@brunosps00/dev-workflow 0.5.0 → 0.6.0

package/README.md

@@ -10,7 +10,7 @@ npx @brunosps00/dev-workflow init
 
 This will:
 1. Ask you to select a language (English or Portuguese)
-2. Create `.dw/commands/` with 26 workflow commands
+2. Create `.dw/commands/` with 27 workflow commands
 3. Create `.dw/templates/` with document templates (PRD, TechSpec, Tasks, ADR, etc.)
 4. Create `.dw/rules/` (populated by `/dw-analyze-project`)
 5. Install bundled skills (`dw-verify`, `dw-memory`, `dw-review-rigor`, `ui-ux-pro-max`, `security-review`, etc.) to `.agents/skills/`
@@ -77,6 +77,9 @@ Performs a formal Level 3 code review before PR creation, verifying PRD complian
 #### `/dw-refactoring-analysis`
 Audits the codebase for code smells and refactoring opportunities using Martin Fowler's catalog. Detects bloaters, change preventers, dispensables, couplers, conditional complexity, and DRY violations, then maps each to a concrete refactoring technique with before/after code sketches. Includes coupling/cohesion metrics, SOLID analysis, and a prioritized action plan (P0-P3).
 
+#### `/dw-security-check`
+Rigid multi-layer security check for **TypeScript, Python, C#, and Rust** projects. Combines OWASP static review (language-aware, via the bundled `security-review` skill), Trivy SCA/secret/IaC scanning (`trivy fs` + `trivy config`), and native lockfile audit (`npm audit` / `pip-audit` / `dotnet list package --vulnerable` / `cargo audit`). Consults Context7 MCP for framework-version-specific best practices (Next.js, Django, ASP.NET Core, Actix/Axum/Rocket, etc.). Hard gates: any CRITICAL or HIGH finding produces REJECTED status, blocking `/dw-code-review`, `/dw-review-implementation`, and `/dw-generate-pr`. No bypass flag. Requires Trivy (install via `install-deps`).
+
 ### Git & PR
 
 #### `/dw-commit`
@@ -164,7 +167,7 @@ All wrappers point to `.dw/commands/` as the single source of truth.
 ```
 your-project/
 ├── .dw/
-│   ├── commands/          # 26 workflow command files
+│   ├── commands/          # 27 workflow command files
 │   ├── templates/         # Document templates (PRD, TechSpec, etc.)
 │   ├── rules/             # Project-specific rules (run /dw-analyze-project)
 │   ├── references/        # Reference documentation
@@ -214,6 +217,7 @@ Installed via `npx @brunosps00/dev-workflow install-deps`:
 | **Context7 MCP** | Contextual documentation lookup for AI assistants | [upstash/context7-mcp](https://github.com/upstash/context7-mcp) |
 | **react-doctor** | Health score and diagnostics for React projects | [react.doctor](https://www.react.doctor/) |
 | **GSD (get-shit-done-cc)** | Optional engine: parallel execution, plan verification, codebase intelligence, cross-session persistence | [gsd-build/get-shit-done](https://github.com/gsd-build/get-shit-done) |
+| **Trivy** | Native binary scanner used by `/dw-security-check` for CVE, secret, and IaC scanning. `install-deps` detects presence and prints OS-specific install instructions (brew / curl script / choco / Docker) — does not install automatically. | [aquasecurity.github.io/trivy](https://aquasecurity.github.io/trivy/) |
 
 ## Options
 

package/lib/constants.js

@@ -25,6 +25,7 @@ const COMMANDS = {
     { name: 'dw-run-plan', description: 'Execute ALL tasks sequentially until the plan is complete' },
     { name: 'dw-run-qa', description: 'Run visual QA with browser automation, E2E tests, and accessibility' },
     { name: 'dw-run-task', description: 'Execute a single task with built-in validation and testing' },
+    { name: 'dw-security-check', description: 'Run a rigid multi-layer security check (OWASP static + Trivy SCA/IaC + native audit) for TS, Python, C#, or Rust projects' },
     { name: 'dw-update', description: 'Update dev-workflow to the latest version published on npm without leaving the agent session' },
   ],
   'pt-br': [
@@ -53,6 +54,7 @@ const COMMANDS = {
     { name: 'dw-run-plan', description: 'Executar TODAS as tasks sequencialmente ate completar o plano' },
     { name: 'dw-run-qa', description: 'Executar QA visual com automacao de browser, testes E2E e acessibilidade' },
     { name: 'dw-run-task', description: 'Executar uma task com validacao e testes integrados' },
+    { name: 'dw-security-check', description: 'Check de seguranca rigido multi-camada (OWASP estatico + Trivy SCA/IaC + audit nativo) para projetos TS, Python, C# ou Rust' },
     { name: 'dw-update', description: 'Atualizar o dev-workflow para a versao mais recente publicada no npm sem sair da sessao do agente' },
   ],
 };

package/lib/install-deps.js

