@agile-vibe-coding/avc 0.2.3 → 0.3.1

package/cli/checks/epic/security.json

@@ -0,0 +1,184 @@
+{
+  "perspective": "security",
+  "scope": "epic",
+  "checks": [
+    {
+      "id": "sec-epic-01",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "threat-model-coverage",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic handle user input, authentication, or data access? (Does it involve forms, APIs, login, or data queries?)",
+      "question": "Does the epic address primary threat categories: authentication abuse (brute force, credential stuffing), authorization bypass (IDOR/BOLA, privilege escalation), and injection (SQL, path traversal, XSS)?",
+      "failDescription": "Primary threat categories are not addressed — authentication abuse, authorization bypass, or injection threats missing",
+      "failSuggestion": "Address primary threat categories: (1) auth abuse (brute force, credential stuffing), (2) authz bypass (IDOR/BOLA, privilege escalation), (3) injection (SQL, path traversal, XSS)"
+    },
+    {
+      "id": "sec-epic-02",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "threat-model-coverage",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic expose any endpoints or accept external input? (Does it have APIs, webhooks, file uploads, or search endpoints?)",
+      "question": "Does the epic enumerate its attack surface: public endpoints, webhook receivers, file uploads, and search/query endpoints?",
+      "failDescription": "Attack surface is not enumerated — unclear which endpoints and input vectors are exposed",
+      "failSuggestion": "Enumerate the attack surface: list public endpoints, webhook receivers, file upload endpoints, and search/query endpoints"
+    },
+    {
+      "id": "sec-epic-03",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "threat-model-coverage",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve multiple layers of request processing? (Does it have gateway, middleware, handler, or database layers?)",
+      "question": "Does the epic document trust boundaries — what is validated at each layer (gateway, middleware, handler, DB)?",
+      "failDescription": "Trust boundaries are not documented — unclear what validation occurs at each processing layer",
+      "failSuggestion": "Document trust boundaries: specify what is validated at each layer (gateway, middleware, handler, database)"
+    },
+    {
+      "id": "sec-epic-04",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "authentication-session-management",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic manage user sessions or authentication? (Does it handle login, tokens, cookies, or session state?)",
+      "question": "Does the epic describe a complete session lifecycle: issue (login), renew (refresh), and revoke (logout + deactivation)?",
+      "failDescription": "Session lifecycle is incomplete — not all phases (issue, renew, revoke) are addressed",
+      "failSuggestion": "Describe the complete session lifecycle: issue (login), renew (refresh token), revoke (logout + deactivation)"
+    },
+    {
+      "id": "sec-epic-05",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-management",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic use cookies for session management? (Does it set or read cookies for auth?)",
+      "question": "Does the epic state cookie security attributes: httpOnly, SameSite, and Secure?",
+      "failDescription": "Cookie security attributes are not stated — httpOnly, SameSite, and Secure flags missing",
+      "failSuggestion": "State cookie security attributes: httpOnly (prevents JS access), SameSite=Strict (CSRF protection), Secure (HTTPS only)"
+    },
+    {
+      "id": "sec-epic-06",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-management",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic have state-mutating endpoints? (Does it involve POST, PUT, PATCH, or DELETE operations?)",
+      "question": "Does the epic state a CSRF strategy for mutating endpoints?",
+      "failDescription": "CSRF strategy is not stated for mutating endpoints",
+      "failSuggestion": "State the CSRF strategy: SameSite cookies, CSRF tokens, or double-submit pattern for mutating endpoints"
+    },
+    {
+      "id": "sec-epic-07",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-management",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic have authentication endpoints? (Does it involve login, registration, or password reset?)",
+      "question": "Does the epic specify rate limiting and lockout on authentication endpoints?",
+      "failDescription": "Rate limiting and lockout are not specified for authentication endpoints",
+      "failSuggestion": "Specify rate limiting (e.g. 5 attempts/minute) and account lockout (e.g. lock after 10 failed attempts) for auth endpoints"
+    },
+    {
+      "id": "sec-epic-08",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "authorization-model",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve role-based access control? (Does it mention roles, permissions, or restricted operations?)",
+      "question": "Does the epic name all roles with their exact permission boundaries?",
+      "failDescription": "Roles are not named with exact permission boundaries — access control is ambiguous",
+      "failSuggestion": "Name all roles (e.g. admin, staff, user) with their exact permission boundaries for each operation"
+    },
+    {
