appiq-solution 1.4.3 → 1.4.5

package/bmad-core/checklists/security-validation-checklist.md

@@ -0,0 +1,332 @@
+# Security Validation Checklist
+
+## 📋 Overview
+This comprehensive security checklist ensures applications meet security standards across all supported frameworks (Web, Mobile, Backend) before production deployment.
+
+## 🔒 Authentication & Authorization
+
+### Web Applications (React, Vue, Angular)
+- [ ] **JWT Token Security**: Tokens stored securely (httpOnly cookies or secure storage)
+- [ ] **Token Expiration**: Proper token expiration and refresh mechanisms
+- [ ] **Session Management**: Secure session handling and timeout
+- [ ] **Multi-Factor Authentication**: MFA implemented where required
+- [ ] **OAuth Integration**: Secure OAuth 2.0 implementation
+- [ ] **Password Policy**: Strong password requirements enforced
+- [ ] **Account Lockout**: Brute force protection implemented
+- [ ] **CSRF Protection**: Cross-Site Request Forgery protection enabled
+
+### Mobile Applications (Flutter)
+- [ ] **Biometric Authentication**: Secure biometric authentication where applicable
+- [ ] **Secure Storage**: Sensitive data stored using flutter_secure_storage
+- [ ] **Certificate Pinning**: SSL certificate pinning implemented
+- [ ] **App Transport Security**: Proper ATS configuration for iOS
+- [ ] **Root/Jailbreak Detection**: Detection and response to compromised devices
+- [ ] **Keychain/Keystore**: Proper use of platform security features
+- [ ] **Deep Link Security**: Secure handling of deep links and intents
+- [ ] **Background App Security**: Secure handling of app backgrounding
+
+### Backend Services
+- [ ] **API Authentication**: Proper API authentication mechanisms
+- [ ] **Role-Based Access Control**: RBAC implemented correctly
+- [ ] **Privilege Escalation**: Protection against privilege escalation
+- [ ] **Service-to-Service Auth**: Secure service authentication
+- [ ] **API Key Management**: Secure API key storage and rotation
+- [ ] **Database Access Control**: Proper database user permissions
+- [ ] **Admin Interface Security**: Secure admin panel access
+- [ ] **Audit Logging**: Comprehensive authentication audit logs
+
+## 🛡️ Input Validation & Data Security
+
+### Client-Side Validation
+- [ ] **Input Sanitization**: All user inputs sanitized before processing
+- [ ] **XSS Prevention**: Cross-Site Scripting protection implemented
+- [ ] **Form Validation**: Comprehensive client-side form validation
+- [ ] **File Upload Security**: Secure file upload handling
+- [ ] **Content Security Policy**: CSP headers properly configured
+- [ ] **DOM Manipulation**: Safe DOM manipulation practices
+- [ ] **Event Handler Security**: Secure event handler implementation
+- [ ] **Third-Party Script Security**: Secure integration of third-party scripts
+
+### Server-Side Validation
+- [ ] **Input Validation**: All inputs validated on server side
+- [ ] **SQL Injection Prevention**: Parameterized queries used
+- [ ] **NoSQL Injection Prevention**: NoSQL injection protection
+- [ ] **Command Injection Prevention**: Command injection protection
+- [ ] **Path Traversal Prevention**: Directory traversal protection
+- [ ] **Data Type Validation**: Proper data type validation
+- [ ] **Business Logic Validation**: Business rule validation
+- [ ] **Rate Limiting**: API rate limiting implemented
+
+### Data Protection
+- [ ] **Encryption at Rest**: Sensitive data encrypted in storage
+- [ ] **Encryption in Transit**: All data encrypted during transmission
+- [ ] **PII Handling**: Personal data handled according to regulations
+- [ ] **Data Masking**: Sensitive data masked in logs and UI
+- [ ] **Secure Deletion**: Secure data deletion procedures
+- [ ] **Data Backup Security**: Secure backup procedures
+- [ ] **Database Encryption**: Database encryption enabled
+- [ ] **Key Management**: Proper encryption key management
+
+## 🌐 Network & API Security
+
+### HTTPS & TLS
+- [ ] **HTTPS Enforcement**: All traffic uses HTTPS
+- [ ] **TLS Version**: Modern TLS versions (1.2+) enforced