@@ -25,13 +25,47 @@ function run() {
       check: null,
       install: 'npx get-shit-done-cc@latest --claude --codex --copilot --opencode --local -y',
     },
+    {
+      name: 'Trivy (security scanner)',
+      check: 'trivy --version',
+      install: null,
+      instructions: [
+        'Trivy is a native binary and cannot be installed via npm. Install it using your OS package manager:',
+        '  macOS:    brew install trivy',
+        '  Linux:    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin',
+        '  Windows:  choco install trivy   (or: scoop install trivy)',
+        '  Docker:   docker pull aquasec/trivy:latest   (use via alias or wrapper)',
+        '',
+        'Once installed, /dw-security-check will use it for CVE, secret, and IaC scanning.',
+      ],
+    },
   ];
 
   let installed = 0;
   let skipped = 0;
   let failed = 0;
+  let missing = 0;
 
   for (const dep of deps) {
+    // Detect-only dependencies (install === null): check presence, print instructions if missing
+    if (dep.install === null) {
+      process.stdout.write(`  Checking ${dep.name}...`);
+      try {
+        execSync(dep.check, { stdio: 'pipe', timeout: 10000 });
+        console.log(' \x1b[32m✓ already installed\x1b[0m');
+        installed++;
+      } catch (err) {
+        console.log(' \x1b[33m— not found\x1b[0m');
+        if (Array.isArray(dep.instructions)) {
+          for (const line of dep.instructions) {
+            console.log(`    ${line}`);
+          }
+        }
+        missing++;
+      }
+      continue;
+    }
+
     process.stdout.write(`  Installing ${dep.name}...`);
     try {
       execSync(dep.install, { stdio: 'pipe', timeout: 300000 });
@@ -45,7 +79,11 @@ function run() {
   }
 
   console.log(`\n  ${'='.repeat(40)}`);
-  console.log(`  Done! ${installed} installed, ${skipped} skipped, ${failed} failed`);
+  const parts = [`${installed} installed`];
+  if (skipped) parts.push(`${skipped} skipped`);
+  if (missing) parts.push(`${missing} require manual install (see instructions above)`);
+  if (failed) parts.push(`${failed} failed`);
+  console.log(`  Done! ${parts.join(', ')}`);
   console.log();
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@brunosps00/dev-workflow",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "AI-driven development workflow commands for any project. Scaffolds a complete PRD-to-PR pipeline with multi-platform AI assistant support.",
   "bin": {
     "dev-workflow": "./bin/dev-workflow.js"

package/scaffold/en/commands/dw-code-review.md

@@ -23,6 +23,7 @@ When available in the project under `./.agents/skills/`, use these skills as ana
 
 - `dw-review-rigor`: **ALWAYS** — applies de-duplication (same pattern in N files = 1 finding), severity ordering (critical → high → medium → low), verify-before-flag, skip-what-linter-catches, and signal-over-volume. The report's "Issues Found" table follows this discipline.
 - `dw-verify`: **ALWAYS** — invoked before emitting an `APPROVED` or `APPROVED WITH CAVEATS` verdict. Without a VERIFICATION REPORT PASS (test + lint + build), the verdict cannot be APPROVED.
+- `/dw-security-check`: **ALWAYS for TS/Python/C#/Rust projects** — invoked as step 6.7 (Security Layer) before emitting a verdict. If the project uses a supported language and `security-check.md` is missing OR has REJECTED status, the verdict is **REJECTED** — no exception.
 - `security-review`: use when auth, authorization, external input, upload, SQL, external integration, secrets, SSRF, XSS, or sensitive surfaces are present
 - `vercel-react-best-practices`: use when the diff touches React/Next.js to review rendering, fetching, bundle, hydration, and performance patterns
 
@@ -214,6 +215,15 @@ If prior reviews exist in `{{PRD_PATH}}/reviews/` or a previous `{{PRD_PATH}}/dw
 
 <critical>Invoke `dw-verify` and include the VERIFICATION REPORT at the start of the report. Without PASS, the verdict can only be `REJECTED` — never `APPROVED` or `APPROVED WITH CAVEATS`.</critical>
 
+### 6.7. Security Layer (Required for TS/Python/C#/Rust projects)
+
+<critical>For TypeScript/JavaScript, Python, C#, or Rust projects whose diff touches code, invoke `/dw-security-check` with the same `{{PRD_PATH}}`. Without a `security-check.md` present in the PRD OR with a status other than CLEAN / PASSED WITH OBSERVATIONS, the verdict is **REJECTED** — no exception.</critical>
+
+- If `/dw-security-check` returns **REJECTED**: automatic verdict **REJECTED**. Include the security-check's CRITICAL/HIGH findings with appropriate severity in the final report's "Issues Found" section.
