sdlc-workflow 1.0.11 → 1.2.0

package/README.md

@@ -5,13 +5,15 @@ Scaffold SDLC workflow docs and templates into your project. Works with **Cursor
 ## Flow
 
 ```
-User Request → PO → Business BA → Architect → Technical BA → Design (if app/web, PO+BA review loop) → QE (docs) → Dev → QE (testing) → Deploy (Docker Compose + K8s)
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing + UAT) → Security + PE audit → [fix loop until no issues] → Deploy → Maintenance
 ```
 
 - **Trigger:** When you send an **idea** or **feature request**, the agent should run the **full pipeline** (PO → … → Deploy) in sequence, one sub-agent/role per phase — not handle everything in one go or stop after one phase. See `docs/sdlc/ORCHESTRATION.md`.
-- **Design (optional):** For app/web projects, after Technical BA → invoke **Pencil.dev** (MCP) to design; **PO + Business BA review** until approved; then QE + Dev.
+- **Design (optional):** For app/web projects, after Business BA → create **design specs** (Markdown) + optional **HTML wireframes**; **PO + Business BA review** until approved; then Architect + Technical BA. UX drives technical decisions.
+- **Security + Principle Engineer:** After implementation and QE testing → security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy.
 - **Each role runs as a sub-agent** (see `docs/sdlc/agents/`).
 - **After completion** → deploy immediately with **Docker Compose** (local/staging) and **Kubernetes** (production) — `docs/sdlc/deploy/`.
+- **Maintenance:** After Deploy → monitoring, bug fixes, patches, dependency updates, performance tuning — `docs/sdlc/maintenance/`.
 - **QE (docs)**: Test plan, test cases
 - **Dev**: After docs phase → **run implementation immediately**. Tech Lead (review, merge) + Senior Dev (implement, Unit Test ≥90%)
 - **QE (testing)**: QE Lead (15+ yrs automation: strategy, framework, review) + Senior QE (10+ yrs, write automation tests)
@@ -55,11 +57,11 @@ docs/sdlc/
 │       ├── api-spec.template.md
 │       ├── team-breakdown.template.md
 │       └── README.md
+├── design/                   # Design (optional, app/web): after BA, before Architect; design specs + wireframes; PO+BA review until approved
+│   └── README.md
 ├── architecture/             # Architect
 │   ├── adr.template.md
 │   └── README.md
-├── design/                   # Design (optional, app/web): Pencil.dev .pen; PO+BA review until approved
-│   └── README.md
 ├── qe/                       # QE (one folder per epic: qe/{epic-slug}/)
 │   ├── test-case.template.md
 │   ├── README.md
@@ -77,15 +79,21 @@ docs/sdlc/
 │   ├── embedded/             # Senior Embedded 10+ yrs — firmware, IoT
 │   ├── data-ml/              # Senior Data/ML 10+ yrs
 │   └── platform/             # Senior Platform 10+ yrs — CI/CD, infra
+├── security/                 # Security team: audit security risk (after implementation)
+│   └── README.md
+├── principle-engineer/       # Principle engineer: audit logic, architecture (after implementation)
+│   └── README.md
 ├── agents/                   # Sub-agent specs (each role = sub-agent)
 │   └── README.md
-└── deploy/                   # After completion → Docker Compose + K8s
-    ├── README.md
-    ├── docker-compose.yml.template
-    └── k8s/
-        ├── deployment.yaml.template
-        ├── service.yaml.template
-        └── ingress.yaml.template
+├── deploy/                   # After Security + PE sign-off (fix loop until no issues) → Docker Compose + K8s
+│   ├── README.md
+│   ├── docker-compose.yml.template
+│   └── k8s/
+│       ├── deployment.yaml.template
+│       ├── service.yaml.template
+│       └── ingress.yaml.template
+└── maintenance/              # After Deploy → monitoring, bug fixes, patches, runbooks
+    └── README.md
 
 .cursor/rules/
 └── sdlc-workflow.mdc         # Cursor rule

package/bin/cli.js

@@ -172,9 +172,12 @@ async function generateFromInline(cwd) {
     join(base, "dev", "embedded"),
     join(base, "dev", "data-ml"),
     join(base, "dev", "platform"),
+    join(base, "security"),
+    join(base, "principle-engineer"),
     join(base, "agents"),
     join(base, "deploy"),
     join(base, "deploy", "k8s"),
+    join(base, "maintenance"),
   ];
 
   for (const d of dirs) {
@@ -199,6 +202,7 @@ async function generateFromInline(cwd) {
     ["qe/qe-lead/README.md", QE_LEAD_README],
     ["qe/senior-qe/README.md", QE_SENIOR_README],
     ["design/README.md", DESIGN_README],
+    ["design/design-spec.template.md", DESIGN_SPEC_TEMPLATE],
     ["dev/tech-lead/README.md", DEV_TECH_LEAD_README],
     ["dev/senior-developer/README.md", DEV_SENIOR_README],
     ["dev/implementation-roles.template.md", DEV_IMPLEMENTATION_ROLES_TEMPLATE],
@@ -208,12 +212,15 @@ async function generateFromInline(cwd) {
     ["dev/embedded/README.md", DEV_EMBEDDED_README],
     ["dev/data-ml/README.md", DEV_DATA_ML_README],
     ["dev/platform/README.md", DEV_PLATFORM_README],
+    ["security/README.md", SECURITY_README],
+    ["principle-engineer/README.md", PRINCIPLE_ENGINEER_README],
     ["agents/README.md", AGENTS_README],
     ["deploy/README.md", DEPLOY_README],
     ["deploy/docker-compose.yml.template", DOCKER_COMPOSE_TEMPLATE],
     ["deploy/k8s/deployment.yaml.template", K8S_DEPLOYMENT_TEMPLATE],
     ["deploy/k8s/service.yaml.template", K8S_SERVICE_TEMPLATE],
     ["deploy/k8s/ingress.yaml.template", K8S_INGRESS_TEMPLATE],
+    ["maintenance/README.md", MAINTENANCE_README],
   ];
 
   for (const [rel, content] of files) {
@@ -235,15 +242,18 @@ globs: docs/sdlc/**/*, **/*.md
 
 1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
 2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** → loop until approved
+3. **Design (if app/web)** — Design specs + wireframes → docs/sdlc/design/{epic-slug}/; **PO + BA review** → loop until approved
+4. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
 6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
 7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + implementation roles → docs/sdlc/dev/{role}/
-8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/
-9. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+8. **QE (testing + UAT)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) + UAT → docs/sdlc/qe/{epic-slug}/
+9. **Security** — Audit security risk → docs/sdlc/security/
+10. **Principle Engineer** — Audit logic, architecture → docs/sdlc/principle-engineer/
+11. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/ (after Security + PE sign-off; fix loop until no issues)
+12. **Maintenance** — Monitoring, bug fixes, patches, dependency updates → docs/sdlc/maintenance/
 
