Architectural Mode
STRIDE threat analysis, ADR security evaluation, trust boundary mapping, Azure compliance checks (Policy, RBAC, Well-Architected Framework).
Support Agents
Five agents handle the non-linear parts of delivery: code review, security assessment, sprint planning, backlog health, and framework customization.
devsquad.review Quality
Section titled “devsquad.review ”Validate implementation against spec, ADRs, and plan with independent context.
| Produces | Review log with findings by severity |
| Handoff | to implement, specify, or plan |
| Skills | documentation-style, reasoning, quality-gate |
Key design principle: The review agent operates with clean context. It did not participate in implementation, reducing confirmation bias.
Coordinator execution model:
- Parallel checkers: Spec, ADR, code, security, and tests validation run in isolated worker contexts
- Merged verdict: The coordinator consolidates findings, classifies severity, and decides whether self-correction can proceed
Three trigger scopes:
- Pull Request: Code-level review of changes
- Work item: Task-level validation against acceptance criteria
- Feature completion: Full feature validation against spec, ADRs, and plan
Self-correction loop: maximum 2 attempts before escalating findings.
devsquad.security Security
Section titled “devsquad.security ”Security assessment in two modes: architectural (design-time) and code (implementation-time).
| Produces | Security report with findings |
| Handoff | to implement or review |
| Skills | documentation-style, reasoning |
Code Mode
OWASP vulnerability checks, dependency scanning, GitHub security alerts (code scanning, secret scanning, Dependabot).
Six security principles applied:
- CIA Triad: Confidentiality, Integrity, Availability
- Defense in Depth: Multiple layers of security controls
- Least Privilege: Minimum permissions required
- Secure by Default: Secure configuration out of the box
- Zero Trust: Verify explicitly, assume breach
- Shift Left: Security early in the lifecycle
Triggers: authentication/authorization, sensitive data, external integrations, exposed endpoints, data persistence.
devsquad.sprint Planning
Section titled “devsquad.sprint ”Sprint planning with previous sprint closure, velocity analysis, and adaptive capacity.
| Produces | docs/sprints/sprint-N.md + scope options |
| Handoff | to plan, decompose, or specify |
| Skills | documentation-style, reasoning |
Five-step execution:
- Previous sprint closure: Planned vs actual, velocity, goal achievement
- Historical velocity: Calculated from 2+ sprints of data
- Capacity calculation: Team size, availability, adjustment factors
- Backlog readiness: Flag incomplete items, missing dependencies
- Scope options: Committed vs stretch scenarios with data
Operating principles: Options not recommendations. Dependencies visible. Gaps visible. Evidence-based.
devsquad.refine Health
Section titled “devsquad.refine ”Analyze backlog health and detect inconsistencies between specs, ADRs, and work items.
| Produces | Analysis report with fixes |
| Handoff | to specify, plan, decompose, or kickoff |
| Skills | documentation-style, reasoning, work-item-creation |
Six analysis categories:
- Spec-Board Mismatch: Specs updated after tasks were created
- ADR-Implementation Gap: Decisions made but not reflected in code
- Missing Tasks: User story without task coverage
- Orphan Tasks: Tasks without parent user story
- Stale PRs: Open, unreviewed, or failing CI
- Unfinished Dependencies: Blocking tasks still open
Principles: Read-first with surgical edits. Facts, not opinions. No false positives. Configurable scope.
Execution model: devsquad.refine can fan out artifact analysis and backlog health checks into parallel workers, then merge the results into a single report.
devsquad.extend Extension
Section titled “devsquad.extend ”Guide creation of extensions for the SDD framework.
| Produces | Custom instructions, skills, agents, or hooks |
| Handoff | varies |
| Skills | documentation-style, reasoning |
Decision tree for choosing the right mechanism:
| Criterion | Mechanism |
|---|---|
| Less than 50 lines, applies to file type | Instruction |
| 50-200 lines, reusable by agents | Skill |
| Over 200 lines or needs own tools | Agent |
| Deterministic post-action validation | Hook |
| Inject MCP tools into agents | Tool Extension |
| Access external API | MCP Server |
Process: Understand need, Recommend mechanism, Check name collision, Scaffold with reference example.
What to Read Next
Section titled “What to Read Next”- Lifecycle Agents for the main delivery pipeline
- Delivery Guardrails for the philosophy behind quality enforcement