+- If it returns **PASSED WITH OBSERVATIONS**: may proceed to APPROVED WITH CAVEATS, listing medium/low observations as caveats.
+- If it returns **CLEAN**: proceeds normally to a verdict based on the remaining criteria.
+- Projects in languages not supported by security-check (Go, Java, PHP, Ruby, etc.) → skip this step with a visible note in the code-review report.
+
 ### 7. Generate Code Review Report (Required)
 
 Save to `{{PRD_PATH}}/dw-code-review.md`:

package/scaffold/en/commands/dw-generate-pr.md

@@ -14,8 +14,11 @@ You are an assistant specialized in creating well-documented Pull Requests. Your
 | Skill | Trigger |
 |-------|---------|
 | `dw-verify` | **ALWAYS** — invoked before `git push`. Without a VERIFICATION REPORT PASS in the current session AFTER the last code edit, the PR **CANNOT** be created. |
+| `/dw-security-check` | **ALWAYS for TS/Python/C#/Rust projects** — `security-check.md` with status ≠ REJECTED is required for supported-language projects. |
 
-<critical>Hard gate: if the current session has no VERIFICATION REPORT PASS from `dw-verify` produced AFTER the last edit/commit, STOP and invoke `dw-verify` before proceeding. A PR is a permanent artifact — it demands the highest verification standard.</critical>
+<critical>Hard gate 1 (verify): if the current session has no VERIFICATION REPORT PASS from `dw-verify` produced AFTER the last edit/commit, STOP and invoke `dw-verify` before proceeding. A PR is a permanent artifact — it demands the highest verification standard.</critical>
+
+<critical>Hard gate 2 (security): for TS/Python/C#/Rust projects, if `{{PRD_PATH}}/security-check.md` is missing OR has REJECTED status, STOP and invoke `/dw-security-check` before proceeding. HIGH/CRITICAL vulnerabilities CANNOT reach the PR. For other languages (Go, Java, etc.), this gate is skipped with a note.</critical>
 
 ## Usage
 

package/scaffold/en/commands/dw-help.md

@@ -25,6 +25,7 @@ You are a workspace help assistant. When invoked, present the user with a comple
 | design, ui, redesign | `/dw-redesign-ui` | Audit + propose + implement visual |
 | decision, adr, architecture | `/dw-adr` | Record an Architecture Decision Record |
 | debate, council, stress-test, opinions | `/dw-brainstorm --council` or `/dw-create-techspec --council` | Invokes `dw-council` for a multi-advisor debate |
+| security, vulnerability, owasp, trivy, cve | `/dw-security-check` | Rigid multi-layer check (OWASP static + Trivy SCA/IaC + native audit) for TS/Python/C#/Rust |
 | revert, rollback task | `/dw-revert-task` | Safe revert with dependency checks |
 | hotfix, quick change | `/dw-quick` | One-off task with guarantees, no PRD |
 | resume, where I left off | `/dw-resume` | Restore previous session context |
@@ -148,6 +149,7 @@ This workspace uses an AI command system that automates the full development cyc
 | `/dw-review-implementation` | Compares PRD vs code (FRs, endpoints, tasks) | PRD path | Gap report |
 | `/dw-code-review` | Formal code review (quality, rules, tests) | PRD path | `code-review.md` |
 | `/dw-refactoring-analysis` | Audit code smells and refactoring opportunities (Fowler's catalog) | PRD path | `refactoring-analysis.md` |
+| `/dw-security-check` | Rigid security check (OWASP static + Trivy SCA/IaC + native audit) for TS/Python/C#/Rust | PRD path or code | `security-check.md` |
 
 ### Versioning
 

package/scaffold/en/commands/dw-review-implementation.md

@@ -28,6 +28,7 @@ This command is called automatically by `/dw-run-plan` at the end of all tasks,
 | Skill | Trigger |
 |-------|---------|
 | `dw-review-rigor` | **ALWAYS** — when listing gaps between PRD/TechSpec and code, apply de-duplication (same gap in N modules = 1 entry), severity ordering, and verify-intent-before-flag |
+| `/dw-security-check` | **ALWAYS for TS/Python/C#/Rust projects whose diff touches code** — findings become a "Security Gaps" category in the interactive corrections cycle. If status is REJECTED, the gaps are blocking. |
 
 ## Input Variables
 
@@ -42,6 +43,16 @@ Analyze the implementation by comparing:
 2. Technical specifications from the TechSpec
 3. Tasks defined in tasks.md
 4. Actually implemented code (via git diff/status)
+5. **Security of the implemented code** (via `/dw-security-check` for TS/Python/C#/Rust projects)
+
+## Security Layer (Required for TS/Python/C#/Rust projects)
+
+<critical>If the project uses TypeScript, Python, C#, or Rust and the diff touches code (not just docs), INVOKE `/dw-security-check {{PRD_PATH}}` before listing gaps. The status and findings returned feed the "Security Gaps" section of the Level 2 report.</critical>
+
+- **REJECTED** status from security-check → CRITICAL/HIGH findings become **blocking** gaps in the interactive corrections cycle (equivalent to a critical missing feature)
+- **PASSED WITH OBSERVATIONS** → MEDIUM/LOW findings become recommendations in the cycle
+- **CLEAN** → "Security Gaps: None" section in the report
+- Project in an unsupported language → note in the report indicating the security layer was skipped
 
 ## Files to Read (Required)
 

package/scaffold/en/commands/dw-security-check.md

@@ -0,0 +1,271 @@
+<system_instructions>
+You are a rigorous security auditor. Your job is to perform a **multi-layer security check** on a dev-workflow project — static OWASP review (language-aware for TypeScript, Python, and C#), Trivy dependency/secret/IaC scanning, and native lockfile audit — and emit a blocking verdict with no bypass.
