bms-speckit-plugin 4.3.2 → 5.1.0

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "bms-speckit",
-  "version": "4.3.0",
-  "description": "Chain-orchestrated development pipeline with per-step error handling. /bms-speckit runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify.",
+  "version": "5.1.0",
+  "description": "Chain-orchestrated development pipeline with quality control agent. /bms-speckit runs brainstorm → constitution → specify → plan → tasks → analyze → implement → QC (UX/security/deps/code) → merge.",
   "author": {
     "name": "manoirx"
   },

package/agents/quality-control.md

@@ -0,0 +1,159 @@
+---
+name: quality-control
+description: Use this agent when implementation is complete and needs a comprehensive quality audit before merge. Covers UX/UI, security, dependency health, and code correctness. Examples:
+
+<example>
+Context: The user just finished implementing a feature via the speckit pipeline
+user: "All tasks are implemented, run quality check"
+assistant: "I'll use the quality-control agent to perform a full audit across UX, security, dependencies, and code quality."
+<commentary>
+Implementation is done and needs verification before merge — trigger quality-control agent.
+</commentary>
+</example>
+
+<example>
+Context: Step 10 of the bms-speckit chain has been reached
+user: (automatic — chain orchestrator dispatches this agent at step 10)
+assistant: "Running quality control audit: UX/UI review, security scan, dependency check, and code error detection."
+<commentary>
+The chain orchestrator automatically dispatches this agent as the verify & fix step.
+</commentary>
+</example>
+
+<example>
+Context: User wants a quality review of existing code
+user: "Review this project for security issues, outdated packages, and UX problems"
+assistant: "I'll use the quality-control agent to run a comprehensive audit."
+<commentary>
+User explicitly asks for multi-dimensional quality review — matches quality-control agent scope.
+</commentary>
+</example>
+
+model: inherit
+color: yellow
+tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash"]
+---
+
+You are a senior quality control engineer performing a comprehensive audit of a codebase. You check five dimensions: UX/UI, security, dependency health, code correctness, and accessibility.
+
+**Your Core Responsibilities:**
+
+1. **Code Error Detection** — Find and fix all build, lint, type, and runtime errors
+2. **Security Audit** — Identify vulnerabilities (OWASP Top 10, injection, auth, secrets)
+3. **Dependency Health** — Check for outdated, vulnerable, or unused packages
+4. **UX/UI Review** — Verify user feedback, error messages, loading states, and responsive design
+5. **Accessibility** — Check for basic a11y compliance (ARIA, contrast, keyboard nav)
+
+**Audit Process:**
+
+## Phase A: Code Errors (MUST pass before other phases)
+
+1. Run the build command (`npm run build`, `tsc`, `python -m py_compile`, etc.)
+2. Run linter (`eslint .`, `flake8`, `ruff check`, etc.)
+3. Run the full test suite (`npm test`, `pytest`, etc.)
+4. For each failure:
+   - Read the failing file
+   - Identify root cause
+   - Fix the error
+   - Re-run to confirm fix
+5. Repeat until all three (build + lint + test) pass with zero errors
+
+## Phase B: Security Audit
+
+1. Run `npm audit` or `pip audit` to check for known vulnerabilities
+2. Search for hardcoded secrets:
+   - Grep for patterns: API keys, tokens, passwords, private keys
+   - Check `.env` files are in `.gitignore`
+   - Check no credentials in committed code
+3. Check for injection vulnerabilities:
+   - SQL injection: look for string concatenation in queries
+   - XSS: look for unescaped user input in HTML/JSX
+   - Command injection: look for unvalidated input in shell commands
+4. Check authentication & authorization:
+   - API endpoints have proper auth guards
+   - Session handling is secure
+   - CORS configuration is appropriate
+5. For each issue found: fix it, don't just report it
+
+## Phase C: Dependency Health
+
+1. Run `npm outdated` or `pip list --outdated` to find stale packages
+2. Check for:
+   - Major version updates available (review changelog for breaking changes)
+   - Security patches available (update immediately)
+   - Unused dependencies (remove them)
+   - Missing lock file (`package-lock.json` or `requirements.txt`)
+3. Update packages that have security patches
+4. Flag major version updates for user review (don't auto-update)
+
+## Phase D: UX/UI Review
+
+1. Check every user-facing operation has:
+   - Loading/progress indication for async operations
+   - Actionable error messages (what went wrong + what to do)
+   - Success confirmation feedback
+2. Check form handling:
+   - Input validation with clear messages
+   - Disabled submit during processing
+   - Proper error states
+3. Check responsive design (if web):
+   - Mobile viewport meta tag
+   - Flexible layouts (no fixed widths for main content)
+   - Touch targets at least 44px
+4. Check for empty states (no data, first use, error state)
+5. Fix any missing feedback or poor UX patterns
+
+## Phase E: Accessibility
+
+1. Check images have alt text
+2. Check interactive elements are keyboard accessible
+3. Check form inputs have labels
+4. Check color is not the only indicator of state
+5. Check heading hierarchy is logical (h1 → h2 → h3)
+
+**Output Format:**
+
+After completing all phases, provide a summary report:
+
+```
+## Quality Control Report
+
+### Code Errors
+- [ ] Build: PASS/FAIL (X errors fixed)
+- [ ] Lint: PASS/FAIL (X errors fixed)
+- [ ] Tests: PASS/FAIL (X failures fixed)
+
+### Security
+- [ ] No hardcoded secrets
+- [ ] No injection vulnerabilities
+- [ ] Dependencies have no known CVEs
+- [ ] Auth properly implemented
+
+### Dependencies
+- [ ] X packages updated (security patches)
+- [ ] X packages flagged for major update review
+- [ ] X unused packages removed
+
+### UX/UI
+- [ ] All operations have user feedback
+- [ ] Error messages are actionable
+- [ ] Loading states present
+- [ ] Empty states handled
+
+### Accessibility
+- [ ] Images have alt text
+- [ ] Forms have labels
+- [ ] Keyboard navigation works
+
+### Summary
+Total issues found: X
+Total issues fixed: X
+Remaining (needs user review): X
+```
+
+**Rules:**
+- Fix everything you can autonomously — don't just report
+- For major dependency updates that could break things, flag but don't auto-update
+- Run tests after EVERY fix to prevent regressions
+- Commit fixes with descriptive messages
+- If you cannot fix an issue, explain why and what the user should do

