@bridge_gpt/mcp-server 0.2.2 → 0.2.3

package/build/credentials-cli.js

@@ -0,0 +1,223 @@
+/**
+ * credentials-cli — the `credentials` subcommand, which hosts the consent-gated
+ * migration of a `BAPI_API_KEY` from an agent MCP config (`.mcp.json` /
+ * `.cursor/mcp.json`) into the user-scoped credential store.
+ *
+ *   npx -y @bridge_gpt/mcp-server credentials migrate-agent-config \
+ *     [--write-credentials|--no-write-credentials] \
+ *     [--source=.mcp.json|--source=.cursor/mcp.json]
+ *
+ * This subcommand owns the WRITE path so the `doctor` subcommand can remain
+ * strictly read-only. Without `--write-credentials` it is a dry preview that
+ * writes nothing. The migrated key value is NEVER printed anywhere — diagnostics
+ * and prompts reference only candidate `filePath`/`serverName`.
+ */
+import { readFile, mkdir, writeFile, rename, chmod, unlink } from "fs/promises";
+import os from "os";
+import readline from "readline";
+import { migrateAgentConfigCredentialToStore, } from "./agent-config-credential-migration.js";
+/** The only agent-config sources the migration knows how to scan. */
+const ALLOWED_SOURCES = [".mcp.json", ".cursor/mcp.json"];
+/** User-facing usage text for the `credentials` subcommand. */
+export function getCredentialsUsage() {
+    return [
+        "Usage:",
+        "  npx -y @bridge_gpt/mcp-server credentials migrate-agent-config \\",
+        "    [--write-credentials|--no-write-credentials] \\",
+        "    [--source=.mcp.json|--source=.cursor/mcp.json]",
+        "",
+        "Migrates a BAPI_API_KEY found in .mcp.json / .cursor/mcp.json into the",
+        "user-scoped credential store (~/.config/bridge/credentials.json), so that a",
+        "Bash-spawned CLI (e.g. start-tickets) can resolve it. The key value is never",
+        "printed.",
+        "",
+        "Without --write-credentials this is a dry preview: it scans and reports what",
+        "it WOULD migrate but writes nothing.",
+        "",
+        "Flags:",
+        "  --write-credentials        Consent to write the discovered key into the store",
+        "  --no-write-credentials     Dry preview only (default)",
+        "  --source=<file>            Restrict scanning (repeatable):",
+        "                             .mcp.json or .cursor/mcp.json",
+        "  -h, --help                 Show this help",
+    ].join("\n");
+}
+/**
+ * Parse argv strictly. Supports the `migrate-agent-config` subcommand,
+ * `--write-credentials` / `--no-write-credentials` (last one wins; default
+ * false), repeatable `--source=<file>` (validated against the allowed set), and
+ * `-h` / `--help`. Unknown subcommands/flags produce a structured error.
+ */
+export function parseCredentialsArgs(argv) {
+    if (argv.includes("-h") || argv.includes("--help")) {
+        return { status: "help" };
+    }
+    const positionals = [];
+    let writeCredentials = false;
+    const sources = [];
+    for (const arg of argv) {
+        if (arg === "--write-credentials") {
+            writeCredentials = true;
+            continue;
+        }
+        if (arg === "--no-write-credentials") {
+            writeCredentials = false;
+            continue;
+        }
+        if (arg.startsWith("--source=")) {
+            const value = arg.slice("--source=".length);
+            if (!ALLOWED_SOURCES.includes(value)) {
+                return {
+                    status: "error",
+                    message: `Invalid --source value: '${value}' (allowed: ${ALLOWED_SOURCES.join(", ")}).`,
+                };
+            }
+            sources.push(value);
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            return { status: "error", message: `Unknown flag: ${arg}` };
+        }
+        positionals.push(arg);
+    }
+    if (positionals.length === 0) {
+        return {
+            status: "error",
+            message: "Missing subcommand. Expected: migrate-agent-config.",
+        };
+    }
+    if (positionals.length > 1) {
+        return {
+            status: "error",
+            message: `Unexpected extra argument: '${positionals[1]}'.`,
+        };
+    }
+    if (positionals[0] !== "migrate-agent-config") {
+        return {
+            status: "error",
+            message: `Unknown subcommand: '${positionals[0]}'. Expected: migrate-agent-config.`,
+        };
+    }
+    return {
+        status: "ok",
+        subcommand: "migrate-agent-config",
+        writeCredentials,
+        sources,
+    };
+}
+/**
+ * TTY-gated interactive chooser for conflicting candidate values. Returns the
+ * chosen index, or null to abort. Only ever displays each candidate's
+ * `serverName`/`filePath` — never the secret value.
+ */
+function promptChoiceViaReadline(candidates) {
