sdlc-workflow 1.0.10 → 1.1.0

package/README.md

@@ -5,10 +5,12 @@ Scaffold SDLC workflow docs and templates into your project. Works with **Cursor
 ## Flow
 
 ```
-User Request → PO → Business BA → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Deploy (Docker Compose + K8s)
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Security + PE audit → [fix loop until no issues] → Deploy (Docker Compose + K8s)
 ```
 
 - **Trigger:** When you send an **idea** or **feature request**, the agent should run the **full pipeline** (PO → … → Deploy) in sequence, one sub-agent/role per phase — not handle everything in one go or stop after one phase. See `docs/sdlc/ORCHESTRATION.md`.
+- **Design (optional):** For app/web projects, after Business BA → invoke **Pencil.dev** (MCP) to design; **PO + Business BA review** until approved; then Architect + Technical BA. UX drives technical decisions.
+- **Security + Principle Engineer:** After implementation and QE testing → security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy.
 - **Each role runs as a sub-agent** (see `docs/sdlc/agents/`).
 - **After completion** → deploy immediately with **Docker Compose** (local/staging) and **Kubernetes** (production) — `docs/sdlc/deploy/`.
 - **QE (docs)**: Test plan, test cases
@@ -54,6 +56,8 @@ docs/sdlc/
 │       ├── api-spec.template.md
 │       ├── team-breakdown.template.md
 │       └── README.md
+├── design/                   # Design (optional, app/web): after BA, before Architect; Pencil.dev .pen; PO+BA review until approved
+│   └── README.md
 ├── architecture/             # Architect
 │   ├── adr.template.md
 │   └── README.md
@@ -74,9 +78,13 @@ docs/sdlc/
 │   ├── embedded/             # Senior Embedded 10+ yrs — firmware, IoT
 │   ├── data-ml/              # Senior Data/ML 10+ yrs
 │   └── platform/             # Senior Platform 10+ yrs — CI/CD, infra
+├── security/                 # Security team: audit security risk (after implementation)
+│   └── README.md
+├── principle-engineer/       # Principle engineer: audit logic, architecture (after implementation)
+│   └── README.md
 ├── agents/                   # Sub-agent specs (each role = sub-agent)
 │   └── README.md
-└── deploy/                   # After completion → Docker Compose + K8s
+└── deploy/                   # After Security + PE sign-off (fix loop until no issues) → Docker Compose + K8s
     ├── README.md
     ├── docker-compose.yml.template
     └── k8s/

package/bin/cli.js

@@ -163,6 +163,7 @@ async function generateFromInline(cwd) {
     join(base, "qe"),
     join(base, "qe", "qe-lead"),
     join(base, "qe", "senior-qe"),
+    join(base, "design"),
     join(base, "dev", "tech-lead"),
     join(base, "dev", "senior-developer"),
     join(base, "dev", "frontend"),
@@ -171,6 +172,8 @@ async function generateFromInline(cwd) {
     join(base, "dev", "embedded"),
     join(base, "dev", "data-ml"),
     join(base, "dev", "platform"),
+    join(base, "security"),
+    join(base, "principle-engineer"),
     join(base, "agents"),
     join(base, "deploy"),
     join(base, "deploy", "k8s"),
@@ -197,6 +200,7 @@ async function generateFromInline(cwd) {
     ["qe/README.md", QE_README],
     ["qe/qe-lead/README.md", QE_LEAD_README],
     ["qe/senior-qe/README.md", QE_SENIOR_README],
+    ["design/README.md", DESIGN_README],
     ["dev/tech-lead/README.md", DEV_TECH_LEAD_README],
     ["dev/senior-developer/README.md", DEV_SENIOR_README],
     ["dev/implementation-roles.template.md", DEV_IMPLEMENTATION_ROLES_TEMPLATE],
@@ -206,6 +210,8 @@ async function generateFromInline(cwd) {
     ["dev/embedded/README.md", DEV_EMBEDDED_README],
     ["dev/data-ml/README.md", DEV_DATA_ML_README],
     ["dev/platform/README.md", DEV_PLATFORM_README],
+    ["security/README.md", SECURITY_README],
+    ["principle-engineer/README.md", PRINCIPLE_ENGINEER_README],
     ["agents/README.md", AGENTS_README],
     ["deploy/README.md", DEPLOY_README],
     ["deploy/docker-compose.yml.template", DOCKER_COMPOSE_TEMPLATE],
@@ -233,14 +239,17 @@ globs: docs/sdlc/**/*, **/*.md
 
