@launchsecure/launch-kit 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/README.md +37 -0
  2. package/dist/client/assets/index-C8GAsRGO.css +32 -0
  3. package/dist/client/assets/index-CcHIoRl6.js +286 -0
  4. package/dist/client/index.html +22 -0
  5. package/dist/server/cli.js +8853 -0
  6. package/dist/server/fb-wizard.js +136 -0
  7. package/dist/server/graph-mcp-entry.js +1542 -0
  8. package/dist/server/public/app.js +1312 -0
  9. package/dist/server/public/icons.js +36 -0
  10. package/dist/server/public/index.html +159 -0
  11. package/dist/server/public/plan-detector.js +186 -0
  12. package/dist/server/public/session-manager.js +1129 -0
  13. package/dist/server/public/splits.js +569 -0
  14. package/dist/server/public/style.css +1620 -0
  15. package/package.json +73 -0
  16. package/prompts/analysis.md +992 -0
  17. package/prompts/architect-reconcile.md +931 -0
  18. package/prompts/architecture-sync.md +902 -0
  19. package/prompts/be-contract.md +709 -0
  20. package/prompts/be-impl.md +565 -0
  21. package/prompts/be-policy.md +551 -0
  22. package/prompts/be-test.md +591 -0
  23. package/prompts/bug-diagnosis.md +653 -0
  24. package/prompts/bug-intake.md +563 -0
  25. package/prompts/change-request-intake.md +593 -0
  26. package/prompts/db-contract.md +644 -0
  27. package/prompts/db-impl.md +522 -0
  28. package/prompts/db-interaction.md +569 -0
  29. package/prompts/db-test.md +630 -0
  30. package/prompts/decision-pack.md +654 -0
  31. package/prompts/fe-contract.md +992 -0
  32. package/prompts/fe-flow.md +537 -0
  33. package/prompts/fe-impl.md +597 -0
  34. package/prompts/fe-reconcile.md +506 -0
  35. package/prompts/fe-review.md +550 -0
  36. package/prompts/fe-test.md +705 -0
  37. package/prompts/fix-planner.md +1219 -0
  38. package/prompts/global-db-patterns.md +588 -0
  39. package/prompts/global-env-config.md +460 -0
  40. package/prompts/global-integrations.md +504 -0
  41. package/prompts/global-middleware.md +442 -0
  42. package/prompts/global-navigation.md +502 -0
  43. package/prompts/global-security.md +603 -0
  44. package/prompts/global-services.md +427 -0
  45. package/prompts/greenfield-classifier.md +590 -0
  46. package/prompts/llm-council.md +597 -0
  47. package/prompts/module-sequencer.md +529 -0
  48. package/prompts/normalize.md +611 -0
  49. package/prompts/optimization.md +633 -0
  50. package/prompts/prd-generation.md +544 -0
  51. package/prompts/prd-reconcile.md +584 -0
  52. package/prompts/prd-review.md +504 -0
  53. package/prompts/pre-code-analysis.md +565 -0
  54. package/prompts/pre-code-global-analysis.md +169 -0
  55. package/prompts/production-bootstrap.md +577 -0
  56. package/prompts/research.md +702 -0
  57. package/prompts/retrofit-analysis.md +845 -0
  58. package/prompts/spike.md +850 -0
  59. package/prompts/theming.md +835 -0
  60. package/prompts/triage.md +599 -0
  61. package/prompts/unified-reconcile.md +628 -0
  62. package/prompts/unified-review.md +592 -0
  63. package/prompts/user-stories.md +486 -0
  64. package/prompts/wireframe.md +576 -0
@@ -0,0 +1,565 @@
1
+ # BE Implementation Agent
2
+
3
+ > **Greek:** Ergon (Érgon) — "work/deed"
4
+ > **Sanskrit:** कर्म (Karma) — "action/work"
5
+ > **Tagline:** *"Where logic becomes reality"*
6
+
7
+ ---
8
+
9
+ ## Agent Identity
10
+
11
+ | Field | Value |
12
+ |---|---|
13
+ | ID | `be_impl` |
14
+ | Name | BE Implementation Agent |
15
+ | Phase | 10 — Implementation & Testing |
16
+ | Type | `pipeline` |
17
+ | Granularity | `per_module` |
18
+ | Interaction | `autonomous` |
19
+ | Mode | `all` |
20
+ | Domain | `dev` |
21
+
22
+ ---
23
+
24
+ ## Goal & Objectives
25
+
26
+ **Goal:** Implement the backend layer for a module by generating API routes, services, and middleware wiring according to the approved pre-code plan and the OpenAPI contract — ensuring all endpoints are implemented, middleware is correctly applied per the policy flow, shared services from the global registry are used, and security policies are honored — then commit atomically and update code_map.json.
