md command, and SKILL.md documentation. No unrelated modifications present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Apr 26, 2026

Copy link
Copy Markdown

Greptile Summary

Adds the us-finra stub-depth framework plugin for FINRA Broker-Dealer Cybersecurity Guidance, scaffolded from the SCF crosswalk (17 SCF → 39 framework controls). All 5 files are consistent with the established stub-plugin pattern, relative doc links resolve correctly, and the marketplace registration is well-formed.

Confidence Score: 5/5

Safe to merge — clean stub scaffold with no logic errors or broken references.

All files follow the established stub-plugin convention, SCF framework ID and control counts are consistent across plugin.json/README/assess.md/marketplace.json, all relative paths to FRAMEWORK-PLUGIN-GUIDE.md resolve correctly, and no P0/P1 issues were found. The only prior concern (inline author formatting) was already addressed in a previous review thread.

No files require special attention.

Important Files Changed

Filename Overview
.claude-plugin/marketplace.json Appends the us-finra entry at the end of the plugins array with correct name, source path, description, and version.
plugins/frameworks/us-finra/.claude-plugin/plugin.json Well-formed plugin manifest with correct SCF framework ID, region, depth, control counts, and industry tags; author uses inline object style (flagged in prior review).
plugins/frameworks/us-finra/README.md Install/usage guide with correct stub-depth badge, metadata table, and valid relative path to FRAMEWORK-PLUGIN-GUIDE.md.
plugins/frameworks/us-finra/commands/assess.md Stub command that correctly delegates to /grc-engineer:gap-assessment "usa-federal-sro-finra" with optional --sources passthrough; all relative links resolve correctly.
plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md Stub skill with appropriate TODO placeholders, correct frontmatter, and valid path back to FRAMEWORK-PLUGIN-GUIDE.md.

Sequence Diagram

sequenceDiagram
    actor User
    participant assess as /us-finra:assess
    participant skill as us-finra-expert (SKILL.md)
    participant gap as /grc-engineer:gap-assessment
    participant scf as SCF Crosswalk<br/>(usa-federal-sro-finra)

    User->>assess: /us-finra:assess [--sources=...]
    assess->>skill: load stub context
    assess->>gap: delegate with framework ID
    gap->>scf: expand 17 SCF controls → 39 FINRA controls
    scf-->>gap: control mappings
    gap-->>User: prioritized gap report
Loading

Reviews (2): Last reviewed commit: "Merge branch 'main' into feat/framework-..." | Re-trigger Greptile

{
"name": "us-finra",
"description": "FINRA Plugin - Broker-dealer cybersecurity guidance (builds on SEC Reg S-P, SEC 17a-4)",
"version": "0.1.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Inline author object inconsistent with sibling plugins

All other framework plugin.json files use multi-line formatting for the author object (e.g. glba, nydfs, dora). Keeping the same style makes diffs and reviews easier to parse.

Suggested change
"version": "0.1.0",
"author": {
"name": "GRC Engineering Club Contributors"
},

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@ethanolivertroy ethanolivertroy left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving per pre-merge review pass: Qodo bug on broken assess delegation addressed in commit 7041199 (now uses templated Usage block + documents --sources). Structure conforms to framework-stub pattern (matches glba/nydfs/singapore-pdpa); marketplace.json registration correct; namespace /us-finra: unique; author field uses correct object form. Greptile P2 (inline vs multi-line author) is cosmetic and matches singapore-pdpa precedent.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/frameworks/us-finra/README.md`:
- Line 3: Replace all user-facing occurrences of the phrase "FINRA Cybersecurity
Rules" in the README with the plugin-scoped term "Broker-Dealer Cybersecurity
Guidance" to ensure consistent terminology; search for the literal string "FINRA
Cybersecurity Rules" in the README.md and update each instance (including the
header and any descriptive lines) so the doc consistently references
"Broker-Dealer Cybersecurity Guidance" and avoid introducing new variations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b143dbff-5fb8-483f-8b77-3eb09b0eb923

📥 Commits

Reviewing files that changed from the base of the PR and between 9305d5a and b996d59.

