bmad-plus 0.9.2 → 0.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +39 -0
- package/README.md +1 -1
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +30 -0
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +10 -0
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/lawful-basis-record.md +48 -0
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/gdpr-osint.md +48 -0
- package/package.json +3 -1
- package/tools/build/README.md +78 -0
- package/tools/build/adapters.config.js +117 -0
- package/tools/build/generate-adapters.js +485 -0
- package/tools/build/generate.js +284 -0
- package/tools/build/generated-adapters/.codex/AGENTS.md +121 -0
- package/tools/build/generated-adapters/.cursor/rules/bmad-plus.mdc +126 -0
- package/tools/build/generated-adapters/.opencode/AGENTS.md +121 -0
- package/tools/build/generated-adapters/AGENTS.md +119 -0
- package/tools/build/generated-adapters/CLAUDE.md +122 -0
- package/tools/build/generated-adapters/CONVENTIONS.md +121 -0
- package/tools/build/generated-adapters/GEMINI.md +126 -0
- package/tools/build/generated-adapters/README.md +79 -0
- package/tools/cli/bmad-plus-cli.js +11 -0
- package/tools/cli/commands/install.js +46 -0
- package/tools/cli/commands/memory-journal-cmd.js +311 -0
- package/tools/cli/lib/README-memory-journal.md +125 -0
- package/tools/cli/lib/memory-journal.js +0 -0
- package/tools/cli/lib/packs.js +195 -108
- package/tools/cli/lib/python-provision.js +508 -0
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,45 @@ All notable changes to BMAD+ will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [0.12.0] — 2026-07-02
|
|
9
|
+
|
|
10
|
+
### Added — Load-bearing activation (north-star Pillars 3, 4, 5)
|
|
11
|
+
- **Pillar 4 executable:** `evals/_runner/providers.py` — a provider-neutral model gateway (anthropic / openai / generic-HTTP adapters selected by `BMAD_EVAL_PROVIDER`, default deterministic **mock** so `--self-check` and CI never hit the network). `run_agent(spec, model)` now routes through it; the eval harness genuinely runs (3/3 specs pass).
|
|
12
|
+
- **Pillar 3 portable via MCP:** `mcp-server/tools/memory_tools.py` exposes `memory.recall` / `memory.write` / `memory.reinforce` as MCP tools that shell out to the same `bmad mem --json` CLI (single source of truth) — MCP-capable CLIs and the CLI can never diverge. Registered additively in `server.py`.
|
|
13
|
+
- **Pillar 5 adopt mode:** `tools/build/generate-adapters.js --adopt` can generate the REAL repo-root adapters + AGENTS.md spine from the registry; hand-authored instructions live in `tools/build/adapters.config.js` and are injected so no tool loses content. `.gitattributes` pins LF on the adopted files (avoids the CRLF drift class). Root adoption is opt-in and NOT applied in this release.
|
|
14
|
+
|
|
15
|
+
### Fixed
|
|
16
|
+
- Adapter `--check` is now EOL-insensitive; `.gitattributes` pins LF on `tools/build/**` + registry so a Windows clone doesn't false-positive drift. Verified from a **fresh clone**: `npm ci` + `npm test` (333/333) + both drift-checks green.
|
|
17
|
+
|
|
18
|
+
### Verified
|
|
19
|
+
- `npm test` **333 passed / 16 suites**; `build:check` + `generate-adapters --check` no drift; `run.py --self-check` 3/3; edited Python parses.
|
|
20
|
+
|
|
21
|
+
## [0.11.0] — 2026-07-02
|
|
22
|
+
|
|
23
|
+
### Added — Karpathy loop CLI + multi-CLI adapters (north-star Pillars 3 & 5)
|
|
24
|
+
- **`bmad mem` command (Pillar 3):** `recall <query>` / `write` / `reinforce` expose the memory-journal (append/recall + Elo reward + governance guard) from the CLI, so the learning loop is usable from any driving tool. `tests/unit/memory-journal-cmd.test.js`.
|
|
25
|
+
- **Multi-CLI adapter generator (Pillar 5):** `tools/build/generate-adapters.js` generates the per-CLI wrappers (CLAUDE.md, GEMINI.md, `.codex/AGENTS.md`, `.cursor/rules`, `.opencode/AGENTS.md`, CONVENTIONS.md) from `registry.yaml` — counts/names computed, never typed — with a `--check` drift gate. Generated previews live under `tools/build/generated-adapters/`. `tests/unit/generate-adapters.test.js`.
