baldart 3.14.1 → 3.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +79 -0
- package/VERSION +1 -1
- package/framework/.claude/agents/REGISTRY.md +10 -0
- package/framework/.claude/agents/api-perf-cost-auditor.md +47 -10
- package/framework/.claude/agents/coder.md +61 -10
- package/framework/.claude/agents/prd-card-writer.md +92 -19
- package/framework/.claude/agents/security-reviewer.md +1 -1
- package/framework/.claude/skills/bug/references/logging-patterns.md +45 -8
- package/framework/.claude/skills/new/SKILL.md +319 -87
- package/framework/.claude/skills/prd/SKILL.md +30 -2
- package/framework/.claude/skills/prd/assets/card-template.yml +59 -27
- package/framework/.claude/skills/prd/assets/epic-template.yml +11 -3
- package/framework/.claude/skills/prd/assets/prd-template.md +90 -14
- package/framework/.claude/skills/prd/assets/state-template.md +18 -0
- package/framework/.claude/skills/prd/references/api-perf-gate.md +102 -52
- package/framework/.claude/skills/prd/references/audit-phase.md +13 -13
- package/framework/.claude/skills/prd/references/backlog-phase.md +81 -0
- package/framework/.claude/skills/prd/references/discovery-phase.md +214 -28
- package/framework/.claude/skills/prd/references/prd-writing-phase.md +65 -23
- package/framework/.claude/skills/prd/references/research-phase.md +22 -4
- package/framework/.claude/skills/prd/references/ui-design-phase.md +115 -3
- package/framework/.claude/skills/prd/references/validation-phase.md +22 -2
- package/framework/docs/PROJECT-CONFIGURATION.md +41 -1
- package/framework/templates/baldart.config.template.yml +25 -0
- package/package.json +1 -1
- package/src/commands/configure.js +72 -0
- package/src/commands/update.js +13 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,85 @@ All notable changes to BALDART will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [3.16.0] - 2026-05-23
|
|
9
|
+
|
|
10
|
+
The `/new` orchestrator becomes specialist-aware: it now reads `owner_agent` from each card YAML and dispatches the right implementation agent — `coder` for backend/logic, `ui-expert` for UI cards, with `plan`/`visual-designer`/`motion-expert` reserved as stubs that fall back to `coder` with a WARN. UI cards (`owner_agent: ui-expert`) receive a dedicated mission briefing that enforces the registry-first BLOCKING cascade (read `${paths.design_system}/INDEX.md` + `tokens-reference.md` + per-component specs BEFORE coding), the implementation-only constraint (no mockup redesign — STOP and ask on registry conflicts), and the Post-Intervention Coherence Check (reconcile INDEX + components + tokens in the same commit). The PRD side enforces the contract end-to-end: `owner_agent` is now a mandatory enum on every child card, UI cards have UI-only scope (logic moves to a sibling `coder` card), and the validation phase blocks commit on enum violations + warns on mixed-scope UI cards.
|
|
11
|
+
|
|
12
|
+
Until now, every card from `/new` was spawned to the generic `coder` agent regardless of `owner_agent`, and mockups arrived as a textual "match this reference" hint without triggering the registry/tokens/specs cascade that `ui-expert` mandates. The symptom reported by users: graphical code generated from mockups was "not quite right" — wrong shadows, off-scale font sizes, off-palette colors. Root cause: the right specialist existed and PRD cards declared it (`owner_agent: ui-expert`), but the dispatcher never read the field.
|
|
13
|
+
|
|
14
|
+
### Added — Agent router + UI specialist briefing
|
|
15
|
+
|
|
16
|
+
- **§ Agent Routing section in [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md)** between Pre-flight and Per-card pipeline. Documents the `owner_agent` → spawn-target mapping in a single table (coder | ui-expert | plan | visual-designer | motion-expert → resolved agent + briefing variant) with a cross-reference list of the 5 layers that must stay in lockstep (template, prd.md enum, prd-card-writer rule, validation-phase check, REGISTRY.md decision tree).
|
|
17
|
+
- **Step 6b "Agent dispatch (router)" in Phase 2** of [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md). Reads `card.owner_agent`, resolves the spawn target via a switch with explicit fallbacks: `coder` → coder briefing; `ui-expert` → ui-expert briefing; `plan`/`visual-designer`/`motion-expert` → coder briefing + WARN ("specialized briefing not yet implemented"); empty/`claude`/missing → coder briefing + WARN; unknown value → HALT and ask the user. The resolved spawn + briefing pair is logged in the tracker as the audit trail.
|
|
18
|
+
- **`[UI-ONLY]` mission briefing sections** in Phase 2 step 7 of [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md). Three new sections inserted between "Design Reference" and "File Permissions", included ONLY when the router resolves `briefing = "ui-expert"`:
|
|
19
|
+
- **Registry-first BLOCKING pre-work** — reproduces verbatim the cascade defined in [framework/.claude/agents/ui-expert.md](framework/.claude/agents/ui-expert.md) § "Registry-first pre-work (BLOCKING)": read `INDEX.md` + `tokens-reference.md` + `components/<Name>.md` for every primitive in scope, declare which Authority Matrix rows govern the card in the first response. Orchestrator rejects the implementation if the declaration is missing.
|
|
20
|
+
- **Implementation-only constraint** — explicit DO NOTs: don't redesign the mockup, don't silently adapt registry-conflicting details (STOP + `[DS-DRIFT] mockup-vs-registry` log + ask the user), don't extend scope into business logic / API / state / validation (split-into-sibling-card is upstream PRD concern).
|
|
21
|
+
- **Post-Intervention Coherence Check** — citation of [framework/agents/design-system-protocol.md](framework/agents/design-system-protocol.md) § "Post-Intervention Coherence Check": reconcile `INDEX.md` (drift code `DS_INDEX_DRIFT`) + `components/<Name>.md` (`DS_COMPONENT_STALE`) + `tokens-reference.md` (`DS_TOKENS_DRIFT`) in the same commit. The completion report MUST include a `design_system_coherence:` block enumerating the artifacts updated.
|
|
22
|
+
- **`[UI-ONLY]` design-system conformance step in Phase 2.5** of [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md). New row in the Completeness Check verification depth, runs only when `briefing = "ui-expert"` AND `features.has_design_system: true`. Greps changed files for hardcoded design values that bypass the registry (hex colors, `rgb(`, inline `box-shadow:` offsets, raw px/rem `border-radius:`/`font-size:`/spacing); verifies the `design_system_coherence:` block in the completion report; verifies new primitives ship their `components/<Name>.md` spec in the same commit; verifies new tokens land in `tokens-reference.md`. Each gap classified Partial → fix-coder sub-loop.
|
|
23
|
+
|
|
24
|
+
### Added — PRD-side enforcement (split-scope + mandatory enum)
|
|
25
|
+
|
|
26
|
+
- **§ MANDATORY Card Rules (Rule A + Rule B)** in [framework/.claude/skills/prd/references/backlog-phase.md](framework/.claude/skills/prd/references/backlog-phase.md). New section between MANDATORY Card Structure and Specialist Audits. **Rule A**: every child card MUST declare `owner_agent` with one of the five enum values; missing/empty/placeholder/non-enum BLOCKS commit. **Rule B**: cards with `owner_agent: ui-expert` MUST be UI-only — components, layout, styling, motion, accessibility — and MUST NOT bundle business logic, API integration, state management, validation logic, or backend changes; mixed steps split into a `ui-expert` card (visual, consumes mocked contract) + a `coder` card (logic, API, state) wired via `depends_on:`/`blocks:`. Ships a canonical Login feature split example (bad: single mixed card; good: `FEAT-XXXX-02` UI + `FEAT-XXXX-01` logic).
