Plans

Plan: Rename plan-to-html → markdown-to-html, bundle assets, HTML5-first rendering

Panel decision: Reject All Blocking Issues Resolved — Ready for Implementation

Generated: 2026-05-18T00:00:00Z · Updated: 2026-05-18 (blocking issues resolved) · Source: rename-plan-to-html-to-markdown-to-html.md · Reviewers: PM · Lead Developer · UX Designer (unavailable) · Lead Frontend Engineer · Accessibility Expert · Security Expert

File rename-plan-to-html-to-markdown-to-html-review.html
Path docs/plans/rename-plan-to-html-to-markdown-to-html-review.html

1. Executive Summary

The plan is technically detailed, cites correct project conventions throughout, and identifies a real and valid problem set (rename friction, setup fragility, asset drift). Four of five available reviewers recommended “approve with changes.” Two reviewers — Accessibility Expert and Security Expert — issued outright reject verdicts on grounds that apply to every single HTML file the skill would generate: no output-encoding policy (stored-XSS risk), no path-safety validation, no WCAG Level A requirements (lang, <title>, skip navigation), unlabeled step checkboxes, and no focus indicators in bundled CSS. These are systematic failures in the output contract, not edge cases.

Note: the UX Designer reviewer was unavailable after two spawn attempts; that domain was not assessed.

Panel decision: RejectAll Blocking Issues Resolved

2. Role-by-Role Review

Product Manager

Approval
Approve with changes
Works well
MAJOR version bump correctly identified; --setup deprecation handler is right; all steps follow three-part structure with machine-checkable verify lines; Interview Summary preserves rationale for non-obvious choices.
Critical concerns
Version mismatch (1.22.1 vs. 1.23.0 reference in Step 19 creates ambiguity); no backward-compat alias for renamed command; build script fragility is silent for users.
Missing requirements
Success metrics; release readiness / rollout strategy; business goals for the change.
Key improvements
Add “Current version: 1.22.1 → New: 2.0.0” to Context; add runtime asset validation in SKILL.md Step 1; convert “split into two PRs” to blocking Unresolved Question; add Success Metrics section.

Lead Developer

Approval
Approve with changes
Works well
Correct git mv preserving history; graceful degrade on missing ## Steps; SVG geometry is numeric eliminating LLM drift; --setup deprecation handler is correct.
Critical concerns
accent-color-only <progress> is a UX regression on dark themes; build script has no deterministic extraction algorithm; mode detection ANY-of-three is too permissive for ADRs/RFCs.
Key improvements
Revert to custom .progress-fill div; replace extraction heuristic with <!-- BUILD-EXTRACT:NAME START/END --> markers; tighten mode detection; add backward-compat alias skill (Step 7.5); add plugin.json version-field check (Step 19.5).
UX Designer — Reviewer unavailable — not assessed

Lead Frontend Engineer

Approval
Approve with changes
Works well
accent-color browser support rationale correct; IntersectionObserver kept over :target CSS is technically correct; <details open> first-section default is sound; print rules for all new visuals are specific and complete.
Critical concerns
Build script extraction fragility — silently malformed themes.css causes browser to drop entire <style> block; pseudo-element ownership conflict in Step 12 causes non-deterministic LLM output.
Key improvements
Use <span class="step-chip"> real element (frees both pseudo-elements); add scroll-rail IIFE extension step before build step; define --color-success in all four themes; add complete allowed-tools list.

Accessibility Expert

Approval
Reject
Works well
SC 1.4.1 color+icon for status chips is correct; native <details>/<summary> is right; <progress> exposes role="progressbar" automatically; “Expand all” mitigates screen reader section-expansion burden.
Critical concerns
  • CC-1 (SC 1.1.1): SVG uses aria-label only — must add <title id="…"> child + aria-labelledby.
  • CC-2 (SC 4.1.2): Scroll-spy toggles .active CSS class only; aria-current="true" must be toggled programmatically.
  • CC-3 (SC 1.3.1): Step checkboxes have no confirmed <label> wrapping; screen reader users completely excluded from primary plan-tracking feature.
  • CC-4 (SC 2.4.7/2.4.11): No :focus-visible styles in assets/themes.css; all keyboard users cannot determine focus position.
Missing Level A
<html lang> (SC 3.1.1), <title> element (SC 2.4.2), skip navigation link (SC 2.4.1) — all absent from every generated HTML document.

