feat(frameworks): CH-FADP stub plugin [EMEA]#87
Conversation
- Adds plugins/frameworks/ch-fadp/ with plugin.json, SKILL.md, assess.md, README.md - Registers under EMEA group in marketplace.json - Routes /ch-fadp:assess to gap-assessment (SCF ID: CH-FADP) - Documents key GDPR divergence: risk-based breach notification, individual criminal enforcement, voluntary DSO, Swiss transfer mechanisms, nFADP sensitive data categories - Stub TODOs left for Reference/Full level-up contributors Ref: GRCEngClub#12 (framework coverage tracker) Ref: GRCEngClub#9 (scaffold-framework — built manually pending tooling) Ref: GRCEngClub#11 (FRAMEWORK-PLUGIN-GUIDE.md depth tiers) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a new CH‑FADP (Swiss nFADP) framework plugin: marketplace registration, plugin metadata, README, an Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant ch_fadp as ch-fadp Plugin
participant grc as GRC-Engineer
participant scf as SCF Crosswalk
User->>ch_fadp: /ch-fadp:assess --sources=<connectors>
ch_fadp->>grc: /grc-engineer:gap-assessment (framework="emea-che-fadp-2025", sources)
grc->>scf: Request mappings (SCF controls → nFADP controls)
scf-->>grc: Control mapping + metadata
grc->>grc: Generate prioritized gap report (grouped by SCF family)
grc-->>ch_fadp: Gap report mapped to nFADP controls
ch_fadp-->>User: Prioritized gap assessment output
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related issues
Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Greptile SummaryThis PR adds a stub-depth Swiss nFADP plugin to the marketplace, routing Confidence Score: 5/5Safe to merge — all prior P0/P1 findings have been resolved. Every previously flagged issue has been addressed: the three missing nFADP sensitive-data categories are present, the SCF framework ID follows EMEA convention, the year-2025 designator is explained in SKILL.md, README metadata is consistent with plugin.json, and the community-mirror URLs have been replaced with the official SCF link. No new P0 or P1 issues were found in this iteration. No files require special attention; the SCF Important Files Changed
Sequence DiagramsequenceDiagram
participant U as User
participant A as /ch-fadp:assess
participant G as /grc-engineer:gap-assessment
participant S as SCF Crosswalk API
participant C as Connector Plugins
U->>A: /ch-fadp:assess [--sources=...]
A->>G: delegate "emea-che-fadp-2025" [--sources=...]
G->>S: GET crosswalks/emea-che-fadp-2025.json
S-->>G: 35 SCF → 90 nFADP control mappings
G->>C: pull evidence (aws-inspector, github-inspector, …)
C-->>G: control evidence data
G-->>A: prioritized gap report (blockers / findings / recommendations)
A-->>U: Swiss FADP gap report
Reviews (12): Last reviewed commit: "fix(ch-fadp): add race/ethnicity and soc..." | Re-trigger Greptile |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@plugins/frameworks/ch-fadp/commands/assess.md`:
- Line 34: The external link
"https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json" is returning
404 and breaking CI; update the markdown in
plugins/frameworks/ch-fadp/commands/assess.md by either replacing that URL with
the correct working endpoint (or a relative/local copy of the JSON), or remove
the broken link and add a brief note or alternate reference to the CH-FADP
crosswalk resource so the link-check passes.
In `@plugins/frameworks/ch-fadp/README.md`:
- Line 47: The README.md contains a broken SCF API link ([SCF API entry]
pointing to https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json);
update that link to a valid SCF API reference (either the current upstream URL
for the CH-FADP crosswalk or a maintained local copy in the repo/docs),
replacing the stale URL so the link-check passes; ensure the anchor text remains
"[SCF API entry]" and that the new URL is reachable (or switch the link to a
relative path to a bundled JSON file if the external resource is unavailable).
In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md`:
- Line 163: The relative link in SKILL.md uses
"../../../../docs/FRAMEWORK-PLUGIN-GUIDE.md" which is one level too shallow;
update the link target for [Framework Plugin Guide] to ascend five levels to
reach the repo-root docs (use "../../../../../docs/FRAMEWORK-PLUGIN-GUIDE.md")
so the reference resolves correctly from
plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: e30c8547-2d58-4154-bdd8-9eeec2703c1c
📒 Files selected for processing (5)
.claude-plugin/marketplace.jsonplugins/frameworks/ch-fadp/.claude-plugin/plugin.jsonplugins/frameworks/ch-fadp/README.mdplugins/frameworks/ch-fadp/commands/assess.mdplugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
| ## References | ||
|
|
||
| - [Secure Controls Framework](https://securecontrolsframework.com) — crosswalk source (CC BY-ND 4.0) | ||
| - [SCF API entry](https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json) |
There was a problem hiding this comment.
README includes a stale SCF API link (404).
Line 47 points to a URL that fails link-check. Please replace with a valid SCF API reference to keep docs and CI green.