 1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
 2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
-6. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + implementation roles by project (FE, Backend, Mobile, Embedded, Data/ML, Platform) → docs/sdlc/dev/{role}/
-7. **QE (testing)** — QE Lead (15+ yrs automation: strategy, framework, review) + Senior QE (10+ yrs, automation) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
-8. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
-
-**Each role runs as a sub-agent.** See docs/sdlc/agents/
+3. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** → loop until approved
+4. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
+6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
+7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + implementation roles → docs/sdlc/dev/{role}/
+8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/
+9. **Security** — Audit security risk → docs/sdlc/security/
+10. **Principle Engineer** — Audit logic, architecture → docs/sdlc/principle-engineer/
+11. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/ (after Security + PE sign-off; fix loop until no issues)
+
+**Each role runs as a sub-agent.** Design uses Pencil.dev MCP; UX drives tech. See docs/sdlc/agents/
 Full workflow: docs/sdlc/SDLC-WORKFLOW.md
 `;
 
@@ -258,7 +267,7 @@ Sequential workflow; **each role runs as a sub-agent**. Each phase produces docs
 **When the user sends an idea, feature request, or new requirement:**
 1. **Trigger the pipeline** and run it **continuously through deployment** (Phase 1 → 2 → … → 7).
 2. **One role per phase.** For each phase, act **only** as that role (e.g. only PO in phase 1, only Business BA in phase 2). Produce that phase's outputs into the correct folder, then **continue to the next phase** without waiting for the user.
-3. **Run in order:** PO → Business BA → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Deploy. Do not stop after one phase unless the user explicitly asks to stop.
+3. **Run in order:** PO → Business BA → **Design (if app/web, PO+BA review loop)** → Architect → Technical BA → QE (docs) → Dev → QE (testing) → **Security + Principle Engineer audit → fix loop until all issues resolved** → Deploy. Do not stop after one phase unless the user explicitly asks to stop.
 
 **Note:** In Cursor and similar tools there is a single agent per conversation. "Sub-agent" means **one role per phase** — the same agent must adopt exactly one role per phase and run phases in sequence (do not mix roles in one step). If the platform later supports spawning separate agents per phase, use that; otherwise this single agent simulates the pipeline by switching role each phase.
 
@@ -267,7 +276,7 @@ Sequential workflow; **each role runs as a sub-agent**. Each phase produces docs
 ## Flow Overview
 
 \`\`\`
-User Request → PO → Business BA → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Deploy (Docker Compose + K8s)
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Security + PE audit → [fix loop until no issues] → Deploy (Docker Compose + K8s)
 \`\`\`
 
 **Determine current phase** before acting. If user sent an idea, assume Phase 0 and start from Phase 1.
@@ -289,18 +298,33 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 
 **Role**: Break down from business perspective.
 **Deliverables**: Business process flows, functional requirements, use cases, glossary.
-**Output**: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO; e.g. \`ba/business/job-scheduler-event-bus/functional-requirements.md\`). Do not merge all epics into one file. **Handoff to Architect.**
+**Output**: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO). Do not merge all epics into one file. **Handoff to Design (if app/web) or Architect.**
 
-## Phase 3: Architect
+## Phase 3: Design (optional — app/web only)
+
+**When:** Project has UI (web, mobile app). Skip for API-only, library, CLI, data/ML, platform without UI.
+
+**Role**: Invoke **Pencil.dev** sub-agent (MCP) to create UI/UX designs from idea + PO + Business BA docs. Design **before** Architect so UX drives technical decisions.
+**Output**: \`docs/sdlc/design/{epic-slug}/\` — .pen designs.
+
+**Review loop:**
+1. **PO review**: Design aligns with epic brief, user stories, acceptance criteria?
+2. **Business BA review**: Design matches functional requirements, process flows?
+3. **If not approved**: Capture feedback → redesign with Pencil.dev → repeat until PO and BA approve.
+4. **If approved** → **Handoff to Architect.**
+
+## Phase 4: Architect
 