|
|
27
|
+
- **§ Agent Specialization Rules in [framework/.claude/agents/prd-card-writer.md](framework/.claude/agents/prd-card-writer.md)** before Card Atomicity Rules. The same Rule A + Rule B formulated from the agent writer's POV (which value to pick per work type, what NOT to bundle, when not to assign `ui-expert` to a tight-knit mixed card). Cross-references the backlog-phase split example for canonical guidance.
|
|
28
|
+
- **§ Step 6 Agent Specialization Audit (new step 0)** in [framework/.claude/skills/prd/references/validation-phase.md](framework/.claude/skills/prd/references/validation-phase.md). Runs FIRST, before the Field Name Audit. Step 0a: `owner_agent` enum check (BLOCKING) — halts the audit on missing/empty/placeholder/non-enum with an actionable message. Step 0b: UI-only scope heuristic (WARN, soft gate) — for each `ui-expert` card, greps `scope.summary` + `requirements` + `acceptance_criteria` for logic markers (`api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, `prisma`, `auth flow`, `token storage`, `webhook`, `cron`) and emits `[UI-SCOPE-WARN]` lines for human review. Intentionally soft: legitimate UI references to mocked contracts ("consumes `useAuth()` mock") don't trip the WARN thanks to the consume/mock/contract-reference exception.
|
|
29
|
+
- **§ Card-template fields updated** in [framework/.claude/skills/prd/assets/card-template.yml](framework/.claude/skills/prd/assets/card-template.yml). The placeholder `owner_agent: claude` is replaced with `owner_agent: <REQUIRED — coder | ui-expert | plan | visual-designer | motion-expert>` so a card left at the placeholder fails validation. A leading comment block documents each enum value (one line each) and a comment under `scope:` reminds the writer of the UI-only constraint for `ui-expert` cards.
|
|
30
|
+
- **§ Epic-template aligned to the tracker-only contract** in [framework/.claude/skills/prd/assets/epic-template.yml](framework/.claude/skills/prd/assets/epic-template.yml). `owner_agent` changes from the legacy `claude` placeholder to `""` (empty string) with an inline comment clarifying that epics are tracker-only — the dispatcher skips them and the validation-phase enum-check exempts them — so the empty value is the correct signal that no specialist is assigned to an epic. Prevents the false-positive of writing a child enum value (e.g. `coder`) on an epic and implying it carries implementation work.
|
|
31
|
+
|
|
32
|
+
### Notes
|
|
33
|
+
|
|
34
|
+
- **No new `baldart.config.yml` keys** — the schema-change propagation rule does not apply to this release. The router consumes an existing field (`owner_agent`) already present in the PRD card schema.
|
|
35
|
+
- **Backwards compatibility for cards written before v3.16.0.** The dispatcher accepts `owner_agent: ""` / missing / legacy `claude` value via the WARN-and-fallback-to-coder branch, so existing backlogs keep working — the WARN surfaces the gap on first use without blocking. New PRD sessions on v3.16.0+ produce enum-compliant cards from the start; the validation phase's enum BLOCKER applies only to NEW cards generated under v3.16.0+.
|
|
36
|
+
- **Specialist briefings for `plan` / `visual-designer` / `motion-expert` are stubs** in this release — they fall back to the coder briefing with a WARN. Specialized briefings will follow in future iterations without further schema changes (the router structure is already in place).
|
|
37
|
+
- **`ui-expert` in `/new` is implementation-only by design** — refinement of the mockup remains a PRD-phase responsibility (the `ui-design-phase` skill handles design decisions). If the implementation step finds a mockup-vs-registry conflict, `ui-expert` STOPs and asks the user; it does not auto-adapt the mockup. This boundary is documented in the `[UI-ONLY] Implementation-only constraint` briefing section.
|
|
38
|
+
- **REGISTRY.md decision tree** in [framework/.claude/agents/REGISTRY.md](framework/.claude/agents/REGISTRY.md) gains a header note clarifying that `/new` dispatches by `owner_agent` (not by re-running the decision tree) — the tree remains authoritative for ad-hoc spawns and for `prd-card-writer`'s writing decisions, with a lockstep-with-skill warning to keep the 5 layers in sync.
|
|
39
|
+
- **Verification is manual** (no test suite — `npm test` remains a no-op stub). Dogfood scenarios to run after install: (1) `/new <CARD-ID>` on a card with `owner_agent: coder` → identical behavior to v3.15.x (no regression); (2) `/new <CARD-ID>` on a card with `owner_agent: ui-expert` + valorized `links.design` → `ui-expert` is spawned (not coder), the briefing contains the BLOCKING cascade verbatim, the implementation reads `INDEX.md` + `tokens-reference.md` + `components/<Name>.md` BEFORE coding, the completion report ships the `design_system_coherence:` block, the commit reconciles the three design-system sources; (3) `/new` on a legacy card with `owner_agent: claude` or missing field → fallback to coder + WARN line in tracker; (4) `/prd` on a feature involving login (UI + logic) → produces TWO cards (`UI-LOGIN-*` ui-expert + `LOGIC-LOGIN-*` coder) wired via `depends_on:` rather than one mixed coder card; (5) PRD validation phase on a card with `owner_agent: ""` → enum BLOCKER, commit refused.
|
|
40
|
+
|
|
41
|
+
## [3.15.0] - 2026-05-23
|
|
42
|
+
|
|
43
|
+
Two changes ship together. **(1) PRD becomes mockup-aware** — formal intake of existing mockups between Kickoff and Discovery, with a per-screen decision tree in Step 3 that skips generation for screens already covered. **(2) Framework becomes stack-aware** — four new `stack.*` cardinal scalars (`database`, `auth_provider`, `framework`, `deployment`) drive vocabulary, gate sections, anti-pattern checklists, and deploy commands across `/prd`, `coder`, `api-perf-cost-auditor`, `/new`, `code-reviewer`, `security-reviewer`, `bug`. Project-identity assumptions previously hard-coded (mayo personas, real test credentials, Italian merchant business names) are removed from the framework and now resolved from `identity.audience_segments[]` + `.baldart/overlays/prd.md`. Sanitization sweep removed all PII (phone numbers, real usernames, real passwords, real store names) from the published payload.
|
|
44
|
+
|
|
45
|
+
### Added — Mockup-aware PRD
|
|
46
|
+
|
|
47
|
+
- **Step 1.6 — Mockup Intake** in [framework/.claude/skills/prd/references/discovery-phase.md](framework/.claude/skills/prd/references/discovery-phase.md). New mandatory step between Kickoff (Step 1) and Discovery (Step 2). Asks the user "Hai dei mockup a disposizione?" — if yes, asks for format (chat images / local paths / mixed), STOPs, and on receipt: copies local files into `${paths.prd_dir}/<slug>/mockups/` (with collision-safe rename), analyzes every mockup against the **Mockup analysis schema** (screens, user_flow, components, states_visible, copy_excerpts, gaps, design_system_alignment with violations when `features.has_design_system: true`), and populates `## UI Design` in the state file before entering Discovery. If "no", marks `mockups.status: none` and proceeds with the standard flow — fully backwards-compatible for projects without mockups.
|
|
48
|
+
- **Step 3 decision tree (Full / Hybrid / Skip)** in [framework/.claude/skills/prd/references/ui-design-phase.md](framework/.claude/skills/prd/references/ui-design-phase.md). Replaces the legacy "skip if UI N/A" precondition. The tree reads `mockups.status` + `screens_in_scope[]` from the state file and routes per-screen: covered-by-mockups screens skip 3a (options) and 3b (generation) — only Component Registry Lookup, approval gate (3c), and inventory (3d) run; uncovered screens invoke the `ui-design` subskill scoped to that single screen, passing the existing mockups as "design language anchor" so the new screen stays consistent. Includes a canonical 5-screen example (3 covered + 2 new) showing exactly which subskill invocations happen and how the final inventory merges.
