firefrost-gaming/claude-skills-reference

Files

Alireza Rezvani 466aa13a7b feat: C-Suite expansion — 8 new executive advisory roles (2→10) (#264 )

* feat: C-Suite expansion — 8 new executive advisory roles

Add COO, CPO, CMO, CFO, CRO, CISO, CHRO advisors and Executive Mentor.
Expands C-level advisory from 2 to 10 roles with 74 total files.

Each role includes:
- SKILL.md (lean, <5KB, ~1200 tokens for context efficiency)
- Reference docs (loaded on demand, not at startup)
- Python analysis scripts (stdlib only, runnable CLI)

Executive Mentor features /em: slash commands (challenge, board-prep,
hard-call, stress-test, postmortem) with devil's advocate agent.

21 Python tools, 24 reference frameworks, 28,379 total lines.
All SKILL.md files combined: ~17K tokens (8.5% of 200K context window).

Badge: 88 → 116 skills

* feat: C-Suite orchestration layer + 18 complementary skills

ORCHESTRATION (new):
- cs-onboard: Founder interview → company-context.md
- chief-of-staff: Routing, synthesis, inter-agent orchestration
- board-meeting: 6-phase multi-agent deliberation protocol
- decision-logger: Two-layer memory (raw transcripts + approved decisions)
- agent-protocol: Inter-agent invocation with loop prevention
- context-engine: Company context loading + anonymization

CROSS-CUTTING CAPABILITIES (new):
- board-deck-builder: Board/investor update assembly
- scenario-war-room: Cascading multi-variable what-if modeling
- competitive-intel: Systematic competitor tracking + battlecards
- org-health-diagnostic: Cross-functional health scoring (8 dimensions)
- ma-playbook: M&A strategy (acquiring + being acquired)
- intl-expansion: International market entry frameworks

CULTURE & COLLABORATION (new):
- culture-architect: Values → behaviors, culture code, health assessment
- company-os: EOS/Scaling Up operating system selection + implementation
- founder-coach: Founder development, delegation, blind spots
- strategic-alignment: Strategy cascade, silo detection, alignment scoring
- change-management: ADKAR-based change rollout framework
- internal-narrative: One story across employees/investors/customers

UPGRADES TO EXISTING ROLES:
- All 10 roles get reasoning technique directives
- All 10 roles get company-context.md integration
- All 10 roles get board meeting isolation rules
- CEO gets stage-adaptive temporal horizons (seed→C)

Key design decisions:
- Two-layer memory prevents hallucinated consensus from rejected ideas
- Phase 2 isolation: agents think independently before cross-examination
- Executive Mentor (The Critic) sees all perspectives, others don't
- 25 Python tools total (stdlib only, no dependencies)

52 new files, 10 modified, 10,862 new lines.
Total C-suite ecosystem: 134 files, 39,131 lines.

* fix: connect all dots — Chief of Staff routes to all 28 skills

- Added complementary skills registry to routing-matrix.md
- Chief of Staff SKILL.md now lists all 28 skills in ecosystem
- Added integration tables to scenario-war-room and competitive-intel
- Badge: 116 → 134 skills
- README: C-Level Advisory count 10 → 28

Quality audit passed:
✅ All 10 roles: company-context, reasoning, isolation, invocation
✅ All 6 phases in board meeting
✅ Two-layer memory with DO_NOT_RESURFACE
✅ Loop prevention (no self-invoke, max depth 2, no circular)
✅ All /em: commands present
✅ All complementary skills cross-reference roles
✅ Chief of Staff routes to every skill in ecosystem

* refactor: CEO + CTO advisors upgraded to C-suite parity

Both roles now match the structural standard of all new roles:
- CEO: 11.7KB → 6.8KB SKILL.md (heavy content stays in references)
- CTO: 10KB → 7.2KB SKILL.md (heavy content stays in references)

Added to both:
- Integration table (who they work with and when)
- Key diagnostic questions
- Structured metrics dashboard table
- Consistent section ordering (Keywords → Quick Start → Responsibilities → Questions → Metrics → Red Flags → Integration → Reasoning → Context)