 **Role**: Design system architecture and technology choices.
 **Deliverables**: System context, container diagram, ADRs, tech stack, cross-cutting concerns.
+**Input**: Business BA + Design (if app/web) — design informs architecture.
 **Output**: \`docs/sdlc/architecture/\` — **Handoff to Technical BA.**
 
-## Phase 4: Technical BA
+## Phase 5: Technical BA
 
-**Role**: Translate business + architecture into implementable specs.
+**Role**: Translate business + architecture + design into implementable specs.
 **Deliverables**: API specs, DB schema, team breakdown, acceptance criteria per ticket.
+**Input**: Architect + Design (if app/web) — design informs API/screen contracts.
 **Output**: \`docs/sdlc/ba/technical/\` — **Handoff to QE + Dev.**
 
 ## Phase 5a: QE (Docs phase)
@@ -336,13 +360,22 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 - **QE Lead (15+ yrs automation)**: Test strategy, framework choice, automation architecture, review test code. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
 - **Senior QE (10+ yrs)**: Write automation tests per QE Lead's strategy. Output per epic: \`docs/sdlc/qe/{epic-slug}/\` (e.g. automation/ or test files there)
 
-**Output**: Automation tests, test report. **Handoff to Deploy.**
+**Output**: Automation tests, test report. **Handoff to Security + Principle Engineer.**
+
+## Phase 8: Security + Principle Engineer (audit → fix loop)
 
-## Phase 7: Deploy
+**Trigger**: After QE testing sign-off.
+**Roles** (can run in parallel):
+- **Security team**: Audit security risk (OWASP, auth, secrets, infra). Output: \`docs/sdlc/security/\`
+- **Principle Engineer**: Audit logic, architecture alignment, correctness. Output: \`docs/sdlc/principle-engineer/\`
 
-**Trigger**: After QE sign-off.
+**Fix loop**: If issues found → **Dev fixes** → re-audit by Security + Principle Engineer. **Repeat until all issues resolved.** Only when sign-off → **Handoff to Deploy.**
+
+## Phase 9: Deploy
+
+**Trigger**: After Security + Principle Engineer sign-off.
 **Role**: Deploy with **Docker Compose** (local/staging) and **Kubernetes** (production).
-**Output**: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s manifests. Deploy right after pipeline completes.
+**Output**: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s manifests.
 
 ## Quick Phase Checklist
 
@@ -351,14 +384,16 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 | 0 | Discovery | Raw request |
 | 1 | PO | PRD, user stories |
 | 2 | Business BA | FRS, process flows |
-| 3 | Architect | ADRs, system diagrams |
-| 4 | Technical BA | API specs, tech breakdown |
-| 5a | QE (docs) | Test plan, test cases |
-| 5b | Dev | Code, unit tests (≥90%) |
-| 6 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
-| 7 | Deploy | Docker Compose + K8s |
-
-**Sub-agents**: Each role = one sub-agent (PO, Business BA, Architect, Technical BA, QE Lead, Senior QE, Tech Lead, Senior Dev). See docs/sdlc/agents/
+| 3 | Design (if app/web) | Pencil.dev designs; PO+BA review until approved |
+| 4 | Architect | ADRs, system diagrams |
+| 5 | Technical BA | API specs, tech breakdown |
+| 6 | QE (docs) | Test plan, test cases |
+| 7 | Dev | Code, unit tests (≥90%) |
+| 8 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
+| 9 | Security + Principle Engineer | Security + logic audit; fix loop until all issues resolved; sign-off → Deploy |
+| 10 | Deploy | Docker Compose + K8s |
+
+**Sub-agents**: Each role = one sub-agent. Design uses Pencil.dev MCP. See docs/sdlc/agents/
 See reference.md for templates.
 `;
 
@@ -366,8 +401,9 @@ const CURSOR_REFERENCE_MD = `# SDLC Workflow — Reference
 
 ## Folder structure: one per epic/feature (PO and Business BA)
 
-- **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic (e.g. \`job-scheduler-event-bus\`). Files: epic-brief.md, user-stories.md. Do not put all epics in one file.
+- **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic. Files: epic-brief.md, user-stories.md. Do not put all epics in one file.
 - **Business BA**: \`docs/sdlc/ba/business/{epic-slug}/\` — same slug as PO. Files: functional-requirements.md, process-flows.md. Do not merge all epics into one file.
+- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Pencil.dev .pen designs; PO+BA review until approved.
 - **QE**: \`docs/sdlc/qe/{epic-slug}/\` — same slug as PO/BA. Files: test-plan.md, test-cases.md, automation artifacts. Do not put all epics in one file.
 
