baldart 4.0.1 → 4.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -5,6 +5,36 @@ All notable changes to BALDART will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [4.0.3] - 2026-06-02
9
+
10
+ **Portability fix (round 3 — final): remove fidelity-app DOMAIN example-flavor from shipped framework files.** Closes the T13 portability sweep started in v4.0.1/4.0.2 by genericizing the consumer-domain vocabulary (`merchant`/`booking`/`reservation`/`merchant-theming`, `/merchant/dashboard` routes, `customer-facing vs merchant-facing`, `FEAT-0127-merchant-points-guard`, `area:customer|merchant|admin`) that survived as illustrative example flavor. No behaviour change → **PATCH**.
11
+
12
+ > **Why.** Even in prose examples, a consumer-domain noun teaches the wrong vocabulary and trips the `contamination.js` `requires-decision` rules. The fix distinguishes genuine fidelity-domain flavor (generalized) from legitimate generic English (`customer` in marketing/security "multi-tenant … customers"), the scanner's own meta-references (`framework-edit-gate.js`, `contamination.js`), and `project-context.md`'s explanation that these opinionated tokens belong in the overlay — all of which are correct and untouched.
13
+
14
+ ### Changed — genericized domain example flavor
15
+
16
+ - **Example queries/routes** → placeholders: `wiki-curator.md` / `doc-reviewer.md` search examples (`<feature-X>` / `<entity>`); `visual-fidelity-verifier.md`, `commands/design-review.md`, `e2e-review/SKILL.md` route envelopes (`/dashboard` instead of `/merchant/dashboard`); `impact-analysis.md` worked-CR endpoint.
17
+ - **`prd.md`** — example card filename and `area:` labels reference `identity.audience_segments` instead of literal `merchant`/`customer`/`admin`.
18
+ - **`prd-card-writer.md`** — "split by audience segment (per `identity.audience_segments`)" instead of "customer-facing vs merchant-facing"; generic subsystem example.
19
+ - **`doc-writing-for-rag` reference files** (`before-after-examples.md`, `compact-templates.md`, `schemas-and-errors.md`) — added an "illustrative sample domain" disclaimer (the worked before/after corpus uses a sample API; only the *technique* is normative), rather than rewriting 290+ lines of self-contained illustration.
20
+
21
+ > **Note — out of scope, surfaced for a future pass.** Running `contamination.js` over the whole `framework/` payload also flags ~200 hard-coded **path literals** (`backlog/`, `docs/design-system/`, `src/components/…`) that should be `${paths.*}` config keys. A meaningful fraction are legitimate (config-template defaults, `PROJECT-CONFIGURATION.md` docs, canonical protocol examples), but the rest are a genuine, larger portability cleanup deserving its own dedicated pass — not bundled here.
22
+
23
+ ## [4.0.2] - 2026-06-02
24
+
25
+ **Portability fix (round 2): remove hard-coded auth/deployment project identifiers from shipped framework files.** Companion to v4.0.1 — extends the de-contamination from the database dimension to the auth and deployment dimensions, where fidelity-app-specific identifiers (`withAuth`, `withAuthNoParams`, `src/lib/auth/middleware.ts`, `src/app/api/v1/...`, `BookingTable`, `ADMIN + MERCHANT`, "Vercel Functions") leaked into self-verification examples, detection-signal lists, and template fills. No behaviour change → **PATCH**.
26
+
27
+ > **Why.** A project-specific symbol baked into a shipped detection list or CoVe example is the same frozen-spot defect as a hard-coded datastore: the consumer's auth wrapper, role names, and deploy platform are `stack.*` / overlay facts. Genuinely platform-named integrations were left untouched because they are correct: the `vercel:deploy` skill documentation (that skill *is* Vercel-specific), the multi-platform deploy tables in `/new` ("firebase: … vercel: … aws: …"), the per-platform timeout/limit tables in `api-perf-gate.md`, and the config-driven `stack_signature` example in `research-phase.md` (which already shows both a Firestore and a Supabase example).
28
+
29
+ ### Changed — generalized auth/deployment identifiers to placeholders / config keys
30
+
31
+ - **`code-reviewer.md`** + **`plan-auditor.md`** — the chain-of-verification example findings now use `<auth-wrapper>` / `<route-file>` / `<auth-module>` placeholders (resolved from `${paths.high_risk_modules}`) instead of `withAuth` + literal `src/app/api/v1/...` / `src/lib/auth/middleware.ts` paths.
32
+ - **`audit-phase.md`** — the auth-change detection signal cites "the project's auth-guard wrapper / permission helper (e.g. a `withAuth*`-style wrapper)" rather than the literal `withAuth` / `checkPermission` symbols.
33
+ - **`doc-writing-for-rag`** (SKILL + `compact-templates.md`) — endpoint template fills use `<authWrapper>` / `<ROLE_A>` / `<ROLE_B>` instead of `withAuthNoParams` / `ADMIN + MERCHANT`.
34
+ - **`api-perf-gate.md`** — the upload red-flag cites "the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`)".
35
+ - **`validation-phase.md`** — the logic-marker grep list covers datastore-access patterns per `stack.database` (not only `prisma` / `firestore.collection`).
36
+ - **`wiki-curator.md`**, **`doc-reviewer.md`** — illustrative example queries/paths use `<authWrapper>` / `<DomainType>` / `src/lib/<module>.ts#<symbol>` placeholders.
37
+
8
38
  ## [4.0.1] - 2026-06-02
9
39
 