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+        process.stderr.write("Multiple, conflicting BAPI_API_KEY values were found. Choose a source:\n");
+        candidates.forEach((c, i) => {
+            process.stderr.write(`  [${i}] ${c.serverName} in ${c.filePath}\n`);
+        });
+        rl.question("Enter the number to migrate (or blank to abort): ", (answer) => {
+            rl.close();
+            const trimmed = answer.trim();
+            if (trimmed.length === 0) {
+                resolve(null);
+                return;
+            }
+            const index = Number.parseInt(trimmed, 10);
+            if (Number.isInteger(index) && index >= 0 && index < candidates.length) {
+                resolve(index);
+                return;
+            }
+            resolve(null);
+        });
+    });
+}
+/**
+ * Build default CLI deps from the live process: env, cwd, platform, homedir, and
+ * `fs/promises` I/O primitives. `promptChoice` is only wired when stdin is a TTY
+ * (otherwise undefined, so a conflict refuses non-interactively). `log` and
+ * `errorLog` go to stdout/stderr respectively.
+ */
+export function createDefaultCredentialsDeps(writeCredentials) {
+    return {
+        env: process.env,
+        cwd: process.cwd(),
+        platform: process.platform,
+        homedir: os.homedir,
+        readFile: (p) => readFile(p, "utf-8"),
+        mkdir: (p, o) => mkdir(p, o),
+        writeFile: (p, d, o) => writeFile(p, d, o),
+        rename: (a, b) => rename(a, b),
+        chmod: (p, m) => chmod(p, m),
+        unlink: (p) => unlink(p),
+        writeCredentials,
+        promptChoice: process.stdin.isTTY ? promptChoiceViaReadline : undefined,
+        log: (m) => console.log(m),
+        errorLog: (m) => console.error(m),
+    };
+}
+/**
+ * CLI entry for the `credentials` subcommand. Returns a process exit code. Help
+ * returns 0; parser errors return 1. For `migrate-agent-config` it runs the
+ * consent-gated migration:
+ *   - success → confirmation (secret-free), return 0.
+ *   - `consent-required` → a successful no-op preview: print the exact re-run
+ *     command WITH `--write-credentials` plus candidate sources, return 0.
+ *   - any other failure → errorLog the secret-free message, return 1.
+ * The migrated key value is never printed anywhere.
+ */
+export async function runCredentialsCli(argv, overrides) {
+    const parse = overrides?.parse ?? parseCredentialsArgs;
+    const parsed = parse(argv);
+    // Use overridden log/errorLog if provided so help/error paths are testable too.
+    const log = overrides?.log ?? ((m) => console.log(m));
+    const errorLog = overrides?.errorLog ?? ((m) => console.error(m));
+    if (parsed.status === "help") {
+        log(getCredentialsUsage());
+        return 0;
+    }
+    if (parsed.status === "error") {
+        errorLog(`Error: ${parsed.message}`);
+        errorLog("");
+        errorLog(getCredentialsUsage());
+        return 1;
+    }
+    // Build deps: defaults seeded with the parsed consent flag, then any overrides.
+    const baseDeps = createDefaultCredentialsDeps(parsed.writeCredentials);
+    const deps = { ...baseDeps, ...overrides };
+    // Overrides win, but the parsed consent flag is authoritative unless a test
+    // explicitly overrode writeCredentials.
+    if (overrides?.writeCredentials === undefined) {
+        deps.writeCredentials = parsed.writeCredentials;
+    }
+    // Thread the parsed `--source` restriction into the migration so the flag is
+    // honored (not a no-op). Empty → scan both. Overrides win for tests.
+    if (overrides?.sources === undefined) {
+        deps.sources = parsed.sources;
+    }
+    const result = await migrateAgentConfigCredentialToStore(deps);
+    if (result.ok) {
+        deps.log(`Stored routing credential for ${result.target} at ${result.path} ` +
+            `(migrated from ${result.sourceServerName} in ${result.sourceFilePath}).`);
+        return 0;
+    }
+    if (result.kind === "consent-required") {
+        // A successful no-op preview — NOT an error.
+        deps.log(result.message);
+        deps.log("");
+        deps.log("To migrate it, re-run with --write-credentials:");
+        deps.log("  npx -y @bridge_gpt/mcp-server credentials migrate-agent-config --write-credentials");
+        if (result.candidates && result.candidates.length > 0) {
+            deps.log("");
+            deps.log("Discovered source(s):");
+            for (const candidate of result.candidates) {
+                deps.log(`  - ${candidate.serverName} in ${candidate.filePath}`);
+            }
+        }
+        return 0;
+    }
+    // Any other failure is a real error (secret-free message).
+    deps.errorLog(`Error: ${result.message}`);
+    return 1;
+}

