ma-agents 3.1.0 → 3.3.0

package/.roo/skills/verify-hardened-docker-skill/scripts/verify-docker-hardening.sh

@@ -0,0 +1,439 @@
+#!/bin/bash
+#
+# verify-docker-hardening.sh
+# Comprehensive Docker security verification script
+# Checks Dockerfile, docker-compose.yml, and running containers
+# against CIS, OWASP, and NIST standards
+#
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+IMAGE_NAME="${1:-contacts-app}"
+CONTAINER_NAME="${2:-contacts-app}"
+EXIT_CODE=0
+
+# Counters
+TOTAL_CHECKS=0
+PASSED_CHECKS=0
+FAILED_CHECKS=0
+WARNING_CHECKS=0
+
+# Helper functions
+print_header() {
+    echo ""
+    echo -e "${BLUE}========================================${NC}"
+    echo -e "${BLUE}$1${NC}"
+    echo -e "${BLUE}========================================${NC}"
+}
+
+print_check() {
+    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
+    echo -ne "  [$TOTAL_CHECKS] $1... "
+}
+
+pass() {
+    PASSED_CHECKS=$((PASSED_CHECKS + 1))
+    echo -e "${GREEN}✅ PASS${NC}"
+}
+
+fail() {
+    FAILED_CHECKS=$((FAILED_CHECKS + 1))
+    EXIT_CODE=2
+    echo -e "${RED}❌ FAIL${NC}"
+    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
+}
+
+warn() {
+    WARNING_CHECKS=$((WARNING_CHECKS + 1))
+    echo -e "${YELLOW}⚠️  WARN${NC}"
+    [ -n "$1" ] && echo -e "      ${YELLOW}→ $1${NC}"
+}
+
+critical() {
+    FAILED_CHECKS=$((FAILED_CHECKS + 1))
+    EXIT_CODE=1
+    echo -e "${RED}🚨 CRITICAL${NC}"
+    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
+}
+
+# Start verification
+echo -e "${BLUE}🔍 Docker Security Verification${NC}"
+echo -e "${BLUE}================================${NC}"
+echo "Image: $IMAGE_NAME"
+echo "Container: $CONTAINER_NAME"
+
+# ============================================================================
+# 1. Dockerfile Verification
+# ============================================================================
+print_header "1. Dockerfile Security"
+
+if [ ! -f "Dockerfile" ]; then
+    print_check "Dockerfile exists"
+    critical "Dockerfile not found in current directory"
+    EXIT_CODE=5
+    exit $EXIT_CODE
+fi
+
+# Check for specific version tags
+print_check "Specific version tags (no :latest)"
+if grep -qE "^FROM.*:(latest|alpine)$" Dockerfile; then
+    fail "Using :latest or unversioned :alpine tag"
+else
+    pass
+fi
+
+# Check for non-root user
+print_check "Non-root user configured"
+if grep -qE "^USER (root|[0-9]+)" Dockerfile; then
+    if grep -qE "^USER root" Dockerfile; then
+        fail "Running as root user"
+    else
+        pass
+    fi
+elif grep -qE "^USER [a-zA-Z]" Dockerfile; then
+    pass
+else
+    fail "No USER directive found"
+fi
+
+# Check for HEALTHCHECK
+print_check "HEALTHCHECK instruction"
+if grep -q "^HEALTHCHECK" Dockerfile; then
+    pass
+else
+    warn "Missing HEALTHCHECK instruction"
+fi
+
+# Check for hardcoded secrets
+print_check "No hardcoded secrets in ENV/ARG"
+if grep -iE "^(ENV|ARG).*(SECRET|PASSWORD|KEY|TOKEN|CLIENT_ID)=" Dockerfile | grep -v "REACT_APP_API_BASE_URL" > /dev/null; then
+    fail "Potential hardcoded secrets found"
+else
+    pass
+fi
+
+# Check for multi-stage build
+print_check "Multi-stage build pattern"
+if [ $(grep -c "^FROM" Dockerfile) -ge 2 ]; then
+    pass
+else
+    warn "Not using multi-stage build"
+fi
+
+# Check for Alpine base images
+print_check "Minimal Alpine base images"
+if grep -qE "^FROM.*alpine" Dockerfile; then