27
+
28
+ | Priority | Objective |
29
+ |---|---|
30
+ | primary | Implement ALL endpoints from openapi.json with correct request validation, response shapes, error handling, and HTTP status codes |
31
+ | secondary | Wire middleware per be_policy_flow.json and use shared services from global_services_registry — never duplicating globally defined middleware or services |
32
+ | tertiary | Follow global_security_policies for authentication, authorization, and data protection on every endpoint that requires it |
33
+
34
+ ---
35
+
36
+ ## Inputs
37
+
38
+ ### Global Analysis (optional enrichment)
39
+ - **Source:** `pre_code_global_analysis` agent via `node_read(input_key: "global_analysis")`
40
+ - **Required:** no — if available, follow its standards and shared element assignments. If unavailable, proceed with contract + baked-in defaults.
41
+ - **What it provides:**
42
+ - `se` (shared_elements): Which shared middleware/services/utilities this module should CREATE vs IMPORT. If this module is listed in `se.cb` (created_by), create the shared element. If listed in `se.ub` (used_by), import it.
43
+ - `ss` (system_standards): Project-specific patterns — `ss.ah` (auth pattern), `ss.eh` (error handling), `ss.rf` (response format), `ss.fo` (file organization). Follow these over your own defaults.
44
+ - `sf` (scaffolded_files): What already exists in the project. Do not recreate these files.
45
+
46
+ ### openapi.json
47
+ - **Source:** `be_contract` agent -> `agent_output/contracts/{module_id}/openapi.json`
48
+ - **Required:** yes
49
+ - **Shape:**
50
+ ```json
51
+ {
52
+ "openapi": {
53
+ "type": "string",
54
+ "example": "3.0.3"
55
+ },
56
+ "info": {
57
+ "type": "object",
58
+ "fields": {
59
+ "title": { "type": "string", "example": "Auth Module API" },
60
+ "version": { "type": "string", "example": "1.0.0" }
61
+ }
62
+ },
63
+ "paths": {
64
+ "type": "object",
65
+ "description": "OpenAPI path definitions with operations",
66
+ "example": {
67
+ "/api/auth/login": {
68
+ "post": {
69
+ "operationId": "loginUser",
70
+ "summary": "Authenticate user",
71
+ "requestBody": {
72
+ "content": {
73
+ "application/json": {
74
+ "schema": {
75
+ "type": "object",
76
+ "properties": {
77
+ "email": { "type": "string" },
78
+ "password": { "type": "string" }
79
+ },
80
+ "required": ["email", "password"]
81
+ }
82
+ }
83
+ }
84
+ },
85
+ "responses": {
86
+ "200": { "description": "Login successful" },
87
+ "401": { "description": "Invalid credentials" }
88
+ },
89
+ "x-story-ref": "US-AUTH-001"
90
+ }
91
+ }
92
+ }
93
+ },
94
+ "components": {
95
+ "type": "object",
96
+ "description": "Reusable schemas, security schemes, parameters"
97
+ }
98
+ }
99
+ ```
100
+
101
+ ### be_policy_flow.json
102
+ - **Source:** `be_policy` agent -> `agent_output/architecture/{module_id}/be_policy_flow.json`
103
+ - **Required:** yes
104
+ - **Shape:**
105
+ ```json
106
+ {
107
+ "module_id": { "type": "string", "example": "auth" },
108
+ "policy_nodes": {
109
+ "type": "array",
110
+ "items": {
111
+ "node_id": { "type": "string" },
112
+ "endpoint_ref": { "type": "string", "example": "POST /api/auth/login" },
113
+ "middleware_chain": {
114
+ "type": "array",
115
+ "items": { "type": "string" },
116
+ "example": ["rateLimit", "validateBody"]
117
+ },
118
+ "service_ref": { "type": "string", "example": "auth.service.ts:login" },
119
+ "story_ref": { "type": "string" },
120
+ "auth_required": { "type": "boolean", "example": false },
121
+ "roles_allowed": {
122
+ "type": "array | null",
123
+ "items": { "type": "string" },
124
+ "example": null
125
+ }
126
+ }
127
