Once the code works and tests pass, the SDD cycle does not ship immediately. TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/davidbuenov/dbv-specs-ops/llms.txt
Use this file to discover all available pages before exploring further.
/code-simplify phase exists because working code is not the same as safe, maintainable code. This phase enforces two mandatory activities: a security audit and a refactoring pass. Neither is skippable, and neither is a courtesy — they are structural requirements of the cycle.
The guiding principle is “clarity over cleverness”: if a simpler implementation achieves the same result, the simpler one is chosen. Complexity that cannot be justified is eliminated.
The Mandatory Security Review
The security review audits all code produced during/build against three specific checks. Each check addresses a category of risk that is disproportionately common in AI-generated code.
Check 1 — Prevent secret leakage
Scan all new and modified files for hardcoded API keys, passwords, tokens, and credentials. Secrets must live in environment variables (.env) and must never be committed to source control. The assistant verifies this explicitly — it does not assume the developer already checked.
Check 2 — Validate dependencies
Every imported package, library, or module introduced during/build must be verified as a real, published package in the official registry for its ecosystem (npm, PyPI, Maven, etc.).
Check 3 — Sanitize and validate critical inputs
Review all endpoints, CLI interfaces, and other entry points that accept external input. Verify that:- Inputs are validated against expected types, lengths, and formats before processing.
- Injection attack vectors (SQL injection, command injection, prompt injection) are mitigated.
- Public-facing endpoints do not expose internal state or bypass authorization logic.
Refactoring rules
After the security review, the refactoring pass applies the “clarity over cleverness” principle:- Reduce cyclomatic complexity — break down functions that contain too many branching paths.
- Eliminate dead code — remove commented-out blocks, unused imports, and stale variables.
- Improve naming — identifiers should communicate intent without requiring a comment to explain them.
- No debug artifacts — logs, breakpoints, temporary print statements, and
TODOcomments that belong to this task (not to tracked technical debt) are removed before the phase ends.
If during the simplify pass the assistant discovers improvements that are out of scope for the current task, they are recorded in
task.md as Deuda Técnica (Technical Debt) — not silently fixed, and not silently ignored.