baldart 4.0.1 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -5,6 +5,21 @@ All notable changes to BALDART will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [4.0.2] - 2026-06-02
9
+
10
+ **Portability fix (round 2): remove hard-coded auth/deployment project identifiers from shipped framework files.** Companion to v4.0.1 — extends the de-contamination from the database dimension to the auth and deployment dimensions, where fidelity-app-specific identifiers (`withAuth`, `withAuthNoParams`, `src/lib/auth/middleware.ts`, `src/app/api/v1/...`, `BookingTable`, `ADMIN + MERCHANT`, "Vercel Functions") leaked into self-verification examples, detection-signal lists, and template fills. No behaviour change → **PATCH**.
11
+
12
+ > **Why.** A project-specific symbol baked into a shipped detection list or CoVe example is the same frozen-spot defect as a hard-coded datastore: the consumer's auth wrapper, role names, and deploy platform are `stack.*` / overlay facts. Genuinely platform-named integrations were left untouched because they are correct: the `vercel:deploy` skill documentation (that skill *is* Vercel-specific), the multi-platform deploy tables in `/new` ("firebase: … vercel: … aws: …"), the per-platform timeout/limit tables in `api-perf-gate.md`, and the config-driven `stack_signature` example in `research-phase.md` (which already shows both a Firestore and a Supabase example).
13
+
14
+ ### Changed — generalized auth/deployment identifiers to placeholders / config keys
15
+
16
+ - **`code-reviewer.md`** + **`plan-auditor.md`** — the chain-of-verification example findings now use `<auth-wrapper>` / `<route-file>` / `<auth-module>` placeholders (resolved from `${paths.high_risk_modules}`) instead of `withAuth` + literal `src/app/api/v1/...` / `src/lib/auth/middleware.ts` paths.
17
+ - **`audit-phase.md`** — the auth-change detection signal cites "the project's auth-guard wrapper / permission helper (e.g. a `withAuth*`-style wrapper)" rather than the literal `withAuth` / `checkPermission` symbols.
18
+ - **`doc-writing-for-rag`** (SKILL + `compact-templates.md`) — endpoint template fills use `<authWrapper>` / `<ROLE_A>` / `<ROLE_B>` instead of `withAuthNoParams` / `ADMIN + MERCHANT`.
19
+ - **`api-perf-gate.md`** — the upload red-flag cites "the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`)".
20
+ - **`validation-phase.md`** — the logic-marker grep list covers datastore-access patterns per `stack.database` (not only `prisma` / `firestore.collection`).
21
+ - **`wiki-curator.md`**, **`doc-reviewer.md`** — illustrative example queries/paths use `<authWrapper>` / `<DomainType>` / `src/lib/<module>.ts#<symbol>` placeholders.
22
+
8
23
  ## [4.0.1] - 2026-06-02
9
24
 
10
25
  **Portability fix: remove hard-coded `Firestore` assumptions from shipped framework files (T13 follow-up).** The v4.0.0 portability pass guarded most stack-specific checks behind `stack.database`, but a residual set of agent checklists and methodology blocks still *assumed* Firestore as the datastore — contamination that is dead-false (or misleading) on any non-Firestore consumer. No behaviour change for correctly-configured projects → **PATCH**.
package/VERSION CHANGED
@@ -1 +1 @@
1
- 4.0.1
1
+ 4.0.2
@@ -266,10 +266,10 @@ Emit findings of type `simulation_failure` with the file:line of the breaking br
266
266
 
267
267
  After Challenge Pass + Diff Simulation, for EACH surviving HIGH/MEDIUM finding generate 2–3 verification questions and execute them via grep/read:
268
268
 