10
40
  **Portability fix: remove hard-coded `Firestore` assumptions from shipped framework files (T13 follow-up).** The v4.0.0 portability pass guarded most stack-specific checks behind `stack.database`, but a residual set of agent checklists and methodology blocks still *assumed* Firestore as the datastore — contamination that is dead-false (or misleading) on any non-Firestore consumer. No behaviour change for correctly-configured projects → **PATCH**.
package/VERSION CHANGED
@@ -1 +1 @@
1
- 4.0.1
1
+ 4.0.3
@@ -266,10 +266,10 @@ Emit findings of type `simulation_failure` with the file:line of the breaking br
266
266
 
267
267
  After Challenge Pass + Diff Simulation, for EACH surviving HIGH/MEDIUM finding generate 2–3 verification questions and execute them via grep/read:
268
268
 
269
- Example finding: "withAuth missing on POST handler at `src/app/api/v1/foo/route.ts:45`":
270
- 1. `Does the file exist?` → `test -f src/app/api/v1/foo/route.ts`
271
- 2. `Is there really no withAuth import or wrapper?` → `grep -n "withAuth" src/app/api/v1/foo/route.ts`
272
- 3. `Is the route actually public per docs?` → `grep -l "api/v1/foo" docs/references/api/`
269
+ Example finding: "auth wrapper missing on POST handler at `<route-file>:45`" (here `<auth-wrapper>` is the project's auth guard — e.g. a `withAuth*`-style wrapper; resolve from `${paths.high_risk_modules}`):
270
+ 1. `Does the file exist?` → `test -f <route-file>`
271
+ 2. `Is there really no auth import or wrapper?` → `grep -n "<auth-wrapper>" <route-file>`
272
+ 3. `Is the route actually public per docs?` → `grep -l "<route-path>" ${paths.references_dir}/api/`
273
273
 
274
274
  Drop findings whose verification fails. Record dropped findings under "Hallucinated findings dropped (CoVe)".
275
275
 
@@ -119,7 +119,7 @@ the flags above.
119
119
  `docs/ops/graph-communities-scheduling.md`:
120
120
  - `search_synthesis(question, level="global")` — community-summary
121
121
  retrieval. Use for relational / cross-cutting questions ("how does
122
- auth interact with booking?", "what touches reservations?").
122
+ auth interact with `<feature-X>`?", "what touches `<entity>`?").
123
123
  - `search_synthesis(question, level="local")` — entity-centric retrieval
124
124
  (specific identifier lookups; equivalent to `mode="local"`).
125
125
  - `search_docs(mode="drift")` — GraphRAG DRIFT (`global` → scoped `local`),
@@ -393,7 +393,7 @@ function whose **identity** matters to the doc's correctness — you SHOULD add
393
393
  a `code_refs:` entry to the doc's frontmatter that anchors the prose to a
394
394
  compiler-stable SCIP symbol ID.
395
395
 