Security Expert

Approval
Reject
Works well
Dropping Bash(mkdir *) satisfies least privilege; deprecating --setup eliminates the user-writable cache as an attack surface; bundled assets improve supply-chain integrity.
Critical concerns
  • CWE-79 (OWASP A03): No HTML encoding policy — markdown with <script>, javascript: links, or <img onerror> produces stored-XSS in every generated file.
  • CWE-79 SVG sub-case: Section titles in SVG <text> without encoding allow </text><script>… breakouts.
  • CWE-1287: Build script extracts JS from 577-line markdown spec; contributor editing html-spec.md can inject JS into every plugin install.
  • CWE-22: No path traversal validation; skill reads arbitrary paths from $ARGUMENTS.

3. Highest-Risk Issues

  • [Security / CWE-79] No HTML output-encoding policy. Every generated HTML file is an XSS vector. Resolved: Step 0.
  • [A11y / SC 1.3.1] Step checkboxes are unlabeled. Screen reader users are completely excluded from the primary plan-tracking feature. Resolved: Step 0.5.
  • [A11y / SC 2.4.7+2.4.11] No focus indicators in bundled CSS. All keyboard users cannot determine focus position on any interactive element. Resolved: Step 0.75.
  • [Lead Dev + Frontend] Build script extraction is architecturally fragile. Silently malformed themes.css causes the browser to drop the entire <style> block with no user-facing error. Resolved: Step 5.
  • [A11y / SC 3.1.1 + 2.4.2 + 2.4.1] Four WCAG Level A failures in every generated HTML document: missing lang, <title>, skip navigation, unlabeled checkboxes. Legal exposure under ADA Title III / European Accessibility Act (June 2025). Resolved: Steps 0.5, 0.75.
  • [UX] Unassessed domain: UX Designer review not conducted. Usability, information architecture, onboarding, and error states are unknown risks.

4. Blocking Issues

All 8 blocking issues resolved — addressed in plan steps on 2026-05-18. Plan status updated to in-progress.

  1. [Security + Frontend] No output-encoding/sanitization policy. → Resolved: Step 0 adds ## Security and Encoding to reference/html-spec.md.
  2. [A11y] No focus indicators in assets/themes.css. → Resolved: Step 0.75 adds :focus-visible styles for all interactive elements (SC 2.4.7 + SC 2.4.11).
  3. [A11y] Step checkboxes lack label association. → Resolved: Step 0.5 now specifies <label class="step-label"><input class="step-checkbox" type="checkbox">…</label> (SC 1.3.1); Step 12 cross-references.
  4. [A11y] WCAG Level A omissions. → Resolved: Step 0.5 adds <html lang>, <title>, skip nav link to HTML template.
  5. [Lead Dev + Frontend] Build script extraction algorithm unspecified. → Resolved: Step 5 adopts <!-- BUILD-EXTRACT:NAME START/END --> marker approach.
  6. [PM] Version baseline ambiguity. → Resolved: Context states “Current: 1.22.1 → New: 2.0.0”.
  7. [A11y + Security] Scroll-spy IIFE omits aria-current. → Resolved: Step 6 extends IIFE to toggle aria-current="true" alongside .active class.
  8. [Security] No path traversal defense. → Resolved: Step 0.9 adds realpath validation, workspace boundary check, symlink rejection (CWE-22).