|
|
26
|
+
|
|
27
|
+
### Changed — Compliance (govern, don't cut)
|
|
28
|
+
- **CG-02 — OSINT pack governed:** added a mandatory **Phase −1 Lawful Basis Gate** to the OSINT skill (lawful basis Art. 6, Art. 9 condition for psychoprofiles, purpose, retention, DSAR) + a lawful-basis/ROPA record template + a GDPR-OSINT reference + a governance block in the dossier template. The capability is kept in full; lawful use is now explicit and auditable. See `audit/2026-07-01/CG-RESOLUTION.md`.
|
|
29
|
+
- **CG-01 — trademark:** `bmad-plus` name kept by owner decision.
|
|
30
|
+
|
|
31
|
+
### Verified
|
|
32
|
+
- `npm test` **325 passed / 16 suites**; `npm run build:check` no drift; `generate-adapters.js --check` no drift.
|
|
33
|
+
|
|
34
|
+
## [0.10.0] — 2026-07-02
|
|
35
|
+
|
|
36
|
+
### Added — Platform-spine foundations (north-star Phase 2)
|
|
37
|
+
Built as **new files only** (no existing core file modified); test suite grew from 176/10 to **258 passed / 13 suites**. Cut nothing; multi-tool/multi-model preserved.
|
|
38
|
+
|
|
39
|
+
- **Registry-as-SSOT (Pillar 1) — ACTIVE:** `registry.yaml` (repo root) is now the single source of truth for all 9 packs. `tools/cli/lib/packs.js` is **generated from it** (`npm run build`), no longer hand-maintained. `tools/build/generate.js` provides the generator + `npm run build:check` drift gate; `tests/unit/generate.test.js` (14 tests) proves the generated `PACKS`/`PACK_ORDER`/`EXPECTED_AGENTS` strictly equal the shipped module. This kills the 5-place pack-registry drift at its root.
|
|
40
|
+
- **Python provisioning (Pillar 2):** `tools/cli/lib/python-provision.js` — detect python≥3.11, pick uv/pipx/venv, create isolated env, install requirements, verify entry (shell-safe, testable).
|
|
41
|
+
- **Karpathy learning layer (Pillar 3):** `tools/cli/lib/memory-journal.js` — `journal.ndjson` append/recall, Elo/decayed reward update (eval+acceptance+ci), governance guard (promotions PROPOSED, never auto-applied).
|
|
42
|
+
- **Eval harness (Pillar 4 — the moat):** `evals/` schema + Forge/Shield/Sentinel golden specs + fixtures + `run.py --self-check`, provider-neutral model backend seam.
|
|
43
|
+
- **CI:** `.github/workflows/platform.yml` — registry drift-check + eval self-check, blocking, SHA-pinned.
|
|
44
|
+
|
|
45
|
+
Pillar 1 is wired (packs.js generated + `npm run build`/`build:check`). Remaining integration (provisioning called from install, memory exposed via MCP, generated multi-CLI adapters) lands next as its own tested commit — see `audit/2026-07-01/PHASE-2-STATUS.md`.
|
|
46
|
+
|
|
8
47
|
## [0.9.2] — 2026-07-01
|
|
9
48
|
|
|
10
49
|
### Security — Phase 1 remediation (exploitable findings)
|
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# 🚀 BMAD+ — Augmented Multi-Agent AI Framework
|
|
2
2
|
|
|
3
|
-
[](CHANGELOG.md)
|
|
4
4
|
[](https://github.com/bmad-code-org/BMAD-METHOD)
|
|
5
5
|
[](LICENSE)
|
|
6
6
|
|
|
@@ -17,6 +17,36 @@ description: >
|
|
|
17
17
|
Systematic intelligence gathering on individuals. From a name or handle to a scored
|
|
18
18
|
dossier with psychoprofile, career map, and entry points.
|
|
19
19
|
|
|
20
|
+
## Phase −1 — Lawful Basis Gate (MANDATORY, runs before anything else)
|
|
21
|
+
|
|
22
|
+
> Profiling a **named natural person** — especially building a psychoprofile — is
|
|
23
|
+
> processing of personal data (and, for inferred personality/health/political traits,
|
|
24
|
+
> **special-category data**) under the GDPR and analogous laws. This gate is not
|
|
25
|
+
> optional. Governed by the Shield (GRC) pack. **Do NOT start Phase 0** on a named
|
|
26
|
+
> person until it passes.