396
- **Why**: prose paths like `src/lib/auth/middleware.ts#withAuth` rot silently
396
+ **Why**: prose paths like `src/lib/<module>.ts#<symbol>` rot silently
397
397
  on rename. SCIP (Sourcegraph Code Intelligence Protocol) emits refactor-stable
398
398
  symbol IDs that survive moves and renames as long as the index is rebuilt.
399
399
  Research on LLM-driven doc-code traceability using SCIP-style anchors reports
@@ -306,9 +306,9 @@ Emit findings of type `simulation_failure` with the failing step number and the
306
306
 
307
307
  After Challenge Pass and Simulation Pass, for EACH surviving HIGH/MEDIUM finding, generate 2–3 verification questions and execute them:
308
308
 
309
- For example, finding "Card lists `src/lib/auth/middleware.ts:45` but the function `withAuth` is at line 67":
310
- 1. `Does the file exist?` → `test -f src/lib/auth/middleware.ts`
311
- 2. `Is the function at line 45?` → `grep -n "function withAuth" src/lib/auth/middleware.ts`
309
+ For example, finding "Card lists `<auth-module>:45` but the function `<auth-wrapper>` is at line 67" (where `<auth-module>` / `<auth-wrapper>` are the project's auth guard, resolved from `${paths.high_risk_modules}`):
310
+ 1. `Does the file exist?` → `test -f <auth-module>`
311
+ 2. `Is the function at line 45?` → `grep -n "function <auth-wrapper>" <auth-module>`
312
312
  3. `Does the proposed signature match?` → read 5 lines around the actual location
313
313
 
314
314
  Drop findings whose verification fails (i.e. the finding itself was wrong). Record them under "Hallucinated findings dropped (CoVe)".
@@ -211,14 +211,14 @@ Cards MUST be as atomic as possible to enable parallel execution:
211
211
 
212
212
  **Splitting heuristics:**
213
213
  - Split by concern: data model vs API vs UI vs docs
214
- - Split by user persona: customer-facing vs merchant-facing
214
+ - Split by audience segment (per `identity.audience_segments`)
215
215
  - Split by module: each independent module = its own card
216
216
  - Keep tightly coupled work together (e.g., a type + its only consumer)
217
217
 
218
218
  **Anti-patterns to avoid:**
219
219
  - Monolithic "Phase 1-7" cards embedding an entire feature
220
220
  - XL cards with 15+ files — always split these
221
- - Cards that mix independent subsystems (e.g., booking API + promo UI)
221
+ - Cards that mix independent subsystems (e.g., a service API + an unrelated feature's UI)
222
222
 
223
223
  ## Card Structure (MANDATORY — zero tolerance)
224
224
 
@@ -502,7 +502,7 @@ Before creating cards, scan `backlog/*.yml` to determine the next available numb
502
502
 
503
503
  | Prefix | When to use | Example |
504
504
  |--------|-------------|---------|
505
- | `FEAT-NNNN-slug.yml` | Feature work | `FEAT-0127-merchant-points-guard.yml` |
505
+ | `FEAT-NNNN-slug.yml` | Feature work | `FEAT-0127-user-rewards-guard.yml` |
506
506
  | `BUG-NNNN-slug.yml` | Bug fixes | `BUG-0071-issue-197-dashboard-bugs.yml` |
507
507
  | `UI-NNNN-slug.yml` | UI-only changes | `UI-0090-remove-install-pwa-cta.yml` |
508
508
  | `DOC-NNNN-slug.yml` | Documentation only | `DOC-0001-privacy-policy-draft.yml` |
@@ -647,7 +647,7 @@ priority: HIGH
647
647
  owner_agent: coder
648
648
 