 ## PO: Epic Brief Template
@@ -383,6 +419,9 @@ FR-001: [Title] — Description, Trigger, Process Flow, Output, Constraints
 ## Technical BA: API Spec
 POST /api/v1/[resource] — Purpose, Request, Response, Contract
 
+## Design (if app/web)
+Pencil.dev MCP — create .pen designs from idea + PO + BA (before Architect; UX drives tech). Output: docs/sdlc/design/{epic-slug}/. PO + BA review until approved; loop if not aligned. Handoff to Architect.
+
 ## QE: Test Case
 TC-001: [Scenario] — Precondition, Steps, Expected, Links to AC
 
@@ -395,11 +434,13 @@ TC-001: [Scenario] — Precondition, Steps, Expected, Links to AC
 - Senior Dev (10+ yrs): implement, Unit Test ≥90% → docs/sdlc/dev/senior-developer/
 - By project (all Senior 10+ yrs): Senior Frontend, Backend, Mobile, Embedded, Data/ML, Platform → docs/sdlc/dev/{role}/
 
-## Sub-agents
-Each role = sub-agent. See docs/sdlc/agents/
+## Security + Principle Engineer (after implementation)
+- Security team: audit security risk → docs/sdlc/security/
+- Principle Engineer: audit logic, architecture → docs/sdlc/principle-engineer/
+- **Fix loop**: If issues → Dev fixes → re-audit; repeat until all resolved. Sign-off → Deploy
 
 ## Deploy
-After completion → Docker Compose + K8s. See docs/sdlc/deploy/
+After Security + Principle Engineer sign-off → Docker Compose + K8s. See docs/sdlc/deploy/
 `;
 
 const AGENTS_MD_CONTENT = `## SDLC Workflow
@@ -410,14 +451,16 @@ When working on requirements, features, or handoffs, follow these phases:
 
 1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
 2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
-6. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
-7. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
-8. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
-
-After the docs phase, the Dev team runs implementation immediately. See docs/sdlc/agents/
+3. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved
+4. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
+6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
+7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
+8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
+9. **Security + Principle Engineer** — Security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy
+10. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+
+Design before Architect (UX drives tech). After the docs phase, the Dev team runs implementation immediately. See docs/sdlc/agents/
 `;
 
 const CLAUDE_SDLC_CONTENT = `## SDLC Workflow
@@ -426,14 +469,16 @@ const CLAUDE_SDLC_CONTENT = `## SDLC Workflow
 
 1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
 2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
-6. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
-7. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
-8. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
-
-After the docs phase (Technical BA + QE docs), the Dev team runs implementation immediately. See docs/sdlc/agents/
+3. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved
+4. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
+6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
+7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
+8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
+9. **Security + Principle Engineer** — Security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy
+10. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+
+Design before Architect (UX drives tech). After the docs phase, Dev runs implementation immediately. See docs/sdlc/agents/
 `;
 
 const SDLC_WORKFLOW_MD = `# SDLC Workflow (Multi-Role)
@@ -450,7 +495,7 @@ For Cursor, see .cursor/rules/sdlc-workflow.mdc
 ## Flow
 
 \`\`\`
-User Request → PO → Business BA → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Deploy
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing) → Security + PE audit → [fix loop] → Deploy
 \`\`\`
 
 ## Phase Checklist
@@ -460,14 +505,16 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 | 0 | Discovery | Raw request |
 | 1 | PO | PRD, user stories |
 | 2 | Business BA | FRS, process flows |
-| 3 | Architect | ADRs, system diagrams |
-| 4 | Technical BA | API specs, tech breakdown |
-| 5a | QE (docs) | Test plan, test cases |
-| 5b | Dev | Code, unit tests (≥90%) |
-| 6 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
-| 7 | Deploy | Docker Compose + K8s |
+| 3 | Design (if app/web) | Pencil.dev designs; PO+BA review until approved |
+| 4 | Architect | ADRs, system diagrams |
+| 5 | Technical BA | API specs, tech breakdown |
+| 6 | QE (docs) | Test plan, test cases |
+| 7 | Dev | Code, unit tests (≥90%) |
+| 8 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
+| 9 | Security + Principle Engineer | Security + logic audit; fix loop until all issues resolved; sign-off → Deploy |
+| 10 | Deploy | Docker Compose + K8s |
 