|
|
27
|
+
|
|
28
|
+
Before any investigation of a named/identifiable person, establish and record:
|
|
29
|
+
|
|
30
|
+
1. **Lawful basis (GDPR Art. 6)** — which applies? (consent, contract, legal
|
|
31
|
+
obligation, vital interests, public task, or **legitimate interest** with a
|
|
32
|
+
documented balancing test). For psychoprofiling / special-category inferences,
|
|
33
|
+
also an **Art. 9** condition (explicit consent, or another Art. 9(2) exemption).
|
|
34
|
+
2. **Purpose** — the specific, explicit, legitimate purpose (purpose limitation).
|
|
35
|
+
Reject open-ended "find everything" with no purpose.
|
|
36
|
+
3. **Data-subject rights & retention** — who is the controller, retention period,
|
|
37
|
+
and how a DSAR / erasure request will be honored.
|
|
38
|
+
|
|
39
|
+
**Record it** using `assets/lawful-basis-record.md` and put the completed header at
|
|
40
|
+
the top of the dossier (see `assets/dossier-template.md` governance block).
|
|
41
|
+
|
|
42
|
+
**If the operator cannot state a lawful basis and purpose → DECLINE** the named-person
|
|
43
|
+
profiling. Offer the non-personal alternatives instead (company/product/market
|
|
44
|
+
research, or investigation of a public entity), which do not require this gate.
|
|
45
|
+
|
|
46
|
+
This gate does not restrict lawful, authorized use (due diligence with a basis,
|
|
47
|
+
security research, investigations you are mandated to run) — it makes that basis
|
|
48
|
+
explicit and auditable. See `references/gdpr-osint.md`.
|
|
49
|
+
|
|
20
50
|
## Phase Router
|
|
21
51
|
|
|
22
52
|
Determine entry point from context:
|
|
@@ -3,6 +3,16 @@
|
|
|
3
3
|
|
|
4
4
|
---
|
|
5
5
|
|
|
6
|
+
**⚖️ governance / lawful basis** *(Phase −1 gate — required before this dossier exists)*
|
|
7
|
+
- controller: {controller_name}
|
|
8
|
+
- lawful basis (Art. 6): {basis} {legitimate_interest_balancing_ref_if_LI}
|
|
9
|
+
- special-category condition (Art. 9, if psychoprofile): {art9_condition_or_NA}
|
|
10
|
+
- purpose: {specific_purpose}
|
|
11
|
+
- retention: {retention_period} · DSAR/erasure contact: {dsar_contact}
|
|
12
|
+
- recorded: {date} · see `assets/lawful-basis-record.md`
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
6
16
|
**контакты и соцсети**
|
|
7
17
|
- telegram: {handle} {status}
|
|
8
18
|
- linkedin: {url} {status}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# Lawful Basis Record — OSINT investigation (GDPR Phase −1 gate)
|
|
2
|
+
|
|
3
|
+
Complete this BEFORE profiling a named natural person. It doubles as the ROPA
|
|
4
|
+
(Record of Processing Activities) entry for this investigation. Governed by Shield (GRC).