Suggested doc fix
-- [SCF API entry](https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json)
+- [SCF API frameworks index](https://grcengclub.github.io/scf-api/api/crosswalks.json)📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - [SCF API entry](https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json) | |
| - [SCF API frameworks index](https://grcengclub.github.io/scf-api/api/crosswalks.json) |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@plugins/frameworks/ch-fadp/README.md` at line 47, The README.md contains a
broken SCF API link ([SCF API entry] pointing to
https://hackidle.github.io/scf-api/api/crosswalks/CH-FADP.json); update that
link to a valid SCF API reference (either the current upstream URL for the
CH-FADP crosswalk or a maintained local copy in the repo/docs), replacing the
stale URL so the link-check passes; ensure the anchor text remains "[SCF API
entry]" and that the new URL is reachable (or switch the link to a relative path
to a bundled JSON file if the external resource is unavailable).
- Remove 404 SCF API link from commands/assess.md (hackidle.github.io) - Remove 404 SCF API link from README.md (hackidle.github.io) - Fix relative path to FRAMEWORK-PLUGIN-GUIDE.md in SKILL.md (4 levels → 5 levels up to reach repo root docs) The CH-FADP crosswalk may not yet be published in the SCF API, so the broken API links are removed. The main SCF website link is retained as a working reference. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@plugins/frameworks/ch-fadp/commands/assess.md`:
- Around line 13-15: The markdown fenced code blocks in
plugins/frameworks/ch-fadp/commands/assess.md are missing language identifiers
causing markdownlint MD040; update the unlabeled triple-backtick blocks that
contain the command examples (e.g. the blocks with "/ch-fadp:assess
[--sources=<connector-list>]" and "/grc-engineer:gap-assessment \"CH-FADP\"
[--sources=<connector-list>]") to include a language tag such as "text" (i.e.,
replace ``` with ```text) so the code fences are labeled and the lint warning is
resolved.
In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md`:
- Line 76: Fix the casing typo in SKILL.md by changing the phrase "DSo
consultation" to "DSO consultation" (update the exact text in the line that
reads "- **DSo consultation**: If DSO is appointed, they must be consulted on
high-risk processing") so the acronym is consistently capitalized as "DSO".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: f9e21f7b-80b7-4aeb-ba20-cdd63e5c0c97
📒 Files selected for processing (3)
plugins/frameworks/ch-fadp/README.mdplugins/frameworks/ch-fadp/commands/assess.mdplugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
✅ Files skipped from review due to trivial changes (1)
- plugins/frameworks/ch-fadp/README.md
- Add ```text language identifier to fenced code blocks in assess.md (resolves markdownlint MD040) - Fix typo: "DSo consultation" → "DSO consultation" in SKILL.md
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md`:
- Around line 122-134: Update the GDPR cell in the table row labeled "Breach
notification clock" to correct the wording — replace "Strict deadline (know
without undue delay)" with a clear phrasing such as "Notify supervisory
authority without undue delay (GDPR Art. 33)" so it accurately reflects the
obligation to notify rather than "know" within the timeframe; ensure the change
is made in the GDPR column of that table row in SKILL.md.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 240e5038-c76c-4815-9a85-9b36787862da
📒 Files selected for processing (2)
plugins/frameworks/ch-fadp/commands/assess.mdplugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
✅ Files skipped from review due to trivial changes (1)
- plugins/frameworks/ch-fadp/commands/assess.md
- Fix typo in GDPR column: "know without undue delay" → "Notify supervisory authority without undue delay (GDPR Art. 33)"
There was a problem hiding this comment.
🧹 Nitpick comments (1)
plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md (1)
108-117: Add a missing subsection header before sensitive-data bullets.These bullets currently follow the DSO section directly, which makes them read as part of DSO guidance. Add a dedicated heading (e.g.,
#### Sensitive Personal Data) to avoid ambiguity.💡 Proposed doc refactor
#### **Data Security Officer (DSO)** @@ - **No GDPR Article 37 trigger**: No automatic requirement based on core activities or scale +#### **Sensitive Personal Data** + - Health data - Genetic data - Biometric data (for uniquely identifying a person) - Religious or philosophical beliefs🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md` around lines 108 - 117, Add a dedicated subsection header before the bullet list that begins with "Health data" to separate it from the preceding DSO section; insert a heading like "#### Sensitive Personal Data" immediately above that list (with a blank line before and after the heading) so the bullets are clearly under their own section and keep the existing trailing note about financial data unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md`:
- Around line 108-117: Add a dedicated subsection header before the bullet list
that begins with "Health data" to separate it from the preceding DSO section;
insert a heading like "#### Sensitive Personal Data" immediately above that list
(with a blank line before and after the heading) so the bullets are clearly
under their own section and keep the existing trailing note about financial data
unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 18dd93f5-e7b0-416f-a252-c0762a8772a0
📒 Files selected for processing (1)
plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md
48f58bc to
12b75b6
Compare
- Update scf_framework_id from "CH-FADP" to "emea-che-fadp-2025"
to match SCF API convention and enable gap-assessment lookup
- Update assess.md to pass correct framework ID to gap-assessment
- Update SKILL.md to reference correct framework ID
The EMEA convention uses emea-{country_alpha3}-{framework}-{year}
format. Switzerland FADP in SCF API is "emea-che-fadp-2025"
(CHE = ISO 3166-1 alpha-3 for Switzerland).