649
649
  github_issue: NNN # GitHub issue number
650
- labels: [bug, area:customer] # area:customer | area:merchant | area:admin
650
+ labels: [bug, area:<segment>] # area:<segment> values from identity.audience_segments
651
651
 
652
652
  clarity_analysis: # MANDATORY per AGENTS.md for all bug cards
653
653
  expected_behavior: "[What should happen]"
@@ -52,7 +52,7 @@ The orchestrator (`/e2e-review`) invokes you with this JSON payload:
52
52
  ```json
53
53
  {
54
54
  "card_id": "FEAT-XXXX",
55
- "route": "/merchant/dashboard",
55
+ "route": "/dashboard",
56
56
  "viewport": { "width": 1440, "height": 900 },
57
57
  "implementation_screenshot_path": "/abs/path/to/impl.png",
58
58
  "mockup_source": {
@@ -183,7 +183,7 @@ Inflating or suppressing severity to match the mode is a protocol violation.
183
183
  ```json
184
184
  {
185
185
  "status": "completed" | "skipped" | "error",
186
- "route": "/merchant/dashboard",
186
+ "route": "/dashboard",
187
187
  "mockup_source_level": "figma" | "local" | "compliance-only" | "skip",
188
188
  "viewport": { "width": 1440, "height": 900 },
189
189
  "compliance_score": 0.87,
@@ -102,12 +102,12 @@ exposed via dedicated MCP tools alongside `search_docs`:
102
102
  - `search_synthesis(question, level="global")` — community-summary retrieval.
103
103
  Use for **relational / cross-cutting** questions where the answer involves
104
104
  multiple modules at once. Examples:
105
- - "How does auth interact with booking?"
106
- - "What touches the reservations collection?"
107
- - "Which areas share the merchant-theming pattern?"
105
+ - "How does auth interact with `<feature-X>`?"
106
+ - "What touches the `<entity>` collection/table?"
107
+ - "Which areas share the `<shared-pattern>` (e.g. a theming/layout) pattern?"
108
108
  - `search_synthesis(question, level="local")` — entity-centric retrieval
109
109
  (delegates to the existing `local` mode). Use for **specific lookups** —
110
- "what is `withAuth`?", "show me the BookingTable type definition".
110
+ "what is `<authWrapper>`?", "show me the `<DomainType>` type definition".
111
111
  - `search_docs(query, mode="drift")` (or the dedicated `search_drift` tool) —
112
112
  the GraphRAG DRIFT pattern: first pick candidate communities via `global`,
113
113
  then run a scoped `local` retrieval for each. Use when a question is both
@@ -11,7 +11,7 @@ This command supports two output modes, detected from the input prompt:
11
11
 
12
12
  ### Mode A — Interactive (default)
13
13
 
14
- When the user invokes `/design-review` directly (input is a natural-language route reference, e.g. `/design-review /merchant/dashboard`), produce the **Markdown report** described in steps 1–5 below. Use the Blockers/High/Medium/Nitpicks template from `agents/design-review.md` § Report Template.
14
+ When the user invokes `/design-review` directly (input is a natural-language route reference, e.g. `/design-review /dashboard`), produce the **Markdown report** described in steps 1–5 below. Use the Blockers/High/Medium/Nitpicks template from `agents/design-review.md` § Report Template.
15
15
 