+    pass
+else
+    warn "Not using Alpine base images"
+fi
+
+# ============================================================================
+# 2. docker-compose.yml Verification
+# ============================================================================
+print_header "2. docker-compose.yml Security"
+
+if [ ! -f "docker-compose.yml" ]; then
+    print_check "docker-compose.yml exists"
+    warn "docker-compose.yml not found (optional)"
+else
+    # Check for read-only filesystem
+    print_check "Read-only root filesystem"
+    if grep -q "read_only: true" docker-compose.yml; then
+        pass
+    else
+        fail "Missing read_only: true"
+    fi
+
+    # Check for no-new-privileges
+    print_check "No new privileges"
+    if grep -q "no-new-privileges:true" docker-compose.yml; then
+        pass
+    else
+        fail "Missing security_opt: no-new-privileges:true"
+    fi
+
+    # Check for capability dropping
+    print_check "Capabilities dropped"
+    if grep -q "cap_drop:" docker-compose.yml; then
+        pass
+    else
+        fail "Missing cap_drop configuration"
+    fi
+
+    # Check for tmpfs mounts
+    print_check "Tmpfs mounts for writable dirs"
+    if grep -q "tmpfs:" docker-compose.yml; then
+        pass
+    else
+        fail "Missing tmpfs mounts"
+    fi
+
+    # Check for resource limits
+    print_check "Memory limits configured"
+    if grep -q "memory:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing memory limits"
+    fi
+
+    print_check "CPU limits configured"
+    if grep -q "cpus:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing CPU limits"
+    fi
+
+    # Check for health check
+    print_check "Healthcheck configured"
+    if grep -q "healthcheck:" docker-compose.yml; then
+        pass
+    else
+        warn "Missing healthcheck configuration"
+    fi
+
+    # Check for privileged mode
+    print_check "Not running in privileged mode"
+    if grep -q "privileged: true" docker-compose.yml; then
+        critical "Running in privileged mode"
+    else
+        pass
+    fi
+fi
+
+# ============================================================================
+# 3. .dockerignore Verification
+# ============================================================================
+print_header "3. .dockerignore Configuration"
+
+if [ ! -f ".dockerignore" ]; then
+    print_check ".dockerignore exists"
+    warn ".dockerignore not found"
+else
+    print_check ".env excluded from Docker context"
+    if grep -qE "^\.env$" .dockerignore; then
+        pass
+    else
+        critical ".env not in .dockerignore - secret leakage risk!"
+    fi
+
+    print_check "node_modules excluded"
+    if grep -q "node_modules" .dockerignore; then
+        pass
+    else
+        warn "node_modules not excluded"
+    fi
+
+    print_check ".git excluded"
+    if grep -qE "^\.git" .dockerignore; then
+        pass
+    else
+        warn ".git not excluded"
+    fi
+fi
+
+# ============================================================================
+# 4. Image Security Scanning
+# ============================================================================
+print_header "4. Image Vulnerability Scanning"
+
+# Check if image exists
+if ! docker images --format "{{.Repository}}" | grep -q "^${IMAGE_NAME}$"; then
+    print_check "Docker image exists"
+    warn "Image '$IMAGE_NAME' not found locally. Skipping image scans."
