@agile-vibe-coding/avc 0.1.1 → 0.3.1

package/cli/ceremony-history.js

@@ -0,0 +1,369 @@
+/**
+ * Ceremony History Tracker - Records all ceremony executions with status and metadata
+ *
+ * Tracks when ceremonies are run, their outcomes, and preserves historical data.
+ * Helps detect abrupt terminations and provides audit trail.
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+export class CeremonyHistory {
+  constructor(avcPath = path.join(process.cwd(), '.avc')) {
+    this.avcPath = avcPath;
+    this.historyPath = path.join(avcPath, 'ceremonies-history.json');
+    this.data = null;
+  }
+
+  /**
+   * Initialize ceremony history file if it doesn't exist
+   */
+  init() {
+    // Ensure .avc directory exists
+    if (!fs.existsSync(this.avcPath)) {
+      fs.mkdirSync(this.avcPath, { recursive: true });
+    }
+
+    if (!fs.existsSync(this.historyPath)) {
+      const initialData = {
+        version: "1.0",
+        lastUpdated: new Date().toISOString(),
+        ceremonies: {}
+      };
+      this._writeData(initialData);
+    }
+  }
+
+  /**
+   * Load ceremony history from disk
+   */
+  load() {
+    if (fs.existsSync(this.historyPath)) {
+      this.data = JSON.parse(fs.readFileSync(this.historyPath, 'utf8'));
+    } else {
+      this.init();
+      this.data = JSON.parse(fs.readFileSync(this.historyPath, 'utf8'));
+    }
+    return this.data;
+  }
+
+  /**
+   * Write data to disk atomically
+   */
+  _writeData(data) {
+    try {
+      const tempPath = this.historyPath + '.tmp';
+      fs.writeFileSync(tempPath, JSON.stringify(data, null, 2), 'utf8');
+      fs.renameSync(tempPath, this.historyPath);
+    } catch (error) {
+      // Fallback to direct write if atomic write fails
+      try {
+        fs.writeFileSync(this.historyPath, JSON.stringify(data, null, 2), 'utf8');
+      } catch (fallbackError) {
+        console.error(`Failed to write ceremony history: ${fallbackError.message}`);
+        console.error(`Path: ${this.historyPath}`);
+        throw fallbackError;
+      }
+    }
+  }
+
+  /**
+   * Start a new ceremony execution
+   * @param {string} ceremonyName - e.g., 'sponsor-call'
+   * @param {string} stage - Initial stage (default: 'questionnaire')
+   * @returns {string} Execution ID
+   */
+  startExecution(ceremonyName, stage = 'questionnaire') {
+    this.load();
+
+    const now = new Date();
+    const timestamp = now.toISOString()
+      .replace(/T/, '-')
+      .replace(/:/g, '-')
+      .replace(/\..+/, '');
+
+    const executionId = `${ceremonyName}-${timestamp}`;
+
+    // Initialize ceremony entry if doesn't exist
+    if (!this.data.ceremonies[ceremonyName]) {
+      this.data.ceremonies[ceremonyName] = {
+        executions: [],
+        totalExecutions: 0,
+        lastRun: null,
+        lastSuccess: null
+      };
+    }
+
+    // Create execution record
+    const execution = {
+      id: executionId,
+      startTime: now.toISOString(),
+      endTime: null,
+      status: 'in-progress',
+      stage: stage,
+      answers: null,
+      filesGenerated: [],
+      tokenUsage: null,
+      duration: null,
+      outcome: null
+    };
+
+    // Add to executions array
+    this.data.ceremonies[ceremonyName].executions.push(execution);
+    this.data.ceremonies[ceremonyName].lastRun = now.toISOString();
+    this.data.lastUpdated = now.toISOString();
+
+    this._writeData(this.data);
+
+    return executionId;
+  }
+
+  /**
+   * Update an existing execution
+   * @param {string} ceremonyName - Ceremony name
+   * @param {string} executionId - Execution ID
+   * @param {Object} updates - Fields to update
+   */
+  updateExecution(ceremonyName, executionId, updates) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      throw new Error(`Ceremony '${ceremonyName}' not found in history`);
+    }
+
+    const execution = this.data.ceremonies[ceremonyName].executions.find(
+      e => e.id === executionId
+    );
+
+    if (!execution) {
+      throw new Error(`Execution '${executionId}' not found for ceremony '${ceremonyName}'`);
+    }
+
+    // Update fields
+    Object.assign(execution, updates);
+    this.data.lastUpdated = new Date().toISOString();
+
+    this._writeData(this.data);
+  }
+
+  /**
+   * Complete an execution
+   * @param {string} ceremonyName - Ceremony name
+   * @param {string} executionId - Execution ID
+   * @param {string} outcome - 'success', 'user-cancelled', or 'abrupt-termination'
+   * @param {Object} metadata - Additional data (answers, filesGenerated, tokenUsage, etc.)
+   */
+  completeExecution(ceremonyName, executionId, outcome, metadata = {}) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      throw new Error(`Ceremony '${ceremonyName}' not found in history`);
+    }
+
+    const execution = this.data.ceremonies[ceremonyName].executions.find(
+      e => e.id === executionId
+    );
+
+    if (!execution) {
+      throw new Error(`Execution '${executionId}' not found for ceremony '${ceremonyName}'`);
+    }
+
+    const now = new Date();
+    const startTime = new Date(execution.startTime);
+    const duration = now - startTime;
+
+    // Determine status based on outcome
+    let status;
+    switch (outcome) {
+      case 'success':
+        status = 'completed';
+        break;
+      case 'user-cancelled':
+        status = 'cancelled';
+        break;
+      case 'abrupt-termination':
+        status = 'aborted';
+        break;