-**Each role runs as a sub-agent.** Design uses Pencil.dev MCP. See docs/sdlc/agents/
+**Each role runs as a sub-agent.** Design before Architect (UX drives tech). See docs/sdlc/agents/
 Full workflow: docs/sdlc/SDLC-WORKFLOW.md
 `;
 
@@ -261,7 +271,7 @@ Sequential workflow; **each role runs as a sub-agent**. Each phase produces docs
 **When the user sends an idea, feature request, or new requirement:**
 1. **Trigger the pipeline** and run it **continuously through deployment** (Phase 1 → 2 → … → 7).
 2. **One role per phase.** For each phase, act **only** as that role (e.g. only PO in phase 1, only Business BA in phase 2). Produce that phase's outputs into the correct folder, then **continue to the next phase** without waiting for the user.
-3. **Run in order:** PO → Business BA → Architect → Technical BA → **Design (if app/web)** → QE (docs) → Dev → QE (testing) → Deploy. If Design: **PO + BA review** design; loop until approved before QE/Dev. Do not stop after one phase unless the user explicitly asks to stop.
+3. **Run in order:** PO → Business BA → **Design (if app/web, PO+BA review loop)** → Architect → Technical BA → QE (docs) → Dev → QE (testing + UAT) → **Security + Principle Engineer audit → fix loop until all issues resolved** → Deploy → Maintenance. Do not stop after one phase unless the user explicitly asks to stop.
 
 **Note:** In Cursor and similar tools there is a single agent per conversation. "Sub-agent" means **one role per phase** — the same agent must adopt exactly one role per phase and run phases in sequence (do not mix roles in one step). If the platform later supports spawning separate agents per phase, use that; otherwise this single agent simulates the pipeline by switching role each phase.
 
@@ -270,7 +280,7 @@ Sequential workflow; **each role runs as a sub-agent**. Each phase produces docs
 ## Flow Overview
 
 \`\`\`
-User Request → PO → Business BA → Architect → Technical BA → Design (if app/web, PO+BA review loop) → QE (docs) → Dev → QE (testing) → Deploy (Docker Compose + K8s)
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing + UAT) → Security + PE audit → [fix loop until no issues] → Deploy → Maintenance
 \`\`\`
 
 **Determine current phase** before acting. If user sent an idea, assume Phase 0 and start from Phase 1.
@@ -292,32 +302,34 @@ User Request → PO → Business BA → Architect → Technical BA → Design (i
 
 **Role**: Break down from business perspective.
 **Deliverables**: Business process flows, functional requirements, use cases, glossary.
-**Output**: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO; e.g. \`ba/business/job-scheduler-event-bus/functional-requirements.md\`). Do not merge all epics into one file. **Handoff to Architect.**
+**Output**: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO). Do not merge all epics into one file. **Handoff to Design (if app/web) or Architect.**
 
-## Phase 3: Architect
-
-**Role**: Design system architecture and technology choices.
-**Deliverables**: System context, container diagram, ADRs, tech stack, cross-cutting concerns.
-**Output**: \`docs/sdlc/architecture/\` — **Handoff to Technical BA.**
-
-## Phase 4: Technical BA
-
-**Role**: Translate business + architecture into implementable specs.
-**Deliverables**: API specs, DB schema, team breakdown, acceptance criteria per ticket.
-**Output**: \`docs/sdlc/ba/technical/\` — **Handoff to Design (if app/web) or QE + Dev.**
-
-## Phase 4b: Design (optional — app/web only)
+## Phase 3: Design (optional — app/web only)
 
 **When:** Project has UI (web, mobile app). Skip for API-only, library, CLI, data/ML, platform without UI.
 
-**Role**: Invoke **Pencil.dev** sub-agent (MCP) to create UI/UX designs from idea + PO + Business BA + Technical BA docs.
-**Output**: \`docs/sdlc/design/{epic-slug}/\` — .pen designs.
+**Role**: Create UI/UX design specs (Markdown) and optional HTML wireframes from idea + PO + Business BA docs. Design **before** Architect so UX drives technical decisions.
+**Output**: \`docs/sdlc/design/{epic-slug}/\` — design-spec.md + optional wireframes/.
 
 **Review loop:**
 1. **PO review**: Design aligns with epic brief, user stories, acceptance criteria?
 2. **Business BA review**: Design matches functional requirements, process flows?
-3. **If not approved**: Capture feedback → redesign with Pencil.dev → repeat until PO and BA approve.
-4. **If approved** → **Handoff to QE + Dev.**
+3. **If not approved**: Capture feedback → redesign → repeat until PO and BA approve.
+4. **If approved** → **Handoff to Architect.**
+
+## Phase 4: Architect
+
+**Role**: Design system architecture and technology choices.
+**Deliverables**: System context, container diagram, ADRs, tech stack, cross-cutting concerns.
+**Input**: Business BA + Design (if app/web) — design informs architecture.
+**Output**: \`docs/sdlc/architecture/\` — **Handoff to Technical BA.**
+
+## Phase 5: Technical BA
+
+**Role**: Translate business + architecture + design into implementable specs.
+**Deliverables**: API specs, DB schema, team breakdown, acceptance criteria per ticket.
+**Input**: Architect + Design (if app/web) — design informs API/screen contracts.
+**Output**: \`docs/sdlc/ba/technical/\` — **Handoff to QE + Dev.**
 
 ## Phase 5a: QE (Docs phase)
 
@@ -341,7 +353,7 @@ User Request → PO → Business BA → Architect → Technical BA → Design (i
 
 **Requirements**: Unit Test coverage **≥ 90%**.
 
-**Output**: Code + unit tests. **Handoff to QE (testing).**
+**Output**: Code + unit tests. **Handoff to QE (testing + UAT).**
 
 ## Phase 6: QE (Testing phase — automation)
 
@@ -352,13 +364,22 @@ User Request → PO → Business BA → Architect → Technical BA → Design (i
 - **QE Lead (15+ yrs automation)**: Test strategy, framework choice, automation architecture, review test code. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
 - **Senior QE (10+ yrs)**: Write automation tests per QE Lead's strategy. Output per epic: \`docs/sdlc/qe/{epic-slug}/\` (e.g. automation/ or test files there)
 
-**Output**: Automation tests, test report. **Handoff to Deploy.**
+**Output**: Automation tests, test report. **Handoff to Security + Principle Engineer.**
 
-## Phase 7: Deploy
+## Phase 8: Security + Principle Engineer (audit → fix loop)
 
-**Trigger**: After QE sign-off.
+**Trigger**: After QE testing sign-off.
+**Roles** (can run in parallel):
+- **Security team**: Audit security risk (OWASP, auth, secrets, infra). Output: \`docs/sdlc/security/\`
+- **Principle Engineer**: Audit logic, architecture alignment, correctness. Output: \`docs/sdlc/principle-engineer/\`
+
+**Fix loop**: If issues found → **Dev fixes** → re-audit by Security + Principle Engineer. **Repeat until all issues resolved.** Only when sign-off → **Handoff to Deploy.**
+
+## Phase 9: Deploy
+
+**Trigger**: After Security + Principle Engineer sign-off.
 **Role**: Deploy with **Docker Compose** (local/staging) and **Kubernetes** (production).
-**Output**: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s manifests. Deploy right after pipeline completes.
+**Output**: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s manifests.
 