package/build/decision-page-schema.js

@@ -92,12 +92,72 @@ export const DecisionPageLabelsSchema = z.object({
         .optional()
         .describe('Overrides the confirmed-improvements <h2> (default "Confirmed Improvements").'),
 });
+// A single non-functional requirement captured during pre-ticket planning.
+// `status` records how settled the requirement is; `implication` forces the
+// caller to state what the requirement changes about the implementation so the
+// page never accumulates boilerplate. These render read-only — open NFRs that
+// need a human choice belong in `actionable_items`, not here.
+export const SystemGoalNfrSchema = z.object({
+    category: z
+        .string()
+        .min(1)
+        .describe("Canonical NFR category, e.g. security/privacy, performance/latency, reliability/failure-modes, observability/auditability, accessibility/UX, data-integrity/migration, compatibility, operability/config, compliance/SOC2, rollout/reversibility."),
+    requirement: z.string().min(1).describe("The non-functional requirement itself."),
+    implication: z
+        .string()
+        .min(1)
+        .describe("What this requirement changes about the implementation. Required — drop the NFR rather than emit boilerplate without an implication."),
+    status: z
+        .enum(["confirmed", "assumed", "open"])
+        .describe("confirmed = explicitly stated or observable in code; assumed = low-risk and reversible default; open = unresolved (also surface as an actionable_items card)."),
+});
+// Read-only system-goals panel for the pre_ticket_planning artifact. Captures the
+// business goal, the desired end-state, how the system must behave to complete its
+// task, and the classified NFR list. Display-only: it states what is settled; it
+// does not collect input.
+export const SystemGoalsSchema = z.object({
+    business_goal: z.string().min(1).describe("The business goal this work serves."),
+    desired_end_state: z.string().min(1).describe("The end-state the system should reach."),
+    system_behavior: z
+        .string()
+        .min(1)
+        .describe("How the system must behave / complete its task (quality attributes in prose)."),
+    nfrs: z.array(SystemGoalNfrSchema).optional().default([]),
+});
+// Read-only recommended implementation order for epic-planning surfaces. Hard
+// prerequisites (`depends_on`) are modelled separately from soft sequencing
+// (`recommended_after`) per the brainstorm; neither becomes a Jira link in this
+// pass — order is delivered into the epic (comment/description) downstream.
+export const ImplementationOrderItemSchema = z.object({
+    title: z.string().min(1).describe("Short title of the slice / child ticket."),
+    depends_on: z
+        .array(z.string().min(1))
+        .optional()
+        .default([])
+        .describe("Hard prerequisites (titles or keys) that must land first."),
+    recommended_after: z
+        .array(z.string().min(1))
+        .optional()
+        .default([])
+        .describe("Soft sequencing preferences — not hard blockers."),
+    rationale: z.string().min(1).describe("Why this slice sits at this point in the order."),
+});
 // Raw input shape for the `generate_decision_page` tool registration.
 // MCP's registerTool expects a shape object (which the SDK wraps in z.object),
 // not a pre-built z.object. Exporting the shape lets index.ts and the schema
 // share a single source of truth for the input contract.
 export const DecisionPageInputShape = {
     ticket_key: z.string().describe("Jira ticket key, e.g. BAPI-123"),
+    artifact_type: z
+        .enum(["review_decisions", "pre_ticket_planning"])
+        .optional()
+        .default("review_decisions")
+        .describe('Which flavor of page to render. "review_decisions" (default) is the ticket-review decision-capture page and is unaffected by the planning fields. "pre_ticket_planning" additionally renders the read-only system_goals and implementation_order sections for pre-ticket epic/task framing.'),
+    system_goals: SystemGoalsSchema.optional().describe("pre_ticket_planning only: read-only business goal, desired end-state, system behavior, and classified NFRs. Unresolved (open) NFRs should ALSO be passed as actionable_items so the human can decide them."),
+    implementation_order: z
+        .array(ImplementationOrderItemSchema)
+        .optional()
+        .describe("pre_ticket_planning epic surfaces only: read-only recommended implementation order (hard depends_on vs soft recommended_after). No Jira links are created from this."),
     output_subdir: z
         .string()
         .optional()

