sdd-mcp-server 3.0.2 → 3.1.0

package/rules/git-workflow.md

@@ -0,0 +1,92 @@
+---
+name: git-workflow
+description: Git commit and branching conventions
+priority: 80
+alwaysActive: true
+---
+
+# Git Workflow Rules
+
+## Commit Messages
+
+### Format
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+### Types
+- **feat**: New feature
+- **fix**: Bug fix
+- **docs**: Documentation only changes
+- **style**: Code style changes (formatting, semicolons)
+- **refactor**: Code change that neither fixes a bug nor adds a feature
+- **perf**: Performance improvement
+- **test**: Adding or updating tests
+- **chore**: Build process or auxiliary tool changes
+
+### Subject Line
+- Use imperative mood ("add" not "added")
+- No period at the end
+- Maximum 50 characters
+- Capitalize first letter
+
+### Body
+- Explain "what" and "why", not "how"
+- Wrap at 72 characters
+- Separate from subject with blank line
+
+### Examples
+```
+feat(auth): add JWT token refresh endpoint
+
+Implement automatic token refresh to improve user experience.
+Tokens are refreshed 5 minutes before expiration.
+
+Closes #123
+```
+
+```
+fix(api): handle null response from external service
+
+The external payment API occasionally returns null instead of
+an error object. This caused unhandled exceptions in production.
+
+Fixes #456
+```
+
+## Branching Strategy
+
+### Branch Types
+- **main/master**: Production-ready code
+- **develop**: Integration branch for features
+- **feature/**: New features (`feature/add-user-auth`)
+- **fix/**: Bug fixes (`fix/login-validation`)
+- **refactor/**: Code refactoring (`refactor/better-architecture`)
+
+### Branch Naming
+- Use lowercase with hyphens
+- Include ticket number if applicable
+- Keep names descriptive but concise
+
+## Pull Requests
+
+### Before Creating PR
+- Rebase on latest target branch
+- Run all tests locally
+- Update documentation if needed
+- Self-review your changes
+
+### PR Description
+- Reference related issues
+- Describe what changed and why
+- Include testing instructions
+- Add screenshots for UI changes
+
+### Review Process
+- Address all review comments
+- Don't force-push after review started
+- Squash commits when merging (if team policy)

package/rules/sdd-workflow.md

@@ -0,0 +1,116 @@
+---
+name: sdd-workflow
+description: Spec-Driven Development process rules
+priority: 85
+alwaysActive: true
+---
+
+# SDD Workflow Rules
+
+## Spec-Driven Development Process
+
+### Phase Order
+Follow the SDD phases in strict order:
+
+1. **Initialize** (`sdd-init`)
+   - Define feature name and description
+   - Answer clarification questions
+   - Create spec directory structure
+
+2. **Requirements** (`sdd-requirements`)
+   - Generate EARS-formatted requirements
+   - Define acceptance criteria
+   - Identify constraints and assumptions
+
+3. **Design** (`sdd-design`)
+   - Create technical design specifications
+   - Define component architecture
+   - Document interfaces and data flows
+
+4. **Tasks** (`sdd-tasks`)
+   - Break down into implementable tasks
+   - Apply TDD methodology
+   - Estimate complexity
+
+5. **Implement** (`sdd-implement`)
+   - Follow TDD (Red-Green-Refactor)
+   - Reference steering documents
+   - Update spec status
+
+## EARS Requirements Format
+
+Use Easy Approach to Requirements Syntax:
+
+| Pattern | Template | Use Case |
+|---------|----------|----------|
+| Ubiquitous | The `<system>` SHALL `<action>` | Always true |
+| Event-Driven | WHEN `<trigger>` THEN the `<system>` SHALL `<action>` | Response to event |
+| State-Driven | WHILE `<state>` THE `<system>` SHALL `<action>` | During state |
+| Optional | WHERE `<feature>` THE `<system>` SHALL `<action>` | Configurable |
+| Unwanted | IF `<condition>` THEN the `<system>` SHALL `<action>` | Exception |
+
+### Example
+```markdown
+## FR-1: User Authentication
+WHEN a user submits valid credentials
+THEN the system SHALL authenticate the user and return a session token
+
+**Acceptance Criteria:**
+1. Token expires after 24 hours of inactivity
+2. Invalid credentials return 401 error
+3. Rate limiting prevents brute force attempts
+```
+
+## Steering Documents
+
+### Always Reference
+- `.spec/steering/tdd-guideline.md` - TDD methodology
+- `.spec/steering/principles.md` - SOLID, DRY, KISS, YAGNI
+- `.spec/steering/linus-review.md` - Code review standards
+
+### When to Reference
+- Before writing any code, review relevant steering docs
+- During code review, verify compliance
+- When refactoring, ensure principles are maintained
+
+## Approval Gates
+
+### Requirements Approval
+Before proceeding to design:
+- [ ] All requirements use EARS format
+- [ ] Each requirement is testable
+- [ ] Acceptance criteria are specific
+- [ ] Constraints are documented
+
+### Design Approval
+Before proceeding to tasks:
+- [ ] Architecture diagram included
+- [ ] Interfaces defined
+- [ ] Dependencies identified
+- [ ] Security considerations addressed
+
+### Tasks Approval
+Before proceeding to implementation:
+- [ ] Tasks follow TDD structure
+- [ ] Complexity estimated
+- [ ] Dependencies mapped
+- [ ] Steering doc references included
+
+## Spec File Locations
+
+```
+.spec/
+├── steering/          # Project-wide rules
+│   ├── product.md
+│   ├── tech.md
+│   ├── structure.md
+│   ├── tdd-guideline.md
+│   ├── principles.md
+│   └── linus-review.md
+└── specs/             # Feature specifications
+    └── {feature-name}/
+        ├── spec.json
+        ├── requirements.md
+        ├── design.md
+        └── tasks.md
+```