+      "id": "sec-epic-09",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "authorization-model",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve user-owned resources? (Does it have per-user data like profiles, orders, or documents?)",
+      "question": "Does the epic describe per-resource ownership enforcement to prevent IDOR?",
+      "failDescription": "Per-resource ownership enforcement is not described — IDOR vulnerability risk",
+      "failSuggestion": "Describe per-resource ownership enforcement: how the system verifies that user A cannot access user B's resources"
+    },
+    {
+      "id": "sec-epic-10",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authorization-model",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve both admin and non-admin operations? (Does it have admin-only features alongside regular user features?)",
+      "question": "Are admin vs non-admin distinctions clear for every sensitive operation?",
+      "failDescription": "Admin vs non-admin distinctions are unclear for sensitive operations",
+      "failSuggestion": "Clarify admin vs non-admin access for every sensitive operation — which operations require admin privileges"
+    },
+    {
+      "id": "sec-epic-11",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authorization-model",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic have endpoints that could be accessed by unauthenticated users? (Does it expose public or mixed-auth endpoints?)",
+      "question": "Does the epic define unauthenticated access policy — 401 or 404 response with rationale?",
+      "failDescription": "Unauthenticated access policy is not defined — unclear whether to respond with 401 or 404",
+      "failSuggestion": "Define unauthenticated access policy: respond with 401 (existence visible) or 404 (existence hidden) with rationale for the choice"
+    },
+    {
+      "id": "sec-epic-12",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic handle personally identifiable information (PII)? (Does it store or process names, emails, phone numbers, or addresses?)",
+      "question": "Does the epic identify PII fields and state a minimization strategy?",
+      "failDescription": "PII fields are not identified and no minimization strategy is stated",
+      "failSuggestion": "Identify PII fields (name, email, phone, etc.) and state a minimization strategy (only collect/return what's needed)"
+    },
+    {
+      "id": "sec-epic-13",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection",
+      "universal": true,
+      "question": "Does the epic confirm that sensitive credentials/keys are stored in environment variables (never hardcoded)?",
+      "failDescription": "No confirmation that sensitive credentials are stored in environment variables",
+      "failSuggestion": "State that all sensitive credentials and keys are stored in environment variables, never hardcoded in source"
+    },
+    {
+      "id": "sec-epic-14",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve security-sensitive actions? (Does it handle auth events, admin actions, or data modifications?)",
+      "question": "Does the epic enumerate audit log events for security-sensitive actions?",
+      "failDescription": "Audit log events are not enumerated for security-sensitive actions",
+      "failSuggestion": "Enumerate audit log events: which security-sensitive actions are logged (login, logout, role change, data deletion)"
+    },
+    {
+      "id": "sec-epic-15",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection",
+      "universal": true,
+      "question": "Does the epic state encryption at rest/in transit requirements (even if 'local dev only — HTTPS on deploy')?",
+      "failDescription": "Encryption requirements are not stated for data at rest and in transit",
+      "failSuggestion": "State encryption requirements: at rest (e.g. DB encryption) and in transit (e.g. HTTPS/TLS) — even if 'HTTPS on deploy only'"
+    }
+  ]
+}

package/cli/checks/epic/solution-architect.json

@@ -0,0 +1,192 @@
+{
+  "perspective": "solution-architect",
+  "scope": "epic",
+  "checks": [
+    {
+      "id": "sa-epic-01",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "critical",
+      "category": "api-surface-definition",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic expose any HTTP API endpoints? (Does it involve REST endpoints, GraphQL, webhooks, or any external-facing HTTP surface?)",
+      "question": "Does the epic name the key API endpoints it exposes (path pattern and HTTP method family)?",
+      "failDescription": "Epic does not name the API surface it exposes — path patterns and HTTP method families are absent",
+      "failSuggestion": "Add to epic description or features: list key endpoints as 'POST /api/X, GET /api/X/:id' pattern"
+    },
+    {
+      "id": "sa-epic-02",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "critical",
+      "category": "api-surface-definition",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic expose any HTTP API endpoints? (Does it involve REST endpoints, GraphQL, webhooks, or any external-facing HTTP surface?)",
+      "question": "Does the epic state an authorization model — which roles exist, where enforced (middleware vs handler), and what unauthenticated callers receive?",
+      "failDescription": "Authorization model is missing — no roles, enforcement points, or unauthenticated response defined",
+      "failSuggestion": "State the authorization model: name exact roles, specify enforcement location (middleware/handler), and define unauthenticated caller response (401)"
+    },
+    {
+      "id": "sa-epic-03",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "critical",