+    echo "      Run 'docker build -t $IMAGE_NAME .' to build the image."
+else
+    # Check if trivy is installed
+    if ! command -v trivy &> /dev/null; then
+        print_check "Trivy scanner installed"
+        warn "Trivy not installed. Skipping vulnerability scans."
+        echo "      Install: brew install aquasecurity/trivy/trivy (macOS)"
+        echo "             : apt-get install trivy (Linux)"
+    else
+        # Scan for CRITICAL vulnerabilities
+        print_check "No CRITICAL vulnerabilities"
+        if trivy image --quiet --severity CRITICAL --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            critical "CRITICAL vulnerabilities found. Run: trivy image --severity CRITICAL $IMAGE_NAME"
+        fi
+
+        # Scan for HIGH vulnerabilities
+        print_check "No HIGH vulnerabilities"
+        if trivy image --quiet --severity HIGH --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            fail "HIGH vulnerabilities found. Run: trivy image --severity HIGH $IMAGE_NAME"
+        fi
+
+        # Scan for leaked secrets
+        print_check "No leaked secrets in image"
+        if trivy image --quiet --scanners secret --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
+            pass
+        else
+            critical "Secrets detected in image! Run: trivy image --scanners secret $IMAGE_NAME"
+        fi
+    fi
+
+    # Check image size
+    print_check "Optimized image size (< 100MB)"
+    IMAGE_SIZE=$(docker images --format "{{.Size}}" "$IMAGE_NAME" | head -1 | sed 's/MB//' | sed 's/GB/*1024/' | bc 2>/dev/null || echo "0")
+    if [ -n "$IMAGE_SIZE" ] && [ "$IMAGE_SIZE" != "0" ]; then
+        if (( $(echo "$IMAGE_SIZE < 100" | bc -l) )); then
+            pass
+        else
+            warn "Image size is ${IMAGE_SIZE}MB (recommended < 100MB)"
+        fi
+    else
+        warn "Could not determine image size"
+    fi
+
+    # Check for .env in image
+    print_check ".env file not baked into image"
+    if docker run --rm "$IMAGE_NAME" sh -c "ls -la / 2>/dev/null | grep -q .env"; then
+        critical ".env file found in image! Secrets leaked!"
+    else
+        pass
+    fi
+fi
+
+# ============================================================================
+# 5. Runtime Security (if container is running)
+# ============================================================================
+print_header "5. Runtime Security Verification"
+
+if ! docker ps --filter "name=$CONTAINER_NAME" --format "{{.Names}}" | grep -q "^$CONTAINER_NAME$"; then
+    echo -e "${YELLOW}  Container '$CONTAINER_NAME' is not running.${NC}"
+    echo -e "${YELLOW}  Run 'docker-compose up -d' to enable runtime checks.${NC}"
+else
+    # Check container runs as non-root
+    print_check "Container runs as non-root"
+    CONTAINER_USER=$(docker exec "$CONTAINER_NAME" whoami 2>/dev/null || echo "root")
+    if [ "$CONTAINER_USER" != "root" ]; then
+        pass
+    else
+        critical "Container running as root user!"
+    fi
+
+    # Check user ID is not 0
+    print_check "User ID is not 0 (root)"
+    USER_ID=$(docker exec "$CONTAINER_NAME" id -u 2>/dev/null || echo "0")
+    if [ "$USER_ID" != "0" ]; then
+        pass
+    else
+        critical "Container running with UID 0 (root)!"
+    fi
+
+    # Check read-only filesystem
+    print_check "Root filesystem is read-only"
