Full-stack with all 10 roles: database, UI, auth, security, 2 sprints
⏱ ~90 min · 2 Sprints · Solo Mode · Intermediate
Project 01 taught the core loop with 7 roles. This project adds the 3 remaining roles: 🗄️ @dba for database schema design, 🎨 @ux for accessible frontend, and 🛡️ @sec for security hardening. You'll also learn story splitting, sprint refinement, and mid-sprint status tracking.
| Role | What they do in this project | When |
|---|---|---|
| @po | Creates stories from your requirements, splits oversized stories, accepts completed work | Story creation, sprint review, acceptance |
| @sm | Facilitates 2 sprints, tracks velocity across sprints, runs retros | Sprint ceremonies |
| 🏗️ @arch | Evaluates full-stack architecture (API + DB + frontend), checks architecture impact during refinement | Project setup, sprint refinement |
| 👨‍💻 @lead | Reviews code quality, assesses story feasibility during refinement | Code review, sprint refinement |
| ⌨️ @dev | Implements auth, CRUD, frontend with TDD | Implementation |
| 🧪 @qa | Verifies Definition of Done, checks coverage across 6 stories | DoD verification |
| 🚀 @devops | Runs CI pipeline, handles deployment of full-stack app | CI/CD, deploy |
| 🗄️ @dba | Designs users and tasks schema, writes migrations, validates foreign keys and indexes | Before coding starts |
| 🎨 @ux | Ensures WCAG AA accessibility, keyboard navigation, responsive design on all forms | Frontend stories |
| 🛡️ @sec | Scans dependencies for CVEs, reviews auth code for vulnerabilities, enforces password hashing | Security review story |
Same flow as Project 01: create the project, initialize memory, scaffold the stack. Abbreviated here.
"I want to build a task management web app with user auth, a web frontend, and a database. Users should register, log in, create/edit/delete tasks, organize by lists, and filter by status."
/agile-explore-brainstorm I need a full-stack task management app: REST API with auth, a web frontend, and a relational database. Should support registration, login with JWT, and CRUD on tasks. Needs to be testable and deployable.
🏗️ @arch responds with a scoring matrix:
## /agile-explore-brainstorm - Results
### Problem Statement
Full-stack task management app with auth, REST API,
relational DB, and web frontend. Constraints: testable,
deployable, JWT auth.
### Scoring Matrix
| Approach | Feasibility | Maintainability | Performance | Risk | Total |
|---|---|---|---|---|---|
| Express + PostgreSQL + Vanilla HTML/CSS/JS | 9/10 | 9/10 | 8/10 | 8/10 | 34 |
| Fastify + PostgreSQL + React SPA | 8/10 | 8/10 | 9/10 | 7/10 | 32 |
| Django + PostgreSQL + Django Templates | 8/10 | 9/10 | 7/10 | 8/10 | 32 |
| Go + PostgreSQL + HTMX | 7/10 | 9/10 | 10/10 | 6/10 | 32 |
### Recommendation
Express + PostgreSQL + Vanilla frontend scores highest.
Simple stack, easy to test, no build step for frontend.
### What Would Change This
- If you need rich interactivity → React SPA
- If you prefer Python → Django
- If performance is critical → Go + HTMX
"Let's go with Express + PostgreSQL + Vanilla HTML/CSS/JS. I want to keep the frontend simple."
💬 "Set up the Express + PostgreSQL project with a vanilla frontend, bcrypt for passwords, and JWT for auth. Then run /agile-setup-init."
→ @dev scaffolds: package.json, src/, public/, db/migrations/
→ /agile-setup-init scans and populates memory files
### Detected Stack
- Language: JavaScript (Node.js 20)
- Framework: Express 4.x
- Database: PostgreSQL 16
- Frontend: Vanilla HTML/CSS/JS (in public/)
- Auth: bcrypt + jsonwebtoken
- Test Framework: Jest + Supertest
- Package Manager: npm
/agile-setup-onboard → Generates coding rules
/agile-setup-health → ✅ All checks pass
Phase 1 complete. Scaffolded project, initialized memory, coding rules set. Zero features built yet; Sprint 0 is about foundations.
/agile-story-create does NOT invent features. You describe what you need, and @po structures it. This hasn't changed from Project 01.
/agile-story-create Users need to register with email and password, with validation: email must be unique, password at least 8 characters
@po responds:
## /agile-story-create - Story Created
### Story US-001
**As a** new user,
**I want** to register with email and password,
**so that** I can create an account and start managing tasks.
### Acceptance Criteria
**AC-1: Happy path: register with valid credentials**
- **Given** the API is running
- **When** I send POST /auth/register with {"email": "alice@example.com", "password": "securepass123"}
- **Then** I receive 201 with user ID and email (no password in response)
**AC-2: Edge case: duplicate email**
- **Given** alice@example.com already exists
- **When** I send POST /auth/register with the same email
- **Then** I receive 409 with "email already registered"
**AC-3: Error case: weak password**
- **Given** the API is running
- **When** I send POST /auth/register with {"email": "bob@example.com", "password": "123"}
- **Then** I receive 400 with "password must be at least 8 characters"
### INVEST Check: ✅ All pass
### Estimate: 3 points
> Added to: .memory/backlog/product.md
/agile-story-create Users need to log in and receive a JWT token for API access. Invalid credentials should return a clear error.
