@brunosps00/dev-workflow 0.4.7 → 0.6.0

package/scaffold/en/commands/dw-revert-task.md

@@ -0,0 +1,114 @@
+<system_instructions>
+You are a safe task reverter. Your job is to revert the commits of a specific task created by `/dw-run-task`, protecting against destructive revert if subsequent tasks depend on it.
+
+<critical>This command is potentially destructive (it alters git history on the active branch). ALWAYS present the plan and ask for user confirmation BEFORE executing any `git revert`.</critical>
+
+## When to Use
+- Use to undo a specific task that was implemented and committed but needs to be reverted (requirement change, implementation error not caught by validation, decision reversed)
+- Do NOT use to undo multiple tasks at once (revert one at a time)
+- Do NOT use if the task has already been pushed to remote and merged into main (then a revert PR is required)
+
+## Pipeline Position
+**Predecessor:** `/dw-run-task` or `/dw-run-plan` that created the task commits | **Successor:** re-run the task or change the plan
+
+## Input Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `{{PRD_PATH}}` | Active PRD path | `.dw/spec/prd-my-feature` |
+| `{{TASK_NUMBER}}` | Task number to revert | `3` (for task 3.0) |
+
+## Workflow
+
+### 1. Identify task commits
+
+- Read `{{PRD_PATH}}/tasks.md` and `{{PRD_PATH}}/{{TASK_NUMBER}}_task.md`
+- Identify commits related to the task via:
+  - `git log --grep="task {{TASK_NUMBER}}"` or
+  - `git log --grep="Task {{TASK_NUMBER}}"` or
+  - Manual intersection: commits on the branch between the last commit of task {{TASK_NUMBER - 1}} and the marker commit of task {{TASK_NUMBER}} in tasks.md
+- List hashes and messages to the user
+
+### 2. Dependency Check (Required)
+
+<critical>Before proposing the revert, check whether subsequent tasks depend on this task's artifacts.</critical>
+
+- Read `tasks.md` and identify tasks with `{{TASK_NUMBER}}` in their `blockedBy` field or "Depends on" section
+- For each dependent task:
+  - Check whether it has been executed (`- [x]` checkbox)
+  - If YES: reverting this task would cascade — STOP and present the conflict to the user
+  - If NO: OK, the pending task can be re-executed after the revert
+
+### 3. Present Plan
+
+Show the user:
+
+```
+REVERT PLAN — Task {{TASK_NUMBER}}
+
+Commits to revert (in reverse order):
+  - <hash_N> <message>
+  - <hash_N-1> <message>
+  ...
+
+Affected dependent tasks:
+  - Task X.Y (pending, can be re-executed after revert)
+  - [OR: ⚠️ Task X.Y already executed — conflict, STOP]
+
+Artifacts to update after revert:
+  - {{PRD_PATH}}/tasks.md (re-mark task {{TASK_NUMBER}} as pending)
+  - {{PRD_PATH}}/tasks/{{TASK_NUMBER}}_memory.md (add "reverted on YYYY-MM-DD" note)
+
+Proceed? [y/N]
+```
+
+Wait for explicit confirmation.
+
+### 4. Execute Revert
+
+Only after `y`/`yes`:
+
+```bash
+# For each commit, in reverse order:
+git revert --no-edit <hash>
+```
+
+If conflicts occur during revert: STOP, report conflicts, and wait for the user to resolve manually. DO NOT force.
+
+### 5. Update Artifacts
+
+After a successful revert:
+- In `tasks.md`: change `- [x]` to `- [ ]` on task {{TASK_NUMBER}}'s line
+- In `tasks/{{TASK_NUMBER}}_memory.md`: append:
+  ```
+  ## Revert on YYYY-MM-DD
+  - Reason: [fill with the user-provided reason]
+  - Reverted commits: [hashes]
+  ```
+- Invoke `dw-memory` to promote the note to `MEMORY.md` if it's cross-task relevant
+
+### 6. Report
+
+- List of reverted commits (and the revert commits created)
+- Status of updated artifacts
+- Suggested next step (`/dw-run-task {{TASK_NUMBER}}` to re-run, or `/dw-create-tasks` if scope changed)
+
+## Required Behavior
+
+<critical>NEVER use `git reset --hard` or `git rebase -i` as an alternative to revert. Revert preserves history and is safe on shared branches.</critical>
+
+<critical>NEVER force the revert if dependent tasks have already been executed. In that case, present the conflict and ask for user decision (also revert dependents, or cancel).</critical>
+
+<critical>NEVER proceed without explicit `y`/`yes` confirmation from the user.</critical>
+
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `dw-memory` | **ALWAYS** — when updating the task memory with the revert note, apply the promotion test to decide whether it goes into shared `MEMORY.md` |
+
+## Inspired by
+
+Compozy has no analogous command. This is a dev-workflow-native pattern, motivated by a gap identified during analysis: "if a task fails or needs to be reverted after commit, there is no safe mechanism to revert only that task."
+
+</system_instructions>