+    if docker exec "$CONTAINER_NAME" sh -c "touch /test 2>/dev/null"; then
+        fail "Root filesystem is writable"
+        docker exec "$CONTAINER_NAME" sh -c "rm /test 2>/dev/null" || true
+    else
+        pass
+    fi
+
+    # Check tmpfs is writable
+    print_check "Tmpfs mount is writable"
+    if docker exec "$CONTAINER_NAME" sh -c "touch /tmp/test 2>/dev/null && rm /tmp/test 2>/dev/null"; then
+        pass
+    else
+        warn "Tmpfs mount /tmp is not writable"
+    fi
+
+    # Check health status
+    print_check "Container is healthy"
+    HEALTH_STATUS=$(docker inspect --format='{{.State.Health.Status}}' "$CONTAINER_NAME" 2>/dev/null || echo "none")
+    if [ "$HEALTH_STATUS" = "healthy" ]; then
+        pass
+    elif [ "$HEALTH_STATUS" = "none" ]; then
+        warn "No health check configured"
+    else
+        fail "Container health status: $HEALTH_STATUS"
+    fi
+
+    # Check capabilities
+    print_check "Capabilities dropped"
+    CAPS_DROPPED=$(docker inspect --format='{{.HostConfig.CapDrop}}' "$CONTAINER_NAME" 2>/dev/null || echo "[]")
+    if echo "$CAPS_DROPPED" | grep -q "ALL"; then
+        pass
+    else
+        warn "Not all capabilities dropped"
+    fi
+
+    # Check memory limit
+    print_check "Memory limit enforced"
+    MEMORY_LIMIT=$(docker inspect --format='{{.HostConfig.Memory}}' "$CONTAINER_NAME" 2>/dev/null || echo "0")
+    if [ "$MEMORY_LIMIT" != "0" ]; then
+        pass
+    else
+        warn "No memory limit set"
+    fi
+fi
+
+# ============================================================================
+# 6. Git Secret Protection
+# ============================================================================
+print_header "6. Git Secret Protection"
+
+if [ -d ".git" ]; then
+    # Check .env in .gitignore
+    print_check ".env in .gitignore"
+    if [ -f ".gitignore" ] && grep -qE "^\.env$" .gitignore; then
+        pass
+    else
+        critical ".env not in .gitignore! Secrets may be committed!"
+    fi
+
+    # Check .env.example exists
+    print_check ".env.example exists (template)"
+    if [ -f ".env.example" ]; then
+        pass
+    else
+        warn ".env.example not found"
+    fi
+
+    # Check if .env is committed
+    print_check ".env not committed to git"
+    if git ls-files --error-unmatch .env > /dev/null 2>&1; then
+        critical ".env is tracked by git! Remove immediately!"
+    else
+        pass
+    fi
+else
+    echo -e "${YELLOW}  Not a git repository. Skipping git checks.${NC}"
+fi
+
+# ============================================================================
+# Summary
+# ============================================================================
+print_header "Verification Summary"
+
+echo ""
+echo "  Total checks:    $TOTAL_CHECKS"
+echo -e "  ${GREEN}Passed:          $PASSED_CHECKS${NC}"
+echo -e "  ${YELLOW}Warnings:        $WARNING_CHECKS${NC}"
+echo -e "  ${RED}Failed:          $FAILED_CHECKS${NC}"
+echo ""
+
+if [ $FAILED_CHECKS -eq 0 ]; then
+    echo -e "${GREEN}✅ All critical security checks passed!${NC}"
+    if [ $WARNING_CHECKS -gt 0 ]; then
+        echo -e "${YELLOW}⚠️  $WARNING_CHECKS warning(s) - consider addressing these.${NC}"
+    fi
+else
+    echo -e "${RED}❌ $FAILED_CHECKS security check(s) failed!${NC}"
+    echo -e "${RED}   Please fix the issues above before deploying.${NC}"
+fi
+
+echo ""
+
+exit $EXIT_CODE