+- [ ] **Certificate Validation**: Proper SSL certificate validation
+- [ ] **HSTS Headers**: HTTP Strict Transport Security enabled
+- [ ] **Certificate Transparency**: Certificate transparency compliance
+- [ ] **Perfect Forward Secrecy**: PFS enabled for connections
+- [ ] **Cipher Suite Security**: Secure cipher suites configured
+- [ ] **Mixed Content Prevention**: No mixed HTTP/HTTPS content
+
+### API Security
+- [ ] **API Versioning**: Proper API versioning strategy
+- [ ] **CORS Configuration**: Correct CORS policy implementation
+- [ ] **API Documentation**: Security considerations documented
+- [ ] **Error Handling**: Secure error messages (no data leakage)
+- [ ] **Request Size Limits**: Proper request size limitations
+- [ ] **Timeout Configuration**: Appropriate timeout settings
+- [ ] **API Gateway Security**: Secure API gateway configuration
+- [ ] **Webhook Security**: Secure webhook implementation
+
+### Firebase/Supabase Security
+- [ ] **Firestore Rules**: Proper Firestore security rules
+- [ ] **Storage Rules**: Secure Firebase Storage rules
+- [ ] **Cloud Function Security**: Secure Cloud Functions
+- [ ] **Row Level Security**: Supabase RLS policies implemented
+- [ ] **Database Policies**: Proper database access policies
+- [ ] **Edge Function Security**: Secure Edge Functions
+- [ ] **Real-time Security**: Secure real-time subscriptions
+- [ ] **Service Account Security**: Secure service account usage
+
+## 📱 Mobile-Specific Security
+
+### Flutter Security
+- [ ] **Code Obfuscation**: Release builds obfuscated
+- [ ] **Debug Information**: Debug info removed from release
+- [ ] **Asset Protection**: Sensitive assets protected
+- [ ] **Network Security Config**: Proper network security configuration
+- [ ] **Intent Filter Security**: Secure intent filter configuration
+- [ ] **Permissions**: Minimal required permissions requested
+- [ ] **Runtime Permissions**: Proper runtime permission handling
+- [ ] **Secure Communication**: Secure inter-app communication
+
+### Platform Security
+- [ ] **Android Security**: Android-specific security measures
+- [ ] **iOS Security**: iOS-specific security measures
+- [ ] **App Store Security**: App store security requirements met
+- [ ] **Binary Protection**: Binary tampering protection
+- [ ] **Reverse Engineering**: Protection against reverse engineering
+- [ ] **Dynamic Analysis**: Protection against dynamic analysis
+- [ ] **Hooking Protection**: Protection against runtime manipulation
+- [ ] **Emulator Detection**: Emulator detection where required
+
+## 🔧 Infrastructure Security
+
+### Deployment Security
+- [ ] **Environment Separation**: Proper environment isolation
+- [ ] **Secret Management**: Secure secret storage and access
+- [ ] **Container Security**: Secure container configuration
+- [ ] **CI/CD Security**: Secure build and deployment pipeline
+- [ ] **Dependency Scanning**: Automated dependency vulnerability scanning
+- [ ] **Image Scanning**: Container image vulnerability scanning
+- [ ] **Infrastructure as Code**: Secure IaC practices
+- [ ] **Access Control**: Proper infrastructure access control
+
+### Monitoring & Logging
+- [ ] **Security Monitoring**: Comprehensive security monitoring
+- [ ] **Intrusion Detection**: Intrusion detection systems
+- [ ] **Log Security**: Secure log storage and access
+- [ ] **Audit Trails**: Comprehensive audit logging
+- [ ] **Alerting**: Security incident alerting
+- [ ] **SIEM Integration**: Security Information and Event Management
+- [ ] **Vulnerability Scanning**: Regular vulnerability assessments
+- [ ] **Penetration Testing**: Regular penetration testing
+
+## 🧪 Security Testing
+
+### Automated Testing
+- [ ] **SAST Tools**: Static Application Security Testing
+- [ ] **DAST Tools**: Dynamic Application Security Testing
+- [ ] **Dependency Scanning**: Automated dependency vulnerability scanning
+- [ ] **Container Scanning**: Container security scanning
+- [ ] **Infrastructure Scanning**: Infrastructure security scanning