+      "category": "api-surface-definition",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic expose any HTTP API endpoints? (Does it involve REST endpoints, GraphQL, webhooks, or any external-facing HTTP surface?)",
+      "question": "Does the epic define an error taxonomy — the set of error codes this epic produces (e.g. 401/403/404/409/422/429)?",
+      "failDescription": "Error taxonomy is missing — no error codes defined for the epic's endpoints",
+      "failSuggestion": "Define the set of error codes this epic produces, e.g. 401 (unauthenticated), 403 (forbidden), 404 (not found), 422 (validation), 429 (rate limited)"
+    },
+    {
+      "id": "sa-epic-04",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "api-surface-definition",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic describe access control or authorization? (Does it mention roles, permissions, or restricted access?)",
+      "question": "Does the epic avoid vague authorization phrases like 'permitted users', 'authorized users', 'users with access', or 'allowed roles' — using exact role names and access rules instead?",
+      "failDescription": "Epic uses vague authorization phrases that are unimplementable — exact role names and access rules are required",
+      "failSuggestion": "Replace vague phrases ('permitted users', 'authorized users') with exact role names (e.g. 'admin', 'staff', 'owner') and specific access rules"
+    },
+    {
+      "id": "sa-epic-05",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "technical-architecture-coherence",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve database operations or data persistence? (Does it mention storing, querying, or managing data?)",
+      "question": "Does the epic state the database technology that matches the project's stated tech stack exactly?",
+      "failDescription": "Database technology is not stated or does not match the project's tech stack",
+      "failSuggestion": "State the database technology explicitly and ensure it matches the project's tech stack (e.g. PostgreSQL, MongoDB)"
+    },
+    {
+      "id": "sa-epic-06",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "technical-architecture-coherence",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve database operations with an ORM or data-access layer? (Does it use an ORM like Prisma, TypeORM, Sequelize?)",
+      "question": "Does the epic name the ORM/data-access layer if one is used (e.g. Prisma, TypeORM, Sequelize)?",
+      "failDescription": "ORM/data-access layer is not named despite the epic involving database operations",
+      "failSuggestion": "Name the ORM or data-access layer used (e.g. Prisma, TypeORM, Sequelize, raw SQL)"
+    },
+    {
+      "id": "sa-epic-07",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "technical-architecture-coherence",
+      "universal": true,
+      "question": "Are all technology names (DB, framework, runtime) consistent throughout the epic description and features list?",
+      "failDescription": "Technology names are inconsistent — different names used for the same technology in different parts of the epic",
+      "failSuggestion": "Audit all technology references and ensure consistent naming throughout the epic description and features"
+    },
+    {
+      "id": "sa-epic-08",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "technical-architecture-coherence",
+      "universal": true,
+      "question": "Does the epic state its integration points with other epics — what this epic consumes and what it exposes?",
+      "failDescription": "Integration points with other epics are not stated — unclear what this epic consumes and exposes",
+      "failSuggestion": "Add integration points: list what contracts/services this epic consumes from other epics and what it exposes to them"
+    },
+    {
+      "id": "sa-epic-09",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "cross-cutting-concerns",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic have protected routes or require authentication? (Does it involve auth enforcement, middleware, or guarded endpoints?)",
+      "question": "Does the epic describe how protected routes are guarded — naming the middleware or auth enforcement pattern?",
+      "failDescription": "Auth enforcement mechanism is not described — no middleware name or pattern specified for protecting routes",
+      "failSuggestion": "Describe auth enforcement: name the middleware/pattern used to guard protected routes (e.g. 'requireAuth middleware', 'JWT verification middleware')"
+    },
+    {
+      "id": "sa-epic-10",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "cross-cutting-concerns",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic own authentication? (Does it handle login, sessions, tokens, or user authentication?)",
+      "question": "Does the epic address the full session/token lifecycle — issue, refresh, and revoke phases?",
+      "failDescription": "Session/token lifecycle is incomplete — not all three phases (issue, refresh, revoke) are addressed",
+      "failSuggestion": "Address all three session lifecycle phases: issue (login), refresh (token renewal), and revoke (logout + deactivation)"
+    },
+    {
+      "id": "sa-epic-11",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "cross-cutting-concerns",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve security-sensitive or business-critical operations? (Does it handle user data, financial transactions, or admin actions?)",