5. Important but Non-Blocking Improvements

  1. [PM] Convert “split into two PRs” from Next Step to a blocking Unresolved Question gating implementation.
  2. [Lead Dev] Add backward-compat alias skill for plan-to-html — delegation + deprecation notice; remove in 3.0.0.
  3. [Lead Dev] Tighten mode detection from ANY-of-three to (## Steps exists) OR (status: AND Plan: H1).
  4. [Lead Dev + Frontend] Revert <progress> to custom .progress-fill div — accent-color regression on dark themes.
  5. [Frontend] Use <span class="step-chip"> real element for status chip (frees both pseudo-elements for timeline).
  6. [Frontend] Add complete allowed-tools list to Step 3.
  7. [PM] Add Success Metrics section.
  8. [Security] Add CSP meta tag to generated HTML.
  9. [A11y] Add prefers-reduced-motion block to assets/themes.css.
  10. [Lead Dev + Frontend] New step: author JS (aria-current, scroll-rail, “Expand all”) in spec before build step — ordering bug in original plan.
  11. [A11y] <section aria-labelledby> on every generated section.
  12. [A11y] <nav aria-label="Page sections"> on sidebar nav.

6. UX Recommendations

UX Designer unavailable — the following are UX-adjacent concerns from other reviewers.

  1. [PM] Add one-sentence doc-mode value proposition: “targets users who want plan + generic markdown rendering inside Claude Code without leaving the session to invoke Pandoc or mdconvert.”
  2. [A11y] “Expand all” button must reflect toggle state via aria-expanded or text switching (“Expand all” / “Collapse all”).
  3. [A11y] “Expand all” JS must use details.open = true/false — not CSS class toggling — so AT announces the open attribute change.
  4. [PM] Add empty/error state message for unrecognised input: “Could not determine render mode; defaulting to doc-mode.”

7. Accessibility Requirements

Level A (must-fix, blocking)

  • SC 3.1.1<html lang="…"> on every generated document.
  • SC 2.4.2<title>{H1 text} — markdown-to-html</title> in <head>.
  • SC 2.4.1 — Skip nav link as first focusable body element.
  • SC 1.3.1 — Each step checkbox wrapped in <label> or associated via aria-labelledby.
  • SC 1.1.1 — SVG: <title id="…"> child referenced by aria-labelledby.

Level AA (must-fix, blocking)

  • SC 2.4.7 / 2.4.11:focus-visible styles for all interactive elements.
  • SC 4.1.2 — Scroll-spy IIFE: toggle aria-current="true" on active nav link.
  • SC 4.1.2 — “Expand all” button: aria-expanded="false/true", stable label.
  • SC 1.4.3 / 1.4.11 — Document contrast ratios for all four themes.
  • SC 1.4.12 — No height: on text-containing containers; require min-height:.

Level AA (important, non-blocking)

  • Each <section> carries aria-labelledby="{heading-id}".
  • Sidebar <nav aria-label="Page sections">.
  • <span class="step-status" aria-live="polite"> updated by checkbox IIFE.
  • @media (prefers-reduced-motion: reduce) block in assets/themes.css.

8. Frontend Implementation Considerations

  1. Pseudo-element ownership: ::before = timeline dot; ::after = timeline connector; status chip = <span class="step-chip"> real element.
  2. Build script fence handling: Use <!-- BUILD-EXTRACT:NAME START/END --> markers; awk extraction; strip fence delimiter lines before writing to assets/.
  3. Scroll-spy extension must precede build step (ordering bug in original plan — Step 6 now inserted).
  4. --color-success must be defined in all four body.theme-* blocks.
  5. SKILL.md line-count budget: current 340 lines + additions may approach 500-line limit; move flag-parsing to reference/rendering-modes.md if needed.
  6. Complete allowed-tools: Agent, AskUserQuestion, Bash(open *), Bash(./scripts/build-assets.sh *), Glob, Grep, Read, TodoWrite, Write.
  7. --async flag carry-forward must be explicitly resolved in Step 9 flag inventory.
  8. Mobile breakpoint alignment: verify 768px matches existing ## Responsive Layout breakpoint in html-spec.md.

9. Security Requirements

Blocking

  1. Output encoding policy in reference/html-spec.md: body text/headings/step text → HTML-entity encode &amp; &lt; &gt; &quot; &#39;; attribute values → attribute-encode; SVG <text> → entity-encode; link URLs → allow only http, https, mailto, #-fragments; code blocks → <pre><code> entity-encoded; raw HTML → escaped as literal text.
  2. Path traversal defense in SKILL.md Step 1: realpath, workspace boundary check, .md extension check, symlink rejection.
  3. --theme= allow-list validation before interpolating into <body class="theme-{value}">.

