feat: add Web UI implementation with CI/CD pipeline

- Add web-ui-ci.yml GitHub Actions workflow for continuous integration
- Add Next.js web application in apps/web directory
- Configure Husky for git hooks
- Update package.json dependencies and scripts
- Update .gitignore for Next.js and web app exclusions
- Update README with Web UI features and setup instructions
- Update various package.json files with scoped @BlackUnicorn packages
- Add security configuration updates
- Update test files for new dependencies

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SchenLong

.claude/validators-node/package.json

@@ -46,9 +46,11 @@
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.980.0",
-    "@typescript-eslint/eslint-plugin": "8.54.0",
-    "@typescript-eslint/parser": "8.54.0",
+    "@typescript-eslint/eslint-plugin": "^8.54.0",
+    "@typescript-eslint/parser": "^8.54.0",
     "commander": "^14.0.2",
-    "eslint": "9.39.2"
+    "eslint": "9.39.2",
+    "eslint-config-next": "12.0.4",
+    "typescript-eslint": "8.36.0"
   }
 }

.github/workflows/web-ui-ci.yml

@@ -0,0 +1,214 @@
+name: BMAD Web UI CI
+
+on:
+  push:
+    branches: [main, develop, BMAD-CYBEROPS-RP, WEB-UI]
+    paths:
+      - 'apps/web-ui/**'
+      - '.github/workflows/web-ui-ci.yml'
+  pull_request:
+    branches: [main, develop, BMAD-CYBEROPS-RP]
+    paths:
+      - 'apps/web-ui/**'
+      - '.github/workflows/web-ui-ci.yml'
+  workflow_dispatch:
+    inputs:
+      run-e2e:
+        description: 'Run E2E tests (slower)'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+      run-performance:
+        description: 'Run performance tests'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+
+env:
+  NODE_VERSION: '20'
+  WORKING_DIR: './apps/web-ui'
+
+defaults:
+  run:
+    working-directory: ${{ env.WORKING_DIR }}
+
+jobs:
+  security:
+    name: Security Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.3.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@d02c89dce7e1ba9ef629ce0680989b3a1cc72edb # v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: ${{ env.WORKING_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run security audit
+        run: npm run security:audit
+
+      - name: Run OWASP Top 10 tests
+        run: npm run test:owasp
+
+      - name: Run security tests
+        run: npm run test:security
+
+  test:
+    name: Unit & Integration Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.3.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@d02c89dce7e1ba9ef629ce0680989b3a1cc72edb # v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: ${{ env.WORKING_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run unit tests
+        run: npm run test:unit
+
+      - name: Run integration tests
+        run: npm run test:integration
+
+      - name: Run tests with coverage
+        run: npm run test:ci
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5 # v4.6.2
+        with:
+          name: coverage-report
+          path: ${{ env.WORKING_DIR }}/coverage/
+          retention-days: 7
+
+  lint:
+    name: Lint & Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.3.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@d02c89dce7e1ba9ef629ce0680989b3a1cc72edb # v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: ${{ env.WORKING_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run ESLint
+        run: npm run lint
+
+      - name: Build project
+        run: npm run build
+        env:
+          NEXT_TELEMETRY_DISABLED: 1
+
+  # E2E tests (optional - manual trigger or push)
+  e2e:
+    name: E2E Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    if: github.event.inputs.run-e2e == 'true' || github.event_name == 'push'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.3.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@d02c89dce7e1ba9ef629ce0680989b3a1cc72edb # v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: ${{ env.WORKING_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium firefox webkit
+
+      - name: Run E2E tests
+        run: npm run test:e2e
+        env:
+          CI: true
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@47309c993abb98030a35d55ef7ff34b7fa1074b5 # v4.6.2
+        if: always()
+        with:
+          name: playwright-report
+          path: ${{ env.WORKING_DIR }}/playwright-report/
+          retention-days: 7
+
+  # Performance tests (optional)
+  performance:
+    name: Performance Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    if: github.event.inputs.run-performance == 'true' || github.event_name == 'push'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.3.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@d02c89dce7e1ba9ef629ce0680989b3a1cc72edb # v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: ${{ env.WORKING_DIR }}/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install K6
+        run: |
+          curl https://github.com/grafana/k6/releases/download/v1.6.1/k6-v1.6.1-linux-amd64.tar.gz -L | tar xvz
+          sudo mv k6-v1.6.1-linux-amd64/k6 /usr/local/bin/
+
+      - name: Run smoke test
+        run: npm run test:perf:smoke
+
+  quality-gate:
+    name: Quality Gate
+    runs-on: ubuntu-latest
+    needs: [security, test, lint]
+    timeout-minutes: 5
+
+    steps:
+      - name: Quality Gate Passed
+        run: |
+          echo "## BMAD Web UI Quality Gate" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Status: PASSED ✅" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "All required checks passed:" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Security Tests" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Unit & Integration Tests" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Lint & Build" >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -260,3 +260,42 @@ team/test-fixes-plan.md
 
