Author SHA1 Message Date
Brian 2b76d03316
feat(web-bundles): release packager + manifest for bmadcode.com/web-bundles/ (#2424)
* feat(web-bundles): add release packager + bundle manifest

Adds the infrastructure for shipping web bundles as downloadable ZIPs
attached to a GitHub Release, consumed by the upcoming
bmadcode.com/web-bundles/ page.

- web-bundles/bundles.json — manifest with persona, tagline, description,
  accent color, motif key, knowledge files, and feature flags
  (web-browsing, deep-research, stitch integration) for each of the 6
  bundles. Top-level releaseTag and downloadUrlPattern so the
  consuming page can construct download URLs without hardcoding.
- tools/bundle-web-bundles.js — packager that zips each bundle dir into
  dist/web-bundles/{slug}.zip and prints the gh release create command.
  Zero dependencies; uses system zip.
- .gitignore — exclude dist/web-bundles/ build artifacts.

The web-bundles-v1.0.0 release on GitHub is currently in draft state
with the 6 zips attached; it'll be published in coordination with the
Ghost site page going live.

* fix(web-bundles): single-source release tag, sharper bundle copy

- Remove downloadUrlPattern from bundles.json — the consuming page
  derives the URL from releaseTag, so version bumps now touch one
  field instead of two.
- product-brief-coach: drop "one-page" (briefs are whatever length
  the product earns).
- brainstorming-coach: real numbers — 60 techniques across 10
  categories — with concrete examples (SCAMPER, Drunk History
  Retelling, Nature's Solutions, Six Thinking Hats, etc.) so the
  card actually communicates the surprising breadth.

* fix(web-bundles): harden release script per PR review

- Verify the zip CLI is on PATH up front with a clear install
  hint, instead of crashing mid-zip with an opaque execSync error.
- Wrap JSON.parse in try/catch; validate the manifest shape (bundles
  array non-empty, releaseTag present, slug present per entry) before
  trying to package, so config errors fail with a targeted message.
- Catch zip failures per-bundle and surface the failing slug.
- Refuse to print the gh release command when zero bundles were
  packaged (would otherwise mislead the user into creating an empty
  release).
- Derive --title from manifest.releaseTag so the printed command can
  never drift from the actual tag (was previously hardcoded
  "Web Bundles v1" while the tag had moved to v1.0.0).
- Remove the stale `web-bundles-v1` example from the file header.

Addresses augmentcode bot review comments on PR #2424.

* docs(web-bundles): rewrite copy to actually sell what each bundle does

The JSON drives the bmadcode.com/web-bundles/ page; previous copy
was generic and undersold the actual capabilities. Rewrote each
tagline + description to lead with concrete, differentiating facts
pulled directly from each bundle's SKILL.md:

- Brainstorming Coach: 60 techniques across 10 categories with
  specific names (SCAMPER, Drunk History Retelling, Nature's
  Solutions, Shadow Work Mining, Superposition Collapse); calls
  out the 4 routes (browse, recommend, random, progressive) and
  the ~100-idea quantity-unlocks-quality target.
- Product Brief Coach: names the three intent modes (Create /
  Update / Validate) and the two working paths (Fast / Coaching);
  surfaces the [ASSUMPTION] tag system and the Addendum.
- PRFAQ Coach: details the 4 stages (Ignition / Press Release /
  Customer FAQ / Internal FAQ + Verdict), the 9 press release
  sections, the weasel-word list ("best-in-class", "seamless"),
  and that it adapts for commercial, internal, OSS, community.
- PRD Coach: spells out the two entry points (Vision+Features
  vs Journey-led), named-protagonist journeys, glossary
  discipline, stable ID system (FR-1..N, SM-C1..N), and the
  7-dimension validation rubric.
- UX Coach: leads with the two-spine contract (DESIGN.md +
  EXPERIENCE.md), Don Norman framing, named-protagonist
  journeys, surface closure as the test, and Stitch integration.
- Market & Industry Research: leads with Deep Research as the
  engine, names Porter and Christensen as anchors, lists the 6
  deliverable sections, and frames the deliverable as synthesis
  not a research dump.

* fix(web-bundles): security hardening + strict bundle validation

Two issues raised by coderabbit on the latest commit:

1. Shell injection surface: execSync was building the zip command
   with a template literal that interpolated bundle.slug from JSON.
   Even with our controlled inputs, a slug with shell metacharacters
   would break quoting. Switched to execFileSync with an argument
   array (no shell) and added a strict ^[a-z0-9][a-z0-9-]*$ slug
   regex enforced before any FS or zip call.

2. Missing bundle directories were [SKIP]-warned but the script
   still printed the release command, allowing an incomplete release
   to ship cleanly. Now treated as fatal: any missing or invalid slug
   blocks the printed gh command and exits non-zero with the offending
   slugs listed.
2026-05-25 11:43:55 -05:00
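
The hardening described in the last entry of the commit message (slug allow-list checked before any filesystem or zip call, zip run from an argument array with no shell, missing directories treated as fatal) can be sketched as follows. This is an added example, not the project's tools/bundle-web-bundles.js; the function names, the zip flags `-r -q` and the directory layout are assumptions.

```javascript
// Added example; not the project's tools/bundle-web-bundles.js.
// Function names, zip flags and directory layout are assumptions.
const { execFileSync } = require('node:child_process');
const fs = require('node:fs');
const path = require('node:path');

// Allow-list quoted in the commit message. The required leading [a-z0-9]
// also keeps a slug from being read by zip as an option ("-x ...").
const SLUG_RE = /^[a-z0-9][a-z0-9-]*$/;

// Weak form the commit message describes (constructed illustration):
//   execSync(`zip -r ${outDir}/${bundle.slug}.zip ${bundle.slug}`)
// A shell parses that string, so metacharacters in slug change the command.

// Collect every slug that must block the release.
function findBlockingSlugs(manifest, srcRoot) {
  const blocking = [];
  for (const { slug } of manifest.bundles) {
    if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
      blocking.push({ slug: String(slug), reason: 'invalid slug' });
    } else if (!fs.existsSync(path.join(srcRoot, slug))) {
      // The filesystem is consulted only after the regex has passed.
      blocking.push({ slug, reason: 'missing directory' });
    }
  }
  return blocking;
}

// Each element becomes one argv entry for zip; no shell is involved.
function zipArgs(slug, outDir) {
  if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
    throw new Error(`invalid slug: ${slug}`);
  }
  return ['-r', '-q', path.join(outDir, `${slug}.zip`), slug];
}

// Package all bundles, or nothing at all if any slug is blocking.
function packageAll(manifest, srcRoot, outDir) {
  const blocking = findBlockingSlugs(manifest, srcRoot);
  if (blocking.length > 0) return { ok: false, blocking, packaged: [] };
  const out = path.resolve(outDir);
  fs.mkdirSync(out, { recursive: true });
  for (const { slug } of manifest.bundles) {
    execFileSync('zip', zipArgs(slug, out), { cwd: srcRoot, stdio: 'inherit' });
  }
  return { ok: true, blocking: [], packaged: manifest.bundles.map((b) => b.slug) };
}
```

A caller would list `blocking` and set a non-zero exit code when `ok` is false, and print the gh release command only when `ok` is true.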