@po responds:
### Story US-002 (3 pts)
**As a** registered user,
**I want** to log in with my email and password and receive a JWT token,
**so that** I can authenticate subsequent API requests.
### Acceptance Criteria
- AC-1: Valid login returns 200 + JWT token
- AC-2: Wrong password returns 401 "invalid credentials"
- AC-3: Non-existent email returns 401 "invalid credentials" (same message: no email enumeration)
### INVEST Check: ✅ All pass
> Added to: .memory/backlog/product.md
/agile-story-create I need CRUD endpoints for tasks: create, list, update status, delete. Each task belongs to a user and requires auth. Tasks have a title, description, and status (pending/in-progress/done).
@po responds:
### Story US-003 (13 pts) ⚠️ TOO LARGE
**As a** logged-in user,
**I want** to create, list, update, and delete tasks,
**so that** I can manage my work.
### INVEST Check
| Criterion | Status |
|---|---|
| Independent | ✅ |
| Negotiable | ✅ |
| Valuable | ✅ |
| Estimable | ✅ |
| Small | ❌ 13 pts exceeds 8 pt limit |
| Testable | ✅ |
⚠️ Recommendation: Split this story. 13 points covers 4 distinct operations, too much for one story.
/agile-story-split US-003 --strategy workflow-steps
@po splits US-003 into independently deliverable sub-stories:
## /agile-story-split - Results
### Original: US-003 (13 pts) → RETIRED
### Split Strategy: workflow-steps
Each sub-story covers one workflow step that delivers value independently.
---
### US-003a: Create task (3 pts)
**As a** logged-in user,
**I want** to create a new task with title and description,
**so that** I can track work I need to do.
**Acceptance Criteria:**
- AC-1: POST /tasks with valid JWT creates task → 201
- AC-2: Task is linked to authenticated user
- AC-3: Missing title → 400
- AC-4: No JWT → 401
**INVEST Check:**
| I | N | V | E | S | T |
|---|---|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
---
### US-003b: List and filter tasks (2 pts)
**As a** logged-in user,
**I want** to list my tasks and filter by status,
**so that** I can focus on what matters now.
**Acceptance Criteria:**
- AC-1: GET /tasks returns only MY tasks → 200
- AC-2: GET /tasks?status=done filters correctly
- AC-3: No JWT → 401
**INVEST Check:**
| I | N | V | E | S | T |
|---|---|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
---
### US-003c: Update and delete tasks (3 pts)
**As a** logged-in user,
**I want** to update a task's status and delete tasks,
**so that** I can track progress and clean up.
**Acceptance Criteria:**
- AC-1: PUT /tasks/:id updates status → 200
- AC-2: DELETE /tasks/:id removes task → 204
- AC-3: Updating/deleting another user's task → 403
- AC-4: Task not found → 404
**INVEST Check:**
| I | N | V | E | S | T |
|---|---|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
---
### Split Summary
| Story | Points | Status |
|---|---|---|
| US-003 | 13 | ❌ Retired |
| US-003a | 3 | ✅ Ready |
| US-003b | 2 | ✅ Ready |
| US-003c | 3 | ✅ Ready |
| Total | 8 | (was 13) |
Splitting also refined the estimates: the total dropped from 13 to 8 because the uncertainty was in the combined scope.
Splitting isn't just about size; it reduces uncertainty. The original 13-point estimate included risk padding for "too many unknowns in one story." Once split, each piece is clear and the total drops to 8 points.
/agile-story-estimate
## /agile-story-estimate - Results
| Story | Title | Points |
|---------|-----------------------|--------|
| US-001 | User registration | 3 |
| US-002 | Login + JWT | 3 |
| US-003a | Create task | 3 |
| US-003b | List and filter tasks | 2 |
| US-003c | Update and delete | 3 |
**Total backlog**: 14 points
/agile-sprint-planning
@sm facilitates:
## Sprint Planning Output
### Sprint 1 Goal
"Deliver user registration, login, and full task CRUD behind authentication"
### Sprint Backlog
| Story | Title | Points | Priority |
|---------|-----------------------|--------|----------|
| US-001 | User registration | 3 | P1 |
| US-002 | Login + JWT | 3 | P1 |
| US-003a | Create task | 3 | P1 |
| US-003b | List and filter tasks | 2 | P2 |
| US-003c | Update and delete | 3 | P2 |
### Capacity Check
- Team velocity (first sprint): 14 points (aggressive)
- Committed this sprint: 14 points
- Capacity utilization: 100%
### Risks
- First sprint: no historical velocity
- Auth stories must complete before task stories can be tested end-to-end
This is new! Before any coding starts, @dba designs the schema with migrations. In Project 01, the database was a simple SQLite file. Here, we need a proper relational schema with foreign keys, indexes, and migration scripts.