+      default:
+        status = 'completed';
+    }
+
+    // Update execution
+    execution.status = status;
+    execution.endTime = now.toISOString();
+    execution.outcome = outcome;
+    execution.duration = duration;
+
+    // Merge metadata
+    if (metadata.answers) execution.answers = metadata.answers;
+    if (metadata.filesGenerated) execution.filesGenerated = metadata.filesGenerated;
+    if (metadata.tokenUsage) execution.tokenUsage = metadata.tokenUsage;
+    if (metadata.cost) execution.cost = metadata.cost;
+    if (metadata.model) execution.model = metadata.model;
+    if (metadata.stage) execution.stage = metadata.stage;
+    if (metadata.error) execution.error = metadata.error;
+    if (metadata.note) execution.note = metadata.note;
+
+    // Update ceremony totals
+    this.data.ceremonies[ceremonyName].totalExecutions =
+      this.data.ceremonies[ceremonyName].executions.length;
+
+    if (outcome === 'success') {
+      this.data.ceremonies[ceremonyName].lastSuccess = now.toISOString();
+    }
+
+    this.data.lastUpdated = now.toISOString();
+
+    this._writeData(this.data);
+  }
+
+  /**
+   * Archive answers to an execution (before LLM generation starts)
+   * @param {string} ceremonyName - Ceremony name
+   * @param {string} executionId - Execution ID
+   * @param {Object} answers - Questionnaire answers
+   */
+  archiveAnswers(ceremonyName, executionId, answers) {
+    this.updateExecution(ceremonyName, executionId, {
+      answers: { ...answers }
+    });
+  }
+
+  /**
+   * Get the most recent execution for a ceremony
+   * @param {string} ceremonyName - Ceremony name
+   * @returns {Object|null} Execution record or null
+   */
+  getLastExecution(ceremonyName) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      return null;
+    }
+
+    const executions = this.data.ceremonies[ceremonyName].executions;
+    if (executions.length === 0) {
+      return null;
+    }
+
+    // Return most recent (last in array)
+    return executions[executions.length - 1];
+  }
+
+  /**
+   * Get a specific execution by ID
+   * @param {string} ceremonyName - Ceremony name
+   * @param {string} executionId - Execution ID
+   * @returns {Object|null} Execution record or null
+   */
+  getExecutionById(ceremonyName, executionId) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      return null;
+    }
+
+    return this.data.ceremonies[ceremonyName].executions.find(
+      e => e.id === executionId
+    ) || null;
+  }
+
+  /**
+   * Get all executions for a ceremony
+   * @param {string} ceremonyName - Ceremony name
+   * @returns {Array} Array of execution records (newest first)
+   */
+  getAllExecutions(ceremonyName) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      return [];
+    }
+
+    // Return copy, sorted by startTime descending
+    return [...this.data.ceremonies[ceremonyName].executions]
+      .sort((a, b) => new Date(b.startTime) - new Date(a.startTime));
+  }
+
+  /**
+   * Detect if the last execution was abruptly terminated
+   * @param {string} ceremonyName - Ceremony name
+   * @returns {boolean} True if abrupt termination detected
+   */
+  detectAbruptTermination(ceremonyName) {
+    const lastExecution = this.getLastExecution(ceremonyName);
+
+    if (!lastExecution) {
+      return false;
+    }
+
+    // Check if last execution is still in-progress and in LLM generation stage
+    return lastExecution.status === 'in-progress' &&
+           lastExecution.stage === 'llm-generation';
+  }
+
+  /**
+   * Clean up abrupt termination (mark as aborted)
+   * @param {string} ceremonyName - Ceremony name
+   */
+  cleanupAbruptTermination(ceremonyName) {
+    const lastExecution = this.getLastExecution(ceremonyName);
+
+    if (!lastExecution || lastExecution.status !== 'in-progress') {
+      return;
+    }
+
+    this.completeExecution(ceremonyName, lastExecution.id, 'abrupt-termination', {
+      note: 'Process was interrupted during LLM generation',
+      stage: lastExecution.stage
+    });
+  }
+
+  /**
+   * Get ceremony statistics
+   * @param {string} ceremonyName - Ceremony name
+   * @returns {Object} Statistics object
+   */
+  getStats(ceremonyName) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      return {
+        totalExecutions: 0,
+        successful: 0,
+        cancelled: 0,
+        aborted: 0,
+        lastRun: null,
+        lastSuccess: null
+      };
+    }
+
+    const ceremony = this.data.ceremonies[ceremonyName];
+    const executions = ceremony.executions;
+
+    return {
+      totalExecutions: ceremony.totalExecutions,
+      successful: executions.filter(e => e.outcome === 'success').length,
+      cancelled: executions.filter(e => e.outcome === 'user-cancelled').length,
+      aborted: executions.filter(e => e.outcome === 'abrupt-termination').length,
+      lastRun: ceremony.lastRun,
+      lastSuccess: ceremony.lastSuccess
+    };
+  }
+
+  /**
+   * Check if a ceremony has completed successfully at least once
+   * @param {string} ceremonyName - Ceremony name
+   * @returns {boolean} True if ceremony has a successful completion
+   */
+  hasSuccessfulCompletion(ceremonyName) {
+    this.load();
+
+    if (!this.data.ceremonies[ceremonyName]) {
+      return false;
+    }
+
+    // Check if lastSuccess is set (indicates at least one successful execution)
+    return this.data.ceremonies[ceremonyName].lastSuccess !== null;
+  }
+}