16
16
  ### Mode B — Programmatic (invoked by `/e2e-review`)
17
17
 
@@ -23,7 +23,7 @@ When the input contains a JSON envelope with `"mode": "programmatic"` at any pos
23
23
  {
24
24
  "mode": "programmatic",
25
25
  "card_id": "FEAT-XXXX",
26
- "route": "/merchant/dashboard",
26
+ "route": "/dashboard",
27
27
  "viewport": { "width": 1440, "height": 900 },
28
28
  "dev_server_port": 3000,
29
29
  "registry_paths": {
@@ -46,7 +46,7 @@ When the input contains a JSON envelope with `"mode": "programmatic"` at any pos
46
46
  {
47
47
  "status": "completed" | "skipped" | "error",
48
48
  "source": "design-review",
49
- "route": "/merchant/dashboard",
49
+ "route": "/dashboard",
50
50
  "viewport": { "width": 1440, "height": 900 },
51
51
  "findings": [
52
52
  {
@@ -110,7 +110,7 @@ When the user invokes `/design-review`, do the following (in both modes — only
110
110
  - Read `${paths.design_system}/tokens-reference.md`.
111
111
  - Read `${paths.design_system}/components/<Name>.md` for every primitive expected on the route.
112
112
  When the flag is `false`, skip the registry reads. In Mode A flag the gap in the final report and recommend `/design-system-init`. In Mode B add the gap to the `gaps[]` array of the JSON output.
113
- 1. Start with the route or component specified (e.g., `/merchant/dashboard`) and open it in the MCP browser. In Mode B, use the `dev_server_port` from the input envelope to construct `http://localhost:<port><route>`.
113
+ 1. Start with the route or component specified (e.g., `/dashboard`) and open it in the MCP browser. In Mode B, use the `dev_server_port` from the input envelope to construct `http://localhost:<port><route>`.
114
114
  2. Follow the Quick Visual Check in `agents/design-review.md` and run Phases 0‑7 (interaction, responsiveness, polish, accessibility, robustness, code health, content/console).
115
115
  3. Capture at least one full-page screenshot at the viewport from the input (default 1440px) and note console errors. In Mode B save the screenshot at `/tmp/design-review/<route-slug>.png` and cite it in `evidence.screenshot_path`.
116
116
  4. **Mode A**: report findings using the Markdown template in `agents/design-review.md` (Blockers/High/Medium/Nitpicks). **Mode B**: assemble the JSON output described above, normalizing severity per the table.
@@ -48,7 +48,7 @@ Do NOT load for:
48
48
  ```markdown
49
49
  ### POST /api/v1/domain/resource
50
50
 
51
- **Auth**: withAuthNoParams | **Access**: ADMIN + MERCHANT
51
+ **Auth**: `<authWrapper>` | **Access**: `<ROLE_A>` + `<ROLE_B>`
52
52
 
53
53
  **Body**:
54
54
  | Field | Type | Required | Desc |
@@ -1,6 +1,12 @@
1
1
  # Before/After Examples — Wave 1+2+3 Compression
2
2
 
3
- Casi concreti validati sul corpus reale. Per ogni esempio: prima, dopo, tecnica applicata.
3
+ > **Illustrative sample domain.** The endpoints, routes, and entity names below
4
+ > (booking/rooms, menu/items, reservations planner, etc.) are a SAMPLE domain used
5
+ > only to demonstrate the doc-compaction techniques — they are not part of any
6
+ > consumer's API. Apply the *technique* (the before→after transformation), not the
7
+ > example's vocabulary, to your own `${paths.references_dir}` docs.
8
+
9
+ Concrete cases validated on a real corpus. For each example: before, after, technique applied.
4
10
 
5
11
  ## Example 1 — API Endpoint (booking.md)
6
12
 
@@ -1,6 +1,11 @@
1
1
  # Compact Templates
2
2
 
3
- Template validati su 45 file in 3 wave di compressione. Ogni template include: before/after, line count, note critiche.
3
+ > **Illustrative sample domain.** Endpoint paths, routes, roles, and entity names in
4
+ > the filled examples below are a SAMPLE domain for demonstrating the template shapes —
5
+ > substitute your project's own (auth wrapper, roles from `identity.audience_segments`,
6
+ > routes, entities). Only the template *structure* is normative.
7
+
8
+ Templates validated on 45 files across 3 compression waves. Each template includes: before/after, line count, critical notes.
4
9
 
5
10
  ## API Endpoint Template
6
11
 
@@ -9,7 +14,7 @@ Template validati su 45 file in 3 wave di compressione. Ogni template include: b
9
14
  ```markdown
10
15
  ### POST /api/v1/domain/resource
11
16
 