CEO additions:
- Stage-adaptive temporal horizons (seed=3m/6m/12m → B+=1y/3y/5y)
- Cross-references to culture-architect and board-deck-builder

CTO additions:
- Key Questions section (7 diagnostic questions)
- Structured metrics table (DORA + debt + team + architecture + cost)
- Cross-references to all peer roles

All 10 roles now pass structural parity: ✅ Keywords ✅ QuickStart ✅ Questions ✅ Metrics ✅ RedFlags ✅ Integration

* feat: add proactive triggers + output artifacts to all 10 roles

Every C-suite role now specifies:
- Proactive Triggers: 'surface these without being asked' — context-driven
  early warnings that make advisors proactive, not reactive
- Output Artifacts: concrete deliverables per request type (what you ask →
  what you get)

CEO: runway alerts, board prep triggers, strategy review nudges
CTO: deploy frequency monitoring, tech debt thresholds, bus factor flags
COO: blocker detection, scaling threshold warnings, cadence gaps
CPO: retention curve monitoring, portfolio dog detection, research gaps
CMO: CAC trend monitoring, positioning gaps, budget staleness
CFO: runway forecasting, burn multiple alerts, scenario planning gaps
CRO: NRR monitoring, pipeline coverage, pricing review triggers
CISO: audit overdue alerts, compliance gaps, vendor risk
CHRO: retention risk, comp band gaps, org scaling thresholds
Executive Mentor: board prep triggers, groupthink detection, hard call surfacing

This transforms the C-suite from reactive advisors into proactive partners.

* feat: User Communication Standard — structured output for all roles

Defines 3 output formats in agent-protocol/SKILL.md:

1. Standard Output: Bottom Line → What → Why → How to Act → Risks → Your Decision
2. Proactive Alert: What I Noticed → Why It Matters → Action → Urgency (🔴🟡⚪)
3. Board Meeting: Decision Required → Perspectives → Agree/Disagree → Critic → Action Items

10 non-negotiable rules:
- Bottom line first, always
- Results and decisions only (no process narration)
- What + Why + How for every finding
- Actions have owners and deadlines ('we should consider' is banned)
- Decisions framed as options with trade-offs
- Founder is the highest authority — roles recommend, founder decides
- Risks are concrete (if X → Y, costs $Z)
- Max 5 bullets per section
- No jargon without explanation
- Silence over fabricated updates

All 10 roles reference this standard.
Chief of Staff enforces it as a quality gate.
Board meeting Phase 4 uses the Board Meeting Output format.

* feat: Internal Quality Loop — verification before delivery

No role presents to the founder without passing verification:

Step 1: Self-Verification (every role, every time)
  - Source attribution: where did each data point come from?
  - Assumption audit: [VERIFIED] vs [ASSUMED] tags on every finding
  - Confidence scoring: 🟢 high / 🟡 medium / 🔴 low per finding
  - Contradiction check against company-context + decision log
  - 'So what?' test: every finding needs a business consequence

Step 2: Peer Verification (cross-functional)
  - Financial claims → CFO validates math
  - Revenue projections → CRO validates pipeline backing
  - Technical feasibility → CTO validates
  - People/hiring impact → CHRO validates
  - Skip for single-domain, low-stakes questions

Step 3: Critic Pre-Screen (high-stakes only)
  - Irreversible decisions, >20% runway impact, strategy changes
  - Executive Mentor finds weakest point before founder sees it
  - Suspicious consensus triggers mandatory pre-screen

Step 4: Course Correction (after founder feedback)
  - Approve → log + assign actions
  - Modify → re-verify changed parts
  - Reject → DO_NOT_RESURFACE + learn why
  - 30/60/90 day post-decision review

Board meeting contributions now require self-verified format with
confidence tags and source attribution on every finding.