package/build/decision-page-template.js

@@ -31,6 +31,7 @@ const COPY_SUCCESS_LABEL = "Copied!";
 const COPY_FALLBACK_PROMPT_LABEL = "Auto-copy unavailable. Press Ctrl+C / Cmd+C to copy.";
 const PAGE_INTRO_ASK_COPY = "Have a question about an item? Choose 'Ask about this' for that card; we'll discuss before the changes are made.";
 const PAGE_INTRO_NO_DECISIONS = "All suggestions were confirmed as improvements. No decisions are needed from you.";
+const PAGE_INTRO_PLANNING_NO_DECISIONS = "No open non-functional requirements need a decision. The goals and NFRs above are for your reference.";
 // Raw (unescaped) default label constants. They reproduce the legacy review copy
 // exactly so omitting `labels` yields byte-identical output. Escaping happens at
 // each render site, so these must stay raw to avoid double-escaping.
@@ -62,15 +63,24 @@ const DEFAULT_ASSETS = { faviconBase64: "", logoBase64: "", fontsRelPath: "" };
 export function generateDecisionPageHtml(data, assets = DEFAULT_ASSETS) {
     const { ticket_key, actionable_items, clear_improvements } = data;
     const hasDecisions = actionable_items.length > 0;
+    const isPlanning = data.artifact_type === "pre_ticket_planning";
+    const needsForm = hasDecisions || (isPlanning && (data.system_goals?.nfrs?.length ?? 0) > 0);
     const effectiveLabels = resolveDecisionPageLabels(data.labels);
     const faviconLink = assets.faviconBase64
         ? `<link rel="icon" type="image/png" sizes="32x32" href="data:image/png;base64,${assets.faviconBase64}">`
         : "";
     const fontFaces = assets.fontsRelPath ? renderFontFaces(assets.fontsRelPath) : "";
     // The has-decisions intro is an overridable label; the no-decisions copy is a
-    // fixed constant because the MCP handler returns before rendering in that path
-    // (this branch is only reachable from direct renderer callers/tests).
-    const pageIntro = hasDecisions ? effectiveLabels.intro : PAGE_INTRO_NO_DECISIONS;
+    // fixed constant. For review_decisions pages the MCP handler short-circuits
+    // before rendering when there are no decisions, so that branch is reachable
+    // only from direct callers/tests. For pre_ticket_planning pages it IS reachable
+    // from the handler — a goals-only page (system_goals present, no actionable
+    // items) renders here and shows PAGE_INTRO_PLANNING_NO_DECISIONS.
+    const pageIntro = hasDecisions
+        ? effectiveLabels.intro
+        : isPlanning
+            ? PAGE_INTRO_PLANNING_NO_DECISIONS
+            : PAGE_INTRO_NO_DECISIONS;
     return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -413,6 +423,50 @@ ${fontFaces}
       margin-top: 0.25rem;
     }
 