"We need tables for users and tasks. Design the schema. Users have email and password. Tasks have title, description, status, and belong to a user."
🗄️ @dba responds with the full schema and migrations:
## Database Schema Design
### Table: users
| Column | Type | Constraints |
|---------------|---------------|---------------------------------|
| id | SERIAL | PRIMARY KEY |
| email | VARCHAR(255) | UNIQUE, NOT NULL |
| password_hash | VARCHAR(255) | NOT NULL |
| created_at | TIMESTAMPTZ | NOT NULL DEFAULT NOW() |
### Table: tasks
| Column | Type | Constraints |
|---|---|---|
| id | SERIAL | PRIMARY KEY |
| user_id | INTEGER | NOT NULL, FK → users(id) ON DELETE CASCADE |
| title | VARCHAR(255) | NOT NULL |
| description | TEXT | NULLABLE |
| status | VARCHAR(20) | NOT NULL DEFAULT 'pending', CHECK (status IN ('pending', 'in-progress', 'done')) |
| created_at | TIMESTAMPTZ | NOT NULL DEFAULT NOW() |
### Indexes
- users(email) → UNIQUE index (implicit from constraint)
- tasks(user_id) → speeds up "list my tasks" queries
- tasks(user_id, status) → composite for filtered queries
### Migration: UP (001_create_users_and_tasks.sql)
```sql
-- users: the password column holds only a bcrypt hash, never the password itself
CREATE TABLE users (
  id            SERIAL PRIMARY KEY,
  email         VARCHAR(255) UNIQUE NOT NULL,   -- UNIQUE also creates the lookup index
  password_hash VARCHAR(255) NOT NULL,
  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- tasks: every row belongs to a user; deleting the user removes their tasks
CREATE TABLE tasks (
  id          SERIAL PRIMARY KEY,
  user_id     INTEGER NOT NULL
              REFERENCES users(id) ON DELETE CASCADE,
  title       VARCHAR(255) NOT NULL,
  description TEXT,
  status      VARCHAR(20) NOT NULL DEFAULT 'pending'
              CHECK (status IN ('pending','in-progress','done')),  -- only known states
  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- "list my tasks" and "list my tasks with status = X"
CREATE INDEX idx_tasks_user_id ON tasks(user_id);
CREATE INDEX idx_tasks_user_status ON tasks(user_id, status);
```
### Migration: DOWN
```sql
-- Drop the referencing table first so the foreign key does not block the drop
DROP TABLE IF EXISTS tasks;
DROP TABLE IF EXISTS users;
```
### Validation
| Check | Status |
|---|---|
| Reversibility (down) | ✅ Clean drop in correct order |
| Data types | ✅ VARCHAR for bounded, TEXT for unbounded |
| Naming conventions | ✅ snake_case, singular table names |
| Foreign keys | ✅ ON DELETE CASCADE: tasks removed with user |
| Indexes | ✅ Covers primary query patterns |
| Password storage | ✅ Column is password_hash, not password |
@dba caught three things you might have missed: the composite index for filtered queries, the CHECK constraint on status values, and ON DELETE CASCADE so orphaned tasks don't pile up. Schema design before coding prevents painful migrations later.
/agile-code-branch feature US-001 user-registration
⌨️ @dev: Branch created
- Branch: feature/US-001-user-registration
- From: develop (up to date)
- Linked to: US-001
/agile-story-plan US-001
👨‍💻 @lead: Implementation Plan for US-001
Phase 1: Run migration
- Execute 001_create_users_and_tasks.sql
Phase 2: Auth middleware
- JWT verification middleware for protected routes
Phase 3: Registration endpoint
- POST /auth/register route
- Hash password with bcrypt (cost 12)
- Check email uniqueness (handle DB constraint error)
- Return 201 with user ID + email (never return hash)
Phase 4: Validation
- Email format validation
- Password length check (min 8)
- Return 400 with specific error messages
Confidence: 9/10
/agile-code-tdd US-001
```javascript
// test/auth.test.js
const request = require('supertest');
const app = require('../src/app'); // the Express app under test (assumed path)

test('POST /auth/register creates user', async () => {
  const res = await request(app)
    .post('/auth/register')
    .send({ email: 'alice@example.com', password: 'securepass123' });
  expect(res.status).toBe(201);
  expect(res.body).toHaveProperty('id');
  expect(res.body.email).toBe('alice@example.com');
  // Neither the plain password nor the hash may appear in the response
  expect(res.body).not.toHaveProperty('password');
  expect(res.body).not.toHaveProperty('password_hash');
});
// Result: ❌ FAIL: route doesn't exist yet
```
```javascript
// src/routes/auth.js
const express = require('express');
const bcrypt = require('bcrypt');
const db = require('../db'); // pg pool wrapper exposing query() (assumed path)
const router = express.Router();

router.post('/register', async (req, res) => {
  const { email, password } = req.body;
  // Cost factor 12 as in the implementation plan; the raw password is never stored
  const hash = await bcrypt.hash(password, 12);
  // Parameterized query; RETURNING hands back only the safe columns
  const result = await db.query(
    'INSERT INTO users (email, password_hash) VALUES ($1, $2) RETURNING id, email',
    [email, hash]
  );
  res.status(201).json(result.rows[0]);
});

module.exports = router;
// Result: ✅ PASS
// Refactor: extract bcrypt + DB logic to UserService
// Tests still pass ✅
```
⌨️ @dev repeats Red → Green → Refactor for AC-2 (duplicate email → 409) and AC-3 (weak password → 400).