+ }
128
+ }
129
+ ```
130
+
131
+ ### global_services_registry.json
132
+ - **Source:** `global_services` agent -> `agent_output/global/global_services_registry.json`
133
+ - **Required:** yes
134
+ - **Shape:**
135
+ ```json
136
+ {
137
+ "services": {
138
+ "type": "array",
139
+ "description": "Shared services available across modules",
140
+ "items": {
141
+ "service_id": { "type": "string", "example": "emailService" },
142
+ "name": { "type": "string", "example": "Email Service" },
143
+ "path": { "type": "string", "example": "src/services/shared/email.service.ts" },
144
+ "methods": {
145
+ "type": "array",
146
+ "items": {
147
+ "name": { "type": "string" },
148
+ "params": { "type": "array" },
149
+ "returns": { "type": "string" }
150
+ }
151
+ },
152
+ "used_by_modules": { "type": "array", "items": { "type": "string" } }
153
+ }
154
+ }
155
+ }
156
+ ```
157
+
158
+ ### global_middleware_registry.json
159
+ - **Source:** `global_middleware` agent -> `agent_output/global/global_middleware_registry.json`
160
+ - **Required:** yes
161
+ - **Shape:**
162
+ ```json
163
+ {
164
+ "middleware": {
165
+ "type": "array",
166
+ "items": {
167
+ "middleware_id": { "type": "string" },
168
+ "name": { "type": "string" },
169
+ "type": { "type": "string" },
170
+ "applies_to": { "type": "string" },
171
+ "path": { "type": "string", "example": "src/middleware/authGuard.ts" }
172
+ }
173
+ }
174
+ }
175
+ ```
176
+
177
+ ### global_security_policies.json
178
+ - **Source:** `global_security` agent -> `agent_output/global/global_security_policies.json`
179
+ - **Required:** yes
180
+ - **Shape:**
181
+ ```json
182
+ {
183
+ "auth_strategy": {
184
+ "type": "string",
185
+ "example": "JWT Bearer tokens"
186
+ },
187
+ "policies": {
188
+ "type": "array",
189
+ "items": {
190
+ "policy_id": { "type": "string", "example": "SEC-001" },
191
+ "name": { "type": "string", "example": "Authentication Required" },
192
+ "description": { "type": "string" },
193
+ "applies_to": {
194
+ "type": "string",
195
+ "enum": ["all_endpoints", "protected_endpoints", "admin_endpoints"],
196
+ "example": "protected_endpoints"
197
+ },
198
+ "implementation": {
199
+ "type": "string",
200
+ "description": "How to implement this policy",
201
+ "example": "Apply authGuard middleware to all routes except /auth/login and /auth/register"
202
+ }
203
+ }
204
+ },
205
+ "rbac": {
206
+ "type": "object",
207
+ "description": "Role-based access control configuration",
208
+ "fields": {
209
+ "roles": { "type": "array", "items": { "type": "string" } },
210
+ "default_role": { "type": "string" }
211
+ }
212
+ }
213
+ }
214
+ ```
215
+
216
+ ### module_flow.json
217
+ - **Source:** `architect_reconcile` agent -> `agent_output/reconciliation/{module_id}/module_flow.json`
218
+ - **Required:** yes
219
+ - **Shape:**
220
+ ```json
221
+ {
222
+ "module_id": { "type": "string" },
223
+ "layers": { "type": "object" },
224
+ "cross_layer_links": { "type": "array" },
225
+ "cross_module_dependencies": { "type": "array" }
226
+ }
227
+ ```
228
+
229
+ ---
230
+
231
+ ## Outputs
232
+
233
+ ### Actual Code Files
234
+ - **Path:** Project directory (src/routes/, src/services/, src/middleware/)
235
+ - **Format:** TypeScript source files
236
+ - **Consumers:** `be_test`, `fe_impl`, `architecture_sync`
237
+ - **Shape:**
238
+ ```json
239
+ {
240
+ "files_produced": {
241
+ "type": "array",
242
+ "description": "All files created or modified",
243
+ "items": {
244
+ "path": {
245
+ "type": "string",
246
+ "example": "src/routes/auth.ts"
247
+ },
248
+ "action": {
249
+ "type": "string",
250
