bms-speckit-plugin 5.0.0 → 5.1.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "bms-speckit",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Chain-orchestrated development pipeline with quality control agent. /bms-speckit runs brainstorm → constitution → specify → plan → tasks → analyze → implement → QC (UX/security/deps/code) → merge.",
   "author": {
     "name": "manoirx"

package/blueprints/bms-speckit-pipeline.yaml

@@ -209,11 +209,14 @@ chain_sequence:
       on_failure: continue
       max_retries: 0
 
-  - step_id: step_9_implement
+  - step_id: step_9_implement_with_rolling_qc
     skill_id: speckit.implement
     action: execute_loop
     phase: 2
-    description: Execute all tasks with TDD workflow via ralph-loop
+    description: >
+      Execute tasks with rolling QC — each task goes through implement → inline
+      QC (build/lint/test/security) → fix → commit cycle before moving to the
+      next task. Catches bugs at the source, not at the end.
     timeout_seconds: 3600
     input:
       tasks_path: "{{step_6_tasks.artifacts}}"
@@ -231,27 +234,41 @@ chain_sequence:
       max_retries: 3
     opinionated_prompts:
       system_context: >
-        Systematically execute speckit.implement to complete every task.
-        Enforce TDD: write and pass tests before marking any task complete.
-        Ensure code quality through linting, static analysis, and consistent
-        architecture with reusable components and centralized business logic.
-        Maintain atomic commits after each successful task.
-        After all tasks: invoke speckit.analyze for full validation,
-        apply improvements, re-run all tests, confirm zero regression.
-        Only output FINISHED after everything is validated.
+        For EACH task, execute this rolling QC cycle:
+
+        1. IMPLEMENT — write code following TDD (tests first, then implementation)
+        2. INLINE QC — immediately after implementation, run:
+           a. Build/compile — fix any type or build errors
+           b. Lint — fix all lint errors and warnings
+           c. Test suite — run ALL tests (not just new ones), fix any failures
+           d. Security quick scan — check for hardcoded secrets, SQL injection,
+              XSS, unvalidated input in the code you just wrote
+           e. UX check — if UI code was changed, verify error messages are
+              actionable, loading states exist, and user feedback is present
+        3. FIX — fix every issue found in step 2, then re-run checks
+        4. COMMIT — only commit when build + lint + tests all pass with zero errors
+        5. NEXT TASK — proceed to the next task
+
+        Do NOT batch QC at the end. Each task must pass its own QC cycle
+        before moving on. This is the rolling review pattern.
+
+        After ALL tasks complete: invoke speckit.analyze for a full cross-task
+        validation pass. Apply improvements, re-run all tests, confirm zero
+        regression. Only output FINISHED after everything is validated.
 
-  - step_id: step_10_quality_control
+  - step_id: step_10_final_quality_gate
     agent_id: bms-speckit:quality-control
     action: dispatch_agent
     phase: 2
     description: >
-      Dispatch the quality-control agent to perform a 5-dimension audit:
-      code errors, security, dependency health, UX/UI, and accessibility.
-      The agent fixes all issues it can and reports the rest.
+      Final comprehensive QC sweep by the quality-control agent. Since inline
+      QC already caught per-task issues, this focuses on cross-cutting concerns:
+      dependency health, deep security audit, overall UX consistency, and
+      accessibility compliance.
     timeout_seconds: 900
     post_action:
       commit: true
-      message: "fix(speckit): quality control — fix code errors, security, UX, deps"
+      message: "fix(speckit): final QC — security, deps, UX consistency, accessibility"
       push: true
     error_handling:
       on_failure: stop
@@ -259,14 +276,16 @@ chain_sequence:
     opinionated_prompts:
       system_context: >
         Dispatch the quality-control agent (bms-speckit:quality-control).
-        The agent runs 5 audit phases:
-        A. Code Errors — build, lint, test (must all pass)
-        B. Security — secrets, injection, auth, npm/pip audit
-        C. Dependencies — outdated, vulnerable, unused packages
-        D. UX/UI — user feedback, error messages, loading states
-        E. Accessibility — alt text, labels, keyboard nav
-        The agent fixes everything it can autonomously.
-        Only proceed to merge when the agent reports all checks pass.
+        Inline QC already caught per-task build/lint/test issues during
+        implementation. This final sweep focuses on cross-cutting concerns:
+        A. Security deep scan — npm/pip audit, auth flow review, CORS, secrets
+        B. Dependencies — outdated packages, vulnerable deps, unused packages
+        C. UX consistency — consistent error handling, feedback patterns across
+           all features, empty states, responsive design
+        D. Accessibility — alt text, form labels, keyboard nav, heading hierarchy
+        E. Integration check — verify all components work together end-to-end
+        Fix everything possible. Flag major dependency updates for user review.
+        Only proceed to merge when all checks pass.
 