+      "question": "Does the epic specify which events are audit-logged and where the audit logs are stored?",
+      "failDescription": "Audit logging is not addressed — no events enumerated and no storage location specified",
+      "failSuggestion": "Enumerate which events are audit-logged (e.g. login, role change, data deletion) and where logs are stored"
+    },
+    {
+      "id": "sa-epic-12",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "cross-cutting-concerns",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic expose public-facing API endpoints? (Does it involve endpoints accessible from external clients?)",
+      "question": "Does the epic state whether rate limiting applies and at what threshold?",
+      "failDescription": "Rate limiting is not addressed — unclear whether it applies or at what threshold",
+      "failSuggestion": "State whether rate limiting applies and at what threshold (e.g. '100 requests/minute per IP' or 'no rate limiting — internal service only')"
+    },
+    {
+      "id": "sa-epic-13",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Does the epic have enough stories to fully cover its scope, each focused on a single cohesive capability?",
+      "failDescription": "Epic stories do not fully cover its scope — some features or capabilities are missing",
+      "failSuggestion": "Add stories until the epic's full scope is covered — each story should own a single cohesive capability"
+    },
+    {
+      "id": "sa-epic-14",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Does each feature string include a technical detail in parentheses?",
+      "failDescription": "Feature strings lack technical details — no parenthetical technical context provided",
+      "failSuggestion": "Add technical details in parentheses to each feature, e.g. 'User registration (POST /api/auth/register, bcrypt hashing)'"
+    },
+    {
+      "id": "sa-epic-15",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Is the epic description 2-5 sentences covering: what, how, key constraints, and integration touchpoints?",
+      "failDescription": "Epic description is too brief or does not cover all four required aspects (what, how, constraints, integration)",
+      "failSuggestion": "Write a 2-5 sentence description covering: (1) what the epic delivers, (2) how it's implemented, (3) key constraints, (4) integration touchpoints"
+    },
+    {
+      "id": "sa-epic-16",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Does the epic specify measurable NFRs — latency targets, error rate budgets, or test coverage expectations?",
+      "failDescription": "NFRs are not measurable — no latency targets, error rate budgets, or test coverage expectations specified",
+      "failSuggestion": "Add measurable NFRs: e.g. 'p95 latency < 200ms', 'error rate < 0.1%', 'test coverage > 80%'"
+    }
+  ]
+}

package/cli/checks/epic/test-architect.json

@@ -0,0 +1,90 @@
+{
+  "perspective": "test-architect",
+  "scope": "epic",
+  "checks": [
+    {
+      "id": "ta-epic-01",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test infrastructure, automation frameworks, or test architecture? (Does it define test frameworks, CI/CD test integration, or test data strategy?)",
+      "question": "Does the epic scope clearly define test architecture boundaries?",
+      "failDescription": "Test architecture boundaries are not defined — unclear which test infrastructure and frameworks are in scope",
+      "failSuggestion": "Define test architecture boundaries: test frameworks, CI/CD integration, test data management, test environments"
+    },
+    {
+      "id": "ta-epic-02",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test infrastructure, automation frameworks, or test architecture?",
+      "question": "Are all critical test architecture features identified?",
+      "failDescription": "Critical test architecture features are missing — framework selection, CI integration, or test data strategy not identified",
+      "failSuggestion": "Identify critical features: test framework, CI/CD integration, test data management, parallel execution, reporting"
+    },
+    {
+      "id": "ta-epic-03",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic depend on test infrastructure or services?",
+      "question": "Are dependencies on test architecture services/infrastructure explicit?",
+      "failDescription": "Test infrastructure dependencies are not explicit",
+      "failSuggestion": "Make test dependencies explicit: test framework, CI/CD runner, test database, mock services, browser drivers"
+    },
+    {
+      "id": "ta-epic-04",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test infrastructure, automation frameworks, or test architecture?",
+      "question": "Are test architecture success criteria measurable?",
+      "failDescription": "Test architecture success criteria are not measurable",
+      "failSuggestion": "Define measurable criteria: test execution time, flakiness rate, coverage targets, CI/CD integration status"
+    },
+    {
+      "id": "ta-epic-05",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "technical-depth",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test architecture design?",
+      "question": "Are test architecture patterns considered?",
+      "failDescription": "Test architecture patterns are not considered",
+      "failSuggestion": "Consider test patterns: page object model, test data factories, fixture management, parallel execution strategy"
+    },
+    {