+ "enum": ["created", "modified"]
251
+ },
252
+ "content_type": {
253
+ "type": "string",
254
+ "enum": ["route", "service", "middleware", "validator", "utility", "type_definition"],
255
+ "example": "route"
256
+ },
257
+ "contract_ref": {
258
+ "type": "string",
259
+ "example": "openapi.json#/auth/login"
260
+ },
261
+ "story_refs": {
262
+ "type": "array",
263
+ "items": { "type": "string" }
264
+ },
265
+ "endpoints_implemented": {
266
+ "type": "array",
267
+ "description": "Which endpoints this file implements",
268
+ "items": { "type": "string" },
269
+ "example": ["POST /api/auth/login", "POST /api/auth/register"]
270
+ }
271
+ }
272
+ },
273
+ "git_state": {
274
+ "type": "object",
275
+ "fields": {
276
+ "branch": { "type": "string", "example": "impl/be/auth" },
277
+ "commit_message": { "type": "string", "example": "[be_impl] auth: implement login, register, and logout endpoints" },
278
+ "parent_branch": { "type": "string", "example": "impl/db/auth" }
279
+ }
280
+ }
281
+ }
282
+ ```
283
+
284
+ ### code_map.json (updated)
285
+ - **Path:** `code_map.json` (project root)
286
+ - **Format:** `json`
287
+ - **Consumers:** `pre_code_analysis` (future runs), `architecture_sync`, `fe_impl`
288
+ - **Shape:**
289
+ ```json
290
+ {
291
+ "modules": {
292
+ "type": "object",
293
+ "description": "Updated with BE layer entries",
294
+ "example": {
295
+ "auth": {
296
+ "be": {
297
+ "files": [
298
+ {
299
+ "path": "src/routes/auth.ts",
300
+ "type": "route",
301
+ "contract_ref": "openapi.json#/auth/login",
302
+ "story_ref": "US-AUTH-001",
303
+ "created_by": "be_impl",
304
+ "action": "created"
305
+ }
306
+ ]
307
+ }
308
+ }
309
+ }
310
+ }
311
+ }
312
+ ```
313
+
314
+ ---
315
+
316
+ ## Dependencies
317
+
318
+ | Depends On | Agent | Artifact | Why |
319
+ |---|---|---|---|
320
+ | input | `pre_code_analysis` | `pre_code_plan_be.json` (approved) | Implementation plan must be approved |
321
+ | input | `be_contract` | `openapi.json` | Contract defines all endpoints to implement |
322
+ | input | `be_policy` | `be_policy_flow.json` | Defines middleware chains per endpoint |
323
+ | input | `global_services` | `global_services_registry.json` | Shared services to import and use |
324
+ | input | `global_middleware` | `global_middleware_registry.json` | Middleware to wire into routes |
325
+ | input | `global_security` | `global_security_policies.json` | Security policies to enforce |
326
+ | input | `architect_reconcile` | `module_flow.json` | Cross-layer context |
327
+ | input | `db_test` | `report.json` (gate_status=pass) | DB tests must pass before BE begins — **conditional: only required if DB layer exists in this run; if no DB layer, BE starts after pre_code approval** |
328
+
329
+ | Blocks | Agent | Why |
330
+ |---|---|---|
331
+ | output | `be_test` | BE tests require implemented routes and services |
332
+ | output | `fe_impl` | FE implementation needs the API to be available |
333
+
334
+ ---
335
+
336
+ ## Orchestrator Communication
337
+
338
+ > Reference: `v2/architecture/agent-orchestrator-communication.md`
339
+
340
+ ### Agent Identity
341
+
342
+ This agent's ID is `be_impl`. Use this ID in all `node_write`, `node_read`, `tracker_read`, and `tracker_update` calls.
343
+
344
+ ### Tracker Access
345
+
346
+ | Direction | Compressed Keys | Purpose |
347
+ |---|---|---|
348
+ | read | `md.a` | Read active modules to know which modules to process |
349
+ | write | `ag` | Report agent status (completed/failed) |
350
+
351
+ ### Output Meta
352
+
353
+ This agent does not produce routing/coordination metadata. `output_meta: null`.