package/cli/checks/catalog.json

@@ -0,0 +1,76 @@
+{
+  "version": "1.0.0",
+  "description": "Micro-check catalog for AVC validation system",
+  "tiers": {
+    "1": "Independent micro-checks — one YES/NO question per LLM call",
+    "2": "Cross-reference checks — validate consistency across perspectives",
+    "3": "Programmatic pattern detection — pure JS, no LLM"
+  },
+  "perspectives": [
+    "solution-architect",
+    "security",
+    "developer",
+    "devops",
+    "cloud",
+    "backend",
+    "database",
+    "api",
+    "frontend",
+    "ui",
+    "ux",
+    "mobile",
+    "data",
+    "qa",
+    "test-architect"
+  ],
+  "scopes": ["epic", "story"],
+  "checkCounts": {
+    "epic": {
+      "tier1": 157,
+      "tier2": 15,
+      "byPerspective": {
+        "solution-architect": 16,
+        "security": 15,
+        "developer": 16,
+        "devops": 14,
+        "cloud": 10,
+        "backend": 10,
+        "database": 9,
+        "api": 9,
+        "frontend": 13,
+        "ui": 8,
+        "ux": 7,
+        "mobile": 8,
+        "data": 8,
+        "qa": 7,
+        "test-architect": 7
+      }
+    },
+    "story": {
+      "tier1": 185,
+      "tier2": 13,
+      "byPerspective": {
+        "solution-architect": 19,
+        "security": 16,
+        "developer": 14,
+        "devops": 8,
+        "cloud": 8,
+        "backend": 8,
+        "database": 8,
+        "api": 15,
+        "frontend": 14,
+        "ui": 8,
+        "ux": 8,
+        "mobile": 8,
+        "data": 17,
+        "qa": 17,
+        "test-architect": 17
+      }
+    },
+    "total": {
+      "tier1": 342,
+      "tier2": 28,
+      "all": 370
+    }
+  }
+}