/agile-code-ci → ✅ All green (8/8 tests pass)
/agile-code-commit → feat(auth): add user registration endpoint
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved (Score: 9/10)
(🔵 S3: consider adding email format validation with regex)
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE (coverage 91%)
/agile-story-accept → ✅ ACCEPTED (3 points)
/agile-code-branch feature US-002 login-jwt
/agile-story-plan US-002
/agile-code-tdd US-002
🔴 Test: POST /auth/login with valid creds → 200 + token → ❌
🟢 Implement: compare bcrypt hash, sign JWT → ✅
🔴 Test: Wrong password → 401 "invalid credentials" → ❌
🟢 Add check → ✅
🔴 Test: Non-existent email → 401 (same message) → ❌
🟢 Add check (no email enumeration) → ✅
/agile-code-ci → ✅ All green (14/14 tests)
/agile-code-commit → feat(auth): add login endpoint with JWT
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved (Score: 8/10)
(🟡 S2: JWT secret should come from env var, not hardcoded)
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (3 points)
/agile-code-branch feature US-003a create-task
/agile-story-plan US-003a
/agile-code-tdd US-003a
🔴 Test: POST /tasks with JWT creates task → ❌
🟢 Implement route + JWT middleware → ✅
🔴 Test: Task linked to authenticated user → ❌
🟢 Extract user_id from JWT payload → ✅
🔴 Test: No JWT → 401 → ❌
🟢 Auth middleware rejects → ✅
🗄️ @dba reviews the task creation query:
🗄️ @dba: Query Review
✅ Parameterized query ($1, $2, $3): no SQL injection
✅ user_id from JWT, not from request body
✅ RETURNING clause avoids extra SELECT
/agile-code-ci → ✅ All green (20/20 tests)
/agile-code-commit → feat(tasks): add create task endpoint
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (3 points)
/agile-code-branch feature US-003b list-filter-tasks
/agile-story-plan US-003b
/agile-code-tdd US-003b
🔴 Test: GET /tasks returns only MY tasks → ❌
🟢 WHERE user_id = $1 → ✅
🔴 Test: GET /tasks?status=done filters → ❌
🟢 Add optional WHERE clause → ✅
/agile-code-ci → ✅ All green
/agile-code-commit → feat(tasks): add list and filter endpoints
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (2 points)
/agile-code-branch feature US-003c update-delete-tasks
/agile-story-plan US-003c
/agile-code-tdd US-003c
🔴 Test: PUT /tasks/:id updates status → ❌
🟢 Implement update handler → ✅
🔴 Test: DELETE /tasks/:id removes task → ❌
🟢 Implement delete handler → ✅
🔴 Test: Update another user's task → 403 → ❌
🟢 Add ownership check → ✅
🔴 Test: Task not found → 404 → ❌
🟢 Add not-found check → ✅
/agile-code-ci → ✅ All green (32/32 tests)
/agile-code-commit → feat(tasks): add update and delete endpoints
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved
(🟡 S2: extract ownership check to reusable middleware)
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (3 points)
/agile-sprint-daily
@sm: Daily Standup (Sprint 1, Day 3)
### Progress
- ✅ US-001 (Registration): ACCEPTED
- ✅ US-002 (Login + JWT): ACCEPTED
- US-003a (Create task): IN PROGRESS (TDD phase)
- US-003b (List/filter): TODO
- US-003c (Update/delete): TODO
### Burndown
Day 1: 14 pts remaining
Day 2: 8 pts remaining (US-001 + US-002 done)
Day 3: 5 pts remaining (US-003a almost done)
### Blockers: None
/agile-sprint-status
@sm provides a mid-sprint dashboard:
## /agile-sprint-status - Sprint 1 Dashboard
### Sprint Health
| Metric | Value | Status |
|---|---|---|
| Sprint Goal | Auth + CRUD API | 🟢 |
| Days Elapsed | 3 / 5 | |
| Points Completed | 9 / 14 | 🟢 |
| Points Remaining | 5 | |
| Stories Done | 3 / 5 | |
| Burndown Trend | On track | 🟢 |
### Story Status
| Story | Title | Pts | Status |
|---|---|---|---|
| US-001 | Registration | 3 | ✅ Accepted |
| US-002 | Login + JWT | 3 | ✅ Accepted |
| US-003a | Create task | 3 | ✅ Accepted |
| US-003b | List/filter tasks | 2 | In Progress |
