baldart 4.0.1 → 4.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +30 -0
- package/VERSION +1 -1
- package/framework/.claude/agents/code-reviewer.md +4 -4
- package/framework/.claude/agents/doc-reviewer.md +2 -2
- package/framework/.claude/agents/plan-auditor.md +3 -3
- package/framework/.claude/agents/prd-card-writer.md +2 -2
- package/framework/.claude/agents/prd.md +2 -2
- package/framework/.claude/agents/visual-fidelity-verifier.md +2 -2
- package/framework/.claude/agents/wiki-curator.md +4 -4
- package/framework/.claude/commands/design-review.md +4 -4
- package/framework/.claude/skills/doc-writing-for-rag/SKILL.md +1 -1
- package/framework/.claude/skills/doc-writing-for-rag/references/before-after-examples.md +7 -1
- package/framework/.claude/skills/doc-writing-for-rag/references/compact-templates.md +7 -2
- package/framework/.claude/skills/doc-writing-for-rag/references/schemas-and-errors.md +5 -1
- package/framework/.claude/skills/e2e-review/SKILL.md +4 -4
- package/framework/.claude/skills/prd/references/api-perf-gate.md +1 -1
- package/framework/.claude/skills/prd/references/audit-phase.md +1 -1
- package/framework/.claude/skills/prd/references/impact-analysis.md +1 -1
- package/framework/.claude/skills/prd/references/validation-phase.md +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,36 @@ All notable changes to BALDART will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [4.0.3] - 2026-06-02
|
|
9
|
+
|
|
10
|
+
**Portability fix (round 3 — final): remove fidelity-app DOMAIN example-flavor from shipped framework files.** Closes the T13 portability sweep started in v4.0.1/4.0.2 by genericizing the consumer-domain vocabulary (`merchant`/`booking`/`reservation`/`merchant-theming`, `/merchant/dashboard` routes, `customer-facing vs merchant-facing`, `FEAT-0127-merchant-points-guard`, `area:customer|merchant|admin`) that survived as illustrative example flavor. No behaviour change → **PATCH**.
|
|
11
|
+
|
|
12
|
+
> **Why.** Even in prose examples, a consumer-domain noun teaches the wrong vocabulary and trips the `contamination.js` `requires-decision` rules. The fix distinguishes genuine fidelity-domain flavor (generalized) from legitimate generic English (`customer` in marketing/security "multi-tenant … customers"), the scanner's own meta-references (`framework-edit-gate.js`, `contamination.js`), and `project-context.md`'s explanation that these opinionated tokens belong in the overlay — all of which are correct and untouched.
|
|
13
|
+
|
|
14
|
+
### Changed — genericized domain example flavor
|
|
15
|
+
|
|
16
|
+
- **Example queries/routes** → placeholders: `wiki-curator.md` / `doc-reviewer.md` search examples (`<feature-X>` / `<entity>`); `visual-fidelity-verifier.md`, `commands/design-review.md`, `e2e-review/SKILL.md` route envelopes (`/dashboard` instead of `/merchant/dashboard`); `impact-analysis.md` worked-CR endpoint.
|
|
17
|
+
- **`prd.md`** — example card filename and `area:` labels reference `identity.audience_segments` instead of literal `merchant`/`customer`/`admin`.
|
|
18
|
+
- **`prd-card-writer.md`** — "split by audience segment (per `identity.audience_segments`)" instead of "customer-facing vs merchant-facing"; generic subsystem example.
|
|
19
|
+
- **`doc-writing-for-rag` reference files** (`before-after-examples.md`, `compact-templates.md`, `schemas-and-errors.md`) — added an "illustrative sample domain" disclaimer (the worked before/after corpus uses a sample API; only the *technique* is normative), rather than rewriting 290+ lines of self-contained illustration.
|
|
20
|
+
|
|
21
|
+
> **Note — out of scope, surfaced for a future pass.** Running `contamination.js` over the whole `framework/` payload also flags ~200 hard-coded **path literals** (`backlog/`, `docs/design-system/`, `src/components/…`) that should be `${paths.*}` config keys. A meaningful fraction are legitimate (config-template defaults, `PROJECT-CONFIGURATION.md` docs, canonical protocol examples), but the rest are a genuine, larger portability cleanup deserving its own dedicated pass — not bundled here.
