smart-spec-kit-mcp 2.1.1 → 2.1.3

package/starter-kit/prompts/validate.md

@@ -0,0 +1,89 @@
+# Validation Prompt
+
+## Purpose
+
+Execute validation checks against customizable rules after specific workflow phases.
+
+## Validation Types
+
+Spec-Kit supports multiple validation types:
+
+1. **Security Validation** - Check security rules compliance
+2. **RGPD Validation** - Check GDPR/RGPD compliance
+3. **Architecture Validation** - Check architecture principles
+4. **Custom Validation** - Check custom project rules
+
+## Process
+
+### 1. Load Rules
+
+Load the appropriate rules file from `.spec-kit/rules/`:
+- `security-rules.md` for security validation
+- `rgpd-rules.md` for RGPD/GDPR validation
+- Custom files as defined by user
+
+### 2. Load Target Document
+
+Load the document to validate:
+- For **spec** phase: Load from `specs/*-spec.md`
+- For **plan** phase: Load from `specs/plan.md`
+- For **implementation** phase: Analyze recent code changes
+
+### 3. Evaluate Each Rule
+
+For each rule in the rules file:
+
+1. Determine if the rule is applicable to this feature
+2. Check if the requirement is addressed
+3. Mark status: ✅ Compliant | ⚠️ Partial | ❌ Non-Compliant | ➖ N/A
+4. Document evidence or gaps
+
+### 4. Generate Report
+
+Create a validation report with:
+- Summary statistics
+- Critical issues (blocking)
+- Warnings (should fix)
+- Recommendations (nice to have)
+
+## Validation Triggers
+
+Validations can be triggered:
+
+- **Manually**: `speckit: validate security` or `speckit: validate rgpd`
+- **In Workflow**: As a step in feature-full or custom workflows
+- **After Phase**: Automatically after spec or implementation
+
+## Output
+
+Save validation reports to:
+- `specs/validations/{type}-{date}.md`
+
+## Instructions for Copilot
+
+When performing validation:
+
+1. **Be Thorough**: Check every applicable rule
+2. **Be Specific**: Cite specific sections or code that address rules
+3. **Be Constructive**: Provide actionable recommendations
+4. **Be Honest**: Mark non-compliant if not addressed, don't assume
+
+## Custom Rules
+
+Users can create custom rules files in `.spec-kit/rules/`:
+
+```markdown
+# My Custom Rules
+
+## Category Name
+
+### RULE-001: Rule Title
+- [ ] Checklist item 1
+- [ ] Checklist item 2
+
+### RULE-002: Another Rule
+- [ ] Check this
+- [ ] Check that
+```
+
+Then trigger with: `speckit: validate my-custom-rules`