Important, non-blocking

  1. CSP meta tag in generated HTML.
  2. localStorage per-document scoping via hash of location.pathname.
  3. set -euo pipefail + quoted variable expansions in build-assets.sh.
  4. assets/scripts.js capability allow-list (no fetch, XMLHttpRequest, eval, Function); CI lint enforces.
  5. Adversarial test fixtures in Step 20 (xss-suite.md).
  6. README security model subsection.

10. Technical Feasibility Concerns

  1. Build script extraction must use explicit markers (not heuristics) — resolved in updated Step 5.
  2. <progress> accent-color is a regression on dark themes — resolved in updated Step 8 (revert to custom .progress-fill div).
  3. Mode detection tightened from ANY-of-three to (## Steps) OR (status: AND Plan: H1) — resolved in updated Step 9.
  4. P1/P2 scope split must be answered before implementation — added to Unresolved Questions.
  5. SVG output determinism requires golden-output test fixture.
  6. plugin.json must not contain a version field — Step 19.5 added.

11. Open Questions Before Development

Scope

  • Should this be split into P1 (rename + bundle) and P2 (doc-mode + visuals)? Must be answered before implementation begins.
  • Is the current plan-interview marketplace.json version definitively 1.22.1 with no in-flight work?
  • Has the hard-rename (no alias) decision been confirmed? Is the external caller population known?
  • Is doc-mode in scope for this release, or a separate follow-on?

Technical

  • Are themes.css / scripts.js linked as external files or inlined verbatim in output HTML?
  • Does --async carry forward to markdown-to-html?
  • What is the existing responsive breakpoint in html-spec.md?
  • Is --color-success a new CSS variable added to all four themes?

Accessibility & Security

  • Which screen readers/browsers are in the designated support matrix?
  • Is generated HTML for public distribution or internal only? (Determines legal exposure profile.)
  • Is assets/scripts.js inlined or linked?
  • Is there an input markdown size cap?
  • Are generated HTML files ever served from an authenticated web origin?

12. Recommended Changes to the Plan

All changes below have been applied as inline edits to the source plan file.

  1. Added version baseline (“Current: 1.22.1 → New: 2.0.0” + user-impact statement) to Context.
  2. Added Step 0: ## Security and Encoding prerequisite to reference/html-spec.md.
  3. Added Step 0.5: WCAG Level A requirements (lang, <title>, skip nav) to HTML template.
  4. Added Step 0.75: :focus-visible styles requirement to assets/themes.css specification.
  5. Added Step 0.9: path traversal defense to SKILL.md Step 1.
  6. Replaced Step 5 vague extraction description with explicit <!-- BUILD-EXTRACT:NAME START/END --> marker approach + dynamic version comment via jq.
  7. Added Step 6: author JS (aria-current, scroll-rail, “Expand all”) in html-spec.md before build step.
  8. Added Step 7.5: backward-compat alias skill for plan-to-html.
  9. Updated Step 8: revert <progress> to custom .progress-fill div; documented as deliberate non-swap.
  10. Updated Step 9: tightened mode detection to (## Steps) OR (status: AND Plan: H1).
  11. Updated Step 12: <span class="step-chip"> real element + <span class="step-status" aria-live="polite">; SVG with <title> + aria-labelledby.
  12. Added Step 19.5: verify plugin.json has no version field.
  13. Added Step 18: security + accessibility verification to end-to-end test.
  14. Added Success Metrics section.
  15. Promoted “split into two PRs” to blocking Unresolved Question.
  16. Updated Interview Summary table to reflect three panel decision overrides.