-**Sub-agents**: Each role runs as a sub-agent (PO, Business BA, Architect, Technical BA, QE Lead, Senior QE, Tech Lead, Senior Dev). See docs/sdlc/agents/
+**Sub-agents**: Each role runs as a sub-agent. See docs/sdlc/agents/
 
 ## Phase Details
 
@@ -479,12 +526,18 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 - Functional requirements, process flows, use cases
 - Output: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO); do not merge into one file
 
-### Phase 3: Architect
-- System context, container diagram, ADRs, tech stack
+### Phase 3: Design (optional — app/web only)
+- Invoke **Pencil.dev** (MCP) to design based on idea + PO + BA docs. **Design before Architect so UX drives tech.**
+- Output: \`docs/sdlc/design/{epic-slug}/\` — .pen designs
+- **PO + Business BA review**: Both check design vs epic/FRS; if not aligned → feedback → redesign loop until approved
+- When approved → handoff to Architect
+
+### Phase 4: Architect
+- System context, container diagram, ADRs, tech stack. Input: Business BA + Design (if app/web)
 - Output: \`docs/sdlc/architecture/\`
 
-### Phase 4: Technical BA
-- API specs, DB schema, team breakdown
+### Phase 5: Technical BA
+- API specs, DB schema, team breakdown. Input: Architect + Design (if app/web)
 - Output: \`docs/sdlc/ba/technical/\`
 
 ### Phase 5a: QE (Docs)
@@ -501,9 +554,15 @@ User Request → PO → Business BA → Architect → Technical BA → QE (docs)
 ### Phase 6: QE (Testing — automation)
 - **QE Lead (15+ yrs automation)**: Test strategy, framework choice, automation architecture; review test code. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
 - **Senior QE (10+ yrs)**: Write automation tests per QE Lead's strategy. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
+- **Handoff to Security + Principle Engineer**
+
+### Phase 7: Security + Principle Engineer (audit → fix loop)
+- **Security team**: Audit security risk (OWASP, auth, secrets, infra). Output: \`docs/sdlc/security/\`
+- **Principle Engineer**: Audit logic, architecture alignment, correctness. Output: \`docs/sdlc/principle-engineer/\`
+- **Fix loop**: If issues found → Dev fixes → Security + PE re-audit. **Repeat until all issues resolved.** Sign-off → **Handoff to Deploy**
 
-### Phase 7: Deploy
-- After pipeline completes → deploy with **Docker Compose** (local/staging) and **Kubernetes** (production)
+### Phase 8: Deploy
+- After Security + Principle Engineer sign-off → deploy with **Docker Compose** (local/staging) and **Kubernetes** (production)
 - Output: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s/
 
 See [reference.md](./reference.md) for templates.
@@ -515,24 +574,26 @@ const ORCHESTRATION_MD = `# Pipeline orchestration
 
 When the user sends an **idea**, **feature request**, or **requirement** (e.g. "I want a login page", "We need an API for X"):
 
-1. **Trigger the full pipeline** and run **Phase 1 → 2 → … → 7 in sequence**.
+1. **Trigger the full pipeline** and run **Phase 1 → 2 → … → 10 in sequence**.
 2. **One role per phase:** For each phase, act only as that role, write outputs to the correct \`docs/sdlc/...\` folder, then **continue to the next phase** without asking the user to "run next step".
 3. **Run through to Deploy.** Do not stop after PO, BA, or Dev unless the user explicitly says to stop.
 
 ## How it runs (Cursor and similar)
 
-There is **one agent** per conversation. It simulates the pipeline by **adopting one role per phase** in order: Phase 1 as PO only → Phase 2 as Business BA only → … → Phase 7 as Deploy. Do not mix roles in one step. If the tool later supports separate agents per phase, use that; otherwise this single-agent simulation is correct.
+There is **one agent** per conversation. It simulates the pipeline by **adopting one role per phase** in order: Phase 1 as PO only → Phase 2 as Business BA only → … → Phase 10 as Deploy. Do not mix roles in one step. If the tool later supports separate agents per phase, use that; otherwise this single-agent simulation is correct.
 