|
|
5
|
+
|
|
6
|
+
## 1. Parties
|
|
7
|
+
- **Controller:** {who decides why/how — org or person}
|
|
8
|
+
- **Operator / analyst:** {who runs the investigation}
|
|
9
|
+
- **Data subject:** {named person} — category: {public figure | employee | counterparty | other}
|
|
10
|
+
|
|
11
|
+
## 2. Purpose (purpose limitation — GDPR Art. 5(1)(b))
|
|
12
|
+
- **Specific purpose:** {e.g. pre-contract due diligence on a supplier director; NOT "find everything"}
|
|
13
|
+
- **Why OSINT is necessary & proportionate for this purpose:** {justification}
|
|
14
|
+
|
|
15
|
+
## 3. Lawful basis — GDPR Art. 6(1)
|
|
16
|
+
Select ONE and justify:
|
|
17
|
+
- [ ] (a) Consent — attach/reference the consent record
|
|
18
|
+
- [ ] (b) Contract — necessary for a contract with the data subject
|
|
19
|
+
- [ ] (c) Legal obligation — cite the obligation
|
|
20
|
+
- [ ] (d) Vital interests
|
|
21
|
+
- [ ] (e) Public task
|
|
22
|
+
- [ ] (f) **Legitimate interest** — complete the 3-part balancing test below
|
|
23
|
+
|
|
24
|
+
**Legitimate Interest Assessment (if (f)):**
|
|
25
|
+
- Purpose test (is there a legitimate interest?): {…}
|
|
26
|
+
- Necessity test (is OSINT necessary, or is there a less intrusive way?): {…}
|
|
27
|
+
- Balancing test (do the person's rights/freedoms override?): {…}
|
|
28
|
+
|
|
29
|
+
## 4. Special-category data — GDPR Art. 9 (REQUIRED if building a psychoprofile)
|
|
30
|
+
Inferring personality (MBTI/Big Five), health, political opinions, religion, sexual
|
|
31
|
+
orientation, etc. is special-category processing. Select an Art. 9(2) condition:
|
|
32
|
+
- [ ] (a) Explicit consent
|
|
33
|
+
- [ ] (e) Data manifestly made public by the data subject (document how)
|
|
34
|
+
- [ ] (f) Legal claims
|
|
35
|
+
- [ ] other: {cite}
|
|
36
|
+
- **If none applies → do NOT build the psychoprofile.** Keep the factual dossier only.
|
|
37
|
+
|
|
38
|
+
## 5. Data-subject rights & retention
|
|
39
|
+
- **Retention period:** {e.g. 90 days after purpose fulfilled, then delete}
|
|
40
|
+
- **DSAR / erasure contact:** {email/process to honor access, rectification, erasure, objection}
|
|
41
|
+
- **Transparency:** how/whether the data subject is or will be informed (Art. 14), or the exemption relied on.
|
|
42
|
+
|
|
43
|
+
## 6. Sign-off
|
|
44
|
+
- Basis confirmed by: {name} · date: {date}
|
|
45
|
+
- Shield review (if enterprise/high-risk): {ref or N/A}
|
|
46
|
+
|
|
47
|
+
> If sections 2–4 cannot be completed, the Phase −1 gate FAILS: decline the
|
|
48
|
+
> named-person profiling and use the non-personal research paths instead.
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# GDPR & OSINT — governance for the investigate skill
|
|
2
|
+
|
|
3
|
+
This pack performs OSINT on named individuals, including psychoprofiling. That is
|
|
4
|
+
personal-data processing (GDPR + analogous laws such as UK GDPR, LGPD, CCPA/CPRA).
|
|
5
|
+
BMAD+ **keeps** this capability and **governs** it — the Phase −1 lawful-basis gate
|
|
6
|
+
in `SKILL.md` makes lawful use explicit and auditable rather than removing the pack.
|
|
7
|
+
(Decision: keep + govern, 2026-07-02.)
|
|
8
|
+
|
|
9
|
+
## Why this matters
|
|
10
|
+
- Profiling and evaluating personal aspects is regulated (GDPR Art. 4(4), Art. 22, Recital 71).
|
|
11
|
+
- Inferring personality, health, political/religious views, or sexual orientation is
|
|
12
|
+
**special-category** processing (Art. 9) — a higher bar than ordinary personal data.
|
|
13
|
+
- "Publicly available" ≠ "no rules apply." Scraping public profiles is still processing;
|
|
14
|
+
you still need a lawful basis and must respect purpose limitation and data-subject rights.
|
|
15
|
+
|
|
16
|
+
## The gate, in one line
|
|
17
|
+
No lawful basis + specific purpose recorded (`assets/lawful-basis-record.md`) → no
|
|
18
|
+
named-person profiling. Non-personal research (company/product/market, public entities)
|
|
19
|
+
is unaffected.
|
|
20
|
+
|
|
21
|
+
## Legitimate interest (the common basis)
|
|
22
|
+
When relying on Art. 6(1)(f), complete the 3-part LIA in the record:
|
|
23
|
+
1. **Purpose** — a real, specific legitimate interest (due diligence, fraud/security, journalism).
|
|
24
|
+
2. **Necessity** — OSINT is necessary and proportionate; no less-intrusive route.
