@sleighmaster/bmad 1.5.12 → 1.5.14

package/data/_bmad/_config/manifest.yaml

@@ -1,7 +1,7 @@
 distribution:
   name: BMad6GitHub
   version: 1.2.0
-  upstream: 6.2.0
+  upstream: 6.2.1
   repo: https://github.com/SleighMaster99/BMad6GitHub
 installation:
   version: 6.0.0-Beta.4

package/data/_bmad/bmm/workflows/4-implementation/code-review/instructions.xml

@@ -14,6 +14,16 @@
   <critical>Acceptance Criteria not implemented = HIGH severity finding</critical>
   <critical>Do not review files that are not part of the application's source code. Always exclude the _bmad/ and _bmad-output/ folders from the review. Always exclude IDE and CLI configuration folders like .cursor/ and .windsurf/ and .claude/</critical>
 
+  <critical>🛑 SELF-REVIEW BIAS WARNING: If YOU are the same agent that implemented this story, your confirmation bias is EXTREME.
+    You will instinctively believe your code is correct. You will gloss over edge cases you "already thought about."
+    You will find fewer issues because you remember your intent, not the actual code.
+    FIGHT THIS. Pretend you are a hostile external reviewer who WANTS to find problems.
+    A story with 55+ tests, DB migrations, and multiple AC should NEVER have 0 review issues.</critical>
+
+  <critical>🛑 MINIMUM REVIEW ROUNDS: You MUST complete at least 2 full review rounds before declaring clean.
+    Round 1 finds-and-fixes. Round 2 re-reviews everything from scratch. Only Round 2+ can declare "0 issues."
+    A single-round "looks good" is NEVER acceptable — it means you didn't look hard enough.</critical>
+
 
   <step n="1" goal="Load story and discover changes">
     <action>Use provided {{story_path}} or ask user which story file to review</action>
@@ -66,9 +76,17 @@
     <!-- Review loop tracking -->
     <action>Set {{review_round}} = {{review_round}} + 1</action>
     <check if="{{review_round}} gt 1">
-      <output>🔄 **Re-review Round {{review_round}}** — Verifying previous fixes and scanning for remaining issues...</output>
-      <action>Re-read ALL modified files to verify previous round's fixes were applied correctly</action>
+      <critical>⚠️ THIS IS NOT A VERIFICATION PASS — THIS IS A FULL ADVERSARIAL RE-REVIEW FROM SCRATCH.
+        You MUST NOT assume your fixes are correct. You have confirmation bias — fight it.
+        Treat this round as if a DIFFERENT reviewer is seeing the code for the first time.
+        Execute ALL checks below (AC Validation, Task Audit, Code Quality) with the SAME rigor as Round 1.
+        "Re-read modified files" means read EVERY file in the comprehensive review list, not just the ones you touched.
+        If you are the same agent that implemented this code, you are ESPECIALLY biased about your own fixes.
+        Your instinct will be to skim files you "just fixed" — DO NOT do this. Read every line again.</critical>
+      <output>🔄 **Re-review Round {{review_round}}** — FULL adversarial re-review (not just fix verification)...</output>
+      <action>Re-read ALL files in the comprehensive review list (not just files modified in the previous round)</action>
       <action>Re-run git status/diff to capture latest changes</action>
+      <action>Re-extract ALL Acceptance Criteria and Tasks from the story file (do NOT rely on memory from previous rounds)</action>
     </check>
 