package/rules/security.md

@@ -0,0 +1,89 @@
+---
+name: security
+description: Security best practices aligned with OWASP Top 10
+priority: 99
+alwaysActive: true
+---
+
+# Security Rules
+
+## OWASP Top 10 Alignment
+
+### A01: Broken Access Control
+- Implement proper authentication checks before sensitive operations
+- Use principle of least privilege for permissions
+- Validate user authorization for every request
+- Never expose internal IDs directly to users
+
+### A02: Cryptographic Failures
+- Never store passwords in plain text - use bcrypt or similar
+- Use HTTPS for all external communications
+- Don't hardcode secrets in source code
+- Use secure random number generators for tokens
+
+### A03: Injection
+- Always use parameterized queries for database operations
+- Validate and sanitize all user inputs
+- Escape output data appropriately for context (HTML, SQL, etc.)
+- Never use `eval()` or similar dynamic code execution
+
+### A04: Insecure Design
+- Apply defense in depth - multiple layers of security
+- Implement rate limiting for APIs
+- Design with security in mind from the start
+- Use secure defaults
+
+### A05: Security Misconfiguration
+- Disable unnecessary features and services
+- Keep dependencies updated
+- Remove default credentials
+- Configure proper error handling (no stack traces in production)
+
+### A06: Vulnerable Components
+- Regularly audit and update dependencies
+- Use `npm audit` or similar tools
+- Pin dependency versions in production
+- Monitor security advisories
+
+### A07: Authentication Failures
+- Implement strong password policies
+- Use multi-factor authentication where possible
+- Protect against brute force attacks
+- Secure session management
+
+### A08: Data Integrity Failures
+- Validate data integrity with checksums
+- Use code signing for releases
+- Verify software updates are from trusted sources
+
+### A09: Logging Failures
+- Log security-relevant events
+- Never log sensitive data (passwords, tokens, PII)
+- Ensure logs are tamper-proof
+- Monitor logs for suspicious activity
+
+### A10: Server-Side Request Forgery (SSRF)
+- Validate and sanitize URLs before making requests
+- Use allowlists for external services
+- Don't expose internal services to user-controlled URLs
+
+## Code Security Practices
+
+### Input Validation
+```typescript
+// Always validate user input
+function processUserInput(input: unknown): ValidatedInput {
+  if (typeof input !== 'string') {
+    throw new ValidationError('Input must be a string');
+  }
+  if (input.length > MAX_INPUT_LENGTH) {
+    throw new ValidationError('Input too long');
+  }
+  return sanitize(input);
+}
+```
+
+### Error Handling
+- Never expose internal errors to users
+- Log errors with context for debugging
+- Return generic error messages to clients