package/scaffold/en/commands/dw-review-implementation.md

@@ -23,6 +23,13 @@ This is **Review Level 2**:
 
 This command is called automatically by `/dw-run-plan` at the end of all tasks, but can also be executed manually.
 
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `dw-review-rigor` | **ALWAYS** — when listing gaps between PRD/TechSpec and code, apply de-duplication (same gap in N modules = 1 entry), severity ordering, and verify-intent-before-flag |
+| `/dw-security-check` | **ALWAYS for TS/Python/C#/Rust projects whose diff touches code** — findings become a "Security Gaps" category in the interactive corrections cycle. If status is REJECTED, the gaps are blocking. |
+
 ## Input Variables
 
 | Variable | Description | Example |
@@ -36,6 +43,16 @@ Analyze the implementation by comparing:
 2. Technical specifications from the TechSpec
 3. Tasks defined in tasks.md
 4. Actually implemented code (via git diff/status)
+5. **Security of the implemented code** (via `/dw-security-check` for TS/Python/C#/Rust projects)
+
+## Security Layer (Required for TS/Python/C#/Rust projects)
+
+<critical>If the project uses TypeScript, Python, C#, or Rust and the diff touches code (not just docs), INVOKE `/dw-security-check {{PRD_PATH}}` before listing gaps. The status and findings returned feed the "Security Gaps" section of the Level 2 report.</critical>
+
+- **REJECTED** status from security-check → CRITICAL/HIGH findings become **blocking** gaps in the interactive corrections cycle (equivalent to a critical missing feature)
+- **PASSED WITH OBSERVATIONS** → MEDIUM/LOW findings become recommendations in the cycle
+- **CLEAN** → "Security Gaps: None" section in the report
+- Project in an unsupported language → note in the report indicating the security layer was skipped
 
 ## Files to Read (Required)
 

package/scaffold/en/commands/dw-run-plan.md

@@ -9,6 +9,13 @@ You are an assistant specialized in sequential execution of development plans. Y
 ## Pipeline Position
 **Predecessor:** `/dw-create-tasks` | **Successor:** `/dw-code-review` then `/dw-generate-pr`
 
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `dw-memory` | **ALWAYS** — reads `MEMORY.md` before starting and applies promotion test + compaction between tasks |
+| `dw-verify` | **ALWAYS** — invoked before the Level 2 Final Review and before declaring "Plan Complete" |
+
 ## Objective
 
 Execute ALL pending tasks in a project sequentially and automatically, marking each as completed after successful implementation (each task already includes Level 1 validation), and performing a **final Level 2 review (PRD compliance) with a corrections cycle**.
@@ -62,10 +69,19 @@ For each pending task (in sequential order):
    - If there are errors, report and PAUSE for manual correction
    - If successful, continue to next task
 
+5. **Memory compaction between tasks**
+   - Invoke `dw-memory` with compaction flag on `MEMORY.md` every 3 completed tasks (or when the file exceeds ~150 lines)
+   - Ensure the next task reads a lean, up-to-date `MEMORY.md`
+
 ### 3. Final Comprehensive Review
 