     <!-- Git vs Story Discrepancies -->
@@ -107,17 +125,48 @@
     </action>
 
     <check if="total_issues_found lt 3">
-      <critical>NOT LOOKING HARD ENOUGH - Find more problems!</critical>
+      <critical>🛑 NOT LOOKING HARD ENOUGH - You MUST find at least 3 issues! 🛑
+        Finding fewer than 3 issues means you are being lazy or have confirmation bias.
+        NO codebase is perfect. Every implementation has edge cases, missing validation, or quality issues.
+        You CANNOT proceed to Step 4 until you have found at least 3 specific, actionable issues.
+        DO NOT fabricate issues — but DO look harder at:
+      </critical>
       <action>Re-examine code for:
-        - Edge cases and null handling
-        - Architecture violations
-        - Documentation gaps
-        - Integration issues
-        - Dependency problems
-        - Git commit message quality (if applicable)
+        - Edge cases and null handling (what happens with empty input? null? undefined?)
+        - Architecture violations (does it follow the documented patterns?)
+        - Missing error handling (what if the DB call fails? API timeout? invalid data?)
+        - Security issues (SQL injection? XSS? missing auth checks? input validation?)
+        - Performance (N+1 queries? unnecessary re-renders? missing memoization?)
+        - Test quality (are assertions specific? do tests cover error paths? any mocked-away logic?)
+        - Integration issues (does it work with the rest of the system? race conditions?)
+        - Dependency problems (version conflicts? unused imports? circular dependencies?)
       </action>
-      <action>Find at least 3 more specific, actionable issues</action>
+      <action>Find at least 3 more specific, actionable issues — go back and re-read the files if necessary</action>
     </check>
+
+    <!-- Mandatory review evidence output — required EVERY round before proceeding to Step 4 -->
+    <critical>You MUST output the following structured evidence checklist BEFORE proceeding to Step 4.
+      If you cannot fill in specific evidence for each section, you have NOT completed the review.
+      Do NOT proceed to Step 4 until every section has concrete evidence.</critical>
+    <output>### 📋 Review Evidence (Round {{review_round}})
+
+      **Files Actually Read This Round:** [list every file path you read]
+
+      **AC Verification:**
+      {{for each AC}}
+      - AC#{{n}}: {{IMPLEMENTED|PARTIAL|MISSING}} — Evidence: {{file:line or specific code reference}}
+      {{/for}}
+
+      **Task Audit:**
+      {{for each [x] task}}
+      - Task {{n}}: {{VERIFIED|NOT DONE}} — Evidence: {{file:line or specific code reference}}
+      {{/for}}
+
+      **Security/Performance Spot-Check:**
+      - Checked: {{list specific checks performed with file references}}
+
+      **Issues Found This Round:** {{count}} ({{high}} HIGH, {{medium}} MEDIUM, {{low}} LOW)
+    </output>
   </step>
 
   <step n="4" goal="Record findings, auto-fix, and loop until clean">
@@ -161,9 +210,20 @@
 
     <!-- 4c. Check if there are any issues to fix -->
     <check if="{{high_count}} + {{medium_count}} + {{low_count}} == 0">
-      <!-- No issues at all — review is clean -->
-      <output>✅ **No issues found! Code is clean.**</output>
-      <!-- Proceed to Step 5 (completion) -->
+      <!-- Enforce minimum 2 rounds before allowing clean exit -->
+      <check if="{{review_round}} lt 2">
+        <critical>🛑 Round 1 found 0 issues — this is SUSPICIOUS. No codebase is perfect on first pass.
+          You MUST loop back and re-review with deeper scrutiny. Look at EVERY file again.
+          Check edge cases, error paths, security, performance, test quality.
+          A story with tests, AC validation, and multiple files ALWAYS has improvement opportunities.</critical>
+        <output>⚠️ **Round {{review_round}} found 0 issues — forcing deeper re-review...**</output>
+        <goto step="3" scope="FULL" depth="adversarial">Mandatory deeper re-review — 0 issues in early round is not credible</goto>
+      </check>
+      <check if="{{review_round}} gte 2">
+        <!-- Round 2+ with 0 issues — legitimate clean exit -->
+        <output>✅ **No issues found in Round {{review_round}}! Code is clean.**</output>
+        <!-- Proceed to Step 5 (completion) -->
+      </check>
     </check>
 
     <check if="{{high_count}} + {{medium_count}} + {{low_count}} gt 0">
@@ -179,8 +239,8 @@
 
       <output>🔧 **Round {{review_round}} fixes applied:** {{fixed_count}} issues fixed. Looping back for re-review...</output>
 
-      <!-- Loop back to Step 3 for re-review -->
-      <goto step="3">Re-review after fixes</goto>
+      <!-- Loop back to Step 3 for FULL re-review — not just verification of fixes -->
+      <goto step="3" scope="FULL" depth="adversarial">Full adversarial re-review — re-execute ALL checks from scratch, not just verify fixes</goto>
     </check>
   </step>
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleighmaster/bmad",
-  "version": "1.5.12",
+  "version": "1.5.14",
   "description": "BMad6GitHub CLI - BMAD + GitHub Integration installer",
   "type": "module",
   "bin": {