tractorjuice/arckit-fr-marche-public

⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by qualified DPO / RSSI / legal counsel before reliance. Citations to ANSSI / CNIL / EU regulations may lag the current text — verify against the source.

You are helping an enterprise architect generate French public procurement documentation (Dossier de Consultation des Entreprises) aligned with the Code de la Commande Publique, UGAP, and DINUM digital doctrine requirements.

User Input

$ARGUMENTS

Instructions

Note: Before generating, scan projects/ for existing project directories. For each project, list all ARC-*.md artifacts, check external/ for reference documents, and check 000-global/ for cross-project policies. If no external docs exist but they would improve output, ask the user.

Step 0: Read existing artifacts from the project context

MANDATORY (warn if missing):

• REQ (Requirements) — Extract: functional requirements (FR-xxx) for procurement scope, non-functional requirements (NFR-xxx), integration requirements (INT-xxx), data sovereignty and security requirements
  • If missing: warn that procurement documentation requires defined requirements to produce a valid requirements statement

RECOMMENDED (read if available, note if missing):

• RISK (Risk Register) — Extract: vendor risks, technology risks, lock-in risks, sovereignty risks
• SECNUM (SecNumCloud Assessment) — Extract: cloud qualification requirements, recommended providers, data classification that drives sovereignty clauses
• DINUM (DINUM Standards Assessment) — Extract: mandatory DINUM standards (RGAA, RGS, RGI) to include as contract requirements

OPTIONAL (read if available, skip silently):

• PRIN (Architecture Principles, 000-global) — Extract: open source policy, cloud strategy, technology standards
• DATA (Data Model) — Extract: data categories (health data → HDS clause, personal data → GDPR/DPA clause)

Step 0b: Read external documents and policies

• Read any external documents in external/ — extract previous procurement files, UGAP framework references, legal notices, budget documents
• Read any global policies in 000-global/policies/ — extract procurement policy, open source policy, data classification policy
• If procurement-related external documents found, use them to pre-populate threshold analysis and budget constraints.

Step 1: Identify or Create Project

Identify the target project from the hook context. If the project doesn't exist:

1. Use Glob to list projects/*/ directories and find the highest NNN-* number
2. Calculate the next number (zero-padded to 3 digits)
3. Slugify the project name
4. Use the Write tool to create projects/{NNN}-{slug}/README.md and projects/{NNN}-{slug}/vendors/README.md
5. Set PROJECT_ID and PROJECT_PATH

Step 2: Read Source Artifacts

Read all documents from Step 0. Extract key information for the procurement file:

• Total estimated value (from requirements or user input)
• Data categories (drives sovereignty and certification clauses)
• Security classification level (drives RGS requirements)
• Cloud involvement (drives cloud doctrine assessment)

Step 3: Procurement Template Reading

Read the template (with user override support):

• First, check if .arckit/templates-custom/fr-marche-public-template.md exists in the project root
• If found: Read the user's customized template
• If not found: Read .arckit/templates/fr-marche-public-template.md

Step 4: Threshold Analysis

Before generating the document, determine the applicable procedure:

| Threshold | Procedure | BOAMP | JOUE | Min. Period | |-----------|-----------|-------|------|-------------| | < €40,000 | Below-threshold (no formal procedure required) | No | No | Informal | | €40,000 – €215,000 (supplies/services) | MAPA (Marché à Procédure Adaptée) | Yes | No | 15 days | | > €215,000 (supplies/services) | Open call for tenders (Appel d'Offres Ouvert) | Yes | Yes | 35 days | | > €5.38M (works) | Open call for tenders | Yes | Yes | 35 days |

Show threshold determination to the user before generating the full document.

Step 5: Generate Procurement Documentation

CRITICAL: Use the Write tool to create the procurement document.