 ## Checklist per run
 
 - [ ] Phase 1 PO: artifacts in \`docs/sdlc/po/{epic-slug}/\` (one folder per epic)
 - [ ] Phase 2 Business BA: \`docs/sdlc/ba/business/{epic-slug}/\` (one folder per epic)
-- [ ] Phase 3 Architect: \`docs/sdlc/architecture/\`
-- [ ] Phase 4 Technical BA: \`docs/sdlc/ba/technical/\`
-- [ ] Phase 5a QE docs: \`docs/sdlc/qe/{epic-slug}/\` (one folder per epic)
-- [ ] Phase 5b Dev: code + unit tests, \`docs/sdlc/dev/\`
-- [ ] Phase 6 QE testing: automation, sign-off → \`docs/sdlc/qe/{epic-slug}/\`
-- [ ] Phase 7 Deploy: \`docs/sdlc/deploy/\`, Docker Compose + K8s
+- [ ] Phase 3 Design (if app/web): Pencil.dev designs in \`docs/sdlc/design/{epic-slug}/\`; PO+BA review until approved
+- [ ] Phase 4 Architect: \`docs/sdlc/architecture/\`
+- [ ] Phase 5 Technical BA: \`docs/sdlc/ba/technical/\`
+- [ ] Phase 6 QE docs: \`docs/sdlc/qe/{epic-slug}/\` (one folder per epic)
+- [ ] Phase 7 Dev: code + unit tests, \`docs/sdlc/dev/\`
+- [ ] Phase 8 QE testing: automation, sign-off → \`docs/sdlc/qe/{epic-slug}/\`
+- [ ] Phase 9 Security + Principle Engineer: \`docs/sdlc/security/\`, \`docs/sdlc/principle-engineer/\`; fix loop until no issues; sign-off
+- [ ] Phase 10 Deploy: \`docs/sdlc/deploy/\`, Docker Compose + K8s
 `;
 
 const REFERENCE_MD = `# SDLC Workflow — Reference
@@ -544,9 +605,12 @@ Deploy: docs/sdlc/deploy/ (Docker Compose + K8s)
 
 ## Folder structure: one per epic/feature
 
-- **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic (e.g. \`job-scheduler-event-bus\`). Files inside: epic-brief.md, user-stories.md, etc. Do not put all epics in one file.
-- **Business BA**: \`docs/sdlc/ba/business/{epic-slug}/\` — same slug as PO. Files: functional-requirements.md, process-flows.md, etc. Do not merge all epics into one file.
+- **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic. Files: epic-brief.md, user-stories.md. Do not put all epics in one file.
+- **Business BA**: \`docs/sdlc/ba/business/{epic-slug}/\` — same slug as PO. Files: functional-requirements.md, process-flows.md. Do not merge all epics into one file.
+- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — Pencil.dev .pen designs; PO+BA review until approved.
 - **QE**: \`docs/sdlc/qe/{epic-slug}/\` — same slug as PO/BA. Files: test-plan.md, test-cases.md, automation. Do not put all epics in one file.
+- **Security**: \`docs/sdlc/security/\` — security audit; fix loop until no issues
+- **Principle Engineer**: \`docs/sdlc/principle-engineer/\` — logic audit; fix loop until no issues
 `;
 