package/starter-kit/rules/rgpd-rules.md

@@ -0,0 +1,187 @@
+# RGPD/GDPR Validation Rules
+
+These rules are used by Spec-Kit to validate GDPR compliance after specification or implementation phases.
+
+> **Customization**: Edit this file to match your organization's data protection policies and local regulations.
+
+---
+
+## Data Identification
+
+### RGPD-001: Personal Data Inventory
+- [ ] All personal data collected is identified and documented
+- [ ] Data categories are classified (standard, sensitive, special)
+- [ ] Data sources are documented (user input, API, third-party)
+
+### RGPD-002: Data Mapping
+- [ ] Data flow is documented (collection → processing → storage → deletion)
+- [ ] All data processors are identified
+- [ ] Cross-border transfers documented (if applicable)
+
+---
+
+## Legal Basis (Article 6)
+
+### RGPD-010: Lawful Processing
+- [ ] Legal basis for each processing activity is documented
+  - [ ] Consent (freely given, specific, informed, unambiguous)
+  - [ ] Contract execution
+  - [ ] Legal obligation
+  - [ ] Vital interests
+  - [ ] Public interest
+  - [ ] Legitimate interests (with balancing test)
+
+### RGPD-011: Consent Management
+- [ ] Consent is obtained before processing (if consent-based)
+- [ ] Consent can be withdrawn as easily as given
+- [ ] Consent records are maintained
+- [ ] Age verification for minors (< 16 years)
+
+---
+
+## Data Subject Rights (Articles 12-22)
+
+### RGPD-020: Right to Information (Art. 13-14)
+- [ ] Privacy notice provided at data collection
+- [ ] Purpose of processing clearly stated
+- [ ] Data retention period communicated
+- [ ] Third-party sharing disclosed
+
+### RGPD-021: Right of Access (Art. 15)
+- [ ] Users can request copy of their data
+- [ ] Response within 30 days
+- [ ] Data provided in machine-readable format
+
+### RGPD-022: Right to Rectification (Art. 16)
+- [ ] Users can correct inaccurate data
+- [ ] Users can complete incomplete data
+- [ ] Updates propagated to third parties
+
+### RGPD-023: Right to Erasure / RTBF (Art. 17)
+- [ ] Users can request data deletion
+- [ ] Deletion includes backups (within reasonable time)
+- [ ] Third parties notified of erasure requests
+- [ ] Exceptions documented (legal retention, public interest)
+
+### RGPD-024: Right to Data Portability (Art. 20)
+- [ ] Data exportable in structured format (JSON, CSV)
+- [ ] Direct transfer to another controller (if feasible)
+
+### RGPD-025: Right to Object (Art. 21)
+- [ ] Users can object to processing
+- [ ] Objection mechanism easily accessible
+- [ ] Processing stops unless compelling grounds exist
+
+---
+
+## Data Protection Principles
+
+### RGPD-030: Data Minimization
+- [ ] Only necessary data collected
+- [ ] No "nice to have" data collection
+- [ ] Optional fields clearly marked
+
+### RGPD-031: Purpose Limitation
+- [ ] Data used only for stated purposes
+- [ ] New purposes require new consent/basis
+- [ ] No data repurposing without user knowledge
+
+### RGPD-032: Storage Limitation
+- [ ] Retention periods defined for each data type
+- [ ] Automatic deletion after retention period
+- [ ] Archival vs. active data distinguished
+
+### RGPD-033: Accuracy
+- [ ] Data kept up-to-date
+- [ ] Users can update their data
+- [ ] Inaccurate data corrected promptly
+
+---
+
+## Security Measures (Article 32)
+
+### RGPD-040: Technical Measures
+- [ ] Encryption at rest and in transit
+- [ ] Pseudonymization where possible
+- [ ] Access controls implemented
+- [ ] Regular security testing
+
+### RGPD-041: Organizational Measures
+- [ ] Staff trained on data protection
+- [ ] Data protection policies documented
+- [ ] Incident response procedures in place
+
+---
+
+## Third Parties & Processors
+
+### RGPD-050: Processor Agreements (Art. 28)
+- [ ] DPA (Data Processing Agreement) with all processors
+- [ ] Processor security measures verified
+- [ ] Sub-processors documented and approved
+
+### RGPD-051: International Transfers
+- [ ] Adequacy decision exists (for destination country)
+- [ ] Standard Contractual Clauses (SCCs) in place
+- [ ] Supplementary measures if required
+
+---
+
+## Documentation & Accountability
+
+### RGPD-060: Records of Processing (Art. 30)
+- [ ] Processing activities documented
+- [ ] ROPA (Record of Processing Activities) maintained
+- [ ] Available for supervisory authority
+
+### RGPD-061: DPIA (Art. 35)
+- [ ] DPIA required? (high-risk processing)
+- [ ] DPIA completed if required
+- [ ] Residual risks documented and accepted
+
+---
+
+## Validation Instructions
+
+When validating against these rules:
+
+1. **For Specifications**: Verify that data protection requirements are documented and RGPD compliance is designed-in
+2. **For Implementation**: Verify that code implements data protection measures and user rights mechanisms
+3. **Mark Status**:
+   - ✅ **Compliant**: Rule is fully addressed
+   - ⚠️ **Partial**: Rule is partially addressed, needs improvement
+   - ❌ **Non-Compliant**: Rule is not addressed, blocking issue
+   - ➖ **N/A**: Rule does not apply to this feature
+
+## Report Format
+
+```markdown
+## RGPD Compliance Report
+
+**Feature**: {feature_name}
+**Date**: {date}
+**Phase**: {spec|implementation}
+**DPO Review Required**: {yes|no}
+
+### Data Inventory
+| Data Type | Category | Legal Basis | Retention | Processors |
+|-----------|----------|-------------|-----------|------------|
+| email     | Personal | Consent     | 2 years   | SendGrid   |
+
+### Summary
+- Compliant: X rules
+- Partial: X rules
+- Non-Compliant: X rules
+- N/A: X rules
+
+### Findings
+
+#### Critical Issues (Blocking)
+{list blocking compliance issues}
+
+#### Warnings
+{list partial compliance items}
+
+#### Recommendations
+{list improvements for future}
+```