+- [ ] **License Compliance**: Open source license compliance
+- [ ] **Secret Scanning**: Automated secret detection
+- [ ] **Security Unit Tests**: Security-focused unit tests
+
+### Manual Testing
+- [ ] **Code Review**: Security-focused code reviews
+- [ ] **Architecture Review**: Security architecture review
+- [ ] **Threat Modeling**: Comprehensive threat modeling
+- [ ] **Penetration Testing**: Professional penetration testing
+- [ ] **Social Engineering**: Social engineering assessments
+- [ ] **Physical Security**: Physical security assessments
+- [ ] **Red Team Exercises**: Red team security exercises
+- [ ] **Bug Bounty**: Bug bounty program participation
+
+## 📋 Compliance & Standards
+
+### Regulatory Compliance
+- [ ] **GDPR Compliance**: General Data Protection Regulation
+- [ ] **CCPA Compliance**: California Consumer Privacy Act
+- [ ] **HIPAA Compliance**: Health Insurance Portability and Accountability Act
+- [ ] **PCI DSS**: Payment Card Industry Data Security Standard
+- [ ] **SOX Compliance**: Sarbanes-Oxley Act compliance
+- [ ] **Industry Standards**: Industry-specific security standards
+- [ ] **Privacy Policy**: Comprehensive privacy policy
+- [ ] **Terms of Service**: Security-focused terms of service
+
+### Security Standards
+- [ ] **OWASP Top 10**: OWASP Top 10 vulnerabilities addressed
+- [ ] **NIST Framework**: NIST Cybersecurity Framework compliance
+- [ ] **ISO 27001**: ISO 27001 security management
+- [ ] **SOC 2**: SOC 2 compliance requirements
+- [ ] **SANS Top 25**: SANS Top 25 software errors addressed
+- [ ] **CIS Controls**: Center for Internet Security controls
+- [ ] **Security Benchmarks**: Industry security benchmarks
+- [ ] **Secure Coding Standards**: Secure coding practices
+
+## 🚨 Incident Response
+
+### Preparation
+- [ ] **Incident Response Plan**: Comprehensive incident response plan
+- [ ] **Security Team**: Dedicated security response team
+- [ ] **Communication Plan**: Security incident communication plan
+- [ ] **Escalation Procedures**: Clear escalation procedures
+- [ ] **Contact Information**: Updated security contact information
+- [ ] **Documentation**: Incident response documentation
+- [ ] **Training**: Security incident response training
+- [ ] **Testing**: Regular incident response testing
+
+### Response Capabilities
+- [ ] **Detection Capabilities**: Rapid security incident detection
+- [ ] **Containment Procedures**: Incident containment procedures
+- [ ] **Eradication Process**: Threat eradication process
+- [ ] **Recovery Procedures**: System recovery procedures
+- [ ] **Forensic Capabilities**: Digital forensic capabilities
+- [ ] **Legal Coordination**: Legal team coordination
+- [ ] **Customer Communication**: Customer notification procedures
+- [ ] **Regulatory Reporting**: Regulatory reporting procedures
+
+## ✅ Framework-Specific Security
+
+### React/Next.js Security
+- [ ] **Server-Side Rendering Security**: Secure SSR implementation
+- [ ] **Client-Side Routing Security**: Secure client-side routing
+- [ ] **Component Security**: Secure React component practices
+- [ ] **State Management Security**: Secure state management
+- [ ] **Build Security**: Secure build configuration
+- [ ] **Bundle Security**: Secure bundle configuration
+- [ ] **Environment Variables**: Secure environment variable handling
+- [ ] **Third-Party Libraries**: Secure third-party integrations
+
+### Vue.js Security
+- [ ] **Template Security**: Secure Vue template practices
+- [ ] **Directive Security**: Secure custom directive implementation
+- [ ] **Vuex Security**: Secure Vuex state management
+- [ ] **Router Security**: Secure Vue Router configuration
+- [ ] **SSR Security**: Secure Nuxt.js server-side rendering
+- [ ] **Plugin Security**: Secure Vue plugin usage
+- [ ] **Composition API Security**: Secure Composition API usage
+- [ ] **Build Tool Security**: Secure Vite/Webpack configuration
+
+### Angular Security
+- [ ] **Template Security**: Secure Angular template practices