+
+<critical>This command is rigid. CRITICAL or HIGH findings produce REJECTED status. There is NO `--skip`, `--ignore`, or allowlist flag. Findings are fixed or the verdict stands.</critical>
+<critical>Supported languages in this release: TypeScript/JavaScript, Python, C#, Rust. If none is detected in scope, abort with a clear message.</critical>
+
+## When to Use
+- Before `/dw-code-review` as the security layer for any TS/Python/C#/Rust project
+- Before `/dw-generate-pr` to ensure no HIGH/CRITICAL vulnerabilities ship
+- Automatically invoked by `/dw-review-implementation` when the diff touches code in a supported language
+- Manually when auditing dependencies after adding a new package
+- NOT for auto-fix (this command detects; remediation is manual or via `/dw-fix-qa`)
+- NOT for DAST — this is SAST + SCA + IaC scanning (`/dw-run-qa` covers runtime)
+
+## Pipeline Position
+**Predecessor:** `/dw-run-plan` or `/dw-run-task` (code committed) | **Successor:** `/dw-code-review` (which hard-gates on this command's output for supported languages)
+
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `security-review` | **ALWAYS** — primary OWASP knowledge base; language-specific rules live in `languages/{typescript,python,csharp}.md`, cross-cutting topics in `references/*.md` |
+| `dw-review-rigor` | **ALWAYS** — applies de-duplication (same pattern in N files = 1 finding), severity ordering, verify-intent-before-flag, skip-what-linter-catches, and signal-over-volume |
+| `dw-verify` | **ALWAYS** — a VERIFICATION REPORT (Trivy command + exit code + summary) must be present before any status is emitted |
+
+## Input Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `{{SCOPE}}` | PRD path OR source path. Optional — defaults to `.dw/spec/prd-<slug>` inferred from `feat/prd-<slug>` git branch | `.dw/spec/prd-checkout-v2` or `src/` |
+
+If `{{SCOPE}}` is not provided and no PRD is active, abort and ask the user to specify.
+
+## File Locations
+
+- Report (PRD scope): `{{SCOPE}}/security-check.md`
+- Report (non-PRD scope): stdout
+- Language reference files: `.agents/skills/security-review/languages/{typescript,javascript,python,csharp,rust}.md`
+- Cross-cutting OWASP refs: `.agents/skills/security-review/references/*.md`
+
+## Required Behavior — Pipeline (execute in order, no bypass)
+
+### 0. Detect Languages in Scope
+
+Enumerate files in scope and detect languages:
+
+| Language | Indicators |
+|----------|------------|
+| TypeScript / JavaScript | `tsconfig.json`, `package.json`, `*.ts`, `*.tsx`, `*.js`, `*.jsx`, `*.mjs` |
+| Python | `pyproject.toml`, `requirements*.txt`, `Pipfile`, `poetry.lock`, `setup.py`, `*.py` |
+| C# / .NET | `*.csproj`, `*.sln`, `packages.config`, `Directory.Build.props`, `*.cs`, `*.cshtml`, `*.razor` |
+| Rust | `Cargo.toml`, `Cargo.lock`, `*.rs`, `rust-toolchain.toml` |
+
+- If **none** of the four is detected → **abort** with:
+  `"dw-security-check currently supports TypeScript, Python, C#, and Rust. No files in supported languages were detected in <scope>. Aborting."`
+- If **one or more** are detected → proceed; polyglot repos run every applicable language layer and the report has a section per language.
+
+Record the detected language(s) — they drive which `languages/*.md` file(s) the static review consults and which native audit command runs.
