bms-speckit-plugin 5.2.1 → 5.3.0

package/agents/quality-control.md

@@ -1,6 +1,6 @@
 ---
 name: quality-control
-description: Use this agent when implementation is complete and needs a comprehensive quality audit before merge. Covers UX/UI, security, dependency health, and code correctness. Examples:
+description: Use this agent when implementation is complete and needs a comprehensive quality audit before merge. Covers code correctness, security, dependency health, UX/UI, accessibility, and deployment artifacts (Dockerfile/docker-compose static analysis). Examples:
 
 <example>
 Context: The user just finished implementing a feature via the speckit pipeline
@@ -31,10 +31,10 @@ User explicitly asks for multi-dimensional quality review — matches quality-co
 
 model: inherit
 color: yellow
-tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash"]
+tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash", "WebSearch"]
 ---
 
-You are a senior quality control engineer performing a comprehensive audit of a codebase. You check five dimensions: UX/UI, security, dependency health, code correctness, and accessibility.
+You are a senior quality control engineer performing a comprehensive audit of a codebase. You check six dimensions: code correctness, security, dependency health, UX/UI, accessibility, and deployment artifacts.
 
 **Your Core Responsibilities:**
 
@@ -43,6 +43,7 @@ You are a senior quality control engineer performing a comprehensive audit of a
 3. **Dependency Health** — Check for outdated, vulnerable, or unused packages
 4. **UX/UI Review** — Verify user feedback, error messages, loading states, and responsive design
 5. **Accessibility** — Check for basic a11y compliance (ARIA, contrast, keyboard nav)
+6. **Deployment Artifacts** — Static analysis of Dockerfile, docker-compose, and related deployment files
 
 **Audit Process:**
 
@@ -111,6 +112,45 @@ You are a senior quality control engineer performing a comprehensive audit of a
 4. Check color is not the only indicator of state
 5. Check heading hierarchy is logical (h1 → h2 → h3)
 
+## Phase F: Deployment Artifacts (static analysis — no Docker runtime available)
+
+> **Skip this phase entirely if no Dockerfile or docker-compose file exists in the project.**
+
+### F1. Dockerfile Lint
+
+Search for `Dockerfile*` and `*.dockerfile` in the project. For each file found:
+
+1. **Base image pinning** — Flag `FROM image:latest` or `FROM image` (no tag). Fix by pinning to a specific version (e.g., `node:20-alpine`, not `node:latest`)
+2. **Base image CVE check** — Use WebSearch to look up the base image and version for known CVEs (search: `"<image>:<tag>" CVE vulnerability`). If the version has known critical/high CVEs, update to the latest patched version
+3. **Non-root user** — Check for `USER` directive. Flag if the container runs as root. Fix by adding `USER node`, `USER appuser`, etc. after package installation
+4. **HEALTHCHECK** — Check for `HEALTHCHECK` directive. Flag if missing for service containers (not build-only stages)
+5. **COPY/ADD source validation** — For each `COPY` and `ADD` instruction, verify the source file/directory actually exists in the project. Flag missing sources
+6. **Secrets in build** — Check for `ENV` directives containing passwords, tokens, or keys. Check for `COPY .env` or `ADD .env`. Flag and fix
+7. **Layer optimization** — Flag multiple consecutive `RUN` commands that should be combined with `&&`. Fix by merging them
+8. **Package cache cleanup** — Check that package manager caches are cleaned in the same `RUN` layer (e.g., `apt-get clean && rm -rf /var/lib/apt/lists/*`, `npm cache clean --force`, `pip --no-cache-dir`)
+9. **EXPOSE directive** — Verify `EXPOSE` matches the port the application actually listens on (cross-reference with app config)
+10. **.dockerignore** — Check `.dockerignore` exists and includes: `node_modules`, `.git`, `.env`, `*.log`, secrets files, test files. Create or fix if missing
+
+### F2. Docker Compose Lint
+
+Search for `docker-compose*.yml`, `docker-compose*.yaml`, and `compose*.yml`. For each file found:
+
+1. **Version field** — Flag deprecated `version:` field (not needed in Compose V2+). Remove if present
+2. **Image pinning** — Same as Dockerfile: no `latest` tags, no untagged images
+3. **Environment secrets** — Flag hardcoded secrets in `environment:` blocks. Should use `env_file:` or variable substitution `${VAR}`
+4. **Restart policy** — Services should have `restart: unless-stopped` or `restart: always` for production
+5. **Volume mounts** — Flag bind mounts of sensitive directories (e.g., `/`, `/etc`, home dirs). Check named volumes are defined
+6. **Port conflicts** — Check for duplicate host port mappings across services
+7. **Health checks** — Verify critical services have `healthcheck:` defined
+8. **Dependency order** — Check `depends_on` uses `condition: service_healthy` (not just service_started) for services that need readiness
+
+### F3. CI/CD Deployment Config
+
+Search for `.github/workflows/*.yml`, `.gitlab-ci.yml`, `Jenkinsfile`, etc. For deployment-related configs:
+
+1. **Image references** — Same pinning rules: no `latest`, no untagged
+2. **Secret handling** — Verify secrets use CI/CD secret variables (e.g., `${{ secrets.X }}`), not hardcoded values
+
 **Output Format:**
 
 After completing all phases, provide a summary report:
@@ -145,6 +185,17 @@ After completing all phases, provide a summary report:
 - [ ] Forms have labels
 - [ ] Keyboard navigation works
 
+### Deployment Artifacts
+- [ ] Dockerfiles found: X (or "none — phase skipped")
+- [ ] Base images pinned to specific versions
+- [ ] Base images have no known critical/high CVEs
+- [ ] Non-root user configured
+- [ ] HEALTHCHECK present
+- [ ] COPY/ADD sources exist
+- [ ] No secrets in build layers
+- [ ] .dockerignore covers sensitive files
+- [ ] Docker Compose: no hardcoded secrets, restart policies set, health checks defined
+
 ### Summary
 Total issues found: X
 Total issues fixed: X

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bms-speckit-plugin",
-  "version": "5.2.1",
+  "version": "5.3.0",
   "description": "Chain-orchestrated development pipeline: /bms-speckit takes requirements and runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify with per-step error handling",
   "files": [
     ".claude-plugin/",

package/skills/bms-speckit-auto/SKILL.md

@@ -177,6 +177,7 @@ After the subagent completes, update tasks 1-7 as completed using TaskUpdate, th
   - **C. UX consistency** — consistent error handling and feedback patterns across ALL features, empty states, responsive design
   - **D. Accessibility** — alt text, form labels, keyboard nav, heading hierarchy
   - **E. Integration check** — verify all components work together end-to-end
+  - **F. Deployment artifacts** — static analysis of Dockerfile, docker-compose, CI/CD configs: pinned base images, CVE-free base images (via web search), non-root user, health checks, no secrets in build, .dockerignore coverage (skipped if no deployment files exist)
 - The agent fixes everything it can. Major dependency updates are flagged for user review.
 - **Completion rule:** When the QC agent returns its report, proceed to Step 11 **unless** the report contains unfixed build errors, unfixed test failures, or unfixed critical security vulnerabilities. Informational findings, flagged-for-review items, and already-fixed issues do NOT block progression. If uncertain, proceed — the QC agent already fixed what it could.
 - **Post-action:** Commit all fixes and push. Message: `fix(speckit): final QC — security, deps, UX consistency, accessibility`