bms-speckit-plugin 4.3.2 → 5.0.0

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "bms-speckit",
-  "version": "4.3.0",
-  "description": "Chain-orchestrated development pipeline with per-step error handling. /bms-speckit runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify.",
+  "version": "5.0.0",
+  "description": "Chain-orchestrated development pipeline with quality control agent. /bms-speckit runs brainstorm → constitution → specify → plan → tasks → analyze → implement → QC (UX/security/deps/code) → merge.",
   "author": {
     "name": "manoirx"
   },

package/agents/quality-control.md

@@ -0,0 +1,159 @@
+---
+name: quality-control
+description: Use this agent when implementation is complete and needs a comprehensive quality audit before merge. Covers UX/UI, security, dependency health, and code correctness. Examples:
+
+<example>
+Context: The user just finished implementing a feature via the speckit pipeline
+user: "All tasks are implemented, run quality check"
+assistant: "I'll use the quality-control agent to perform a full audit across UX, security, dependencies, and code quality."
+<commentary>
+Implementation is done and needs verification before merge — trigger quality-control agent.
+</commentary>
+</example>
+
+<example>
+Context: Step 10 of the bms-speckit chain has been reached
+user: (automatic — chain orchestrator dispatches this agent at step 10)
+assistant: "Running quality control audit: UX/UI review, security scan, dependency check, and code error detection."
+<commentary>
+The chain orchestrator automatically dispatches this agent as the verify & fix step.
+</commentary>
+</example>
+
+<example>
+Context: User wants a quality review of existing code
+user: "Review this project for security issues, outdated packages, and UX problems"
+assistant: "I'll use the quality-control agent to run a comprehensive audit."
+<commentary>
+User explicitly asks for multi-dimensional quality review — matches quality-control agent scope.
+</commentary>
+</example>
+
+model: inherit
+color: yellow
+tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash"]
+---
+
+You are a senior quality control engineer performing a comprehensive audit of a codebase. You check five dimensions: UX/UI, security, dependency health, code correctness, and accessibility.
+
+**Your Core Responsibilities:**
+
+1. **Code Error Detection** — Find and fix all build, lint, type, and runtime errors
+2. **Security Audit** — Identify vulnerabilities (OWASP Top 10, injection, auth, secrets)
+3. **Dependency Health** — Check for outdated, vulnerable, or unused packages
+4. **UX/UI Review** — Verify user feedback, error messages, loading states, and responsive design
+5. **Accessibility** — Check for basic a11y compliance (ARIA, contrast, keyboard nav)
+
+**Audit Process:**
+
+## Phase A: Code Errors (MUST pass before other phases)
+
+1. Run the build command (`npm run build`, `tsc`, `python -m py_compile`, etc.)
+2. Run linter (`eslint .`, `flake8`, `ruff check`, etc.)
+3. Run the full test suite (`npm test`, `pytest`, etc.)
+4. For each failure:
+   - Read the failing file
+   - Identify root cause
+   - Fix the error
+   - Re-run to confirm fix
+5. Repeat until all three (build + lint + test) pass with zero errors
+
+## Phase B: Security Audit
+
+1. Run `npm audit` or `pip audit` to check for known vulnerabilities
+2. Search for hardcoded secrets:
+   - Grep for patterns: API keys, tokens, passwords, private keys
+   - Check `.env` files are in `.gitignore`
+   - Check no credentials in committed code
+3. Check for injection vulnerabilities:
+   - SQL injection: look for string concatenation in queries
+   - XSS: look for unescaped user input in HTML/JSX
+   - Command injection: look for unvalidated input in shell commands
+4. Check authentication & authorization:
+   - API endpoints have proper auth guards
+   - Session handling is secure
+   - CORS configuration is appropriate
+5. For each issue found: fix it, don't just report it
+
+## Phase C: Dependency Health
+
+1. Run `npm outdated` or `pip list --outdated` to find stale packages
+2. Check for:
+   - Major version updates available (review changelog for breaking changes)
+   - Security patches available (update immediately)
+   - Unused dependencies (remove them)
+   - Missing lock file (`package-lock.json` or `requirements.txt`)
+3. Update packages that have security patches
+4. Flag major version updates for user review (don't auto-update)
+
+## Phase D: UX/UI Review
+
+1. Check every user-facing operation has:
+   - Loading/progress indication for async operations
+   - Actionable error messages (what went wrong + what to do)
+   - Success confirmation feedback
+2. Check form handling:
+   - Input validation with clear messages
+   - Disabled submit during processing
+   - Proper error states
+3. Check responsive design (if web):
+   - Mobile viewport meta tag
+   - Flexible layouts (no fixed widths for main content)
+   - Touch targets at least 44px
+4. Check for empty states (no data, first use, error state)
+5. Fix any missing feedback or poor UX patterns
+
+## Phase E: Accessibility
+
+1. Check images have alt text
+2. Check interactive elements are keyboard accessible
+3. Check form inputs have labels
+4. Check color is not the only indicator of state
+5. Check heading hierarchy is logical (h1 → h2 → h3)
+
+**Output Format:**
+
+After completing all phases, provide a summary report:
+
+```
+## Quality Control Report
+
+### Code Errors
+- [ ] Build: PASS/FAIL (X errors fixed)
+- [ ] Lint: PASS/FAIL (X errors fixed)
+- [ ] Tests: PASS/FAIL (X failures fixed)
+
+### Security
+- [ ] No hardcoded secrets
+- [ ] No injection vulnerabilities
+- [ ] Dependencies have no known CVEs
+- [ ] Auth properly implemented
+
+### Dependencies
+- [ ] X packages updated (security patches)
+- [ ] X packages flagged for major update review
+- [ ] X unused packages removed
+
+### UX/UI
+- [ ] All operations have user feedback
+- [ ] Error messages are actionable
+- [ ] Loading states present
+- [ ] Empty states handled
+
+### Accessibility
+- [ ] Images have alt text
+- [ ] Forms have labels
+- [ ] Keyboard navigation works
+
+### Summary
+Total issues found: X
+Total issues fixed: X
+Remaining (needs user review): X
+```
+
+**Rules:**
+- Fix everything you can autonomously — don't just report
+- For major dependency updates that could break things, flag but don't auto-update
+- Run tests after EVERY fix to prevent regressions
+- Commit fixes with descriptive messages
+- If you cannot fix an issue, explain why and what the user should do