|
|
25
|
+
3. **Balancing** — the person's rights/freedoms do not override; consider their reasonable
|
|
26
|
+
expectations, the sensitivity of the data, and any special-category inference (which
|
|
27
|
+
usually tips the balance and requires an Art. 9 condition instead).
|
|
28
|
+
|
|
29
|
+
## Special-category / psychoprofile
|
|
30
|
+
Only build the psychoprofile (MBTI/Big Five, etc.) with a valid **Art. 9(2)** condition
|
|
31
|
+
(typically explicit consent, or data manifestly made public by the subject). Otherwise
|
|
32
|
+
keep the factual dossier and skip the personality inference.
|
|
33
|
+
|
|
34
|
+
## Data-subject rights & retention
|
|
35
|
+
- Define a **retention period**; delete when the purpose is met.
|
|
36
|
+
- Provide a **DSAR/erasure** path (access, rectification, erasure, objection).
|
|
37
|
+
- Consider **transparency** (Art. 14) or a documented exemption.
|
|
38
|
+
|
|
39
|
+
## Prohibited / out of scope
|
|
40
|
+
- No profiling without a recorded basis + purpose.
|
|
41
|
+
- No use for unlawful discrimination, harassment, stalking, or unauthorized surveillance.
|
|
42
|
+
- No special-category inference without an Art. 9 condition.
|
|
43
|
+
|
|
44
|
+
## Related BMAD+ assets
|
|
45
|
+
- `SKILL.md` → Phase −1 gate.
|
|
46
|
+
- `assets/lawful-basis-record.md` → gate record + ROPA entry.
|
|
47
|
+
- Shield (GRC) pack → `gdpr-agent`, `legitimate-interest`, `dpia-sentinel`, `privacy-notice-gen`
|
|
48
|
+
for DPIA, LIA, ROPA, and privacy-notice generation at scale.
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "https://json.schemastore.org/package.json",
|
|
3
3
|
"name": "bmad-plus",
|
|
4
|
-
"version": "0.
|
|
4
|
+
"version": "0.12.0",
|
|
5
5
|
"description": "BMAD+ — Augmented AI-Driven Development Framework with multi-role agents, autopilot, and parallel execution",
|
|
6
6
|
"keywords": [
|
|
7
7
|
"bmad",
|
|
@@ -34,6 +34,8 @@
|
|
|
34
34
|
"install:bmad": "node tools/cli/bmad-plus-cli.js install",
|
|
35
35
|
"update:bmad": "node tools/cli/bmad-plus-cli.js update",
|
|
36
36
|
"doctor:bmad": "node tools/cli/bmad-plus-cli.js doctor",
|
|
37
|
+
"build": "node tools/build/generate.js --out tools/cli/lib/packs.js",
|
|
38
|
+
"build:check": "node tools/build/generate.js --check",
|
|
37
39
|
"lint": "eslint tools/ tests/",
|
|
38
40
|
"format": "prettier --write \"tools/**/*.js\" \"tests/**/*.js\"",
|
|
39
41
|
"format:check": "prettier --check \"tools/**/*.js\" \"tests/**/*.js\"",
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
# BMAD+ Build — Registry Generator (Pillar 1)
|
|
2
|
+
|
|
3
|
+
`registry.yaml` at the repo root is the **single source of truth** for the
|
|
4
|
+
9 packs, their agents, skills, data files, install layout, runtimes, and
|
|
5
|
+
compliance tags. Until now this data was hand-replicated in 5 places
|
|
6
|
+
(`tools/cli/lib/packs.js`, `src/bmad-plus/module.yaml`, `install.js`,
|
|
7
|
+
`ide-config.js`, `i18n.js`) — and they drifted.
|
|
8
|
+
|
|
9
|
+
`tools/build/generate.js` reads `registry.yaml` and generates the pack data
|
|
10
|
+
consumed by the CLI. The migration proof (`tests/unit/generate.test.js`)
|
|
11
|
+
asserts the generated `PACKS` / `PACK_ORDER` / `EXPECTED_AGENTS` are
|
|
12
|
+
**deep-strict-equal** to the hand-written `tools/cli/lib/packs.js`, so the
|
|
13
|
+
registry provably captures current reality before anything is replaced.
