docs(144): MAESTRO Companion — NIST AI RMF evaluation ADR (#169)

* docs(144): MAESTRO Companion — NIST AI RMF evaluation ADR (ADR-025)

Documentation-only spike closing the MAESTRO compliance umbrella's regulated-adopter
half. Records tachi's NIST AI RMF posture as documentation-only mapping (Option A).

Three-surface evaluation:
- Surface A (Functions × pipeline phases): Govern/Map/Measure/Manage mapped to
  tachi's 6 pipeline phases; Map/Measure/Manage overlap cells identify where
  tachi already contributes evidence.
- Surface B (Subcategories × control categories): 5-10 representative AI RMF
  Subcategories crosswalked to tachi's 8 compensating-control categories with
  Overlap / Gap / Conflict / "No equivalent" labels.
- Surface C (GAI risks × STRIDE+AI): all 12 NIST AI 600-1 Generative AI Profile
  risks mapped to tachi's 11 STRIDE+AI categories.

Decision rationale:
AI RMF 1.0 is mature (3+ year runway, federal procurement adoption, FFIEC/HIPAA
references) — unlike ADR-024's pre-1.0 AIVSS divergence. The binding constraint
is structural fit: AI RMF Functions are organizational-tier outcomes while tachi
produces artifact-tier evidence. Documentation-only mapping captures alignment
explicitly without coupling the pipeline to a framework operating one tier above.

Companion artifact at `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md`
ships the full mapping for procurement / audit citation. The tachi-control-analysis
SKILL.md gains an 80-200 word NIST AI RMF Relationship section with a relative-path
pointer to ADR-025. ADR-024 Related ADRs line updated with bidirectional ADR-025
back-reference.

Re-evaluation triggers: ≥3 regulated-adopter inquiries OR NIST AI RMF 2.0
publication OR SP 800-53 AI overlay GA.

Scope discipline: zero drift on schemas/, scripts/, .claude/agents/, examples/
(SC-006 invariant preserved). Backward-compatibility pytest 5/5 byte-identical
under SOURCE_DATE_EPOCH=1700000000 (ADR-021 determinism baseline).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(144): add PRD, spec artifacts, and regenerate BACKLOG

Adds the PRD (PM + Architect + Team-Lead sign-offs recorded in frontmatter) and
the spec artifact set (spec, plan, tasks, research, quickstart, agent-assignments,
checklists/requirements) for Feature 144 NIST AI RMF evaluation.

BACKLOG.md regenerated to reflect #144 transition to stage:build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(144): finalize ADR-025 merge date and mark T043/T044 complete

Set ADR-025 Date field to actual merge date (2026-04-16) per T044 pre-merge
instruction. Mark T043 (PR opened) and T044 (architect APPROVED 2026-04-16 —
see .aod/results/architect-pr-review-144.md) complete in tasks.md.

All 43 tasks now complete (T027 N/A per FR-008 XOR Option A branch).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: davidmatousek

.claude/skills/tachi-control-analysis/SKILL.md

@@ -17,6 +17,10 @@ The control analysis domain covers three areas:
 
 3. **Residual Risk Calculation and Recommendations** -- Recommendation generation rules for missing and partial controls (templates, effort calibration), residual score computation formula with the P0 binary reduction model (reduction factors by control status), severity band mapping for residual scores, and summary statistics calculations.
 
+## NIST AI RMF Relationship
+
+Tachi's compensating-controls analyzer operates in a STRIDE+AI idiom, not a NIST idiom. The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) and its companion Generative AI Profile (NIST AI 600-1) are the U.S. federal reference vocabulary for managing AI system risk — Functions (Govern, Map, Measure, Manage), Subcategories, and 12 GAI risk categories. Tachi's posture toward both documents is **documentation-only mapping** per [ADR-025](../../../docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md): no schema field, no agent, no pipeline phase, and no SARIF tag emits NIST-keyed output. The strongest direct semantic overlap is MEASURE 2.7 ("AI system security and resilience are evaluated and documented") — essentially what `compensating-controls.md` already produces without NIST labeling. Adopters who must cite NIST mappings during procurement, audit, or examination workflows should consult the companion reference `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md` and ADR-025 for the three-surface comparison (Functions × phases, Subcategories × control categories, GAI risks × STRIDE+AI), the full re-evaluation triggers, and the structural-fit rationale for choosing mapping over wired integration.
+
 ## Baseline-Aware Control Analysis Rules
 
 ### Carry-Forward Conditions

.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md

@@ -2662,3 +2662,85 @@ PR review → SC-001 file exists → SC-002 Status: Accepted grep → SC-003 thr
 | Existing backward-compat test suite | Trivial pass gate | `tests/scripts/test_backward_compatibility.py` |
 