|
|
22
|
+
|
|
23
|
+
## [4.0.2] - 2026-06-02
|
|
24
|
+
|
|
25
|
+
**Portability fix (round 2): remove hard-coded auth/deployment project identifiers from shipped framework files.** Companion to v4.0.1 — extends the de-contamination from the database dimension to the auth and deployment dimensions, where fidelity-app-specific identifiers (`withAuth`, `withAuthNoParams`, `src/lib/auth/middleware.ts`, `src/app/api/v1/...`, `BookingTable`, `ADMIN + MERCHANT`, "Vercel Functions") leaked into self-verification examples, detection-signal lists, and template fills. No behaviour change → **PATCH**.
|
|
26
|
+
|
|
27
|
+
> **Why.** A project-specific symbol baked into a shipped detection list or CoVe example is the same frozen-spot defect as a hard-coded datastore: the consumer's auth wrapper, role names, and deploy platform are `stack.*` / overlay facts. Genuinely platform-named integrations were left untouched because they are correct: the `vercel:deploy` skill documentation (that skill *is* Vercel-specific), the multi-platform deploy tables in `/new` ("firebase: … vercel: … aws: …"), the per-platform timeout/limit tables in `api-perf-gate.md`, and the config-driven `stack_signature` example in `research-phase.md` (which already shows both a Firestore and a Supabase example).
|
|
28
|
+
|
|
29
|
+
### Changed — generalized auth/deployment identifiers to placeholders / config keys
|
|
30
|
+
|
|
31
|
+
- **`code-reviewer.md`** + **`plan-auditor.md`** — the chain-of-verification example findings now use `<auth-wrapper>` / `<route-file>` / `<auth-module>` placeholders (resolved from `${paths.high_risk_modules}`) instead of `withAuth` + literal `src/app/api/v1/...` / `src/lib/auth/middleware.ts` paths.
|
|
32
|
+
- **`audit-phase.md`** — the auth-change detection signal cites "the project's auth-guard wrapper / permission helper (e.g. a `withAuth*`-style wrapper)" rather than the literal `withAuth` / `checkPermission` symbols.
|
|
33
|
+
- **`doc-writing-for-rag`** (SKILL + `compact-templates.md`) — endpoint template fills use `<authWrapper>` / `<ROLE_A>` / `<ROLE_B>` instead of `withAuthNoParams` / `ADMIN + MERCHANT`.
|
|
34
|
+
- **`api-perf-gate.md`** — the upload red-flag cites "the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`)".
|
|
35
|
+
- **`validation-phase.md`** — the logic-marker grep list covers datastore-access patterns per `stack.database` (not only `prisma` / `firestore.collection`).
|
|
36
|
+
- **`wiki-curator.md`**, **`doc-reviewer.md`** — illustrative example queries/paths use `<authWrapper>` / `<DomainType>` / `src/lib/<module>.ts#<symbol>` placeholders.
|
|
37
|
+
|
|
8
38
|
## [4.0.1] - 2026-06-02
|
|
9
39
|
|
|
10
40
|
**Portability fix: remove hard-coded `Firestore` assumptions from shipped framework files (T13 follow-up).** The v4.0.0 portability pass guarded most stack-specific checks behind `stack.database`, but a residual set of agent checklists and methodology blocks still *assumed* Firestore as the datastore — contamination that is dead-false (or misleading) on any non-Firestore consumer. No behaviour change for correctly-configured projects → **PATCH**.
|
package/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
4.0.
|
|
1
|
+
4.0.3
|
|
@@ -266,10 +266,10 @@ Emit findings of type `simulation_failure` with the file:line of the breaking br
|
|
|
266
266
|
|
|
267
267
|
After Challenge Pass + Diff Simulation, for EACH surviving HIGH/MEDIUM finding generate 2–3 verification questions and execute them via grep/read:
|
|
268
268
|
|
|
269
|
-
Example finding: "
|
|
270
|
-
1. `Does the file exist?` → `test -f
|
|
271
|
-
2. `Is there really no
|
|
272
|
-
3. `Is the route actually public per docs?` → `grep -l "
|
|
269
|
+
Example finding: "auth wrapper missing on POST handler at `<route-file>:45`" (here `<auth-wrapper>` is the project's auth guard — e.g. a `withAuth*`-style wrapper; resolve from `${paths.high_risk_modules}`):
|
|
270
|
+
1. `Does the file exist?` → `test -f <route-file>`
|
|
271
|
+
2. `Is there really no auth import or wrapper?` → `grep -n "<auth-wrapper>" <route-file>`
|
|
272
|
+
3. `Is the route actually public per docs?` → `grep -l "<route-path>" ${paths.references_dir}/api/`
|
|
273
273
|
|
|
274
274
|
Drop findings whose verification fails. Record dropped findings under "Hallucinated findings dropped (CoVe)".
