siesa-agents 2.1.1 → 2.1.3

package/claude/commands/BMad/tasks/nfr-assess.md

@@ -0,0 +1,349 @@
+# /nfr-assess Task
+
+When this command is used, execute the following task:
+
+<!-- Powered by BMAD™ Core -->
+
+# nfr-assess
+
+Quick NFR validation focused on the core four: security, performance, reliability, maintainability.
+
+## Inputs
+
+```yaml
+required:
+  - story_id: '{epic}.{story}' # e.g., "1.3"
+  - story_path: `bmad-core/core-config.yaml` for the `devStoryLocation`
+
+optional:
+  - architecture_refs: `bmad-core/core-config.yaml` for the `architecture.architectureFile`
+  - technical_preferences: `bmad-core/core-config.yaml` for the `technicalPreferences`
+  - acceptance_criteria: From story file
+```
+
+## Purpose
+
+Assess non-functional requirements for a story and generate:
+
+1. YAML block for the gate file's `nfr_validation` section
+2. Brief markdown assessment saved to `qa.qaLocation/assessments/{epic}.{story}-nfr-{YYYYMMDD}.md`
+
+## Process
+
+### 0. Fail-safe for Missing Inputs
+
+If story_path or story file can't be found:
+
+- Still create assessment file with note: "Source story not found"
+- Set all selected NFRs to CONCERNS with notes: "Target unknown / evidence missing"
+- Continue with assessment to provide value
+
+### 1. Elicit Scope
+
+**Interactive mode:** Ask which NFRs to assess
+**Non-interactive mode:** Default to core four (security, performance, reliability, maintainability)
+
+```text
+Which NFRs should I assess? (Enter numbers or press Enter for default)
+[1] Security (default)
+[2] Performance (default)
+[3] Reliability (default)
+[4] Maintainability (default)
+[5] Usability
+[6] Compatibility
+[7] Portability
+[8] Functional Suitability
+
+> [Enter for 1-4]
+```
+
+### 2. Check for Thresholds
+
+Look for NFR requirements in:
+
+- Story acceptance criteria
+- `docs/architecture/*.md` files
+- `docs/technical-preferences.md`
+
+**Interactive mode:** Ask for missing thresholds
+**Non-interactive mode:** Mark as CONCERNS with "Target unknown"
+
+```text
+No performance requirements found. What's your target response time?
+> 200ms for API calls
+
+No security requirements found. Required auth method?
+> JWT with refresh tokens
+```
+
+**Unknown targets policy:** If a target is missing and not provided, mark status as CONCERNS with notes: "Target unknown"
+
+### 3. Quick Assessment
+
+For each selected NFR, check:
+
+- Is there evidence it's implemented?
+- Can we validate it?
+- Are there obvious gaps?
+
+### 4. Generate Outputs
+
+## Output 1: Gate YAML Block
+
+Generate ONLY for NFRs actually assessed (no placeholders):
+
+```yaml
+# Gate YAML (copy/paste):
+nfr_validation:
+  _assessed: [security, performance, reliability, maintainability]
+  security:
+    status: CONCERNS
+    notes: 'No rate limiting on auth endpoints'
+  performance:
+    status: PASS
+    notes: 'Response times < 200ms verified'
+  reliability:
+    status: PASS
+    notes: 'Error handling and retries implemented'
+  maintainability:
+    status: CONCERNS
+    notes: 'Test coverage at 65%, target is 80%'
+```
+
+## Deterministic Status Rules
+
+- **FAIL**: Any selected NFR has critical gap or target clearly not met
+- **CONCERNS**: No FAILs, but any NFR is unknown/partial/missing evidence
+- **PASS**: All selected NFRs meet targets with evidence
+
+## Quality Score Calculation
+
+```
+quality_score = 100
+- 20 for each FAIL attribute
+- 10 for each CONCERNS attribute
+Floor at 0, ceiling at 100
+```
+
+If `technical-preferences.md` defines custom weights, use those instead.