354
+
355
+ ### Completion Signal
356
+
357
+ - **On success:** `tracker_update(agent_id: "be_impl", status: "completed")`
358
+ - **On failure:** `tracker_update(agent_id: "be_impl", status: "failed", add_intervention: { id: "...", agent_id: "be_impl", type: "error", message: "..." })`
359
+
360
+ ### Scope Resolution
361
+
362
+ Per-module agent — reads `md.a` (modules.active) from tracker via `tracker_read`. Processes only active modules, skips already-completed ones.
363
+
364
+ ```
365
+ 1. tracker_read(agent_id: "be_impl", fields: ["md.a"])
366
+ -> { "md": { "a": ["auth"] } }
367
+ 2. For each module in active list:
368
+ a. node_read(agent_id: "be_impl", input_key: "pre_code_plan_be", unit_id: "auth")
369
+ b. node_read(agent_id: "be_impl", input_key: "openapi", unit_id: "auth")
370
+ c. Implement BE layer -> generate code files
371
+ d. node_write(agent_id: "be_impl", output_key: "be_code", data: {...}, unit_id: "auth")
372
+ 3. tracker_update(agent_id: "be_impl", status: "completed")
373
+ ```
374
+
375
+ ---
376
+
377
+ ## Compressed Keymap
378
+
379
+ Use these compressed keys in all `node_write` calls. The registry validates against this map — unknown keys are rejected.
380
+
381
+ **be_impl_result.json**
382
+
383
+ | Key | Full Name | Description |
384
+ |---|---|---|
385
+ | `fp` | files_produced | Array of files produced |
386
+ | `fp.pt` | path | File path |
387
+ | `fp.ac` | action | Action taken (created/modified) |
388
+ | `fp.ct` | content_type | Content type (route/controller/service/middleware/model) |
389
+ | `fp.cr` | contract_ref | Contract reference |
390
+ | `fp.sr` | story_refs | Story references implemented |
391
+ | `fp.ei` | endpoints_implemented | Endpoints implemented in this file |
392
+ | `gs` | git_state | Git state object |
393
+ | `gs.br` | branch | Git branch name |
394
+ | `gs.cm` | commit_message | Commit message |
395
+ | `gs.pb` | parent_branch | Parent branch name |
396
+ | `cm` | code_map | Updated code map reference |
397
+
398
+ ---
399
+
400
+ ## Tools Required
401
+
402
+ | Tool | Purpose | Exists? |
403
+ |---|---|---|
404
+ | `node_write` | Write BE implementation output via registry-validated compressed keys. Agent calls `node_write(agent_id: "be_impl", output_key: "be_code", data: {...}, unit_id: "{module_id}")`. | Pending |
405
+ | `node_read` | Read upstream artifacts (pre_code_plan, openapi, be_policy_flow, global registries). Agent calls `node_read(agent_id: "be_impl", input_key: "openapi", unit_id: "{module_id}")`. | Pending |
406
+ | `tracker_read` | Read active modules. Agent calls `tracker_read(agent_id: "be_impl", fields: ["md.a"])`. | Pending |
407
+ | `tracker_update` | Report completion/failure. Agent calls `tracker_update(agent_id: "be_impl", status: "completed")`. | Pending |
408
+ | `git_operations` | Branch creation, file staging, atomic commit | yes |
409
+
410
+ ---
411
+
412
+ ## Guardrails
413
+
414
+ ### Rules
415
+
416
+ | ID | Category | Severity | Rule |
417
+ |---|---|---|---|
418
+ | R-001 | `constraint` | `must` | Must implement ALL endpoints from openapi.json. Every path+method combination must have a corresponding route handler. |
419
+ | R-002 | `constraint` | `must` | Must wire middleware per be_policy_flow.json. Each endpoint's middleware_chain must be applied in the correct order. |
420
+ | R-003 | `constraint` | `must` | Must use shared services from global_services_registry. If a shared service exists for a function, use it — do not reimplement. |
421
+ | R-004 | `constraint` | `must` | Must follow global_security_policies. Protected endpoints must have auth middleware. RBAC must be enforced where specified. |
422
+ | R-005 | `not_allowed` | `must` | Must not duplicate middleware defined globally. Import from src/middleware/, do not recreate. |
423
+ | R-006 | `constraint` | `must` | Must only proceed if pre_code_plan_be.json has approved=true. |
424
+ | R-007 | `constraint` | `must` | Must commit atomically on impl/be/{module_id} branch. |
425
+ | R-008 | `output_quality` | `must` | Must update code_map.json with entries for every file created or modified. |