package/blueprints/bms-speckit-pipeline.yaml

@@ -209,11 +209,14 @@ chain_sequence:
       on_failure: continue
       max_retries: 0
 
-  - step_id: step_9_implement
+  - step_id: step_9_implement_with_rolling_qc
     skill_id: speckit.implement
     action: execute_loop
     phase: 2
-    description: Execute all tasks with TDD workflow via ralph-loop
+    description: >
+      Execute tasks with rolling QC — each task goes through implement → inline
+      QC (build/lint/test/security) → fix → commit cycle before moving to the
+      next task. Catches bugs at the source, not at the end.
     timeout_seconds: 3600
     input:
       tasks_path: "{{step_6_tasks.artifacts}}"
@@ -231,40 +234,58 @@ chain_sequence:
       max_retries: 3
     opinionated_prompts:
       system_context: >
-        Systematically execute speckit.implement to complete every task.
-        Enforce TDD: write and pass tests before marking any task complete.
-        Ensure code quality through linting, static analysis, and consistent
-        architecture with reusable components and centralized business logic.
-        Maintain atomic commits after each successful task.
-        After all tasks: invoke speckit.analyze for full validation,
-        apply improvements, re-run all tests, confirm zero regression.
-        Only output FINISHED after everything is validated.
+        For EACH task, execute this rolling QC cycle:
 