269
- Example finding: "withAuth missing on POST handler at `src/app/api/v1/foo/route.ts:45`":
270
- 1. `Does the file exist?` → `test -f src/app/api/v1/foo/route.ts`
271
- 2. `Is there really no withAuth import or wrapper?` → `grep -n "withAuth" src/app/api/v1/foo/route.ts`
272
- 3. `Is the route actually public per docs?` → `grep -l "api/v1/foo" docs/references/api/`
269
+ Example finding: "auth wrapper missing on POST handler at `<route-file>:45`" (here `<auth-wrapper>` is the project's auth guard — e.g. a `withAuth*`-style wrapper; resolve from `${paths.high_risk_modules}`):
270
+ 1. `Does the file exist?` → `test -f <route-file>`
271
+ 2. `Is there really no auth import or wrapper?` → `grep -n "<auth-wrapper>" <route-file>`
272
+ 3. `Is the route actually public per docs?` → `grep -l "<route-path>" ${paths.references_dir}/api/`
273
273
 
274
274
  Drop findings whose verification fails. Record dropped findings under "Hallucinated findings dropped (CoVe)".
275
275
 
@@ -393,7 +393,7 @@ function whose **identity** matters to the doc's correctness — you SHOULD add
393
393
  a `code_refs:` entry to the doc's frontmatter that anchors the prose to a
394
394
  compiler-stable SCIP symbol ID.
395
395
 
396
- **Why**: prose paths like `src/lib/auth/middleware.ts#withAuth` rot silently
396
+ **Why**: prose paths like `src/lib/<module>.ts#<symbol>` rot silently
397
397
  on rename. SCIP (Sourcegraph Code Intelligence Protocol) emits refactor-stable
398
398
  symbol IDs that survive moves and renames as long as the index is rebuilt.
399
399
  Research on LLM-driven doc-code traceability using SCIP-style anchors reports
@@ -306,9 +306,9 @@ Emit findings of type `simulation_failure` with the failing step number and the
306
306
 
307
307
  After Challenge Pass and Simulation Pass, for EACH surviving HIGH/MEDIUM finding, generate 2–3 verification questions and execute them:
308
308
 
309
- For example, finding "Card lists `src/lib/auth/middleware.ts:45` but the function `withAuth` is at line 67":
310
- 1. `Does the file exist?` → `test -f src/lib/auth/middleware.ts`
311
- 2. `Is the function at line 45?` → `grep -n "function withAuth" src/lib/auth/middleware.ts`
309
+ For example, finding "Card lists `<auth-module>:45` but the function `<auth-wrapper>` is at line 67" (where `<auth-module>` / `<auth-wrapper>` are the project's auth guard, resolved from `${paths.high_risk_modules}`):
310
+ 1. `Does the file exist?` → `test -f <auth-module>`
311
+ 2. `Is the function at line 45?` → `grep -n "function <auth-wrapper>" <auth-module>`
312
312
  3. `Does the proposed signature match?` → read 5 lines around the actual location
313
313
 
314
314
  Drop findings whose verification fails (i.e. the finding itself was wrong). Record them under "Hallucinated findings dropped (CoVe)".
@@ -107,7 +107,7 @@ exposed via dedicated MCP tools alongside `search_docs`:
107
107
  - "Which areas share the merchant-theming pattern?"
108
108
  - `search_synthesis(question, level="local")` — entity-centric retrieval
109
109
  (delegates to the existing `local` mode). Use for **specific lookups** —
110
- "what is `withAuth`?", "show me the BookingTable type definition".
110
+ "what is `<authWrapper>`?", "show me the `<DomainType>` type definition".
111
111
  - `search_docs(query, mode="drift")` (or the dedicated `search_drift` tool) —
112
112
  the GraphRAG DRIFT pattern: first pick candidate communities via `global`,
113
113
  then run a scoped `local` retrieval for each. Use when a question is both
@@ -48,7 +48,7 @@ Do NOT load for:
48
48
  ```markdown
49
49
  ### POST /api/v1/domain/resource
50
50
 
51
- **Auth**: withAuthNoParams | **Access**: ADMIN + MERCHANT
51
+ **Auth**: `<authWrapper>` | **Access**: `<ROLE_A>` + `<ROLE_B>`
52
52
 
53
53
  **Body**:
54
54
  | Field | Type | Required | Desc |
@@ -9,7 +9,7 @@ Template validati su 45 file in 3 wave di compressione. Ogni template include: b
9
9
  ```markdown
10
10
  ### POST /api/v1/domain/resource
11
11
 