|
|
49
|
+
- **"Design Reference & Mockup Inventory" section in the PRD template** ([framework/.claude/skills/prd/assets/prd-template.md](framework/.claude/skills/prd/assets/prd-template.md)). New section inserted between Documentation Impact and Section 1 (Problem Statement). Tracks `mockups.status`, `step_3_mode`, the screen inventory table (mapping each screen to its user story + mockup path + origin), the component-mapping table when a design system is in play (reused + new components + token violations), and the source-files traceability list (original user paths → canonical `mockups/` paths, or `chat://image-N` for inline images).
|
|
50
|
+
- **Mockup-aware fields in the state template** ([framework/.claude/skills/prd/assets/state-template.md](framework/.claude/skills/prd/assets/state-template.md)). Extends `## UI Design` with `mockups.{status,format,original_paths,canonical_paths}`, `mockup_analysis.{screens,user_flow,design_system_alignment}`, `step_3_mode`, `design.html_path`, `screens_in_scope`, `ui_inventory`. Single source of truth for everything Step 1.6 produces and Step 3 + PRD Writing consume.
|
|
51
|
+
- **PRD writing acknowledges mockup canonicality** in [framework/.claude/skills/prd/references/prd-writing-phase.md](framework/.claude/skills/prd/references/prd-writing-phase.md). The canonical sources resolution step now adds the `mockups/` directory as a canonical visual reference when `mockups.status` ∈ {`provided`, `partial`}, and the PRD sections checklist includes a new "Design Reference & Mockup Inventory" entry plus revised UI Specifications guidance to avoid duplication.
|
|
52
|
+
- **Hard Rule 16 (Mockup Intake) + Step 1.6 in the flow overview + progress-bar row** in [framework/.claude/skills/prd/SKILL.md](framework/.claude/skills/prd/SKILL.md). Codifies the new step as MANDATORY in the hard-rules section, adds the row `1.6 Mockup intake` to both the in-progress and completed progress-bar templates (with the `Mockup` and `Step 3 mode` summary lines), and adds a "Mockup-driven pre-population" note to the Quick Reference Comprehension Dimensions explaining how dimension 5 (UI impact) and partially dimension 2 (User journey) are pre-resolved from `mockup_analysis` when mockups are provided.
|
|
53
|
+
- **New-Screen Check during Discovery** in [framework/.claude/skills/prd/references/discovery-phase.md](framework/.claude/skills/prd/references/discovery-phase.md). When a user answer reveals a UI screen NOT in `mockup_analysis.screens[]`, the skill no longer treats it as a generic scope expansion (which would offer `/prd-add`). Instead it appends the screen to `screens_in_scope[]` with `covered_by_mockups: false` and logs inline that Step 3 will generate that single screen in Hybrid mode. The Scope Expansion Check still applies for non-UI entities (new endpoints, roles, collections).
|
|
54
|
+
|
|
55
|
+
### Added — Stack-aware framework
|
|
56
|
+
|
|
57
|
+
- **Four new `stack.*` scalar keys** in [framework/templates/baldart.config.template.yml](framework/templates/baldart.config.template.yml): `stack.database` (enum: firestore/supabase/postgres/mysql/mongodb/dynamodb/sqlite/none), `stack.auth_provider` (firebase-auth/supabase-auth/clerk/auth0/cognito/nextauth/lucia/custom/none), `stack.framework` (nextjs/remix/sveltekit/astro/nuxt/rails/django/fastapi/express/none), `stack.deployment` (vercel/firebase/aws/gcp/cloudflare/render/fly/self-hosted/none). Empty string preserves the always-ask contract — skills prompt the user when a needed scalar is unset and suggest `npx baldart configure`.
|
|
58
|
+
- **`baldart configure` autodetection + prompts for the 4 stack scalars** in [src/commands/configure.js](src/commands/configure.js). Autodetection probes `package.json` deps (`firebase`/`@supabase/*`/`pg`/`mongoose`/`@clerk/*`/`@auth0/*`/`next-auth`/`lucia`/`@aws-sdk/client-cognito-identity-provider`/`next`/`@remix-run/*`/`@sveltejs/kit`/`astro`/`nuxt`/`express`), file presence (`vercel.json`/`firebase.json`/`wrangler.toml`/`fly.toml`/`render.yaml`/`Gemfile`/`manage.py`/`requirements.txt`), and content patterns (Django/FastAPI in requirements, rails gem in Gemfile). Detected values pre-fill the interactive prompt. AUTODETECTED box surfaces all 4 values to the user.
|
|
59
|
+
- **`baldart update` schema-drift detector covers scalar `stack.*` keys** in [src/commands/update.js](src/commands/update.js). Extends the existing detector (which already flagged missing `features.*`, `paths.*`, `git.*` keys after an update) to enumerate `tpl.stack[*]` and report only the string-typed top-level scalars as `stack.<key>`. Sub-object keys (`charting`/`animation`/`testing`/`monorepo`/`design_system_signals`) are intentionally ignored — their drift is handled by their dedicated configure prompts. On missing scalars, the detector auto-offers `baldart configure`.
|
|
60
|
+
- **Database vocabulary branching in PRD writing** in [framework/.claude/skills/prd/references/prd-writing-phase.md](framework/.claude/skills/prd/references/prd-writing-phase.md). The Schema Verification Gate header now reads "MANDATORY if feature touches the persistence layer" instead of "if feature touches Firestore"; vocabulary adapts ({entity} = collection|table, {field} = field|column); the schema-registry path resolves via overlay → `stack.database` convention (Firestore `field-registry.json`, SQL `prisma/schema.prisma` or migrations dir, Mongo collection markdown). The PRD-template's Section 5 "Data Model" now ships **5 variants** (Firestore Composite, Relational B-tree+RLS, MongoDB compound, DynamoDB GSI/LSI, None) — the writer keeps only the variant matching `stack.database`.
|
|
61
|
+
- **api-perf-gate refactored as universal-core + stack addenda** in [framework/.claude/skills/prd/references/api-perf-gate.md](framework/.claude/skills/prd/references/api-perf-gate.md). Gate 5 (keyword scan): universal keywords + "Stack-specific keyword addenda" table activated only by the matching `stack.database`. Gates 1–3: universal checklist + "Stack-specific addenda" per `stack.database` (firestore listener/index/ID-hotspot rules, postgres/supabase RLS+EXPLAIN+JSONB rules, mongo compound-field-order+embed rules, dynamodb GSI+hot-partition rules) and per `stack.framework` (nextjs Route Handler `revalidate`/`use cache`, remix `headers`+`shouldRevalidate`, sveltekit runtime declaration, astro `prerender`). Reference Data section split into "Database pricing & cost-model snapshots" (4 stacks), "Runtime limits by `stack.deployment`" (Vercel/Cloudflare/AWS/Firebase table), "Framework caching primitives by `stack.framework`" (4 frameworks). User cites only the variant matching their config.
|
|
62
|
+
- **coder.md Database Index Invariant** in [framework/.claude/agents/coder.md](framework/.claude/agents/coder.md). Renamed from "Firestore Index Invariant"; ships per-stack instructions (Firestore composite + `firestore.indexes.json`, Postgres/Supabase `EXPLAIN` + migration with covering/GIN/RLS, MongoDB `createIndex` with equality→range→sort field order, DynamoDB GSI/LSI in CDK/Terraform, None/unset → skip with warning).
|
|
63
|
+
- **prd-card-writer Field Grounding Rule per-stack registry resolution** in [framework/.claude/agents/prd-card-writer.md](framework/.claude/agents/prd-card-writer.md). The Grep target for field verification is no longer hard-coded to `docs/references/field-registry.json` — it resolves via `.baldart/overlays/prd.md § Schema Registry` first, then by convention matching `stack.database` (Firestore field-registry, Prisma schema, SQL migrations, Mongo collection docs, DynamoDB table definition). Universal identifiers (`id`/`uuid`/PK, `createdAt`/`created_at`, `updatedAt`/`updated_at`) are exempt regardless of stack.