| US-003c | Update/delete | 3 | Todo |
### Risks
- None: on track to complete all stories
/agile-sprint-review
## Sprint 1 Review
### Sprint Goal: "Auth + Task CRUD API"
### Sprint Goal Met: ✅ Yes
| Story | Title | Pts | Status |
|---|---|---|---|
| US-001 | Registration | 3 | ✅ Accepted |
| US-002 | Login + JWT | 3 | ✅ Accepted |
| US-003a | Create task | 3 | ✅ Accepted |
| US-003b | List/filter tasks | 2 | ✅ Accepted |
| US-003c | Update/delete | 3 | ✅ Accepted |
### Velocity
- Committed: 14 points
- Completed: 14 points (100%)
- First sprint: this becomes the baseline
### Demo Summary (⌨️ @dev)
- Registration: POST /auth/register → 201
- Login: POST /auth/login → 200 + JWT
- Create task: POST /tasks (with JWT) → 201
- List tasks: GET /tasks?status=pending → 200
- Update: PUT /tasks/1 → 200
- Delete: DELETE /tasks/1 → 204
- All endpoints require auth except register/login
/agile-sprint-retro
## Sprint 1 Retrospective
### What Went Well
- Story splitting reduced US-003 from 13 to 8 pts
- @dba schema design prevented migration issues
- TDD caught the email enumeration issue early (US-002)
### What To Improve
- No frontend yet: users can't interact without curl
- JWT secret was hardcoded (caught in PR review)
- No security review done yet
### Action Items
| Action | Owner | Due |
|-------------------------------|--------|-----------|
| Move JWT secret to env var | @dev | Sprint 2 |
| Build frontend | @dev | Sprint 2 |
| Security review before ship | @sec | Sprint 2 |
/agile-memory-learn
@sm: Learnings captured
→ Saved to: .memory/episodic/learnings.md
- Sprint 1 velocity: 14 points
- Story splitting effectiveness: 13 pts → 8 pts (3 stories)
- @dba schema-first approach saved rework
- Action items tracked for Sprint 2
This is new! Before Sprint 2 planning, the team refines upcoming stories to make sure they're "Ready": clear enough to start immediately.
/agile-sprint-refine
Multiple roles collaborate during refinement:
@po + 👨‍💻 @lead + 🏗️ @arch respond:
## /agile-sprint-refine - Refinement Session
### @po presents upcoming stories:
Three stories are candidates for Sprint 2:
1. Auth UI (login + registration forms)
2. Task dashboard (list, filter, create, edit, delete)
3. Security review (auth, data handling, dependencies)
### 👨‍💻 @lead assesses feasibility:
| Story | Feasibility | Concerns |
|---|---|---|
| Auth UI | 🟢 High | Straightforward forms |
| Dashboard | 🟢 High | More complex but well-scoped |
| Security | 🟢 High | Review + fix, not new code |
### 🏗️ @arch checks architecture impact:
- Auth UI: No backend changes; consumes existing API
- Dashboard: No backend changes; consumes existing API
- Security: May require backend fixes (depends on findings)
- Frontend files go in public/; no build step needed
### Refinement Outcome
| Story | Previous Status | New Status |
|---|---|---|
| Auth UI | Unrefined | ✅ Ready |
| Dashboard | Unrefined | ✅ Ready |
| Security | Unrefined | ✅ Ready |
All 3 stories are Ready for Sprint 2 planning.
/agile-story-create I need a login page and registration form that works on mobile and is accessible: proper labels, keyboard navigation, error messages visible to screen readers
@po: Story US-004 created (5 pts)
**As a** user,
**I want** a login and registration page that is accessible and works on mobile,
**so that** I can use the app from any device.
Acceptance Criteria:
- AC-1: Registration form with email, password, confirm password
- AC-2: Login form with email, password
- AC-3: Form validation with visible error messages
- AC-4: WCAG AA compliant (contrast, labels, focus)
- AC-5: Works on screens 320px and above
/agile-story-create I need a task dashboard showing all tasks with filter by status and ability to create, edit, and delete tasks. Should be responsive.