package/README.md

@@ -1,6 +1,6 @@
 # ma-agents
 
-A universal NPX tool to install AI coding agent skills. Write skills once, install them across Claude Code, Gemini, Copilot, Cline, Cursor, and Kilocode.
+A universal NPX tool to install AI coding agent skills. Write skills once, install them across Claude Code, Gemini, Copilot, Cline, Cursor, Kilocode, and Roo Code.
 
 ## Installation & Usage
 
@@ -60,7 +60,11 @@ The `_bmad-output/` folder is **intentionally tracked in version control** as pr
 `_bmad-output/` holds all AI-generated planning artifacts produced by BMAD agents:
 
 - **`planning-artifacts/`** — PRDs, architecture documents, UX designs
-- **`implementation-artifacts/`** — Epics, user stories, sprint status
+- **`implementation-artifacts/`** — Epics, user stories, sprint status, backlog
+  - **`sprints/`** — Sprint entity YAML files (`sprint-{id}.yaml`)
+  - **`done/`** — Archived completed stories and bugs
+  - **`backlog.yaml`** — Flat prioritized backlog (generated)
+  - **`sprint-status.yaml`** — Sprint status (derived, auto-regenerated)
 - **`methodology/`** — BMAD-METHOD training materials and onboarding presentation
 
 ### Why it is version-controlled
@@ -111,13 +115,14 @@ The file is version-controlled as part of `_bmad-output/` project knowledge. Com
 | Cursor | `.cursor/skills/` | `generic` | `.cursor/cursor.md` |
 | Kilocode | `.kilocode/skills/` | `generic` | `.kilocode/kilocode.md` |
 | Cline | `.cline/skills/` | `cline` | `.cline/clinerules.md` |
+| Roo Code | `.roo/skills/` | `generic` | `.roo/rules/00-ma-agents.md` |
 | SRE Agent (Alex) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/sre.md` |
 | DevOps Agent (Amit) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/devops.md` |
 | Cyber Analyst (Yael) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/cyber.md` |
 | Joseph (MIL-STD-498) | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/mil498.md` |
 | Antigravity | `_bmad/skills/` | `generic` | `_bmad/bmm/agents/antigravity.md` |
 
-## Available Skills (28)
+## Available Skills (34)
 
 | Skill ID | Domain | Description |
 | :--- | :--- | :--- |
@@ -154,6 +159,13 @@ The file is version-controlled as part of `_bmad-output/` project knowledge. Com
 | `self-signed-cert` | Security | Automated Root CA and self-signed certificate generation |
 | `docker-image-signing` | Security | Automated cryptographic signing for Docker images |
 | `docker-hardening-verification` | Security | Audits images for least-privilege and OpenShift compatibility |
+| **Sprint Management** | | |
+| `add-sprint` | Agile | Create sprint entities with capacity, ISO dates, and structured YAML schema |
+| `generate-backlog` | Agile | Generate or refresh a flat prioritized backlog from epics and bug stories |
+| `add-to-sprint` | Agile | Assign backlog items to a sprint with capacity enforcement |
+| `remove-from-sprint` | Agile | Remove items from a sprint and return to unassigned backlog |
+| `cleanup-done` | Agile | Archive done items to `done/` and remove from sprint/backlog tracking |
+| `prioritize-backlog` | Agile | Reprioritize backlog using severity, value, dependencies, and type |
 
 ## Automated Skill Discovery
 
@@ -242,6 +254,36 @@ The integration includes a suite of specialized playbooks:
 - **Security & Trust**: Vault secrets, certificate generation, and vulnerability scanning.
 - **Diagnostics**: Advanced health checks across K8s, Docker, and Podman.
 