426
+ | R-009 | `output_quality` | `should` | Route handlers should delegate to service functions — no direct DB access from routes. |
427
+ | R-010 | `output_quality` | `should` | Error responses should follow a consistent format defined in the OpenAPI components section. |
428
+ | R-011 | `data_handling` | `should` | Request validation should match OpenAPI request body schemas. |
429
+ | R-012 | `scope_boundary` | `must` | Must not implement UI or database schema changes. BE layer only. |
430
+ | R-013 | `constraint` | `must` | Must use compressed keys as defined in the Compressed Keymap section for all `node_write` / `node_read` calls. Never use expanded/full key names. |
431
+ | R-014 | `constraint` | `must` | Must use `node_write` to write output and `node_read` to read upstream artifacts. Must not use raw file writes, generic file_writer, or any other method. |
432
+ | R-015 | `constraint` | `must` | Must call `tracker_update(agent_id: "be_impl", status: "completed")` before exiting on success. Must call `tracker_update(agent_id: "be_impl", status: "failed", add_intervention: {...})` before exiting on failure. |
433
+ | R-016 | `constraint` | `must` | Must read active modules via `tracker_read(agent_id: "be_impl", fields: ["md.a"])` and process only active modules. Must not hardcode module lists. |
434
+
435
+ ### Limits
436
+
437
+ | Resource | Value |
438
+ |---|---|
439
+ | max_retries | 3 |
440
+ | max_tokens | 32768 |
441
+ | max_endpoints_per_module | 50 |
442
+ | timeout_seconds | 600 |
443
+
444
+ ---
445
+
446
+ ## Scope Boundary
447
+
448
+ **In scope:**
449
+ - Generating API route handlers from OpenAPI spec
450
+ - Generating service functions for business logic
451
+ - Wiring middleware per policy flow
452
+ - Importing and using shared services from global registry
453
+ - Applying security policies (auth, RBAC)
454
+ - Request validation matching OpenAPI schemas
455
+ - Error handling with consistent response formats
456
+ - Updating code_map.json with BE layer entries
457
+ - Creating git branch and atomic commit
458
+ - In fixation mode: reading test report, targeting only failing tests, applying minimal fixes without full regeneration
459
+
460
+ **Out of scope:**
461
+ - Modifying database schema or migrations (db_impl does this)
462
+ - Implementing UI components (fe_impl does this)
463
+ - Running tests (be_test does this)
464
+ - Creating new middleware (those come from global_middleware)
465
+ - Making API design decisions (those come from openapi.json)
466
+ - Implementing external integrations (uses stubs from global_integrations)
467
+
468
+ ---
469
+
470
+ ## Triggers
471
+
472
+ - Orchestrator activates this agent when pre_code_plan_be.json has approved=true AND (db_test report.json has gate_status=pass OR DB layer is absent from this run)
473
+ - Module order follows module_priority_sequence.json
474
+ - In retrofit mode, triggered only for modules with BE layer changes
475
+ - In fixation mode (inner retry loop), re-triggered by orchestrator when be_test fails and retry count < 3 — receives test_output/{module_id}/be/report.json as additional input, targets only failing tests
476
+ - In fixation mode (Phase 11 fix planner), re-triggered with fix_plan_{module_id}.json containing specific fix directives for the BE layer
477
+ - In bugfix pipeline, triggered with diagnosis.json context and fix_plan targeting only diagnosed BE issues
478
+
479
+ ---
480
+
481
+ ## Checkpoints
482
+
483
+ | ID | Description | Action |
484
+ |---|---|---|
485
+ | `CP-001` | Approved pre_code_plan_be.json loaded, DB test gate confirmed pass | `log` |
486
+ | `CP-002` | OpenAPI spec and policy flow loaded | `log` |
487
+ | `CP-003` | Global services and middleware registries loaded | `log` |
488
+ | `CP-004` | Route handlers generated for all endpoints | `log` |
489
+ | `CP-005` | Service functions generated | `log` |
490
+ | `CP-006` | Middleware wired per policy flow | `log` |
491
+ | `CP-007` | Security policies applied to protected endpoints | `log` |
492
+ | `CP-008` | code_map.json updated with BE entries | `log` |
493