+
+### 1. Static Code Review (Language-Aware)
+
+For each detected language, invoke the `security-review` skill using the corresponding reference file(s) as the primary guide:
+
+- **TS/JS** → `languages/typescript.md` + `languages/javascript.md`
+- **Python** → `languages/python.md`
+- **C#** → `languages/csharp.md`
+- **Rust** → `languages/rust.md`
+- **Cross-cutting** (all languages) → `references/{injection,xss,csrf,ssrf,cryptography,authentication,authorization,deserialization,supply-chain,secrets,file-security,api-security}.md` as applicable
+
+Apply the `dw-review-rigor` five rules:
+1. De-duplicate: same pattern in N files → 1 finding with affected file list
+2. Severity ordering: CRITICAL → HIGH → MEDIUM → LOW
+3. Verify intent before flagging: adjacent comments, ADRs, tests, `.dw/rules/`
+4. Skip what the linter catches
+5. Signal over volume: keep all CRITICAL/HIGH; prune MEDIUM/LOW to the most impactful
+
+### 1.5. Context7 MCP — Framework Best Practices (MANDATORY when framework detected)
+
+<critical>When the scope has a detectable framework, you MUST consult Context7 MCP for current best practices before applying framework-specific checks. Offline knowledge may be outdated.</critical>
+
+Framework detection and query:
+
+| Language | Framework detection source | Example Context7 queries |
+|----------|----------------------------|--------------------------|
+| TS/JS | `package.json` deps | `"next.js 14 security best practices app router"`, `"nestjs 10 authentication guards"`, `"remix v2 csrf"` |
+| Python | `pyproject.toml` / `requirements.txt` | `"django 5 security checklist"`, `"fastapi pydantic validation"`, `"flask-login secure cookies"` |
+| C# | `*.csproj` `PackageReference` | `"asp.net core 8 jwt bearer"`, `"blazor server antiforgery"`, `"minimal apis authorization"` |
+| Rust | `Cargo.toml` `[dependencies]` | `"actix-web 4 security middleware"`, `"axum 0.7 extractor auth"`, `"rocket 0.5 forms csrf"`, `"sqlx query macros"` |
+
+For each detected framework+version:
+1. Build the query with framework name + detected major/minor version + the topic (auth, CSP, cookies, server actions, etc.)
+2. Invoke Context7 MCP
+3. Incorporate the returned guidance as live context when reviewing framework-specific code
+4. If a Context7 result contradicts offline knowledge in `languages/*.md`, **Context7 wins** — cite the source in the finding
+
+If Context7 MCP is unavailable in the environment:
+- Degrade to offline knowledge only
+- **Add a visible warning** in the report: `⚠️ Context7 MCP unavailable — framework-version-specific checks used offline knowledge; best practices for <framework@version> may be stale.`
+
+### 2. Dependency + Secret + IaC Scan (Trivy)
+
+<critical>Trivy must be installed. If missing, abort with: `"Trivy not found. Install via 'brew install trivy' (macOS) or equivalent; see 'npx @brunosps00/dev-workflow install-deps' instructions."`</critical>
+
+Run:
+
+```bash
+trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 --format json --output /tmp/dw-trivy-fs.json <scope-path>
+```
+
+Parse the JSON output. The scan covers:
+- **Vulnerabilities** in manifests: `package.json`/`package-lock.json`/`pnpm-lock.yaml`/`yarn.lock` (TS/JS), `requirements*.txt`/`Pipfile.lock`/`poetry.lock` (Python), `*.csproj`/`packages.lock.json` (C# / NuGet)
+- **Secrets**: API keys, tokens, private keys accidentally committed
+- **Misconfig**: surface-level — subsumed by step 3 for IaC
+
+Capture the exact command and exit code; include both in the VERIFICATION REPORT (step 5).
+
+### 3. IaC Config Scan (Trivy)
+
+Run:
+
+```bash
+trivy config --severity HIGH,CRITICAL --format json --output /tmp/dw-trivy-config.json <scope-path>
+```
+
+Covers Dockerfile, Kubernetes manifests, Terraform, CloudFormation, GitHub Actions workflows, Helm charts, AWS CDK.
+
+### 4. Native Lockfile Audit (language-specific, second signal)
+
+For each detected language, run the native audit tool (if available). Treat its output as a second signal — Trivy is primary; this catches gaps.
+
+| Language | Primary command | Fallback |
+|----------|-----------------|----------|
+| TS/JS (npm) | `npm audit --production --audit-level=high --json` | `npm audit --production` (human) |
+| TS/JS (pnpm) | `pnpm audit --prod --audit-level high --json` | — |
+| TS/JS (yarn) | `yarn npm audit --severity high --recursive --json` | — |
+| Python | `pip-audit --strict --format json` | skip with note if `pip-audit` missing |
+| C# | `dotnet list package --vulnerable --include-transitive` | — |
+| Rust | `cargo audit --json` | skip with note if `cargo-audit` not installed (install via `cargo install cargo-audit`); optionally `cargo deny check advisories` |
+
+If the tool returns exit ≠ 0 or reports HIGH/CRITICAL, escalate to REJECTED (same policy as Trivy).