Fixes issue where gap-assessment would return empty results.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Update README.md SCF framework ID from CH-FADP to emea-che-fadp-2025 to match plugin.json and ensure consistency across all files Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add explanatory note in SKILL.md about why SCF framework ID uses 2025 (SCF's internal cycle) vs 2023 (law's effective date) - Prevents future contributor confusion about the year mismatch The SCF's year suffix reflects their intake/release cycle, not the underlying law's effective date. The ID must match the SCF crosswalk exactly for gap-assessment lookups to work. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add "Data about the intimate sphere (including sexual preferences and life)" to special categories per nFADP Art. 5(1)(c) - Fixes false negative where gap assessment would not flag sexual orientation/life data as requiring heightened protection The intimate sphere (Intimsphäre) is explicitly listed in nFADP alongside health, genetic, and racial/ethnic data as a special category requiring heightened protection.
…ata list Adds the two FADP Art. 5(1)(c) sensitive personal data categories that were missing from the SKILL.md special-categories list, using canonical Swiss statutory wording (verified against fedlex.data.admin.ch). Resolves greptile P1 review feedback. Without these, gap assessments routed through this skill would produce false negatives on race/ethnicity and social-assistance data processing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves conflicts on plugins/frameworks/ch-fadp/* introduced by GRCEngClub#87 merge: - Keep main's two new sensitive-data bullets (race/ethnicity, social assistance) - Apply branch's "Protected entities: natural persons only" correction — authoritative per kmu.admin.ch: the 2023 nFADP revision narrowed scope and legal persons are no longer covered (one of the 8 major changes). - Keep branch's "commands"/"skills" arrays in ch-fadp/plugin.json (CodeRabbit feedback from GRCEngClub#87 follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two broken external URLs were failing the lychee link-check on every PR: 1. mattpocock/skills/grill-me — Matt reorganized into category subdirectories; new path is skills/productivity/grill-me. 3 references updated (CHANGELOG.md, plugins/teach-me/README.md, plugins/teach-me/commands/quiz.md). 2. www.edoeb.admin.ch/edoeb/en/home.html — 301-redirects to /en, but lychee's user agent gets a bot-detection 500 from the FDPIC origin. Switched both ch-fadp references to the canonical /en URL. PRs #87, #89, and #90 all hit these failures.
Summary
Adds Swiss Federal Act on Data Protection (nFADP) plugin at stub depth to the GRC Engineering Club marketplace. The plugin provides
/ch-fadp:assesscommand that routes to the SCF crosswalk for gap assessments against Swiss data protection requirements.What this adds
plugins/frameworks/ch-fadp/.claude-plugin/plugin.json— Framework metadata (SCF ID: CH-FADP, EMEA region, stub depth)plugins/frameworks/ch-fadp/skills/ch-fadp-expert/SKILL.md— nFADP expertise with key GDPR divergencesplugins/frameworks/ch-fadp/commands/assess.md— Routes to/grc-engineer:gap-assessmentplugins/frameworks/ch-fadp/README.md— Install instructions and metadata.claude-plugin/marketplace.jsonunder EMEA frameworksKey nFADP vs GDPR Divergences Documented
Acceptance Criteria (from issue #12)
Stub Depth (this PR) ✅
CH-FADPEMEA, country toCHstub/ch-fadp:assessroutes to gap-assessment with correct SCF IDReference Depth (deferred to follow-up PR) 📋
/ch-fadp:scope— Framework-specific applicability determination/ch-fadp:evidence-checklist— Evidence patterns by nFADP articlesFull Depth (deferred to future PR) 📋
/ch-fadp:dpia-review— DPIA workflow for high-risk processing/ch-fadp:transfer-mechanism-check— Cross-border transfer validation/ch-fadp:breach-triage— Risk-based breach notification workflowReferences
Verification Checklist Passed
git branch --show-current→feat/ch-fadp-stubpython3 -m json.tool plugin.json→ validpython3 -m json.tool marketplace.json→ validgrep -i "72.hour" SKILL.md→ no matchesgrep -i "entity fine" SKILL.md→ no matchesgrep -i "mandatory.*dso\|dso.*mandatory" SKILL.md→ no matchesgrep "CH-FADP" plugin.json→ foundgrep '"depth".*"stub"' plugin.json→ foundgrep "ch-fadp" marketplace.json→ foundNote for Reviewers
This is intentionally a stub plugin. Framework-specific workflow commands (
/ch-fadp:evidence-checklist,/ch-fadp:dpia-review,/ch-fadp:transfer-mechanism-check,/ch-fadp:breach-triage) are deferred to Reference/Full depth level-ups per the Framework Plugin Guide.The control counts (35 SCF → 90 nFADP) are estimates based on the framework's scope. These should be validated against the SCF API and updated if needed when the crosswalk data is available.
Summary by CodeRabbit
New Features
Documentation