fix: correct 3 broken file refs and enforce validator as CI quality gate

[alexeyv]

What

• Fixed 3 broken file references in 2 source files
• Enabled --strict mode on the file reference validator so broken references now fail CI instead of logging warnings and exiting 0

Why

The validator (tools/validate-file-refs.js) has always supported --strict mode but was invoked without it in CI, making it advisory-only. Broken references could be merged undetected indefinitely.

Three references were broken and confirmed by running the validator in strict mode:

1. src/bmm/workflows/3-solutioning/create-architecture/workflow.md line 39 — installed_path referenced bmm/workflows/3-solutioning/architecture but the directory is named create-architecture
2. src/bmm/workflows/4-implementation/create-story/checklist.md lines 36 and 66 — referenced core/tasks/validate-workflow.xml which does not exist; the actual file is core/tasks/workflow.xml

How

• Corrected the 3 broken paths in the 2 affected files
• Added --strict to validate:refs in package.json — no changes needed in the CI workflow YAML itself, which already calls npm run validate:refs
• Validator now passes clean: 0 broken references across 467 refs in 214 files

Related

Fixes the enforcement gap described in #1626.

[augmentcode]

🤖 Augment PR Summary

Summary: Fixes three broken workflow/documentation file references and updates the validate:refs npm script to run the file-ref validator in strict mode.


Why: Ensures broken references now fail CI (quality gate) instead of only emitting warnings, preventing undetected link rot.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

[coderabbitai]

📝 Walkthrough

Walkthrough

Three configuration and documentation files are updated to tighten file reference validation and standardize workflow framework references. The validate:refs npm script is enhanced with a --strict flag, and workflow files are updated to use the new workflow.xml framework instead of validate-workflow.xml.

Changes

Cohort / File(s)	Summary
NPM Script Configuration package.json	Added --strict flag to validate:refs script to enable stricter file reference validation during CI workflows.
Workflow Framework References src/bmm/workflows/3-solutioning/create-architecture/workflow.md, src/bmm/workflows/4-implementation/create-story/checklist.md	Updated installed_path and framework references from old validation structure to new workflow.xml framework; adjusted dependent path configurations accordingly.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

• validate-file-refs.js runs warning-only — broken refs never fail CI #1626: Main change directly enables strict mode for validate-file-refs.js tool to ensure broken references fail CI as requested.

Possibly related PRs

• fix(bmm): resolve dead references and syntax errors in agents and workflows #1164: Both PRs update workflow validation references; main PR changes validate-workflow.xml → workflow.xml in checklist.md while related PR modifies similar validation references in workflow context.
• feat: cross-file reference validator for BMAD source files #1494: Introduced the validate-file-refs.js tool that this PR now invokes with the --strict flag.
• feat: extend Layer 1 file-ref validator to scan CSV workflow-file references #1573: Modifies the validate-file-refs.js script implementation to add CSV support; this PR changes how the script is invoked in package.json.

Suggested reviewers

• bmadcode

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main changes: fixing broken file references and enforcing the validator as a CI quality gate, which is the core purpose of this PR.
Description check	✅ Passed	The description comprehensively explains what was changed, why it was necessary, and how the changes were implemented, with specific details about the broken references and validator behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

src/bmm/workflows/4-implementation/create-story/checklist.md (2)

189-189: ⚠️ Potential issue | 🟡 Minor

Duplicate "Step 5" labels create navigational ambiguity for AI agents.

The document contains two distinct sections each labeled "Step 5" — one in the SYSTEMATIC RE-ANALYSIS APPROACH and one in the INTERACTIVE IMPROVEMENT PROCESS. Since AI agents executing workflows navigate by step label, a step-by-label lookup will be ambiguous or resolve to whichever Step 5 appears first in context. The second block's steps should be renumbered relative to its own section, or the section headers should be disambiguated (e.g., "Phase 2, Step 5").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/bmm/workflows/4-implementation/create-story/checklist.md` at line 189,
The document has two sections both labeled "Step 5" causing ambiguous
step-by-label navigation; update the second occurrence inside the "INTERACTIVE
IMPROVEMENT PROCESS" (or its sub-steps) so labels are unique—either renumber its
steps (e.g., to "Step 1/Step 2..." within that section or continue the global
sequence) or disambiguate the section header (e.g., "Phase 2 — Step 5") to
ensure any step-by-label lookup (references to "Step 5" in the SYSTEMATIC
RE-ANALYSIS APPROACH and INTERACTIVE IMPROVEMENT PROCESS) maps unambiguously to
a single target.