+- [ ] **Service Security**: Secure Angular service implementation
+- [ ] **Guard Security**: Secure route guard implementation
+- [ ] **Interceptor Security**: Secure HTTP interceptor usage
+- [ ] **Dependency Injection Security**: Secure DI practices
+- [ ] **AOT Compilation**: Ahead-of-Time compilation enabled
+- [ ] **Ivy Renderer Security**: Secure Ivy renderer usage
+- [ ] **Universal Security**: Secure Angular Universal SSR
+
+### Flutter Security
+- [ ] **Widget Security**: Secure widget implementation
+- [ ] **Navigation Security**: Secure navigation handling
+- [ ] **State Management Security**: Secure Cubit/BLoC implementation
+- [ ] **HTTP Security**: Secure Dio HTTP client configuration
+- [ ] **Local Storage Security**: Secure Hive/SharedPreferences usage
+- [ ] **Platform Channel Security**: Secure platform channel usage
+- [ ] **Plugin Security**: Secure Flutter plugin usage
+- [ ] **Build Security**: Secure Flutter build configuration
+
+## 🎯 Security Validation Results
+
+### Critical Issues (Must Fix)
+- [ ] No critical security vulnerabilities identified
+- [ ] All authentication mechanisms secure
+- [ ] All data encryption properly implemented
+- [ ] All input validation in place
+- [ ] All access controls functioning
+
+### High Priority Issues (Should Fix)
+- [ ] No high priority security issues
+- [ ] Security monitoring fully implemented
+- [ ] Incident response plan tested
+- [ ] Security training completed
+- [ ] Compliance requirements met
+
+### Medium Priority Issues (Could Fix)
+- [ ] No medium priority security issues
+- [ ] Security documentation complete
+- [ ] Automated security testing implemented
+- [ ] Regular security assessments scheduled
+- [ ] Security metrics tracked
+
+### Low Priority Issues (Nice to Have)
+- [ ] No low priority security issues
+- [ ] Advanced security features implemented
+- [ ] Security research initiatives
+- [ ] Industry best practices adopted
+- [ ] Security community participation
+
+## 📊 Security Metrics
+
+### Security KPIs
+- [ ] **Vulnerability Detection Time**: Average time to detect vulnerabilities
+- [ ] **Vulnerability Resolution Time**: Average time to resolve vulnerabilities
+- [ ] **Security Test Coverage**: Percentage of code covered by security tests
+- [ ] **Incident Response Time**: Average incident response time
+- [ ] **Security Training Completion**: Percentage of team with security training
+
+### Compliance Metrics
+- [ ] **Regulatory Compliance Score**: Compliance with applicable regulations
+- [ ] **Security Standard Compliance**: Compliance with security standards
+- [ ] **Audit Results**: Results of security audits
+- [ ] **Penetration Test Results**: Results of penetration tests
+- [ ] **Bug Bounty Results**: Results of bug bounty programs
+
+## 🔍 Final Security Validation
+
+### Pre-Production Checklist
+- [ ] All security tests passed
+- [ ] Security code review completed
+- [ ] Penetration testing completed
+- [ ] Vulnerability assessment completed
+- [ ] Security documentation updated
+- [ ] Incident response plan updated
+- [ ] Security monitoring configured
+- [ ] Compliance requirements verified
+
+### Production Readiness
+- [ ] Security baseline established
+- [ ] Monitoring and alerting configured
+- [ ] Incident response team ready
+- [ ] Security documentation accessible
+- [ ] Compliance evidence collected
+- [ ] Security training completed
+- [ ] Regular security assessments scheduled
+- [ ] Security metrics tracking enabled
+
+---
+
+**Security Validation Sign-off**
+
+- [ ] **Security Lead**: Security validation completed and approved
+- [ ] **Development Lead**: Security requirements implemented
+- [ ] **QA Lead**: Security testing completed successfully
+- [ ] **Compliance Officer**: Regulatory requirements met
+- [ ] **Product Owner**: Security acceptance criteria satisfied
+
+**Note**: This security checklist must be completed for all applications before production deployment. Any critical or high-priority security issues must be resolved before go-live.

