beth-copilot 1.0.11 → 1.0.13

package/CHANGELOG.md

@@ -0,0 +1,170 @@
+# Changelog
+
+> *"Here's what changed. I don't repeat myself."*
+
+All notable changes to Beth are documented here. Format based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [1.0.13] - 2026-02-04
+
+### Fixed
+- **ENOTDIR crash during init** — Fixed `copyDirRecursive` crashing when destination path exists as a file instead of a directory. Now properly detects the conflict and provides a clear error message (or removes the file with `--force`).
+
+---
+
+## [Unreleased]
+
+### Added
+- **CLI TypeScript foundation** — Migrated CLI to TypeScript with proper build system
+- **Doctor command** — `beth doctor` validates installation and configuration
+- **Quickstart command** — `beth quickstart` for guided setup
+- **Agent schema types** — TypeScript types for agent definitions
+- **Unit tests** — 86 tests passing for CLI commands and path validation
+- **Architecture diagrams** — Interactive mermaid diagrams with zoom in README
+
+### Changed
+- **DEMO.md** — Rewritten with Beth's personality and beads integration
+- **P2 backlog completed** — Beth orchestrator references added to all agents, MCP skills updated, documentation fixes
+
+### Fixed
+- Removed unnecessary backlog.md CLI dependency
+- Fixed security-reviewer.agent.md syntax errors
+- Corrected agent/skill counts in help output
+- Allowlisted security documentation examples in Gitleaks config
+
+### Documentation
+- CLI Architecture guide (docs/CLI-ARCHITECTURE.md)
+- CLI Implementation Plan (docs/CLI-IMPLEMENTATION-PLAN.md)
+
+---
+
+## [1.0.12] - 2026-02-01
+
+### Changed
+- Added CHANGELOG.md to npm package
+
+---
+
+## [1.0.11] - 2026-02-01
+
+### Changed
+- Reverted to fire animation for BETH banner (the way it should be)
+
+### Fixed
+- SBOM regeneration for accurate dependency tracking
+
+---
+
+## [1.0.10] - 2026-01-31
+
+### Added
+- **Path validation security** — 33 tests covering traversal detection, injection prevention, and allowlist validation
+- **Work tracking for all agents** — Every agent now uses the dual tracking system (beads for agents, Backlog.md for humans)
+- **Cross-platform npm installation** — Consistent installation across macOS, Linux, and Windows
+
+### Security
+- Path validation for user-supplied binary paths to prevent command injection
+- Documented shell:true security constraints in SECURITY.md
+
+---
+
+## [1.0.6] - 2026-01-29
+
+### Added
+- **Multi-agent coordination system** — Epic patterns with dependencies, parallel execution, and hierarchical issue tracking
+- **Beads integration** — Structured work tracking with `bd` CLI for agent memory and coordination
+- **Subagent templates** — Ready-to-use patterns for spawning specialists
+
+### Changed
+- Beth instructions now include full orchestration workflows
+- Updated SYSTEM-FLOW.md with multi-agent patterns
+
+---
+
+## [1.0.5] - 2026-01-28
+
+### Added
+- Beads multi-agent coordination documentation
+
+---
+
+## [1.0.4] - 2026-01-27
+
+### Added
+- **backlog.md CLI installation prompt** — Auto-prompts during init for human-readable tracking
+- **.vscode/settings.json template** — Auto-configured agent settings for VS Code
+
+---
+
+## [1.0.3] - 2026-01-26
+
+### Added
+- **Version check** — CLI warns users when a newer version is available
+
+---
+
+## [1.0.2] - 2026-01-25
+
+### Added
+- **Security automation** — GitHub Actions workflow with npm audit, gitleaks, CodeQL, SBOM generation
+- **Pre-commit hooks** — Secret scanning with gitleaks before commits
+- **Subagent delegation settings** — Documentation for enabling autonomous agent coordination
+
+### Changed
+- Clarified Product Manager vs UX Designer roles in documentation
+
+### Fixed
+- Security hardening for enterprise production readiness
+
+---
+
+## [1.0.1] - 2026-01-24
+
+### Added
+- **Security Reviewer agent** — OWASP Top 10, compliance audits, threat modeling
+- **Security Analysis skill** — Vulnerability assessment workflows
+- **MCP setup guide** — docs/MCP-SETUP.md with all optional servers
+- **Installation guide** — docs/INSTALLATION.md with full setup instructions
+- **Dependabot configuration** — Weekly npm/GH Actions updates with grouped PRs
+
+### Changed
+- **Consolidated frontend-engineer into developer** — Developer now handles UI, full-stack, and shadcn-ui MCP integration
+- Updated all agent handoffs to include security-reviewer
+
+### Security
+- Full enterprise security review completed
+- HIGH findings addressed
+- SECURITY.md created with security policies
+
+---
+
+## [1.0.0] - 2026-01-23
+
+### Added
+- **Beth orchestrator** — The ruthless, hyper-competent AI coordinator
+- **Six specialist agents** — Product Manager, Researcher, UX Designer, Developer, Tester, (later Security Reviewer)
+- **Five skills** — PRD generation, Framer components, Vercel React best practices, Web Design guidelines, shadcn-ui
+- **npm package** — `npx beth-copilot init` for one-command installation
+- **IDEO Design Thinking workflow** — Empathize → Define → Ideate → Prototype → Test
+- **Dual tracking system** — beads for agents, Backlog.md for humans
+- **ASCII art animation** — Beth's entrance with fire effect banner
+
+### Architecture
+- Agent definition format with YAML frontmatter
+- Skills as domain-knowledge modules loaded on-demand
+- Subagent vs handoff patterns for different control levels
+- Hierarchical issue tracking for complex workflows
+
+---
+
+## What's Next
+
+See [Backlog.md](Backlog.md) for planned work:
+- MCP skill enhancements (web search, Playwright, Azure, Microsoft Learn)
+- Agent consistency review
+- Additional skills for API security and performance profiling
+
+---
+
+*"That's the history. Now stop looking backward and let's build something."*