 When all tasks are completed:
 
+0. **Final Verification (Required before Level 2)**
+   - Invoke `dw-verify` with the project's verify command (test + lint + build, or the documented gate command)
+   - Only proceed with Level 2 if the VERIFICATION REPORT is PASS
+   - If FAIL: fix the root cause, re-verify, and only then open the PRD-compliance review
+
 1. **Execute General Review**
    - Follow `.dw/commands/dw-review-implementation.md` for ALL tasks
    - Generate a complete gap report and recommendations
@@ -102,7 +118,9 @@ When all tasks are completed:
      - No more recommendations, OR
      - User decides that remaining items are acceptable
 
-4. **Final Report**
+4. **Final Report (after final dw-verify PASS)**
+
+   <critical>Before declaring "PLAN COMPLETE" or "COMPLETE WITH PENDING ITEMS", invoke `dw-verify` one last time after the last correction. Without PASS, do not emit the final report.</critical>
 
    ```
    ===================================================

package/scaffold/en/commands/dw-run-task.md

@@ -18,6 +18,8 @@ When available in the project at `./.agents/skills/`, use these skills as specia
 
 | Skill | Trigger |
 |-------|---------|
+| `dw-verify` | **ALWAYS** — invoked before the commit to produce a Verification Report with fresh evidence |
+| `dw-memory` | **ALWAYS** — reads workflow memory at task start and updates it at task end (promotion test) |
 | `vercel-react-best-practices` | Task touches React rendering, hydration, data fetching, bundle, cache, or performance |
 | `webapp-testing` | Task has interactive frontend needing E2E validation in a real browser |
 
@@ -51,6 +53,7 @@ If `.planning/intel/` does NOT exist:
 - Review the PRD context
 - Verify tech spec requirements (including testing strategy)
 - Understand dependencies from previous tasks
+- **Invoke `dw-memory`**: read `.dw/spec/prd-[name]/MEMORY.md` (shared) and `.dw/spec/prd-[name]/tasks/[num]_memory.md` (task-local, create if missing) — decisions, constraints and handoff notes from earlier tasks are mandatory context
 
 ### 2. Task Analysis
 Analyze considering:
@@ -170,9 +173,19 @@ Format in tasks.md (add after marking the task as completed):
 - **If FAILURE**: Fix the issues and re-execute the validation
 - **DO NOT generate a report file** - only output in the terminal
 
+## Final Verification (Required before commit)
+
+<critical>Invoke the `dw-verify` skill before any "task complete" claim. Produce a VERIFICATION REPORT with the project's real verify command (test + lint + build) and exit code 0. Without a PASS report, DO NOT proceed to the commit.</critical>
+
+## Memory Update (Required before commit)
+
+Invoke `dw-memory` to:
+- Update `tasks/[num]_memory.md` with files touched, non-obvious decisions, and handoff notes
+- Apply the **promotion test** (next task needs it? durable? not obvious from repo?) and only promote what passes to `MEMORY.md`
+
 ## Automatic Commit (Required)
 