 ## Quick Phase Checklist
 
@@ -367,15 +388,17 @@ User Request → PO → Business BA → Architect → Technical BA → Design (i
 | 0 | Discovery | Raw request |
 | 1 | PO | PRD, user stories |
 | 2 | Business BA | FRS, process flows |
-| 3 | Architect | ADRs, system diagrams |
-| 4 | Technical BA | API specs, tech breakdown |
-| 4b | Design (if app/web) | Pencil.dev designs; PO+BA review until approved |
-| 5a | QE (docs) | Test plan, test cases |
-| 5b | Dev | Code, unit tests (≥90%) |
-| 6 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
-| 7 | Deploy | Docker Compose + K8s |
-
-**Sub-agents**: Each role = one sub-agent. Design uses Pencil.dev MCP. See docs/sdlc/agents/
+| 3 | Design (if app/web) | Design specs + wireframes; PO+BA review until approved |
+| 4 | Architect | ADRs, system diagrams |
+| 5 | Technical BA | API specs, tech breakdown |
+| 6 | QE (docs) | Test plan, test cases |
+| 7 | Dev | Code, unit tests (≥90%) |
+| 8 | QE (testing + UAT) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, UAT, sign-off |
+| 9 | Security + Principle Engineer | Security + logic audit; fix loop until all issues resolved; sign-off → Deploy |
+| 10 | Deploy | Docker Compose + K8s |
+| 11 | Maintenance | Monitoring, bug fixes, patches, dependency updates |
+
+**Sub-agents**: Each role = one sub-agent. Design before Architect (UX drives tech). See docs/sdlc/agents/
 See reference.md for templates.
 `;
 
@@ -385,7 +408,7 @@ const CURSOR_REFERENCE_MD = `# SDLC Workflow — Reference
 
 - **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic. Files: epic-brief.md, user-stories.md. Do not put all epics in one file.
 - **Business BA**: \`docs/sdlc/ba/business/{epic-slug}/\` — same slug as PO. Files: functional-requirements.md, process-flows.md. Do not merge all epics into one file.
-- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Pencil.dev .pen designs; PO+BA review until approved.
+- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Design specs (Markdown) + optional HTML wireframes; PO+BA review until approved.
 - **QE**: \`docs/sdlc/qe/{epic-slug}/\` — same slug as PO/BA. Files: test-plan.md, test-cases.md, automation artifacts. Do not put all epics in one file.
 
 ## PO: Epic Brief Template
@@ -402,7 +425,7 @@ FR-001: [Title] — Description, Trigger, Process Flow, Output, Constraints
 POST /api/v1/[resource] — Purpose, Request, Response, Contract
 
 ## Design (if app/web)
-Pencil.dev MCP — create .pen designs from idea + PO + BA + Technical BA. Output: docs/sdlc/design/{epic-slug}/. PO + BA review until approved; loop if not aligned.
+Design specs (Markdown) + optional HTML wireframes from idea + PO + BA (before Architect; UX drives tech). Output: docs/sdlc/design/{epic-slug}/. PO + BA review until approved; loop if not aligned. Handoff to Architect.
 
 ## QE: Test Case
 TC-001: [Scenario] — Precondition, Steps, Expected, Links to AC
@@ -416,11 +439,16 @@ TC-001: [Scenario] — Precondition, Steps, Expected, Links to AC
 - Senior Dev (10+ yrs): implement, Unit Test ≥90% → docs/sdlc/dev/senior-developer/
 - By project (all Senior 10+ yrs): Senior Frontend, Backend, Mobile, Embedded, Data/ML, Platform → docs/sdlc/dev/{role}/
 
-## Sub-agents
-Each role = sub-agent. See docs/sdlc/agents/
+## Security + Principle Engineer (after implementation)
+- Security team: audit security risk → docs/sdlc/security/
+- Principle Engineer: audit logic, architecture → docs/sdlc/principle-engineer/
+- **Fix loop**: If issues → Dev fixes → re-audit; repeat until all resolved. Sign-off → Deploy
 
 ## Deploy
-After completion → Docker Compose + K8s. See docs/sdlc/deploy/
+After Security + Principle Engineer sign-off → Docker Compose + K8s. See docs/sdlc/deploy/
+
+## Maintenance
+After Deploy → ongoing: monitoring, bug fixes, patches, dependency updates, performance tuning. Significant new features → loop back to PO for new epic. See docs/sdlc/maintenance/
 `;
 
 const AGENTS_MD_CONTENT = `## SDLC Workflow
@@ -431,32 +459,36 @@ When working on requirements, features, or handoffs, follow these phases:
 
 1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
 2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved; then QE + Dev
+3. **Design (if app/web)** — Design specs + wireframes → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved
+4. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
 6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
 7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
-8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
-9. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+8. **QE (testing + UAT)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) + UAT → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
+9. **Security + Principle Engineer** — Security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy
+10. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+11. **Maintenance** — Monitoring, bug fixes, patches, dependency updates → docs/sdlc/maintenance/
 
-Design: invoke Pencil.dev MCP; PO and BA review design; loop until approved. After the docs phase, the Dev team runs implementation immediately. See docs/sdlc/agents/
+Design before Architect (UX drives tech). After the docs phase, the Dev team runs implementation immediately. See docs/sdlc/agents/
 `;
 
 const CLAUDE_SDLC_CONTENT = `## SDLC Workflow
 
-**Trigger on idea:** When the user sends an idea, feature request, or requirement, run the pipeline continuously: Phase 1 (PO) → 2 → … → 7 (Deploy). One role per phase (single agent = switch role each phase). Do not stop after one phase unless the user asks.
+**Trigger on idea:** When the user sends an idea, feature request, or requirement, run the pipeline continuously: Phase 1 (PO) → 2 → … → Deploy → Maintenance. One role per phase (single agent = switch role each phase). Do not stop after one phase unless the user asks.
 
