@ngocsangairvds/vsaf 4.1.1 → 4.1.2
- package/package.json +1 -1
- package/packages/cli/dist/commands/cleanup.d.ts +6 -0
- package/packages/cli/dist/commands/cleanup.d.ts.map +1 -0
- package/packages/cli/dist/commands/cleanup.js +103 -0
- package/packages/cli/dist/commands/cleanup.js.map +1 -0
- package/packages/cli/dist/index.js +15 -0
- package/packages/cli/dist/index.js.map +1 -1
- package/packages/cli/dist/mcp/server.d.ts.map +1 -1
- package/packages/cli/dist/mcp/server.js +9 -0
- package/packages/cli/dist/mcp/server.js.map +1 -1
- package/packages/core/dist/store/run-store.d.ts +8 -0
- package/packages/core/dist/store/run-store.d.ts.map +1 -1
- package/packages/core/dist/store/run-store.js +51 -0
- package/packages/core/dist/store/run-store.js.map +1 -1
- package/skills/sdlc/architecture/SKILL.md +5 -3
- package/skills/sdlc/hotfix-analyze/SKILL.md +1 -1
- package/skills/sdlc/hotfix-implement/SKILL.md +227 -0
- package/skills/sdlc/hotfix-prd/SKILL.md +161 -0
- package/skills/sdlc/hotfix-ship/SKILL.md +221 -0
- package/skills/sdlc/pack.yaml +3 -2
- package/skills/sdlc/prd/SKILL.md +4 -2
- package/skills/sdlc/review/SKILL.md +3 -1
- package/skills/sdlc/sdlc-health/SKILL.md +6 -5
- package/skills/sdlc/ship/SKILL.md +6 -91
- package/skills/sdlc/srs/SKILL.md +3 -1
- package/skills/sdlc/test-design/SKILL.md +3 -1
- package/skills/sdlc/workflows/hotfix-tdd.yaml +7 -12
- package/skills/sdlc/workflows/hotfix.yaml +16 -15
- package/skills/sdlc/hotfix-green/SKILL.md +0 -101
- package/skills/sdlc/hotfix-red/SKILL.md +0 -96
|
@@ -0,0 +1,227 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: hotfix-implement
|
|
3
|
+
description: "Hotfix Phase 3 — TDD implementation: RED → GREEN → REFACTOR, minimal fix, SonarQube-in-loop"
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
author: "@ngocsangairvds/vsaf"
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Hotfix Phase 3: Implementation (TDD)
|
|
9
|
+
|
|
10
|
+
You are a Senior Software Engineer performing a surgical fix. Mission: implement the fix using strict TDD — write failing test first, make it pass with minimal code, refactor. No subagents, no parallel epics — hotfixes are focused single-area changes.
|
|
11
|
+
|
|
12
|
+
## Progress Protocol
|
|
13
|
+
|
|
14
|
+
Print progress at each step:
|
|
15
|
+
```
|
|
16
|
+
[HOTFIX-IMPL] [step/6] description... ⏳
|
|
17
|
+
[HOTFIX-IMPL] [step/6] description... ✅
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
## Index Protection
|
|
21
|
+
|
|
22
|
+
⛔ Do NOT modify `graphify-out/` or `.gitnexus/` — READ only.
|
|
23
|
+
|
|
24
|
+
## Phase Entry Protocol
|
|
25
|
+
|
|
26
|
+
```
|
|
27
|
+
[HOTFIX-IMPL] [1/6] Checking input artifacts... ⏳
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
1. Input:
|
|
31
|
+
- `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
|
|
32
|
+
- `.vsaf/docs/hotfixes/{bug-id}/01-analysis.md`
|
|
33
|
+
2. Verify BOTH files exist:
|
|
34
|
+
- Missing → Stop: "Run previous phases first."
|
|
35
|
+
3. Check `02-prd.md` has `## Gate: APPROVED`
|
|
36
|
+
- No Gate → Stop: "PRD not approved. Get approval first."
|
|
37
|
+
4. Extract from PRD: FRs, acceptance criteria, scope boundary
|
|
38
|
+
5. Extract from analysis: root cause (file:line), affected files, fix strategy
|
|
39
|
+
6. Read `CONTEXT.md`
|
|
40
|
+
|
|
41
|
+
```
|
|
42
|
+
[HOTFIX-IMPL] [1/6] Checking input artifacts... ✅
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Tasks
|
|
46
|
+
|
|
47
|
+
### Step 2: Branch Setup
|
|
48
|
+
|
|
49
|
+
```
|
|
50
|
+
[HOTFIX-IMPL] [2/6] Creating hotfix branch... ⏳
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
git checkout -b hotfix/{bug-id}
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
If branch already exists → switch to it.
|
|
58
|
+
|
|
59
|
+
```
|
|
60
|
+
[HOTFIX-IMPL] [2/6] Creating hotfix branch... ✅
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
### Step 3: TDD Cycle — `/tdd` Methodology
|
|
64
|
+
|
|
65
|
+
```
|
|
66
|
+
[HOTFIX-IMPL] [3/6] TDD cycle — RED → GREEN → REFACTOR... ⏳
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Use `/tdd` methodology — behavior-based, vertical slice:
|
|
70
|
+
|
|
71
|
+
**For each FR in the PRD:**
|
|
72
|
+
|
|
73
|
+
1. **RED — Write failing test FIRST**
|
|
74
|
+
- Test the BEHAVIOR described in the acceptance criteria
|
|
75
|
+
- Test the PUBLIC INTERFACE, not internals
|
|
76
|
+
- Include the regression test: reproduce the original bug → MUST FAIL before fix
|
|
77
|
+
- Run test → confirm it FAILS (red)
|
|
78
|
+
- ⚠️ If test passes without code changes → the test is wrong or the bug is already fixed
|
|
79
|
+
|
|
80
|
+
2. **GREEN — Write MINIMAL code to pass**
|
|
81
|
+
- Change ONLY what is needed to make the test pass
|
|
82
|
+
- Stay within the scope boundary from PRD
|
|
83
|
+
- Apply SonarQube rules while writing (see below)
|
|
84
|
+
- Run test → confirm it PASSES (green)
|
|
85
|
+
|
|
86
|
+
3. **REFACTOR — Clean without changing behavior**
|
|
87
|
+
- Remove duplication introduced by the fix
|
|
88
|
+
- Improve naming if needed
|
|
89
|
+
- Run ALL tests → still green
|
|
90
|
+
|
|
91
|
+
**Repeat for each FR.** Typically 1-3 cycles for a hotfix.
|
|
92
|
+
|
|
93
|
+
```
|
|
94
|
+
[HOTFIX-IMPL] [3/6] TDD cycle complete ✅
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
### Step 4: SonarQube Self-Check
|
|
98
|
+
|
|
99
|
+
```
|
|
100
|
+
[HOTFIX-IMPL] [4/6] SonarQube quality check... ⏳
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
Apply DURING Step 3 (not after). After the fix is complete, final sweep:
|
|
104
|
+
|
|
105
|
+
| Metric | Threshold |
|
|
106
|
+
|--------|-----------|
|
|
107
|
+
| New Issues | = 0 |
|
|
108
|
+
| Blocker/Critical | = 0 |
|
|
109
|
+
| Vulnerabilities | = 0 |
|
|
110
|
+
| Duplicated Lines (new) | ≤ 3% |
|
|
111
|
+
|
|
112
|
+
- If project has SonarQube → run `sonar-scanner` incremental
|
|
113
|
+
- If not → Claude self-reviews changed files against metrics above
|
|
114
|
+
|
|
115
|
+
```
|
|
116
|
+
[HOTFIX-IMPL] [4/6] SonarQube quality check... ✅
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
### Step 5: Build & Test Verification
|
|
120
|
+
|
|
121
|
+
```
|
|
122
|
+
[HOTFIX-IMPL] [5/6] Build & test verification... ⏳
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
**MANDATORY — hard gate:**
|
|
126
|
+
|
|
127
|
+
1. **Compile**: Build entire project → 0 errors
|
|
128
|
+
- Java: `mvn compile` / `gradle build`
|
|
129
|
+
- Node: `npm run build` / `tsc --noEmit`
|
|
130
|
+
- Angular: `ng build`
|
|
131
|
+
- Go: `go build ./...`
|
|
132
|
+
- FAIL → fix immediately
|
|
133
|
+
|
|
134
|
+
2. **Full test suite**: Run ALL tests (not just new ones)
|
|
135
|
+
- `npm test` / `mvn test` / equivalent
|
|
136
|
+
- ALL tests MUST pass — no regressions
|
|
137
|
+
- FAIL → use `/diagnose` to find the issue
|
|
138
|
+
|
|
139
|
+
3. **Regression test confirmation**: The specific test from Step 3 RED phase → now PASSES
|
|
140
|
+
|
|
141
|
+
⚠️ DO NOT exit if build fails or tests fail. This is a hard gate.
|
|
142
|
+
|
|
143
|
+
```
|
|
144
|
+
[HOTFIX-IMPL] [5/6] Build & test verification... ✅
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### Step 6: Impact Verification
|
|
148
|
+
|
|
149
|
+
```
|
|
150
|
+
[HOTFIX-IMPL] [6/6] Impact verification via GitNexus... ⏳
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
Use GitNexus `impact` — verify the fix did not break anything outside blast radius.
|
|
154
|
+
|
|
155
|
+
If unexpected impact detected → evaluate:
|
|
156
|
+
- Within scope boundary → OK, note in impl log
|
|
157
|
+
- Outside scope boundary → STOP, escalate to user
|
|
158
|
+
|
|
159
|
+
```
|
|
160
|
+
[HOTFIX-IMPL] [6/6] Impact verification... ✅
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
## Output
|
|
164
|
+
|
|
165
|
+
Write file: `.vsaf/docs/hotfixes/{bug-id}/03-impl-log.md`
|
|
166
|
+
|
|
167
|
+
```markdown
|
|
168
|
+
# Implementation Log: {bug-id}
|
|
169
|
+
|
|
170
|
+
## Branch
|
|
171
|
+
`hotfix/{bug-id}`
|
|
172
|
+
|
|
173
|
+
## TDD Cycles
|
|
174
|
+
|
|
175
|
+
### FR-001: {title}
|
|
176
|
+
- RED: {test file}:{test name} — FAILED ✓
|
|
177
|
+
- GREEN: {changed files} — PASSED ✓
|
|
178
|
+
- REFACTOR: {what was cleaned}
|
|
179
|
+
|
|
180
|
+
### FR-002: {title} (if applicable)
|
|
181
|
+
...
|
|
182
|
+
|
|
183
|
+
## Files Changed
|
|
184
|
+
| File | Change type | Lines |
|
|
185
|
+
|------|-------------|-------|
|
|
186
|
+
| {file} | Modified / Added | +{n} -{m} |
|
|
187
|
+
|
|
188
|
+
## Test Results
|
|
189
|
+
- New tests: {count}
|
|
190
|
+
- Regression test: {test name} — PASS
|
|
191
|
+
- Full suite: {total} tests, all PASS
|
|
192
|
+
|
|
193
|
+
## SonarQube
|
|
194
|
+
- Issues: 0
|
|
195
|
+
- Vulnerabilities: 0
|
|
196
|
+
- Duplication: {n}%
|
|
197
|
+
|
|
198
|
+
## Build
|
|
199
|
+
- Compile: PASS
|
|
200
|
+
- Full test suite: PASS
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
## Phase Exit Protocol
|
|
204
|
+
|
|
205
|
+
Print PHASE REPORT:
|
|
206
|
+
- Bug: {bug-id}
|
|
207
|
+
- Status: IMPLEMENTATION COMPLETED
|
|
208
|
+
- Branch: `hotfix/{bug-id}`
|
|
209
|
+
- Tests: {new} new, {total} total — all PASS
|
|
210
|
+
- Files changed: {count}
|
|
211
|
+
- Output: `.vsaf/docs/hotfixes/{bug-id}/03-impl-log.md`
|
|
212
|
+
- Next step: `/sdlc-hotfix-ship`
|
|
213
|
+
|
|
214
|
+
Update `.vsaf/docs/STATUS.md`.
|
|
215
|
+
|
|
216
|
+
> Artifacts saved. If the session is interrupted, open a new session and run the next phase — data is safe.
|
|
217
|
+
|
|
218
|
+
## Rules
|
|
219
|
+
|
|
220
|
+
- ⛔ Do NOT write code without a failing test first (TDD)
|
|
221
|
+
- ⛔ Do NOT modify `graphify-out/` or `.gitnexus/`
|
|
222
|
+
- ⛔ Do NOT exceed scope boundary defined in PRD
|
|
223
|
+
- ⛔ Do NOT use subagent-driven development — hotfixes are sequential, focused
|
|
224
|
+
- Code MUST compile — hard gate, no exceptions
|
|
225
|
+
- Full test suite MUST pass — no regressions allowed
|
|
226
|
+
- If fix fails 3 times → STOP, escalate to user
|
|
227
|
+
- If scope drift detected → STOP, go back to PRD
|
|
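Review bot: In Step 4, the fallback `If not → Claude self-reviews changed files against metrics above` lets the same agent that wrote the fix certify `Vulnerabilities | = 0`, and the `03-impl-log.md` template then records `Issues: 0` and `Vulnerabilities: 0` as fixed literals, so the log reads the same whether `sonar-scanner` ran or not. Suggest turning those two fields into placeholders, as `Duplication: {n}%` already is, and adding a line that records where the result came from (scanner run or self-review). Separately, `{bug-id}` is substituted directly into `git checkout -b hotfix/{bug-id}` and into the artifact paths; the Phase Entry Protocol is a natural place to require that it match a restricted pattern before any command or path is built from it.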
@@ -0,0 +1,161 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: hotfix-prd
|
|
3
|
+
description: "Hotfix Phase 2 — Lightweight PRD from analysis: fix requirements, acceptance criteria, scope"
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
author: "@ngocsangairvds/vsaf"
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Hotfix Phase 2: PRD (Fix Requirements)
|
|
9
|
+
|
|
10
|
+
You are a Principal Product Owner focused on a surgical fix. Mission: define exactly what needs to change, acceptance criteria, and "done" definition — no discovery needed (grill already happened in analyze phase).
|
|
11
|
+
|
|
12
|
+
## Language Rule
|
|
13
|
+
|
|
14
|
+
Output documents (02-prd.md) MUST be written in Vietnamese. Only keep English for: IDs, technical terms, code references.
|
|
15
|
+
|
|
16
|
+
## Progress Protocol
|
|
17
|
+
|
|
18
|
+
Print progress at each step:
|
|
19
|
+
```
|
|
20
|
+
[HOTFIX-PRD] [step/4] description... ⏳
|
|
21
|
+
[HOTFIX-PRD] [step/4] description... ✅
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
## Index Protection
|
|
25
|
+
|
|
26
|
+
⛔ Do NOT modify `graphify-out/` or `.gitnexus/` — READ only.
|
|
27
|
+
|
|
28
|
+
## Phase Entry Protocol
|
|
29
|
+
|
|
30
|
+
```
|
|
31
|
+
[HOTFIX-PRD] [1/4] Checking input artifacts... ⏳
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
1. Input: `.vsaf/docs/hotfixes/{bug-id}/01-analysis.md`
|
|
35
|
+
2. Verify file exists:
|
|
36
|
+
- Does not exist → Stop: "Analysis not found. Run `/sdlc-hotfix-analyze` first."
|
|
37
|
+
3. Read the analysis file — extract:
|
|
38
|
+
- Root cause (file:line)
|
|
39
|
+
- Blast radius
|
|
40
|
+
- Fix strategy (proposed in analyze phase)
|
|
41
|
+
- Affected files
|
|
42
|
+
4. Read `.vsaf/docs/STATUS.md`
|
|
43
|
+
5. Read `CONTEXT.md`
|
|
44
|
+
|
|
45
|
+
```
|
|
46
|
+
[HOTFIX-PRD] [1/4] Checking input artifacts... ✅
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Tasks
|
|
50
|
+
|
|
51
|
+
### Step 2: Define Fix Requirements
|
|
52
|
+
|
|
53
|
+
```
|
|
54
|
+
[HOTFIX-PRD] [2/4] Defining fix requirements from analysis... ⏳
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
Based on the analysis (NOT a new grill session — that already happened), define:
|
|
58
|
+
|
|
59
|
+
1. **Fix Goal** — one sentence: what the fix achieves
|
|
60
|
+
2. **Functional Requirements** — FR-001, FR-002... (typically 1-3 for a hotfix)
|
|
61
|
+
- Each FR traces to the root cause or blast radius item
|
|
62
|
+
3. **Acceptance Criteria** — Given/When/Then for each FR
|
|
63
|
+
- MUST include a regression test criterion: "Given the fix is applied, When {original reproduction steps}, Then {expected behavior}"
|
|
64
|
+
4. **Scope Boundary** — explicitly state what is OUT of scope (no refactoring, no enhancements)
|
|
65
|
+
5. **Non-Functional Requirements** — only if relevant (performance regression, security)
|
|
66
|
+
|
|
67
|
+
```
|
|
68
|
+
[HOTFIX-PRD] [2/4] Defining fix requirements... ✅
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
### Step 3: Validate + Risk Check
|
|
72
|
+
|
|
73
|
+
```
|
|
74
|
+
[HOTFIX-PRD] [3/4] Validating PRD... ⏳
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
Use `/bmad-validate-prd` — validate:
|
|
78
|
+
- Every FR is testable
|
|
79
|
+
- Acceptance criteria are unambiguous
|
|
80
|
+
- Scope is minimal (hotfix, not enhancement)
|
|
81
|
+
- Fix addresses root cause, not just symptom
|
|
82
|
+
|
|
83
|
+
If FAIL → fix inline, re-validate.
|
|
84
|
+
|
|
85
|
+
Use GitNexus `impact` — confirm blast radius from analysis is still accurate.
|
|
86
|
+
|
|
87
|
+
```
|
|
88
|
+
[HOTFIX-PRD] [3/4] Validating PRD... ✅
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### Step 4: Write PRD
|
|
92
|
+
|
|
93
|
+
```
|
|
94
|
+
[HOTFIX-PRD] [4/4] Writing hotfix PRD... ⏳
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
Write file: `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
|
|
98
|
+
|
|
99
|
+
```markdown
|
|
100
|
+
# Hotfix PRD: {bug-id}
|
|
101
|
+
|
|
102
|
+
## Fix Goal
|
|
103
|
+
{one sentence}
|
|
104
|
+
|
|
105
|
+
## Source
|
|
106
|
+
- Analysis: `01-analysis.md`
|
|
107
|
+
- Root cause: {file:line — summary}
|
|
108
|
+
|
|
109
|
+
## Functional Requirements
|
|
110
|
+
|
|
111
|
+
### FR-001: {title}
|
|
112
|
+
{description}
|
|
113
|
+
|
|
114
|
+
**Acceptance Criteria:**
|
|
115
|
+
- Given {context}, When {action}, Then {expected result}
|
|
116
|
+
|
|
117
|
+
### FR-002: {title} (if needed)
|
|
118
|
+
...
|
|
119
|
+
|
|
120
|
+
## Non-Functional Requirements
|
|
121
|
+
{NFR-001 if applicable, otherwise "N/A — no NFR impact for this fix"}
|
|
122
|
+
|
|
123
|
+
## Scope Boundary
|
|
124
|
+
**In scope:** {what will change}
|
|
125
|
+
**Out of scope:** {what will NOT change — no refactoring, no enhancements}
|
|
126
|
+
|
|
127
|
+
## Blast Radius (confirmed)
|
|
128
|
+
{from GitNexus impact — files that may be affected}
|
|
129
|
+
|
|
130
|
+
## Gate: {PENDING / APPROVED by {name} on {date}}
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
```
|
|
134
|
+
[HOTFIX-PRD] [4/4] Writing hotfix PRD... ✅
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
## Gate
|
|
138
|
+
|
|
139
|
+
Human must approve the PRD. Write `## Gate: APPROVED` at the end of the file.
|
|
140
|
+
Do NOT proceed to implementation without the Gate marker.
|
|
141
|
+
|
|
142
|
+
## Phase Exit Protocol
|
|
143
|
+
|
|
144
|
+
Print PHASE REPORT:
|
|
145
|
+
- Bug: {bug-id}
|
|
146
|
+
- Status: PRD COMPLETED
|
|
147
|
+
- FRs: {count} functional requirements
|
|
148
|
+
- Output: `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
|
|
149
|
+
- Next step: `/sdlc-hotfix-implement`
|
|
150
|
+
|
|
151
|
+
Update `.vsaf/docs/STATUS.md`.
|
|
152
|
+
|
|
153
|
+
> Artifacts saved. If the session is interrupted, open a new session and run the next phase — data is safe.
|
|
154
|
+
|
|
155
|
+
## Rules
|
|
156
|
+
|
|
157
|
+
- ⛔ Do NOT start a new grill session — analysis already has grill results
|
|
158
|
+
- ⛔ Do NOT modify `graphify-out/` or `.gitnexus/`
|
|
159
|
+
- ⛔ Do NOT add enhancements — hotfix scope only
|
|
160
|
+
- Scope MUST be minimal — fix root cause, add regression test, nothing more
|
|
161
|
+
- Every FR MUST be directly traceable to the root cause or blast radius
|
|
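Review bot: The `## Gate` section does not say who writes the approval marker. The sentence "Human must approve the PRD. Write `## Gate: APPROVED` at the end of the file." is addressed to the agent reading this skill, so it can be read as telling the agent to append the approval itself, and the later phases only check that the string is present in `02-prd.md`. Suggest stating that the agent writes the gate as PENDING and then stops, and that the approval line is edited in by a person. The template already ends with `## Gate: {PENDING / APPROVED by {name} on {date}}`, so writing the marker "at the end of the file" would also leave two Gate headings; say that the existing line is updated in place.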
@@ -0,0 +1,221 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: hotfix-ship
|
|
3
|
+
description: "Hotfix Phase 4 — Ship: commit, PR on hotfix branch, ship report"
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
author: "@ngocsangairvds/vsaf"
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Hotfix Phase 4: Ship
|
|
9
|
+
|
|
10
|
+
You are DevOps Engineer. Mission: ship the approved hotfix — commit, push, create PR, write ship report.
|
|
11
|
+
|
|
12
|
+
## Progress Protocol
|
|
13
|
+
|
|
14
|
+
Print progress at each step:
|
|
15
|
+
```
|
|
16
|
+
[HOTFIX-SHIP] [step/5] description... ⏳
|
|
17
|
+
[HOTFIX-SHIP] [step/5] description... ✅
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
## Phase Entry Protocol
|
|
21
|
+
|
|
22
|
+
```
|
|
23
|
+
[HOTFIX-SHIP] [1/5] Checking prerequisites... ⏳
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
1. Input: `.vsaf/docs/hotfixes/{bug-id}/` directory
|
|
27
|
+
2. Verify these files exist:
|
|
28
|
+
- `01-analysis.md` — root cause analysis
|
|
29
|
+
- `02-prd.md` — fix requirements (MUST have `## Gate: APPROVED`)
|
|
30
|
+
- `03-impl-log.md` — implementation log
|
|
31
|
+
3. Check `02-prd.md` has `## Gate: APPROVED`
|
|
32
|
+
- No Gate → Stop: "PRD not approved. Get approval before shipping."
|
|
33
|
+
4. Verify current branch is `hotfix/{bug-id}`
|
|
34
|
+
- Wrong branch → Stop: "Not on hotfix branch. Switch to `hotfix/{bug-id}`."
|
|
35
|
+
5. Read `CONTEXT.md`
|
|
36
|
+
|
|
37
|
+
```
|
|
38
|
+
[HOTFIX-SHIP] [1/5] Checking prerequisites... ✅
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
## Tasks
|
|
42
|
+
|
|
43
|
+
### Step 2: .gitignore Enforcement
|
|
44
|
+
|
|
45
|
+
```
|
|
46
|
+
[HOTFIX-SHIP] [2/5] Checking .gitignore... ⏳
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
**MANDATORY** — verify before committing:
|
|
50
|
+
|
|
51
|
+
1. Check `.gitignore` contains:
|
|
52
|
+
```
|
|
53
|
+
graphify-out/
|
|
54
|
+
.gitnexus/
|
|
55
|
+
```
|
|
56
|
+
2. If MISSING → add automatically and notify user
|
|
57
|
+
3. Verify with `git status` — `graphify-out/` and `.gitnexus/` do NOT appear
|
|
58
|
+
4. If they appear → `git rm --cached -r graphify-out/ .gitnexus/`
|
|
59
|
+
|
|
60
|
+
⚠️ **ABSOLUTELY DO NOT commit `graphify-out/` or `.gitnexus/`**
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
[HOTFIX-SHIP] [2/5] Checking .gitignore... ✅
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
### Step 3: Final Test Gate
|
|
67
|
+
|
|
68
|
+
```
|
|
69
|
+
[HOTFIX-SHIP] [3/5] Final test verification... ⏳
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
Run full test suite one last time before shipping:
|
|
73
|
+
```bash
|
|
74
|
+
npm test # or mvn test / gradle test / equivalent
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
- ALL tests MUST pass
|
|
78
|
+
- If FAIL → Stop: "Tests failing. Fix before shipping."
|
|
79
|
+
|
|
80
|
+
```
|
|
81
|
+
[HOTFIX-SHIP] [3/5] Final test verification... ✅
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
### Step 4: Commit + Push + PR
|
|
85
|
+
|
|
86
|
+
```
|
|
87
|
+
[HOTFIX-SHIP] [4/5] Commit + push + create PR... ⏳
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
**Commit scope — ONLY commit:**
|
|
91
|
+
- Source code changes (the fix)
|
|
92
|
+
- `.vsaf/docs/hotfixes/{bug-id}/` (all artifacts)
|
|
93
|
+
- `.gitignore` (if updated)
|
|
94
|
+
|
|
95
|
+
**DO NOT commit:**
|
|
96
|
+
- `graphify-out/`
|
|
97
|
+
- `.gitnexus/`
|
|
98
|
+
|
|
99
|
+
**Commit message format:**
|
|
100
|
+
```
|
|
101
|
+
fix({area}): {short description}
|
|
102
|
+
|
|
103
|
+
Root cause: {one line from 01-analysis.md}
|
|
104
|
+
Closes: #{issue-number} (if applicable)
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
**Push + PR:**
|
|
108
|
+
```bash
|
|
109
|
+
git push -u origin hotfix/{bug-id}
|
|
110
|
+
gh pr create --title "fix({area}): {short description}" --body "{PR body}"
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
**PR body template:**
|
|
114
|
+
```markdown
|
|
115
|
+
## Bug Fix: {bug-id}
|
|
116
|
+
|
|
117
|
+
### Root Cause
|
|
118
|
+
{from 01-analysis.md — one paragraph}
|
|
119
|
+
|
|
120
|
+
### Fix
|
|
121
|
+
{from 03-impl-log.md — what was changed and why}
|
|
122
|
+
|
|
123
|
+
### Tests
|
|
124
|
+
- Regression test: `{test file}:{test name}`
|
|
125
|
+
- Full suite: {total} tests, all PASS
|
|
126
|
+
|
|
127
|
+
### Affected Files
|
|
128
|
+
{list from 03-impl-log.md}
|
|
129
|
+
|
|
130
|
+
### Scope
|
|
131
|
+
- ✅ Fix only — no refactoring, no enhancements
|
|
132
|
+
- ✅ Regression test added
|
|
133
|
+
- ✅ Full test suite passing
|
|
134
|
+
|
|
135
|
+
---
|
|
136
|
+
> **Post-pull:** Run `npx -y gitnexus@latest analyze` and `/graphify` to re-index locally.
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
```
|
|
140
|
+
[HOTFIX-SHIP] [4/5] Commit + push + create PR... ✅
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
### Step 5: Ship Report
|
|
144
|
+
|
|
145
|
+
```
|
|
146
|
+
[HOTFIX-SHIP] [5/5] Writing ship report... ⏳
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Write file: `.vsaf/docs/hotfixes/{bug-id}/04-ship.md`
|
|
150
|
+
|
|
151
|
+
```markdown
|
|
152
|
+
# Ship Report: {bug-id}
|
|
153
|
+
|
|
154
|
+
## PR
|
|
155
|
+
- {repo}: PR #{number} — {url}
|
|
156
|
+
|
|
157
|
+
## Branch
|
|
158
|
+
`hotfix/{bug-id}` → `main`
|
|
159
|
+
|
|
160
|
+
## Commit Scope
|
|
161
|
+
- Source code: {N} files (minimal fix)
|
|
162
|
+
- .vsaf/docs/: {M} files (hotfix artifacts)
|
|
163
|
+
- Excluded: graphify-out/, .gitnexus/ (local index)
|
|
164
|
+
|
|
165
|
+
## Final Status
|
|
166
|
+
- Build: PASS
|
|
167
|
+
- Tests: all GREEN (including regression test)
|
|
168
|
+
- PRD Gate: APPROVED
|
|
169
|
+
|
|
170
|
+
## Bug Fix Summary
|
|
171
|
+
- Root cause: {from 01-analysis.md}
|
|
172
|
+
- Regression test: {test file}:{test name}
|
|
173
|
+
- Fix: {minimal diff description}
|
|
174
|
+
|
|
175
|
+
## Artifacts
|
|
176
|
+
- `01-analysis.md` — root cause analysis
|
|
177
|
+
- `02-prd.md` — fix requirements (approved)
|
|
178
|
+
- `03-impl-log.md` — TDD implementation log
|
|
179
|
+
- `04-ship.md` — this file
|
|
180
|
+
|
|
181
|
+
## Post-pull Setup
|
|
182
|
+
After pulling the code, run:
|
|
183
|
+
- `npx -y gitnexus@latest analyze` — re-index code
|
|
184
|
+
- `/graphify` — rebuild knowledge graph
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
```
|
|
188
|
+
[HOTFIX-SHIP] [5/5] Writing ship report... ✅
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
## Phase Exit Protocol
|
|
192
|
+
|
|
193
|
+
Print PHASE REPORT:
|
|
194
|
+
```
|
|
195
|
+
═══════════════════════════════════════════
|
|
196
|
+
HOTFIX SHIPPED: {bug-id}
|
|
197
|
+
═══════════════════════════════════════════
|
|
198
|
+
Flow: Analyze → PRD → Implement → Ship
|
|
199
|
+
|
|
200
|
+
PR: #{number} — {url}
|
|
201
|
+
Branch: hotfix/{bug-id}
|
|
202
|
+
Commit: source code + .vsaf/docs/ only
|
|
203
|
+
Excluded: graphify-out/, .gitnexus/
|
|
204
|
+
|
|
205
|
+
Artifacts: .vsaf/docs/hotfixes/{bug-id}/ (4 files)
|
|
206
|
+
|
|
207
|
+
Hotfix DONE.
|
|
208
|
+
═══════════════════════════════════════════
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
Update `.vsaf/docs/STATUS.md` → move to "Completed Hotfixes".
|
|
212
|
+
|
|
213
|
+
## Rules
|
|
214
|
+
|
|
215
|
+
- ⛔ Do NOT review code — that happened during TDD (self-review via SonarQube)
|
|
216
|
+
- ⛔ Do NOT commit `graphify-out/` or `.gitnexus/`
|
|
217
|
+
- ⛔ Do NOT ship if tests are failing
|
|
218
|
+
- ⛔ Do NOT ship without PRD Gate: APPROVED
|
|
219
|
+
- Gate comes from PRD approval — no separate review phase needed
|
|
220
|
+
- PR description MUST be self-contained
|
|
221
|
+
- Commit message follows conventional format: `fix({area}): {description}`
|
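Review bot: In Step 4, `gh pr create --title "fix({area}): {short description}" --body "{PR body}"` puts text taken from `01-analysis.md` and `03-impl-log.md` inside a double-quoted shell argument, and the PR body template itself contains backtick spans (the regression test name and the `npx -y gitnexus@latest analyze` line), which the shell treats as command substitution inside double quotes. Suggest writing the body to a file and passing it with `--body-file`, and passing the title from a variable or in single quotes. Also, the commit scope lists `.vsaf/docs/hotfixes/{bug-id}/` as "all artifacts" and the exit banner reports "4 files", but `04-ship.md` is only written in Step 5, after the commit and push in Step 4; either write the report before committing or add a follow-up commit step.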
package/skills/sdlc/pack.yaml
CHANGED
package/skills/sdlc/prd/SKILL.md
CHANGED
|
@@ -63,7 +63,9 @@ Record results in `02-prd.md` §Grill Log.
|
|
|
63
63
|
[PRD] [3/5] Creating PRD from grill results... ⏳
|
|
64
64
|
```
|
|
65
65
|
|
|
66
|
-
|
|
66
|
+
Use `/bmad-create-prd` — create structured PRD from grill results (Step 2).
|
|
67
|
+
|
|
68
|
+
Ensure the output covers:
|
|
67
69
|
|
|
68
70
|
1. **Goals** — business goals + success metrics
|
|
69
71
|
2. **User Stories** — each MUST have acceptance criteria (Given/When/Then)
|
|
@@ -85,7 +87,7 @@ Write to `02-prd.md` §Requirements.
|
|
|
85
87
|
|
|
86
88
|
**4a — Validate PRD:**
|
|
87
89
|
|
|
88
|
-
|
|
90
|
+
Use `/bmad-validate-prd` — validate the PRD against BMAD standards:
|
|
89
91
|
- Completeness — all user stories covered by FRs? All FRs traceable to a user story?
|
|
90
92
|
- Clarity — any ambiguous requirements? Can each FR be implemented without guessing?
|
|
91
93
|
- Testability — can each FR be verified with a test case?
|
|
@@ -69,7 +69,9 @@ Write to `08-review.md` §Verification.
|
|
|
69
69
|
[REVIEW] [3/5] Adversarial code review... ⏳
|
|
70
70
|
```
|
|
71
71
|
|
|
72
|
-
|
|
72
|
+
Use `/bmad-code-review` — adversarial code review on the feature branch diff with parallel review layers (Blind Hunter, Edge Case Hunter, Acceptance Auditor).
|
|
73
|
+
|
|
74
|
+
Ensure the review covers:
|
|
73
75
|
|
|
74
76
|
1. **Security scan** — SQL injection, XSS, command injection, hardcoded secrets, insecure deserialization
|
|
75
77
|
2. **Data integrity** — null dereference, resource leaks, race conditions, missing transactions
|
|
@@ -15,7 +15,7 @@ Execute ALL checks below in order, then print the summary table.
|
|
|
15
15
|
|
|
16
16
|
### Check 1: SDLC Skills (filesystem)
|
|
17
17
|
|
|
18
|
-
Use the Read tool to check each of these
|
|
18
|
+
Use the Read tool to check each of these 17 skill files (sdlc-health is excluded — if you're running this, it's installed). If the file exists, mark ✓. If Read returns an error, mark ✗.
|
|
19
19
|
|
|
20
20
|
```
|
|
21
21
|
.claude/skills/sdlc-init/SKILL.md
|
|
@@ -31,8 +31,9 @@ Use the Read tool to check each of these 16 skill files (sdlc-health is excluded
|
|
|
31
31
|
.claude/skills/sdlc-feature-complete/SKILL.md
|
|
32
32
|
.claude/skills/sdlc-ship/SKILL.md
|
|
33
33
|
.claude/skills/sdlc-hotfix-analyze/SKILL.md
|
|
34
|
-
.claude/skills/sdlc-hotfix-
|
|
35
|
-
.claude/skills/sdlc-hotfix-
|
|
34
|
+
.claude/skills/sdlc-hotfix-prd/SKILL.md
|
|
35
|
+
.claude/skills/sdlc-hotfix-implement/SKILL.md
|
|
36
|
+
.claude/skills/sdlc-hotfix-ship/SKILL.md
|
|
36
37
|
.claude/skills/sdlc-hotfix-review/SKILL.md
|
|
37
38
|
```
|
|
38
39
|
|
|
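Review bot: The list keeps `.claude/skills/sdlc-hotfix-review/SKILL.md` as a required file directly after the three new entries, while the new `hotfix-ship` skill in this release says "no separate review phase needed" and prints `Flow: Analyze → PRD → Implement → Ship` in its exit banner. Suggest either documenting where `sdlc-hotfix-review` fits in the new hotfix flow or dropping it from this list, so the health check does not mark an install as failed over a skill the flow may no longer call.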
@@ -137,7 +138,7 @@ After completing all checks, print this summary:
|
|
|
137
138
|
|
|
138
139
|
| Category | Status | Details |
|
|
139
140
|
|----------------------|--------|-----------------------------------------|
|
|
140
|
-
| SDLC Skills (
|
|
141
|
+
| SDLC Skills (17) | {s} | {deployed}/{17} deployed |
|
|
141
142
|
| BMAD Skills (17) | {s} | {deployed}/{17} deployed |
|
|
142
143
|
| mattpocock Skills (5)| {s} | {deployed}/{5} deployed |
|
|
143
144
|
| Plugins | {s} | superpowers {s} |
|
|
@@ -163,5 +164,5 @@ Replace `{s}` with: ✓ (pass), ✗ (required missing), ⚠ (optional missing).
|
|
|
163
164
|
- ✗ = required missing → must fix before using SDLC
|
|
164
165
|
- ⚠ = optional missing → SDLC works but some features unavailable
|
|
165
166
|
|
|
166
|
-
**Required:** all
|
|
167
|
+
**Required:** all 17 SDLC skills, all 17 BMAD skills, all 5 mattpocock skills, superpowers plugin, gh binary, graphify binary + skill, gitnexus MCP, .mcp.json entries
|
|
167
168
|
**Optional:** docker, sonar-scanner, vsaf MCP (only for coroutine engine)
|
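Review bot: The skill count `17` on the `**Required:**` line is now hardcoded in three places touched by this diff: the Check 1 sentence, the summary row `| SDLC Skills (17) | {s} | {deployed}/{17} deployed |`, and this line, each edited by hand. Suggest stating the count once, or deriving it from the Check 1 file list, so the next added or removed skill cannot leave the three out of sync.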