+
+### 5. VERIFICATION REPORT (dw-verify)
+
+Before emitting a status, produce a VERIFICATION REPORT per `dw-verify` skill. Required shape:
+
+```
+VERIFICATION REPORT
+-------------------
+Claim: Security check complete for <scope> (languages: <list>)
+Commands:
+  - trivy fs ... --exit-code 1       → exit <N>, findings: C=<x> H=<y>
+  - trivy config ...                 → exit <N>, findings: C=<x> H=<y>
+  - <native audit>                   → exit <N>, findings: ...
+Executed: just now, after all changes
+Static review: <X> findings (C=<a> H=<b> M=<c> L=<d>)
+Framework context: Context7 MCP [consulted | unavailable]
+Verdict: <CLEAN | PASSED WITH OBSERVATIONS | REJECTED>
+```
+
+### 6. Emit Status (rigid gates)
+
+| Condition | Status |
+|-----------|--------|
+| Any CRITICAL finding (static OR Trivy OR native audit) | **REJECTED** |
+| Any HIGH finding | **REJECTED** |
+| Only MEDIUM / LOW findings | **PASSED WITH OBSERVATIONS** |
+| Zero findings | **CLEAN** |
+
+<critical>No finding is "accepted as caveat" at HIGH or above. The user may choose to fix and re-run, or raise the issue as an ADR documenting why the risk is accepted — but this command's verdict does not change.</critical>
+
+## Report Format
+
+Save to `{{SCOPE}}/security-check.md` (when PRD scope) with frontmatter:
+
+```markdown
+---
+type: security-check
+schema_version: "1.0"
+status: <CLEAN | PASSED WITH OBSERVATIONS | REJECTED>
+date: YYYY-MM-DD
+languages: [typescript, python, csharp, rust]
+---
+
+# Security Check — <feature name>
+
+## Status: <STATUS>
+
+<short summary>
+
+## VERIFICATION REPORT
+<the block from step 5>
+
+## Findings
+
+### Critical (<count>)
+- **[CRITICAL]** `path/to/file.ts:42` — <title ≤72 chars>
+  <description>
+  <remediation>
+  Also affects: <other paths if de-duplicated>
+  Evidence: <snippet or CVE id>
+
+### High (<count>)
+...
+
+### Medium (<count>)
+...
+
+### Low (<count>)
+...
+
+## Dependency Vulnerabilities (Trivy)
+
+| CVE | Package | Installed | Fixed in | Severity | Path |
+|-----|---------|-----------|----------|----------|------|
+| CVE-... | ... | ... | ... | CRITICAL | package-lock.json |
+
+## Secrets Found (Trivy)
+
+| Rule | File | Line |
+|------|------|------|
+| aws-access-key-id | src/config.ts | 14 |
+
+## IaC Misconfigurations (Trivy config)
+
+| Rule | File | Severity | Description |
+|------|------|----------|-------------|
+| AVD-DS-0002 | Dockerfile | HIGH | Running as root |
+
+## Framework Best Practices (Context7)
+
+For each framework consulted, one paragraph summarizing the guidance applied.
+
+If Context7 was unavailable, include the warning block.
+
+## Well-Implemented Aspects
+- <short list for tone calibration; does not affect verdict>
+
+## Recommendations
+1. <action for blocking findings>
+2. <action for observations>
+```
+
+## Integration With Other dw-* Commands
+
+- **`/dw-code-review`** (Level 3): for TS/Python/C#/Rust projects, invokes this command as step 6.7 "Security Layer" and hard-gates on the result. APPROVED cannot be emitted if `security-check.md` is missing or REJECTED.
+- **`/dw-review-implementation`** (Level 2): for TS/Python/C#/Rust projects that touch code, invokes this command and maps its findings into a "Security Gaps" category in the interactive corrections cycle.
+- **`/dw-generate-pr`**: hard gate — for supported-language projects, blocks the PR if `security-check.md` is missing or REJECTED from the current session.
+- **`/dw-bugfix --analysis`**: if the root cause area involves auth / secrets / external input, suggests running this command before the fix.
+
+## Critical Rules
+
+- <critical>NO bypass flag. The command does not accept `--skip`, `--ignore`, `--allowlist`.</critical>
+- <critical>Trivy is required. If missing, abort with install instructions. Do NOT silently skip the SCA layer.</critical>
+- <critical>Context7 MCP is consulted when frameworks are detected. Degradation to offline mode must be visible in the report.</critical>
+- Do NOT modify source code — this command detects only.