1. Detect version: Check for existing ARC-{PROJECT_ID}-MARPUB-v*.md files:

   • No existing file → VERSION="1.0"
   • Existing file → minor increment for updates, major for procedure change

2. Auto-populate Document Control:

   • Document ID: ARC-{PROJECT_ID}-MARPUB-v{VERSION}
   • Status: DRAFT
   • Created Date: {current_date}
   • Review Cycle: On-Demand
   • Classification: OFFICIAL as default

3. Section 1: Threshold Analysis and Recommended Procedure

   • Estimated value (extract from user input or requirements)
   • Applicable threshold and recommended procedure from Step 4
   • BOAMP/JOUE publication requirement
   • Minimum consultation period
   • Cloud doctrine compliance (if cloud services involved — circular 6264/SG)

4. Section 2: Requirements Statement

   • Subject of the contract: concise description from user input
   • Functional requirements: extract relevant FR-xxx from REQ artifact
   • Technical requirements: extract relevant NFR-xxx (security, accessibility, interoperability)
   • Sovereignty and security requirements table:
     • Data hosting in France/EU (State Cloud Doctrine)
     • SecNumCloud qualification (if sensitive data — from SECNUM artifact)
     • HDS certification (if health data detected in DATA or REQ)
     • RGS v2.0 compliance
     • RGI v2.0 interoperability
     • RGAA 4.1 accessibility (for public digital services)
     • RGESN ecodesign (recommended)

5. Section 3: Award Criteria

   • Suggested weighting: Technical value (60%), Price (30%), Execution conditions (10%)
   • Sub-criteria breakdown with sovereignty/security sub-criterion (15% of technical value)
   • Technical scoring grid (0–3 scoring with descriptions)
   • Note: total must equal 100% — flag if user specifies different weights

6. Section 4: Security and Sovereignty Clauses

   • Security annex (mandatory): RGS v2.0, PSSIE, ANSSI IT hygiene guide (42 measures)
   • If OIV/OSE: LPM/NIS sector-specific orders
   • Data localisation clause: EU territory, no extraterritorial law access
   • Reversibility clause: DINUM reversibility requirements (plan, open formats, migration period, exit costs)
   • Open source clause: if applicable per State Cloud Doctrine Point 3
   • GDPR/DPA clause: mandatory if personal data processed — Article 28 requirements

7. Section 5: UGAP Catalogue

   • Guide user to check ugap.fr for current framework agreements
   • Provide category table with typical UGAP-accessible provider types:
     • Sovereign cloud IaaS (Outscale, OVHcloud, NumSpot)
     • Application development (major IT service firms)
     • Cybersecurity (PRIS-qualified providers)
     • Managed services

8. Section 6: Indicative Timeline

   • Mermaid Gantt chart from today's date:
     • Preparation phase: file drafting + legal validation (3-4 weeks)
     • Publication: BOAMP/JOUE (1 day)
     • Consultation period: per procedure type
     • Evaluation: 2-3 weeks
     • Award and contracting: 3-4 weeks

9. Section 7: ANSSI-Qualified Security Provider Selection If the procurement includes cybersecurity services (audit, incident response, SOC/detection), include selection criteria requiring ANSSI qualification:

   | ANSSI Qualification | Scope | When to Require | |--------------------|--------------------|----------------| | PASSI (Prestataires d'Audit de Sécurité des SI) | Penetration testing, technical audits | Any IS security audit or pentest | | PRIS (Prestataires de Réponse aux Incidents de Sécurité) | Incident response, forensics | IR retainer or OIV/OSE obligation | | PDIS (Prestataires de Détection des Incidents de Sécurité) | SOC, threat detection, SIEM management | Managed detection services | | PDCS (Prestataires de Cybersécurité pour les Collectivités) | Local authority-specific cybersecurity | Collectivités territoriales only |

   • For OIV/OSE systems: require PASSI qualification for any IS audit; PRIS for incident response services — both are mandatory under the sectoral arrêté or NIS2 obligations
   • Include qualification requirement in the technical specifications (CCTP), not just as selection criterion
   • Qualification lists are published on ssi.gouv.fr — advise buyers to verify currency at contract signature
   • ANSSI qualifications are not certifications: they require reassessment — confirm current validity in tender evaluation

10. Section 8: Digital State Doctrine Compliance

    • DINUM checklist: cloud-first, RGI, RGAA, RGESN, open source, GDPR/DPA
    • PSSIE and RGS target level
    • Cross-reference DINUM artifact conclusions if available

Before writing the file, read .arckit/references/quality-checklist.md and verify all Common Checks pass.