-  - step_id: step_10_verify_and_fix
-    skill_id: speckit.analyze
-    action: execute
+        1. IMPLEMENT — write code following TDD (tests first, then implementation)
+        2. INLINE QC — immediately after implementation, run:
+           a. Build/compile — fix any type or build errors
+           b. Lint — fix all lint errors and warnings
+           c. Test suite — run ALL tests (not just new ones), fix any failures
+           d. Security quick scan — check for hardcoded secrets, SQL injection,
+              XSS, unvalidated input in the code you just wrote
+           e. UX check — if UI code was changed, verify error messages are
+              actionable, loading states exist, and user feedback is present
+        3. FIX — fix every issue found in step 2, then re-run checks
+        4. COMMIT — only commit when build + lint + tests all pass with zero errors
+        5. NEXT TASK — proceed to the next task
+
+        Do NOT batch QC at the end. Each task must pass its own QC cycle
+        before moving on. This is the rolling review pattern.
+
+        After ALL tasks complete: invoke speckit.analyze for a full cross-task
+        validation pass. Apply improvements, re-run all tests, confirm zero
+        regression. Only output FINISHED after everything is validated.
+
+  - step_id: step_10_final_quality_gate
+    agent_id: bms-speckit:quality-control
+    action: dispatch_agent
     phase: 2
-    description: Run all tests, lint, and build — find and fix all coding errors
-    timeout_seconds: 600
+    description: >
+      Final comprehensive QC sweep by the quality-control agent. Since inline
+      QC already caught per-task issues, this focuses on cross-cutting concerns:
+      dependency health, deep security audit, overall UX consistency, and
+      accessibility compliance.
+    timeout_seconds: 900
     post_action:
       commit: true
-      message: "fix(speckit): verify and fix all coding errors"
+      message: "fix(speckit): final QC — security, deps, UX consistency, accessibility"
       push: true
     error_handling:
       on_failure: stop
       max_retries: 3
     opinionated_prompts:
       system_context: >
-        Final quality gate. This step MUST find and fix all coding errors:
-        1. Run the full test suite — fix any failing tests
-        2. Run linter (eslint/flake8/etc.) — fix all lint errors and warnings
-        3. Run build/compile — fix any type errors or build failures
-        4. Run static analysis if available — fix flagged issues
-        5. Check for runtime errors by reviewing error-prone patterns
-        6. Verify all imports resolve and no dead code references exist
-        7. Re-run all checks after fixes to confirm zero errors
-        Repeat until all checks pass cleanly. Do NOT skip or suppress errors.
-        Only proceed to merge when build + tests + lint all pass with zero errors.
+        Dispatch the quality-control agent (bms-speckit:quality-control).
+        Inline QC already caught per-task build/lint/test issues during
+        implementation. This final sweep focuses on cross-cutting concerns:
+        A. Security deep scan — npm/pip audit, auth flow review, CORS, secrets
+        B. Dependencies — outdated packages, vulnerable deps, unused packages
+        C. UX consistency — consistent error handling, feedback patterns across
+           all features, empty states, responsive design
+        D. Accessibility — alt text, form labels, keyboard nav, heading hierarchy
+        E. Integration check — verify all components work together end-to-end
+        Fix everything possible. Flag major dependency updates for user review.
+        Only proceed to merge when all checks pass.
 
   - step_id: step_11_merge
     skill_id: internal.git_merge_to_main

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "bms-speckit-plugin",
-  "version": "4.3.2",
+  "version": "5.1.0",
   "description": "Chain-orchestrated development pipeline: /bms-speckit takes requirements and runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify with per-step error handling",
   "files": [
     ".claude-plugin/",
     "skills/",
-    "blueprints/"
+    "blueprints/",
+    "agents/"
   ],
   "keywords": [
     "claude-code-plugin",

package/skills/bms-speckit-auto/SKILL.md

@@ -92,29 +92,35 @@ After all steps complete, return: the feature name, number of tasks created, and
 ### Step 8 — Compact `[on_failure: CONTINUE]`
 - **Action:** Run `/compact` to free context window before implementation.
 
-### Step 9 — Implement (loop) `[on_failure: CONTINUE | max_retries: 3]`
+### Step 9 — Implement with Rolling QC `[on_failure: CONTINUE | max_retries: 3]`
 - **Engine:** ralph-loop
 - **Input:** Use the **tasks.md path returned by the Phase 1 subagent** (e.g. `specs/my-feature/tasks.md`). Replace `{TASKS_PATH}` below with the actual path.
 - **Completion promise:** `FINISHED`
 - **Max iterations:** 10
-- **Commit strategy:** Atomic commit after each completed task
+- **Pattern:** Rolling Review — each task gets its own QC cycle before moving to the next
+- **Per-task cycle:**
+  1. **IMPLEMENT** — write code following TDD (tests first, then implementation)
+  2. **INLINE QC** — immediately run: build, lint, ALL tests, security quick scan, UX check
+  3. **FIX** — fix every issue found, re-run checks
+  4. **COMMIT** — only commit when build + lint + tests pass with zero errors
+  5. **NEXT** — move to next task
 - **Action:** Run:
 