+      "id": "ta-epic-06",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "consistency",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test infrastructure, automation frameworks, or test architecture?",
+      "question": "Does the test architecture approach align with project context?",
+      "failDescription": "Test architecture approach does not align with project context",
+      "failSuggestion": "Ensure test architecture aligns with project: consistent frameworks, patterns, and CI/CD pipeline"
+    },
+    {
+      "id": "ta-epic-07",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "best-practices",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve test infrastructure, automation frameworks, or test architecture?",
+      "question": "Are industry-standard test architecture patterns followed (DRY tests, test pyramid, BDD)?",
+      "failDescription": "Test architecture best practices are not followed",
+      "failSuggestion": "Follow test architecture best practices: DRY test helpers, test pyramid, BDD patterns, deterministic tests"
+    }
+  ]
+}

package/cli/checks/epic/ui.json

@@ -0,0 +1,102 @@
+{
+  "perspective": "ui",
+  "scope": "epic",
+  "checks": [
+    {
+      "id": "ui-epic-01",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "critical",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve visual design, UI components, or design systems? (Does it include UI specifications, component libraries, or visual design?)",
+      "question": "Does the epic scope clearly define UI boundaries?",
+      "failDescription": "UI boundaries are not defined — unclear which components and visual elements are in scope",
+      "failSuggestion": "Define UI boundaries: which components, pages, and visual elements belong to this epic"
+    },
+    {
+      "id": "ui-epic-02",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "critical",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve visual design, UI components, or design systems?",
+      "question": "Are all critical UI features identified?",
+      "failDescription": "Critical UI features are missing — component specs, design tokens, or responsive rules not identified",
+      "failSuggestion": "Identify critical UI features: component library, design tokens (colors, spacing, typography), responsive breakpoints"
+    },
+    {
+      "id": "ui-epic-03",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "major",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic depend on UI libraries or design systems?",
+      "question": "Are dependencies on UI services/infrastructure explicit?",
+      "failDescription": "UI dependencies are not explicit — component library, icon set, or font requirements missing",
+      "failSuggestion": "Make UI dependencies explicit: component library (MUI, Ant Design), icon set, font family, design system"
+    },
+    {
+      "id": "ui-epic-04",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "major",
+      "category": "completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve visual design, UI components, or design systems?",
+      "question": "Are UI success criteria measurable?",
+      "failDescription": "UI success criteria are not measurable",
+      "failSuggestion": "Define measurable UI criteria: design consistency score, accessibility audit pass rate, responsive breakpoint coverage"
+    },
+    {
+      "id": "ui-epic-05",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "major",
+      "category": "technical-depth",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve UI design patterns or component architecture?",
+      "question": "Are UI architectural patterns considered?",
+      "failDescription": "UI architectural patterns are not considered",
+      "failSuggestion": "Consider UI patterns: design system tokens, component composition, responsive layout strategy, theming"
+    },
+    {
+      "id": "ui-epic-06",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "minor",
+      "category": "technical-depth",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve UI components that need to render efficiently?",
+      "question": "Are performance/scalability concerns for UI addressed?",
+      "failDescription": "UI performance concerns are not addressed — rendering, animation, or large list handling missing",
+      "failSuggestion": "Address UI performance: virtualized lists, optimized re-renders, animation performance, image optimization"
+    },
+    {
+      "id": "ui-epic-07",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "minor",
+      "category": "consistency",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve visual design, UI components, or design systems?",
+      "question": "Does the UI approach align with project context?",
+      "failDescription": "UI approach does not align with project context",
+      "failSuggestion": "Ensure UI approach aligns with project: consistent component library, design tokens, and visual language"
+    },
+    {
+      "id": "ui-epic-08",
+      "tier": 1,
+      "perspective": "ui",
+      "severity": "minor",
+      "category": "best-practices",
+      "universal": false,
+      "applicabilityQuestion": "Does this epic involve visual design, UI components, or design systems?",
+      "question": "Are industry-standard UI patterns followed (visual hierarchy, contrast, spacing)?",
+      "failDescription": "UI best practices are not followed",
+      "failSuggestion": "Follow UI best practices: visual hierarchy, sufficient contrast, consistent spacing, clear typography scale"
+    }
+  ]
+}