|
|
275
275
|
|
|
@@ -119,7 +119,7 @@ the flags above.
|
|
|
119
119
|
`docs/ops/graph-communities-scheduling.md`:
|
|
120
120
|
- `search_synthesis(question, level="global")` — community-summary
|
|
121
121
|
retrieval. Use for relational / cross-cutting questions ("how does
|
|
122
|
-
auth interact with
|
|
122
|
+
auth interact with `<feature-X>`?", "what touches `<entity>`?").
|
|
123
123
|
- `search_synthesis(question, level="local")` — entity-centric retrieval
|
|
124
124
|
(specific identifier lookups; equivalent to `mode="local"`).
|
|
125
125
|
- `search_docs(mode="drift")` — GraphRAG DRIFT (`global` → scoped `local`),
|
|
@@ -393,7 +393,7 @@ function whose **identity** matters to the doc's correctness — you SHOULD add
|
|
|
393
393
|
a `code_refs:` entry to the doc's frontmatter that anchors the prose to a
|
|
394
394
|
compiler-stable SCIP symbol ID.
|
|
395
395
|
|
|
396
|
-
**Why**: prose paths like `src/lib
|
|
396
|
+
**Why**: prose paths like `src/lib/<module>.ts#<symbol>` rot silently
|
|
397
397
|
on rename. SCIP (Sourcegraph Code Intelligence Protocol) emits refactor-stable
|
|
398
398
|
symbol IDs that survive moves and renames as long as the index is rebuilt.
|
|
399
399
|
Research on LLM-driven doc-code traceability using SCIP-style anchors reports
|
|
@@ -306,9 +306,9 @@ Emit findings of type `simulation_failure` with the failing step number and the
|
|
|
306
306
|
|
|
307
307
|
After Challenge Pass and Simulation Pass, for EACH surviving HIGH/MEDIUM finding, generate 2–3 verification questions and execute them:
|
|
308
308
|
|
|
309
|
-
For example, finding "Card lists
|
|
310
|
-
1. `Does the file exist?` → `test -f
|
|
311
|
-
2. `Is the function at line 45?` → `grep -n "function
|
|
309
|
+
For example, finding "Card lists `<auth-module>:45` but the function `<auth-wrapper>` is at line 67" (where `<auth-module>` / `<auth-wrapper>` are the project's auth guard, resolved from `${paths.high_risk_modules}`):
|
|
310
|
+
1. `Does the file exist?` → `test -f <auth-module>`
|
|
311
|
+
2. `Is the function at line 45?` → `grep -n "function <auth-wrapper>" <auth-module>`
|
|
312
312
|
3. `Does the proposed signature match?` → read 5 lines around the actual location
|
|
313
313
|
|
|
314
314
|
Drop findings whose verification fails (i.e. the finding itself was wrong). Record them under "Hallucinated findings dropped (CoVe)".