package/bmad-core/checklists/story-dod-checklist.md

@@ -0,0 +1,101 @@
+# Story Definition of Done (DoD) Checklist
+
+## Instructions for Developer Agent
+
+Before marking a story as 'Review', please go through each item in this checklist. Report the status of each item (e.g., [x] Done, [ ] Not Done, [N/A] Not Applicable) and provide brief comments if necessary.
+
+[[LLM: INITIALIZATION INSTRUCTIONS - STORY DOD VALIDATION
+
+This checklist is for DEVELOPER AGENTS to self-validate their work before marking a story complete.
+
+IMPORTANT: This is a self-assessment. Be honest about what's actually done vs what should be done. It's better to identify issues now than have them found in review.
+
+EXECUTION APPROACH:
+
+1. Go through each section systematically
+2. Mark items as [x] Done, [ ] Not Done, or [N/A] Not Applicable
+3. Add brief comments explaining any [ ] or [N/A] items
+4. Be specific about what was actually implemented
+5. Flag any concerns or technical debt created
+
+The goal is quality delivery, not just checking boxes.]]
+
+## Checklist Items
+
+1. **Requirements Met:**
+
+   [[LLM: Be specific - list each requirement and whether it's complete]]
+
+   - [ ] All functional requirements specified in the story are implemented.
+   - [ ] All acceptance criteria defined in the story are met.
+
+2. **Coding Standards & Project Structure:**
+
+   [[LLM: Code quality matters for maintainability. Check each item carefully]]
+
+   - [ ] All new/modified code strictly adheres to `Operational Guidelines`.
+   - [ ] All new/modified code aligns with `Project Structure` (file locations, naming, etc.).
+   - [ ] Adherence to `Tech Stack` for technologies/versions used (if story introduces or modifies tech usage).
+   - [ ] Adherence to `Api Reference` and `Data Models` (if story involves API or data model changes).
+   - [ ] Basic security best practices (e.g., input validation, proper error handling, no hardcoded secrets) applied for new/modified code.
+   - [ ] No new linter errors or warnings introduced.
+   - [ ] Code is well-commented where necessary (clarifying complex logic, not obvious statements).
+
+3. **Testing:**
+
+   [[LLM: Testing proves your code works. Be honest about test coverage]]
+
+   - [ ] All required unit tests as per the story and `Operational Guidelines` Testing Strategy are implemented.
+   - [ ] All required integration tests (if applicable) as per the story and `Operational Guidelines` Testing Strategy are implemented.
+   - [ ] All tests (unit, integration, E2E if applicable) pass successfully.
+   - [ ] Test coverage meets project standards (if defined).
+
+4. **Functionality & Verification:**
+
+   [[LLM: Did you actually run and test your code? Be specific about what you tested]]
+
+   - [ ] Functionality has been manually verified by the developer (e.g., running the app locally, checking UI, testing API endpoints).
+   - [ ] Edge cases and potential error conditions considered and handled gracefully.
+
+5. **Story Administration:**
+
+   [[LLM: Documentation helps the next developer. What should they know?]]
+
+   - [ ] All tasks within the story file are marked as complete.
+   - [ ] Any clarifications or decisions made during development are documented in the story file or linked appropriately.
+   - [ ] The story wrap up section has been completed with notes of changes or information relevant to the next story or overall project, the agent model that was primarily used during development, and the changelog of any changes is properly updated.
+
+6. **Dependencies, Build & Configuration:**
+
+   [[LLM: Build issues block everyone. Ensure everything compiles and runs cleanly]]
+
+   - [ ] Project builds successfully without errors.
+   - [ ] Project linting passes
+   - [ ] Any new dependencies added were either pre-approved in the story requirements OR explicitly approved by the user during development (approval documented in story file).
+   - [ ] If new dependencies were added, they are recorded in the appropriate project files (e.g., `package.json`, `requirements.txt`) with justification.
+   - [ ] No known security vulnerabilities introduced by newly added and approved dependencies.
+   - [ ] If new environment variables or configurations were introduced by the story, they are documented and handled securely.
+
+7. **Documentation (If Applicable):**
+
+   [[LLM: Good documentation prevents future confusion. What needs explaining?]]