   - step_id: step_11_merge
     skill_id: internal.git_merge_to_main

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bms-speckit-plugin",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Chain-orchestrated development pipeline: /bms-speckit takes requirements and runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify with per-step error handling",
   "files": [
     ".claude-plugin/",

package/skills/bms-speckit-auto/SKILL.md

@@ -92,29 +92,35 @@ After all steps complete, return: the feature name, number of tasks created, and
 ### Step 8 — Compact `[on_failure: CONTINUE]`
 - **Action:** Run `/compact` to free context window before implementation.
 
-### Step 9 — Implement (loop) `[on_failure: CONTINUE | max_retries: 3]`
+### Step 9 — Implement with Rolling QC `[on_failure: CONTINUE | max_retries: 3]`
 - **Engine:** ralph-loop
 - **Input:** Use the **tasks.md path returned by the Phase 1 subagent** (e.g. `specs/my-feature/tasks.md`). Replace `{TASKS_PATH}` below with the actual path.
 - **Completion promise:** `FINISHED`
 - **Max iterations:** 10
-- **Commit strategy:** Atomic commit after each completed task
+- **Pattern:** Rolling Review — each task gets its own QC cycle before moving to the next
+- **Per-task cycle:**
+  1. **IMPLEMENT** — write code following TDD (tests first, then implementation)
+  2. **INLINE QC** — immediately run: build, lint, ALL tests, security quick scan, UX check
+  3. **FIX** — fix every issue found, re-run checks
+  4. **COMMIT** — only commit when build + lint + tests pass with zero errors
+  5. **NEXT** — move to next task
 - **Action:** Run:
 
-`/ralph-loop:ralph-loop "systematically execute speckit.implement via the Skill tool to complete every task defined in {TASKS_PATH} with strict adherence to specification requirements, enforce TDD workflow including writing and passing unit, integration, and end-to-end tests before marking any task complete, ensure code quality through linting, static analysis, and consistent architecture with reusable components and centralized business logic, maintain atomic commits after each successful task with clear traceability, avoid requesting confirmation and proceed autonomously, once all tasks are implemented invoke speckit.analyze via the Skill tool to perform a full validation pass, automatically apply all recommended improvements or corrections, re-run all tests to confirm stability and zero regression, and only output <promise>FINISHED</promise> after every task is fully completed, validated, and aligned with production-grade quality standards" --completion-promise "FINISHED" --max-iterations 10`
+`/ralph-loop:ralph-loop "systematically execute speckit.implement via the Skill tool to complete every task defined in {TASKS_PATH} with strict adherence to specification requirements. IMPORTANT: apply rolling QC after EACH task — after implementing a task run build and fix build errors, run linter and fix lint errors, run ALL tests (not just new ones) and fix failures, check for hardcoded secrets and injection vulnerabilities in code you just wrote, verify UI code has actionable error messages and loading states — only commit when build plus lint plus tests all pass with zero errors, then proceed to next task. Do NOT batch QC at the end. Maintain atomic commits after each successful task with clear traceability, avoid requesting confirmation and proceed autonomously, once all tasks are implemented invoke speckit.analyze via the Skill tool to perform a full validation pass, automatically apply all recommended improvements or corrections, re-run all tests to confirm stability and zero regression, and only output <promise>FINISHED</promise> after every task is fully completed, validated, and aligned with production-grade quality standards" --completion-promise "FINISHED" --max-iterations 10`
 