package/rules/testing.md

@@ -0,0 +1,85 @@
+---
+name: testing
+description: Testing requirements and best practices
+priority: 95
+alwaysActive: true
+---
+
+# Testing Rules
+
+## Test-Driven Development (TDD)
+
+Follow the Red-Green-Refactor cycle:
+1. **RED**: Write a failing test that defines expected behavior
+2. **GREEN**: Write minimum code to make the test pass
+3. **REFACTOR**: Clean up code while keeping tests green
+
+## Test Organization
+
+### File Structure
+- Test files should mirror source structure
+- Name test files as `{source-file}.test.ts`
+- Group tests in `__tests__` directories or alongside source files
+
+### Test Structure
+```typescript
+describe('ComponentName', () => {
+  describe('methodName', () => {
+    it('should describe expected behavior', () => {
+      // Arrange - Set up test data
+      // Act - Execute the code
+      // Assert - Verify results
+    });
+  });
+});
+```
+
+## Test Quality
+
+### Test Naming
+- Use descriptive names that explain the scenario
+- Pattern: `should {expected behavior} when {condition}`
+- Examples:
+  - `should return empty array when directory is empty`
+  - `should throw error for invalid input`
+
+### Test Independence
+- Each test should be independent and isolated
+- Use `beforeEach` to reset state between tests
+- Never rely on test execution order
+
+### Assertions
+- One logical assertion per test (can have multiple `expect` calls)
+- Test behavior, not implementation
+- Include both positive and negative test cases
+
+## Coverage Requirements
+
+### Minimum Coverage
+- Aim for 80% code coverage for new code
+- Critical paths require 100% coverage
+- Cover edge cases and error conditions
+
+### What to Test
+- Public API methods
+- Edge cases and boundary conditions
+- Error handling paths
+- Integration points
+
+### What Not to Test
+- Third-party library internals
+- Simple getters/setters without logic
+- Framework-generated code
+
+## Mocking
+
+### When to Mock
+- External services and APIs
+- File system operations
+- Network requests
+- Time-dependent code
+
+### Mock Best Practices
+- Mock at the boundary, not internal implementation
+- Verify mock interactions when relevant
+- Reset mocks in `beforeEach`

package/sdd-entry.js

@@ -12,7 +12,7 @@
  *   npx sdd-mcp-server                     # MCP: Start MCP server
  */
 
-const CLI_COMMANDS = ['install', 'install-skills', 'migrate-kiro'];
+const CLI_COMMANDS = ['install', 'install-skills', 'migrate-kiro', 'migrate-steering'];
 const args = process.argv.slice(2);
 const command = args[0];
 