12
- **Auth**: withAuthNoParams | **Access**: ADMIN + MERCHANT
12
+ **Auth**: `<authWrapper>` | **Access**: `<ROLE_A>` + `<ROLE_B>`
13
13
 
14
14
  **Body**:
15
15
  | Field | Type | Required | Desc |
@@ -70,7 +70,7 @@ Scan the PRD text for these keywords. Each match = a finding.
70
70
  | "global counter" / "total X" / "increment count" / "contatore" | Transaction hotspot (serializes writers) | HIGH |
71
71
  | "no limit" / "unlimited" / "senza limiti" / "illimitato" | Unbounded data growth | HIGH |
72
72
  | "save all in document" / "embed list" / "array nel documento" | Unbounded array in doc (max 1MB, degrades at 40K) | HIGH |
73
- | "upload file/image via API" / "carica file" | 4.5MB payload limit on Vercel Functions | HIGH |
73
+ | "upload file/image via API" / "carica file" | the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`) | HIGH |
74
74
  | "search by name" / "full-text search" / "cerca per nome" | Many DBs need a dedicated search index (Algolia/Typesense/Postgres FTS/Mongo Atlas Search) — DB-specific | HIGH |
75
75
  | "page N" / "skip" / "offset" / "pagina N" | Offset pagination is inefficient in most DBs (Firestore charges for skipped docs; SQL scans them) | MEDIUM |
76
76
  | "send email/SMS" in request path / "invia email/SMS" | Blocking I/O in request path (use waitUntil / background job) | MEDIUM |
@@ -23,7 +23,7 @@ Scan each card for security signals to decide whether the `security-reviewer` ag
23
23
  | Signal | Where to look |
24
24
  |--------|---------------|
25
25
  | **New or modified API route** | `files_likely_touched` contains `route.ts`, `api/`, or requirements mention new endpoints |
26
- | **Authentication/authorization changes** | Requirements/files mention `withAuth`, `checkPermission`, `permissions`, login, session, token, JWT, OAuth |
26
+ | **Authentication/authorization changes** | Requirements/files mention the project's auth-guard wrapper or permission helper (e.g. a `withAuth*`-style wrapper / `checkPermission`-style guard — resolve from `${paths.high_risk_modules}`), or generic markers: `permissions`, login, session, token, JWT, OAuth |
27
27
  | **Persistence-layer access rules** | `files_likely_touched` contains rule/policy files matching `stack.database` (e.g. `firestore.rules`, Supabase RLS migration, MongoDB validator) or requirements mention rule changes |
28
28
  | **External integrations** | Requirements mention webhooks, third-party APIs, payment, SMS, email providers, or external callbacks |
29
29
  | **File upload or media handling** | Requirements mention upload, image, file, media, or `files_likely_touched` contains upload/media paths |
@@ -18,7 +18,7 @@ Mark task 5 as `in_progress`.
18
18
 
19
19
  b. **UI-only scope heuristic (WARN — soft gate, not blocking)** — for each card with `owner_agent: ui-expert`:
20
20
  - Concatenate `scope.summary`, `requirements[]`, and `acceptance_criteria[]` into one lowercase string.
21
- - Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, `prisma`, `firestore.collection`, `auth flow`, `token storage`, `webhook`, `cron`.
21
+ - Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, and datastore-access patterns per `stack.database` (e.g. `prisma`, `.from(` / SQL client, `firestore.collection`, `db.collection`), `auth flow`, `token storage`, `webhook`, `cron`.
22
22
  - For each marker hit, log a WARN line in the audit output:
23
23
  `"[UI-SCOPE-WARN] Card <ID> (ui-expert) mentions '<marker>' — review whether logic belongs in a sibling coder card. See backlog-phase.md § Rule B."`
24
24
  - The check is intentionally a soft gate: substrings like "API contract per il mock" or "consumes the auth state from `useAuth()`" are legitimate UI references. The WARN exists to prompt human review, not to block.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "baldart",
3
- "version": "4.0.1",
3
+ "version": "4.0.2",
4
4
  "description": "Claude Agent Framework - Reusable framework for coordinating AI agents and humans in software projects",
5
5
  "bin": {
6
6
  "baldart": "./bin/baldart.js"