-### Step 10 — Quality Control `[on_failure: STOP | max_retries: 3]`
+### Step 10 — Final Quality Gate `[on_failure: STOP | max_retries: 3]`
 - **Agent:** Dispatch `bms-speckit:quality-control` agent
-- **Purpose:** Comprehensive 5-dimension quality audit. The agent fixes all issues autonomously.
+- **Purpose:** Final comprehensive sweep. Since inline QC already caught per-task issues, this focuses on **cross-cutting concerns** that can only be detected across the full codebase.
 - **Timeout:** 900s
-- **Audit dimensions:**
-  - **A. Code Errors** — build, lint, test suite (must all pass with zero errors)
-  - **B. Security** — hardcoded secrets, injection, auth, `npm audit` / `pip audit`
-  - **C. Dependencies** — outdated packages, vulnerable deps, unused packages
-  - **D. UX/UI** — user feedback, error messages, loading states, empty states
-  - **E. Accessibility** — alt text, form labels, keyboard navigation
+- **Focus areas:**
+  - **A. Security deep scan** — `npm audit` / `pip audit`, auth flow review, CORS, secrets across all files
+  - **B. Dependencies** — outdated packages, vulnerable deps, unused packages
+  - **C. UX consistency** — consistent error handling and feedback patterns across ALL features, empty states, responsive design
+  - **D. Accessibility** — alt text, form labels, keyboard nav, heading hierarchy
+  - **E. Integration check** — verify all components work together end-to-end
 - The agent fixes everything it can. Major dependency updates are flagged for user review.
 - Only proceed to merge when the agent reports all checks pass.
-- **Post-action:** Commit all fixes and push. Message: `fix(speckit): quality control — fix code errors, security, UX, deps`
+- **Post-action:** Commit all fixes and push. Message: `fix(speckit): final QC — security, deps, UX consistency, accessibility`
 
 ### Step 11 — Merge to Main `[on_failure: STOP]`
 - **Action:** Switch to main branch, merge the feature branch (fast-forward if possible), push main to remote, then clean up the feature branch.
@@ -128,13 +134,12 @@ After all steps complete, return: the feature name, number of tasks created, and
 Phase 1 (subagent)                          Phase 2 (main context)
 ──────────────────────────────              ──────────────────────────────
 Step 1: brainstorm ──STOP── commit          Step 8:  compact
-        + knowledge search (hosxp)          Step 9:  implement (ralph-loop)
-Step 2: constitution ─STOP─┐                         commit per task
-Step 3: CLAUDE.md sync ───┘ commit          Step 10: QC agent ── commit
-                 (code/security/deps/UX/a11y)
-Step 4: specify ──────STOP── commit         Step 11: merge to main + push
-        + knowledge search (hosxp)
-Step 5: plan ─────────STOP── commit
-Step 6: tasks ────────STOP── commit
-Step 7: analyze ──────────── commit
+        + knowledge search (hosxp)          Step 9:  implement + rolling QC
+Step 2: constitution ─STOP─┐                         ┌─ implement task ─┐
+Step 3: CLAUDE.md sync ───┘ commit                   │  inline QC       │
+Step 4: specify ──────STOP── commit                  │  fix → commit    │
+        + knowledge search (hosxp)                   └─ next task ──────┘
+Step 5: plan ─────────STOP── commit         Step 10: final QC agent ── commit
+Step 6: tasks ────────STOP── commit                  (security/deps/UX/a11y)
+Step 7: analyze ──────────── commit         Step 11: merge to main + push
 ```