@po: Story US-005 created (5 pts)
**As a** logged-in user,
**I want** a task dashboard where I can see, filter, create, edit, and delete tasks,
**so that** I can manage my work visually.
Acceptance Criteria:
- AC-1: Dashboard shows all user's tasks
- AC-2: Filter dropdown for status (all, pending, in-progress, done)
- AC-3: "New Task" button opens create form
- AC-4: Edit button on each task
- AC-5: Delete button with confirmation
- AC-6: Responsive layout (mobile → desktop)
/agile-story-create The app needs a security review before we can ship: check auth implementation, data handling, and dependencies for known vulnerabilities
@po: Story US-006 created (3 pts)
**As a** product owner,
**I want** a security review of auth, data handling, and dependencies,
**so that** we can ship with confidence.
Acceptance Criteria:
- AC-1: Dependency scan → no critical CVEs
- AC-2: Auth code reviewed → no credential leaks
- AC-3: All S0/S1 findings fixed and re-verified
/agile-sprint-planning
@sm facilitates:
## Sprint 2 Planning
### Sprint 2 Goal
"Deliver usable frontend with auth UI, task dashboard, and pass security review"
### Sprint Backlog
| Story | Title | Pts | Priority |
|--------|--------------------|-----|----------|
| US-004 | Auth UI | 5 | P1 |
| US-005 | Task dashboard | 5 | P1 |
| US-006 | Security review | 3 | P1 |
### Capacity Check
- Historical velocity (Sprint 1): 14 points
- Committed this sprint: 13 points
- Capacity utilization: 93%
- Buffer for security fixes: ✅ Available
/agile-code-branch feature US-004 auth-ui
⌨️ @dev: Branch created
- Branch: feature/US-004-auth-ui
- From: develop (up to date)
- Linked to: US-004
/agile-story-plan US-004
👨‍💻 @lead + 🎨 @ux: Implementation Plan for US-004
Phase 1: HTML structure
- Semantic HTML: form, fieldset, label, input
- Registration form + login form (two pages or tabs)
Phase 2: CSS styling
- Mobile-first responsive design
- WCAG AA color contrast (4.5:1 minimum)
- Focus-visible styles for keyboard nav
Phase 3: JavaScript
- Form validation with aria-describedby for errors
- Fetch API calls to /auth/register and /auth/login
- Store JWT in memory (not localStorage: XSS risk)
- Redirect to dashboard on success
Phase 4: Accessibility
- All inputs have associated labels
- Error messages linked with aria-describedby
- Focus management on form submission errors
Confidence: 8/10
/agile-code-tdd US-004
⌨️ @dev implements the auth UI with TDD. After implementation, 🎨 @ux performs the accessibility review. This is the key new content:
🎨 @ux: Accessibility Review, US-004
## Accessibility Audit Report
### WCAG AA Compliance Checklist
| # | Criterion | Status | Detail |
|---|---|---|---|
| 1 | Color contrast (text) | ✅ | 7.2:1 ratio (exceeds 4.5:1) |
| 2 | Color contrast (UI) | ✅ | 4.8:1 ratio (exceeds 3:1) |
| 3 | Keyboard navigation | ✅ | Tab order: email → password → confirm → submit. Logical flow. |
| 4 | Focus indicator visible | ✅ | 3px solid outline on :focus-visible |
| 5 | Screen reader | ✅ | All inputs have <label for="">; error messages use aria-describedby + role="alert" |
| 6 | Semantic HTML | ✅ | <form>, <fieldset>, <legend>, <label>, <button type="submit"> |
| 7 | Form labels | ✅ | Every input has explicit label |
| 8 | Error messages | ✅ | Inline, visible, linked to input via aria-describedby |
| 9 | Focus management | ✅ | On error: focus moves to first invalid field |
| 10 | No reliance on color alone | ✅ | Errors use icon + text + color |
### Responsive Verification
| Breakpoint | Layout | Status |
|---|---|---|
| 320px | Single column | ✅ |
| 768px | Single column | ✅ |
| 1024px | Centered card | ✅ |
| 1280px | Centered card | ✅ |
| 1920px | Centered card | ✅ |
### Overall Score: 10/10 - WCAG AA Compliant
No accessibility issues found.
