From bee-pm-team
Gate 6: Technology choices document - explicit, versioned, validated technology selections with justifications. Large Track only. HARD BLOCK: Must load Bee Standards and PROJECT_RULES.md before proceeding.
npx claudepluginhub luanrodrigues/ia-frmwrk --plugin bee-pm-teamThis skill uses the workspace's default tool permissions.
**Every technology choice must be explicit, versioned, validated against Bee Standards, and justified.**
Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.
Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.
Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.
Every technology choice must be explicit, versioned, validated against Bee Standards, and justified.
Using vague or "latest" dependencies creates:
The Dependency Map answers: WHAT specific products, versions, packages, and infrastructure we'll use. The Dependency Map never answers: HOW to implement features (that's Tasks/Subtasks).
This is a HARD GATE. Do NOT proceed without loading Bee Standards and TRD decisions.
Read docs/pre-dev/{feature-name}/trd.md and extract: deployment.model, tech_stack.primary, project_technologies[]
If TRD metadata missing: BLOCKER → Go back to TRD (Gate 3) and complete Step 0.4
| Standard | URL | Purpose |
|---|---|---|
| typescript.md | https://raw.githubusercontent.com/luanrodrigues/ia-frmwrk/master/dev-team/docs/standards/typescript.md | TypeScript patterns |
| frontend.md | https://raw.githubusercontent.com/luanrodrigues/ia-frmwrk/master/dev-team/docs/standards/frontend.md | Frontend patterns |
| sre.md | https://raw.githubusercontent.com/luanrodrigues/ia-frmwrk/master/dev-team/docs/standards/sre.md | Observability, logging |
Bee Standards = coding patterns, observability, logging, error handling (shared across ALL projects) PROJECT_RULES.md = specific technologies, versions, database choices (specific to THIS project)
Using TRD project_technologies[], create docs/PROJECT_RULES.md with: deployment model, tech stack, per-category decisions (PRD requirement, technology, version, rationale, cloud service, on-premise alternative), version matrix, security/compliance.
| Pressure | Response |
|---|---|
| "TRD doesn't have technology decisions" | "Go back to TRD (Gate 3) and complete Step 0.4 (PRD analysis)." |
| "Bee Standards are optional" | "Bee Standards define coding patterns. PROJECT_RULES.md defines technologies. Both needed." |
| "Just use defaults" | "Defaults come from PRD analysis in TRD. Read TRD first." |
| "Skip to save time" | "PROJECT_RULES.md is the output. Cannot skip the output." |
| Phase | Activities |
|---|---|
| 1. Evaluation | Bee Standards loaded (Step 0); PROJECT_RULES.md loaded; Data Model (Gate 5), API Design (Gate 4), TRD (Gate 3) passed; map TRD components to tech candidates; validate against Bee Standards; map Data Model to storage; map API contracts to protocols; check team expertise; estimate costs |
| 2. Selection | Per technology: check Bee Standards (mandatory/prohibited), check PROJECT_RULES.md overrides, specify exact version, list alternatives with trade-offs, verify compatibility, check security (CVEs), validate licenses, calculate costs |
| 3. Gate 6 Validation | All dependencies explicit, no conflicts, no critical CVEs, licenses compliant, team expertise, costs documented, all components mapped |
Exact package names with versions (laravel/framework@^11.0), tech stack with constraints (PHP 8.3+, PostgreSQL 16), infrastructure specs (Valkey 8, MinIO), external SDKs, dev tools, security deps, monitoring tools, compatibility matrices, license summary, cost analysis
Implementation code, how to use dependencies, task breakdowns, setup instructions, architectural patterns (TRD), business requirements (PRD)
@v1.27.0 not @latest or ^1.0.0>=, document whycomposer.lock, package-lock.json, etc.| Excuse | Reality |
|---|---|
| "Latest version is always best" | Latest is untested in your context. Pick specific, validate. |
| "I'll use flexible version ranges" | Ranges cause non-reproducible builds. Lock versions. |
| "Version numbers don't matter much" | They matter critically. Specify or face build failures. |
| "We can update versions later" | Document constraints now. Future you needs context. |
| "The team knows the stack already" | Document it anyway. Teams change, memories fade. |
| "Security scanning can happen in CI" | Security analysis must happen before committing. Do it now. |
| "We'll figure out costs in production" | Costs must be estimated before building. Calculate now. |
| "Compatibility issues will surface in tests" | Validate compatibility NOW. Don't wait for failures. |
| "License compliance is legal's problem" | You're responsible for your dependencies. Check licenses. |
| "I'll just use what the project template has" | Templates may be outdated/insecure. Validate explicitly. |
If you catch yourself writing any of these in a Dependency Map, STOP:
@latest, @next, ^X.Y.Z without justificationWhen you catch yourself: Stop and specify the exact version after proper analysis.