 const AGENTS_README = `# Sub-Agents
@@ -557,9 +621,10 @@ Every role in the SDLC runs as a **sub-agent**. Each phase is assigned to a corr
 |------|-----------|--------|--------|
 | PO | po | User request | docs/sdlc/po/{epic-slug}/ (one folder per epic) |
 | Business BA | business-ba | docs/sdlc/po/{epic-slug}/ | docs/sdlc/ba/business/{epic-slug}/ (one folder per epic) |
-| Architect | architect | docs/sdlc/ba/business/ | docs/sdlc/architecture/ |
-| Technical BA | technical-ba | docs/sdlc/architecture/ | docs/sdlc/ba/technical/ |
-| QE (docs) | qe-docs | docs/sdlc/ba/technical/ | docs/sdlc/qe/{epic-slug}/ (one folder per epic) |
+| Design (if app/web) | pencil-dev | docs/sdlc/po + docs/sdlc/ba/business/ | docs/sdlc/design/{epic-slug}/; PO+BA review until approved |
+| Architect | architect | docs/sdlc/ba/business/ + design (if any) | docs/sdlc/architecture/ |
+| Technical BA | technical-ba | docs/sdlc/architecture/ + design (if any) | docs/sdlc/ba/technical/ |
+| QE (docs) | qe-docs | docs/sdlc/ba/technical/ (+ design if any) | docs/sdlc/qe/{epic-slug}/ (one folder per epic) |
 | Tech Lead | tech-lead | Technical spec | Review, merge, docs/sdlc/dev/tech-lead/ |
 | Senior Dev | senior-dev | Spec + test plan | After docs → run implementation immediately. Code, unit tests (≥90%) |
 | Senior Frontend | frontend | UI spec, API contract | Web UI, docs/sdlc/dev/frontend/ |
@@ -570,16 +635,52 @@ Every role in the SDLC runs as a **sub-agent**. Each phase is assigned to a corr
 | Senior Platform | platform | Infra spec | CI/CD, observability, docs/sdlc/dev/platform/ |
 | QE Lead | qe-lead | Test plan | 15+ yrs automation: strategy, framework, review → docs/sdlc/qe/{epic-slug}/ |
 | Senior QE | senior-qe | Test plan + framework | Automation tests → docs/sdlc/qe/{epic-slug}/ |
-| Deploy | deploy | QE sign-off | Docker Compose + K8s, docs/sdlc/deploy/ |
+| Security | security | Code, infra | Security audit → docs/sdlc/security/; fix loop until no issues |
+| Principle Engineer | principle-engineer | Code, architecture | Logic audit → docs/sdlc/principle-engineer/; fix loop until no issues |
+| Deploy | deploy | Security + PE sign-off (after fix loop) | Docker Compose + K8s, docs/sdlc/deploy/ |
 
 Orchestrator: run each sub-agent in order; hand off output → input of the next sub-agent.
 
 **Trigger:** On user idea/request, run the full pipeline (see docs/sdlc/ORCHESTRATION.md). One role per phase; single agent simulates by switching role each phase. Do not stop after one phase until Deploy unless the user asks.
 `;
 
+const SECURITY_README = `# Security Team
+
+**When:** After implementation (Dev) and QE testing. **Before** Deploy.
+
+**Role:** Audit security risk in code, APIs, infra, and configuration. Identify vulnerabilities and recommend mitigations.
+
+**Fix loop:** If issues found → Dev fixes → re-audit. Repeat until all issues resolved; then sign-off to Deploy.
+
+## Detailed tasks
+
+- [ ] **Read implementation**: Code, API specs, infra configs (docker-compose, k8s)
+- [ ] **Security audit**: OWASP Top 10, auth/authz, injection, XSS, CSRF, secrets exposure, dependency vulns
+- [ ] **Infra/ops security**: Network, TLS, RBAC, secrets management
+- [ ] **Report**: Findings, severity, remediation; output to \`docs/sdlc/security/\`
+- [ ] **Fix loop**: If critical/high issues found → Dev fixes → re-audit. **Repeat until all issues resolved**; then sign-off to Deploy.
+`;
+
+const PRINCIPLE_ENGINEER_README = `# Principle Engineer
+
+**When:** After implementation (Dev) and QE testing. **Before** Deploy.
+
+**Role:** Audit logic, architecture alignment, design decisions, and technical quality. Ensure correctness and consistency with specs.
+
+**Fix loop:** If issues found → Dev fixes → re-audit. Repeat until all issues resolved; then sign-off to Deploy.
+
+## Detailed tasks
+
+- [ ] **Read implementation**: Code, architecture ADRs, Technical BA spec
+- [ ] **Logic audit**: Business logic correctness, edge cases, error handling, data flow
+- [ ] **Architecture audit**: Alignment with ADRs, patterns, scalability, maintainability
+- [ ] **Report**: Findings, recommendations; output to \`docs/sdlc/principle-engineer/\`
+- [ ] **Fix loop**: If critical logic/arch issues found → Dev fixes → re-audit. **Repeat until all issues resolved**; then sign-off to Deploy.
+`;
+
 const DEPLOY_README = `# Deploy
 