|
|
@@ -211,14 +211,14 @@ Cards MUST be as atomic as possible to enable parallel execution:
|
|
|
211
211
|
|
|
212
212
|
**Splitting heuristics:**
|
|
213
213
|
- Split by concern: data model vs API vs UI vs docs
|
|
214
|
-
- Split by
|
|
214
|
+
- Split by audience segment (per `identity.audience_segments`)
|
|
215
215
|
- Split by module: each independent module = its own card
|
|
216
216
|
- Keep tightly coupled work together (e.g., a type + its only consumer)
|
|
217
217
|
|
|
218
218
|
**Anti-patterns to avoid:**
|
|
219
219
|
- Monolithic "Phase 1-7" cards embedding an entire feature
|
|
220
220
|
- XL cards with 15+ files — always split these
|
|
221
|
-
- Cards that mix independent subsystems (e.g.,
|
|
221
|
+
- Cards that mix independent subsystems (e.g., a service API + an unrelated feature's UI)
|
|
222
222
|
|
|
223
223
|
## Card Structure (MANDATORY — zero tolerance)
|
|
224
224
|
|
|
@@ -502,7 +502,7 @@ Before creating cards, scan `backlog/*.yml` to determine the next available numb
|
|
|
502
502
|
|
|
503
503
|
| Prefix | When to use | Example |
|
|
504
504
|
|--------|-------------|---------|
|
|
505
|
-
| `FEAT-NNNN-slug.yml` | Feature work | `FEAT-0127-
|
|
505
|
+
| `FEAT-NNNN-slug.yml` | Feature work | `FEAT-0127-user-rewards-guard.yml` |
|
|
506
506
|
| `BUG-NNNN-slug.yml` | Bug fixes | `BUG-0071-issue-197-dashboard-bugs.yml` |
|
|
507
507
|
| `UI-NNNN-slug.yml` | UI-only changes | `UI-0090-remove-install-pwa-cta.yml` |
|
|
508
508
|
| `DOC-NNNN-slug.yml` | Documentation only | `DOC-0001-privacy-policy-draft.yml` |
|
|
@@ -647,7 +647,7 @@ priority: HIGH
|
|
|
647
647
|
owner_agent: coder
|
|
648
648
|
|
|
649
649
|
github_issue: NNN # GitHub issue number
|
|
650
|
-
labels: [bug, area
|
|
650
|
+
labels: [bug, area:<segment>] # area:<segment> — values from identity.audience_segments
|
|
651
651
|
|
|
652
652
|
clarity_analysis: # MANDATORY per AGENTS.md for all bug cards
|
|
653
653
|
expected_behavior: "[What should happen]"
|
|
@@ -52,7 +52,7 @@ The orchestrator (`/e2e-review`) invokes you with this JSON payload:
|
|
|
52
52
|
```json
|
|
53
53
|
{
|
|
54
54
|
"card_id": "FEAT-XXXX",
|
|
55
|
-
"route": "/
|
|
55
|
+
"route": "/dashboard",
|
|
56
56
|
"viewport": { "width": 1440, "height": 900 },
|
|
57
57
|
"implementation_screenshot_path": "/abs/path/to/impl.png",
|
|
58
58
|
"mockup_source": {
|
|
@@ -183,7 +183,7 @@ Inflating or suppressing severity to match the mode is a protocol violation.
|
|
|
183
183
|
```json
|
|
184
184
|
{
|
|
185
185
|
"status": "completed" | "skipped" | "error",
|
|
186
|
-
"route": "/
|
|
186
|
+
"route": "/dashboard",
|
|
187
187
|
"mockup_source_level": "figma" | "local" | "compliance-only" | "skip",
|
|
188
188
|
"viewport": { "width": 1440, "height": 900 },
|
|
189
189
|
"compliance_score": 0.87,
|
|
@@ -102,12 +102,12 @@ exposed via dedicated MCP tools alongside `search_docs`:
|
|
|
102
102
|
- `search_synthesis(question, level="global")` — community-summary retrieval.
|
|
103
103
|
Use for **relational / cross-cutting** questions where the answer involves
|
|
104
104
|
multiple modules at once. Examples:
|
|
105
|
-
- "How does auth interact with
|
|
106
|
-
- "What touches the
|
|
107
|
-
- "Which areas share the
|
|
105
|
+
- "How does auth interact with `<feature-X>`?"
|
|
106
|
+
- "What touches the `<entity>` collection/table?"
|
|
107
|
+
- "Which areas share the `<shared-pattern>` (e.g. a theming/layout) pattern?"
|
|
108
108
|
- `search_synthesis(question, level="local")` — entity-centric retrieval
|
|
109
109
|
(delegates to the existing `local` mode). Use for **specific lookups** —
|
|
110
|
-
"what is
|
|
110
|
+
"what is `<authWrapper>`?", "show me the `<DomainType>` type definition".