/agile-code-ci → ✅ All green
/agile-code-commit → feat(ui): add accessible auth pages
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved (Score: 9/10)
👨‍💻 @lead: Clean semantic HTML, good separation
🎨 @ux: Accessibility checklist passed
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (5 points)
/agile-code-branch feature US-005 task-dashboard
/agile-story-plan US-005
/agile-code-tdd US-005
🔴 Test: Dashboard renders task list → ❌
🟢 Implement fetch + render → ✅
🔴 Test: Filter dropdown filters tasks → ❌
🟢 Add filter logic → ✅
🔴 Test: Create task form submits → ❌
🟢 Add create form + API call → ✅
🔴 Test: Delete button removes task → ❌
🟢 Add delete with confirmation → ✅
🎨 @ux: Accessibility Review, US-005
### WCAG AA Compliance Checklist
| Criterion | Status | Detail |
|---|---|---|
| Color contrast | ✅ | All text meets 4.5:1 |
| Keyboard navigation | ✅ | Tab through tasks, filter, action buttons |
| Screen reader | ✅ | Task list uses role="list", status changes announced via aria-live="polite" |
| Delete confirmation | ✅ | Dialog uses role="alertdialog", focus trapped inside |
| Filter dropdown | ✅ | <select> with <label> |
### Responsive Verification
| 320px | 768px | 1024px | 1280px | 1920px |
|---|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ | ✅ |
Score: 10/10 - Accessible
/agile-code-ci → ✅ All green
/agile-code-commit → feat(ui): add task dashboard with filters
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (5 points)
This is new! 🛡️ @sec performs two types of security checks: dependency scanning and code review.
/agile-code-branch feature US-006 security-review
⌨️ @dev: Branch created
- Branch: feature/US-006-security-review
- From: develop (up to date)
- Linked to: US-006
/agile-security-scan
🛡️ @sec responds:
## /agile-security-scan - Dependency Audit
### Scan Summary
- Packages scanned: 147
- Direct dependencies: 12
- Transitive dependencies: 135
### Findings
| # | Package | Severity | CVE | Finding | Fix |
|---|---|---|---|---|---|
| 1 | lodash@4.17.20 | 🔴 HIGH | CVE-2021-23337 | Prototype pollution via template function | Upgrade to ≥4.17.21 |
| 2 | express@4.18.1 | 🟡 MED | CVE-2024-29041 | Path traversal in static file serving | Upgrade to ≥4.19.2 |
### Recommended Actions
1. npm audit fix (resolves both)
2. Add npm audit to CI pipeline
3. Pin major versions in package.json
### Post-Fix Verification
After fix: 0 vulnerabilities found ✅
/agile-security-review
🛡️ @sec responds:
## /agile-security-review - Code Audit
### Scope
Files reviewed: src/routes/auth.js, src/middleware/jwt.js,
src/services/UserService.js, public/js/auth.js
### Findings
| # | Severity | File | Line | Finding | Recommendation |
|---|---|---|---|---|---|
| 1 | 🔴 S0 | src/routes/auth.js | 14 | Password stored as plain text in development seed script | MUST use bcrypt.hash() before INSERT. Remove seed script or hash seed passwords. |
| 2 | 🟡 S2 | src/routes/auth.js | 28 | No rate limiting on POST /auth/login | Add express-rate-limit: max 5 attempts per 15 minutes per IP. |
| 3 | 🟡 S2 | src/middleware/jwt.js | 7 | JWT expiry set to 30 days | Reduce to 1 hour with refresh token, or 24 hours without. |
| 4 | 🔵 S3 | public/js/auth.js | 22 | JWT stored in localStorage | Store in httpOnly cookie or memory only. localStorage is XSS-accessible. |
### Severity Summary
| Severity | Count | Action Required |
|----------|-------|--------------------------|
| 🔴 S0 | 1 | MUST fix before release |
| 🟡 S2 | 2 | SHOULD fix this sprint |
| 🔵 S3 | 1 | COULD fix (improvement) |
### Verdict: ❌ BLOCKED: 1 S0 finding must be resolved
The seed script inserts test users with unhashed passwords directly into the database. This is a critical security flaw: if the seed script ever runs in production, passwords are exposed. @sec blocks the release until this is fixed.
"Fix the S0 finding: hash all passwords in the seed script. Use TDD."
⌨️ @dev fixes with TDD:
🔴 Test: seed users have bcrypt-hashed passwords → ❌
🟢 Update seed script to use bcrypt.hash() → ✅
🔴 Test: seed users can log in → ❌
🟢 Verify login works with hashed seed passwords → ✅
Also fixes S2 findings:
- Added express-rate-limit to login endpoint
- Reduced JWT expiry to 24 hours
/agile-security-review
🛡️ @sec: Re-review Results
| # | Previous Finding | Status |
|---|---|---|
| 1 | 🔴 S0: Plain text passwords | ✅ FIXED (bcrypt) |
| 2 | 🟡 S2: No rate limiting | ✅ FIXED (5/15min) |
| 3 | 🟡 S2: JWT 30-day expiry | ✅ FIXED (24 hrs) |
| 4 | 🔵 S3: localStorage JWT | ⏳ Deferred |
### Verdict: ✅ PASSED: No S0/S1 findings remain
S3 finding accepted as known risk for v1.0.0.