+- Do NOT re-flag findings already tracked as accepted in a prior ADR (`.dw/spec/*/adrs/adr-*.md` with status `Accepted` and topic covering the finding).
+- If running without PRD scope (raw path), emit the report to stdout — do not write to arbitrary locations.
+
+## Error Handling
+
+- Trivy missing → abort with install instructions (see `install-deps`)
+- `.dw/spec/<slug>/` missing → check if scope is a raw path; otherwise abort asking for explicit scope
+- Native audit tool missing (e.g., `pip-audit`) → skip with visible note in report; do not fail
+- Context7 MCP unavailable → visible warning in report; do not fail
+- Scope contains 0 files of supported languages → abort (see step 0)
+
+## Inspired by
+
+`dw-security-check` is dev-workflow-native. Conceptually inspired by the open-source skills surfaced via `/find-skills` (`supercent-io/skills-template@security-best-practices`, `hoodini/ai-agents-skills@owasp-security`, `github/awesome-copilot@agent-owasp-compliance`), but implemented from scratch with native integration to dev-workflow's primitives (`dw-verify`, `dw-review-rigor`, `security-review`) and Trivy — none of which those skills integrate.
+
+</system_instructions>

package/scaffold/pt-br/commands/dw-code-review.md

@@ -23,6 +23,7 @@ Quando disponíveis no projeto em `./.agents/skills/`, use estas skills como apo
 
 - `dw-review-rigor`: **SEMPRE** — aplica de-duplication (mesmo pattern em N arquivos = 1 finding), severity ordering (critical → high → medium → low), verify-before-flag, skip-what-linter-catches, e signal-over-volume. A tabela "Problemas Encontrados" do relatório segue essa disciplina.
 - `dw-verify`: **SEMPRE** — invocada antes de emitir verdict `APROVADO` ou `APROVADO COM RESSALVAS`. Sem VERIFICATION REPORT PASS (test + lint + build), o verdict não pode sair como APROVADO.
+- `/dw-security-check`: **SEMPRE para projetos TS/Python/C#/Rust** — invocado como step 6.7 (Camada de Segurança) antes de emitir verdict. Se o projeto usa linguagem suportada e `security-check.md` não existe OU tem status REJECTED, o verdict é **REPROVADO** — sem exceção.
 - `security-review`: use quando auth, autorização, input externo, upload, SQL, integração externa, secrets, SSRF, XSS ou superfícies sensíveis estiverem presentes
 - `vercel-react-best-practices`: use quando o diff tocar React/Next.js para revisar padrões de renderização, fetching, bundle, hidratação e performance
 
@@ -198,6 +199,15 @@ Se houver reviews anteriores em `{{PRD_PATH}}/reviews/` ou `{{PRD_PATH}}/dw-code
 
 <critical>Invocar `dw-verify` e incluir o VERIFICATION REPORT no início do relatório. Sem PASS, o verdict só pode ser `REPROVADO` — nunca `APROVADO` ou `APROVADO COM RESSALVAS`.</critical>
 
+### 6.7. Camada de Segurança (Obrigatório para projetos TS/Python/C#/Rust)
+
+<critical>Para projetos em TypeScript/JavaScript, Python, C# ou Rust que tiveram código modificado no diff, invocar `/dw-security-check` com o mesmo `{{PRD_PATH}}`. Sem `security-check.md` presente no PRD OU com status diferente de CLEAN/PASSED WITH OBSERVATIONS, o verdict é **REPROVADO** — sem exceção.</critical>
+
+- Se `/dw-security-check` retornar **REJECTED**: verdict automático **REPROVADO**. Incluir na seção "Problemas Encontrados" do relatório final os findings CRITICAL/HIGH do security-check com severity apropriada.
+- Se retornar **PASSED WITH OBSERVATIONS**: pode seguir para APROVADO COM RESSALVAS, listando as observations medium/low como ressalvas.
+- Se retornar **CLEAN**: prossegue normalmente para o verdict baseado nos demais critérios.
+- Projetos em linguagens não suportadas pelo security-check (Go, Java, PHP, Ruby etc.) → pular este step com nota visível no relatório de code-review.