package/README.md

@@ -73,50 +73,126 @@ Beth's team comes equipped:
 | **Framer Components** | Build custom React components with property controls |
 | **React/Next.js Best Practices** | Vercel-grade performance patterns |
 | **Web Design Guidelines** | WCAG compliance, UI review, accessibility |
+| **shadcn/ui** | Component library patterns, installation, and best practices |
 | **Security Analysis** | OWASP, threat modeling, vulnerability assessment |
 
 ## How Beth Works
 
 She doesn't micromanage. She delegates to specialists and holds them accountable.
 
-```
-Your Request
-     │
-     ▼
-┌─────────────────────────────────────────┐
-│               @Beth                      │
-│   "I don't need permission to be me."   │
-│                                          │
-│   • Analyzes your request               │
-│   • Picks the right people              │
-│   • Runs parallel ops when smart        │
-│   • Delivers results, not excuses       │
-└─────────────────────────────────────────┘
-     │
-     ├──▶ @product-manager (strategy)
-     ├──▶ @researcher (intelligence)  
-     ├──▶ @ux-designer (design)
-     ├──▶ @developer (implementation)
-     ├──▶ @tester (quality gate)
-     └──▶ @security-reviewer (protection)
+### Architecture
+
+```mermaid
+flowchart TB
+    subgraph User["👤 User"]
+        Request[User Request]
+    end
+
+    subgraph Orchestrator["🎯 Beth - The Orchestrator"]
+        Beth["@Beth<br/><i>'I don't speak dipshit'</i>"]
+        Assess[Assess Request]
+        Plan[Plan Workflow]
+        Route[Route to Specialists]
+    end
+
+    subgraph Agents["🧑‍💼 Specialist Agents"]
+        PM["@product-manager<br/>WHAT to build"]
+        Researcher["@researcher<br/>User/Market Intel"]
+        Designer["@ux-designer<br/>HOW it works"]
+        Developer["@developer<br/>Implementation"]
+        Security["@security-reviewer<br/>Protection"]
+        Tester["@tester<br/>Quality Gate"]
+    end
+
+    Request --> Beth
+    Beth --> Assess --> Plan --> Route
+    
+    Route --> PM
+    Route --> Researcher
+    Route --> Designer
+    Route --> Developer
+    Route --> Security
+    Route --> Tester
+
+    style Beth fill:#1e3a5f,color:#fff
+    style Orchestrator fill:#f0f4f8
+    style Agents fill:#f8f4f0
 ```
 
 ### The Workflow
 
-**New Feature?**
-```
-Request → Product (requirements) → Research (validation) → Design (interface) 
-       → Developer (build) → Security (review) → Tester (QA)
-```
-
-**Bug Hunt?**
-```
-Report → Tester (reproduce) → Developer (fix) → Security (verify) → Tester (confirm)
+```mermaid
+sequenceDiagram
+    participant U as User
+    participant B as Beth
+    participant PM as Product Manager
+    participant UX as UX Designer
+    participant D as Developer
+    participant S as Security
+    participant T as Tester
+
+    U->>B: "Build me a feature"
+    B->>B: Assess & Plan
+    B->>PM: Define requirements
+    PM-->>B: Requirements ready
+    B->>UX: Design the experience
+    UX-->>B: Design specs ready
+    B->>D: Implement feature
+    D-->>B: Implementation complete
+    B->>S: Security review
+    S-->>B: Security approved
+    B->>T: Test & verify
+    T-->>B: Quality verified
+    B->>U: Feature complete ✅
 ```
 