-At the end of the task (after Level 1 validation passes), **always** commit (no push):
+At the end of the task (after Level 1 validation + dw-verify PASS + dw-memory update), **always** commit (no push):
 
 ```bash
 git status

package/scaffold/en/commands/dw-security-check.md

@@ -0,0 +1,271 @@
+<system_instructions>
+You are a rigorous security auditor. Your job is to perform a **multi-layer security check** on a dev-workflow project — static OWASP review (language-aware for TypeScript, Python, and C#), Trivy dependency/secret/IaC scanning, and native lockfile audit — and emit a blocking verdict with no bypass.
+
+<critical>This command is rigid. CRITICAL or HIGH findings produce REJECTED status. There is NO `--skip`, `--ignore`, or allowlist flag. Findings are fixed or the verdict stands.</critical>
+<critical>Supported languages in this release: TypeScript/JavaScript, Python, C#, Rust. If none is detected in scope, abort with a clear message.</critical>
+
+## When to Use
+- Before `/dw-code-review` as the security layer for any TS/Python/C#/Rust project
+- Before `/dw-generate-pr` to ensure no HIGH/CRITICAL vulnerabilities ship
+- Automatically invoked by `/dw-review-implementation` when the diff touches code in a supported language
+- Manually when auditing dependencies after adding a new package
+- NOT for auto-fix (this command detects; remediation is manual or via `/dw-fix-qa`)
+- NOT for DAST — this is SAST + SCA + IaC scanning (`/dw-run-qa` covers runtime)
+
+## Pipeline Position
+**Predecessor:** `/dw-run-plan` or `/dw-run-task` (code committed) | **Successor:** `/dw-code-review` (which hard-gates on this command's output for supported languages)
+
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `security-review` | **ALWAYS** — primary OWASP knowledge base; language-specific rules live in `languages/{typescript,python,csharp}.md`, cross-cutting topics in `references/*.md` |
+| `dw-review-rigor` | **ALWAYS** — applies de-duplication (same pattern in N files = 1 finding), severity ordering, verify-intent-before-flag, skip-what-linter-catches, and signal-over-volume |
+| `dw-verify` | **ALWAYS** — a VERIFICATION REPORT (Trivy command + exit code + summary) must be present before any status is emitted |
+
+## Input Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `{{SCOPE}}` | PRD path OR source path. Optional — defaults to `.dw/spec/prd-<slug>` inferred from `feat/prd-<slug>` git branch | `.dw/spec/prd-checkout-v2` or `src/` |
+
+If `{{SCOPE}}` is not provided and no PRD is active, abort and ask the user to specify.
+
+## File Locations
+
+- Report (PRD scope): `{{SCOPE}}/security-check.md`
+- Report (non-PRD scope): stdout
+- Language reference files: `.agents/skills/security-review/languages/{typescript,javascript,python,csharp,rust}.md`
+- Cross-cutting OWASP refs: `.agents/skills/security-review/references/*.md`
+
+## Required Behavior — Pipeline (execute in order, no bypass)
+
+### 0. Detect Languages in Scope
+
+Enumerate files in scope and detect languages:
+
+| Language | Indicators |
+|----------|------------|
+| TypeScript / JavaScript | `tsconfig.json`, `package.json`, `*.ts`, `*.tsx`, `*.js`, `*.jsx`, `*.mjs` |
+| Python | `pyproject.toml`, `requirements*.txt`, `Pipfile`, `poetry.lock`, `setup.py`, `*.py` |
+| C# / .NET | `*.csproj`, `*.sln`, `packages.config`, `Directory.Build.props`, `*.cs`, `*.cshtml`, `*.razor` |
+| Rust | `Cargo.toml`, `Cargo.lock`, `*.rs`, `rust-toolchain.toml` |
+
+- If **none** of the four is detected → **abort** with:
+  `"dw-security-check currently supports TypeScript, Python, C#, and Rust. No files in supported languages were detected in <scope>. Aborting."`
+- If **one or more** are detected → proceed; polyglot repos run every applicable language layer and the report has a section per language.