|
|
14
|
+
|
|
15
|
+
## Usage
|
|
16
|
+
|
|
17
|
+
```bash
|
|
18
|
+
# Print the generated packs module source (drop-in packs.js replacement)
|
|
19
|
+
node tools/build/generate.js
|
|
20
|
+
|
|
21
|
+
# Print PACKS / PACK_ORDER / EXPECTED_AGENTS as JSON
|
|
22
|
+
node tools/build/generate.js --json
|
|
23
|
+
|
|
24
|
+
# Write the generated module to a file
|
|
25
|
+
node tools/build/generate.js --out tools/cli/lib/packs.generated.js
|
|
26
|
+
|
|
27
|
+
# CI drift gate: exit 1 if registry.yaml no longer reproduces packs.js
|
|
28
|
+
# (also asserts product.version == package.json version)
|
|
29
|
+
node tools/build/generate.js --check
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
## Registry contract (fields the generator consumes)
|
|
33
|
+
|
|
34
|
+
Per pack under `packs:` in `registry.yaml`:
|
|
35
|
+
|
|
36
|
+
| Field | Maps to | Notes |
|
|
37
|
+
| --- | --- | --- |
|
|
38
|
+
| `order` | `PACK_ORDER` position | integer, unique |
|
|
39
|
+
| `cli.name` / `cli.icon` / `cli.desc` | `PACKS[id].name/icon/desc` | exact CLI strings (icon = glyph letter) |
|
|
40
|
+
| `agents` | `PACKS[id].agents` | agent ids the installer copies |
|
|
41
|
+
| `skills` | `PACKS[id].skills` | defaults to `[]` |
|
|
42
|
+
| `data` | `PACKS[id].data` | **key presence is significant** — only core & maker declare it |
|
|
43
|
+
| `external_package` | `PACKS[id].externalPackage` | osint only |
|
|
44
|
+
| `pack_dir` / `pack_src_dir` | `PACKS[id].packDir/packSrcDir` | `pack_src_dir` defaults to `packs` |
|
|
45
|
+
| `required` | `PACKS[id].required` | emitted **only when `true`** (packs.js omits it otherwise) |
|
|
46
|
+
| `install_layout` | `EXPECTED_AGENTS[id]` | `loose` → agents as directories, `packDir: null`; `packaged` → `packDir` + `doctor.pack_agents` |
|
|
47
|
+
| `doctor.pack_agents` | `EXPECTED_AGENTS[id].packAgents` | agent **filenames** inside `pack_dir` (packaged only) |
|
|
48
|
+
|
|
49
|
+
Everything else in `registry.yaml` (`display_name`, `icon_emoji`, `summary`,
|
|
50
|
+
`runtime`, `categories`, `workflows`, `governance`, `compliance_tags`,
|
|
51
|
+
`targets`, `runtimes`, `memory`, `eval`) is north-star metadata consumed by
|
|
52
|
+
future generators (module.yaml, README count tables, per-CLI adapters,
|
|
53
|
+
role-triggers) — declared once here so counts are derived, never typed.
|
|
54
|
+
|
|
55
|
+
## Editing workflow
|
|
56
|
+
|
|
57
|
+
1. Edit `registry.yaml` (never the generated data).
|
|
58
|
+
2. Run `node tools/build/generate.js --check`.
|
|
59
|
+
3. While `packs.js` is still hand-written (migration phase), sync it via
|
|
60
|
+
`node tools/build/generate.js --out tools/cli/lib/packs.js` or apply the
|
|
61
|
+
equivalent hand edit — `--check` and `tests/unit/generate.test.js`
|
|
62
|
+
(`npx jest tests/unit/generate.test.js`) both fail on any divergence.
|
|
63
|
+
|
|
64
|
+
## Migration end-state (for the orchestrator)
|
|
65
|
+
|
|
66
|
+
Once integration is approved, `tools/cli/lib/packs.js` becomes either:
|
|
67
|
+
|
|
68
|
+
- a checked-in generated file (`generate.js --out tools/cli/lib/packs.js`,
|
|
69
|
+
with `--check` as a CI/pre-commit gate), or
|
|
70
|
+
- a thin runtime re-export:
|
|
71
|
+
|
|
72
|
+
```js
|
|
73
|
+
const { loadRegistry, buildAll } = require('../../build/generate');
|
|
74
|
+
module.exports = buildAll(loadRegistry());
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
Both keep the exact `{ PACKS, PACK_ORDER, EXPECTED_AGENTS }` shape every CLI
|
|
78
|
+
command already imports, so no call site changes.