+#### Sprint Management (v3.1+)
+
+`ma-agents` includes a complete sprint management system built on first-class YAML entities:
+
+**Data Model:**
+- **Sprint entities** at `sprints/sprint-{id}.yaml` — capacity, dates, assigned items, status lifecycle (`planning` -> `active` -> `closed`)
+- **Flat backlog** at `backlog.yaml` — prioritized list of stories and bugs, independent of epic grouping
+- **Bug lifecycle** — bugs are first-class backlog items with severity, type classification, and the same lifecycle as stories
+- **Derived sprint-status.yaml** — auto-regenerated from backlog + sprint files (no manual maintenance)
+
+**Workflows:**
+
+| Command | Description |
+|---------|-------------|
+| `/add-sprint` | Create a sprint with capacity limits and optional ISO dates |
+| `/generate-backlog` | Build or refresh the flat backlog from epics and bug files |
+| `/add-to-sprint` | Assign backlog items to a sprint (dual-write: backlog + sprint file) |
+| `/remove-from-sprint` | Return items from sprint to backlog (status preserved) |
+| `/cleanup-done` | Archive completed items to `done/`, auto-close empty sprints |
+| `/prioritize-backlog` | Reorder backlog — full, quick-adjust, or AI-suggested modes |
+| `/sprint-status-view` | View sprint capacity, items, backlog, and regenerate sprint-status.yaml |
+| `/create-bug-story` | Create a structured bug with severity, type, and automatic backlog entry |
+
+**Key Design Principles:**
+- **Dual-write consistency**: assigning/removing items updates both `backlog.yaml` and the sprint file atomically
+- **Single-active sprint**: only one sprint can be `active` at a time
+- **Done item archival**: completed work moves to `done/` subfolder, freeing sprint capacity
+- **Priority is independent of epics**: stories from different epics interleave by priority, not epic order
+- **Concurrency guards**: sprint files use `last_modified` timestamps to detect external modifications
+
 ### Install Options (Direct)
 ```bash
 # Default: installs to project-level paths (current directory)
@@ -436,6 +478,11 @@ ma-agents/
 │   ├── bmad.js                 # BMAD-METHOD integration and injection logic
 │   ├── bmad-cache/             # Pre-bundled BMAD external modules (bmb, cis, gds, tea)
 │   ├── bmad-customizations/    # BMAD persona templates (.md) and YAML configs
+│   ├── bmad-extension/         # Extension module: sprint management, bug tracking, agent skills
+│   │   ├── skills/             # SKILL.md packages (add-sprint, generate-backlog, etc.)
+│   │   ├── workflows/          # Legacy workflow copies (redirects to SKILL.md)
+│   │   ├── module.yaml         # Extension module definition
+│   │   └── module-help.csv     # Skill registry with descriptions and output paths
 │   ├── bmad-workflows/         # Specialized BMAD playbooks (SRE, Cyber, etc.)
 │   └── mil498-templates/       # MIL-STD-498 DID library (SRS, SSS, SSDD, etc.)
 ├── scripts/

package/lib/agents.js

@@ -135,6 +135,29 @@ const agents = [
     instructionFiles: ['.cline/clinerules.md', '.clinerules'],
     injectionStrategy: { position: 'top', skipPatterns: ['---'] }
   },
+  {
+    id: 'roo-code',
+    name: 'Roo Code',
+    version: '1.0.0',
+    category: 'ide',
+    description: 'Roo Code AI Assistant (Enhanced Cline fork)',
+    skillsDir: '.roo/skills',
+    getProjectPath: () => path.join(process.cwd(), '.roo', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: ['.roo/rules/00-ma-agents.md'],
+    injectionStrategy: { position: 'top', skipPatterns: ['---'] }
+  },
   {
     id: 'cursor',
     name: 'Cursor',

package/lib/bmad-extension/module-help.csv

@@ -29,9 +29,13 @@ ma-skills,4-implementation,Vault Secrets,cyber-vault-secrets,,skill:cyber-vault-
 ma-skills,4-implementation,Verify Docker Users,cyber-verify-docker-users,,skill:cyber-verify-docker-users,bmad-cyber-verify-docker-users,false,bmm-cyber,,"Verify Docker image user configurations and hardening compliance.",output_folder,"verification report",