+
+## Output 2: Brief Assessment Report
+
+**ALWAYS save to:** `qa.qaLocation/assessments/{epic}.{story}-nfr-{YYYYMMDD}.md`
+
+```markdown
+# NFR Assessment: {epic}.{story}
+
+Date: {date}
+Reviewer: Quinn
+
+<!-- Note: Source story not found (if applicable) -->
+
+## Summary
+
+- Security: CONCERNS - Missing rate limiting
+- Performance: PASS - Meets <200ms requirement
+- Reliability: PASS - Proper error handling
+- Maintainability: CONCERNS - Test coverage below target
+
+## Critical Issues
+
+1. **No rate limiting** (Security)
+   - Risk: Brute force attacks possible
+   - Fix: Add rate limiting middleware to auth endpoints
+
+2. **Test coverage 65%** (Maintainability)
+   - Risk: Untested code paths
+   - Fix: Add tests for uncovered branches
+
+## Quick Wins
+
+- Add rate limiting: ~2 hours
+- Increase test coverage: ~4 hours
+- Add performance monitoring: ~1 hour
+```
+
+## Output 3: Story Update Line
+
+**End with this line for the review task to quote:**
+
+```
+NFR assessment: qa.qaLocation/assessments/{epic}.{story}-nfr-{YYYYMMDD}.md
+```
+
+## Output 4: Gate Integration Line
+
+**Always print at the end:**
+
+```
+Gate NFR block ready → paste into qa.qaLocation/gates/{epic}.{story}-{slug}.yml under nfr_validation
+```
+
+## Assessment Criteria
+
+### Security
+
+**PASS if:**
+
+- Authentication implemented
+- Authorization enforced
+- Input validation present
+- No hardcoded secrets
+
+**CONCERNS if:**
+
+- Missing rate limiting
+- Weak encryption
+- Incomplete authorization
+
+**FAIL if:**
+
+- No authentication
+- Hardcoded credentials
+- SQL injection vulnerabilities
+
+### Performance
+
+**PASS if:**
+
+- Meets response time targets
+- No obvious bottlenecks
+- Reasonable resource usage
+
+**CONCERNS if:**
+
+- Close to limits
+- Missing indexes
+- No caching strategy
+
+**FAIL if:**
+
+- Exceeds response time limits
+- Memory leaks
+- Unoptimized queries
+
+### Reliability
+
+**PASS if:**
+
+- Error handling present
+- Graceful degradation
+- Retry logic where needed
+
+**CONCERNS if:**
+
+- Some error cases unhandled
+- No circuit breakers
+- Missing health checks
+
+**FAIL if:**
+
+- No error handling
+- Crashes on errors
+- No recovery mechanisms
+
+### Maintainability
+
+**PASS if:**
+
+- Test coverage meets target
+- Code well-structured
+- Documentation present
+
+**CONCERNS if:**
+
+- Test coverage below target
+- Some code duplication
+- Missing documentation
+
+**FAIL if:**
+
+- No tests
+- Highly coupled code
+- No documentation
+
+## Quick Reference
+
+### What to Check
+
+```yaml
+security:
+  - Authentication mechanism
+  - Authorization checks
+  - Input validation
+  - Secret management
+  - Rate limiting
+
+performance:
+  - Response times
+  - Database queries
+  - Caching usage
+  - Resource consumption
+
+reliability:
+  - Error handling
+  - Retry logic
+  - Circuit breakers
+  - Health checks
+  - Logging
+
+maintainability:
+  - Test coverage
+  - Code structure
+  - Documentation
+  - Dependencies
+```
+
+## Key Principles
+
+- Focus on the core four NFRs by default
+- Quick assessment, not deep analysis
+- Gate-ready output format
+- Brief, actionable findings
+- Skip what doesn't apply
+- Deterministic status rules for consistency
+- Unknown targets → CONCERNS, not guesses
+
+---
+
+## Appendix: ISO 25010 Reference
+
+<details>
+<summary>Full ISO 25010 Quality Model (click to expand)</summary>
+
+### All 8 Quality Characteristics
+
+1. **Functional Suitability**: Completeness, correctness, appropriateness
+2. **Performance Efficiency**: Time behavior, resource use, capacity
+3. **Compatibility**: Co-existence, interoperability
+4. **Usability**: Learnability, operability, accessibility
+5. **Reliability**: Maturity, availability, fault tolerance
+6. **Security**: Confidentiality, integrity, authenticity
+7. **Maintainability**: Modularity, reusability, testability
+8. **Portability**: Adaptability, installability
+
+Use these when assessing beyond the core four.
+
+</details>
+
+<details>
+<summary>Example: Deep Performance Analysis (click to expand)</summary>
+
+```yaml
+performance_deep_dive:
+  response_times:
+    p50: 45ms
+    p95: 180ms
+    p99: 350ms
+  database:
+    slow_queries: 2
+    missing_indexes: ['users.email', 'orders.user_id']
+  caching:
+    hit_rate: 0%
+    recommendation: 'Add Redis for session data'
+  load_test:
+    max_rps: 150
+    breaking_point: 200 rps
+```
+
+</details>

package/claude/commands/BMad/tasks/qa-gate.md

@@ -0,0 +1,167 @@
+# /qa-gate Task
+
+When this command is used, execute the following task:
+
+<!-- Powered by BMAD™ Core -->
+
+# qa-gate
+
+Create or update a quality gate decision file for a story based on review findings.