package/cli/checks/code/quality.json

@@ -0,0 +1,26 @@
+[
+  {
+    "id": "qual-01",
+    "severity": "major",
+    "question": "Are ALL functions 25 lines or fewer (excluding JSDoc comments and blank lines)?",
+    "evidenceGuide": "Count executable lines per function body. List any function exceeding 25 lines with its actual line count. Orchestration methods up to 50 lines are acceptable if each line is a single function call."
+  },
+  {
+    "id": "qual-02",
+    "severity": "major",
+    "question": "Are business logic functions pure (no file I/O, no network calls, no database access, no console output)?",
+    "evidenceGuide": "Check non-boundary functions for side-effect calls: fs.*, fetch, database queries, console.*. Side effects must be isolated in clearly named boundary functions (e.g., readFromDatabase, writeToFile, sendApiRequest)."
+  },
+  {
+    "id": "qual-03",
+    "severity": "minor",
+    "question": "Do function names use domain vocabulary from the documentation chain rather than generic programming terms?",
+    "evidenceGuide": "Compare function names against domain nouns and verbs found in the task's context.md and doc.md. Flag generic names like processData, handleRequest, doWork, updateDB. Prefer domain terms like bookAppointment, validateSlotAvailability, sendReminderMessage."
+  },
+  {
+    "id": "qual-04",
+    "severity": "minor",
+    "question": "Is each source file named after its primary exported function using kebab-case with the hierarchy prefix?",
+    "evidenceGuide": "Compare file names to their primary export. Expected pattern: e0001-s0002-t0003-function-name.js for export e0001_s0002_t0003_functionName."
+  }
+]

package/cli/checks/code/testing.json

@@ -0,0 +1,14 @@
+[
+  {
+    "id": "test-01",
+    "severity": "critical",
+    "question": "Do all test describe blocks reference acceptance criterion IDs in the format taskId#ACn (e.g., context-0001-0002-0003#AC1)?",
+    "evidenceGuide": "Check every describe() string in test files for an AC ID reference. The format must include the full task ID and AC number. List any describe blocks without a valid reference."
+  },
+  {
+    "id": "test-02",
+    "severity": "major",
+    "question": "Is there no orphan code — does every function (exported or helper) have a @satisfies tag or belong to a module whose primary export has one?",
+    "evidenceGuide": "List any functions that cannot be traced to an acceptance criterion through either a direct @satisfies tag or membership in a file whose primary export has one."
+  }
+]

package/cli/checks/code/traceability.json

@@ -0,0 +1,26 @@
+[
+  {
+    "id": "trace-01",
+    "severity": "critical",
+    "question": "Do ALL exported functions and classes have the correct hierarchy prefix e{X}_s{Y}_t{Z}_ matching the task ID?",
+    "evidenceGuide": "Check every export statement. The prefix must match the task's position in the hierarchy: e{epicNum}_s{storyNum}_t{taskNum}_. List any exports missing or using wrong prefix."
+  },
+  {
+    "id": "trace-02",
+    "severity": "critical",
+    "question": "Does every generated file have a provenance header with @file, @story, @task, @agent, and @generated JSDoc tags?",
+    "evidenceGuide": "Check the first JSDoc comment block at the top of each file for all five required tags. List any files missing tags."
+  },
+  {
+    "id": "trace-03",
+    "severity": "critical",
+    "question": "Does every exported function have a JSDoc comment with a @satisfies tag referencing a specific acceptance criterion (e.g., context-XXXX-XXXX-XXXX#AC1)?",
+    "evidenceGuide": "Check the JSDoc block above each exported function for a @satisfies tag with a valid AC reference. List any exports without it."
+  },
+  {
+    "id": "trace-04",
+    "severity": "major",
+    "question": "Is every acceptance criterion from the task's work.json covered by at least one exported function (@satisfies) AND at least one test (describe block)?",
+    "evidenceGuide": "Cross-reference the acceptance criteria array from work.json against @satisfies tags in source files and describe() strings in test files. List any uncovered ACs."
+  }
+]