+    /* Pre-ticket planning: read-only system goals + implementation order */
+    .planning-section { margin-bottom: 1rem; }
+    .goal-row { margin-bottom: 0.75rem; }
+    .goal-label {
+      font-size: 0.875rem;
+      font-weight: 600;
+      color: var(--secondary-color);
+      margin-bottom: 0.25rem;
+    }
+    .goal-body {
+      font-size: 0.95rem;
+      color: var(--text-color);
+      white-space: pre-wrap;
+    }
+    .nfr-list, .order-list {
+      list-style: none;
+      padding: 0;
+      margin-top: 0.5rem;
+    }
+    .nfr-list li, .order-list li {
+      padding: 0.75rem 0;
+      border-bottom: 1px solid var(--border-color);
+    }
+    .nfr-list li:last-child, .order-list li:last-child { border-bottom: none; }
+    .nfr-category { font-weight: 600; }
+    .nfr-implication, .order-meta {
+      font-size: 0.9rem;
+      color: var(--secondary-color);
+      margin-top: 0.25rem;
+    }
+    .order-title { font-weight: 600; }
+    .status-tag {
+      display: inline-block;
+      padding: 0.1rem 0.5rem;
+      border-radius: 3px;
+      font-size: 0.75rem;
+      font-weight: 600;
+      text-transform: uppercase;
+      margin-left: 0.5rem;
+    }
+    .status-confirmed { background: #dcfce7; color: #166534; }
+    .status-assumed { background: #fef3c7; color: #92400e; }
+    .status-open { background: #fef2f2; color: #991b1b; }
+
     /* No decisions state */
     .no-decisions-msg {
       text-align: center;
@@ -421,6 +475,32 @@ ${fontFaces}
       font-size: 1.2rem;
     }
 
+    /* Focus style applied globally across all textareas */
+    textarea:focus {
+      outline: none;
+      border-color: var(--primary-color);
+      box-shadow: 0 0 0 3px rgba(226, 98, 75, 0.2);
+    }
+    .nfr-feedback .comment-area {
+      display: block !important;
+      overflow: hidden;
+      transition: max-height 150ms cubic-bezier(0.4, 0, 0.2, 1),
+                  opacity 150ms cubic-bezier(0.4, 0, 0.2, 1),
+                  margin-top 150ms cubic-bezier(0.4, 0, 0.2, 1);
+    }
+    .nfr-feedback .comment-area.hidden {
+      max-height: 0;
+      opacity: 0;
+      margin-top: 0;
+      pointer-events: none;
+    }
+    .nfr-feedback .radio-group {
+      display: flex;
+      flex-direction: row;
+      gap: 1.5rem;
+      margin-top: 0.75rem;
+    }
+
     @media (max-width: 768px) {
       .main-content { padding: 0 1rem; margin: 1.5rem auto; }
       .container { padding: 1.5rem; }
@@ -428,6 +508,10 @@ ${fontFaces}
         align-items: stretch;
         flex-direction: column;
       }
+      .nfr-feedback .radio-group {
+        flex-direction: column;
+        gap: 0.75rem;
+      }
     }
   </style>
 </head>
@@ -438,13 +522,15 @@ ${renderHeader(assets)}
       <h1>${escapeHtml(effectiveLabels.title)}: ${escapeHtml(ticket_key)}</h1>
       <p class="page-intro">${escapeHtml(pageIntro)}</p>
 