package/starter-kit/rules/security-rules.md

@@ -0,0 +1,138 @@
+# Security Validation Rules
+
+These rules are used by Spec-Kit to validate security compliance after specification or implementation phases.
+
+> **Customization**: Edit this file to match your organization's security policies.
+
+---
+
+## Authentication & Authorization
+
+### AUTH-001: Authentication Required
+- [ ] All endpoints accessing sensitive data require authentication
+- [ ] Authentication mechanism is industry-standard (OAuth2, OIDC, SAML)
+- [ ] No credentials stored in plain text
+
+### AUTH-002: Authorization Controls
+- [ ] Role-based access control (RBAC) implemented
+- [ ] Principle of least privilege applied
+- [ ] Authorization checked on every request (not just UI)
+
+### AUTH-003: Session Management
+- [ ] Session tokens are cryptographically secure
+- [ ] Session timeout implemented
+- [ ] Session invalidation on logout
+
+---
+
+## Data Protection
+
+### DATA-001: Data at Rest
+- [ ] Sensitive data encrypted at rest (AES-256 or equivalent)
+- [ ] Encryption keys managed securely (HSM, Key Vault)
+- [ ] Database credentials not hardcoded
+
+### DATA-002: Data in Transit
+- [ ] TLS 1.2+ required for all communications
+- [ ] Certificate validation enabled
+- [ ] No sensitive data in URLs
+
+### DATA-003: Data Sanitization
+- [ ] Input validation on all user inputs
+- [ ] Output encoding to prevent XSS
+- [ ] Parameterized queries to prevent SQL injection
+
+---
+
+## API Security
+
+### API-001: Input Validation
+- [ ] All inputs validated (type, length, format, range)
+- [ ] Request size limits enforced
+- [ ] File upload restrictions (type, size)
+
+### API-002: Rate Limiting
+- [ ] Rate limiting implemented on all endpoints
+- [ ] Brute force protection on authentication
+- [ ] DDoS mitigation considered
+
+### API-003: Error Handling
+- [ ] No stack traces exposed to users
+- [ ] Generic error messages for security failures
+- [ ] Detailed errors logged server-side only
+
+---
+
+## Infrastructure
+
+### INFRA-001: Secrets Management
+- [ ] Secrets stored in secure vault (Azure Key Vault, AWS Secrets Manager)
+- [ ] No secrets in source code or config files
+- [ ] Secrets rotated regularly
+
+### INFRA-002: Logging & Monitoring
+- [ ] Security events logged (auth failures, access denied)
+- [ ] No sensitive data in logs
+- [ ] Logs protected from tampering
+
+### INFRA-003: Dependencies
+- [ ] Dependencies scanned for vulnerabilities
+- [ ] Regular security updates applied
+- [ ] No known vulnerable dependencies
+
+---
+
+## Compliance Checks
+
+### COMP-001: OWASP Top 10
+- [ ] Injection vulnerabilities addressed
+- [ ] Broken authentication prevented
+- [ ] Sensitive data exposure mitigated
+- [ ] XXE attacks prevented
+- [ ] Broken access control fixed
+- [ ] Security misconfiguration avoided
+- [ ] XSS vulnerabilities prevented
+- [ ] Insecure deserialization handled
+- [ ] Components with known vulnerabilities updated
+- [ ] Insufficient logging addressed
+
+---
+
+## Validation Instructions
+
+When validating against these rules:
+
+1. **For Specifications**: Verify that security requirements are documented and address each applicable rule
+2. **For Implementation**: Verify that code implements the security controls described in the specification
+3. **Mark Status**:
+   - ✅ **Compliant**: Rule is fully addressed
+   - ⚠️ **Partial**: Rule is partially addressed, needs improvement
+   - ❌ **Non-Compliant**: Rule is not addressed, blocking issue
+   - ➖ **N/A**: Rule does not apply to this feature
+
+## Report Format
+
+```markdown
+## Security Validation Report
+
+**Feature**: {feature_name}
+**Date**: {date}
+**Phase**: {spec|implementation}
+
+### Summary
+- Compliant: X rules
+- Partial: X rules
+- Non-Compliant: X rules
+- N/A: X rules
+
+### Findings
+
+#### Critical Issues
+{list critical non-compliant items}
+
+#### Warnings
+{list partial compliance items}
+
+#### Recommendations
+{list improvements}
+```