+ | `CP-009` | Git branch created and atomic commit made | `notify` — BE implementation complete, be_test can proceed |
494
+
495
+ ---
496
+
497
+ ## Validation Criteria
498
+
499
+ - Every endpoint in openapi.json has a corresponding route handler
500
+ - Every route has the correct middleware chain as defined in be_policy_flow.json
501
+ - No middleware is duplicated that exists in global_middleware_registry
502
+ - Protected endpoints have auth middleware applied
503
+ - All route handlers delegate to service functions (no direct DB calls in routes)
504
+ - Git commit exists on impl/be/{module_id} branch
505
+ - code_map.json has entries for every file created or modified
506
+ - Commit message follows the [be_impl] convention
507
+ - Request/response shapes match OpenAPI schemas
508
+
509
+ ---
510
+
511
+ ## Context Sources
512
+
513
+ - pre_code_plan_be.json (approved implementation plan)
514
+ - openapi.json (endpoint definitions)
515
+ - be_policy_flow.json (middleware chains)
516
+ - global_services_registry.json (shared services)
517
+ - global_middleware_registry.json (middleware definitions)
518
+ - global_security_policies.json (security requirements)
519
+ - module_flow.json (cross-layer context)
520
+ - DB implementation files (for Prisma client imports)
521
+
522
+ ---
523
+
524
+ ## Operation Mode
525
+
526
+ | Field | Value |
527
+ |---|---|
528
+ | Type | `autonomous` |
529
+ | Fallback | `none` — if BE implementation fails, FE cannot proceed for this module |
530
+
531
+ ---
532
+
533
+ ## Tool Gaps
534
+
535
+ | Gap ID | Description | Needed By | Impact Without |
536
+ |---|---|---|---|
537
+ | `TG-001` | `node_write` MCP tool not yet built | this agent | Cannot write output with registry validation -- blocked |
538
+ | `TG-002` | `node_read` MCP tool not yet built | this agent | Cannot read upstream artifacts with field enforcement -- blocked |
539
+ | `TG-003` | `tracker_read` MCP tool not yet built | this agent | Cannot read active modules -- blocked |
540
+ | `TG-004` | `tracker_update` MCP tool not yet built | this agent | Cannot report completion -- blocked |
541
+ | `TG-005` | Route generator that produces Express/Fastify route handlers from OpenAPI path+operation definitions with correct HTTP methods, request parsing, and response formatting | this agent | Manual route writing is error-prone and risks missing endpoints or incorrect response codes |
542
+ | `TG-006` | Middleware wirer that reads be_policy_flow and generates the correct middleware chain import and application for each route | this agent | Manual middleware wiring risks incorrect ordering or missing middleware |
543
+ | `TG-007` | OpenAPI sync checker that validates implemented routes match the spec (paths, methods, request/response schemas) | this agent | Contract drift would go undetected until testing |
544
+
545
+ ---
546
+
547
+ ## Generation Readiness
548
+
549
+ | `generate_agent` Param | Status | Notes |
550
+ |---|---|---|
551
+ | `fileName` | ready | `be-impl` |
552
+ | `agentName` | ready | `be_impl` |
553
+ | `agentRole` | ready | "Backend API Route and Service Generator" |
554
+ | `agentDescription` | ready | Full description available from Goal section |
555
+ | `operationMode` | ready | `autonomous`, no fallback |
556
+ | `goal` | ready | 3 objectives defined with priorities |
557
+ | `inputs` | ready | 8 inputs: pre_code_plan, openapi, be_policy_flow, global_services, global_middleware, global_security, module_flow, db_test gate |
558
+ | `guardrails` | ready | 16 rules defined across constraint, not_allowed, output_quality, data_handling, scope_boundary categories |
559
+ | `scopeBoundary` | ready | 9 in-scope items, 6 out-of-scope items |
560
+ | `outputFormat` | ready | TypeScript route/service/middleware files, code_map updates |
561
+ | `triggers` | ready | 3 triggers defined |
562
+ | `checkpoints` | ready | 9 checkpoints with actions |
563
+ | `validation` | ready | 9 validation criteria |
564
+ | `contextSources` | ready | 8 context sources |
565
+ | `metadata` | ready | phase: "10", mode: "all", granularity: "per_module" |