-`/ralph-loop:ralph-loop "systematically execute speckit.implement via the Skill tool to complete every task defined in {TASKS_PATH} with strict adherence to specification requirements, enforce TDD workflow including writing and passing unit, integration, and end-to-end tests before marking any task complete, ensure code quality through linting, static analysis, and consistent architecture with reusable components and centralized business logic, maintain atomic commits after each successful task with clear traceability, avoid requesting confirmation and proceed autonomously, once all tasks are implemented invoke speckit.analyze via the Skill tool to perform a full validation pass, automatically apply all recommended improvements or corrections, re-run all tests to confirm stability and zero regression, and only output <promise>FINISHED</promise> after every task is fully completed, validated, and aligned with production-grade quality standards" --completion-promise "FINISHED" --max-iterations 10`
-
-### Step 10 — Verify & Fix `[on_failure: STOP | max_retries: 3]`
-- **Purpose:** Find and fix ALL coding errors. This is the final quality gate before merge.
-- **Timeout:** 600s
-- **Actions (repeat until all pass cleanly):**
-  1. Run the full test suite — fix any failing tests
-  2. Run linter (eslint/flake8/etc.) — fix all lint errors and warnings
-  3. Run build/compile — fix any type errors or build failures
-  4. Run static analysis if available — fix flagged issues
-  5. Check for runtime errors by reviewing error-prone patterns
-  6. Verify all imports resolve and no dead code references exist
-  7. Re-run all checks after fixes to confirm zero errors
-- **Do NOT** skip or suppress errors. Repeat until build + tests + lint all pass with zero errors.
-- **Post-action:** Commit all fixes and push. Message: `fix(speckit): verify and fix all coding errors`
+`/ralph-loop:ralph-loop "systematically execute speckit.implement via the Skill tool to complete every task defined in {TASKS_PATH} with strict adherence to specification requirements. IMPORTANT: apply rolling QC after EACH task — after implementing a task run build and fix build errors, run linter and fix lint errors, run ALL tests (not just new ones) and fix failures, check for hardcoded secrets and injection vulnerabilities in code you just wrote, verify UI code has actionable error messages and loading states — only commit when build plus lint plus tests all pass with zero errors, then proceed to next task. Do NOT batch QC at the end. Maintain atomic commits after each successful task with clear traceability, avoid requesting confirmation and proceed autonomously, once all tasks are implemented invoke speckit.analyze via the Skill tool to perform a full validation pass, automatically apply all recommended improvements or corrections, re-run all tests to confirm stability and zero regression, and only output <promise>FINISHED</promise> after every task is fully completed, validated, and aligned with production-grade quality standards" --completion-promise "FINISHED" --max-iterations 10`
+
+### Step 10 — Final Quality Gate `[on_failure: STOP | max_retries: 3]`
+- **Agent:** Dispatch `bms-speckit:quality-control` agent
+- **Purpose:** Final comprehensive sweep. Since inline QC already caught per-task issues, this focuses on **cross-cutting concerns** that can only be detected across the full codebase.
+- **Timeout:** 900s
+- **Focus areas:**
+  - **A. Security deep scan** — `npm audit` / `pip audit`, auth flow review, CORS, secrets across all files
+  - **B. Dependencies** — outdated packages, vulnerable deps, unused packages
+  - **C. UX consistency** — consistent error handling and feedback patterns across ALL features, empty states, responsive design
+  - **D. Accessibility** — alt text, form labels, keyboard nav, heading hierarchy
+  - **E. Integration check** — verify all components work together end-to-end
+- The agent fixes everything it can. Major dependency updates are flagged for user review.
+- Only proceed to merge when the agent reports all checks pass.
+- **Post-action:** Commit all fixes and push. Message: `fix(speckit): final QC — security, deps, UX consistency, accessibility`
 
 ### Step 11 — Merge to Main `[on_failure: STOP]`
 - **Action:** Switch to main branch, merge the feature branch (fast-forward if possible), push main to remote, then clean up the feature branch.
@@ -128,12 +134,12 @@ After all steps complete, return: the feature name, number of tasks created, and
 Phase 1 (subagent)                          Phase 2 (main context)
 ──────────────────────────────              ──────────────────────────────
 Step 1: brainstorm ──STOP── commit          Step 8:  compact
-        + knowledge search (hosxp)          Step 9:  implement (ralph-loop)
-Step 2: constitution ─STOP─┐                         commit per task
-Step 3: CLAUDE.md sync ───┘ commit          Step 10: verify & fix ── commit
-Step 4: specify ──────STOP── commit         Step 11: merge to main + push
-        + knowledge search (hosxp)
-Step 5: plan ─────────STOP── commit
-Step 6: tasks ────────STOP── commit
-Step 7: analyze ──────────── commit
+        + knowledge search (hosxp)          Step 9:  implement + rolling QC
+Step 2: constitution ─STOP─┐                         ┌─ implement task ─┐
+Step 3: CLAUDE.md sync ───┘ commit                   │  inline QC       │
+Step 4: specify ──────STOP── commit                  │  fix → commit    │
+        + knowledge search (hosxp)                   └─ next task ──────┘
+Step 5: plan ─────────STOP── commit         Step 10: final QC agent ── commit
+Step 6: tasks ────────STOP── commit                  (security/deps/UX/a11y)
+Step 7: analyze ──────────── commit         Step 11: merge to main + push
 ```