+
+Record the detected language(s) — they drive which `languages/*.md` file(s) the static review consults and which native audit command runs.
+
+### 1. Static Code Review (Language-Aware)
+
+For each detected language, invoke the `security-review` skill using the corresponding reference file(s) as the primary guide:
+
+- **TS/JS** → `languages/typescript.md` + `languages/javascript.md`
+- **Python** → `languages/python.md`
+- **C#** → `languages/csharp.md`
+- **Rust** → `languages/rust.md`
+- **Cross-cutting** (all languages) → `references/{injection,xss,csrf,ssrf,cryptography,authentication,authorization,deserialization,supply-chain,secrets,file-security,api-security}.md` as applicable
+
+Apply the `dw-review-rigor` five rules:
+1. De-duplicate: same pattern in N files → 1 finding with affected file list
+2. Severity ordering: CRITICAL → HIGH → MEDIUM → LOW
+3. Verify intent before flagging: adjacent comments, ADRs, tests, `.dw/rules/`
+4. Skip what the linter catches
+5. Signal over volume: keep all CRITICAL/HIGH; prune MEDIUM/LOW to the most impactful
+
+### 1.5. Context7 MCP — Framework Best Practices (MANDATORY when framework detected)
+
+<critical>When the scope has a detectable framework, you MUST consult Context7 MCP for current best practices before applying framework-specific checks. Offline knowledge may be outdated.</critical>
+
+Framework detection and query:
+
+| Language | Framework detection source | Example Context7 queries |
+|----------|----------------------------|--------------------------|
+| TS/JS | `package.json` deps | `"next.js 14 security best practices app router"`, `"nestjs 10 authentication guards"`, `"remix v2 csrf"` |
+| Python | `pyproject.toml` / `requirements.txt` | `"django 5 security checklist"`, `"fastapi pydantic validation"`, `"flask-login secure cookies"` |
+| C# | `*.csproj` `PackageReference` | `"asp.net core 8 jwt bearer"`, `"blazor server antiforgery"`, `"minimal apis authorization"` |
+| Rust | `Cargo.toml` `[dependencies]` | `"actix-web 4 security middleware"`, `"axum 0.7 extractor auth"`, `"rocket 0.5 forms csrf"`, `"sqlx query macros"` |
+
+For each detected framework+version:
+1. Build the query with framework name + detected major/minor version + the topic (auth, CSP, cookies, server actions, etc.)
+2. Invoke Context7 MCP
+3. Incorporate the returned guidance as live context when reviewing framework-specific code
+4. If a Context7 result contradicts offline knowledge in `languages/*.md`, **Context7 wins** — cite the source in the finding
+
+If Context7 MCP is unavailable in the environment:
+- Degrade to offline knowledge only
+- **Add a visible warning** in the report: `⚠️ Context7 MCP unavailable — framework-version-specific checks used offline knowledge; best practices for <framework@version> may be stale.`
+
+### 2. Dependency + Secret + IaC Scan (Trivy)
+
+<critical>Trivy must be installed. If missing, abort with: `"Trivy not found. Install via 'brew install trivy' (macOS) or equivalent; see 'npx @brunosps00/dev-workflow install-deps' instructions."`</critical>
+
+Run:
+
+```bash
+trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 --format json --output /tmp/dw-trivy-fs.json <scope-path>
+```
+
+Parse the JSON output. The scan covers:
+- **Vulnerabilities** in manifests: `package.json`/`package-lock.json`/`pnpm-lock.yaml`/`yarn.lock` (TS/JS), `requirements*.txt`/`Pipfile.lock`/`poetry.lock` (Python), `*.csproj`/`packages.lock.json` (C# / NuGet)
+- **Secrets**: API keys, tokens, private keys accidentally committed
+- **Misconfig**: surface-level — subsumed by step 3 for IaC
+
+Capture the exact command and exit code; include both in the VERIFICATION REPORT (step 5).
+
+### 3. IaC Config Scan (Trivy)
+
+Run:
+
+```bash
+trivy config --severity HIGH,CRITICAL --format json --output /tmp/dw-trivy-config.json <scope-path>