package/cli/checks/cross-refs/epic.json

@@ -0,0 +1,171 @@
+{
+  "scope": "epic",
+  "tier": 2,
+  "checks": [
+    {
+      "id": "xref-sec-api-epic-01",
+      "tier": 2,
+      "perspectives": ["security", "api"],
+      "severity": "critical",
+      "category": "consistency",
+      "dependsOn": ["sec-epic-08", "api-epic-01"],
+      "question": "Security requires: {{sec-epic-08.evidence}}. API defines: {{api-epic-01.evidence}}. Are the named roles and permission boundaries consistent with the API endpoint definitions?",
+      "failDescription": "Security role model and API endpoint access control definitions are inconsistent",
+      "failSuggestion": "Align API endpoint authorization with the security role model — ensure every endpoint names which roles can access it"
+    },
+    {
+      "id": "xref-sec-api-epic-02",
+      "tier": 2,
+      "perspectives": ["security", "api"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["sec-epic-03", "api-epic-06"],
+      "question": "Security defines trust boundaries: {{sec-epic-03.evidence}}. API patterns: {{api-epic-06.evidence}}. Are API error codes consistent with the security error taxonomy?",
+      "failDescription": "Security error taxonomy and API error codes are inconsistent",
+      "failSuggestion": "Ensure API error codes (401/403/404/422/429) match the security-defined error taxonomy"
+    },
+    {
+      "id": "xref-sec-db-epic-01",
+      "tier": 2,
+      "perspectives": ["security", "database"],
+      "severity": "critical",
+      "category": "consistency",
+      "dependsOn": ["sec-epic-12", "db-epic-01"],
+      "question": "Security identifies PII fields: {{sec-epic-12.evidence}}. Database defines schema: {{db-epic-01.evidence}}. Are PII fields identified in the database schema with appropriate protection?",
+      "failDescription": "Security PII requirements and database schema protection are misaligned",
+      "failSuggestion": "Ensure PII fields identified by security are protected in the database schema (encryption at rest, access controls)"
+    },
+    {
+      "id": "xref-sec-db-epic-02",
+      "tier": 2,
+      "perspectives": ["security", "database"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["sec-epic-14", "db-epic-06"],
+      "question": "Security requires audit logging: {{sec-epic-14.evidence}}. Database architecture: {{db-epic-06.evidence}}. Is the audit log storage aligned with database architecture?",
+      "failDescription": "Security audit log requirements and database storage architecture are inconsistent",
+      "failSuggestion": "Align audit log storage with database architecture — define where and how audit events are persisted"
+    },
+    {
+      "id": "xref-be-api-epic-01",
+      "tier": 2,
+      "perspectives": ["backend", "api"],
+      "severity": "critical",
+      "category": "consistency",
+      "dependsOn": ["be-epic-01", "api-epic-01"],
+      "question": "Backend defines service boundaries: {{be-epic-01.evidence}}. API defines endpoint surface: {{api-epic-01.evidence}}. Are backend service boundaries consistent with API endpoint definitions?",
+      "failDescription": "Backend service boundaries and API endpoint surface are inconsistent",
+      "failSuggestion": "Align backend services with API endpoints — each API endpoint should map to a defined backend service"
+    },
+    {
+      "id": "xref-be-api-epic-02",
+      "tier": 2,
+      "perspectives": ["backend", "api"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["be-epic-07", "api-epic-07"],
+      "question": "Backend architecture patterns: {{be-epic-07.evidence}}. API performance: {{api-epic-07.evidence}}. Are backend architectural patterns supporting the API performance requirements?",
+      "failDescription": "Backend architecture does not adequately support API performance requirements",
+      "failSuggestion": "Ensure backend architecture (caching, async processing) supports API performance targets (latency, throughput)"
+    },
+    {
+      "id": "xref-devops-be-epic-01",
+      "tier": 2,
+      "perspectives": ["devops", "backend"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["devops-epic-08", "be-epic-01"],
+      "question": "DevOps infrastructure: {{devops-epic-08.evidence}}. Backend boundaries: {{be-epic-01.evidence}}. Are deployment infrastructure patterns aligned with backend service architecture?",
+      "failDescription": "DevOps deployment infrastructure and backend service architecture are misaligned",
+      "failSuggestion": "Align deployment infrastructure with backend architecture — each service should have a defined deployment strategy"
+    },
+    {
+      "id": "xref-devops-be-epic-02",
+      "tier": 2,
+      "perspectives": ["devops", "backend"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["devops-epic-10", "be-epic-08"],