-After the pipeline completes (QE sign-off), deploy immediately with:
+After the pipeline completes (Security + Principle Engineer sign-off, after fix loop until no issues), deploy immediately with:
 
 - **Docker Compose** — local / staging: \`docker compose up -d\`
 - **Kubernetes** — production: \`kubectl apply -f k8s/\`
@@ -763,7 +864,7 @@ docs/sdlc/ba/business/
 - [ ] **Write use cases**: Actor, goal, preconditions, main/alternate flows, postconditions
 - [ ] **Maintain glossary**: Business terms, definitions, acronyms
 - [ ] **Map to user stories**: Trace FRs to user stories / AC
-- [ ] **Handoff to Architect**: Deliverables in \`ba/business/{epic-slug}/\`
+- [ ] **Handoff to Design (if app/web) or Architect**: Deliverables in \`ba/business/{epic-slug}/\`
 
 Use functional-requirement.template.md for FRS items.
 `;
@@ -870,6 +971,7 @@ Templates support: HTTP API, library/SDK, CLI, and all project types (see api-sp
 ## Detailed tasks
 
 - [ ] **Read Architect outputs**: ADRs, context/container diagrams, tech stack
+- [ ] **Read Design (if app/web)**: .pen designs — design informs API contracts, screen specs
 - [ ] **API/interface spec**: For each endpoint/class/command: purpose, request/response, contract (OpenAPI, TS types, CLI help)
 - [ ] **DB schema**: Tables, columns, indexes, constraints; migrations approach
 - [ ] **Team breakdown**: Map scope to teams (Backend, Frontend, Mobile, etc.) per project type; dependencies
@@ -904,6 +1006,7 @@ Use adr.template.md for new ADRs.
 ## Detailed tasks
 
 - [ ] **Read Business BA outputs**: Functional requirements, process flows, use cases
+- [ ] **Read Design (if app/web)**: .pen designs in \`design/{epic-slug}/\` — design informs architecture
 - [ ] **Context diagram**: System boundary, external actors, integrations
 - [ ] **Container diagram**: Main components/services and their responsibilities
 - [ ] **Tech stack decisions**: Languages, frameworks, databases; document in ADRs
@@ -1010,6 +1113,31 @@ const QE_SENIOR_README = `# Senior QE (10+ years exp)
 - [ ] **Output**: Automation code and docs in \`qe/{epic-slug}/\`
 `;
 
+const DESIGN_README = `# Design (optional — app/web projects only)
+
+**When:** After Business BA, **before** Architect and Technical BA. **Skip** for API-only, library, CLI, data/ML, platform projects without UI.
+
+**Why before Architect:** UX drives technical decisions — design informs architecture and API specs.
+
+**One folder per epic:** \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Store .pen files and design notes there.
+
+## Flow
+
+1. **Design sub-agent (Pencil.dev)**: Create UI/UX designs based on idea + PO docs + Business BA FRS. Use Pencil MCP tools (\`batch_design\`, \`get_guidelines\`, \`get_style_guide\`, etc.) to produce .pen designs.
+2. **PO + Business BA review**: Both roles review the design against epic brief, user stories, functional requirements.
+3. **Loop until approved**: If design does not match idea/docs → return to step 1 with feedback; redesign. Repeat until PO and BA approve.
+4. **Handoff to Architect**: Once approved → proceed to Architect (design informs architecture and Technical BA).
+
+## Detailed tasks
+
+- [ ] **Invoke Pencil.dev**: Call design sub-agent (Pencil MCP) with PO epic, BA FRS as context
+- [ ] **Create designs**: Screens, flows, components in .pen format; output to \`design/{epic-slug}/\`
+- [ ] **PO review**: Check design aligns with epic brief, user stories, acceptance criteria
+- [ ] **Business BA review**: Check design matches functional requirements, process flows
+- [ ] **If not approved**: Capture feedback; loop back to design step with specific changes
+- [ ] **If approved**: Handoff to Architect; design in \`design/{epic-slug}/\`
+`;
+
 const DEV_TECH_LEAD_README = `# Tech Lead (15+ years exp)
 
 **Responsibilities**:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-workflow",
-  "version": "1.0.10",
+  "version": "1.1.0",
   "description": "Scaffold SDLC workflow docs and templates for Cursor, Claude, and dev teams",
   "type": "module",
   "bin": {