package/starter-kit/workflows/bugfix.yaml

@@ -0,0 +1,99 @@
+# Bugfix Workflow
+# Streamlined process for bug fixes with validation checkpoints
+
+name: bugfix
+displayName: "Bug Fix"
+description: "Structured workflow for analyzing, fixing, and validating bug corrections"
+
+metadata:
+  version: "1.0"
+  author: "Spec-Kit"
+  tags:
+    - bugfix
+    - hotfix
+    - correction
+
+template: bugfix-report.md
+defaultAgent: SpecAgent
+
+steps:
+  - id: analyze-bug
+    name: "Analyze Bug & Root Cause"
+    action: fetch_ado
+    description: |
+      Retrieve the bug work item from Azure DevOps and analyze:
+      - Reproduction steps
+      - Error logs and stack traces
+      - Affected components
+      - User impact assessment
+      
+      Identify the root cause of the issue.
+    outputs:
+      - bug_data
+      - root_cause_analysis
+
+  - id: plan-fix
+    name: "Plan Correction"
+    action: call_agent
+    agent: PlanAgent
+    description: |
+      Create a correction plan including:
+      - Proposed fix approach
+      - Files/components to modify
+      - Potential side effects
+      - Rollback strategy if needed
+      
+      Keep the fix minimal and focused.
+    inputs:
+      source: "root_cause_analysis"
+    outputs:
+      - fix_plan
+
+  - id: security-check
+    name: "Security Validation"
+    action: review
+    agent: GovAgent
+    description: |
+      Quick security review of the proposed fix:
+      - [ ] No new vulnerabilities introduced
+      - [ ] Input validation maintained
+      - [ ] No sensitive data exposure
+      - [ ] Authentication/Authorization intact
+    inputs:
+      document: "fix_plan"
+    outputs:
+      - security_clearance
+
+  - id: implement-fix
+    name: "Implement & Test"
+    action: generate_content
+    description: |
+      Implement the fix following the plan:
+      1. Write the code fix
+      2. Add unit tests for the bug scenario
+      3. Add regression tests
+      4. Update documentation if needed
+      
+      Ensure test coverage for the fixed code path.
+    inputs:
+      plan: "fix_plan"
+    outputs:
+      - code_changes
+      - test_cases
+
+  - id: final-review
+    name: "Final Review"
+    action: review
+    agent: GovAgent
+    description: |
+      Final validation before merge:
+      - [ ] Fix addresses root cause
+      - [ ] No regression introduced
+      - [ ] Tests pass
+      - [ ] Code review approved
+      - [ ] Documentation updated
+    inputs:
+      changes: "code_changes"
+      tests: "test_cases"
+    outputs:
+      - approval_status