@ngocsangairvds/vsaf 4.1.1 → 4.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34)
  1. package/package.json +1 -1
  2. package/packages/cli/dist/commands/cleanup.d.ts +6 -0
  3. package/packages/cli/dist/commands/cleanup.d.ts.map +1 -0
  4. package/packages/cli/dist/commands/cleanup.js +103 -0
  5. package/packages/cli/dist/commands/cleanup.js.map +1 -0
  6. package/packages/cli/dist/commands/install.d.ts +4 -0
  7. package/packages/cli/dist/commands/install.d.ts.map +1 -1
  8. package/packages/cli/dist/commands/install.js +18 -1
  9. package/packages/cli/dist/commands/install.js.map +1 -1
  10. package/packages/cli/dist/index.js +15 -0
  11. package/packages/cli/dist/index.js.map +1 -1
  12. package/packages/cli/dist/mcp/server.d.ts.map +1 -1
  13. package/packages/cli/dist/mcp/server.js +9 -0
  14. package/packages/cli/dist/mcp/server.js.map +1 -1
  15. package/packages/core/dist/store/run-store.d.ts +8 -0
  16. package/packages/core/dist/store/run-store.d.ts.map +1 -1
  17. package/packages/core/dist/store/run-store.js +51 -0
  18. package/packages/core/dist/store/run-store.js.map +1 -1
  19. package/skills/sdlc/architecture/SKILL.md +5 -3
  20. package/skills/sdlc/hotfix-analyze/SKILL.md +1 -1
  21. package/skills/sdlc/hotfix-implement/SKILL.md +227 -0
  22. package/skills/sdlc/hotfix-prd/SKILL.md +161 -0
  23. package/skills/sdlc/hotfix-ship/SKILL.md +221 -0
  24. package/skills/sdlc/pack.yaml +3 -2
  25. package/skills/sdlc/prd/SKILL.md +4 -2
  26. package/skills/sdlc/review/SKILL.md +3 -1
  27. package/skills/sdlc/sdlc-health/SKILL.md +6 -5
  28. package/skills/sdlc/ship/SKILL.md +6 -91
  29. package/skills/sdlc/srs/SKILL.md +3 -1
  30. package/skills/sdlc/test-design/SKILL.md +3 -1
  31. package/skills/sdlc/workflows/hotfix-tdd.yaml +7 -12
  32. package/skills/sdlc/workflows/hotfix.yaml +16 -15
  33. package/skills/sdlc/hotfix-green/SKILL.md +0 -101
  34. package/skills/sdlc/hotfix-red/SKILL.md +0 -96
@@ -0,0 +1,227 @@
1
+ ---
2
+ name: hotfix-implement
3
+ description: "Hotfix Phase 3 — TDD implementation: RED → GREEN → REFACTOR, minimal fix, SonarQube-in-loop"
4
+ version: 1.0.0
5
+ author: "@ngocsangairvds/vsaf"
6
+ ---
7
+
8
+ # Hotfix Phase 3: Implementation (TDD)
9
+
10
+ You are a Senior Software Engineer performing a surgical fix. Mission: implement the fix using strict TDD — write failing test first, make it pass with minimal code, refactor. No subagents, no parallel epics — hotfixes are focused single-area changes.
11
+
12
+ ## Progress Protocol
13
+
14
+ Print progress at each step:
15
+ ```
16
+ [HOTFIX-IMPL] [step/6] description... ⏳
17
+ [HOTFIX-IMPL] [step/6] description... ✅
18
+ ```
19
+
20
+ ## Index Protection
21
+
22
+ ⛔ Do NOT modify `graphify-out/` or `.gitnexus/` — READ only.
23
+
24
+ ## Phase Entry Protocol
25
+
26
+ ```
27
+ [HOTFIX-IMPL] [1/6] Checking input artifacts... ⏳
28
+ ```
29
+
30
+ 1. Input:
31
+ - `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
32
+ - `.vsaf/docs/hotfixes/{bug-id}/01-analysis.md`
33
+ 2. Verify BOTH files exist:
34
+ - Missing → Stop: "Run previous phases first."
35
+ 3. Check `02-prd.md` has `## Gate: APPROVED`
36
+ - No Gate → Stop: "PRD not approved. Get approval first."
37
+ 4. Extract from PRD: FRs, acceptance criteria, scope boundary
38
+ 5. Extract from analysis: root cause (file:line), affected files, fix strategy
39
+ 6. Read `CONTEXT.md`
40
+
41
+ ```
42
+ [HOTFIX-IMPL] [1/6] Checking input artifacts... ✅
43
+ ```
44
+
45
+ ## Tasks
46
+
47
+ ### Step 2: Branch Setup
48
+
49
+ ```
50
+ [HOTFIX-IMPL] [2/6] Creating hotfix branch... ⏳
51
+ ```
52
+
53
+ ```bash
54
+ git checkout -b hotfix/{bug-id}
55
+ ```
56
+
57
+ If branch already exists → switch to it.
58
+
59
+ ```
60
+ [HOTFIX-IMPL] [2/6] Creating hotfix branch... ✅
61
+ ```
62
+
63
+ ### Step 3: TDD Cycle — `/tdd` Methodology
64
+
65
+ ```
66
+ [HOTFIX-IMPL] [3/6] TDD cycle — RED → GREEN → REFACTOR... ⏳
67
+ ```
68
+
69
+ Use `/tdd` methodology — behavior-based, vertical slice:
70
+
71
+ **For each FR in the PRD:**
72
+
73
+ 1. **RED — Write failing test FIRST**
74
+ - Test the BEHAVIOR described in the acceptance criteria
75
+ - Test the PUBLIC INTERFACE, not internals
76
+ - Include the regression test: reproduce the original bug → MUST FAIL before fix
77
+ - Run test → confirm it FAILS (red)
78
+ - ⚠️ If test passes without code changes → the test is wrong or the bug is already fixed
79
+
80
+ 2. **GREEN — Write MINIMAL code to pass**
81
+ - Change ONLY what is needed to make the test pass
82
+ - Stay within the scope boundary from PRD
83
+ - Apply SonarQube rules while writing (see below)
84
+ - Run test → confirm it PASSES (green)
85
+
86
+ 3. **REFACTOR — Clean without changing behavior**
87
+ - Remove duplication introduced by the fix
88
+ - Improve naming if needed
89
+ - Run ALL tests → still green
90
+
91
+ **Repeat for each FR.** Typically 1-3 cycles for a hotfix.
92
+
93
+ ```
94
+ [HOTFIX-IMPL] [3/6] TDD cycle complete ✅
95
+ ```
96
+
97
+ ### Step 4: SonarQube Self-Check
98
+
99
+ ```
100
+ [HOTFIX-IMPL] [4/6] SonarQube quality check... ⏳
101
+ ```
102
+
103
+ Apply DURING Step 3 (not after). After the fix is complete, final sweep:
104
+
105
+ | Metric | Threshold |
106
+ |--------|-----------|
107
+ | New Issues | = 0 |
108
+ | Blocker/Critical | = 0 |
109
+ | Vulnerabilities | = 0 |
110
+ | Duplicated Lines (new) | ≤ 3% |
111
+
112
+ - If project has SonarQube → run `sonar-scanner` incremental
113
+ - If not → Claude self-reviews changed files against metrics above
114
+
115
+ ```
116
+ [HOTFIX-IMPL] [4/6] SonarQube quality check... ✅
117
+ ```
118
+
119
+ ### Step 5: Build & Test Verification
120
+
121
+ ```
122
+ [HOTFIX-IMPL] [5/6] Build & test verification... ⏳
123
+ ```
124
+
125
+ **MANDATORY — hard gate:**
126
+
127
+ 1. **Compile**: Build entire project → 0 errors
128
+ - Java: `mvn compile` / `gradle build`
129
+ - Node: `npm run build` / `tsc --noEmit`
130
+ - Angular: `ng build`
131
+ - Go: `go build ./...`
132
+ - FAIL → fix immediately
133
+
134
+ 2. **Full test suite**: Run ALL tests (not just new ones)
135
+ - `npm test` / `mvn test` / equivalent
136
+ - ALL tests MUST pass — no regressions
137
+ - FAIL → use `/diagnose` to find the issue
138
+
139
+ 3. **Regression test confirmation**: The specific test from Step 3 RED phase → now PASSES
140
+
141
+ ⚠️ DO NOT exit if build fails or tests fail. This is a hard gate.
142
+
143
+ ```
144
+ [HOTFIX-IMPL] [5/6] Build & test verification... ✅
145
+ ```
146
+
147
+ ### Step 6: Impact Verification
148
+
149
+ ```
150
+ [HOTFIX-IMPL] [6/6] Impact verification via GitNexus... ⏳
151
+ ```
152
+
153
+ Use GitNexus `impact` — verify the fix did not break anything outside blast radius.
154
+
155
+ If unexpected impact detected → evaluate:
156
+ - Within scope boundary → OK, note in impl log
157
+ - Outside scope boundary → STOP, escalate to user
158
+
159
+ ```
160
+ [HOTFIX-IMPL] [6/6] Impact verification... ✅
161
+ ```
162
+
163
+ ## Output
164
+
165
+ Write file: `.vsaf/docs/hotfixes/{bug-id}/03-impl-log.md`
166
+
167
+ ```markdown
168
+ # Implementation Log: {bug-id}
169
+
170
+ ## Branch
171
+ `hotfix/{bug-id}`
172
+
173
+ ## TDD Cycles
174
+
175
+ ### FR-001: {title}
176
+ - RED: {test file}:{test name} — FAILED ✓
177
+ - GREEN: {changed files} — PASSED ✓
178
+ - REFACTOR: {what was cleaned}
179
+
180
+ ### FR-002: {title} (if applicable)
181
+ ...
182
+
183
+ ## Files Changed
184
+ | File | Change type | Lines |
185
+ |------|-------------|-------|
186
+ | {file} | Modified / Added | +{n} -{m} |
187
+
188
+ ## Test Results
189
+ - New tests: {count}
190
+ - Regression test: {test name} — PASS
191
+ - Full suite: {total} tests, all PASS
192
+
193
+ ## SonarQube
194
+ - Issues: 0
195
+ - Vulnerabilities: 0
196
+ - Duplication: {n}%
197
+
198
+ ## Build
199
+ - Compile: PASS
200
+ - Full test suite: PASS
201
+ ```
202
+
203
+ ## Phase Exit Protocol
204
+
205
+ Print PHASE REPORT:
206
+ - Bug: {bug-id}
207
+ - Status: IMPLEMENTATION COMPLETED
208
+ - Branch: `hotfix/{bug-id}`
209
+ - Tests: {new} new, {total} total — all PASS
210
+ - Files changed: {count}
211
+ - Output: `.vsaf/docs/hotfixes/{bug-id}/03-impl-log.md`
212
+ - Next step: `/sdlc-hotfix-ship`
213
+
214
+ Update `.vsaf/docs/STATUS.md`.
215
+
216
+ > Artifacts saved. If the session is interrupted, open a new session and run the next phase — data is safe.
217
+
218
+ ## Rules
219
+
220
+ - ⛔ Do NOT write code without a failing test first (TDD)
221
+ - ⛔ Do NOT modify `graphify-out/` or `.gitnexus/`
222
+ - ⛔ Do NOT exceed scope boundary defined in PRD
223
+ - ⛔ Do NOT use subagent-driven development — hotfixes are sequential, focused
224
+ - Code MUST compile — hard gate, no exceptions
225
+ - Full test suite MUST pass — no regressions allowed
226
+ - If fix fails 3 times → STOP, escalate to user
227
+ - If scope drift detected → STOP, go back to PRD
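Review bot: In Step 4, the fallback "If not → Claude self-reviews changed files against metrics above" lets the same agent that wrote the fix attest to `| Vulnerabilities | = 0 |`, and the `03-impl-log.md` template hard-codes `- Issues: 0` and `- Vulnerabilities: 0`, so the log reads the same whether a scanner ran or not. Have the template record where the result came from (a `sonar-scanner` run or self-review) and use placeholders instead of literal zeros. Separately, Step 2's `git checkout -b hotfix/{bug-id}` names no base branch, so the hotfix starts from whatever HEAD happens to be checked out, and `{bug-id}` is substituted into both a shell command and the `.vsaf/docs/hotfixes/{bug-id}/` path with no stated format. Naming the base branch and restricting the id to a fixed character set would close both gaps.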
@@ -0,0 +1,161 @@
1
+ ---
2
+ name: hotfix-prd
3
+ description: "Hotfix Phase 2 — Lightweight PRD from analysis: fix requirements, acceptance criteria, scope"
4
+ version: 1.0.0
5
+ author: "@ngocsangairvds/vsaf"
6
+ ---
7
+
8
+ # Hotfix Phase 2: PRD (Fix Requirements)
9
+
10
+ You are a Principal Product Owner focused on a surgical fix. Mission: define exactly what needs to change, acceptance criteria, and "done" definition — no discovery needed (grill already happened in analyze phase).
11
+
12
+ ## Language Rule
13
+
14
+ Output documents (02-prd.md) MUST be written in Vietnamese. Only keep English for: IDs, technical terms, code references.
15
+
16
+ ## Progress Protocol
17
+
18
+ Print progress at each step:
19
+ ```
20
+ [HOTFIX-PRD] [step/4] description... ⏳
21
+ [HOTFIX-PRD] [step/4] description... ✅
22
+ ```
23
+
24
+ ## Index Protection
25
+
26
+ ⛔ Do NOT modify `graphify-out/` or `.gitnexus/` — READ only.
27
+
28
+ ## Phase Entry Protocol
29
+
30
+ ```
31
+ [HOTFIX-PRD] [1/4] Checking input artifacts... ⏳
32
+ ```
33
+
34
+ 1. Input: `.vsaf/docs/hotfixes/{bug-id}/01-analysis.md`
35
+ 2. Verify file exists:
36
+ - Does not exist → Stop: "Analysis not found. Run `/sdlc-hotfix-analyze` first."
37
+ 3. Read the analysis file — extract:
38
+ - Root cause (file:line)
39
+ - Blast radius
40
+ - Fix strategy (proposed in analyze phase)
41
+ - Affected files
42
+ 4. Read `.vsaf/docs/STATUS.md`
43
+ 5. Read `CONTEXT.md`
44
+
45
+ ```
46
+ [HOTFIX-PRD] [1/4] Checking input artifacts... ✅
47
+ ```
48
+
49
+ ## Tasks
50
+
51
+ ### Step 2: Define Fix Requirements
52
+
53
+ ```
54
+ [HOTFIX-PRD] [2/4] Defining fix requirements from analysis... ⏳
55
+ ```
56
+
57
+ Based on the analysis (NOT a new grill session — that already happened), define:
58
+
59
+ 1. **Fix Goal** — one sentence: what the fix achieves
60
+ 2. **Functional Requirements** — FR-001, FR-002... (typically 1-3 for a hotfix)
61
+ - Each FR traces to the root cause or blast radius item
62
+ 3. **Acceptance Criteria** — Given/When/Then for each FR
63
+ - MUST include a regression test criterion: "Given the fix is applied, When {original reproduction steps}, Then {expected behavior}"
64
+ 4. **Scope Boundary** — explicitly state what is OUT of scope (no refactoring, no enhancements)
65
+ 5. **Non-Functional Requirements** — only if relevant (performance regression, security)
66
+
67
+ ```
68
+ [HOTFIX-PRD] [2/4] Defining fix requirements... ✅
69
+ ```
70
+
71
+ ### Step 3: Validate + Risk Check
72
+
73
+ ```
74
+ [HOTFIX-PRD] [3/4] Validating PRD... ⏳
75
+ ```
76
+
77
+ Use `/bmad-validate-prd` — validate:
78
+ - Every FR is testable
79
+ - Acceptance criteria are unambiguous
80
+ - Scope is minimal (hotfix, not enhancement)
81
+ - Fix addresses root cause, not just symptom
82
+
83
+ If FAIL → fix inline, re-validate.
84
+
85
+ Use GitNexus `impact` — confirm blast radius from analysis is still accurate.
86
+
87
+ ```
88
+ [HOTFIX-PRD] [3/4] Validating PRD... ✅
89
+ ```
90
+
91
+ ### Step 4: Write PRD
92
+
93
+ ```
94
+ [HOTFIX-PRD] [4/4] Writing hotfix PRD... ⏳
95
+ ```
96
+
97
+ Write file: `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
98
+
99
+ ```markdown
100
+ # Hotfix PRD: {bug-id}
101
+
102
+ ## Fix Goal
103
+ {one sentence}
104
+
105
+ ## Source
106
+ - Analysis: `01-analysis.md`
107
+ - Root cause: {file:line — summary}
108
+
109
+ ## Functional Requirements
110
+
111
+ ### FR-001: {title}
112
+ {description}
113
+
114
+ **Acceptance Criteria:**
115
+ - Given {context}, When {action}, Then {expected result}
116
+
117
+ ### FR-002: {title} (if needed)
118
+ ...
119
+
120
+ ## Non-Functional Requirements
121
+ {NFR-001 if applicable, otherwise "N/A — no NFR impact for this fix"}
122
+
123
+ ## Scope Boundary
124
+ **In scope:** {what will change}
125
+ **Out of scope:** {what will NOT change — no refactoring, no enhancements}
126
+
127
+ ## Blast Radius (confirmed)
128
+ {from GitNexus impact — files that may be affected}
129
+
130
+ ## Gate: {PENDING / APPROVED by {name} on {date}}
131
+ ```
132
+
133
+ ```
134
+ [HOTFIX-PRD] [4/4] Writing hotfix PRD... ✅
135
+ ```
136
+
137
+ ## Gate
138
+
139
+ Human must approve the PRD. Write `## Gate: APPROVED` at the end of the file.
140
+ Do NOT proceed to implementation without the Gate marker.
141
+
142
+ ## Phase Exit Protocol
143
+
144
+ Print PHASE REPORT:
145
+ - Bug: {bug-id}
146
+ - Status: PRD COMPLETED
147
+ - FRs: {count} functional requirements
148
+ - Output: `.vsaf/docs/hotfixes/{bug-id}/02-prd.md`
149
+ - Next step: `/sdlc-hotfix-implement`
150
+
151
+ Update `.vsaf/docs/STATUS.md`.
152
+
153
+ > Artifacts saved. If the session is interrupted, open a new session and run the next phase — data is safe.
154
+
155
+ ## Rules
156
+
157
+ - ⛔ Do NOT start a new grill session — analysis already has grill results
158
+ - ⛔ Do NOT modify `graphify-out/` or `.gitnexus/`
159
+ - ⛔ Do NOT add enhancements — hotfix scope only
160
+ - Scope MUST be minimal — fix root cause, add regression test, nothing more
161
+ - Every FR MUST be directly traceable to the root cause or blast radius
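Review bot: The Gate section (lines 137-140) says "Human must approve the PRD. Write `## Gate: APPROVED` at the end of the file." without saying who does the writing, and the only enforcement in later phases is a text check for that marker in a file this skill itself authors. State explicitly that the skill writes the PENDING form, stops, and never writes APPROVED on its own. The template line `## Gate: {PENDING / APPROVED by {name} on {date}}` should also be reconciled with the exact string the implement and ship phases look for, and the Language Rule (Vietnamese output) should exempt the Gate heading, since it is matched literally.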
@@ -0,0 +1,221 @@
1
+ ---
2
+ name: hotfix-ship
3
+ description: "Hotfix Phase 4 — Ship: commit, PR on hotfix branch, ship report"
4
+ version: 1.0.0
5
+ author: "@ngocsangairvds/vsaf"
6
+ ---
7
+
8
+ # Hotfix Phase 4: Ship
9
+
10
+ You are DevOps Engineer. Mission: ship the approved hotfix — commit, push, create PR, write ship report.
11
+
12
+ ## Progress Protocol
13
+
14
+ Print progress at each step:
15
+ ```
16
+ [HOTFIX-SHIP] [step/5] description... ⏳
17
+ [HOTFIX-SHIP] [step/5] description... ✅
18
+ ```
19
+
20
+ ## Phase Entry Protocol
21
+
22
+ ```
23
+ [HOTFIX-SHIP] [1/5] Checking prerequisites... ⏳
24
+ ```
25
+
26
+ 1. Input: `.vsaf/docs/hotfixes/{bug-id}/` directory
27
+ 2. Verify these files exist:
28
+ - `01-analysis.md` — root cause analysis
29
+ - `02-prd.md` — fix requirements (MUST have `## Gate: APPROVED`)
30
+ - `03-impl-log.md` — implementation log
31
+ 3. Check `02-prd.md` has `## Gate: APPROVED`
32
+ - No Gate → Stop: "PRD not approved. Get approval before shipping."
33
+ 4. Verify current branch is `hotfix/{bug-id}`
34
+ - Wrong branch → Stop: "Not on hotfix branch. Switch to `hotfix/{bug-id}`."
35
+ 5. Read `CONTEXT.md`
36
+
37
+ ```
38
+ [HOTFIX-SHIP] [1/5] Checking prerequisites... ✅
39
+ ```
40
+
41
+ ## Tasks
42
+
43
+ ### Step 2: .gitignore Enforcement
44
+
45
+ ```
46
+ [HOTFIX-SHIP] [2/5] Checking .gitignore... ⏳
47
+ ```
48
+
49
+ **MANDATORY** — verify before committing:
50
+
51
+ 1. Check `.gitignore` contains:
52
+ ```
53
+ graphify-out/
54
+ .gitnexus/
55
+ ```
56
+ 2. If MISSING → add automatically and notify user
57
+ 3. Verify with `git status` — `graphify-out/` and `.gitnexus/` do NOT appear
58
+ 4. If they appear → `git rm --cached -r graphify-out/ .gitnexus/`
59
+
60
+ ⚠️ **ABSOLUTELY DO NOT commit `graphify-out/` or `.gitnexus/`**
61
+
62
+ ```
63
+ [HOTFIX-SHIP] [2/5] Checking .gitignore... ✅
64
+ ```
65
+
66
+ ### Step 3: Final Test Gate
67
+
68
+ ```
69
+ [HOTFIX-SHIP] [3/5] Final test verification... ⏳
70
+ ```
71
+
72
+ Run full test suite one last time before shipping:
73
+ ```bash
74
+ npm test # or mvn test / gradle test / equivalent
75
+ ```
76
+
77
+ - ALL tests MUST pass
78
+ - If FAIL → Stop: "Tests failing. Fix before shipping."
79
+
80
+ ```
81
+ [HOTFIX-SHIP] [3/5] Final test verification... ✅
82
+ ```
83
+
84
+ ### Step 4: Commit + Push + PR
85
+
86
+ ```
87
+ [HOTFIX-SHIP] [4/5] Commit + push + create PR... ⏳
88
+ ```
89
+
90
+ **Commit scope — ONLY commit:**
91
+ - Source code changes (the fix)
92
+ - `.vsaf/docs/hotfixes/{bug-id}/` (all artifacts)
93
+ - `.gitignore` (if updated)
94
+
95
+ **DO NOT commit:**
96
+ - `graphify-out/`
97
+ - `.gitnexus/`
98
+
99
+ **Commit message format:**
100
+ ```
101
+ fix({area}): {short description}
102
+
103
+ Root cause: {one line from 01-analysis.md}
104
+ Closes: #{issue-number} (if applicable)
105
+ ```
106
+
107
+ **Push + PR:**
108
+ ```bash
109
+ git push -u origin hotfix/{bug-id}
110
+ gh pr create --title "fix({area}): {short description}" --body "{PR body}"
111
+ ```
112
+
113
+ **PR body template:**
114
+ ```markdown
115
+ ## Bug Fix: {bug-id}
116
+
117
+ ### Root Cause
118
+ {from 01-analysis.md — one paragraph}
119
+
120
+ ### Fix
121
+ {from 03-impl-log.md — what was changed and why}
122
+
123
+ ### Tests
124
+ - Regression test: `{test file}:{test name}`
125
+ - Full suite: {total} tests, all PASS
126
+
127
+ ### Affected Files
128
+ {list from 03-impl-log.md}
129
+
130
+ ### Scope
131
+ - ✅ Fix only — no refactoring, no enhancements
132
+ - ✅ Regression test added
133
+ - ✅ Full test suite passing
134
+
135
+ ---
136
+ > **Post-pull:** Run `npx -y gitnexus@latest analyze` and `/graphify` to re-index locally.
137
+ ```
138
+
139
+ ```
140
+ [HOTFIX-SHIP] [4/5] Commit + push + create PR... ✅
141
+ ```
142
+
143
+ ### Step 5: Ship Report
144
+
145
+ ```
146
+ [HOTFIX-SHIP] [5/5] Writing ship report... ⏳
147
+ ```
148
+
149
+ Write file: `.vsaf/docs/hotfixes/{bug-id}/04-ship.md`
150
+
151
+ ```markdown
152
+ # Ship Report: {bug-id}
153
+
154
+ ## PR
155
+ - {repo}: PR #{number} — {url}
156
+
157
+ ## Branch
158
+ `hotfix/{bug-id}` → `main`
159
+
160
+ ## Commit Scope
161
+ - Source code: {N} files (minimal fix)
162
+ - .vsaf/docs/: {M} files (hotfix artifacts)
163
+ - Excluded: graphify-out/, .gitnexus/ (local index)
164
+
165
+ ## Final Status
166
+ - Build: PASS
167
+ - Tests: all GREEN (including regression test)
168
+ - PRD Gate: APPROVED
169
+
170
+ ## Bug Fix Summary
171
+ - Root cause: {from 01-analysis.md}
172
+ - Regression test: {test file}:{test name}
173
+ - Fix: {minimal diff description}
174
+
175
+ ## Artifacts
176
+ - `01-analysis.md` — root cause analysis
177
+ - `02-prd.md` — fix requirements (approved)
178
+ - `03-impl-log.md` — TDD implementation log
179
+ - `04-ship.md` — this file
180
+
181
+ ## Post-pull Setup
182
+ After pulling the code, run:
183
+ - `npx -y gitnexus@latest analyze` — re-index code
184
+ - `/graphify` — rebuild knowledge graph
185
+ ```
186
+
187
+ ```
188
+ [HOTFIX-SHIP] [5/5] Writing ship report... ✅
189
+ ```
190
+
191
+ ## Phase Exit Protocol
192
+
193
+ Print PHASE REPORT:
194
+ ```
195
+ ═══════════════════════════════════════════
196
+ HOTFIX SHIPPED: {bug-id}
197
+ ═══════════════════════════════════════════
198
+ Flow: Analyze → PRD → Implement → Ship
199
+
200
+ PR: #{number} — {url}
201
+ Branch: hotfix/{bug-id}
202
+ Commit: source code + .vsaf/docs/ only
203
+ Excluded: graphify-out/, .gitnexus/
204
+
205
+ Artifacts: .vsaf/docs/hotfixes/{bug-id}/ (4 files)
206
+
207
+ Hotfix DONE.
208
+ ═══════════════════════════════════════════
209
+ ```
210
+
211
+ Update `.vsaf/docs/STATUS.md` → move to "Completed Hotfixes".
212
+
213
+ ## Rules
214
+
215
+ - ⛔ Do NOT review code — that happened during TDD (self-review via SonarQube)
216
+ - ⛔ Do NOT commit `graphify-out/` or `.gitnexus/`
217
+ - ⛔ Do NOT ship if tests are failing
218
+ - ⛔ Do NOT ship without PRD Gate: APPROVED
219
+ - Gate comes from PRD approval — no separate review phase needed
220
+ - PR description MUST be self-contained
221
+ - Commit message follows conventional format: `fix({area}): {description}`
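Review bot: The Rules section (lines 215-219) makes PRD approval the only human gate (`Do NOT review code`, `no separate review phase needed`), but that approval is read from `02-prd.md`, which per the flow line `Analyze → PRD → Implement → Ship` is written before any code exists, so the diff reaches a PR with only the implementer's self-review behind it. Either have the PR body state that the code has not been independently reviewed and request a reviewer, or drop the first rule. Smaller points: `gh pr create` has no `--base`, while the ship report template assumes `hotfix/{bug-id}` → `main`; the post-pull instruction `npx -y gitnexus@latest analyze` tells everyone who pulls the branch to execute an unpinned package without a prompt, so a pinned version is preferable; and Step 4 lists what to commit but gives no staging command, where staging by explicit path would keep unrelated working-tree files out.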
@@ -25,8 +25,9 @@ skills:
25
25
 
26
26
  # Hotfix flow
27
27
  - hotfix-analyze
28
- - hotfix-red
29
- - hotfix-green
28
+ - hotfix-prd
29
+ - hotfix-implement
30
+ - hotfix-ship
30
31
  - hotfix-review
31
32
 
32
33
  # Diagnostics
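Review bot: `hotfix-review` stays in the pack directly after `hotfix-ship`, yet the hotfix-ship skill added in this release declares the flow as Analyze → PRD → Implement → Ship and says no separate review phase is needed. If hotfix-review is no longer part of the hotfix flow, remove it or mark it optional here; if it still is, the ship skill's rules need to say where it runs.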
@@ -63,7 +63,9 @@ Record results in `02-prd.md` §Grill Log.
63
63
  [PRD] [3/5] Creating PRD from grill results... ⏳
64
64
  ```
65
65
 
66
- Based on grill results from Step 2, create structured PRD:
66
+ Use `/bmad-create-prd` — create structured PRD from grill results (Step 2).
67
+
68
+ Ensure the output covers:
67
69
 
68
70
  1. **Goals** — business goals + success metrics
69
71
  2. **User Stories** — each MUST have acceptance criteria (Given/When/Then)
@@ -85,7 +87,7 @@ Write to `02-prd.md` §Requirements.
85
87
 
86
88
  **4a — Validate PRD:**
87
89
 
88
- Check the PRD for:
90
+ Use `/bmad-validate-prd` — validate the PRD against BMAD standards:
89
91
  - Completeness — all user stories covered by FRs? All FRs traceable to a user story?
90
92
  - Clarity — any ambiguous requirements? Can each FR be implemented without guessing?
91
93
  - Testability — can each FR be verified with a test case?
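Review bot: On new line 90, `validate the PRD against BMAD standards:` is followed by the existing local checklist, so it is unclear whether the bullets are those standards or additional checks on top of them. The create step in the same file was reworded as a delegation plus "Ensure the output covers:"; using the same two-sentence pattern here would make it clear that the bullets remain mandatory regardless of what `/bmad-validate-prd` reports.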
@@ -69,7 +69,9 @@ Write to `08-review.md` §Verification.
69
69
  [REVIEW] [3/5] Adversarial code review... ⏳
70
70
  ```
71
71
 
72
- Perform adversarial code review on the feature branch diff:
72
+ Use `/bmad-code-review` — adversarial code review on the feature branch diff with parallel review layers (Blind Hunter, Edge Case Hunter, Acceptance Auditor).
73
+
74
+ Ensure the review covers:
73
75
 
74
76
  1. **Security scan** — SQL injection, XSS, command injection, hardcoded secrets, insecure deserialization
75
77
  2. **Data integrity** — null dereference, resource leaks, race conditions, missing transactions
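Review bot: The security scan in item 1 is now something to "ensure" from `/bmad-code-review` output (new lines 72-74), and none of the three named layers (Blind Hunter, Edge Case Hunter, Acceptance Auditor) is stated to own it. Say what happens when the delegated review returns nothing for a listed item: the reviewer should run that item itself and record each one as checked or not checked in `08-review.md`, so that silence is not read as a pass.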
@@ -15,7 +15,7 @@ Execute ALL checks below in order, then print the summary table.
15
15
 
16
16
  ### Check 1: SDLC Skills (filesystem)
17
17
 
18
- Use the Read tool to check each of these 16 skill files (sdlc-health is excluded — if you're running this, it's installed). If the file exists, mark ✓. If Read returns an error, mark ✗.
18
+ Use the Read tool to check each of these 17 skill files (sdlc-health is excluded — if you're running this, it's installed). If the file exists, mark ✓. If Read returns an error, mark ✗.
19
19
 
20
20
  ```
21
21
  .claude/skills/sdlc-init/SKILL.md
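Review bot: The check on line 18 only marks listed files as present or missing, so a project upgraded from 4.1.1 that still has `.claude/skills/sdlc-hotfix-red/SKILL.md` or `.claude/skills/sdlc-hotfix-green/SKILL.md` passes the health check with the removed skills still installed. Consider a ⚠ row for skill directories that are no longer in the list.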
@@ -31,8 +31,9 @@ Use the Read tool to check each of these 16 skill files (sdlc-health is excluded
31
31
  .claude/skills/sdlc-feature-complete/SKILL.md
32
32
  .claude/skills/sdlc-ship/SKILL.md
33
33
  .claude/skills/sdlc-hotfix-analyze/SKILL.md
34
- .claude/skills/sdlc-hotfix-red/SKILL.md
35
- .claude/skills/sdlc-hotfix-green/SKILL.md
34
+ .claude/skills/sdlc-hotfix-prd/SKILL.md
35
+ .claude/skills/sdlc-hotfix-implement/SKILL.md
36
+ .claude/skills/sdlc-hotfix-ship/SKILL.md
36
37
  .claude/skills/sdlc-hotfix-review/SKILL.md
37
38
  ```
38
39
 
@@ -137,7 +138,7 @@ After completing all checks, print this summary:
137
138
 
138
139
  | Category | Status | Details |
139
140
  |----------------------|--------|-----------------------------------------|
140
- | SDLC Skills (16) | {s} | {deployed}/{16} deployed |
141
+ | SDLC Skills (17) | {s} | {deployed}/{17} deployed |
141
142
  | BMAD Skills (17) | {s} | {deployed}/{17} deployed |
142
143
  | mattpocock Skills (5)| {s} | {deployed}/{5} deployed |
143
144
  | Plugins | {s} | superpowers {s} |
@@ -163,5 +164,5 @@ Replace `{s}` with: ✓ (pass), ✗ (required missing), ⚠ (optional missing).
163
164
  - ✗ = required missing → must fix before using SDLC
164
165
  - ⚠ = optional missing → SDLC works but some features unavailable
165
166
 
166
- **Required:** all 16 SDLC skills, all 17 BMAD skills, all 5 mattpocock skills, superpowers plugin, gh binary, graphify binary + skill, gitnexus MCP, .mcp.json entries
167
+ **Required:** all 17 SDLC skills, all 17 BMAD skills, all 5 mattpocock skills, superpowers plugin, gh binary, graphify binary + skill, gitnexus MCP, .mcp.json entries
167
168
  **Optional:** docker, sonar-scanner, vsaf MCP (only for coroutine engine)
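Review bot: The count `17` is now hand-edited in three places (the Check 1 instruction, the summary table row, and the Required line at 167) and has to agree with the length of the file list. Deriving the displayed count from the list, or dropping the number from the prose, removes the chance of the next skill addition leaving them out of step.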