+```
+
+Covers Dockerfile, Kubernetes manifests, Terraform, CloudFormation, GitHub Actions workflows, Helm charts, AWS CDK.
+
+### 4. Native Lockfile Audit (language-specific, second signal)
+
+For each detected language, run the native audit tool (if available). Treat its output as a second signal — Trivy is primary; this catches gaps.
+
+| Language | Primary command | Fallback |
+|----------|-----------------|----------|
+| TS/JS (npm) | `npm audit --production --audit-level=high --json` | `npm audit --production` (human) |
+| TS/JS (pnpm) | `pnpm audit --prod --audit-level high --json` | — |
+| TS/JS (yarn) | `yarn npm audit --severity high --recursive --json` | — |
+| Python | `pip-audit --strict --format json` | skip with note if `pip-audit` missing |
+| C# | `dotnet list package --vulnerable --include-transitive` | — |
+| Rust | `cargo audit --json` | skip with note if `cargo-audit` not installed (install via `cargo install cargo-audit`); optionally `cargo deny check advisories` |
+
+If the tool returns exit ≠ 0 or reports HIGH/CRITICAL, escalate to REJECTED (same policy as Trivy).
+
+### 5. VERIFICATION REPORT (dw-verify)
+
+Before emitting a status, produce a VERIFICATION REPORT per `dw-verify` skill. Required shape:
+
+```
+VERIFICATION REPORT
+-------------------
+Claim: Security check complete for <scope> (languages: <list>)
+Commands:
+  - trivy fs ... --exit-code 1       → exit <N>, findings: C=<x> H=<y>
+  - trivy config ...                 → exit <N>, findings: C=<x> H=<y>
+  - <native audit>                   → exit <N>, findings: ...
+Executed: just now, after all changes
+Static review: <X> findings (C=<a> H=<b> M=<c> L=<d>)
+Framework context: Context7 MCP [consulted | unavailable]
+Verdict: <CLEAN | PASSED WITH OBSERVATIONS | REJECTED>
+```
+
+### 6. Emit Status (rigid gates)
+
+| Condition | Status |
+|-----------|--------|
+| Any CRITICAL finding (static OR Trivy OR native audit) | **REJECTED** |
+| Any HIGH finding | **REJECTED** |
+| Only MEDIUM / LOW findings | **PASSED WITH OBSERVATIONS** |
+| Zero findings | **CLEAN** |
+
+<critical>No finding is "accepted as caveat" at HIGH or above. The user may choose to fix and re-run, or raise the issue as an ADR documenting why the risk is accepted — but this command's verdict does not change.</critical>
+
+## Report Format
+
+Save to `{{SCOPE}}/security-check.md` (when PRD scope) with frontmatter:
+
+```markdown
+---
+type: security-check
+schema_version: "1.0"
+status: <CLEAN | PASSED WITH OBSERVATIONS | REJECTED>
+date: YYYY-MM-DD
+languages: [typescript, python, csharp, rust]
+---
+
+# Security Check — <feature name>
+
+## Status: <STATUS>
+
+<short summary>
+
+## VERIFICATION REPORT
+<the block from step 5>
+
+## Findings
+
+### Critical (<count>)
+- **[CRITICAL]** `path/to/file.ts:42` — <title ≤72 chars>
+  <description>
+  <remediation>
+  Also affects: <other paths if de-duplicated>
+  Evidence: <snippet or CVE id>
+
+### High (<count>)
+...
+
+### Medium (<count>)
+...
+
+### Low (<count>)
+...
+
+## Dependency Vulnerabilities (Trivy)
+
+| CVE | Package | Installed | Fixed in | Severity | Path |
+|-----|---------|-----------|----------|----------|------|
+| CVE-... | ... | ... | ... | CRITICAL | package-lock.json |
+
+## Secrets Found (Trivy)
+
+| Rule | File | Line |
+|------|------|------|
+| aws-access-key-id | src/config.ts | 14 |
+
+## IaC Misconfigurations (Trivy config)
+
+| Rule | File | Severity | Description |
+|------|------|----------|-------------|
+| AVD-DS-0002 | Dockerfile | HIGH | Running as root |
+
+## Framework Best Practices (Context7)
+
+For each framework consulted, one paragraph summarizing the guidance applied.
+
+If Context7 was unavailable, include the warning block.
+
+## Well-Implemented Aspects