* fix: resolve PR review issues 1, 4, and minor observation

Issue 1: c-level-advisor/CLAUDE.md — completely rewritten
  - Was: 2 skills (CEO, CTO only), dated Nov 2025
  - Now: full 28-skill ecosystem map with architecture diagram,
    all roles/orchestration/cross-cutting/culture skills listed,
    design decisions, integration with other domains

Issue 4: Root CLAUDE.md — updated all stale counts
  - 87 → 134 skills across all 3 references
  - C-Level: 2 → 33 (10 roles + 5 mentor commands + 18 complementary)
  - Tool count: 160+ → 185+
  - Reference count: 200+ → 250+

Minor observation: Documented plugin.json convention
  - Explained in c-level-advisor/CLAUDE.md that only executive-mentor
    has plugin.json because only it has slash commands (/em: namespace)
  - Other skills are invoked by name through Chief of Staff or directly

Also fixed: README.md 88+ → 134 in two places (first line + skills section)

* fix: update all plugin/index registrations for 28-skill C-suite

1. c-level-advisor/.claude-plugin/plugin.json — v2.0.0
   - Was: 2 skills, generic description
   - Now: all 28 skills listed with descriptions, all 25 scripts,
     namespace 'cs', full ecosystem description

2. .codex/skills-index.json — added 18 complementary skills
   - Was: 10 roles only
   - Now: 28 total c-level entries (10 roles + 6 orchestration +
     6 cross-cutting + 6 culture)
   - Each with full description for skill discovery

3. .claude-plugin/marketplace.json — updated c-level-skills entry
   - Was: generic 2-skill description
   - Now: v2.0.0, full 28-skill ecosystem description,
     skills_count: 28, scripts_count: 25

* feat: add root SKILL.md for c-level-advisor ClawHub package

---------

Co-authored-by: Leo <leo@openclaw.ai>

2026-03-06 01:35:08 +01:00

12 KiB

Raw Blame History

Security Strategy Reference

1. Risk-Based Security (Not Compliance-First)

The Problem with Compliance-First Security

Most startups build security backwards: they get a compliance requirement (SOC 2, ISO 27001) and treat it as the security program. This produces:

Controls that pass audits but don't reduce actual risk
Resources allocated to documentation over protection
Security teams optimizing for auditor satisfaction, not threat reduction
False confidence ("we passed our audit") before real security exists

The right order:

Identify your actual threats (what do adversaries want from you?)
Identify your crown jewels (what's worth protecting most?)
Implement controls that address those threats to those assets
Map existing controls to compliance requirements — most overlap naturally

Risk Identification Framework

Asset Classification:

Tier 1 — Crown Jewels
├── Customer PII/PHI
├── Payment card data
├── Intellectual property (source code, models, trade secrets)
└── Authentication credentials and secrets

Tier 2 — Business Critical
├── Internal communications (Slack, email)
├── Financial systems and data
├── Employee data
└── Business strategy documents

Tier 3 — Operational
├── Internal tooling and infrastructure configs
├── Non-sensitive operational data
└── Public-facing content and marketing

Threat Actor Profiling:

Threat Actor	Motivation	Typical TTPs	Relative Likelihood
Financially motivated criminals	Data theft, ransomware	Phishing, credential stuffing	High
Nation-state	IP theft, espionage	Spear phishing, supply chain	Low-Medium (sector-dependent)
Insider threat	Financial gain, revenge	Privilege abuse, data exfil	Medium
Script kiddies	Notoriety, fun	Known CVEs, scanning	High (low sophistication)
Competitors	IP theft	Social engineering, insider recruitment	Low-Medium

Risk Quantification (FAIR Model Simplified)

Annual Loss Expectancy:

ALE = SLE × ARO
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
ARO (Annual Rate of Occurrence) = historical frequency or industry estimate

Business Impact Categories:

Direct financial loss: fraud, ransomware payment, theft
Regulatory fines: GDPR (4% global revenue), HIPAA ($100–$50K per violation), PCI DSS
Revenue impact: customer churn post-breach, deal loss during incident, downtime cost
Reputational damage: brand devaluation (harder to quantify, but real)
Legal costs: incident response counsel, class action defense, settlements

Example Risk Quantification:

Risk Scenario	SLE	ARO	ALE
Customer data breach (10K records)	$850K	0.15	$127,500/yr
Ransomware attack	$350K	0.20	$70,000/yr
Credential compromise + fraud	$120K	0.35	$42,000/yr
Third-party SaaS breach	$95K	0.25	$23,750/yr
Insider data exfiltration	$180K	0.10	$18,000/yr

