Software Engineering 1.0 Redux

Overview

This section is hands on end2end turning the thoughts on Software Engineering 1.0 Redux from the previous pages into reality.

Exploratory

Pre-existing documentation.

Pre-Code

Tip

All of these pre-code outputs were created with a Gemini Gem loaded with a BMAD-Method Full Stack team loaded (modified to add a security agent).

• This gives a guided interactive experience with different Software Engineering roles.

Phase	Input	Chat History	Output
Planning	Pre-existing documentation	Chat history	Product Brief, PRD, UX requirements, Architecture document.
Security Review	Product Brief, PRD, UX requirements, Architecture document.	Chat history	- Security review documents - Changes to the architecture document by the architect based on the security agent's findings
Document Preparation for development consumption	- PRD - Security Story Report from Security Analyst	- Chat history - Chat history	- User Stories - Security Stories ("S-" prefix) - Security Test Cases
Security Review	Newly published Securing Agentic Applications Guide, OWASP Gen AI Security Project - Agentic Security Initiative Version 1.0 July 28, 2025	- Chat history	- Changes to the architecture document, and security documents, based on the security agent's review of the newly published OWASP guide - Changes to 2 Security Stories
GUI	Architecture Document	-BMAD UX Sally chat - Gemini Pro 2.5 Chat to create mockup GUI	Interactive Mockup on Gemini Pro 2.5 Canvas

Phases are shown in chronological order - note that a second security review was done based on a newly published OWASP guide.

Code

Phase	Input	Chat History	Output
Kanban (via Gitbub Project) to plan and track work	- User Stories - Security Stories ("S-" prefix) - Security Test Cases	Chat history	Kanban Board of Stories
Code Review	Deliberately Vulnerable test app for test and demo purposes	-	Vulnerability Report that includes independent analysis and triage of results, and confidence levels

Phase: Existing Exploratory Documentation

In the exploratory part of the project at the start I had some existing documentation:

1. A Cost Analysis was created by using
   1. ChatGPT and Gemini Reasoning models to create an analysis
   2. Getting them to cross-review each other's output and amending their own output as a result
   3. Then taking the amended ChatGPT version as it was more succinct which is what I was looking for.
   4. The cost analysis was a back-of-napkin effort to understand likely operational costs early to see if these were a show-stopper or not.
2. Research Documents using ChatGPT and Gemini Research models and Anthropic
3. ADRs using an existing competed example I liked, and redoing it for the architecture decisions I had made using ChatGPT and Gemini Reasoning models and Anthropic.
4. Some Functional Requirements and use cases and user stories (in a Doc format) from MITRE CWE team.

Phase: BMAD The Planning Workflow

Having reviewed and played with some of the SWE agents, the BMAD-Method was closest to my views on Software 1.0 Redux, so this is used here.

There's 2 BMad Workflows:

• The Planning Workflow
• The Core Development Cycle

See the updated BMAD flows detailing the Security activities I added:

• The Planning Workflow
• The Core Development Cycle

BMAD The Planning Workflow

BMAD method breaks down the requirements and other upstream artifacts into epics and stories, enabling Claude Code to generate structured code and docs with little human intervention (Level 4 Autonomy).

Key Planning Phases

• Optional Analysis: Analyst conducts market research and competitive analysis
• Project Brief: Foundation document created by Analyst or user
• PRD Creation: PM transforms brief into comprehensive product requirements
• Architecture Design: Architect creates technical foundation based on PRD
• Validation & Alignment: PO ensures all documents are consistent and complete
• Refinement: Updates to epics, stories, and documents as needed
• Environment Transition: Critical switch from web UI to IDE for development workflow
• Document Preparation: PO shards large documents for development consumption

Here we build the Upstream Software Engineering Artifacts.

Specifically these are the artifacts that are built with the workflow below.

Setup

The BMAD-METHOD is used.

Specifically, the Fastest Start: Web UI Full Stack Team at your disposal part where you create a Gemini GEM with a BMAD-provided text file.

• All these documents are created via a browser interface (Gemini GEM) so the process is IDE-independent!
• Gemini's long-context window allows it to keep the various documents produced in context so it can make consistent changes across them all.