+
+   - [ ] Relevant inline code documentation (e.g., JSDoc, TSDoc, Python docstrings) for new public APIs or complex logic is complete.
+   - [ ] User-facing documentation updated, if changes impact users.
+   - [ ] Technical documentation (e.g., READMEs, system diagrams) updated if significant architectural changes were made.
+
+## Final Confirmation
+
+[[LLM: FINAL DOD SUMMARY
+
+After completing the checklist:
+
+1. Summarize what was accomplished in this story
+2. List any items marked as [ ] Not Done with explanations
+3. Identify any technical debt or follow-up work needed
+4. Note any challenges or learnings for future stories
+5. Confirm whether the story is truly ready for review
+
+Be honest - it's better to flag issues now than have them discovered later.]]
+
+- [ ] I, the Developer Agent, confirm that all applicable items above have been addressed.

package/bmad-core/checklists/story-draft-checklist.md

@@ -0,0 +1,156 @@
+# Story Draft Checklist
+
+The Scrum Master should use this checklist to validate that each story contains sufficient context for a developer agent to implement it successfully, while assuming the dev agent has reasonable capabilities to figure things out.
+
+[[LLM: INITIALIZATION INSTRUCTIONS - STORY DRAFT VALIDATION
+
+Before proceeding with this checklist, ensure you have access to:
+
+1. The story document being validated (usually in docs/stories/ or provided directly)
+2. The parent epic context
+3. Any referenced architecture or design documents
+4. Previous related stories if this builds on prior work
+
+IMPORTANT: This checklist validates individual stories BEFORE implementation begins.
+
+VALIDATION PRINCIPLES:
+
+1. Clarity - A developer should understand WHAT to build
+2. Context - WHY this is being built and how it fits
+3. Guidance - Key technical decisions and patterns to follow
+4. Testability - How to verify the implementation works
+5. Self-Contained - Most info needed is in the story itself
+
+REMEMBER: We assume competent developer agents who can:
+
+- Research documentation and codebases
+- Make reasonable technical decisions
+- Follow established patterns
+- Ask for clarification when truly stuck
+
+We're checking for SUFFICIENT guidance, not exhaustive detail.]]
+
+## 1. GOAL & CONTEXT CLARITY
+
+[[LLM: Without clear goals, developers build the wrong thing. Verify:
+
+1. The story states WHAT functionality to implement
+2. The business value or user benefit is clear
+3. How this fits into the larger epic/product is explained
+4. Dependencies are explicit ("requires Story X to be complete")
+5. Success looks like something specific, not vague]]
+
+- [ ] Story goal/purpose is clearly stated
+- [ ] Relationship to epic goals is evident
+- [ ] How the story fits into overall system flow is explained
+- [ ] Dependencies on previous stories are identified (if applicable)
+- [ ] Business context and value are clear
+
+## 2. TECHNICAL IMPLEMENTATION GUIDANCE
+
+[[LLM: Developers need enough technical context to start coding. Check:
+
+1. Key files/components to create or modify are mentioned
+2. Technology choices are specified where non-obvious
+3. Integration points with existing code are identified
+4. Data models or API contracts are defined or referenced
+5. Non-standard patterns or exceptions are called out
+
+Note: We don't need every file listed - just the important ones.]]