-**Security Audit?**
-```
-Concern → Security (threat model) → Developer (remediation) → Tester (penetration)
+**Bug Hunt?** Tester → Developer → Security → Tester  
+**Security Audit?** Security → Developer → Tester → Security
+
+### Agent Delegation
+
+```mermaid
+flowchart TB
+    subgraph Beth["Beth (Orchestrator)"]
+        BethCore["Routes all work<br/>Spawns subagents"]
+    end
+
+    subgraph PM["Product Manager"]
+        PMCore["Requirements<br/>Priorities"]
+    end
+
+    subgraph R["Researcher"]
+        RCore["User insights<br/>Market intel"]
+    end
+
+    subgraph UX["UX Designer"]
+        UXCore["Component specs<br/>Design tokens"]
+    end
+
+    subgraph D["Developer"]
+        DCore["React/TS/Next.js<br/>Implementation"]
+    end
+
+    subgraph S["Security"]
+        SCore["Threat modeling<br/>Vulnerabilities"]
+    end
+
+    subgraph T["Tester"]
+        TCore["QA & a11y<br/>Performance"]
+    end
+
+    BethCore -->|"Product Strategy"| PMCore
+    BethCore -->|"User Research"| RCore
+    BethCore -->|"UX Design"| UXCore
+    BethCore -->|"Development"| DCore
+    BethCore -->|"Security Review"| SCore
+    BethCore -->|"Quality Assurance"| TCore
+
+    PMCore -.->|"subagent"| RCore
+    PMCore -.->|"subagent"| UXCore
+    UXCore -.->|"subagent"| DCore
+    DCore -.->|"subagent"| TCore
+    SCore -.->|"subagent"| DCore
 ```
 
 ## Quick Commands
@@ -173,6 +249,38 @@ Beth operates on a few principles:
 3. **Move fast, break enemies** — Parallel execution, aggressive timelines.
 4. **Loyalty earns trust** — Agents that perform get the good work.
 
+### IDEO Design Thinking
+
+Beth follows human-centered design methodology:
+
+```mermaid
+flowchart LR
+    subgraph Empathize["1. Empathize"]
+        E["@researcher<br/>User interviews<br/>Pain points"]
+    end
+
+    subgraph Define["2. Define"]
+        D["@product-manager<br/>Problem framing<br/>Requirements"]
+    end
+
+    subgraph Ideate["3. Ideate"]
+        I["@ux-designer<br/>Component specs<br/>Patterns"]
+    end
+
+    subgraph Prototype["4. Prototype"]
+        P["@developer<br/>Build to learn<br/>Feature spikes"]
+    end
+
+    subgraph Test["5. Test"]
+        T["@tester<br/>Validate<br/>Accessibility"]
+    end
+
+    E --> D --> I --> P --> T
+    T -.->|iterate| E
+    T -.->|iterate| D
+    T -.->|iterate| I
+```
+
 ## Quality Standards
 
 Beth doesn't ship garbage:
@@ -183,6 +291,39 @@ Beth doesn't ship garbage:
 - **Type Safety**: Full TypeScript coverage. No `any` unless you want a lecture.
 - **Test Coverage**: Unit, integration, E2E. If it's not tested, it's not done.
 
+```mermaid
+flowchart TB
+    subgraph Standards["Quality Standards"]
+        A11y["WCAG 2.1 AA<br/>Accessibility"]
+        Perf["Core Web Vitals<br/>LCP < 2.5s"]
+        Sec["OWASP Compliant<br/>Zero vulnerabilities"]
+        Type["Full TypeScript<br/>No any"]
+        Coverage["Test Coverage<br/>Unit + Integration + E2E"]
+    end
+
+    subgraph Gates["Enforcement"]
+        Designer["UX Designer<br/>reviews a11y specs"]
+        Developer["Developer<br/>implements patterns"]
+        Security["Security Reviewer<br/>audits code"]
+        Tester["Tester<br/>verifies all gates"]
+    end
+
+    A11y --> Designer
+    Perf --> Developer
+    Sec --> Security
+    Type --> Developer
+    Coverage --> Tester
+
+    Designer --> Ship{Ship?}
+    Developer --> Ship
+    Security --> Ship
+    Tester --> Ship
+
+    Ship -->|All Pass| Deploy["🚀 Deploy"]
+    Ship -->|Fail| Fix["🔧 Fix & Retry"]
+    Fix --> Gates
+```
+
 ## Why Beth?
 
 <p align="center">
@@ -220,6 +361,14 @@ Beth's agents work fine without them, but these make them smarter:
 
 Full details: [docs/MCP-SETUP.md](docs/MCP-SETUP.md)
 
+## Documentation
+
+- [Installation Guide](docs/INSTALLATION.md) — Full setup instructions
+- [MCP Setup](docs/MCP-SETUP.md) — Optional server integrations
+- [System Flow & Diagrams](docs/SYSTEM-FLOW.md) — Architecture and agent orchestration diagrams
+- [Changelog](CHANGELOG.md) — Version history and updates
+- [Security Policy](SECURITY.md) — Vulnerability reporting
+
 ## License
 
 MIT — Take it. Run it. Build empires.