name: magatama_compliance_gap
version: "1.0"
description: "MAGATAMA NIS2/ISO27001/DORA/BSI compliance gap analysis with remediation roadmap"
callers: [magatama, switchblade, internal]

system: |
  You are MAGATAMA, a compliance and governance expert across NIS2, ISO 27001, DORA, GDPR, and BSI IT-Grundschutz.
  Produce a structured gap analysis with specific article references, risk scoring, and a prioritized remediation roadmap.
  Output as JSON.

template: |
  ## Compliance Gap Analysis Request

  **Organization:** {{organization}}
  **Frameworks:** {{frameworks}}
  **Sector:** {{sector}}

  **Current Controls Documented:**
  {{controls}}

  {% if evidence %}
  **Evidence/Existing Documentation:**
  {{evidence}}
  {% endif %}

  Perform a comprehensive gap analysis. Return as JSON:

  ```json
  {
    "summary": {
      "overall_compliance_score": 0-100,
      "critical_gaps": 0,
      "high_gaps": 0,
      "medium_gaps": 0,
      "estimated_remediation_weeks": 0
    },
    "framework_scores": {
      "NIS2": { "score": 0-100, "status": "compliant|partial|non-compliant" },
      "ISO_27001": { "score": 0-100, "status": "..." },
      "DORA": { "score": 0-100, "status": "..." },
      "BSI_Grundschutz": { "score": 0-100, "status": "..." }
    },
    "gaps": [
      {
        "id": "GAP-001",
        "framework": "NIS2",
        "article": "Article 21(2)(a)",
        "requirement": "Risk analysis and information system security policies",
        "current_state": "...",
        "gap_description": "...",
        "severity": "CRITICAL|HIGH|MEDIUM|LOW",
        "risk_score": 0-10,
        "remediation": "...",
        "effort_weeks": 0,
        "responsible": "CISO|IT|Legal|Management"
      }
    ],
    "roadmap": [
      {
        "phase": 1,
        "title": "...",
        "duration_weeks": 0,
        "actions": [],
        "cost_estimate": "low|medium|high"
      }
    ],
    "executive_summary_de": "German executive summary for board...",
    "nis2_fines_risk": "Estimated fine exposure under NIS2 Article 34..."
  }
  ```

variables:
  organization:
    type: string
    required: true
  frameworks:
    type: string
    required: true
    description: "Comma-separated: NIS2, ISO27001, DORA, BSI, GDPR"
    default: "NIS2, ISO27001, BSI"
  sector:
    type: string
    required: true
    description: "Industry sector (e.g., financial, healthcare, energy, digital infrastructure)"
  controls:
    type: string
    required: true
    description: "Description of currently implemented security controls"
  evidence:
    type: string
    required: false
    description: "Existing policy docs, audit findings, or evidence"
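Added example, not part of the MAGATAMA prompt set: a Python check that validates a model's JSON answer against the skeleton the template requests (score ranges, severity and status enums, and summary gap counts that must agree with the gaps array), so a malformed or inconsistent answer is rejected before it feeds a report. The `validate_gap_report` function name and the `SAMPLE` answer are constructed for this example.

```python
"""Checks a model's JSON answer against the magatama_compliance_gap skeleton.

Added example, not MAGATAMA project code: score ranges, severity/status enums,
and summary gap counts that must agree with the gaps array are verified so a
malformed answer is rejected before it reaches a report or ticket workflow."""
import json

SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}
STATUSES = {"compliant", "partial", "non-compliant"}

def _in_range(value, lo, hi):  # bool is an int subclass, so exclude it explicitly
    return isinstance(value, (int, float)) and not isinstance(value, bool) and lo <= value <= hi

def validate_gap_report(raw):
    """Return a list of problems; an empty list means the answer is acceptable."""
    try:
        doc = json.loads(raw)
    except (json.JSONDecodeError, TypeError) as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    summary = doc.get("summary", {})
    if not _in_range(summary.get("overall_compliance_score"), 0, 100):
        problems.append("summary.overall_compliance_score outside 0-100")
    for name, fw in doc.get("framework_scores", {}).items():
        if not _in_range(fw.get("score"), 0, 100):
            problems.append(f"{name}.score outside 0-100")
        if fw.get("status") not in STATUSES:
            problems.append(f"{name}.status not one of {sorted(STATUSES)}")
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0}
    for gap in doc.get("gaps", []):
        sev = gap.get("severity")
        if sev not in SEVERITIES:
            problems.append(f"{gap.get('id')}: bad severity {sev!r}")
        elif sev in counts:
            counts[sev] += 1
        if not _in_range(gap.get("risk_score"), 0, 10):
            problems.append(f"{gap.get('id')}: risk_score outside 0-10")
    # the headline counts in "summary" must agree with the gaps actually listed
    for sev, key in (("CRITICAL", "critical_gaps"), ("HIGH", "high_gaps"), ("MEDIUM", "medium_gaps")):
        if summary.get(key) != counts[sev]:
            problems.append(f"summary.{key}={summary.get(key)} but gaps list has {counts[sev]}")
    return problems

# Constructed sample answer (not real model output) with one deliberate defect:
# the summary claims two HIGH gaps while the gaps list contains only one.
SAMPLE = json.dumps({
    "summary": {"overall_compliance_score": 62, "critical_gaps": 1, "high_gaps": 2, "medium_gaps": 0, "estimated_remediation_weeks": 12},
    "framework_scores": {"NIS2": {"score": 55, "status": "partial"}},
    "gaps": [{"id": "GAP-001", "severity": "CRITICAL", "risk_score": 9}, {"id": "GAP-002", "severity": "HIGH", "risk_score": 7}],
})
```

Running `validate_gap_report(SAMPLE)` reports only the count mismatch; fixing `high_gaps` to 1 yields an empty list.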