 ma-skills,4-implementation,Verify Image Signature,cyber-verify-image-signature,,skill:cyber-verify-image-signature,bmad-cyber-verify-image-signature,false,bmm-cyber,,"Verify Docker image signatures for supply chain integrity.",output_folder,"verification report",
 ma-skills,4-implementation,Vulnerability Scan,cyber-vulnerability-scan,,skill:cyber-vulnerability-scan,bmad-cyber-vulnerability-scan,false,bmm-cyber,,"Orchestrate vulnerability scanning across project components.",output_folder,"scan report",
-ma-skills,4-implementation,Create Bug Story,create-bug-story,,skill:create-bug-story,create-bug-story,false,bmm-dev,,"Create a structured bug story from a detected defect and add to backlog.",_bmad-output/implementation-artifacts,"bug story",
-ma-skills,4-implementation,Add Sprint,add-sprint,,skill:add-sprint,add-sprint,false,bmm-sm,,"Create a new sprint with capacity limits and optional start/end context.",_bmad-output/implementation-artifacts,"sprint plan",
+ma-skills,4-implementation,Create Bug Story,create-bug-story,,skill:create-bug-story,create-bug-story,false,bmm-dev,,"Create a structured bug story with severity and type classification, add to backlog.yaml.",_bmad-output/implementation-artifacts,"bug story",
+ma-skills,4-implementation,Add Sprint,add-sprint,,skill:add-sprint,add-sprint,false,bmm-sm,,"Create a new sprint entity with capacity limits and optional ISO dates (YAML schema).",_bmad-output/implementation-artifacts/sprints,"sprint entity",
 ma-skills,4-implementation,Modify Sprint,modify-sprint,,skill:modify-sprint,modify-sprint,false,bmm-sm,,"Modify existing sprint — add/remove items, change capacity, update metadata.",_bmad-output/implementation-artifacts,"sprint plan",
-ma-skills,4-implementation,Add to Sprint,add-to-sprint,,skill:add-to-sprint,add-to-sprint,false,bmm-sm,,"Assign backlog items (stories + bugs) to a sprint using multi-criteria prioritization.",_bmad-output/implementation-artifacts,"sprint plan",
+ma-skills,4-implementation,Add to Sprint,add-to-sprint,,skill:add-to-sprint,add-to-sprint,false,bmm-sm,,"Assign backlog items to a sprint from flat prioritized backlog.",_bmad-output/implementation-artifacts,"sprint plan",
 ma-skills,4-implementation,Project Context Expansion,project-context-expansion,,skill:project-context-expansion,project-context-expansion,false,bmm-sm,,"Post-retrospective companion to update project-context.md with new rules.",_bmad-output,"project context",
-ma-skills,4-implementation,Sprint Status View,sprint-status-view,,skill:sprint-status-view,sprint-status-view,false,bmm-sm,,"View sprint progress with assigned items and remaining capacity.",_bmad-output/implementation-artifacts,"status display",
+ma-skills,4-implementation,Sprint Status View,sprint-status-view,,skill:sprint-status-view,sprint-status-view,false,bmm-sm,,"View sprint status with capacity, items, and backlog. Regenerates sprint-status.yaml.",_bmad-output/implementation-artifacts,"status display",
+ma-skills,4-implementation,Generate Backlog,generate-backlog,,skill:generate-backlog,generate-backlog,false,bmm-sm,,"Generate or refresh flat backlog from epics and bug stories.",_bmad-output/implementation-artifacts,"backlog",
+ma-skills,4-implementation,Remove from Sprint,remove-from-sprint,,skill:remove-from-sprint,remove-from-sprint,false,bmm-sm,,"Remove items from a sprint and return to unassigned backlog.",_bmad-output/implementation-artifacts,"sprint plan",
+ma-skills,4-implementation,Cleanup Done,cleanup-done,,skill:cleanup-done,cleanup-done,false,bmm-sm,,"Archive done items — move files to done/ and remove from sprint/backlog.",_bmad-output/implementation-artifacts,"archived items",
+ma-skills,4-implementation,Prioritize Backlog,prioritize-backlog,,skill:prioritize-backlog,prioritize-backlog,false,bmm-sm,,"Reprioritize backlog using multiple criteria — severity, value, dependencies.",_bmad-output/implementation-artifacts,"backlog",