+      "question": "DevOps observability: {{devops-epic-10.evidence}}. Backend performance: {{be-epic-08.evidence}}. Does the observability stack cover backend performance monitoring needs?",
+      "failDescription": "DevOps observability stack does not adequately cover backend performance monitoring",
+      "failSuggestion": "Ensure observability stack monitors backend performance metrics: latency, error rates, resource utilization"
+    },
+    {
+      "id": "xref-qa-dev-epic-01",
+      "tier": 2,
+      "perspectives": ["qa", "developer"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["qa-epic-01", "dev-epic-06"],
+      "question": "QA defines test boundaries: {{qa-epic-01.evidence}}. Developer testing strategy: {{dev-epic-06.evidence}}. Are QA quality gates aligned with the developer testing strategy?",
+      "failDescription": "QA quality gates and developer testing strategy are not aligned",
+      "failSuggestion": "Align QA quality gates with developer testing — ensure coverage targets, test types, and quality metrics are consistent"
+    },
+    {
+      "id": "xref-qa-sec-epic-01",
+      "tier": 2,
+      "perspectives": ["qa", "security"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["qa-epic-05", "sec-epic-01"],
+      "question": "QA test patterns: {{qa-epic-05.evidence}}. Security threat model: {{sec-epic-01.evidence}}. Does the QA test strategy include security testing for identified threat categories?",
+      "failDescription": "QA test strategy does not include security testing for identified threats",
+      "failSuggestion": "Include security test scenarios in QA strategy for each threat category: auth abuse, authz bypass, injection"
+    },
+    {
+      "id": "xref-sa-be-epic-01",
+      "tier": 2,
+      "perspectives": ["solution-architect", "backend"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["sa-epic-08", "be-epic-03"],
+      "question": "SA integration points: {{sa-epic-08.evidence}}. Backend dependencies: {{be-epic-03.evidence}}. Are architecture integration points consistent with backend service dependencies?",
+      "failDescription": "Architecture integration points and backend dependencies are inconsistent",
+      "failSuggestion": "Align integration points with backend dependencies — every consumed service should be listed in both places"
+    },
+    {
+      "id": "xref-sa-db-epic-01",
+      "tier": 2,
+      "perspectives": ["solution-architect", "database"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["sa-epic-05", "db-epic-01"],
+      "question": "SA database technology: {{sa-epic-05.evidence}}. Database boundaries: {{db-epic-01.evidence}}. Are the SA-specified database technology and the database schema design consistent?",
+      "failDescription": "SA database technology choice and database schema design are inconsistent",
+      "failSuggestion": "Ensure database technology matches across SA and database perspectives — same engine, same ORM, same conventions"
+    },
+    {
+      "id": "xref-fe-api-epic-01",
+      "tier": 2,
+      "perspectives": ["frontend", "api"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["fe-epic-02", "api-epic-01"],
+      "question": "Frontend server-state management: {{fe-epic-02.evidence}}. API boundaries: {{api-epic-01.evidence}}. Does the frontend data fetching strategy align with the API endpoint structure?",
+      "failDescription": "Frontend data fetching strategy and API endpoint structure are misaligned",
+      "failSuggestion": "Align frontend data fetching with API design — cache keys, refetch patterns, and pagination should match API contracts"
+    },
+    {
+      "id": "xref-fe-sec-epic-01",
+      "tier": 2,
+      "perspectives": ["frontend", "security"],
+      "severity": "major",
+      "category": "consistency",
+      "dependsOn": ["fe-epic-09", "sec-epic-04"],
+      "question": "Frontend accessibility standard: {{fe-epic-09.evidence}}. Security session lifecycle: {{sec-epic-04.evidence}}. Does the frontend handle session expiration and token refresh consistently with the security model?",
+      "failDescription": "Frontend session handling and security session lifecycle are inconsistent",
+      "failSuggestion": "Ensure frontend handles session expiration per security model: redirect on 401, refresh token flow, logout cleanup"
+    },
+    {
+      "id": "xref-ta-devops-epic-01",
+      "tier": 2,
+      "perspectives": ["test-architect", "devops"],
+      "severity": "minor",
+      "category": "consistency",
+      "dependsOn": ["ta-epic-01", "devops-epic-02"],
+      "question": "Test architecture: {{ta-epic-01.evidence}}. DevOps CI/CD: {{devops-epic-02.evidence}}. Is the test automation framework integrated into the CI/CD pipeline?",
+      "failDescription": "Test automation framework is not integrated into the CI/CD pipeline",
+      "failSuggestion": "Integrate test framework into CI/CD: run unit tests on commit, integration tests on PR, e2e tests before deploy"
+    }
+  ]
+}