-1. **PO** — PRD, user stories → docs/sdlc/po/{epic-slug}/ (one folder per epic)
-2. **Business BA** — FRS, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
-3. **Architect** — ADRs, diagrams → docs/sdlc/architecture/
-4. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
-5. **Design (if app/web)** — Pencil.dev designs → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved
+1. **PO** — PRD, user stories, feasibility assessment → docs/sdlc/po/{epic-slug}/ (one folder per epic)
+2. **Business BA** — FRS, NFR, process flows → docs/sdlc/ba/business/{epic-slug}/ (one folder per epic)
+3. **Design (if app/web)** — Design specs + wireframes → docs/sdlc/design/{epic-slug}/; **PO + BA review** until approved
+4. **Architect** — ADRs, diagrams, security by design → docs/sdlc/architecture/
+5. **Technical BA** — API specs, team breakdown → docs/sdlc/ba/technical/
 6. **QE (docs)** — Test plan, test cases → docs/sdlc/qe/{epic-slug}/ (one folder per epic)
-7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/
-8. **QE (testing)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
-9. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+7. **Dev** — After docs phase → **run implementation immediately**. Tech Lead + Senior Dev → docs/sdlc/dev/{role}/. Security shift-left: OWASP checks, dependency audit in CI
+8. **QE (testing + UAT)** — QE Lead (15+ yrs automation) + Senior QE (10+ yrs) + UAT → docs/sdlc/qe/{epic-slug}/ (same folder per epic)
+9. **Security + Principle Engineer** — Security + logic audit; **fix loop** (Dev fixes → re-audit) until all issues resolved; sign-off before Deploy
+10. **Deploy** — Docker Compose + K8s → docs/sdlc/deploy/
+11. **Maintenance** — Monitoring, bug fixes, patches, dependency updates → docs/sdlc/maintenance/
 
-Design: Pencil.dev MCP; PO and BA review; loop until approved. After the docs phase, Dev runs implementation immediately. See docs/sdlc/agents/
+Design before Architect (UX drives tech). After the docs phase, Dev runs implementation immediately. See docs/sdlc/agents/
 `;
 
 const SDLC_WORKFLOW_MD = `# SDLC Workflow (Multi-Role)
@@ -473,7 +505,7 @@ For Cursor, see .cursor/rules/sdlc-workflow.mdc
 ## Flow
 
 \`\`\`
-User Request → PO → Business BA → Architect → Technical BA → Design (if app/web, PO+BA review loop) → QE (docs) → Dev → QE (testing) → Deploy
+User Request → PO → Business BA → Design (if app/web) → Architect → Technical BA → QE (docs) → Dev → QE (testing + UAT) → Security + PE audit → [fix loop] → Deploy → Maintenance
 \`\`\`
 
 ## Phase Checklist
@@ -483,59 +515,76 @@ User Request → PO → Business BA → Architect → Technical BA → Design (i
 | 0 | Discovery | Raw request |
 | 1 | PO | PRD, user stories |
 | 2 | Business BA | FRS, process flows |
-| 3 | Architect | ADRs, system diagrams |
-| 4 | Technical BA | API specs, tech breakdown |
-| 4b | Design (if app/web) | Pencil.dev designs; PO+BA review until approved |
-| 5a | QE (docs) | Test plan, test cases |
-| 5b | Dev | Code, unit tests (≥90%) |
-| 6 | QE (testing) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, sign-off |
-| 7 | Deploy | Docker Compose + K8s |
-
-**Sub-agents**: Each role runs as a sub-agent (PO, Business BA, Architect, Technical BA, QE Lead, Senior QE, Tech Lead, Senior Dev). See docs/sdlc/agents/
+| 3 | Design (if app/web) | Design specs + wireframes; PO+BA review until approved |
+| 4 | Architect | ADRs, system diagrams |
+| 5 | Technical BA | API specs, tech breakdown |
+| 6 | QE (docs) | Test plan, test cases |
+| 7 | Dev | Code, unit tests (≥90%) |
+| 8 | QE (testing + UAT) | QE Lead (15+ yrs automation) + Senior QE (10+ yrs), automation, UAT, sign-off |
+| 9 | Security + Principle Engineer | Security + logic audit; fix loop until all issues resolved; sign-off → Deploy |
+| 10 | Deploy | Docker Compose + K8s |
+| 11 | Maintenance | Monitoring, bug fixes, patches, dependency updates |
+
+**Sub-agents**: Each role runs as a sub-agent. See docs/sdlc/agents/
 
 ## Phase Details
 
 ### Phase 1: PO
-- Epic brief, user stories, acceptance criteria
+- Feasibility study (technical, operational, economic), epic brief, user stories, acceptance criteria
 - Output: \`docs/sdlc/po/{epic-slug}/\` — **one folder per epic**; do not put all epics in one file
 
 ### Phase 2: Business BA
-- Functional requirements, process flows, use cases
+- Functional requirements (FR), **non-functional requirements (NFR)** (performance, scalability, availability, security, usability), process flows, use cases
 - Output: \`docs/sdlc/ba/business/{epic-slug}/\` — **one folder per epic** (same slug as PO); do not merge into one file
 
-### Phase 3: Architect
-- System context, container diagram, ADRs, tech stack
+### Phase 3: Design (optional — app/web only)
+- Create design specs (Markdown) + optional HTML wireframes based on idea + PO + BA docs. **Design before Architect so UX drives tech.**
+- Output: \`docs/sdlc/design/{epic-slug}/\` — design-spec.md + optional wireframes/
+- **PO + Business BA review**: Both check design vs epic/FRS; if not aligned → feedback → redesign loop until approved
+- When approved → handoff to Architect
+
+### Phase 4: Architect
+- System context, container diagram, ADRs, tech stack, **security by design** (threat model, auth architecture, encryption, secrets mgmt). Input: Business BA (FR + NFR) + Design (if app/web)
 - Output: \`docs/sdlc/architecture/\`
 
-### Phase 4: Technical BA
-- API specs, DB schema, team breakdown
+### Phase 5: Technical BA
+- API specs, DB schema, team breakdown. Input: Architect + Design (if app/web)
 - Output: \`docs/sdlc/ba/technical/\`
 
-### Phase 4b: Design (optional — app/web only)
-- Invoke **Pencil.dev** (MCP) to design based on idea + PO + BA + Technical BA docs
-- Output: \`docs/sdlc/design/{epic-slug}/\` — .pen designs
-- **PO + Business BA review**: Both check design vs epic/FRS; if not aligned → feedback → redesign loop until approved
-- When approved → handoff to QE + Dev
-
 ### Phase 5a: QE (Docs)
 - Test plan, test cases
 - Output: \`docs/sdlc/qe/{epic-slug}/\` — **one folder per epic**; do not put all epics in one file
 - **After docs phase → Dev team runs implementation immediately** (no extra gate)
 
 ### Phase 5b: Dev Teams
-- **Tech Lead (15+ yrs)**: Tech stack, review & merge. Output: \`docs/sdlc/dev/tech-lead/\`
+- **Tech Lead (15+ yrs)**: Tech stack, review & merge, **security review (Shift Left)**: OWASP check, dependency audit, SAST in CI. Output: \`docs/sdlc/dev/tech-lead/\`
 - **Implementation roles** (all Senior 10+ yrs; use only what applies): Senior Dev, Senior Frontend, Senior Backend, Senior Mobile, Senior Embedded, Senior Data/ML, Senior Platform → \`docs/sdlc/dev/{role}/\`. See \`implementation-roles.template.md\`.
-- **Requirement**: Unit Test coverage **≥ 90%**
+- **Requirement**: Unit Test coverage **≥ 90%**; security practices (input validation, no hardcoded secrets)
 - **Then**: QE starts testing phase
 