|
|
64
|
+
- **api-perf-cost-auditor reads stack scalars at session start** in [framework/.claude/agents/api-perf-cost-auditor.md](framework/.claude/agents/api-perf-cost-auditor.md). The agent's "Project Context" section is no longer hard-coded to "Next.js 16 + Firestore + Vercel Fluid Compute" — it now lists universal hard rules + addenda tables for `stack.framework`, `stack.database`, `stack.deployment`, and cites the resolved values in every audit header so the user knows which variant applied. Perf budgets move out of the agent into `${paths.references_dir}/perf-budgets.md` (consumer-owned); absence is flagged as a `BUDGETS_GAP` warning instead of using framework-baked numbers.
|
|
65
|
+
- **security-reviewer multi-stack access-rule coverage** in [framework/.claude/agents/security-reviewer.md](framework/.claude/agents/security-reviewer.md). Rule 6 (cloud/infra risks) lists the access-rule variant per `stack.database`: Firebase security rules, Supabase RLS policies, MongoDB validators + collection access, DynamoDB IAM policies, Postgres GRANT/REVOKE + RLS.
|
|
66
|
+
- **`/new` Production Readiness Checklist becomes stack-aware** in [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md). Detection table and auto-executable commands branch on `stack.deployment` + `stack.database`. Firebase commands are no longer the default — they're one branch among many (vercel deploy, supabase db push, CDK/Terraform apply, firebase deploy). When `stack.deployment` is empty, the skill infers from config-file presence and falls back to asking the user — never auto-executes a guess.
|
|
67
|
+
- **`/new` end-to-end flow generalized for non-Firestore stacks** in [framework/.claude/skills/new/SKILL.md](framework/.claude/skills/new/SKILL.md). Five additional spots got the same treatment so a Supabase / Postgres / Mongo / DynamoDB project doesn't see Firestore-only instructions: pre-flight `data_fields` warning triggers on `db_indexes` (any dialect) and reads "touches the persistence layer" instead of "touches Firestore"; Codex parallel-conflict analyzer asks about same-{entity} writes in the project's vocabulary; DEEP-review trigger keys off `db_indexes` (legacy `firestore_indexes` still recognized); the Coder Briefing's index section ships per-`stack.database` instructions (Firestore JSON snippet, SQL migration / Prisma `@@index`, Mongo `createIndex`, DynamoDB GSI/LSI in IaC) and explicitly tells the agent which artifact to stage; post-implementation verification of compound queries branches into 4 dialects with their own missing-index severity; Docs Routing Reminder uses `{entity}` vocabulary and points at the stack-matched index artifact; and the post-deploy "DB Index Verification" section (previously Firestore-only with curl to the Firestore REST API) now opens with a Skip rule and 4 dialect variants (Firestore REST API, Postgres `pg_indexes` + `pg_stat_progress_create_index`, Mongo `getIndexes` + `currentOp`, DynamoDB `describe-table` GSI status). The Firestore variant retains its full procedure verbatim — no regression for Firestore consumers.
|
|
68
|
+
- **bug/logging-patterns.md framework-agnostic** in [framework/.claude/skills/bug/references/logging-patterns.md](framework/.claude/skills/bug/references/logging-patterns.md). The Next.js 16 logging section is now one of four (Next.js, Remix, SvelteKit, Astro/Nuxt) plus a generic `pino`/`winston` fallback. DB-tracing env var examples document the per-stack equivalent (`DEBUG_FIRESTORE=true`, `SUPABASE_DEBUG=true`, `DEBUG=knex:query`, `DEBUG=mongoose:*`).
|
|
69
|
+
- **Persona references generalized to `identity.audience_segments[]`** in [framework/.claude/skills/prd/references/discovery-phase.md](framework/.claude/skills/prd/references/discovery-phase.md), [framework/.claude/skills/prd/references/prd-writing-phase.md](framework/.claude/skills/prd/references/prd-writing-phase.md), [framework/.claude/skills/prd/references/audit-phase.md](framework/.claude/skills/prd/references/audit-phase.md), [framework/.claude/skills/prd/assets/card-template.yml](framework/.claude/skills/prd/assets/card-template.yml), [framework/.claude/skills/prd/assets/epic-template.yml](framework/.claude/skills/prd/assets/epic-template.yml), [framework/.claude/skills/prd/assets/prd-template.md](framework/.claude/skills/prd/assets/prd-template.md). Hard-coded persona literals (`CUSTOMER`/`MERCHANT`/`MERCHANT_STAFF`/`SUPER_ADMIN`) are gone from the framework — replaced by `{{from identity.audience_segments[]}}` placeholders and explicit instructions to loop over the project-declared segments. AC grouping in PRD writing now reads "one group per persona drawn from `identity.audience_segments[]`, plus cross-cutting groups".
|
|
70
|
+
- **`db_indexes` field replaces `firestore_indexes` in card YAML** in [framework/.claude/skills/prd/assets/card-template.yml](framework/.claude/skills/prd/assets/card-template.yml). The card template renames the section; entries gain a `dialect` field matching `stack.database` and a `kind` field (composite/covering/partial/GIN/GSI/LSI/unique/fulltext). The legacy `firestore_indexes` name remains accepted as an alias so v3.14.x cards keep working — the validator in [framework/.claude/skills/prd/references/validation-phase.md](framework/.claude/skills/prd/references/validation-phase.md) recognizes both. Metric `has_firestore_indexes_pct` in [framework/.claude/skills/prd/SKILL.md](framework/.claude/skills/prd/SKILL.md) renamed to `has_db_indexes_pct`.
|
|
71
|
+
- **PROJECT-CONFIGURATION.md § 4.4 documents the 4 new scalars** in [framework/docs/PROJECT-CONFIGURATION.md](framework/docs/PROJECT-CONFIGURATION.md). New "Stack-cardinal scalars" subsection enumerates the 8 skills/agents that branch on them, the always-ask contract on empty values, and the schema-drift detector behavior.
|
|
72
|
+
|
|
73
|
+
### Removed — PII sanitization
|
|
74
|
+
|
|
75
|
+
- **Test credentials (phone, username, password, store name) removed from the published payload.** [framework/.claude/skills/prd/references/discovery-phase.md](framework/.claude/skills/prd/references/discovery-phase.md), [framework/.claude/skills/prd/assets/prd-template.md](framework/.claude/skills/prd/assets/prd-template.md), [framework/.claude/skills/prd/assets/card-template.yml](framework/.claude/skills/prd/assets/card-template.yml) no longer ship any real credential as "example". The discovery Test Strategy step now (a) consults `.baldart/overlays/prd.md § Test Credentials` first, (b) asks the user one structured question per persona if the overlay is silent, (c) stores a credential REFERENCE (secret-manager path, `.env.test:VAR_NAME`) in the state file instead of the literal secret, and (d) explicitly forbids the framework from carrying real PII.
|
|
76
|
+
|
|
77
|
+
### Notes
|
|
78
|
+
|
|
79
|
+
- **One CLI change — `baldart configure`.** v3.15.0 adds autodetection + prompts for the 4 `stack.*` scalars and extends the `baldart update` schema-drift detector to flag missing scalar `stack.*` keys. Consumers upgrading from v3.14.x get the new prompts on the next `baldart configure` invocation; the detector triggers automatically on the next `baldart update`.
|
|
80
|
+
- **The schema-change propagation rule applied end-to-end** for the 4 new scalars: template ✓, configure prompt ✓, update detector ✓, doctor not extended (the always-ask contract in skills already covers the empty case), CHANGELOG ✓.
|
|
81
|
+
- **Backwards-compatibility for v3.14.x cards.** Cards with the legacy `firestore_indexes` field still validate (the writer-side renamed it to `db_indexes`, but the validator and downstream agents accept both names). Cards with `type: firestore` in `data_sources` are equivalent to `type: db, db_dialect: firestore`.