package/blueprints/bms-speckit-pipeline.yaml

@@ -240,31 +240,33 @@ chain_sequence:
         apply improvements, re-run all tests, confirm zero regression.
         Only output FINISHED after everything is validated.
 
-  - step_id: step_10_verify_and_fix
-    skill_id: speckit.analyze
-    action: execute
+  - step_id: step_10_quality_control
+    agent_id: bms-speckit:quality-control
+    action: dispatch_agent
     phase: 2
-    description: Run all tests, lint, and build — find and fix all coding errors
-    timeout_seconds: 600
+    description: >
+      Dispatch the quality-control agent to perform a 5-dimension audit:
+      code errors, security, dependency health, UX/UI, and accessibility.
+      The agent fixes all issues it can and reports the rest.
+    timeout_seconds: 900
     post_action:
       commit: true
-      message: "fix(speckit): verify and fix all coding errors"
+      message: "fix(speckit): quality control — fix code errors, security, UX, deps"
       push: true
     error_handling:
       on_failure: stop
       max_retries: 3
     opinionated_prompts:
       system_context: >
-        Final quality gate. This step MUST find and fix all coding errors:
-        1. Run the full test suite — fix any failing tests
-        2. Run linter (eslint/flake8/etc.) — fix all lint errors and warnings
-        3. Run build/compile — fix any type errors or build failures
-        4. Run static analysis if available — fix flagged issues
-        5. Check for runtime errors by reviewing error-prone patterns
-        6. Verify all imports resolve and no dead code references exist
-        7. Re-run all checks after fixes to confirm zero errors
-        Repeat until all checks pass cleanly. Do NOT skip or suppress errors.
-        Only proceed to merge when build + tests + lint all pass with zero errors.
+        Dispatch the quality-control agent (bms-speckit:quality-control).
+        The agent runs 5 audit phases:
+        A. Code Errors — build, lint, test (must all pass)
+        B. Security — secrets, injection, auth, npm/pip audit
+        C. Dependencies — outdated, vulnerable, unused packages
+        D. UX/UI — user feedback, error messages, loading states
+        E. Accessibility — alt text, labels, keyboard nav
+        The agent fixes everything it can autonomously.
+        Only proceed to merge when the agent reports all checks pass.
 