package/skills/sdd-commit/SKILL.md

@@ -271,20 +271,6 @@ git rebase origin/main
 git push origin feature/AUTH-123-jwt-auth
 ```
 
-## Steering Document References
-
-Apply these steering documents for commits and PRs:
-
-| Document | Purpose | Key Application |
-|----------|---------|-----------------|
-| `.spec/steering/commit.md` | Commit message conventions | Follow type prefixes, scope, and format guidelines |
-
-**Key Commit Rules:**
-1. Use type prefixes: `feat`, `fix`, `docs`, `refactor`, `test`, etc.
-2. Keep subject line under 72 characters
-3. Use imperative mood ("add" not "added")
-4. Reference issues in footer
-
 ## Quality Checklist
 
 - [ ] Commit message follows format

package/steering/product.md

@@ -0,0 +1,29 @@
+# Product Overview
+
+## Product Description
+<!-- Describe your product/project in 1-2 sentences -->
+
+**Project**: <!-- project name -->
+**Version**: <!-- current version -->
+**Type**: <!-- Web App, CLI Tool, Library, API, etc. -->
+
+## Core Features
+<!-- List the main features of your product -->
+- Feature 1
+- Feature 2
+- Feature 3
+
+## Target Use Case
+<!-- Describe the primary use case this product solves -->
+
+## Key Value Proposition
+<!-- What makes this product valuable? What problems does it solve? -->
+
+## Target Users
+<!-- Who are the primary users of this product? -->
+
+## Success Metrics
+<!-- How do you measure success for this product? -->
+
+## Technical Advantages
+<!-- What technical benefits does this architecture provide? -->

package/steering/structure.md

@@ -0,0 +1,60 @@
+# Project Structure
+
+## Directory Organization
+```
+├── src/                    # Source code
+│   ├── components/        # UI components (if applicable)
+│   ├── services/          # Business logic services
+│   ├── models/            # Data models
+│   ├── utils/             # Utility functions
+│   └── index.ts           # Entry point
+├── tests/                  # Test files
+│   ├── unit/              # Unit tests
+│   └── integration/       # Integration tests
+├── dist/                   # Build output
+├── docs/                   # Documentation
+├── .spec/                  # SDD workflow files
+│   ├── steering/          # Project steering documents
+│   └── specs/             # Feature specifications
+├── package.json            # Project configuration
+├── tsconfig.json           # TypeScript configuration (if applicable)
+└── README.md               # Project documentation
+```
+
+## Key Directories
+- **src/**: Main source code directory
+- **tests/**: Test files organized by type
+- **dist/**: Compiled/built output for production
+- **docs/**: Project documentation
+
+## Code Organization Patterns
+<!-- Describe how code is organized -->
+- Pattern 1
+- Pattern 2
+
+## File Naming Conventions
+<!-- Define naming conventions for different file types -->
+- **Source files**: <!-- e.g., kebab-case.ts -->
+- **Test files**: <!-- e.g., *.test.ts or *.spec.ts -->
+- **Configuration**: <!-- e.g., .json or .config.js -->
+- **Constants**: UPPER_SNAKE_CASE
+- **Functions/Variables**: camelCase
+- **Classes/Types**: PascalCase
+
+## Module Organization
+<!-- Describe how modules are organized -->
+
+## Architectural Principles
+- **Separation of Concerns**: Each module handles a specific responsibility
+- **Type Safety**: Use strong typing where applicable
+- **Dependency Inversion**: Depend on abstractions, not concrete implementations
+
+## Testing Structure
+- **Unit tests**: Test individual functions/components in isolation
+- **Integration tests**: Test interactions between modules
+- **E2E tests**: Test complete user workflows
+
+## Build Output
+- **Command**: <!-- e.g., npm run build -->
+- **Output directory**: <!-- e.g., dist/ -->
+- **Artifacts**: <!-- What gets generated -->

package/steering/tech.md

@@ -0,0 +1,52 @@
+# Technology Stack
+
+## Architecture
+**Type**: <!-- MVC, DDD, Clean Architecture, Microservices, etc. -->
+**Language**: <!-- Primary language -->
+**Module System**: <!-- CommonJS, ES Module, etc. -->
+**Framework**: <!-- Main framework if any -->
+**Build Tool**: <!-- Webpack, Vite, TypeScript Compiler, etc. -->
+
+## Core Technologies
+<!-- List main technologies used -->
+- **Runtime**: <!-- Node.js, Python, Go, etc. -->
+- **Language**: <!-- TypeScript, JavaScript, Python, etc. -->
+- **Framework**: <!-- Express, FastAPI, Spring Boot, etc. -->
+- **Testing**: <!-- Jest, pytest, JUnit, etc. -->
+
+## Development Environment
+- **Runtime Version**: <!-- e.g., Node.js >=18.0.0 -->
+- **Package Manager**: <!-- npm, yarn, pip, etc. -->
+- **Testing Framework**: <!-- Jest, pytest, etc. -->
+
+## Dependencies
+### Production Dependencies
+<!-- List key production dependencies -->
+
+### Development Dependencies
+<!-- List key development dependencies -->
+
+## Development Commands
+```bash
+# Start development server
+npm run dev
+
+# Build for production
+npm run build
+
+# Run tests
+npm run test
+
+# Lint code
+npm run lint
+```
+
+## Quality Assurance
+- **Linting**: <!-- ESLint, Pylint, etc. -->
+- **Type Checking**: <!-- TypeScript, mypy, etc. -->
+- **Testing**: <!-- Coverage requirements, test types -->
+
+## Deployment Configuration
+- **Containerization**: <!-- Docker, Kubernetes, etc. -->
+- **Build Process**: <!-- How to build for production -->
+- **CI/CD**: <!-- GitHub Actions, GitLab CI, etc. -->