+
+## Purpose
+
+Generate a standalone quality gate file that provides a clear pass/fail decision with actionable feedback. This gate serves as an advisory checkpoint for teams to understand quality status.
+
+## Prerequisites
+
+- Story has been reviewed (manually or via review-story task)
+- Review findings are available
+- Understanding of story requirements and implementation
+
+## Gate File Location
+
+**ALWAYS** check the `bmad-core/core-config.yaml` for the `qa.qaLocation/gates`
+
+Slug rules:
+
+- Convert to lowercase
+- Replace spaces with hyphens
+- Strip punctuation
+- Example: "User Auth - Login!" becomes "user-auth-login"
+
+## Minimal Required Schema
+
+```yaml
+schema: 1
+story: '{epic}.{story}'
+gate: PASS|CONCERNS|FAIL|WAIVED
+status_reason: '1-2 sentence explanation of gate decision'
+reviewer: 'Quinn'
+updated: '{ISO-8601 timestamp}'
+top_issues: [] # Empty array if no issues
+waiver: { active: false } # Only set active: true if WAIVED
+```
+
+## Schema with Issues
+
+```yaml
+schema: 1
+story: '1.3'
+gate: CONCERNS
+status_reason: 'Missing rate limiting on auth endpoints poses security risk.'
+reviewer: 'Quinn'
+updated: '2025-01-12T10:15:00Z'
+top_issues:
+  - id: 'SEC-001'
+    severity: high # ONLY: low|medium|high
+    finding: 'No rate limiting on login endpoint'
+    suggested_action: 'Add rate limiting middleware before production'
+  - id: 'TEST-001'
+    severity: medium
+    finding: 'No integration tests for auth flow'
+    suggested_action: 'Add integration test coverage'
+waiver: { active: false }
+```
+
+## Schema when Waived
+
+```yaml
+schema: 1
+story: '1.3'
+gate: WAIVED
+status_reason: 'Known issues accepted for MVP release.'
+reviewer: 'Quinn'
+updated: '2025-01-12T10:15:00Z'
+top_issues:
+  - id: 'PERF-001'
+    severity: low
+    finding: 'Dashboard loads slowly with 1000+ items'
+    suggested_action: 'Implement pagination in next sprint'
+waiver:
+  active: true
+  reason: 'MVP release - performance optimization deferred'
+  approved_by: 'Product Owner'
+```
+
+## Gate Decision Criteria
+
+### PASS
+
+- All acceptance criteria met
+- No high-severity issues
+- Test coverage meets project standards
+
+### CONCERNS
+
+- Non-blocking issues present
+- Should be tracked and scheduled
+- Can proceed with awareness
+
+### FAIL
+
+- Acceptance criteria not met
+- High-severity issues present
+- Recommend return to InProgress
+
+### WAIVED
+
+- Issues explicitly accepted
+- Requires approval and reason
+- Proceed despite known issues
+
+## Severity Scale
+
+**FIXED VALUES - NO VARIATIONS:**
+
+- `low`: Minor issues, cosmetic problems
+- `medium`: Should fix soon, not blocking
+- `high`: Critical issues, should block release
+
+## Issue ID Prefixes
+
+- `SEC-`: Security issues
+- `PERF-`: Performance issues
+- `REL-`: Reliability issues
+- `TEST-`: Testing gaps
+- `MNT-`: Maintainability concerns
+- `ARCH-`: Architecture issues
+- `DOC-`: Documentation gaps
+- `REQ-`: Requirements issues
+
+## Output Requirements
+
+1. **ALWAYS** create gate file at: `qa.qaLocation/gates` from `bmad-core/core-config.yaml`
+2. **ALWAYS** append this exact format to story's QA Results section:
+
+   ```text
+   Gate: {STATUS} → qa.qaLocation/gates/{epic}.{story}-{slug}.yml
+   ```
+
+3. Keep status_reason to 1-2 sentences maximum
+4. Use severity values exactly: `low`, `medium`, or `high`
+
+## Example Story Update
+
+After creating gate file, append to story's QA Results section:
+
+```markdown
+## QA Results
+
+### Review Date: 2025-01-12
+
+### Reviewed By: Quinn (Test Architect)
+
+[... existing review content ...]
+
+### Gate Status
+
+Gate: CONCERNS → qa.qaLocation/gates/{epic}.{story}-{slug}.yml
+```
+
+## Key Principles
+
+- Keep it minimal and predictable
+- Fixed severity scale (low/medium/high)
+- Always write to standard path
+- Always update story with gate reference
+- Clear, actionable findings