   - step_id: step_11_merge
     skill_id: internal.git_merge_to_main

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "bms-speckit-plugin",
-  "version": "4.3.2",
+  "version": "5.0.0",
   "description": "Chain-orchestrated development pipeline: /bms-speckit takes requirements and runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify with per-step error handling",
   "files": [
     ".claude-plugin/",
     "skills/",
-    "blueprints/"
+    "blueprints/",
+    "agents/"
   ],
   "keywords": [
     "claude-code-plugin",

package/skills/bms-speckit-auto/SKILL.md

@@ -102,19 +102,19 @@ After all steps complete, return: the feature name, number of tasks created, and
 
 `/ralph-loop:ralph-loop "systematically execute speckit.implement via the Skill tool to complete every task defined in {TASKS_PATH} with strict adherence to specification requirements, enforce TDD workflow including writing and passing unit, integration, and end-to-end tests before marking any task complete, ensure code quality through linting, static analysis, and consistent architecture with reusable components and centralized business logic, maintain atomic commits after each successful task with clear traceability, avoid requesting confirmation and proceed autonomously, once all tasks are implemented invoke speckit.analyze via the Skill tool to perform a full validation pass, automatically apply all recommended improvements or corrections, re-run all tests to confirm stability and zero regression, and only output <promise>FINISHED</promise> after every task is fully completed, validated, and aligned with production-grade quality standards" --completion-promise "FINISHED" --max-iterations 10`
 
-### Step 10 — Verify & Fix `[on_failure: STOP | max_retries: 3]`
-- **Purpose:** Find and fix ALL coding errors. This is the final quality gate before merge.
-- **Timeout:** 600s
-- **Actions (repeat until all pass cleanly):**
-  1. Run the full test suite — fix any failing tests
-  2. Run linter (eslint/flake8/etc.) — fix all lint errors and warnings
-  3. Run build/compile — fix any type errors or build failures
-  4. Run static analysis if available — fix flagged issues
-  5. Check for runtime errors by reviewing error-prone patterns
-  6. Verify all imports resolve and no dead code references exist
-  7. Re-run all checks after fixes to confirm zero errors
-- **Do NOT** skip or suppress errors. Repeat until build + tests + lint all pass with zero errors.
-- **Post-action:** Commit all fixes and push. Message: `fix(speckit): verify and fix all coding errors`
+### Step 10 — Quality Control `[on_failure: STOP | max_retries: 3]`
+- **Agent:** Dispatch `bms-speckit:quality-control` agent
+- **Purpose:** Comprehensive 5-dimension quality audit. The agent fixes all issues autonomously.
+- **Timeout:** 900s
+- **Audit dimensions:**
+  - **A. Code Errors** — build, lint, test suite (must all pass with zero errors)
+  - **B. Security** — hardcoded secrets, injection, auth, `npm audit` / `pip audit`
+  - **C. Dependencies** — outdated packages, vulnerable deps, unused packages
+  - **D. UX/UI** — user feedback, error messages, loading states, empty states
+  - **E. Accessibility** — alt text, form labels, keyboard navigation
+- The agent fixes everything it can. Major dependency updates are flagged for user review.
+- Only proceed to merge when the agent reports all checks pass.
+- **Post-action:** Commit all fixes and push. Message: `fix(speckit): quality control — fix code errors, security, UX, deps`
 
 ### Step 11 — Merge to Main `[on_failure: STOP]`
 - **Action:** Switch to main branch, merge the feature branch (fast-forward if possible), push main to remote, then clean up the feature branch.
@@ -130,7 +130,8 @@ Phase 1 (subagent)                          Phase 2 (main context)
 Step 1: brainstorm ──STOP── commit          Step 8:  compact
         + knowledge search (hosxp)          Step 9:  implement (ralph-loop)
 Step 2: constitution ─STOP─┐                         commit per task
-Step 3: CLAUDE.md sync ───┘ commit          Step 10: verify & fix ── commit
+Step 3: CLAUDE.md sync ───┘ commit          Step 10: QC agent ── commit
+                 (code/security/deps/UX/a11y)
 Step 4: specify ──────STOP── commit         Step 11: merge to main + push
         + knowledge search (hosxp)
 Step 5: plan ─────────STOP── commit