| Category | Requirements |
|---|---|
| Standards Compliance (HARD BLOCK) | Bee Standards loaded; PROJECT_RULES.md loaded; mandatory deps included (or justified); no prohibited choices (or justified); version constraints respected; deviations documented |
| Compatibility | All deps have explicit versions; version matrix complete; no known conflicts; runtime requirements specified; upgrade path documented |
| Security | All deps scanned for vulnerabilities; no critical (9.0+) or high (7.0-8.9) CVEs; security update policy documented; supply chain verified |
| Feasibility | Team has expertise or learning path; tools available; licensing allows commercial use; costs fit budget |
| Completeness | Every TRD component mapped; dev environment specified; CI/CD deps documented; monitoring stack complete |
| Documentation | License summary; cost analysis; known constraints; alternatives with rationale |
Gate Result: ✅ PASS (all checked) → Task Breakdown | ⚠️ CONDITIONAL (standards not loaded) → Complete Step 0 | ❌ FAIL (critical CVEs, incompatibilities, standards not loaded)
| Violation | Wrong | Correct |
|---|---|---|
| Vague Versions | laravel/framework (latest), PostgreSQL (current), monolog (newest stable) | laravel/framework@^11.0 with purpose, alternatives considered, trade-offs; doctrine/dbal@^3.6 with constraint; monolog/monolog@^3.5 with rationale |
| Missing Security | JWT Library: firebase/php-jwt@^6.0 (no analysis) | Package + purpose + security (CVE check date, OWASP compliance, update history) + alternatives |
| Undefined Infrastructure | Some database (probably Postgres), Cache (Redis or Valkey), Storage for files | Per component: product + version + rationale + configuration + cost (managed vs self-hosted) |
If language cannot be auto-detected, use AskUserQuestion with tech stack options (PHP Backend, TypeScript Backend, TypeScript Frontend, Full-Stack TypeScript).
| Selection | Standards to Load |
|---|---|
| TypeScript Backend | typescript.md + sre.md |
| TypeScript Frontend | frontend.md |
| Full-Stack TypeScript | typescript.md + frontend.md + sre.md |
Validation Flow: Standards loaded → Extract mandatory/prohibited/constraints → Check PROJECT_RULES.md → Validate each selection → Document compliance or justified deviations
Prefer: Semantic versioned packages, well-maintained (commits within 6 months), minimal dependency trees, standard library when sufficient Avoid: Deprecated packages (>1 year unmaintained), single-maintainer critical deps, >100 transitive deps, GPL unless compliance certain
If TRD specifies authentication/authorization requirements, include these dependencies:
Authentication dependencies are defined per tech stack in the appropriate language standards.
Implementation Requirement (from TRD):
If TRD specifies this is a licensed product/plugin, include these dependencies:
Licensing dependencies are defined per tech stack in the appropriate language standards.
Implementation Requirement (from TRD):
License Summary: Document count by type (MIT, Apache 2.0, BSD-3-Clause, Commercial), compliance actions (attribution file, legal notification, GPL verification)
Cost Analysis: Monthly breakdown by category (Compute: containers × cost, Storage: managed DB + cache + object, Network: transfer + load balancer, Third-Party: auth + email + monitoring), grand total, scaling cost per additional users, budget validation
| Factor | Points | Criteria |
|---|---|---|
| Technology Familiarity | 0-30 | Used before: 30, Similar: 20, Novel: 10 |
| Compatibility Verification | 0-25 | All verified: 25, Most checked: 15, Limited: 5 |
| Security Assessment | 0-25 | Full CVE scan: 25, Basic check: 15, No review: 5 |
| Cost Analysis | 0-20 | Detailed breakdown: 20, Rough estimates: 12, None: 5 |
Action: 80+ autonomous generation | 50-79 present alternatives | <50 ask about expertise/constraints
Output to: docs/pre-dev/{feature-name}/dependency-map.md
If you skipped loading Bee Standards, STOP and go back to Step 0.
If you wrote a Dependency Map without explicit versions, add them now or start over.
Two non-negotiable requirements:
Load standards first. Be explicit. Be specific. Lock your versions.
| Condition | Action | Severity |
|---|---|---|
| Data Model (Gate 5) not validated | STOP and complete Gate 5 first | CRITICAL |
| Bee Standards not loaded via WebFetch | STOP and load required standards | CRITICAL |
| TRD metadata missing technology decisions | STOP and complete TRD Step 0.4 | CRITICAL |
| Version uses @latest or vague range | STOP and specify exact version | HIGH |
| Critical CVE (9.0+) found in dependency | STOP and find alternative or document risk | CRITICAL |
| License incompatible with commercial use | STOP and find compliant alternative | HIGH |
These requirements are NON-NEGOTIABLE:
| Severity | Definition | Example |
|---|---|---|
| CRITICAL | Cannot proceed with dependency selection | Standards not loaded, critical CVE found |
| HIGH | Dependency violates explicitness rules | @latest used, license unclear |
| MEDIUM | Dependency incomplete but acceptable | Missing alternative documentation |
| LOW | Minor documentation gaps | Cost analysis could be more detailed |
| User Says | Your Response |
|---|---|
| "Latest version is always best" | "Cannot use @latest. Latest is untested in this context. I'll specify exact version after validation." |
| "Flexible version ranges are fine" | "Cannot use ranges. Ranges cause non-reproducible builds. I'll lock to specific versions." |
| "Security scanning can happen in CI" | "Cannot defer security. CVE analysis must happen before committing. I'll scan now." |
| "Skip Bee Standards, we know our stack" | "Cannot skip standards. Standards validate against organizational baseline. I'll load them first." |
| "License compliance is legal's problem" | "Cannot ignore licenses. You're responsible for your dependencies. I'll verify now." |