-### Phase 6: QE (Testing — automation)
+### Phase 6: QE (Testing — automation + UAT)
 - **QE Lead (15+ yrs automation)**: Test strategy, framework choice, automation architecture; review test code. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
 - **Senior QE (10+ yrs)**: Write automation tests per QE Lead's strategy. Output per epic: \`docs/sdlc/qe/{epic-slug}/\`
+- **UAT (User Acceptance Testing)**: Verify implementation against original user stories and acceptance criteria from PO; confirm business requirements are met from end-user perspective. Output: \`qe/{epic-slug}/uat-results.md\`
+- **Handoff to Security + Principle Engineer**
+
+### Phase 7: Security + Principle Engineer (audit → fix loop)
+- **Security team**: Audit security risk (OWASP, auth, secrets, infra). Output: \`docs/sdlc/security/\`
+- **Principle Engineer**: Audit logic, architecture alignment, correctness. Output: \`docs/sdlc/principle-engineer/\`
+- **Fix loop**: If issues found → Dev fixes → Security + PE re-audit. **Repeat until all issues resolved.** Sign-off → **Handoff to Deploy**
 
-### Phase 7: Deploy
-- After pipeline completes → deploy with **Docker Compose** (local/staging) and **Kubernetes** (production)
+### Phase 8: Deploy
+- After Security + Principle Engineer sign-off → deploy with **Docker Compose** (local/staging) and **Kubernetes** (production)
 - Output: \`docs/sdlc/deploy/\` — docker-compose.yml, k8s/
 
+### Phase 9: Maintenance
+- **Monitoring**: Health checks, error tracking, alerting, SLA dashboards
+- **Bug fixes**: Triage, fix, test, deploy per severity
+- **Dependency updates**: Regular security patches, library upgrades
+- **Performance tuning**: Monitor vs NFR targets; optimize bottlenecks
+- **Feature iteration**: Small enhancements from feedback; significant scope → new PO epic
+- Output: \`docs/sdlc/maintenance/\` — runbooks, incident logs
+
 See [reference.md](./reference.md) for templates.
 `;
 
@@ -545,25 +594,27 @@ const ORCHESTRATION_MD = `# Pipeline orchestration
 
 When the user sends an **idea**, **feature request**, or **requirement** (e.g. "I want a login page", "We need an API for X"):
 
-1. **Trigger the full pipeline** and run **Phase 1 → 2 → … → 7 in sequence**.
+1. **Trigger the full pipeline** and run **Phase 1 → 2 → … → 11 in sequence**.
 2. **One role per phase:** For each phase, act only as that role, write outputs to the correct \`docs/sdlc/...\` folder, then **continue to the next phase** without asking the user to "run next step".
-3. **Run through to Deploy.** Do not stop after PO, BA, or Dev unless the user explicitly says to stop.
+3. **Run through to Maintenance.** Do not stop after PO, BA, or Dev unless the user explicitly says to stop.
 
 ## How it runs (Cursor and similar)
 
-There is **one agent** per conversation. It simulates the pipeline by **adopting one role per phase** in order: Phase 1 as PO only → Phase 2 as Business BA only → … → Phase 7 as Deploy. Do not mix roles in one step. If the tool later supports separate agents per phase, use that; otherwise this single-agent simulation is correct.
+There is **one agent** per conversation. It simulates the pipeline by **adopting one role per phase** in order: Phase 1 as PO only → Phase 2 as Business BA only → … → Phase 11 as Maintenance. Do not mix roles in one step. If the tool later supports separate agents per phase, use that; otherwise this single-agent simulation is correct.
 
 ## Checklist per run
 
 - [ ] Phase 1 PO: artifacts in \`docs/sdlc/po/{epic-slug}/\` (one folder per epic)
 - [ ] Phase 2 Business BA: \`docs/sdlc/ba/business/{epic-slug}/\` (one folder per epic)
-- [ ] Phase 3 Architect: \`docs/sdlc/architecture/\`
-- [ ] Phase 4 Technical BA: \`docs/sdlc/ba/technical/\`
-- [ ] Phase 4b Design (if app/web): Pencil.dev designs in \`docs/sdlc/design/{epic-slug}/\`; PO+BA review until approved
-- [ ] Phase 5a QE docs: \`docs/sdlc/qe/{epic-slug}/\` (one folder per epic)
-- [ ] Phase 5b Dev: code + unit tests, \`docs/sdlc/dev/\`
-- [ ] Phase 6 QE testing: automation, sign-off → \`docs/sdlc/qe/{epic-slug}/\`
-- [ ] Phase 7 Deploy: \`docs/sdlc/deploy/\`, Docker Compose + K8s
+- [ ] Phase 3 Design (if app/web): design specs + wireframes in \`docs/sdlc/design/{epic-slug}/\`; PO+BA review until approved
+- [ ] Phase 4 Architect: \`docs/sdlc/architecture/\`
+- [ ] Phase 5 Technical BA: \`docs/sdlc/ba/technical/\`
+- [ ] Phase 6 QE docs: \`docs/sdlc/qe/{epic-slug}/\` (one folder per epic)
+- [ ] Phase 7 Dev: code + unit tests, \`docs/sdlc/dev/\`
+- [ ] Phase 8 QE testing + UAT: automation, UAT against user stories, sign-off → \`docs/sdlc/qe/{epic-slug}/\`
+- [ ] Phase 9 Security + Principle Engineer: \`docs/sdlc/security/\`, \`docs/sdlc/principle-engineer/\`; fix loop until no issues; sign-off
+- [ ] Phase 10 Deploy: \`docs/sdlc/deploy/\`, Docker Compose + K8s
+- [ ] Phase 11 Maintenance: monitoring, bug fixes, patches, dependency updates → \`docs/sdlc/maintenance/\`
 `;
 
 const REFERENCE_MD = `# SDLC Workflow — Reference
@@ -577,8 +628,11 @@ Deploy: docs/sdlc/deploy/ (Docker Compose + K8s)
 