-${hasDecisions ? renderForm(data, effectiveLabels) : renderNoDecisions()}
+${renderSystemGoals(data.system_goals, isPlanning)}
+${renderImplementationOrder(data.implementation_order)}
+${needsForm ? renderForm(data, effectiveLabels, hasDecisions) : renderNoDecisions(isPlanning)}
 
 ${renderImprovements(clear_improvements, effectiveLabels)}
 
     </div>
   </main>
-${hasDecisions ? renderScript(data) : ""}
+${needsForm ? renderScript(data, isPlanning) : ""}
 </body>
 </html>`;
 }
@@ -489,16 +575,124 @@ function renderHeader(assets) {
     </div>
   </header>`;
 }
-function renderNoDecisions() {
+function renderNoDecisions(isPlanning = false) {
+    const message = isPlanning
+        ? "No open decisions. The goals and non-functional requirements above are for your reference."
+        : "No decisions needed. All suggestions were confirmed as improvements.";
     return `      <div class="no-decisions-msg">
-        <p>No decisions needed. All suggestions were confirmed as improvements.</p>
+        <p>${escapeHtml(message)}</p>
       </div>`;
 }
-function renderForm(data, labels) {
+// Read-only system-goals panel for the pre_ticket_planning artifact. Returns ""
+// when no goals are supplied so the review_decisions page is byte-for-byte
+// unchanged. Every model-supplied string is escaped via escapeHtml().
+// When isPlanning is true, each NFR renders an interactive stance control
+// (Agreed / Ask about this / Disagree) with a conditional comment textarea.
+function renderSystemGoals(goals, isPlanning = false) {
+    if (!goals)
+        return "";
+    const nfrs = goals.nfrs ?? [];
+    let nfrHtml = "";
+    if (nfrs.length > 0) {
+        let items = "";
+        for (const nfr of nfrs) {
+            const statusClass = nfr.status === "confirmed"
+                ? "status-confirmed"
+                : nfr.status === "assumed"
+                    ? "status-assumed"
+                    : "status-open";
+            // nfrId is used as data-nfr-id (becomes the JSON output key) and aria-label.
+            // nfrHtmlId is a whitespace-free variant used for id/name/for attributes —
+            // HTML5 forbids spaces in id values.
+            const nfrId = escapeHtml(nfr.category);
+            const nfrHtmlId = escapeHtml(nfr.category.replace(/\s+/g, "-"));
+            const radioName = `nfr-stance-${nfrHtmlId}`;
+            const textareaId = `nfr-comment-${nfrHtmlId}`;
+            const stanceControls = isPlanning ? `
+              <div class="nfr-feedback" data-nfr-id="${nfrId}">
+                <div class="radio-group" role="radiogroup" aria-label="Stance on ${nfrId}">
+                  <div class="radio-option">
+                    <input type="radio" id="${radioName}-agreed" name="${radioName}" value="agreed" checked data-testid="nfr-stance-radio">
+                    <label for="${radioName}-agreed">Agreed</label>
+                  </div>
+                  <div class="radio-option">
+                    <input type="radio" id="${radioName}-ask" name="${radioName}" value="ask" data-testid="nfr-stance-radio">
+                    <label for="${radioName}-ask">Ask about this</label>
+                  </div>
+                  <div class="radio-option">
+                    <input type="radio" id="${radioName}-disagree" name="${radioName}" value="disagree" data-testid="nfr-stance-radio">
+                    <label for="${radioName}-disagree">Disagree</label>
+                  </div>
+                </div>
+                <div class="comment-area hidden">
+                  <label for="${textareaId}">Comment</label>
+                  <textarea id="${textareaId}" name="${textareaId}" placeholder="Explain your question or concern..." data-testid="nfr-comment"></textarea>
+                </div>
+              </div>` : "";
+            items += `
+            <li data-testid="system-goal-nfr" data-status="${escapeHtml(nfr.status)}">