13. Conflicts or Tradeoffs Between Reviewer Recommendations

Topic Conflict Resolution
Build script extraction approach Lead Dev: <!-- BUILD-EXTRACT --> markers + awk. Frontend: awk fence heuristics. Security: invert direction, make assets/scripts.js canonical source. Adopt <!-- BUILD-EXTRACT:NAME START/END --> marker approach (Lead Dev + Frontend aligned). Add CI lint for forbidden JS patterns in assets/scripts.js to address Security’s supply-chain concern without inverting the spec-canonical principle.
<progress> accent-color parity Lead Dev: visual regression on dark themes; revert to custom div or add vendor selectors. Frontend: accent-color is acceptable progressive enhancement. Revert to custom .progress-fill div and document as deliberate non-swap. Rationale: the unfilled track browser-default gray is perceptible and user-reported themes will be dark-leaning.
Status chip implementation A11y: <span class="step-chip"> real element + aria-live supplement. Frontend: <span class="step-chip"> real element. Both aligned on element choice. No conflict — use real element AND add aria-live="polite" supplement as A11y specifies.

14. Final Decision

Panel decision: RejectAll Blocking Issues Resolved — Ready for Implementation

The plan is detailed, well-researched, and correctly applies all project conventions for versioning, git operations, and plugin structure. Two domains issued hard rejections on grounds that applied to every HTML file the skill generates: the Security Expert rejected due to the absence of an output-encoding policy (XSS risk in every invocation) and a missing path traversal defense; the Accessibility Expert rejected due to four WCAG Level A failures (lang, <title>, skip navigation, unlabeled step checkboxes) and no focus indicators in bundled CSS.

All eight blocking issues have been addressed in the plan’s implementation steps (2026-05-18). Plan status updated to in-progress with panel-review: reject-resolved. Implementation may proceed.

Full Panel Review (15-section report)

The full synthesized report is appended to the source plan file at docs/plans/rename-plan-to-html-to-markdown-to-html.md under the ## Panel Review section. The sections above (1–14) constitute the complete panel findings; the source plan contains the inline edits applied per Section 15a and the revised plan reference view (Section 15b).

Role Coverage Summary

Role Status Verdict
Product ManagerCompleteApprove with changes
Lead DeveloperCompleteApprove with changes
UX DesignerUnavailable (two spawn attempts)Not assessed
Lead Frontend EngineerCompleteApprove with changes
Accessibility ExpertComplete (respawn)Reject
Security ExpertCompleteReject

Inline Edits Applied (Section 15a)

# Section Action Summary
1## ContextappendAdded version baseline (1.22.1 → 2.0.0) + user-impact statement for external callers + doc-mode positioning sentence.
2## Stepsinsert at topAdded Step 0: Security and Encoding prerequisite for html-spec.md.
3## Stepsinsert at topAdded Step 0.5: WCAG Level A requirements (lang, <title>, skip nav).
4## Stepsinsert at topAdded Step 0.75: :focus-visible styles requirement for assets/themes.css.
5## Stepsinsert at topAdded Step 0.9: path traversal defense for SKILL.md Step 1.
6Step 5editReplaced vague extraction description with <!-- BUILD-EXTRACT:NAME START/END --> marker approach + dynamic version comment via jq.
7Step 6insert before 6.5New step: author JS (aria-current, scroll-rail, “Expand all”) in html-spec.md before build step.
8After Step 7insertStep 7.5: backward-compat alias skill for plan-to-html.
9Step 8 progress bar itemeditReverted to custom .progress-fill div; documented as deliberate non-swap with reasoning.
10Step 9 mode detectioneditTightened from ANY-of-three to (## Steps) OR (status: AND Plan: H1).
11Step 12 status chipedit<span class="step-chip"> real element + <span aria-live="polite">; explicit pseudo-element ownership.
12Step 12 SVGeditSVG updated to aria-labelledby + <title id="…"> child pattern.
13After Step 19insertStep 19.5: verify plugin.json has no version field.
14## VerificationappendStep 18: security + accessibility verification checks added.
15After VerificationinsertNew ## Success Metrics section.
16## Unresolved QuestionsappendAdded P1/P2 split as blocking Unresolved Question.
17Interview Summary tableeditUpdated three rows to reflect panel decision overrides (mode detection, build extraction, <progress>).