 - **PO**: \`docs/sdlc/po/{epic-slug}/\` — one folder per epic. Files: epic-brief.md, user-stories.md. Do not put all epics in one file.
 - **Business BA**: \`docs/sdlc/ba/business/{epic-slug}/\` — same slug as PO. Files: functional-requirements.md, process-flows.md. Do not merge all epics into one file.
-- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — Pencil.dev .pen designs; PO+BA review until approved.
+- **Design (if app/web)**: \`docs/sdlc/design/{epic-slug}/\` — design specs (Markdown) + optional HTML wireframes; PO+BA review until approved.
 - **QE**: \`docs/sdlc/qe/{epic-slug}/\` — same slug as PO/BA. Files: test-plan.md, test-cases.md, automation. Do not put all epics in one file.
+- **Security**: \`docs/sdlc/security/\` — security audit; fix loop until no issues
+- **Principle Engineer**: \`docs/sdlc/principle-engineer/\` — logic audit; fix loop until no issues
+- **Maintenance**: \`docs/sdlc/maintenance/\` — monitoring, bug fixes, patches, runbooks
 `;
 
 const AGENTS_README = `# Sub-Agents
@@ -589,9 +643,9 @@ Every role in the SDLC runs as a **sub-agent**. Each phase is assigned to a corr
 |------|-----------|--------|--------|
 | PO | po | User request | docs/sdlc/po/{epic-slug}/ (one folder per epic) |
 | Business BA | business-ba | docs/sdlc/po/{epic-slug}/ | docs/sdlc/ba/business/{epic-slug}/ (one folder per epic) |
-| Architect | architect | docs/sdlc/ba/business/ | docs/sdlc/architecture/ |
-| Technical BA | technical-ba | docs/sdlc/architecture/ | docs/sdlc/ba/technical/ |
-| Design (if app/web) | pencil-dev | docs/sdlc/po + ba + technical | docs/sdlc/design/{epic-slug}/; PO+BA review until approved |
+| Design (if app/web) | design | docs/sdlc/po + docs/sdlc/ba/business/ | docs/sdlc/design/{epic-slug}/; PO+BA review until approved |
+| Architect | architect | docs/sdlc/ba/business/ + design (if any) | docs/sdlc/architecture/ |
+| Technical BA | technical-ba | docs/sdlc/architecture/ + design (if any) | docs/sdlc/ba/technical/ |
 | QE (docs) | qe-docs | docs/sdlc/ba/technical/ (+ design if any) | docs/sdlc/qe/{epic-slug}/ (one folder per epic) |
 | Tech Lead | tech-lead | Technical spec | Review, merge, docs/sdlc/dev/tech-lead/ |
 | Senior Dev | senior-dev | Spec + test plan | After docs → run implementation immediately. Code, unit tests (≥90%) |
@@ -603,16 +657,55 @@ Every role in the SDLC runs as a **sub-agent**. Each phase is assigned to a corr
 | Senior Platform | platform | Infra spec | CI/CD, observability, docs/sdlc/dev/platform/ |
 | QE Lead | qe-lead | Test plan | 15+ yrs automation: strategy, framework, review → docs/sdlc/qe/{epic-slug}/ |
 | Senior QE | senior-qe | Test plan + framework | Automation tests → docs/sdlc/qe/{epic-slug}/ |
-| Deploy | deploy | QE sign-off | Docker Compose + K8s, docs/sdlc/deploy/ |
+| Security | security | Code, infra | Security audit → docs/sdlc/security/; fix loop until no issues |
+| Principle Engineer | principle-engineer | Code, architecture | Logic audit → docs/sdlc/principle-engineer/; fix loop until no issues |
+| Deploy | deploy | Security + PE sign-off (after fix loop) | Docker Compose + K8s, docs/sdlc/deploy/ |
+| Maintenance | maintenance | Live application | Monitoring, bug fixes, patches, docs/sdlc/maintenance/ |
 
 Orchestrator: run each sub-agent in order; hand off output → input of the next sub-agent.
 
 **Trigger:** On user idea/request, run the full pipeline (see docs/sdlc/ORCHESTRATION.md). One role per phase; single agent simulates by switching role each phase. Do not stop after one phase until Deploy unless the user asks.
 `;
 
+const SECURITY_README = `# Security Team
+
+**When:** After implementation (Dev) and QE testing. **Before** Deploy.
+
+**Role:** Audit security risk in code, APIs, infra, and configuration. Identify vulnerabilities and recommend mitigations.
+
+**Fix loop:** If issues found → Dev fixes → re-audit. Repeat until all issues resolved; then sign-off to Deploy.
+
+## Detailed tasks
+
+- [ ] **Read implementation**: Code, API specs, infra configs (docker-compose, k8s)
+- [ ] **Security audit**: OWASP Top 10, auth/authz, injection, XSS, CSRF, secrets exposure, dependency vulns
+- [ ] **Infra/ops security**: Network, TLS, RBAC, secrets management
+- [ ] **Report**: Findings, severity, remediation; output to \`docs/sdlc/security/\`
+- [ ] **Fix loop**: If critical/high issues found → Dev fixes → re-audit. **Repeat until all issues resolved**; then sign-off to Deploy.
+`;
+
+const PRINCIPLE_ENGINEER_README = `# Principle Engineer
+
+**When:** After implementation (Dev) and QE testing. **Before** Deploy.
+
+**Role:** Audit logic, architecture alignment, design decisions, and technical quality. Ensure correctness and consistency with specs.
+
+**Fix loop:** If issues found → Dev fixes → re-audit. Repeat until all issues resolved; then sign-off to Deploy.
+
+## Detailed tasks
+
+- [ ] **Read implementation**: Code, architecture ADRs, Technical BA spec
+- [ ] **Logic audit**: Business logic correctness, edge cases, error handling, data flow
+- [ ] **Architecture audit**: Alignment with ADRs, patterns, scalability, maintainability
+- [ ] **Report**: Findings, recommendations; output to \`docs/sdlc/principle-engineer/\`
+- [ ] **Fix loop**: If critical logic/arch issues found → Dev fixes → re-audit. **Repeat until all issues resolved**; then sign-off to Deploy.
+`;
+
 const DEPLOY_README = `# Deploy
 
-After the pipeline completes (QE sign-off), deploy immediately with:
+After the pipeline completes (Security + Principle Engineer sign-off, after fix loop until no issues), deploy immediately with:
+
+**After Deploy → Maintenance phase**: monitoring, bug fixes, patches, dependency updates.
 
 - **Docker Compose** — local / staging: \`docker compose up -d\`
 - **Kubernetes** — production: \`kubectl apply -f k8s/\`
@@ -724,6 +817,12 @@ const PO_EPIC_TEMPLATE = `# Epic: [Name]
 ## Priority
 Must have / Should have / Could have
 
+## Feasibility Assessment
+- **Technical**: [Can we build this with current tech/team? Any unknowns?]
+- **Operational**: [Can we deploy, run, and support this? Any ops constraints?]
+- **Economic**: [ROI justification; cost vs. value]
+- **Go / No-go**: [Recommended | Needs further investigation | Not recommended]
+
 ## Dependencies & Risks
 - ...
 `;
@@ -738,6 +837,7 @@ const PO_README = `# PO (Product Owner)
 
 ## Detailed tasks
 
+- [ ] **Feasibility study**: Assess technical feasibility (can we build it?), operational feasibility (can we run it?), economic feasibility (is the ROI worth it?). Document go/no-go recommendation
 - [ ] **Clarify vision**: Capture business problem, goals, success metrics
 - [ ] **Define scope**: Boundaries, in/out of scope, MVP vs later
 - [ ] **Write epic brief**: Problem, success metrics, high-level approach, project type
@@ -767,6 +867,18 @@ const BA_FR_TEMPLATE = `## FR-001: [Title]
 