|
|
111
111
|
- `search_docs(query, mode="drift")` (or the dedicated `search_drift` tool) —
|
|
112
112
|
the GraphRAG DRIFT pattern: first pick candidate communities via `global`,
|
|
113
113
|
then run a scoped `local` retrieval for each. Use when a question is both
|
|
@@ -11,7 +11,7 @@ This command supports two output modes, detected from the input prompt:
|
|
|
11
11
|
|
|
12
12
|
### Mode A — Interactive (default)
|
|
13
13
|
|
|
14
|
-
When the user invokes `/design-review` directly (input is a natural-language route reference, e.g. `/design-review /
|
|
14
|
+
When the user invokes `/design-review` directly (input is a natural-language route reference, e.g. `/design-review /dashboard`), produce the **Markdown report** described in steps 1–5 below. Use the Blockers/High/Medium/Nitpicks template from `agents/design-review.md` § Report Template.
|
|
15
15
|
|
|
16
16
|
### Mode B — Programmatic (invoked by `/e2e-review`)
|
|
17
17
|
|
|
@@ -23,7 +23,7 @@ When the input contains a JSON envelope with `"mode": "programmatic"` at any pos
|
|
|
23
23
|
{
|
|
24
24
|
"mode": "programmatic",
|
|
25
25
|
"card_id": "FEAT-XXXX",
|
|
26
|
-
"route": "/
|
|
26
|
+
"route": "/dashboard",
|
|
27
27
|
"viewport": { "width": 1440, "height": 900 },
|
|
28
28
|
"dev_server_port": 3000,
|
|
29
29
|
"registry_paths": {
|
|
@@ -46,7 +46,7 @@ When the input contains a JSON envelope with `"mode": "programmatic"` at any pos
|
|
|
46
46
|
{
|
|
47
47
|
"status": "completed" | "skipped" | "error",
|
|
48
48
|
"source": "design-review",
|
|
49
|
-
"route": "/
|
|
49
|
+
"route": "/dashboard",
|
|
50
50
|
"viewport": { "width": 1440, "height": 900 },
|
|
51
51
|
"findings": [
|
|
52
52
|
{
|
|
@@ -110,7 +110,7 @@ When the user invokes `/design-review`, do the following (in both modes — only
|
|
|
110
110
|
- Read `${paths.design_system}/tokens-reference.md`.
|
|
111
111
|
- Read `${paths.design_system}/components/<Name>.md` for every primitive expected on the route.
|
|
112
112
|
When the flag is `false`, skip the registry reads. In Mode A flag the gap in the final report and recommend `/design-system-init`. In Mode B add the gap to the `gaps[]` array of the JSON output.
|
|
113
|
-
1. Start with the route or component specified (e.g., `/
|
|
113
|
+
1. Start with the route or component specified (e.g., `/dashboard`) and open it in the MCP browser. In Mode B, use the `dev_server_port` from the input envelope to construct `http://localhost:<port><route>`.
|
|
114
114
|
2. Follow the Quick Visual Check in `agents/design-review.md` and run Phases 0‑7 (interaction, responsiveness, polish, accessibility, robustness, code health, content/console).
|
|
115
115
|
3. Capture at least one full-page screenshot at the viewport from the input (default 1440px) and note console errors. In Mode B save the screenshot at `/tmp/design-review/<route-slug>.png` and cite it in `evidence.screenshot_path`.
|
|
116
116
|
4. **Mode A**: report findings using the Markdown template in `agents/design-review.md` (Blockers/High/Medium/Nitpicks). **Mode B**: assemble the JSON output described above, normalizing severity per the table.
|
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
# Before/After Examples — Wave 1+2+3 Compression
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
> **Illustrative sample domain.** The endpoints, routes, and entity names below
|
|
4
|
+
> (booking/rooms, menu/items, reservations planner, etc.) are a SAMPLE domain used
|
|
5
|
+
> only to demonstrate the doc-compaction techniques — they are not part of any
|
|
6
|
+
> consumer's API. Apply the *technique* (the before→after transformation), not the
|
|
7
|
+
> example's vocabulary, to your own `${paths.references_dir}` docs.
|
|
8
|
+
|
|
9
|
+
Concrete cases validated on a real corpus. For each example: before, after, technique applied.
