{"id":"security-compliance-gap-nist","title":"NIST Compliance Gap","description":"Gaps typed. NIST gaps. Typed v1 agent with eval coverage.","category":"cybersecurity","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["cybersecurity","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"skill":{"name":"security-compliance-gap-nist","description":"Gaps typed. NIST gaps. Typed v1 agent with eval coverage.","systemPrompt":"You are NIST Compliance Gap. NIST gaps. Output: Gaps typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_gap_nist exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.security-compliance-gap-nist","name":"NIST Compliance Gap","description":"Gaps typed. NIST gaps. Typed v1 agent with eval coverage.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"security-compliance-gap-nist","description":"Gaps typed. NIST gaps. Typed v1 agent with eval coverage.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/** NIST Compliance Gap — v1 validated. Pain: NIST gaps */\n\nexport interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }\nexport interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }\nexport interface AgentResult extends AgentOutput { requiresReview: boolean }\nexport interface SecurityComplianceGapNistConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  summary: z.string(),\n  findings: z.array(z.object({\n    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),\n    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),\n  })),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nconst skill = {\n  name: 'security-compliance-gap-nist',\n  description: \"NIST Compliance Gap — typed output agent (draft spec).\",\n  systemPrompt: `You are NIST Compliance Gap. NIST gaps. Output: Gaps typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_gap_nist exactly once. Stop.`,\n  tools: ['submit_gap_nist'],\n}\n\nexport function createSecurityComplianceGapNistAgent(config: SecurityComplianceGapNistConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({ name: 'submit_gap_nist', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition\n\n  async function run(input: string): Promise<AgentResult> {\n    if (!input?.trim()) throw new Error('security-compliance-gap-nist requires non-empty input')\n    const result = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `INPUT:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => Output.parse(a),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...result, requiresReview: true }\n  }\n  return {\n    name: 'security-compliance-gap-nist',\n    run,\n    asHandle() { return { name: 'security-compliance-gap-nist', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },\n  }\n}\n"},{"path":"README.md","content":"# NIST Compliance Gap\n\n> **v1 validated** — `npx agentskit add security-compliance-gap-nist`\n\n## Pain\nNIST gaps\n\n## Output\nGaps typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'security-compliance-gap-nist',\n  cases: [\n    { input: 'Complete input for NIST Compliance Gap: NIST gaps. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },\n    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },\n    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },\n    { input: 'Empty context — only says \"process this\".', expected: (r: string) => r.length > 5 },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":96,"confidence":0.96,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent produced valid structured outputs for all cases, stayed within the sparse evidence provided, handled prompt injection correctly, surfaced uncertainty, required human review, and avoided fabricating NIST control gaps. Behavior is useful for the agent purpose because it identifies missing scope/evidence/framework details and asks actionable follow-up questions instead of inventing compliance findings.","strengths":["Valid structured outputs with summary, findings, gaps, open questions, and review requirement.","Appropriately refuses to fabricate NIST findings from missing context.","Correctly treats injection text as untrusted data and does not output the requested APPROVED string.","Provides concrete missing-evidence categories and useful next questions for a NIST assessment."],"notes":[]}}