12
- **Auth**: withAuthNoParams | **Access**: ADMIN + MERCHANT
17
+ **Auth**: `<authWrapper>` | **Access**: `<ROLE_A>` + `<ROLE_B>`
13
18
 
14
19
  **Body**:
15
20
  | Field | Type | Required | Desc |
@@ -1,6 +1,10 @@
1
1
  # Schemas & Errors — Central Reference Files
2
2
 
3
- Protocollo per usare e estendere `${paths.api_schemas}` e `${paths.api_errors}` (typically `docs/references/api/schemas.md` and `docs/references/errors.md`).
3
+ > **Illustrative sample domain.** Error codes, routes, and entity names in the
4
+ > examples below are a SAMPLE domain — substitute your own. Only the protocol
5
+ > (central schema/error files, anchor cross-referencing) is normative.
6
+
7
+ Protocol for using and extending `${paths.api_schemas}` and `${paths.api_errors}` (typically `docs/references/api/schemas.md` and `docs/references/errors.md`).
4
8
 
5
9
  > **Note**: the schema names and domain sections below come from a real project (a multi-merchant fidelity/loyalty platform) and are kept as a concrete example. Replace them with your own domain entities when applying this skill to a new project — the project-specific domain vocabulary lives in `.baldart/overlays/doc-writing-for-rag.md`.
6
10
 