Tip

The created files are available via

• the Google Gem Canvas
• the prompt response when you request a specific document

Observation

I was impressed how well this setup worked!

• following a logical workflow and prompting for choices or input at each stage (and not getting lost)
• allowing me to request Gemini Gem to output a document at any time (so I could review and version control it before changes)
• allowing me to refine the content or ask questions across all the documents as required e.g. if I suggested a change that impacted multiple documents then this was detected by Gemini and the updates made. This ensured consistency across the artefacts.

Some choices / decisions were deliberately postponed e.g. data exchange formats and schemas per Principle #3 - Assume variability; preserve options. This results in a PARTIAL Status at this point.

Interaction with BMAD Gemini Gem

Success

See the full chat history of creating a Product Brief, PRD, UX requirements, Architecture document.

Tip

I worked the pre-existing document content into the The Planning Workflow by providing the content to the BMAD Persona at the relevant time via the prompt.

Phase: Security Review

BMAD-Method did not have a dedicated Security persona or security documents (but does include some basic security checks)

Other Threat Modeling solutions could be used to create these security documents

• See example security artifacts

Tip

The different Threat Modeling solutions had different features I liked, so I decided to build a BMAD Method Security Agent with all the features I wanted.

The BMAD Method Security Agent fits in the BMAD Planning Workflow

• It reviews the existing documents, creates security documents including threat models, security test cases, and security updates to the architecture document.
• Unlike the other solutions, this Security Agent can also be used during the code implementation phase.

Adding a BMAD Method Security Agent

I added a Security Agent to BMAD per commits from Crashedmind. The commit descriptions give the details.

You can browse through the files e.g.:

• Security Agent
• Security Tasks

Tip

The Security Agent creates these Security review documents

Document	Description
security_assessment.md	Initial security assessment and analysis
threat_model.md	Complete STRIDE threat model
dread.md	Quantitative DREAD risk assessment
security_story_report.md	Actionable security user stories
https://github.com/CWE-ChatBot/CWE-ChatBot/tree/main/docs/security/bmad_fullagent_security/security_test_cases.md	Security test cases and validation scenarios
security_architecture_checklist.md	Architecture checklist validation
compliance_audit.md	GDPR compliance audit

Building the Bundles

The builder gathers all the relevant files for all the agents into single files in https://github.com/CyberSecAI/BMAD-METHOD/tree/feature/add-new-agent-security/dist/teams

• e.g. team-fullstack.txt contains all the agents including security, and all the other files they need.

Create a Gemini Gem with the FullStack team

• https://gemini.google.com/
• Explore Gems
• New Gems
• CopyNPaste team-fullstack.txt into instructions
• Save

Using the BMAD Method Security Agent via the Gemini Gem with FullStack team

1. Collate the project brief, prd, architecture etc... md files into one file (e.g. using gitingest)
2. At the prompt say "here's my existing documentation" and copyNpaste the collated md file into the prompt
3. Click the Submit Arrow
4. The workflow kicks off

Success

See the

• full chat history using the Security Agent.
• full chat history creating and using the Security Agent (Video)
• output security artifacts.

• changes to the architecture document by the architect based on the security agent's findings

  • "| July 23, 2025 | 2.0 | Integrated security agent's findings (WAF, AI Guardrails, DoS Protection, Enhanced Logging). | Winston (Architect) |"

Document Preparation for development

Key Planning Phases

When to move to the IDE: Once you have your PRD, Architecture, optional UX and Briefs - its time to switch over to the IDE to shard your docs, and start implementing the actual code!

Coming soon..

Phase: Core Development Cycle

Vulnerability Assessment Analyst Tanya

"Use for performing security scans, identifying and documenting software vulnerabilities, analyzing code for weaknesses, validating patches, assessing system configurations, verifying compliance with security standards, and generating vulnerability reports for audit or remediation purposes."