|
|
4
10
|
|
|
5
11
|
## Example 1 — API Endpoint (booking.md)
|
|
6
12
|
|
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
# Compact Templates
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
> **Illustrative sample domain.** Endpoint paths, routes, roles, and entity names in
|
|
4
|
+
> the filled examples below are a SAMPLE domain for demonstrating the template shapes —
|
|
5
|
+
> substitute your project's own (auth wrapper, roles from `identity.audience_segments`,
|
|
6
|
+
> routes, entities). Only the template *structure* is normative.
|
|
7
|
+
|
|
8
|
+
Templates validated on 45 files across 3 compression waves. Each template includes: before/after, line count, critical notes.
|
|
4
9
|
|
|
5
10
|
## API Endpoint Template
|
|
6
11
|
|
|
@@ -9,7 +14,7 @@ Template validati su 45 file in 3 wave di compressione. Ogni template include: b
|
|
|
9
14
|
```markdown
|
|
10
15
|
### POST /api/v1/domain/resource
|
|
11
16
|
|
|
12
|
-
**Auth**:
|
|
17
|
+
**Auth**: `<authWrapper>` | **Access**: `<ROLE_A>` + `<ROLE_B>`
|
|
13
18
|
|
|
14
19
|
**Body**:
|
|
15
20
|
| Field | Type | Required | Desc |
|
|
@@ -1,6 +1,10 @@
|
|
|
1
1
|
# Schemas & Errors — Central Reference Files
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
> **Illustrative sample domain.** Error codes, routes, and entity names in the
|
|
4
|
+
> examples below are a SAMPLE domain — substitute your own. Only the protocol
|
|
5
|
+
> (central schema/error files, anchor cross-referencing) is normative.
|
|
6
|
+
|
|
7
|
+
Protocol for using and extending `${paths.api_schemas}` and `${paths.api_errors}` (typically `docs/references/api/schemas.md` and `docs/references/errors.md`).
|
|
4
8
|
|
|
5
9
|
> **Note**: the schema names and domain sections below come from a real project (a multi-merchant fidelity/loyalty platform) and are kept as a concrete example. Replace them with your own domain entities when applying this skill to a new project — the project-specific domain vocabulary lives in `.baldart/overlays/doc-writing-for-rag.md`.
|
|
6
10
|
|
|
@@ -154,7 +154,7 @@ system constraints into a machine-readable verification plan.
|
|
|
154
154
|
{
|
|
155
155
|
"card_id": "FEAT-XXXX",
|
|
156
156
|
"title": "...",
|
|
157
|
-
"routes": ["/
|
|
157
|
+
"routes": ["/dashboard", "/dashboard/edit"],
|
|
158
158
|
"personas": [{"name": "merchant", "auth": "password", "creds": {...}}],
|
|
159
159
|
"data_prerequisites": ["seed merchant 'demo'", "create one paid booking"],
|
|
160
160
|
"scenarios": [
|
|
@@ -162,11 +162,11 @@ system constraints into a machine-readable verification plan.
|
|
|
162
162
|
"id": "AC-1",
|
|
163
163
|
"name": "Merchant can update store hours",
|
|
164
164
|
"gherkin": "Feature: ...",
|
|
165
|
-
"routes_touched": ["/
|
|
165
|
+
"routes_touched": ["/settings/hours"]
|
|
166
166
|
}
|
|
167
167
|
],
|
|
168
168
|
"non_functional_checks": ["loads in < 2s on slow 3G"],
|
|
169
|
-
"mockup_refs": [{"route": "/
|
|
169
|
+
"mockup_refs": [{"route": "/dashboard", "level": "local", "path": "mockups/dashboard.png"}]
|
|
170
170
|
}
|
|
171
171
|
```
|
|
172
172
|
|
|
@@ -336,7 +336,7 @@ For each `route` in `plan.routes[]`:
|
|
|
336
336
|
Input payload:
|
|
337
337
|
{
|
|
338
338
|
"card_id": "FEAT-XXXX",
|
|
339
|
-
"route": "/
|
|
339
|
+
"route": "/dashboard",
|
|
340
340
|
"viewport": { "width": 1440, "height": 900 },
|
|
341
341
|
"implementation_screenshot_path": ".baldart/e2e-review/FEAT-XXXX/screenshots/merchant-dashboard.png",
|
|
342
342
|
"mockup_source": { ... },
|
|
@@ -70,7 +70,7 @@ Scan the PRD text for these keywords. Each match = a finding.