|
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* BMAD+ Build — hand-authored project instructions (Pillar 5 adoption).
|
|
3
|
+
*
|
|
4
|
+
* When the root adapters (CLAUDE.md / GEMINI.md / AGENTS.md / .cursor / .codex /
|
|
5
|
+
* .opencode / CONVENTIONS.md) were adopted as GENERATED files, every substantive
|
|
6
|
+
* hand-written instruction they contained was folded into THIS file — the UNION
|
|
7
|
+
* of all three pre-adoption root files, nothing dropped:
|
|
8
|
+
*
|
|
9
|
+
* - Agents roster (personas + Hebrew names + pack qualifiers) — from all three
|
|
10
|
+
* - Skills paths (installed `.agents/` layout AND repo `src/bmad-plus/` layout)
|
|
11
|
+
* - Project Structure — from GEMINI/AGENTS
|
|
12
|
+
* - Communication (user name + language policy) — from CLAUDE
|
|
13
|
+
* - Commit Rules (no AI co-author) — from GEMINI
|
|
14
|
+
* - Repository Maintenance Rule (README i18n sync) — from GEMINI/AGENTS
|
|
15
|
+
* - Memory Protocol (Karpathy Guardrails G1–G4 + files) — from CLAUDE
|
|
16
|
+
*
|
|
17
|
+
* These sections are injected VERBATIM into the generated spine (AGENTS.md) and
|
|
18
|
+
* into every generated adapter, so every tool keeps the full instructions even
|
|
19
|
+
* when it only auto-loads its own file.
|
|
20
|
+
*
|
|
21
|
+
* EDIT THIS FILE (never the generated root files), then regenerate:
|
|
22
|
+
* node tools/build/generate-adapters.js --adopt
|
|
23
|
+
*
|
|
24
|
+
* Numbers policy: NO counts are hand-typed here (they drift — see audit DOC-06).
|
|
25
|
+
* All counts live in the generated "Registry facts" section, derived from
|
|
26
|
+
* registry.yaml. That is why the Shield line below carries no agent count.
|
|
27
|
+
*
|
|
28
|
+
* Author: Laurent Rochetta
|
|
29
|
+
*/
|
|
30
|
+
|
|
31
|
+
'use strict';
|
|
32
|
+
|
|
33
|
+
/**
|
|
34
|
+
* Markdown lines (LF-joined by the generator). Headings are `##` level so the
|
|
35
|
+
* block nests directly under each generated file's H1.
|
|
36
|
+
*/
|
|
37
|
+
const PROJECT_INSTRUCTIONS = [
|
|
38
|
+
'## Agents',
|
|
39
|
+
'',
|
|
40
|
+
'To activate an agent, say its name or persona:',
|
|
41
|
+
'',
|
|
42
|
+
'- **Atlas** (Strategist) — Business analysis + Product management',
|
|
43
|
+
'- **Forge** (Architect-Dev) — Architecture + Development + Documentation',
|
|
44
|
+
'- **Sentinel** (Quality) — QA + UX review',
|
|
45
|
+
'- **Nexus** (Orchestrator) — Sprint management + Autopilot + Parallel execution',
|
|
46
|
+
'- **Shadow** (OSINT) — Investigation + Scraping + Psychoprofiling (if OSINT pack installed)',
|
|
47
|
+
'- **Maker** (Agent Creator) — Design, build, validate, and package new BMAD+ agents',
|
|
48
|
+
'- **Shield** (GRC) — Compliance agents for GDPR, ISO 27001, SOC 2, HIPAA, EU AI Act, DORA, NIS2 and more (derived counts: see Registry facts below)',
|
|
49
|
+
'- **Miriam** (מרים) — Business Analyst — Strategic analysis, research, product briefs (Dev Studio)',
|
|
50
|
+
'- **Huldah** (חולדה) — Technical Writer — Documentation, diagrams, editorial review (Dev Studio)',
|
|
51
|
+
'- **Yosef** (יוסף) — Product Manager — PRD, requirements, feature prioritization (Dev Studio)',
|
|
52
|
+
'- **Rachel** (רחל) — UX Designer — User experience, wireframes, empathy mapping (Dev Studio)',
|
|
53
|
+