+
 ### 7. Gerar Relatório de Code Review (Obrigatório)
 
 Salvar em `{{PRD_PATH}}/dw-code-review.md`:

package/scaffold/pt-br/commands/dw-generate-pr.md

@@ -14,8 +14,11 @@
     | Skill | Gatilho |
     |-------|---------|
     | `dw-verify` | **SEMPRE** — invocada antes do `git push`. Sem VERIFICATION REPORT PASS na sessão após a última edição de código, o PR **NÃO** pode ser criado. |
+    | `/dw-security-check` | **SEMPRE para projetos TS/Python/C#/Rust** — `security-check.md` com status ≠ REJECTED é obrigatório para projetos em linguagem suportada. |
 
-    <critical>Hard gate: se a sessão atual não tem um VERIFICATION REPORT PASS de `dw-verify` produzido APÓS a última edição/commit, PARAR e invocar `dw-verify` antes de prosseguir. PR é um artefato permanente — exige o maior rigor de verificação.</critical>
+    <critical>Hard gate 1 (verify): se a sessão atual não tem um VERIFICATION REPORT PASS de `dw-verify` produzido APÓS a última edição/commit, PARAR e invocar `dw-verify` antes de prosseguir. PR é um artefato permanente — exige o maior rigor de verificação.</critical>
+
+    <critical>Hard gate 2 (security): para projetos TS/Python/C#/Rust, se `{{PRD_PATH}}/security-check.md` não existir OU tiver status REJECTED, PARAR e invocar `/dw-security-check` antes de prosseguir. Vulnerabilidades HIGH/CRITICAL NÃO podem chegar ao PR. Para outras linguagens (Go, Java, etc.), este gate é pulado com nota.</critical>
 
     ## Uso
 

package/scaffold/pt-br/commands/dw-help.md

@@ -25,6 +25,7 @@ Você é um assistente de ajuda do workspace. Quando invocado, apresente ao usu
 | design, ui, redesign | `/dw-redesign-ui` | Auditoria + propostas + implementação visual |
 | decisão, adr, arquitetura | `/dw-adr` | Registrar Architecture Decision Record |
 | debate, council, stress-test, opiniões | `/dw-brainstorm --council` ou `/dw-create-techspec --council` | Invoca `dw-council` para debate multi-advisor |
+| security, segurança, vulnerabilidade, owasp, trivy, cve | `/dw-security-check` | Check multi-camada rígido (OWASP estático + Trivy SCA/IaC + audit nativo) para TS/Python/C#/Rust |
 | reverter, rollback de task | `/dw-revert-task` | Revert seguro com check de dependências |
 | hotfix, mudança rápida | `/dw-quick` | Task pontual com garantias sem PRD |
 | retomar, onde parei | `/dw-resume` | Restaura contexto da sessão anterior |
@@ -135,6 +136,7 @@ Este workspace utiliza um sistema de comandos AI que automatiza o ciclo completo
 | `/dw-review-implementation` | Compara PRD vs código (FRs, endpoints, tasks) | Path do PRD | Relatório de gaps |
 | `/dw-code-review` | Code review formal (qualidade, rules, testes) | Path do PRD | `code-review.md` |
 | `/dw-refactoring-analysis` | Auditoria de code smells e oportunidades de refatoração (catálogo Fowler) | Path do PRD | `refactoring-analysis.md` |
+| `/dw-security-check` | Check de segurança rígido (OWASP estático + Trivy SCA/IaC + audit nativo) para TS/Python/C#/Rust | Path do PRD ou código | `security-check.md` |
 
 ### Versionamento
 

package/scaffold/pt-br/commands/dw-review-implementation.md

@@ -28,6 +28,7 @@
     | Skill | Gatilho |
     |-------|---------|
     | `dw-review-rigor` | **SEMPRE** — ao listar gaps entre PRD/TechSpec e código, aplicar de-duplication (mesmo gap em N módulos = 1 entrada), severity ordering e verify-intent-before-flag |
+    | `/dw-security-check` | **SEMPRE para projetos TS/Python/C#/Rust com diff que toca código** — os findings viram uma categoria "Security Gaps" no ciclo interativo de correções. Se status REJECTED, os gaps são bloqueantes. |
 
     ## Variáveis de Entrada
 
@@ -42,6 +43,16 @@
     2. Especificações técnicas da TechSpec
     3. Tasks definidas no tasks.md
     4. Código efetivamente implementado (via git diff/status)
+    5. **Segurança do código implementado** (via `/dw-security-check` para projetos TS/Python/C#/Rust)
+
+    ## Camada de Segurança (Obrigatório para projetos TS/Python/C#/Rust)
+
+    <critical>Se o projeto usa TypeScript, Python, C# ou Rust e o diff toca código (não apenas docs), INVOCAR `/dw-security-check {{PRD_PATH}}` antes de listar gaps. O status e findings retornados alimentam a seção "Security Gaps" do relatório de Nível 2.</critical>
+
+    - Status **REJECTED** do security-check → os findings CRITICAL/HIGH viram gaps **bloqueantes** no ciclo interativo de correções (equivalente a gap de funcionalidade crítica não implementada)
+    - Status **PASSED WITH OBSERVATIONS** → os findings MEDIUM/LOW viram recomendações no ciclo
+    - Status **CLEAN** → seção "Security Gaps: Nenhum" no relatório
+    - Projeto em linguagem não suportada → nota no relatório indicando que a camada de segurança foi pulada
 
     ## Arquivos a Ler (Obrigatório)