 **No new technology introduced.** Documentation-only feature. Zero schema changes, zero script changes, zero agent changes, zero example regenerations.
+
+---
+
+### Feature 144: NIST AI RMF Integration Evaluation ADR
+
+## Components
+
+This feature does not add or modify runtime components. Components touched are documentation surfaces:
+
+### Component 1 — ADR-025 (new)
+
+**File**: `docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md`
+**Owner**: architect (Wave 2 author)
+
+Sections: Header (Status: Accepted, Date, Deciders, Feature 144, Related ADRs cross-referencing ADR-024 + ADR-020 + ADR-019 + ADR-018 + ADR-021 + ADR-023); Context with three Surface subsections using explicit anchors `<a id="surface-{a,b,c}"></a>`; Decision (canonical noun in first paragraph); Rationale (five-criteria justification); Alternatives Considered (Options A/B/C); Consequences (Positive/Negative/Mitigation/Follow-on); When to Re-Evaluate; References. Length expected 200-280 lines.
+
+### Component 2 — `nist-ai-rmf-mapping.md` (new)
+
+**File**: `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md`
+**Owner**: architect (Wave 2)
+
+Content shape conditional on chosen option: Option A → complete mapping table (8 control categories → NIST Subcategories) + Surface C crosswalk; Option B/C → relationship-only stub naming wired-integration site + forward link to follow-on Issue + back-link to ADR-025. Additive only; renderable in standard Markdown.
+
+### Component 3 — SKILL.md NIST AI RMF Relationship Section (additive edit)
+
+**File**: `.claude/skills/tachi-control-analysis/SKILL.md`
+**Owner**: architect (Wave 2, after ADR-025 Decision text is finalized)
+
+Insertion point: After existing `## Domain Overview`, before existing `## Baseline-Aware Control Analysis Rules`. 80-200 words. Decision-noun byte-identical (case-insensitive) to ADR-025 Decision section. Relative link to ADR-025.
+
+### Component 4 — ADR-024 Back-Reference (single-line edit)
+
+**File**: `docs/architecture/02_ADRs/ADR-024-owasp-aivss-evaluation.md`
+**Owner**: architect (Wave 2, ships in same PR as ADR-025)
+
+Append `[ADR-025](ADR-025-nist-ai-rmf-evaluation.md) (companion NIST AI RMF evaluation)` to the existing Related ADRs line. Housekeeping edit — does NOT change ADR-024 Status field.
+
+### Component 5 — Follow-On GitHub Issue (conditional)
+
+**File**: GitHub Issues (filed via `bash .aod/scripts/bash/create-issue.sh`)
+**Owner**: product-manager (Wave 2 cleanup, only if Option B or C chosen)
+
+`stage:discover` label, concrete title, body links back to ADR-025, names surfaces that would change, includes effort estimate copied verbatim from ADR-025 Alternatives, names "non-disruptive"/"opt-in" constraint. **Skipped if Option A chosen** (FR-008 N/A).
+
+## Data Flow
+
+Documentation flows from authoring (Wave 1 + Wave 2) to publication (PR merge to `main`):
+
+```
+Wave 1 (3-hour timebox)
+  web-researcher reads NIST AI RMF 1.0 + NIST AI 600-1 (canonical URLs from spec Assumptions)
+  → appends findings to specs/144-*/research.md ## Wave 1 — NIST AI RMF Spec Notes section
+  → escalates to PM if 3-hour budget exceeded (3 contingency options per Edge Case 1)
+
+Wave 2 (sequential authorship)
+  architect drafts ADR-025 skeleton
+  → fills Surface A/B/C tables from research.md Wave 1 notes + tachi compensating controls reference
+  → drafts Decision (canonical noun) → Rationale → Alternatives → Consequences → Re-Evaluation Triggers → References
+  → creates .claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md (content shape per chosen option)
+  → appends ## NIST AI RMF Relationship section to .claude/skills/tachi-control-analysis/SKILL.md
+  → appends ADR-025 back-reference to docs/architecture/02_ADRs/ADR-024-owasp-aivss-evaluation.md Related ADRs line
+  → product-manager files follow-on Issue if Option B/C chosen (FR-008)
+
+PR Cycle (~half-day)
+  Open PR with docs: prefix conventional commit
+  → 13 SCs verified (shell + awk + grep + pytest + manual inspection)
+  → architect reviews PR (= "Accepted at merge" attestation per Closed Q2)
+  → squash-merge to main
+```
+
+## Tech Stack
+
+No tech stack changes. Reference lineage unchanged from current state:
+
+- **Documentation format**: Markdown (CommonMark, no GFM extensions required)
+- **ADR conventions**: Match ADR-022/023/024 structural template
+- **Verifiers**: shell (`grep`, `awk`, `wc -w`, `tr`), Python (`pytest tests/scripts/test_backward_compatibility.py`), git (`git diff`, `git log`)
+- **Determinism baseline**: `SOURCE_DATE_EPOCH=1700000000` for byte-identical PDF comparison (per ADR-021)
+- **Conventional commits**: `docs:` prefix only (per Constitution IX + SC-012)
+- **GitHub CLI**: `bash .aod/scripts/bash/create-issue.sh` for FR-008 conditional Issue filing
+
+**Zero new runtime dependencies**: empty diff on `requirements*.txt`, `pyproject.toml`, `package.json`. Zero new CLI prerequisites.

docs/architecture/01_system_design/README.md

@@ -4,7 +4,7 @@
 **Date**: 2026-04-15
 **Deciders**: Architect, Product Manager, Team-Lead
 **Feature**: 143 (MAESTRO Phase 4)
-**Related ADRs**: [ADR-020](ADR-020-maestro-layer-classification.md) (MAESTRO classification), [ADR-019](ADR-019-shared-definitions-and-model-field-governance.md) (shared cross-agent definitions), [ADR-018](ADR-018-baseline-aware-pipeline-correlation.md) (baseline-aware scoring lineage)
+**Related ADRs**: [ADR-020](ADR-020-maestro-layer-classification.md) (MAESTRO classification), [ADR-019](ADR-019-shared-definitions-and-model-field-governance.md) (shared cross-agent definitions), [ADR-018](ADR-018-baseline-aware-pipeline-correlation.md) (baseline-aware scoring lineage), [ADR-025](ADR-025-nist-ai-rmf-evaluation.md) (companion NIST AI RMF evaluation)
 
 ---