---

54-54: ⚠️ Potential issue | 🟠 Major

Missed fix: line 54 still names the non-existent validate-workflow.xml.

Lines 36 and 66 were updated to workflow.xml, but line 54 in the Required Inputs block was not. An AI agent that reads this section to determine which framework file to load now sees two contradictory names inside the same document. Since validate-workflow.xml does not exist, any agent that selects its framework from the Required Inputs list will silently fail to load the framework.

This bare filename was invisible to the file-reference validator because the validator resolves full-path patterns, not standalone filenames — which is also a systematic gap worth documenting separately (see the package.json comment).

🐛 Proposed fix

-  - **Validation framework**: `validate-workflow.xml` (handles checklist execution)
+  - **Validation framework**: `workflow.xml` (handles checklist execution)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/bmm/workflows/4-implementation/create-story/checklist.md` at line 54,
Update the "Required Inputs" block in the checklist to remove the obsolete
filename `validate-workflow.xml` and replace it with `workflow.xml` so it
matches the other references (lines previously changed at 36 and 66);
specifically edit the "Validation framework" entry in the Required Inputs
section (the text showing `validate-workflow.xml`) to read `workflow.xml` to
avoid agents trying to load a non-existent framework file.

package.json (2)

51-65: ⚠️ Potential issue | 🟠 Major

lint-staged has no validate:refs hook — broken refs can be committed without local feedback.

The *.md entry only runs markdownlint-cli2. A developer editing a workflow .md file and introducing a broken file reference will not be warned at commit time; the error surfaces only in CI after a push.

Consider adding a lint-staged entry for .md files that runs validate:refs (accepting that it will re-scan all refs, not just staged files, which is a known limitation of whole-repo validators):

🛡️ Proposed fix

     "*.md": [
-      "markdownlint-cli2"
+      "markdownlint-cli2",
+      "npm run validate:refs"
     ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 51 - 65, The lint-staged config for "*.md" only
runs "markdownlint-cli2" and misses the repository-level refs validator, so add
the "npm run validate:refs" step to the "*.md" array in package.json's
"lint-staged" block (accepting that validate:refs is a whole-repo check); update
the "*.md" entry to run both "markdownlint-cli2" and "npm run validate:refs" so
broken file references are caught locally before commit.

---

43-46: ⚠️ Potential issue | 🟠 Major

Two independent ref-checking tools with no documented relationship — false safety is possible.

test:refs (CSV extraction testing, test/test-file-refs-csv.js) is in the test script and tests only the extractCsvRefs() function. validate:refs (comprehensive ref validation, tools/validate-file-refs.js --strict) is defined but not in the test script. The latter validates all reference patterns across YAML, markdown, XML, CSV, relative paths, exec attributes, invoke-task directives, step metadata, Load directives, and absolute path leaks.

A broken reference that test:refs does not cover (for example, an invalid exec="..." attribute in YAML or a broken relative path in markdown) will silently pass npm test because validate:refs --strict is never executed. This divergence in scope undermines the enforcement guarantee. Until validate:refs is merged into the test script or explicitly documented as a separate validation tier, the test suite creates a false sense of confidence.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 46, The test script currently runs
"test:refs" (which only exercises extractCsvRefs()) but omits "validate:refs"
(tools/validate-file-refs.js --strict), allowing many ref errors to slip by;
update package.json so the top-level "test" script includes "validate:refs"
(e.g., add an npm run validate:refs step after "test:refs") so the comprehensive
validation is executed as part of npm test, or alternatively add a clear
documented note in README explaining that "validate:refs" is a separate,
required validation tier if you intentionally keep it out of the test flow.

🧹 Nitpick comments (1)

package.json (1)

48-48: The --strict flag is correctly implemented — but validation is enforced only in CI, not in the local development loop.