+- <short list for tone calibration; does not affect verdict>
+
+## Recommendations
+1. <action for blocking findings>
+2. <action for observations>
+```
+
+## Integration With Other dw-* Commands
+
+- **`/dw-code-review`** (Level 3): for TS/Python/C#/Rust projects, invokes this command as step 6.7 "Security Layer" and hard-gates on the result. APPROVED cannot be emitted if `security-check.md` is missing or REJECTED.
+- **`/dw-review-implementation`** (Level 2): for TS/Python/C#/Rust projects that touch code, invokes this command and maps its findings into a "Security Gaps" category in the interactive corrections cycle.
+- **`/dw-generate-pr`**: hard gate — for supported-language projects, blocks the PR if `security-check.md` is missing or REJECTED from the current session.
+- **`/dw-bugfix --analysis`**: if the root cause area involves auth / secrets / external input, suggests running this command before the fix.
+
+## Critical Rules
+
+- <critical>NO bypass flag. The command does not accept `--skip`, `--ignore`, `--allowlist`.</critical>
+- <critical>Trivy is required. If missing, abort with install instructions. Do NOT silently skip the SCA layer.</critical>
+- <critical>Context7 MCP is consulted when frameworks are detected. Degradation to offline mode must be visible in the report.</critical>
+- Do NOT modify source code — this command detects only.
+- Do NOT re-flag findings already tracked as accepted in a prior ADR (`.dw/spec/*/adrs/adr-*.md` with status `Accepted` and topic covering the finding).
+- If running without PRD scope (raw path), emit the report to stdout — do not write to arbitrary locations.
+
+## Error Handling
+
+- Trivy missing → abort with install instructions (see `install-deps`)
+- `.dw/spec/<slug>/` missing → check if scope is a raw path; otherwise abort asking for explicit scope
+- Native audit tool missing (e.g., `pip-audit`) → skip with visible note in report; do not fail
+- Context7 MCP unavailable → visible warning in report; do not fail
+- Scope contains 0 files of supported languages → abort (see step 0)
+
+## Inspired by
+
+`dw-security-check` is dev-workflow-native. Conceptually inspired by the open-source skills surfaced via `/find-skills` (`supercent-io/skills-template@security-best-practices`, `hoodini/ai-agents-skills@owasp-security`, `github/awesome-copilot@agent-owasp-compliance`), but implemented from scratch with native integration to dev-workflow's primitives (`dw-verify`, `dw-review-rigor`, `security-review`) and Trivy — none of which those skills integrate.
+
+</system_instructions>

package/scaffold/en/commands/dw-update.md

@@ -10,8 +10,27 @@ You are an update utility. When invoked, update dev-workflow to the latest versi
 ## Pipeline Position
 **Predecessor:** (any) | **Successor:** (any)
 
+## Modes
+
+- **Update (default)**: `/dw-update` — updates to the latest version on npm
+- **Rollback**: `/dw-update --rollback` — restores the most recent snapshot in `.dw/.backup/` (created before each update)
+
 ## Behavior
 
+### 0. Snapshot Before Update (Required in default mode)
+
+Before overwriting managed files, create a snapshot:
+
+```bash
+SNAPSHOT_DIR=".dw/.backup/$(date -u +%Y%m%dT%H%M%SZ)"
+mkdir -p "$SNAPSHOT_DIR"
+cp -r .dw/commands .dw/templates .dw/references .dw/scripts "$SNAPSHOT_DIR/" 2>/dev/null
+[ -d .agents/skills ] && cp -r .agents/skills "$SNAPSHOT_DIR/agents-skills" 2>/dev/null
+echo "Snapshot saved to $SNAPSHOT_DIR"
+```
+
+Keep only the 3 most recent snapshots (remove older ones) to avoid buildup.
+
 ### 1. Record Current Version (Required)
 
 Before updating, capture the installed version so you can report the delta:
@@ -84,6 +103,26 @@ If commands/skills were updated, remind the user:
 - Run `/dw-help` after the reload to see the updated command set