 **Constraints**: [Compliance, SLA, etc.]
 
+---
+
+## NFR-001: [Title]
+
+**Category**: [Performance | Scalability | Availability | Security | Usability | Accessibility | Compliance — pick one]
+
+**Description**: [What quality attribute the system must meet]
+
+**Metric / Target**: [e.g. response time < 200ms p95, 99.9% uptime, WCAG 2.1 AA]
+
+**Measurement**: [How to verify — load test, monitoring, audit]
+
 ---
 *Use for any project type: product feature (UI/API), library behaviour, CLI behaviour, data pipeline, or platform capability.*
 `;
@@ -790,13 +902,14 @@ docs/sdlc/ba/business/
 
 ## Detailed tasks
 
-- [ ] **Read PO outputs**: Epic brief, user stories, acceptance criteria
+- [ ] **Read PO outputs**: Epic brief, user stories, acceptance criteria, feasibility assessment
 - [ ] **Define functional requirements**: For each requirement: type, description, trigger, process flow, output, constraints (use FR-001, FR-002...)
+- [ ] **Define non-functional requirements (NFR)**: Performance (response time, throughput), scalability (load targets), availability (SLA/uptime), security (auth, encryption, compliance), usability, accessibility. Use NFR-001, NFR-002...
 - [ ] **Document process flows**: Step-by-step business flows (e.g. BPMN, flowcharts, numbered lists)
 - [ ] **Write use cases**: Actor, goal, preconditions, main/alternate flows, postconditions
 - [ ] **Maintain glossary**: Business terms, definitions, acronyms
-- [ ] **Map to user stories**: Trace FRs to user stories / AC
-- [ ] **Handoff to Architect**: Deliverables in \`ba/business/{epic-slug}/\`
+- [ ] **Map to user stories**: Trace FRs + NFRs to user stories / AC
+- [ ] **Handoff to Design (if app/web) or Architect**: Deliverables in \`ba/business/{epic-slug}/\`
 
 Use functional-requirement.template.md for FRS items.
 `;
@@ -903,6 +1016,7 @@ Templates support: HTTP API, library/SDK, CLI, and all project types (see api-sp
 ## Detailed tasks
 
 - [ ] **Read Architect outputs**: ADRs, context/container diagrams, tech stack
+- [ ] **Read Design (if app/web)**: design-spec.md + wireframes — design informs API contracts, screen specs
 - [ ] **API/interface spec**: For each endpoint/class/command: purpose, request/response, contract (OpenAPI, TS types, CLI help)
 - [ ] **DB schema**: Tables, columns, indexes, constraints; migrations approach
 - [ ] **Team breakdown**: Map scope to teams (Backend, Frontend, Mobile, etc.) per project type; dependencies
@@ -937,11 +1051,13 @@ Use adr.template.md for new ADRs.
 ## Detailed tasks
 
 - [ ] **Read Business BA outputs**: Functional requirements, process flows, use cases
+- [ ] **Read Design (if app/web)**: design-spec.md in \`design/{epic-slug}/\` — design informs architecture
 - [ ] **Context diagram**: System boundary, external actors, integrations
 - [ ] **Container diagram**: Main components/services and their responsibilities
 - [ ] **Tech stack decisions**: Languages, frameworks, databases; document in ADRs
 - [ ] **ADR per decision**: Context, decision, consequences (scope: backend, frontend, mobile, etc.)
-- [ ] **Non-functional alignment**: Performance, security, scalability, compliance
+- [ ] **Non-functional alignment**: Performance, security, scalability, compliance — reference NFRs from Business BA
+- [ ] **Security by design (Shift Left)**: Threat model (STRIDE/attack surface), auth/authz architecture, data encryption at rest/transit, secrets management approach, dependency security policy. Document in ADR
 - [ ] **Handoff to Technical BA**: Architecture docs, ADRs in \`architecture/\`
 `;
 
@@ -982,7 +1098,8 @@ const QE_README = `# QE (Quality Engineering)
 
 - [ ] **QE Lead**: Test strategy, framework, review test code
 - [ ] **Senior QE**: Write automation tests per test plan
-- [ ] **Sign-off**: Regression, coverage, release readiness in \`qe/{epic-slug}/\`
+- [ ] **UAT (User Acceptance Testing)**: Verify against original user stories and acceptance criteria from PO; confirm business requirements are met from end-user perspective. Document UAT results in \`qe/{epic-slug}/uat-results.md\`
+- [ ] **Sign-off**: Regression, coverage, UAT pass, release readiness in \`qe/{epic-slug}/\`
 
 Example:
 \`\`\`
@@ -998,7 +1115,7 @@ docs/sdlc/qe/
 
 Two phases:
 1. **Docs phase** — Test plan, test cases per epic in \`qe/{epic-slug}/\`. Done → **Dev runs implementation immediately**.
-2. **Testing phase** — After Dev completes unit tests: QE Lead (15+ yrs automation: strategy, framework, review) + Senior QE (automation) output to the same \`qe/{epic-slug}/\` (or subfolders there).
+2. **Testing phase** — After Dev completes unit tests: QE Lead (15+ yrs automation: strategy, framework, review) + Senior QE (automation) + **UAT** (verify against user stories/AC) output to the same \`qe/{epic-slug}/\` (or subfolders there).
 
 Use test-case.template.md for test cases.
 `;
@@ -1045,25 +1162,99 @@ const QE_SENIOR_README = `# Senior QE (10+ years exp)
 
 const DESIGN_README = `# Design (optional — app/web projects only)
 
-**When:** After Technical BA, before QE and Dev. **Skip** for API-only, library, CLI, data/ML, platform projects without UI.
+**When:** After Business BA, **before** Architect and Technical BA. **Skip** for API-only, library, CLI, data/ML, platform projects without UI.
+
+**Why before Architect:** UX drives technical decisions — design informs architecture and API specs.
+
+**One folder per epic:** \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Store design specs and wireframes there.
+
+## Output format
 
-**One folder per epic:** \`docs/sdlc/design/{epic-slug}/\` — same slug as PO/BA. Store .pen files and design notes there.
+- **design-spec.md** — Markdown design spec: screen inventory, component hierarchy, user flows, responsive breakpoints, interaction notes.
+- **wireframes/*.html** (optional) — Static HTML/CSS wireframes; open in any browser, no external tools needed. Keep them simple (layout + structure, not pixel-perfect).
 