The validator properly parses and uses the --strict flag (it transforms warnings into errors). However, validate:refs is invoked only in the CI pipeline (line 116 of .github/workflows/*.yml), not in npm test or lint-staged. Developers running the standard local test loop (npm test) receive no feedback on broken file references until the PR reaches CI.

While this is not a systematic enforcement failure, it creates friction: developers must wait for CI feedback to catch reference issues locally detectable by npm run validate:refs.

Optional: wire validate:refs into npm test for tighter local feedback

-    "test": "npm run test:schemas && npm run test:refs && npm run test:install && npm run validate:schemas && npm run lint && npm run lint:md && npm run format:check",
+    "test": "npm run test:schemas && npm run test:refs && npm run test:install && npm run validate:schemas && npm run validate:refs && npm run lint && npm run lint:md && npm run format:check",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 48, Add the validate:refs script into the local dev
test loop so file-ref validation runs outside CI: update package.json to invoke
the existing "validate:refs" (the npm script name) as part of the "test" command
(or add it as a "pretest" script) and/or include it in the lint-staged or
pre-commit hooks so developers get immediate feedback; reference the
"validate:refs" npm script and modify the "test" (or "pretest") script entry in
package.json to run npm run validate:refs before the existing test steps.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 48: The CI script "validate:refs" currently passes the --strict flag
which gives a false sense of full coverage because tools/validate-file-refs.js
intentionally skips validating the "{installed_path}" interpolation; either
remove the --strict flag from the "validate:refs" npm script in package.json to
avoid gating on partial validation, or extend tools/validate-file-refs.js (the
validation logic) to treat "{installed_path}" patterns as validatable (add
parsing/lookup or explicit checks) and update docs/README to call out the new
coverage so maintainers know the limitation is addressed.

---

Outside diff comments:
In `@package.json`:
- Around line 51-65: The lint-staged config for "*.md" only runs
"markdownlint-cli2" and misses the repository-level refs validator, so add the
"npm run validate:refs" step to the "*.md" array in package.json's "lint-staged"
block (accepting that validate:refs is a whole-repo check); update the "*.md"
entry to run both "markdownlint-cli2" and "npm run validate:refs" so broken file
references are caught locally before commit.
- Around line 43-46: The test script currently runs "test:refs" (which only
exercises extractCsvRefs()) but omits "validate:refs"
(tools/validate-file-refs.js --strict), allowing many ref errors to slip by;
update package.json so the top-level "test" script includes "validate:refs"
(e.g., add an npm run validate:refs step after "test:refs") so the comprehensive
validation is executed as part of npm test, or alternatively add a clear
documented note in README explaining that "validate:refs" is a separate,
required validation tier if you intentionally keep it out of the test flow.

In `@src/bmm/workflows/4-implementation/create-story/checklist.md`:
- Line 189: The document has two sections both labeled "Step 5" causing
ambiguous step-by-label navigation; update the second occurrence inside the
"INTERACTIVE IMPROVEMENT PROCESS" (or its sub-steps) so labels are unique—either
renumber its steps (e.g., to "Step 1/Step 2..." within that section or continue
the global sequence) or disambiguate the section header (e.g., "Phase 2 — Step
5") to ensure any step-by-label lookup (references to "Step 5" in the SYSTEMATIC
RE-ANALYSIS APPROACH and INTERACTIVE IMPROVEMENT PROCESS) maps unambiguously to
a single target.
- Line 54: Update the "Required Inputs" block in the checklist to remove the
obsolete filename `validate-workflow.xml` and replace it with `workflow.xml` so
it matches the other references (lines previously changed at 36 and 66);
specifically edit the "Validation framework" entry in the Required Inputs
section (the text showing `validate-workflow.xml`) to read `workflow.xml` to
avoid agents trying to load a non-existent framework file.

---

Nitpick comments:
In `@package.json`:
- Line 48: Add the validate:refs script into the local dev test loop so file-ref
validation runs outside CI: update package.json to invoke the existing
"validate:refs" (the npm script name) as part of the "test" command (or add it
as a "pretest" script) and/or include it in the lint-staged or pre-commit hooks
so developers get immediate feedback; reference the "validate:refs" npm script
and modify the "test" (or "pretest") script entry in package.json to run npm run
validate:refs before the existing test steps.