Mitigation ROI:

ROSI = (Risk Reduction × ALE) - Control Cost
       ────────────────────────────────────
                  Control Cost

Example: MFA deployment
  Risk reduction: 99% for credential attacks
  ALE reduced: $42,000 × 0.99 = $41,580
  Control cost: $5,000/yr
  ROSI: ($41,580 - $5,000) / $5,000 = 731%

2. Zero Trust Architecture at Strategy Level

What Zero Trust Actually Means

Zero trust is not a product — it's an architectural principle: never trust, always verify, assume breach.

The traditional perimeter model (trust inside the network, distrust outside) fails because:

Remote work destroyed the perimeter
Cloud infrastructure has no perimeter
80% of breaches involve privileged account abuse (internal trust abused)
Supply chain attacks compromise trusted software

Zero Trust Maturity Model

Stage 1 — Identity-Centric (Start Here)

MFA enforced for all users, all applications
Identity provider (Okta, Azure AD, Google Workspace) as single control plane
No shared service accounts
Privileged Access Management (PAM) for admin access
Cost: $20–80K/year | Timeline: 3–6 months

Stage 2 — Device Trust

Endpoint detection and response (EDR) on all devices
Device health checks before granting access
Mobile device management (MDM) for BYOD
Certificate-based device authentication
Cost: $30–60K/year additional | Timeline: 6–12 months

Stage 3 — Network Micro-Segmentation

Replace VPN with Zero Trust Network Access (ZTNA)
Segment production from development from corporate
East-west traffic inspection (not just north-south)
Cost: $40–100K/year additional | Timeline: 12–18 months

Stage 4 — Application-Level Controls

Just-in-time access (no standing privileges)
Workload identity for service-to-service auth
API gateway with authentication enforcement
Continuous authorization (not just at login)
Cost: $50–150K/year additional | Timeline: 18–30 months

Strategic Guidance:

Don't sell zero trust as a project. It's a 3–5 year direction.
Start with identity. It gives the most risk reduction per dollar.
Measure progress by % of access covered by MFA, % of apps behind IdP, privilege account count.

3. Defense in Depth for Startups

The Layered Security Model

Layer 1: Governance & Policies
  └── Asset inventory, acceptable use, vendor management

Layer 2: Perimeter Controls
  └── WAF, DDoS protection, email security (DMARC/DKIM/SPF)

Layer 3: Identity & Access
  └── MFA, SSO, PAM, just-in-time access, least privilege

Layer 4: Endpoint Security
  └── EDR, device management, patch management

Layer 5: Application Security
  └── SAST/DAST, dependency scanning, code review, API security

Layer 6: Data Protection
  └── Encryption at rest and in transit, DLP, backup/recovery

Layer 7: Detection & Response
  └── SIEM/SOAR, log aggregation, alerting, incident response

Layer 8: Recovery
  └── Backup testing, DR plan, RTO/RPO targets

Startup Security Budget Allocation (Guidance)

Stage	Annual Revenue	Recommended Security Budget	Priority Spend
Pre-seed/Seed	<$1M	3–5% opex or $50–100K	MFA, backups, basic EDR
Series A	$1–10M	2–4% revenue	+SIEM, SOC 2 Type I, AppSec
Series B	$10–50M	3–5% revenue	+ZTNA, Red team, dedicated CISO
Series C+	$50M+	4–6% revenue	+SOC, threat intelligence, M&A security

Non-negotiables regardless of stage:

MFA on everything (particularly email, cloud consoles, code repos)
Automated backups with tested restore (ransomware defense)
Secrets management (no hardcoded credentials)
Dependency vulnerability scanning in CI/CD
Incident response plan (even a 2-page doc is better than nothing)

4. Security Program Maturity Model

Based on NIST CSF and CMMI, simplified for startup context:

Level 1: Initial

No formal policies
Reactive security (respond to incidents, not prevent them)
No dedicated security personnel
Basic hygiene gaps (unpatched systems, shared passwords)
Typical: Pre-seed, <20 employees