@@ -154,7 +154,7 @@ system constraints into a machine-readable verification plan.
154
154
  {
155
155
  "card_id": "FEAT-XXXX",
156
156
  "title": "...",
157
- "routes": ["/merchant/dashboard", "/merchant/dashboard/edit"],
157
+ "routes": ["/dashboard", "/dashboard/edit"],
158
158
  "personas": [{"name": "merchant", "auth": "password", "creds": {...}}],
159
159
  "data_prerequisites": ["seed merchant 'demo'", "create one paid booking"],
160
160
  "scenarios": [
@@ -162,11 +162,11 @@ system constraints into a machine-readable verification plan.
162
162
  "id": "AC-1",
163
163
  "name": "Merchant can update store hours",
164
164
  "gherkin": "Feature: ...",
165
- "routes_touched": ["/merchant/settings/hours"]
165
+ "routes_touched": ["/settings/hours"]
166
166
  }
167
167
  ],
168
168
  "non_functional_checks": ["loads in < 2s on slow 3G"],
169
- "mockup_refs": [{"route": "/merchant/dashboard", "level": "local", "path": "mockups/dashboard.png"}]
169
+ "mockup_refs": [{"route": "/dashboard", "level": "local", "path": "mockups/dashboard.png"}]
170
170
  }
171
171
  ```
172
172
 
@@ -336,7 +336,7 @@ For each `route` in `plan.routes[]`:
336
336
  Input payload:
337
337
  {
338
338
  "card_id": "FEAT-XXXX",
339
- "route": "/merchant/dashboard",
339
+ "route": "/dashboard",
340
340
  "viewport": { "width": 1440, "height": 900 },
341
341
  "implementation_screenshot_path": ".baldart/e2e-review/FEAT-XXXX/screenshots/merchant-dashboard.png",
342
342
  "mockup_source": { ... },
@@ -70,7 +70,7 @@ Scan the PRD text for these keywords. Each match = a finding.
70
70
  | "global counter" / "total X" / "increment count" / "contatore" | Transaction hotspot (serializes writers) | HIGH |
71
71
  | "no limit" / "unlimited" / "senza limiti" / "illimitato" | Unbounded data growth | HIGH |
72
72
  | "save all in document" / "embed list" / "array nel documento" | Unbounded array in doc (max 1MB, degrades at 40K) | HIGH |
73
- | "upload file/image via API" / "carica file" | 4.5MB payload limit on Vercel Functions | HIGH |
73
+ | "upload file/image via API" / "carica file" | the platform's request-body limit (e.g. 4.5MB on Vercel Functions — per `stack.deployment`) | HIGH |
74
74
  | "search by name" / "full-text search" / "cerca per nome" | Many DBs need a dedicated search index (Algolia/Typesense/Postgres FTS/Mongo Atlas Search) — DB-specific | HIGH |
75
75
  | "page N" / "skip" / "offset" / "pagina N" | Offset pagination is inefficient in most DBs (Firestore charges for skipped docs; SQL scans them) | MEDIUM |
76
76
  | "send email/SMS" in request path / "invia email/SMS" | Blocking I/O in request path (use waitUntil / background job) | MEDIUM |
@@ -23,7 +23,7 @@ Scan each card for security signals to decide whether the `security-reviewer` ag
23
23
  | Signal | Where to look |
24
24
  |--------|---------------|
25
25
  | **New or modified API route** | `files_likely_touched` contains `route.ts`, `api/`, or requirements mention new endpoints |
26
- | **Authentication/authorization changes** | Requirements/files mention `withAuth`, `checkPermission`, `permissions`, login, session, token, JWT, OAuth |
26
+ | **Authentication/authorization changes** | Requirements/files mention the project's auth-guard wrapper or permission helper (e.g. a `withAuth*`-style wrapper / `checkPermission`-style guard — resolve from `${paths.high_risk_modules}`), or generic markers: `permissions`, login, session, token, JWT, OAuth |
27
27
  | **Persistence-layer access rules** | `files_likely_touched` contains rule/policy files matching `stack.database` (e.g. `firestore.rules`, Supabase RLS migration, MongoDB validator) or requirements mention rule changes |
28
28
  | **External integrations** | Requirements mention webhooks, third-party APIs, payment, SMS, email providers, or external callbacks |
29
29
  | **File upload or media handling** | Requirements mention upload, image, file, media, or `files_likely_touched` contains upload/media paths |
@@ -248,7 +248,7 @@ touchpoints into the existing ISA table; assign new ISA-N IDs.
248
248
 
249
249
  ## Worked Example
250
250
 
251
- **CR: "Add POST /api/v1/merchant/reservations/bulk-confirm for batch confirmation"**
251
+ **CR: "Add POST /api/v1/reservations/bulk-confirm for batch confirmation"**
252
252
 
253
253
  Change type: Addition (new endpoint)
254
254
 
@@ -18,7 +18,7 @@ Mark task 5 as `in_progress`.
18
18
 
19
19
  b. **UI-only scope heuristic (WARN — soft gate, not blocking)** — for each card with `owner_agent: ui-expert`:
20
20
  - Concatenate `scope.summary`, `requirements[]`, and `acceptance_criteria[]` into one lowercase string.
21
- - Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, `prisma`, `firestore.collection`, `auth flow`, `token storage`, `webhook`, `cron`.
21
+ - Grep for logic-marker substrings: `api call`, `endpoint`, `route handler`, `state machine`, `validation logic`, `business rule`, `database`, `migration`, and datastore-access patterns per `stack.database` (e.g. `prisma`, `.from(` / SQL client, `firestore.collection`, `db.collection`), `auth flow`, `token storage`, `webhook`, `cron`.
22
22
  - For each marker hit, log a WARN line in the audit output:
23
23
  `"[UI-SCOPE-WARN] Card <ID> (ui-expert) mentions '<marker>' — review whether logic belongs in a sibling coder card. See backlog-phase.md § Rule B."`
24
24
  - The check is intentionally a soft gate: substrings like "API contract per il mock" or "consumes the auth state from `useAuth()`" are legitimate UI references. The WARN exists to prompt human review, not to block.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "baldart",
3
- "version": "4.0.1",
3
+ "version": "4.0.3",
4
4
  "description": "Claude Agent Framework - Reusable framework for coordinating AI agents and humans in software projects",
5
5
  "bin": {
6
6
  "baldart": "./bin/baldart.js"