The original brief from a user AVSuun

Adding a Vulnerability Assessment Analyst

I wanted to give the VulnerabilityTech agent access to tools for

• Static Analysis Security Testing (SAST) - combining traditional SAST tools with LLM review
• Dependency checking

I decided to use Claude Code Sub-agents for this (announced a few days ago https://docs.anthropic.com/en/docs/claude-code/sub-agents).

• I only focused on Claude Code - not other environments that BMAD may work on.

BMAD Agents vs Claude Code Sub-Agents

Claude Code Sub-Agents

• What They Are: Specialized AI assistants with custom system prompts and tool access
• Architecture: Defined as Markdown files with YAML frontmatter in .claude/agents/
• Operation: Isolated context windows with specific expertise and granular tool permissions
• Delegation: Automatic selection by Claude Code or explicit user invocation
• Benefits: Focused expertise, faster analysis, parallel processing capabilities

BMad Framework Current State

• 12 Specialized Agents: Comprehensive personas in bmad-core/agents/
• Complex Configuration: YAML-based with dependencies and external task references
• Full Context Maintenance: Complete operating instructions and workflow definitions
• Command Syntax: *command activation with extensive persona definitions

Key Architectural Differences

1. Complexity: BMad = comprehensive personas vs Claude = focused sub-agents
2. Dependencies: BMad = external task references vs Claude = self-contained
3. Context: BMad = full context maintenance vs Claude = isolated context windows
4. Activation: BMad = explicit commands vs Claude = automatic delegation

Claude Code sub-agents Setup

See how I setup Claude Code sub-agents to work with BMAD agents that describes how BMAD agents call Claude Code sub-agents.

Four Claude Code sub-agents were added:

Claude sub-agent	Purpose
dependency-scanner	I am a specialized security analyst focused on third-party component security assessment and supply chain risk analysis. My expertise covers dependency vulnerability scanning, license compliance, and supply chain security validation according to NIST SSDF practices.
pattern-analyzer	I am a specialized security pattern analyst focused on detecting secure and insecure coding patterns across multiple programming languages. My expertise leverages language-specific security knowledge from expansion packs to validate secure coding practices and identify anti-patterns that introduce vulnerabilities.
security-reviewer	I am a Level 2 orchestrator sub-agent that coordinates comprehensive security analysis by leveraging specialized tool sub-agents. My role is to orchestrate hybrid SAST + LLM security analysis for maximum accuracy and coverage, focusing on practical, exploitable security issues that pose real risks to applications and systems.
test-validator	I am a specialized security testing analyst focused on validating the quality, coverage, and effectiveness of security tests within software projects. My expertise ensures that security testing meets NIST SSDF standards and provides robust protection against real-world threats.

I also added a tests dir to BMAD be able to test this.

• This includes a deliberately vulnerable app to test:

VulnerabilityTech Agent Report

Success

See example output report.

https://github.com/CyberSecAI/BMAD-METHOD/blob/feature/claude-code-sub-agents-integration/tests/reports/consolidated-security-report.md#%EF%B8%8F-nist-ssdf-compliance-assessment

Other Claude Code Workflows

There are other Claude Code workflows, some example are given here.

UI Designer

https://www.youtube.com/watch?v=TyGx277x9hQ

Retrospectives

https://www.youtube.com/watch?v=ai_sSQH1Pn4&t=478s

Multitasking

https://www.geeky-gadgets.com/how-to-use-git-worktrees-with-claude-code-for-seamless-multitasking/

There are UI tools built on GIT worktrees to support this.

Other non-Claude Code Workflows

Accessibility

https://github.com/scragz/kornelius/blob/main/prompts/audit/a11y.prompt

References

1. https://harper.blog/2025/02/16/my-llm-codegen-workflow-atm/
2. https://www.geeky-gadgets.com/how-to-use-git-worktrees-with-claude-code-for-seamless-multitasking/
3. https://github.com/ryoppippi/ccusage
4. https://github.com/eyaltoledano/claude-task-master/blob/main/docs/tutorial.md
5. https://www.reddit.com/r/vibecoding/comments/1lu37up/vibecoding_is_straight_chaos_without_instructions/
6. https://www.reddit.com/r/vibecoding/comments/1l5o93n/lets_talk_about_security/