'- **Bezalel** (בצלאל) — System Architect — Architecture, ADRs, epics & stories (Dev Studio)',
|
|
54
|
+
'- **Oholiab** (אהליאב) — Senior Engineer — TDD, sprint, code review, implementation (Dev Studio)',
|
|
55
|
+
'- **Zecher** (זכר, Memory Guardian) — Memory Archivist — Persistent cross-session memory, consolidation, project scanning, context recall, session handoffs',
|
|
56
|
+
'',
|
|
57
|
+
'## Skills',
|
|
58
|
+
'',
|
|
59
|
+
'- Installed projects load skills from `.agents/skills/`; in this repository the sources live in `src/bmad-plus/skills/` and `src/bmad-plus/agents/`.',
|
|
60
|
+
'- Each agent has a SKILL.md with capabilities, activation protocol, and role-switching rules.',
|
|
61
|
+
'- Auto-activation triggers: `.agents/data/role-triggers.yaml` (source: `src/bmad-plus/data/role-triggers.yaml`).',
|
|
62
|
+
'',
|
|
63
|
+
'## Project Structure',
|
|
64
|
+
'',
|
|
65
|
+
'- `src/bmad-plus/` — Custom module (agents, skills, data)',
|
|
66
|
+
'- `monitor/` — Upstream monitoring system (VPS)',
|
|
67
|
+
'- `mcp-server/` — Audit 360° MCP Server',
|
|
68
|
+
'- `osint-agent-package/` — OSINT package',
|
|
69
|
+
'- `upstream/` — BMAD-METHOD reference clone',
|
|
70
|
+
'',
|
|
71
|
+
'## Communication',
|
|
72
|
+
'',
|
|
73
|
+
'- User name: laurent',
|
|
74
|
+
'- Default language: Français for user-facing content, English for code and technical docs.',
|
|
75
|
+
'',
|
|
76
|
+
'## Commit Rules',
|
|
77
|
+
'',
|
|
78
|
+
'- NEVER add "Co-Authored-By: Claude" or any AI co-author attribution.',
|
|
79
|
+
'- The sole author is Laurent Rochetta.',
|
|
80
|
+
'',
|
|
81
|
+
'## Repository Maintenance Rule',
|
|
82
|
+
'',
|
|
83
|
+
'When updating the main README.md (English), you MUST synchronously update all translations in the readme-international/ directory (fr, es, de).',
|
|
84
|
+
'',
|
|
85
|
+
'## Memory Protocol (Karpathy Guardrails)',
|
|
86
|
+
'',
|
|
87
|
+
'Agents MUST follow these behavioral principles:',
|
|
88
|
+
'',
|
|
89
|
+
'### G1 — Think Before Coding',
|
|
90
|
+
'',
|
|
91
|
+
'- State assumptions explicitly. If uncertain, ask.',
|
|
92
|
+
'- Check `.agents/memory/decisions.md` for prior decisions before re-deciding.',
|
|
93
|
+
'',
|
|
94
|
+
'### G2 — Simplicity First',
|
|
95
|
+
'',
|
|
96
|
+
'- Minimum code that solves the problem. Nothing speculative.',
|
|
97
|
+
'- Check `.agents/memory/patterns.md` for existing solutions.',
|
|
98
|
+
'',
|
|
99
|
+
'### G3 — Surgical Changes',
|
|
100
|
+
'',
|
|
101
|
+
'- Touch only what you must. Match existing style.',
|
|
102
|
+
'- Log surprises in `.agents/memory/lessons.md`.',
|
|
103
|
+
'',
|
|
104
|
+
'### G4 — Goal-Driven Execution',
|
|
105
|
+
'',
|
|
106
|
+
'- Define success criteria before implementing.',
|
|
107
|
+
'- Log non-obvious decisions in `.agents/memory/decisions.md`.',
|
|
108
|
+
'',
|
|
109
|
+
'### Memory Files',
|
|
110
|
+
'',
|
|
111
|
+
'- `.agents/memory/decisions.md` — Read at session start, write when making decisions',
|
|
112
|
+
'- `.agents/memory/lessons.md` — Write when something unexpected happens',
|
|
113
|
+
'- `.agents/memory/patterns.md` — Write when a reusable pattern is validated',
|
|
114
|
+
'- `.agents/memory/context.md` — Update at session end with project state',
|
|
115
|
+
];
|
|
116
|
+
|
|
117
|
+
module.exports = { PROJECT_INSTRUCTIONS };
|