|
|
82
|
+
- **Active PRD sessions started under v3.14.x** do not have `## UI Design` populated with the mockup fields; the skill treats `pending`/missing as `mockups.status: none` and falls into the Full Step-3 branch (legacy behavior). New sessions on v3.15.0+ pick up Step 1.6 automatically.
|
|
83
|
+
- **Step 3 Hybrid mode preserves the design-system cascade.** When `features.has_design_system: true`, the BLOCKING reads of `${paths.design_system}/INDEX.md` + `tokens-reference.md` run BOTH in Step 1.6 (during mockup analysis, to flag violations early) AND in Step 3 (during per-screen Component Registry Lookup, to validate covered + new screens uniformly). Violations bubble up to the unified 3c approval gate.
|
|
84
|
+
- **Sanitization is final, not a heuristic.** Grep across `framework/` for `3486417303`, `antonio.baldassarre2336`, `bRkS2bzqyesK`, `Bar Roma` returns zero hits after this release. Consumers who already had `.baldart/overlays/prd.md` with their real credentials are unaffected — the overlay never leaves the consumer repo.
|
|
85
|
+
- **Verification is manual** (no test suite — `npm test` is no-op stub). Scenarios to dogfood after install: (1) `npx baldart update` on a v3.14.x consumer → schema-drift detector flags 4 new `stack.*` keys → `baldart configure` autodetection pre-fills them; (2) `/prd` on a Supabase project (`stack.database: supabase`) → Schema Verification Gate uses Variant B (Relational), api-perf-gate adds postgres+supabase addenda, audit-phase enforces RLS; (3) `/prd` on a Firestore project (`stack.database: firestore`) → behavior identical to v3.14.x (no regression); (4) `/prd` with mockups → mockup intake + Hybrid Step 3; (5) `/new` on a Cloudflare deployment (`stack.deployment: cloudflare`) → no `firebase deploy` commands proposed.
|
|
86
|
+
|
|
8
87
|
## [3.14.1] - 2026-05-23
|
|
9
88
|
|
|
10
89
|
Hotfix for the `.framework/` gitignore self-heal shipped in v3.14.0. The detector misread `git check-ignore -v` output: when `check-ignore` matched a negation pattern (`!.framework`), it still reported the match, and `checkFrameworkIgnored` flagged the path as ignored. The result: every consumer who hit the self-heal on first run got `.framework/ is STILL ignored after auto-heal` and `process.exit(1)` — the heal *had* actually worked (the negation was in place), but the verifier didn't recognize its own fix. Reported during the v3.13.0 → v3.14.0 update in a downstream consumer.
|
package/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.
|
|
1
|
+
3.16.0
|
|
@@ -37,6 +37,16 @@ Quick-reference for all custom agents. Use this to route tasks to the right spec
|
|
|
37
37
|
|
|
38
38
|
## Decision Tree
|
|
39
39
|
|
|
40
|
+
> **Note**: when invoked from the `/new` skill, agent assignment is NOT taken
|
|
41
|
+
> from this tree — `/new` reads `owner_agent` directly from each card YAML
|
|
42
|
+
> (enum: `coder | ui-expert | plan | visual-designer | motion-expert`, set
|
|
43
|
+
> by `prd-card-writer`). This tree is the source for HUMAN routing (when
|
|
44
|
+
> spawning an agent ad-hoc) and for prd-card-writer's WRITING decisions.
|
|
45
|
+
> If you change agent capabilities here, keep the enum in
|
|
46
|
+
> `framework/.claude/agents/prd.md:538` and the router in
|
|
47
|
+
> `framework/.claude/skills/new/SKILL.md` § Agent Routing in lockstep —
|
|
48
|
+
> drift between layers silently mis-routes cards.
|
|
49
|
+
|
|
40
50
|
```
|
|
41
51
|
Need to understand existing code? --> codebase-architect (MANDATORY)
|
|
42
52
|
Have a plan to review? --> plan-auditor
|
|
@@ -39,16 +39,53 @@ To prevent context bloat:
|
|
|
39
39
|
- Max **5 search_docs MCP calls**.
|
|
40
40
|
- Never read files outside `git diff --name-only` (or scope passed by orchestrator) unless tracing a callgraph that proves a regression.
|
|
41
41
|
|
|
42
|
-
## Project Context (
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
-
|
|
42
|
+
## Project Context (read from `baldart.config.yml`)
|
|
43
|
+
|
|
44
|
+
Read `stack.framework`, `stack.database`, `stack.deployment` at the start of
|
|
45
|
+
every audit. The rules below adapt automatically; cite the resolved values in
|
|
46
|
+
your findings header so the user knows which variant you applied.
|
|
47
|
+
|
|
48
|
+
**Universal hard rules** (apply to any stack):
|
|
49
|
+
- Every list query MUST include a `limit` (or equivalent pagination size).
|
|
50
|
+
- Pagination MUST be cursor/keyset-based, never offset-based on hot paths.
|
|
51
|
+
- No N+1 reads in loops — batch / join / `$lookup` / `getAll` per stack.
|
|
52
|
+
- Multi-attribute queries require their matching index shipped in the same commit
|
|
53
|
+
as the query (see Database Index Invariant in coder.md per `stack.database`).
|
|
54
|
+
|
|
55
|
+
**Stack-specific addenda** (apply only when matching):
|
|
56
|
+
|
|
57
|
+
- `stack.framework: nextjs` → Default runtime Fluid Compute (Node.js 24 LTS).
|
|
58
|
+
Edge runtime is not the recommended default. GET Route Handlers are dynamic
|
|
59
|
+
by default since v15 — opt in to caching via `revalidate` / `'use cache'`.
|
|
60
|
+
- `stack.framework: remix` → Set `headers` for Cache-Control explicitly.
|
|
61
|
+
Rely on CDN-level caching.
|
|
62
|
+
- `stack.framework: sveltekit` → Choose Edge vs Node runtime per route;
|
|
63
|
+
declare `prerender` for static pages.
|
|
64
|
+
|
|
65
|
+
- `stack.database: firestore` → Hard rules from AGENTS.md NFR Performance:
|
|
66
|
+
every `where()` includes `.limit()`; pagination uses `startAfter()`; no
|
|
67
|
+
`getDoc()` in loops; composite queries update `firestore.indexes.json` in
|
|
68
|
+
the same commit.
|
|
69
|
+
- `stack.database: postgres | supabase | mysql | sqlite` → `EXPLAIN` every
|
|
70
|
+
new query on a >10k-row table; surface Seq Scan as a HIGH finding.
|
|
71
|
+
Supabase: every new table needs RLS aligned with the auth contract (CRITICAL).
|
|
72
|
+
- `stack.database: mongodb` → Compound index field order: equality → range →
|
|
73
|
+
sort. Aggregations on hot paths must use indexes (no `$match` after
|
|
74
|
+
`$project` that strips the indexed field).
|
|
75
|
+
- `stack.database: dynamodb` → Every non-PK access pattern has a GSI / LSI.
|
|
76
|
+
Reject `FilterExpression` on hot paths.
|
|
77
|
+
|
|
78
|
+
- `stack.deployment: vercel` → Active CPU + provisioned memory + invocations
|
|
79
|
+
billing (not wall-clock GB-s). Payload limit 4.5 MB. Max duration 300s
|
|
80
|
+
Hobby / 800s Pro.
|
|
81
|
+
- `stack.deployment: cloudflare` → 30s CPU per request; 100 MB payload.
|
|
82
|
+
- `stack.deployment: aws` → Lambda 6 MB sync / 256 KB async, max 900s.
|
|
83
|
+
- `stack.deployment: firebase` → 32 MB payload, max 540s (gen 2).
|
|
84
|
+
|
|
85
|
+
**Project performance budgets** are NOT hard-coded here. They live in
|
|
86
|
+
`${paths.references_dir}/perf-budgets.md` (consumer-owned). If that file does
|
|
87
|
+
not exist, derive ad-hoc defaults from the stack snapshot above and flag the
|
|
88
|
+
absence in your audit summary as a `BUDGETS_GAP` warning.