Level 2: Developing

Written security policies (even if not fully followed)
Dedicated security responsibility (often part-time or dual-role)
MFA deployed, basic asset inventory
Incident response process documented
SOC 2 Type I achievable from here in ~6 months
Typical: Series A, 20–50 employees

Level 3: Defined

Security integrated into SDLC
Dedicated security lead or vCISO
Regular vulnerability scanning and patching
Security awareness training program
SOC 2 Type II and ISO 27001 achievable
Typical: Series B, 50–150 employees

Level 4: Managed

Risk-based security program with quantified risks
Security metrics reported to board quarterly
Threat intelligence program
Dedicated security team (3–8 people)
Red team / penetration testing annually
Typical: Series C+, 150–500 employees

Level 5: Optimized

Continuous monitoring and automated response
Proactive threat hunting
Industry leadership on security (bug bounty, disclosure program)
Security as competitive advantage in sales
Typical: Public company or regulated enterprise

Maturity Assessment Questions

Can you list all systems that process customer data right now?
How long would it take to detect if an admin credential was compromised?
When was your last backup tested with a restore?
Do developers run any security checks before code is deployed?
Does the board receive security reporting? What's in it?

Score: 0 = no/don't know, 1 = partially, 2 = yes/verified

0–3: Level 1–2
4–7: Level 2–3
8–10: Level 3–4

5. Board-Level Security Reporting

What the Board Cares About

Boards are not interested in CVE counts or firewall rules. They care about:

Risk posture: Are we getting better or worse?
Regulatory exposure: What fines could we face?
Incident readiness: If we're breached, are we prepared?
Competitive position: Do customers trust us with their data?
Budget adequacy: Are we investing appropriately?

Quarterly Board Security Report Structure

Executive Summary (1 page max)

Security posture score vs. last quarter (directional trend matters more than absolute)
Top 3 risks and their business impact in dollars
Key accomplishments this quarter
Investment requested (if any)

Risk Dashboard

Risk Register Summary:
├── Critical (>$500K ALE): [count] risks, [count] mitigated
├── High ($100K–$500K ALE): [count] risks, [count] mitigated
├── Medium ($10K–$100K ALE): [count] risks
└── Low (<$10K ALE): [count] risks (for awareness only)

Trend: ↑ Risk exposure vs. Q[n-1] / ↓ Risk exposure vs. Q[n-1]

Compliance Status

Framework certifications in scope and current status
Next audit date
Any findings from last audit and remediation status

Incident Summary

Security incidents last quarter (count and severity)
Time to detect / time to respond (vs. targets)
Any regulatory reporting obligations triggered

Key Metrics (4–6 max)

MFA adoption rate
Critical patch SLA compliance
Phishing simulation click rate (trend)
Vendor assessments completed

Budget Summary

Spend vs. budget
Headcount
Next quarter key investments and rationale

Common Board Questions to Prepare For

"Have we been breached?" (Know your detection capability, not just your answer)
"How do we compare to peers?" (Benchmarks from Verizon DBIR, industry ISACs)
"What's the one thing we should invest in?" (Have a clear answer)
"If we're acquired, what would security due diligence find?" (Be honest)
"What keeps you up at night?" (Have a real answer, not a vague one)

6. Security as Revenue Enabler

The Sales Angle

For B2B companies, security certifications directly impact revenue:

Enterprise buyers require SOC 2 as table stakes (increasingly SOC 2 Type II)
Government and healthcare require ISO 27001 or HIPAA
Passing security questionnaires faster closes deals faster
A breach costs 10–30% customer churn; security investment is churn prevention

How to Measure:

Deals blocked by security questionnaire failures (track in CRM)
Average security questionnaire turnaround time
Customer security reviews passed vs. failed
Revenue attributed to new compliance certifications

The Trust Narrative

Position security certifications in marketing:

SOC 2 Type II: "Independently audited security controls, verified annually"
ISO 27001: "Internationally certified information security management"
HIPAA BAA: "Healthcare data protection to regulatory standards"

These aren't just compliance — they're trust signals that compress the sales cycle.

12 KiB Raw Blame History Unescape Escape