+              <span class="nfr-category">${escapeHtml(nfr.category)}</span><span class="status-tag ${statusClass}">${escapeHtml(nfr.status)}</span>
+              <div class="goal-body">${escapeHtml(nfr.requirement)}</div>
+              <div class="nfr-implication">Implication: ${escapeHtml(nfr.implication)}</div>${stanceControls}
+            </li>`;
+        }
+        nfrHtml = `
+          <div class="goal-label">Non-functional requirements</div>
+          <ul class="nfr-list">${items}
+          </ul>`;
+    }
+    return `      <section class="planning-section" data-testid="system-goals">
+      <h2>System Goals &amp; Non-Functional Requirements</h2>
+      <div class="goal-row">
+        <div class="goal-label">Business goal</div>
+        <div class="goal-body" data-testid="system-goal-business">${escapeHtml(goals.business_goal)}</div>
+      </div>
+      <div class="goal-row">
+        <div class="goal-label">Desired end-state</div>
+        <div class="goal-body" data-testid="system-goal-end-state">${escapeHtml(goals.desired_end_state)}</div>
+      </div>
+      <div class="goal-row">
+        <div class="goal-label">System behavior</div>
+        <div class="goal-body" data-testid="system-goal-behavior">${escapeHtml(goals.system_behavior)}</div>
+      </div>${nfrHtml}
+      </section>`;
+}
+// Read-only recommended implementation order (epic surfaces). Returns "" when the
+// list is absent or empty. No interactive controls — ordering is delivered into
+// the epic downstream, not edited here.
+function renderImplementationOrder(order) {
+    if (!order || order.length === 0)
+        return "";
+    let items = "";
+    for (let i = 0; i < order.length; i++) {
+        const item = order[i];
+        const dependsOn = item.depends_on ?? [];
+        const recommendedAfter = item.recommended_after ?? [];
+        const dependsLine = dependsOn.length > 0
+            ? `<div class="order-meta" data-testid="order-depends-on">Depends on: ${escapeHtml(dependsOn.join(", "))}</div>`
+            : "";
+        const afterLine = recommendedAfter.length > 0
+            ? `<div class="order-meta" data-testid="order-recommended-after">Recommended after: ${escapeHtml(recommendedAfter.join(", "))}</div>`
+            : "";
+        items += `
+            <li data-testid="implementation-order-item">
+              <span class="order-title">${i + 1}. ${escapeHtml(item.title)}</span>
+              <div class="order-meta">${escapeHtml(item.rationale)}</div>
+              ${dependsLine}${afterLine}
+            </li>`;
+    }
+    return `      <section class="planning-section" data-testid="implementation-order">
+      <h2>Recommended Implementation Order</h2>
+      <p>Recommended sequence only — no Jira dependency links are created from this.</p>
+      <ul class="order-list">${items}
+      </ul>
+      </section>`;
+}
+function renderForm(data, labels, hasDecisions = true) {
     const { actionable_items } = data;
     let html = `      <div id="form-container">
         <form id="decision-form">`;
-    if (actionable_items.length > 0) {
+    if (hasDecisions && actionable_items.length > 0) {
         html += `
           <h2>${escapeHtml(labels.section_heading)}</h2>`;
         for (const item of actionable_items) {
@@ -638,7 +832,7 @@ function renderImprovements(improvements, labels) {
 // ---------------------------------------------------------------------------
 // Embedded script
 // ---------------------------------------------------------------------------
-function renderScript(data) {
+function renderScript(data, isPlanning = false) {
     return `  <script>
     (function() {
       var submitBtn;
@@ -654,6 +848,29 @@ function renderScript(data) {
         postSubmitContainer = document.getElementById("post-submit-container");
         jsonOutput = document.getElementById("json-output");
 