|
|
52
89
|
|
|
53
90
|
## Scope Boundary (MUST — read first)
|
|
54
91
|
|
|
@@ -161,16 +161,67 @@ This rule is enforced by:
|
|
|
161
161
|
- `.claude/skills/new/SKILL.md § Phase 3.7 trigger #6` (mutation-after-helper
|
|
162
162
|
call invokes per-card `/codexreview` before commit).
|
|
163
163
|
|
|
164
|
-
##
|
|
165
|
-
|
|
166
|
-
When writing or modifying
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
164
|
+
## Database Index Invariant (MUST)
|
|
165
|
+
|
|
166
|
+
When writing or modifying queries that combine filters and orderings on
|
|
167
|
+
different attributes, ensure the matching index exists and ships in the same
|
|
168
|
+
commit as the query. Apply the variant matching `stack.database` from
|
|
169
|
+
`baldart.config.yml`:
|
|
170
|
+
|
|
171
|
+
**Variant — Firestore (`stack.database: firestore`)**
|
|
172
|
+
|
|
173
|
+
Where `where()` + `orderBy()` on different fields, or multiple `where()` on
|
|
174
|
+
different fields:
|
|
175
|
+
|
|
176
|
+
1. Check `firestore.indexes.json` for a composite index matching the exact
|
|
177
|
+
pattern (collection, fields, order).
|
|
178
|
+
2. If missing: add it and stage with your commit.
|
|
179
|
+
3. For dynamic queries (`let query = ...; if (x) query = query.where(...)`)
|
|
180
|
+
add a JSDoc: `/** @requires-index: collectionGroup(field1 ASC, field2 DESC) */`
|
|
181
|
+
4. All-equality queries (only `==` filters, no `orderBy` on a different
|
|
182
|
+
field) do NOT need composite indexes.
|
|
183
|
+
|
|
184
|
+
Missing indexes cause **500 errors in production** (`FAILED_PRECONDITION`,
|
|
185
|
+
error code 9) invisible until runtime.
|
|
186
|
+
|
|
187
|
+
**Variant — Relational (`stack.database` ∈ {postgres, supabase, mysql, sqlite})**
|
|
188
|
+
|
|
189
|
+
When the query uses `WHERE col_a = ? AND col_b > ? ORDER BY col_c`, or any
|
|
190
|
+
JOIN/sort/filter combination that can produce a sequential scan on a hot
|
|
191
|
+
table:
|
|
192
|
+
|
|
193
|
+
1. Run `EXPLAIN` (or `EXPLAIN ANALYZE` in dev) on the new query. Verify the
|
|
194
|
+
planner picks an Index Scan or Index Only Scan, not Seq Scan, on tables
|
|
195
|
+
with >10k rows.
|
|
196
|
+
2. If a Seq Scan appears: add a composite or covering index in a new migration
|
|
197
|
+
(`migrations/<ts>_add_<entity>_<purpose>_idx.sql`, or
|
|
198
|
+
`prisma migrate dev` / `supabase migration new` per project conventions).
|
|
199
|
+
3. Stage the migration with the same commit as the query change.
|
|
200
|
+
4. For JSONB queries: ensure a GIN index exists on the JSONB column when
|
|
201
|
+
the query filters on it.
|
|
202
|
+
5. For Supabase: every new table also requires an RLS policy aligned with the
|
|
203
|
+
PRD permissions section.
|
|
204
|
+
|
|
205
|
+
**Variant — MongoDB (`stack.database: mongodb`)**
|
|
206
|
+
|
|
207
|
+
1. Check the collection's indexes via `db.<collection>.getIndexes()` (or the
|
|
208
|
+
schema file the project uses as registry).
|
|
209
|
+
2. For compound queries, ensure the index field order follows
|
|
210
|
+
equality → range → sort.
|
|
211
|
+
3. Add the index in code (`createIndex`) or migration, in the same commit.
|
|
212
|
+
|
|
213
|
+
**Variant — DynamoDB (`stack.database: dynamodb`)**
|
|
214
|
+
|
|
215
|
+
1. Every non-PK access pattern needs either a GSI or LSI declared in the
|
|
216
|
+
table definition (CDK / Terraform / SAM template).
|
|
217
|
+
2. Update the table definition in the same commit as the new query.
|
|
218
|
+
3. Avoid `FilterExpression` on hot paths — pick a GSI instead.
|
|
219
|
+
|
|
220
|
+
**Variant — None / unset**
|
|
221
|
+
|
|
222
|
+
If `stack.database` is empty or `"none"`, skip this section. If you encounter
|
|
223
|
+
persistence code while `stack.database` is empty, surface a warning suggesting
|
|
224
|
+
`npx baldart configure`.
|
|
174
225
|
|
|
175
226
|
## Incremental Verification (MUST)
|
|
176
227
|
|
|
@@ -15,7 +15,15 @@ You are **PRD Card Writer** — a specialist agent that converts an approved PRD
|
|
|
15
15
|
1. **Read the PRD `## Schema Verification` section** (generated during Step 4 of the PRD skill).
|
|
16
16
|
Every field you write MUST appear in that table with status `✅ existing` or `🆕 new`.
|
|
17
17
|
|
|
18
|
-
2. **For each `✅ existing` field**: call `Grep("fieldName",
|
|
18
|
+
2. **For each `✅ existing` field**: call `Grep("fieldName", <schema-registry-path>)`.
|
|
19
|
+
The registry path is resolved per the project:
|
|
20
|
+
- `.baldart/overlays/prd.md § Schema Registry` defines it explicitly when present;
|
|
21
|
+
- otherwise the convention follows `stack.database`:
|
|
22
|
+
- firestore → `${paths.references_dir}/field-registry.json`
|
|
23
|
+
- postgres/supabase/mysql/sqlite → `prisma/schema.prisma` OR `${paths.references_dir}/schema.md` OR the latest migration under the project's migrations dir;
|
|
24
|
+
- mongodb → `${paths.references_dir}/collections/<name>.md` or a JSON schema file in the validator dir;
|
|
25
|
+
- dynamodb → the CDK / Terraform table definition file.
|
|
26
|
+
Then:
|
|
19
27
|
- ≥1 match → set `ts_verified: true` in the card's `data_fields` entry.
|
|
20
28
|
- 0 matches → HALT. Do NOT use this field. Ask: "Field not found in registry — is it new or a typo?"
|
|
21
29
|
|
|
@@ -23,9 +31,9 @@ You are **PRD Card Writer** — a specialist agent that converts an approved PRD
|
|
|
23
31
|
|
|
24
32
|
4. **NEVER invent a field name** not in the Schema Verification snapshot, even if it "sounds right".
|
|
25
33
|
|
|
26
|
-
5. **Exempt from verification** (do not include in `data_fields`): `id
|
|
34
|
+
5. **Exempt from verification** (do not include in `data_fields`): the project's universal identifiers — `id`/`uuid`/PK, `createdAt`/`created_at`, `updatedAt`/`updated_at`.
|
|
27
35
|
|
|
28
|
-
6. **Populate `data_fields`** for every card that reads/writes
|
|
36
|
+
6. **Populate `data_fields`** for every card that reads/writes the persistence layer (see Required Fields).
|
|
29
37
|
|
|
30
38
|
## Mission
|
|
31
39
|
|
|
@@ -48,6 +56,69 @@ You produce:
|
|
|
48
56
|
4. **Scan existing backlog** — `backlog/*.yml` to find the highest `FEAT-XXXX` number. Use Glob to list files, then Grep for `^id:` lines to extract IDs.
|
|
49
57
|
5. **Read existing card conventions** — sample 2-3 recent cards from `backlog/` to match style.