 - If the release changed system dependencies (Playwright, MCPs), run `npx dev-workflow install-deps` separately
 
+## Rollback Mode
+
+If invoked with `--rollback`:
+
+1. List snapshots in `.dw/.backup/`
+2. If none exist: STOP and report "No snapshot available"
+3. If more than one exists: ask the user which to restore (default: most recent)
+4. Confirm with the user: "Restore snapshot `<path>`? This OVERWRITES `.dw/commands/`, `.dw/templates/`, `.dw/references/`, `.dw/scripts/`, and `.agents/skills/`. Proceed? [y/N]"
+5. Only after `y`: copy back
+
+```bash
+cp -r "$SNAPSHOT_DIR/commands"   .dw/
+cp -r "$SNAPSHOT_DIR/templates"  .dw/
+cp -r "$SNAPSHOT_DIR/references" .dw/ 2>/dev/null
+cp -r "$SNAPSHOT_DIR/scripts"    .dw/ 2>/dev/null
+[ -d "$SNAPSHOT_DIR/agents-skills" ] && cp -r "$SNAPSHOT_DIR/agents-skills" .agents/skills 2>/dev/null
+```
+
+6. Report: snapshot restored, version likely recovered (read from `.dw/commands/dw-help.md` or metadata if present)
+
 ## Advanced Options
 
 If the user asks for a specific version (not `@latest`):

package/scaffold/en/templates/adr-template.md

@@ -0,0 +1,56 @@
+---
+id: NNN
+status: Proposed
+title: [Short imperative title of the decision]
+date: YYYY-MM-DD
+prd: [PRD slug, e.g. prd-user-auth]
+schema_version: "1.0"
+supersedes: null
+superseded_by: null
+---
+
+# ADR-NNN: [Title]
+
+## Status
+
+Proposed | Accepted | Deprecated | Superseded by ADR-XXX
+
+## Context
+
+[Problem context. What motivating forces led to this decision?
+1-3 short paragraphs. Focus on "why are we deciding now" — do not retell the whole project history.]
+
+## Decision
+
+[The decision made. Start with a verb ("Adopt", "Use", "Migrate to", "Reject").
+1 actionable sentence, followed by 1-3 detail sentences if needed.]
+
+## Alternatives Considered
+
+1. **[Alternative 1]** — [what it was, why not chosen. 1-2 sentences.]
+2. **[Alternative 2]** — [what it was, why not chosen. 1-2 sentences.]
+3. **[Add more if relevant.]**
+
+## Consequences
+
+### Positive
+- [Positive consequence 1]
+- [Positive consequence 2]
+
+### Negative
+- [Accepted cost 1 — do not omit]
+- [Accepted cost 2]
+
+### Neutral / Mitigations
+- [Unbiased tradeoff, or mitigation plan]
+
+## Related
+
+- PRD: `.dw/spec/[prd-slug]/prd.md`
+- TechSpec: `.dw/spec/[prd-slug]/techspec.md` (if applicable)
+- Affected tasks: [task list, if applicable]
+- Related ADRs: [list, if applicable]
+
+## References
+
+- [Links to external docs, RFCs, posts, issues]

package/scaffold/en/templates/prd-template.md

@@ -1,3 +1,9 @@
+---
+type: prd
+schema_version: "1.0"
+status: draft
+---
+
 # Product Requirements Document (PRD) Template
 
 ## Overview
@@ -68,3 +74,9 @@ Implementation details will be addressed in the Technical Specification.]
 - Questions about user needs or business goals
 - Dependencies on external business factors
 - Areas requiring design or user research]
+
+## Related ADRs
+
+[List ADRs that constrain or inform this feature. Leave empty if none. Use `/dw-adr` to record a decision that emerges during execution.
+
+- `adrs/adr-NNN.md` — [short title]]

package/scaffold/en/templates/task-template.md

@@ -1,3 +1,9 @@
+---
+type: task
+schema_version: "1.0"
+status: pending
+---
+
 # Task X.0: [Main Task Title]
 
 <critical>Read the prd.md and techspec.md files in this folder. If you don't read these files your task will be invalidated.</critical>
@@ -60,3 +66,9 @@ git commit -m "feat([module]): [description]
 - [item 2]
 - Add unit tests"
 ```
+
+## Related ADRs
+
+[ADRs that constrain this task's decisions. Leave empty if none.
+
+- `adrs/adr-NNN.md` — [short title, how the decision affects this task]]

package/scaffold/en/templates/tasks-template.md

@@ -1,3 +1,9 @@
+---
+type: tasks-index
+schema_version: "1.0"
+status: draft
+---
+
 # Implementation Tasks Summary for [Feature]
 
 ## Branch