📒 Files selected for processing (5)
  • .claude-plugin/marketplace.json
  • plugins/frameworks/us-finra/.claude-plugin/plugin.json
  • plugins/frameworks/us-finra/README.md
  • plugins/frameworks/us-finra/commands/assess.md
  • plugins/frameworks/us-finra/skills/us-finra-expert/SKILL.md

@@ -0,0 +1,36 @@
# us-finra — FINRA Broker-Dealer Cybersecurity Guidance

Stub-depth framework plugin scaffolded from the SCF crosswalk. Install and use it to run a gap assessment against **FINRA Cybersecurity Rules**:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Use “Guidance” terminology consistently in user-facing docs.

Line 3 and Line 16 say “FINRA Cybersecurity Rules,” but the plugin is scoped as “Broker-Dealer Cybersecurity Guidance.” Keeping one term avoids scope ambiguity.

✏️ Suggested wording update
-Stub-depth framework plugin scaffolded from the SCF crosswalk. Install and use it to run a gap assessment against **FINRA Cybersecurity Rules**:
+Stub-depth framework plugin scaffolded from the SCF crosswalk. Install and use it to run a gap assessment against **FINRA Broker-Dealer Cybersecurity Guidance**:

-Reference-depth adds an evidence checklist and framework-specific context. If you have domain expertise for FINRA Cybersecurity Rules, see the [Framework Plugin Guide](../../../docs/FRAMEWORK-PLUGIN-GUIDE.md) and open a PR.
+Reference-depth adds an evidence checklist and framework-specific context. If you have domain expertise for FINRA Broker-Dealer Cybersecurity Guidance, see the [Framework Plugin Guide](../../../docs/FRAMEWORK-PLUGIN-GUIDE.md) and open a PR.

Also applies to: 16-16

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/frameworks/us-finra/README.md` at line 3, Replace all user-facing
occurrences of the phrase "FINRA Cybersecurity Rules" in the README with the
plugin-scoped term "Broker-Dealer Cybersecurity Guidance" to ensure consistent
terminology; search for the literal string "FINRA Cybersecurity Rules" in the
README.md and update each instance (including the header and any descriptive
lines) so the doc consistently references "Broker-Dealer Cybersecurity Guidance"
and avoid introducing new variations.

@ethanolivertroy ethanolivertroy merged commit bb1f7af into GRCEngClub:main Apr 26, 2026
2 checks passed
ethanolivertroy added a commit to FunkeOmolere/claude-grc-engineering that referenced this pull request Apr 26, 2026
…author

- marketplace.json: reset to upstream main and re-apply cyber-essentials-plus
  entry cleanly. Restores the us-finra plugin entry (added in PR GRCEngClub#67) that
  was lost to a stale base, and removes the indentation drift +
  singapore-pdpa description corruption.
- plugin.json: switch author from bare string to object form per
  schemas/plugin.schema.json (the description note explicitly says bare
  strings are rejected by `claude plugin install`).

Both manifests now pass tests/validate-plugin-manifests.sh against the
ajv schema (35/35 valid).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ethanolivertroy added a commit that referenced this pull request Apr 26, 2026
)

* feat: add Cyber Essentials Plus (CE+) v3.3 Danzell framework plugin

* fix: update broken links in cyber-essentials-plus plugin

* fix: correct metadata table header in cyber-essentials-plus README

* Update plugins/frameworks/cyber-essentials-plus/commands/evidence-checklist.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: flatten author to string and correct SCF framework ID to emea-gbr-ce-2021

* Add cyber-essentials-plus plugin to marketplace.json

* fix: correct JSON syntax errors in marketplace. json

Reorganized the marketplace.json file by removing and re-adding the singapore-pdpa plugin with updated formatting.

* Update scf_controls_mapped value in plugin.json

* Correct number of SCF controls in assessment.md

* Update SCF controls mapped from 30 to 26

* Update SCF controls count in SKILL.md

Corrected the number of SCF controls from 30 to 26.

* fix: restore us-finra entry, normalize marketplace.json, object-form author

- marketplace.json: reset to upstream main and re-apply cyber-essentials-plus
  entry cleanly. Restores the us-finra plugin entry (added in PR #67) that
  was lost to a stale base, and removes the indentation drift +
  singapore-pdpa description corruption.
- plugin.json: switch author from bare string to object form per
  schemas/plugin.schema.json (the description note explicitly says bare
  strings are rejected by `claude plugin install`).

Both manifests now pass tests/validate-plugin-manifests.sh against the
ajv schema (35/35 valid).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ethan Troy <63926014+ethanolivertroy@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

framework: FINRA plugin (Stub depth)

2 participants