|
|
50
58
|
|
|
59
|
+
## Agent Specialization Rules (HARD RULE — zero tolerance)
|
|
60
|
+
|
|
61
|
+
These two rules govern HOW you assign work to specialist agents. They are
|
|
62
|
+
enforced by the validation phase of `/prd` (Step 6) and by the `/new`
|
|
63
|
+
dispatcher — getting them wrong silently routes work to the wrong agent.
|
|
64
|
+
|
|
65
|
+
### Rule A — Set `owner_agent` on every child card (enum, no default)
|
|
66
|
+
|
|
67
|
+
Every child card you produce MUST set `owner_agent` to exactly one of:
|
|
68
|
+
|
|
69
|
+
```
|
|
70
|
+
coder | ui-expert | plan | visual-designer | motion-expert
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
`claude` is NOT a valid value (it is a legacy placeholder kept only for
|
|
74
|
+
backward compatibility in the dispatcher's fallback). Missing, empty, or
|
|
75
|
+
out-of-enum values fail validation.
|
|
76
|
+
|
|
77
|
+
**How to choose:**
|
|
78
|
+
|
|
79
|
+
- `coder` — backend, business logic, state management, data layer, API
|
|
80
|
+
handlers, scripts, CLI, hooks, anything that writes/reads persistence.
|
|
81
|
+
- `ui-expert` — UI implementation from an existing mockup (`links.design`):
|
|
82
|
+
components, layout, styling, motion, accessibility, registry-first
|
|
83
|
+
discipline (reads `${paths.design_system}/INDEX.md` + tokens-reference
|
|
84
|
+
+ per-component specs BEFORE coding, runs Post-Intervention Coherence
|
|
85
|
+
Check after).
|
|
86
|
+
- `plan` — planning-only deliverables (no code edits): RFC, ADR draft,
|
|
87
|
+
research synopsis, sequencing doc.
|
|
88
|
+
- `visual-designer` — static visual asset generation (illustrations, icons,
|
|
89
|
+
hero images) via the visual-designer agent.
|
|
90
|
+
- `motion-expert` — motion specs (timing tables, easing curves,
|
|
91
|
+
micro-interaction storyboards) — NOT motion code implementation, which
|
|
92
|
+
is `ui-expert` work.
|
|
93
|
+
|
|
94
|
+
**Epic cards** use `owner_agent: ""` (empty string) because they are
|
|
95
|
+
trackers, not implementation. The dispatcher skips them.
|
|
96
|
+
|
|
97
|
+
### Rule B — UI cards (`ui-expert`) have UI-ONLY scope
|
|
98
|
+
|
|
99
|
+
When you assign `owner_agent: ui-expert` to a card, its scope MUST cover
|
|
100
|
+
ONLY graphical concerns. The card MUST NOT bundle:
|
|
101
|
+
|
|
102
|
+
- business logic, domain rules, calculation
|
|
103
|
+
- API calls, data fetching, mutations
|
|
104
|
+
- state management beyond local UI state (`useState` for open/closed,
|
|
105
|
+
hover, focus — fine; global app state, cache invalidation, sync — not)
|
|
106
|
+
- validation LOGIC (rendering validation states is UI work; the rules and
|
|
107
|
+
side-effects are coder work)
|
|
108
|
+
- backend changes (routes, handlers, DB schema, migrations, indexes)
|
|
109
|
+
|
|
110
|
+
**If a step requires both UI and logic, you MUST split it into two cards**
|
|
111
|
+
and wire them via `depends_on:` / `blocks:` — a `ui-expert` card that
|
|
112
|
+
consumes a mocked or contract-stable interface, plus a `coder` card that
|
|
113
|
+
owns the logic side. Canonical example: see § "Split example — Login
|
|
114
|
+
feature" in `framework/.claude/skills/prd/references/backlog-phase.md`.
|
|
115
|
+
|
|
116
|
+
If you cannot reasonably split (e.g. because the UI and logic share <3
|
|
117
|
+
files and one file would be torn between two cards), prefer a single
|
|
118
|
+
`coder` card with UI work as one of its acceptance criteria — do NOT
|
|
119
|
+
assign `ui-expert` to a mixed card. The dispatcher's specialist routing
|
|
120
|
+
breaks down when scope is mixed.
|
|
121
|
+
|
|
51
122
|
## Card Atomicity Rules
|
|
52
123
|
|
|
53
124
|
Cards MUST be as atomic as possible to enable parallel execution:
|
|
@@ -127,7 +198,7 @@ applies even when N=1.
|
|
|
127
198
|
4. **Reusing the FEAT-XXXX integer**. Each epic reserves the full integer space.
|
|
128
199
|
5. **Epic with implementation fields**. The epic NEVER has `files_likely_touched`
|
|
129
200
|
pointing to code (only docs), `validation_commands`, `existing_patterns`,
|
|
130
|
-
`data_fields`, `data_sources` beyond `[]`, or `firestore_indexes
|
|
201
|
+
`data_fields`, `data_sources` beyond `[]`, or `db_indexes` (legacy `firestore_indexes` alias also forbidden on epics).
|
|
131
202
|
|
|
132
203
|
### Why MANDATORY
|
|
133
204
|
|
|
@@ -188,31 +259,33 @@ Every card MUST include ALL fields from the template:
|
|
|
188
259
|
- `data_sources` — MANDATORY for EVERY card (never omit, even if empty):
|
|
189
260
|
- High-level inventory of every data source or destination the card touches.
|
|
190
261
|
- One entry per distinct source. Supported types:
|
|
191
|
-
- `
|
|
262
|
+
- `db`: {entity} name in `path` (collection/table/index per `stack.database`); set `db_dialect` to the matching value. Field-level detail lives in `data_fields` (below).
|
|
192
263
|
- `file`: repo-relative path, `operations` (READ|WRITE|APPEND|CREATE|DELETE), `format` (JSONL|YAML|JSON|markdown|binary).
|
|
193
264
|
- `api`: URL or endpoint pattern; READ = GET, WRITE = POST/PUT/PATCH/DELETE.
|
|
194
265
|
- `env`: env var name; `operations: [READ]`.
|
|
266
|
+
- **Legacy:** `firestore` is still accepted (treated as `db` with `db_dialect: firestore`).
|
|
195
267
|
- For **pure docs/config/scaffolding cards** that read and write no data: set `data_sources: []` (explicit empty list — confirms the writer verified there are no sources; never silently omit the field).
|
|
196
|
-
- For **
|
|
197
|
-
- For **file-based tooling cards** (scripts, CLIs, hooks): list each file or directory the card reads from or writes to. This is the primary documentation for non-
|
|
198
|
-
- `data_fields` — MANDATORY if card reads/writes
|
|
199
|
-
- For each field the card touches (excluding `id
|
|
200
|
-
- `
|
|
201
|
-
- `field`: exact
|
|
202
|
-
- `type`:
|
|
268
|
+
- For **persistence-touching cards**: include `type: db` entries here AND populate `data_fields` below. The two fields serve different purposes: `data_sources` is the traceable overview; `data_fields` is the field-level grounding for mechanical validation.
|
|
269
|
+
- For **file-based tooling cards** (scripts, CLIs, hooks): list each file or directory the card reads from or writes to. This is the primary documentation for non-DB data flows.
|
|
270
|
+
- `data_fields` — MANDATORY if card reads/writes the persistence layer:
|
|
271
|
+
- For each field the card touches (excluding universal identifiers — `id`/`uuid`/PK, `createdAt`/`created_at`, `updatedAt`/`updated_at`):
|
|
272
|
+
- `entity`: exact collection or table name (must match key in the schema registry resolved per Field Grounding Rule step 2)
|
|
273
|
+
- `field`: exact identifier (verified via Grep per Field Grounding Rule above)
|
|
274
|
+
- `type`: language-native type from the schema (TypeScript interface / Prisma model / SQL column / Mongo validator)
|
|
203
275
|
- `status`: `existing` | `new` | `modified` | `deprecated_removed`
|
|
204
276
|
- `ts_verified`: `true` (after Grep confirms field in registry) or `false` (new fields only)
|
|
205
|
-
- `source`:
|
|
277
|
+
- `source`: schema file path (e.g. `src/types/booking.ts`, `prisma/schema.prisma:42`, `migrations/2024_...sql`)
|
|
206
278
|
- `schema_ref`: PRD section link — ONLY for `status: new` fields
|
|
207
279
|
- Omit this block entirely for UI-only, docs-only, or config-only cards.