+        ${isPlanning ? `// NFR stance radio disclosure (planning mode only)
+        var nfrContainers = document.querySelectorAll(".nfr-feedback");
+        nfrContainers.forEach(function(container) {
+          var radios = container.querySelectorAll('input[type="radio"]');
+          radios.forEach(function(radio) {
+            radio.addEventListener("change", function() {
+              var commentArea = container.querySelector(".comment-area");
+              var textarea = commentArea ? commentArea.querySelector("textarea") : null;
+              if (radio.value === "ask" || radio.value === "disagree") {
+                commentArea.classList.remove("hidden");
+              } else {
+                commentArea.classList.add("hidden");
+                if (textarea) {
+                  textarea.value = "";
+                  textarea.classList.remove("validation-error");
+                  var existingMsg = commentArea.querySelector(".validation-msg");
+                  if (existingMsg) existingMsg.remove();
+                }
+              }
+            });
+          });
+        });` : `var nfrContainers = [];`}
+
         submitBtn.addEventListener("click", function() {
           var cards = document.querySelectorAll(".card[data-item-id]");
           var valid = true;
@@ -687,6 +904,27 @@ function renderScript(data) {
             }
           });
 
+          // Validate NFR feedback: ask/disagree stance requires a comment.
+          nfrContainers.forEach(function(container) {
+            var selected = container.querySelector('input[type="radio"]:checked');
+            if (!selected) return;
+            if (selected.value === "ask" || selected.value === "disagree") {
+              var commentArea = container.querySelector(".comment-area");
+              var textarea = commentArea ? commentArea.querySelector("textarea") : null;
+              var existingMsg = commentArea ? commentArea.querySelector(".validation-msg") : null;
+              if (existingMsg) existingMsg.remove();
+              if (textarea) textarea.classList.remove("validation-error");
+              if (!textarea || !textarea.value.trim()) {
+                if (textarea) textarea.classList.add("validation-error");
+                var msg = document.createElement("div");
+                msg.className = "validation-msg";
+                msg.textContent = "A comment is required.";
+                if (commentArea) commentArea.appendChild(msg);
+                valid = false;
+              }
+            }
+          });
+
           if (!valid) return;
 
           // Build output JSON
@@ -714,9 +952,23 @@ function renderScript(data) {
             };
           });
 
+          ${isPlanning ? `// Capture NFR feedback stances
+          var nfrFeedback = {};
+          nfrContainers.forEach(function(container) {
+            var nfrId = container.getAttribute("data-nfr-id");
+            var selected = container.querySelector('input[type="radio"]:checked');
+            var commentArea = container.querySelector(".comment-area");
+            var textarea = commentArea ? commentArea.querySelector("textarea") : null;
+            nfrFeedback[nfrId] = {
+              stance: selected ? selected.value : "agreed",
+              comment: textarea ? textarea.value : ""
+            };
+          });` : ""}
+
           var output = {
             ticket_key: ${safeJsonForScript(data.ticket_key)},
             decisions: decisions,
+            ${isPlanning ? "nfr_feedback: nfrFeedback," : ""}
             general_comment: document.getElementById("general-comment").value
           };
 

package/build/doctor.js

@@ -35,7 +35,11 @@ export function getDoctorUsage() {
         "",
         "Checks (for the current OS): the start-tickets preflight prerequisites plus",
         "uv, the selected agent's command, Bridge API credential resolution, and",
-        "worktree MCP registration reachability.",
+        "worktree MCP registration reachability. Credential resolution reports the",
+        "source it would use (env vs. store target bapi:<repo>); it never reads or",
+        "prints the key value and never writes the credential store. To persist or",
+        "migrate a credential, use /install-bridge or the `credentials` subcommand —",
+        "doctor stays strictly read-only.",
         "",
         "Exit code: 0 when all required prerequisites are present, non-zero otherwise.",
     ].join("\n");