 ## Flow
 
-1. **Design sub-agent (Pencil.dev)**: Create UI/UX designs based on idea + PO docs + Business BA FRS + Technical BA spec. Use Pencil MCP tools (\`batch_design\`, \`get_guidelines\`, \`get_style_guide\`, etc.) to produce .pen designs.
-2. **PO + Business BA review**: Both roles review the design against epic brief, user stories, functional requirements.
+1. **Design sub-agent**: Create UI/UX design specs based on idea + PO docs + Business BA FRS. Write \`design-spec.md\` describing every screen, component, and user flow. Optionally generate HTML wireframes for key screens.
+2. **PO + Business BA review**: Both roles review the design spec against epic brief, user stories, functional requirements.
 3. **Loop until approved**: If design does not match idea/docs → return to step 1 with feedback; redesign. Repeat until PO and BA approve.
-4. **Handoff to QE + Dev**: Once approved → proceed to QE (docs) and Dev.
+4. **Handoff to Architect**: Once approved → proceed to Architect (design informs architecture and Technical BA).
 
 ## Detailed tasks
 
-- [ ] **Invoke Pencil.dev**: Call design sub-agent (Pencil MCP) with PO epic, BA FRS, Technical BA spec as context
-- [ ] **Create designs**: Screens, flows, components in .pen format; output to \`design/{epic-slug}/\`
+- [ ] **Gather context**: Read PO epic brief, BA FRS, user stories as input
+- [ ] **Screen inventory**: List all screens/pages with purpose and key elements
+- [ ] **Component hierarchy**: Define reusable components, layout structure, navigation
+- [ ] **User flows**: Document step-by-step flows for each user story (include happy path + error states)
+- [ ] **Responsive breakpoints**: Define mobile / tablet / desktop behavior
+- [ ] **Write design-spec.md**: Full design spec in Markdown; output to \`design/{epic-slug}/\`
+- [ ] **HTML wireframes** (optional): Generate static HTML/CSS wireframes for key screens in \`design/{epic-slug}/wireframes/\`
 - [ ] **PO review**: Check design aligns with epic brief, user stories, acceptance criteria
 - [ ] **Business BA review**: Check design matches functional requirements, process flows
 - [ ] **If not approved**: Capture feedback; loop back to design step with specific changes
-- [ ] **If approved**: Handoff to QE and Dev; design in \`design/{epic-slug}/\`
+- [ ] **If approved**: Handoff to Architect; design in \`design/{epic-slug}/\`
+`;
+
+const DESIGN_SPEC_TEMPLATE = `# Design Spec: [Epic Name]
+
+## Overview
+[Brief description of what this design covers and the problem it solves]
+
+## Screen Inventory
+
+| # | Screen / Page | Purpose | Key Elements |
+|---|--------------|---------|--------------|
+| 1 | | | |
+
+## User Flows
+
+### Flow 1: [Flow Name]
+1. User lands on [screen]
+2. User [action] → [result]
+3. ...
+
+**Happy path:** ...
+**Error states:** ...
+
+## Component Hierarchy
+
+\`\`\`
+App
+├── Layout
+│   ├── Header (nav, user menu)
+│   ├── Sidebar (optional)
+│   └── Main Content
+│       ├── [Component A]
+│       └── [Component B]
+└── Footer
+\`\`\`
+
+## Screen Details
+
+### Screen: [Name]
+- **URL / Route:** \`/path\`
+- **Purpose:** ...
+- **Layout:** [description or ASCII wireframe]
+- **Components:** [list key components]
+- **Interactions:** [click, hover, form submit behaviors]
+- **Data:** [what data is displayed / submitted]
+
+## Responsive Breakpoints
+
+| Breakpoint | Width | Layout Changes |
+|-----------|-------|---------------|
+| Mobile | < 768px | Single column, hamburger nav |
+| Tablet | 768–1024px | ... |
+| Desktop | > 1024px | Full layout |
+
+## Design Tokens (optional)
+
+- **Primary color:** ...
+- **Typography:** ...
+- **Spacing:** ...
+
+## Notes
+[Any additional context, constraints, or decisions]
 `;
 
 const DEV_TECH_LEAD_README = `# Tech Lead (15+ years exp)
@@ -1079,7 +1270,8 @@ const DEV_TECH_LEAD_README = `# Tech Lead (15+ years exp)
 - [ ] **Tech stack decision**: Languages, frameworks, libraries; document in ADR
 - [ ] **Project setup**: Repo structure, tooling, lint, format, CI baseline
 - [ ] **Code review**: Architecture alignment, patterns, test coverage, security
-- [ ] **Merge approval**: Enforce quality gates before merge
+- [ ] **Security review (Shift Left)**: OWASP Top 10 check, input validation, auth/authz, secrets not hardcoded, dependency audit (npm audit / pip audit / etc.), SAST scan in CI
+- [ ] **Merge approval**: Enforce quality gates before merge (tests, coverage, security scan pass)
 - [ ] **Tech guidance**: Resolve technical disputes; mentor team
 - [ ] **Output**: ADRs, review checklist in \`dev/tech-lead/\`
 `;
@@ -1095,8 +1287,9 @@ const DEV_SENIOR_README = `# Senior Developer (10+ years exp)
 
 - [ ] **Read Technical BA spec**: API, schema, team breakdown
 - [ ] **Implement feature**: Code per spec; follow Tech Lead stack
+- [ ] **Security practices (Shift Left)**: Input validation, parameterized queries, no hardcoded secrets, follow Architect's security ADR
 - [ ] **Unit tests**: Coverage **≥ 90%**; edge cases, error paths
-- [ ] **PR**: Lint, tests passing; request Tech Lead review
+- [ ] **PR**: Lint, tests, security scan passing; request Tech Lead review
 - [ ] **Output**: Code + implementation notes in \`dev/senior-developer/\`
 `;
 
@@ -1230,4 +1423,22 @@ const DEV_PLATFORM_README = `# Senior Platform (10+ years exp) — infra, CI/CD
 - [ ] **Output**: Pipelines, infra code, runbooks in \`dev/platform/\`
 `;
 
+const MAINTENANCE_README = `# Maintenance
+
+**When:** After Deploy — ongoing throughout the product lifecycle.
+
+**Role:** Monitor production health, fix bugs, apply patches, upgrade dependencies, and evolve features based on user feedback.
+
+## Detailed tasks
+
+- [ ] **Monitoring setup**: Health checks, error tracking (Sentry, Datadog, etc.), alerting, SLA dashboards
+- [ ] **Bug triage**: Prioritize production bugs; severity classification (P0–P3)
+- [ ] **Bug fixes**: Follow Dev workflow (branch → fix → unit test → PR → review → deploy)
+- [ ] **Dependency updates**: Regular security patches, library upgrades; run audit tools
+- [ ] **Performance tuning**: Monitor metrics vs NFR targets; optimize bottlenecks
+- [ ] **Feature iteration**: Small enhancements from user feedback → loop back to PO for new epics if scope is significant
+- [ ] **Documentation**: Keep runbooks, incident logs, and post-mortems up to date
+- [ ] **Output**: Patches, updates, runbooks in \`docs/sdlc/maintenance/\`
+`;
+
 main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-workflow",
-  "version": "1.0.11",
+  "version": "1.2.0",
   "description": "Scaffold SDLC workflow docs and templates for Cursor, Claude, and dev teams",
   "type": "module",
   "bin": {