|
|
208
|
-
- `
|
|
209
|
-
- For each card that introduces or modifies a
|
|
210
|
-
(
|
|
280
|
+
- `db_indexes` — propagated from PRD Section 5 `### Database Indexes & Query Optimization` table:
|
|
281
|
+
- For each card that introduces or modifies a query needing a multi-attribute index
|
|
282
|
+
(Firestore composite, SQL B-tree/covering, Mongo compound, DynamoDB GSI/LSI),
|
|
211
283
|
include the matching `IDX-N` entries from the PRD index table.
|
|
212
|
-
- Each entry: `
|
|
284
|
+
- Each entry: `entity`, `dialect` (matches `stack.database`), `fields`, `kind`, `query_location`, `prd_ref`.
|
|
213
285
|
- If the PRD has no index table or this card has no compound queries: omit the field entirely.
|
|
214
|
-
- **CRITICAL**: missing indexes
|
|
215
|
-
The coder MUST
|
|
286
|
+
- **CRITICAL**: missing indexes degrade performance or break production (Firestore: FAILED_PRECONDITION 500; SQL: sequential scan on hot path; DynamoDB: throttle on hot partition).
|
|
287
|
+
The coder MUST ship the index in the same commit as the query — per `stack.database` (firestore.indexes.json, migration file, createIndex call, table definition).
|
|
288
|
+
- Legacy field name `firestore_indexes` is still accepted for pre-3.15.0 cards.
|
|
216
289
|
- `documentation_impact` — list of docs to update when card is DONE:
|
|
217
290
|
- New `route.ts` -> `docs/references/api/<module>.md` + `api/index.md`
|
|
218
291
|
- New collection -> `docs/references/data-model.md` + `collections/<domain>.md`
|
|
@@ -43,7 +43,7 @@ Before reviewing:
|
|
|
43
43
|
3. **Flag security anti-patterns**: unsafe libraries, insecure framework usage, dangerous data flows.
|
|
44
44
|
4. **Review comprehensively**: authentication, authorization, session handling, secrets management, cryptography, input validation, output encoding, deserialization, file handling, logging, error handling.
|
|
45
45
|
5. **Assess attack vectors**: SSRF, XSS, CSRF, SQL/NoSQL injection, command injection, path traversal, RCE, IDOR, broken access control, race conditions, insecure randomness, data leakage.
|
|
46
|
-
6. **Evaluate cloud/infra risks**: IAM over-permissioning, public exposure, insecure storage, CI/CD secret leakage, supply chain risks, Firebase security rules.
|
|
46
|
+
6. **Evaluate cloud/infra risks**: IAM over-permissioning, public exposure, insecure storage, CI/CD secret leakage, supply chain risks, persistence-layer access rules (variant per `stack.database`: Firebase security rules, Supabase RLS policies, MongoDB validators + role-based collection access, DynamoDB IAM policies, Postgres GRANT/REVOKE + RLS).
|
|
47
47
|
7. **Assess privacy/data protection**: PII exposure, credential leakage, tokens in logs, internal ID exposure.
|
|
48
48
|
8. **Evaluate dependencies**: third-party integration risks visible in code or manifests.
|
|
49
49
|
9. **Propose remediations**: concrete, minimal, production-ready fixes.
|
|
@@ -1,8 +1,13 @@
|
|
|
1
1
|
# Logging Patterns & Debug Environment Reference
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
> Pick the section matching `stack.framework` from `baldart.config.yml`. The
|
|
4
|
+
> first section (Next.js) is the most common; sections for other frameworks
|
|
5
|
+
> follow the same intent: maximize signal during a debug session, with a way
|
|
6
|
+
> to turn it off cleanly when done.
|
|
4
7
|
|
|
5
|
-
|
|
8
|
+
## Next.js 16 Built-In Logging (`stack.framework: nextjs`)
|
|
9
|
+
|
|
10
|
+
Add to `next.config.ts` during debug sessions:
|
|
6
11
|
|
|
7
12
|
```typescript
|
|
8
13
|
logging: {
|
|
@@ -17,17 +22,49 @@ logging: {
|
|
|
17
22
|
|
|
18
23
|
`browserToTerminal` (v16.2+) is the most powerful: it streams client-side `console.*` to the dev server terminal with file:line:col source location. No code changes needed.
|
|
19
24
|
|
|
25
|
+
## Remix Built-In Logging (`stack.framework: remix`)
|
|
26
|
+
|
|
27
|
+
- Enable `loader` / `action` timing via `DEBUG=remix:*` env.
|
|
28
|
+
- For request logging, instrument `entry.server.ts` with a `handleRequest`
|
|
29
|
+
wrapper that logs method/path/duration.
|
|
30
|
+
- Browser console forwarding: not built-in; use a small client-side logger
|
|
31
|
+
posting to `/__debug` route handler during the session.
|
|
32
|
+
|
|
33
|
+
## SvelteKit (`stack.framework: sveltekit`)
|
|
34
|
+
|
|
35
|
+
- Enable verbose `vite` logging via `vite --debug` for build-time issues.
|
|
36
|
+
- `handle` hook in `hooks.server.ts` is the natural choke point: log
|
|
37
|
+
method/path/duration there during a session.
|
|
38
|
+
|
|
39
|
+
## Astro / Nuxt / Other
|
|
40
|
+
|
|
41
|
+
- Use the framework's request hook (Astro middleware, Nuxt `defineEventHandler`
|
|
42
|
+
wrapper) to log structured request/response data.
|
|
43
|
+
- Stick to plain `console.log` with a unique prefix that's easy to grep and
|
|
44
|
+
remove (e.g. `[BUG-1234]`).
|
|
45
|
+
|
|
46
|
+
## Generic fallback (any framework)
|
|
47
|
+
|
|
48
|
+
When the framework has no built-in equivalent, add `pino` or `winston` to the
|
|
49
|
+
project and emit JSON logs at every interesting choke point (request entry,
|
|
50
|
+
DB call, external API call). Remove on session close.
|
|
51
|
+
|
|
20
52
|
## Environment Variables for Debug Sessions
|
|
21
53
|
|
|
22
54
|
Set in `.env.local` during investigation, remove after:
|
|
23
55
|
|
|
24
56
|
```bash
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
57
|
+
# Examples — pick the ones matching this project's stack:
|
|
58
|
+
DEBUG_MODULES=<module>.<verb> # server-side module filter (project-specific)
|
|
59
|
+
DEBUG_DB=true # generic DB op tracing — name varies by stack:
|
|
60
|
+
# firestore → DEBUG_FIRESTORE=true
|
|
61
|
+
# supabase → SUPABASE_DEBUG=true
|
|
62
|
+
# postgres → DEBUG=knex:query (or your ORM's flag)
|
|
63
|
+
# mongo → DEBUG=mongoose:* (if using mongoose)
|
|
64
|
+
DEBUG_NETWORK=true # request/response logging
|
|
65
|
+
DEBUG_PROXY=true # proxy/middleware logging
|
|
66
|
+
NEXT_PUBLIC_DEBUG_COMPONENTS=<module> # Next.js only — client component logs (rebuild required)
|
|
67
|
+
NEXT_OTEL_VERBOSE=1 # Next.js only — verbose OpenTelemetry spans
|
|
31
68
|
NEXT_TURBOPACK_TRACING=1 # Turbopack bundler trace → .next/dev/trace-turbopack
|
|
32
69
|
```
|
|
33
70
|
|