|
|
|
70
70
|
| "global counter" / "total X" / "increment count" / "contatore" | Transaction hotspot (serializes writers) | HIGH |
|
|
71
71
|
| "no limit" / "unlimited" / "senza limiti" / "illimitato" | Unbounded data growth | HIGH |
|
|
72
72
|
| "save all in document" / "embed list" / "array nel documento" | Unbounded array in doc (max 1MB, degrades at 40K) | HIGH |
|
|
73
|
-
| "upload file/image via API" / "carica file" | 4.5MB
|
|
73
|
+
| "upload file/image via API" / "carica file" | the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`) | HIGH |
|
|
74
74
|
| "search by name" / "full-text search" / "cerca per nome" | Many DBs need a dedicated search index (Algolia/Typesense/Postgres FTS/Mongo Atlas Search) — DB-specific | HIGH |
|
|
75
75
|
| "page N" / "skip" / "offset" / "pagina N" | Offset pagination is inefficient in most DBs (Firestore charges for skipped docs; SQL scans them) | MEDIUM |
|
|
76
76
|
| "send email/SMS" in request path / "invia email/SMS" | Blocking I/O in request path (use waitUntil / background job) | MEDIUM |
|
|
@@ -23,7 +23,7 @@ Scan each card for security signals to decide whether the `security-reviewer` ag
|
|
|
23
23
|
| Signal | Where to look |
|
|
24
24
|
|--------|---------------|
|
|
25
25
|
| **New or modified API route** | `files_likely_touched` contains `route.ts`, `api/`, or requirements mention new endpoints |
|
|
26
|
-
| **Authentication/authorization changes** | Requirements/files mention `withAuth
|
|
26
|
+
| **Authentication/authorization changes** | Requirements/files mention the project's auth-guard wrapper or permission helper (e.g. a `withAuth*`-style wrapper / `checkPermission`-style guard — resolve from `${paths.high_risk_modules}`), or generic markers: `permissions`, login, session, token, JWT, OAuth |
|
|
27
27
|
| **Persistence-layer access rules** | `files_likely_touched` contains rule/policy files matching `stack.database` (e.g. `firestore.rules`, Supabase RLS migration, MongoDB validator) or requirements mention rule changes |
|
|
28
28
|
| **External integrations** | Requirements mention webhooks, third-party APIs, payment, SMS, email providers, or external callbacks |
|
|
29
29
|
| **File upload or media handling** | Requirements mention upload, image, file, media, or `files_likely_touched` contains upload/media paths |
|
|
@@ -248,7 +248,7 @@ touchpoints into the existing ISA table; assign new ISA-N IDs.
|
|
|
248
248
|
|
|
249
249
|
## Worked Example
|
|
250
250
|
|
|
251
|
-
**CR: "Add POST /api/v1/
|
|
251
|
+
**CR: "Add POST /api/v1/reservations/bulk-confirm for batch confirmation"**
|
|
252
252
|
|
|
253
253
|
Change type: Addition (new endpoint)
|
|
254
254
|
|
|
@@ -18,7 +18,7 @@ Mark task 5 as `in_progress`.
|
|
|
18
18
|
|
|
19
19
|
b. **UI-only scope heuristic (WARN — soft gate, not blocking)** — for each card with `owner_agent: ui-expert`:
|
|
20
20
|
- Concatenate `scope.summary`, `requirements[]`, and `acceptance_criteria[]` into one lowercase string.
|
|
21
|
-
- Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, `prisma`, `firestore.collection`, `auth flow`, `token storage`, `webhook`, `cron`.
|
|
21
|
+
- Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, and datastore-access patterns per `stack.database` (e.g. `prisma`, `.from(` / SQL client, `firestore.collection`, `db.collection`), `auth flow`, `token storage`, `webhook`, `cron`.
|
|
22
22
|
- For each marker hit, log a WARN line in the audit output:
|
|
23
23
|
`"[UI-SCOPE-WARN] Card <ID> (ui-expert) mentions '<marker>' — review whether logic belongs in a sibling coder card. See backlog-phase.md § Rule B."`
|
|
24
24
|
- The check is intentionally a soft gate: substrings like "API contract per il mock" or "consumes the auth state from `useAuth()`" are legitimate UI references. The WARN exists to prompt human review, not to block.
|