Write the document to:

projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md

Step 6: Summary Output

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Procurement File Generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📄 Document: projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md
📋 Document ID: {document_id}
📅 Created: {date}

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 Procurement Parameters
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Estimated Value: {amount}
Applicable Threshold: {threshold}
Recommended Procedure: {procedure}
BOAMP Publication: {Yes / No}
JOUE Publication: {Yes / No}
Min. Consultation Period: {X days}

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛡️ Mandatory Clauses Included
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ Security annex (RGS v2.0, PSSIE)
✅ Data localisation clause (EU territory)
✅ Reversibility clause (DINUM standards)
{✅ GDPR/DPA clause (personal data detected)}
{✅ HDS certification clause (health data detected)}
{✅ SecNumCloud clause (sensitive data + cloud)}
{✅ Open source clause (if applicable)}

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📦 Requirements Linked
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

{N} functional requirements extracted
{N} technical requirements (NFR-xxx) included

Next steps:
1. Review and complete UGAP catalogue references (ugap.fr)
2. Legal team validation of contract clauses
3. {If tenders received: Run $arckit-evaluate for scoring}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Important Notes

• Threshold accuracy: The estimated contract value must exclude VAT (hors taxes). Include all option periods in the estimate — the total lifetime value determines the applicable threshold.
• UGAP catalogue: UGAP framework references must be verified at ugap.fr before use in official procurement — agreements are updated regularly.
• Legal validation: This document generates a draft procurement file. It must be reviewed by the contracting authority's legal team and procurement officer before publication.
• Cloud Act clause: The data localisation clause explicitly addresses extraterritorial laws (Cloud Act, FISA). This is a DINUM requirement for any cloud procurement involving sensitive data.
• Use Write Tool: Procurement files are typically 3,000–6,000 words. Always use the Write tool.

Key References

| Document | Publisher | URL | |----------|-----------|-----| | Code de la commande publique | Légifrance | https://www.legifrance.gouv.fr/codes/id/LEGITEXT000037701019/ | | UGAP — Union des Groupements d'Achats Publics (framework catalogue) | UGAP | https://www.ugap.fr/ | | BOAMP — Bulletin Officiel des Annonces des Marchés Publics | DILA | https://www.boamp.fr/ | | TED / JOUE — EU procurement journal (above EU thresholds) | EU Publications Office | https://ted.europa.eu/ | | ANSSI-qualified security providers (PASSI, PRIS, PDIS) | ANSSI | https://cyber.gouv.fr/qualification-des-prestataires-de-services | | DINUM digital doctrine — standards for public IS procurement | DINUM | https://www.numerique.gouv.fr/services/cloud/doctrine/ | | Procurement thresholds (updated annually) | DAJ / Légifrance | https://www.economie.gouv.fr/daj/marches-publics |

Note for reviewers: French public procurement is governed by the Code de la commande publique (transposing EU Directives 2014/24 and 2014/25). UGAP is a French central purchasing body — pre-competed framework agreements that public buyers can call off without running a full tender. BOAMP is the mandatory French publication journal for procurement notices above €40,000 (JOUE/TED required above EU thresholds). PASSI, PRIS, and PDIS are ANSSI qualification schemes for security service providers — requiring PASSI-qualified auditors and PRIS-qualified incident responders is mandatory for OIV and recommended for all sensitive IS.

Success Criteria

• ✅ Procurement document created at projects/{project_id}/ARC-{PROJECT_ID}-MARPUB-v{VERSION}.md
• ✅ Threshold analysis completed with recommended procedure
• ✅ BOAMP/JOUE publication requirements determined
• ✅ Requirements statement linked to REQ artifact (FR-xxx, NFR-xxx)
• ✅ Sovereignty and security requirements table populated
• ✅ Award criteria with weighting defined (total = 100%)
• ✅ Security and sovereignty clauses included (data localisation, reversibility, GDPR/DPA)
• ✅ HDS clause included if health data detected
• ✅ SecNumCloud clause included if sensitive data and cloud
• ✅ UGAP catalogue guidance provided
• ✅ Indicative timeline Gantt chart generated
• ✅ DINUM digital doctrine checklist completed

Example Usage

$arckit-fr-marche-public Generate procurement documentation for a digital identity platform for a French ministry, estimated value €2.5M, handling personal data, requires SecNumCloud, RGAA compliance mandatory

$arckit-fr-marche-public Procurement file for 001 — cybersecurity services contract, €800K, MAPA procedure, existing UGAP framework available

$arckit-fr-marche-public Create procurement file for a French regional health authority digital platform, health data in scope, HDS certification required, estimated €3.5M over 3 years

Suggested Next Steps

After completing this command, consider running:

• $arckit-evaluate -- Score vendor responses against the award criteria defined in this document (when Tenders received and ready for evaluation)
• $arckit-traceability -- Link procurement requirements back to functional and non-functional requirements