+
+- [ ] Key files to create/modify are identified (not necessarily exhaustive)
+- [ ] Technologies specifically needed for this story are mentioned
+- [ ] Critical APIs or interfaces are sufficiently described
+- [ ] Necessary data models or structures are referenced
+- [ ] Required environment variables are listed (if applicable)
+- [ ] Any exceptions to standard coding patterns are noted
+
+## 3. REFERENCE EFFECTIVENESS
+
+[[LLM: References should help, not create a treasure hunt. Ensure:
+
+1. References point to specific sections, not whole documents
+2. The relevance of each reference is explained
+3. Critical information is summarized in the story
+4. References are accessible (not broken links)
+5. Previous story context is summarized if needed]]
+
+- [ ] References to external documents point to specific relevant sections
+- [ ] Critical information from previous stories is summarized (not just referenced)
+- [ ] Context is provided for why references are relevant
+- [ ] References use consistent format (e.g., `docs/filename.md#section`)
+
+## 4. SELF-CONTAINMENT ASSESSMENT
+
+[[LLM: Stories should be mostly self-contained to avoid context switching. Verify:
+
+1. Core requirements are in the story, not just in references
+2. Domain terms are explained or obvious from context
+3. Assumptions are stated explicitly
+4. Edge cases are mentioned (even if deferred)
+5. The story could be understood without reading 10 other documents]]
+
+- [ ] Core information needed is included (not overly reliant on external docs)
+- [ ] Implicit assumptions are made explicit
+- [ ] Domain-specific terms or concepts are explained
+- [ ] Edge cases or error scenarios are addressed
+
+## 5. TESTING GUIDANCE
+
+[[LLM: Testing ensures the implementation actually works. Check:
+
+1. Test approach is specified (unit, integration, e2e)
+2. Key test scenarios are listed
+3. Success criteria are measurable
+4. Special test considerations are noted
+5. Acceptance criteria in the story are testable]]
+
+- [ ] Required testing approach is outlined
+- [ ] Key test scenarios are identified
+- [ ] Success criteria are defined
+- [ ] Special testing considerations are noted (if applicable)
+
+## VALIDATION RESULT
+
+[[LLM: FINAL STORY VALIDATION REPORT
+
+Generate a concise validation report:
+
+1. Quick Summary
+
+   - Story readiness: READY / NEEDS REVISION / BLOCKED
+   - Clarity score (1-10)
+   - Major gaps identified
+
+2. Fill in the validation table with:
+
+   - PASS: Requirements clearly met
+   - PARTIAL: Some gaps but workable
+   - FAIL: Critical information missing
+
+3. Specific Issues (if any)
+
+   - List concrete problems to fix
+   - Suggest specific improvements
+   - Identify any blocking dependencies
+
+4. Developer Perspective
+   - Could YOU implement this story as written?
+   - What questions would you have?
+   - What might cause delays or rework?
+
+Be pragmatic - perfect documentation doesn't exist, but it must be enough to provide the extreme context a dev agent needs to get the work down and not create a mess.]]
+
+| Category                             | Status | Issues |
+| ------------------------------------ | ------ | ------ |
+| 1. Goal & Context Clarity            | _TBD_  |        |
+| 2. Technical Implementation Guidance | _TBD_  |        |
+| 3. Reference Effectiveness           | _TBD_  |        |
+| 4. Self-Containment Assessment       | _TBD_  |        |
+| 5. Testing Guidance                  | _TBD_  |        |
+
+**Final Assessment:**
+
+- READY: The story provides sufficient context for implementation
+- NEEDS REVISION: The story requires updates (see issues)
+- BLOCKED: External information required (specify what information)

package/bmad-core/core-config.yaml

@@ -0,0 +1,20 @@
+markdownExploder: true
+prd:
+  prdFile: docs/prd.md
+  prdVersion: v4
+  prdSharded: true
+  prdShardedLocation: docs/prd
+  epicFilePattern: epic-{n}*.md
+architecture:
+  architectureFile: docs/architecture.md
+  architectureVersion: v4
+  architectureSharded: true
+  architectureShardedLocation: docs/architecture
+customTechnicalDocuments: null
+devLoadAlwaysFiles:
+  - docs/architecture/coding-standards.md
+  - docs/architecture/tech-stack.md
+  - docs/architecture/source-tree.md
+devDebugLog: .ai/debug-log.md
+devStoryLocation: docs/stories
+slashPrefix: BMad

package/bmad-core/core-config.yaml.bak

@@ -0,0 +1,20 @@
+markdownExploder: true
+prd:
+  prdFile: docs/prd.md
+  prdVersion: v4
+  prdSharded: true
+  prdShardedLocation: docs/prd
+  epicFilePattern: epic-{n}*.md
+architecture:
+  architectureFile: docs/architecture.md
+  architectureVersion: v4
+  architectureSharded: true
+  architectureShardedLocation: docs/architecture
+customTechnicalDocuments: null
+devLoadAlwaysFiles:
+  - docs/architecture/coding-standards.md
+  - docs/architecture/tech-stack.md
+  - docs/architecture/source-tree.md
+devDebugLog: .ai/debug-log.md
+devStoryLocation: docs/stories
+slashPrefix: BMad