/agile-code-ci → ✅ All green
/agile-code-commit → fix(security): hash seed passwords, add rate limiting, reduce JWT expiry
/agile-code-pr → PR created
/agile-code-pr-review → ✅ Approved
🛡️ @sec: Security review passed
👨‍💻 @lead: Code quality good
/agile-code-merge → Squash merged to develop
/agile-story-dod → ✅ DONE
/agile-story-accept → ✅ ACCEPTED (3 points)
/agile-sprint-status
๐ @sm: Sprint 2 Dashboard
- Sprint Goal Met: โ
Yes
- Points Completed: 13/13 (100%)
- All 3 stories accepted
/agile-sprint-review
## Sprint 2 Review
### Sprint Goal: "Frontend + Security Review"
### Sprint Goal Met: ✅ Yes
| Story | Title | Pts | Status |
|--------|--------------------|-----|-------------|
| US-004 | Auth UI | 5 | ✅ Accepted |
| US-005 | Task dashboard | 5 | ✅ Accepted |
| US-006 | Security review | 3 | ✅ Accepted |
### Velocity
- Sprint 1: 14 points
- Sprint 2: 13 points
- Average: 13.5 points/sprint
/agile-sprint-retro
## Sprint 2 Retrospective
### What Went Well
- @ux caught accessibility issues during planning (not after)
- @sec found the plain text password flaw before release
- Story refinement made Sprint 2 planning fast
### What To Improve
- Should run /agile-security-scan earlier (Sprint 1)
- localStorage JWT deferred: needs follow-up
### Action Items
| Action | Owner | Due |
|---------------------------------|---------|---------|
| Move JWT to httpOnly cookie | @dev | v1.1.0 |
| Add /agile-security-scan to CI | @devops | v1.1.0 |
/agile-memory-learn
@sm: Learnings captured
✅ Saved to: .memory/episodic/learnings.md
- Sprint 2 velocity: 13 points
- @sec caught S0 flaw: validates the security review step
- @ux accessibility-first approach works better than retrofitting
- Average velocity: 13.5 pts/sprint
/agile-ship-changelog
## Changelog: v1.0.0 (2026-04-04)
### Added
- POST /auth/register: user registration with validation (US-001)
- POST /auth/login: JWT authentication (US-002)
- POST /tasks: create task (US-003a)
- GET /tasks: list tasks with status filter (US-003b)
- PUT /tasks/:id: update task status (US-003c)
- DELETE /tasks/:id: delete task (US-003c)
- Login and registration UI: accessible, responsive (US-004)
- Task dashboard UI: filter, create, edit, delete (US-005)
### Security
- Dependency audit: 0 vulnerabilities (US-006)
- Password hashing with bcrypt (cost 12)
- Rate limiting on login endpoint (5 per 15 min)
- JWT expiry reduced to 24 hours
/agile-ship-release v1.0.0
@devops: Release v1.0.0
Branch: release/v1.0.0 from develop
CI: ✅ Green (all 48 tests pass)
Merged to main ✅
Tagged: v1.0.0 ✅
Back-merged to develop ✅
/agile-ship-deploy
@devops: Deployed v1.0.0
Database migration: ✅ Applied
API health check: ✅ /health → 200
Frontend served: ✅ Static files at /
Smoke tests: ✅ Register → Login → Create task → List → Done
| Metric | Value |
|---|---|
| Sprints completed | 2 |
| Stories completed | 8/8 (including 3 from split) |
| Story points delivered | 27 (Sprint 1: 14, Sprint 2: 13) |
| Sprint goals met | ✅ Both |
| Release version | v1.0.0 |
| Test count | 48 tests |
| Security findings fixed | 3 (1 S0, 2 S2) |
| Accessibility score | WCAG AA compliant |
| Roles involved | All 10: @po, @sm, @arch, @lead, @dev, @qa, @devops, @dba, @ux, @sec |
These commands were used here but NOT in Project 01:
| Command | What It Does | Where Used |
|---|---|---|
| ✅ /agile-story-split | Splits oversized stories into independently deliverable sub-stories | US-003 → US-003a/b/c |
| ✅ /agile-sprint-refine | Refines upcoming stories to "Ready" status before planning | Before Sprint 2 planning |
| ✅ /agile-sprint-status | Shows mid-sprint dashboard with burndown, story statuses | During Sprint 1 and Sprint 2 |
| ✅ /agile-security-scan | Scans dependencies for known CVEs | US-006 security review |
| ✅ /agile-security-review | Reviews code for security vulnerabilities | US-006 security review |
All 10 roles contributed. @dba designed the schema before a single line of code was written: proper foreign keys, indexes, and migrations prevented rework. 🎨 @ux ensured every form is accessible: keyboard navigation, screen reader support, responsive down to 320px. 🛡️ @sec caught a critical password storage flaw before it shipped: plain text passwords in the seed script would have been a real vulnerability.
Each role has a specific job, and together they produce software that's correct, secure, accessible, and well-structured. The framework doesn't add ceremony for ceremony's sake. Every check exists because it catches real problems.
What does @dba do before coding starts?
What does @ux check that @lead doesn't?
Why did US-003 need splitting?