 # Backup files - NEVER commit
 team/backups/
+
+# ===================
+# Web Applications
+# ===================
+# WebUI application - local development files
+apps/web-ui/.next/
+apps/web-ui/node_modules/
+apps/web-ui/.env
+apps/web-ui/.env.*
+apps/web-ui/*.db
+apps/web-ui/*.db-journal
+apps/web-ui/coverage/
+apps/web-ui/playwright-report/
+apps/web-ui/test-results/
+apps/web-ui/build/
+apps/web-ui/out/
+apps/web-ui/.turbo/
+apps/web-ui/.vercel
+apps/web-ui/.github/
+apps/web-ui/performance-results.json
+apps/web-ui/prisma/*.db
+apps/web-ui/prisma/*.db-journal
+apps/web-ui/prisma/*.bak
+
+# But keep source code and configuration
+!apps/web-ui/src/
+!apps/web-ui/public/
+!apps/web-ui/app/
+!apps/web-ui/*.ts
+!apps/web-ui/*.tsx
+!apps/web-ui/*.js
+!apps/web-ui/*.mjs
+!apps/web-ui/*.json
+!apps/web-ui/*.css
+!apps/web-ui/.*.example
+!apps/web-ui/prisma/migrations/
+!apps/web-ui/prisma/schema.prisma
+!apps/web-ui/README.md
+!apps/web-ui/.gitignore

.husky/pre-commit

@@ -0,0 +1,70 @@
+#!/bin/bash
+# BMAD Pre-commit Hook
+# Runs security validation and fast quality checks
+
+set -e
+
+echo "🔐 Running pre-commit checks..."
+
+# ============================================
+# Part 1: BMAD Security Validation
+# ============================================
+# Run security validation if script exists
+if [[ -f "security-validation.js" ]]; then
+    if ! node security-validation.js --quiet; then
+        echo "❌ Security validation failed!"
+        echo "   Review security-validation-results.json for details"
+        echo "   Fix security issues before committing"
+        exit 1
+    fi
+fi
+
+# Check for sensitive files
+SENSITIVE_FILES=(".bmad-key" ".bmad-token")
+for file in "${SENSITIVE_FILES[@]}"; do
+    if git diff --cached --name-only | grep -q "^$file$"; then
+        echo "❌ Attempting to commit sensitive file: $file"
+        echo "   Remove from staging area and use environment variables"
+        exit 1
+    fi
+done
+
+echo "✅ BMAD security validation passed"
+
+# ============================================
+# Part 2: BMAD Web UI Quality Checks
+# ============================================
+# Only run if web-ui files are being committed
+WEB_UI_FILES=$(git diff --cached --name-only | grep -c "^team/bmad-web-ui/" || true)
+
+if [[ "$WEB_UI_FILES" -gt 0 ]]; then
+    echo "📦 BMAD Web UI files changed, running quality checks..."
+
+    # Change to web-ui directory for commands
+    cd team/bmad-web-ui || exit 1
+
+    # Run ESLint on staged files
+    echo "🔍 Running ESLint..."
+    if ! npm run lint -- --quiet 2>/dev/null; then
+        echo "❌ ESLint failed!"
+        echo "   From web-ui dir run: npm run lint"
+        echo "   Or use: git commit --no-verify to bypass (not recommended)"
+        exit 1
+    fi
+    echo "✅ ESLint passed"
+
+    # Run security audit for high/critical vulnerabilities
+    echo "🔒 Running security audit..."
+    if ! npm run security:audit --audit-level=high 2>/dev/null; then
+        echo "⚠️  Security audit found high/critical vulnerabilities!"
+        echo "   From web-ui dir run: npm audit fix"
+        echo "   Review with: npm audit"
+        echo "   Or use: git commit --no-verify to bypass (not recommended)"
+        exit 1
+    fi
+    echo "✅ Security audit passed (no high/critical vulnerabilities)"
+
+    cd ../..
+fi
+
+echo "✅ All pre-commit checks passed!"

.husky/pre-push

@@ -0,0 +1,50 @@
+#!/bin/bash
+# BMAD Pre-push Hook
+# Runs full test suite before pushing to remote
+
+set -e
+
+echo "🚀 Running pre-push checks..."
+
+# ============================================
+# BMAD Web UI Test Suite
+# ============================================
+# Only run if web-ui files were modified in commits being pushed
+WEB_UI_FILES=$(git diff --name-only HEAD@{push} 2>/dev/null | grep -c "^team/bmad-web-ui/" || true)
+
+# Fallback: check if uncommitted changes exist in web-ui
+if [[ "$WEB_UI_FILES" -eq 0 ]]; then
+    WEB_UI_FILES=$(git diff --name-only | grep -c "^team/bmad-web-ui/" || true)
+fi
+
+if [[ "$WEB_UI_FILES" -gt 0 ]] && [[ -d "team/bmad-web-ui" ]]; then
+    echo "📦 BMAD Web UI files changed in push, running test suite..."
+
+    # Change to web-ui directory for commands
+    cd team/bmad-web-ui || exit 1
+
+    # Run the full security + integration test suite
+    echo "🧪 Running test:security..."
+    if ! npm run test:security 2>&1 | tail -20; then
+        echo "❌ Security tests failed!"
+        echo "   Run from web-ui directory: npm run test:security"
+        echo "   Or use: git push --no-verify to bypass (not recommended)"
+        exit 1
+    fi
+    echo "✅ Security tests passed"
+
+    echo "🧪 Running test:integration..."
+    if ! npm run test:integration 2>&1 | tail -20; then
+        echo "❌ Integration tests failed!"
+        echo "   Run from web-ui directory: npm run test:integration"
+        echo "   Or use: git push --no-verify to bypass (not recommended)"
+        exit 1
+    fi
+    echo "✅ Integration tests passed"
+
+    cd ../..
+else
+    echo "ℹ️  No BMAD Web UI changes detected, skipping tests"
+fi
+
+echo "✅ All pre-push checks passed!"