@brunosps00/dev-workflow 0.5.0 → 0.6.1

package/README.md

@@ -10,7 +10,7 @@ npx @brunosps00/dev-workflow init
 
 This will:
 1. Ask you to select a language (English or Portuguese)
-2. Create `.dw/commands/` with 26 workflow commands
+2. Create `.dw/commands/` with 27 workflow commands
 3. Create `.dw/templates/` with document templates (PRD, TechSpec, Tasks, ADR, etc.)
 4. Create `.dw/rules/` (populated by `/dw-analyze-project`)
 5. Install bundled skills (`dw-verify`, `dw-memory`, `dw-review-rigor`, `ui-ux-pro-max`, `security-review`, etc.) to `.agents/skills/`
@@ -29,7 +29,7 @@ npx @brunosps00/dev-workflow install-deps
 ### Planning
 
 #### `/dw-brainstorm`
-Facilitates structured ideation before opening a PRD or implementation. Explores multiple directions — conservative, balanced, and bold — with trade-offs for each, then converges on concrete next steps. No code is written or files modified.
+Facilitates structured ideation before opening a PRD or implementation. Explores multiple directions — conservative, balanced, and bold — with trade-offs for each, then converges on concrete next steps. **Product-aware**: when PRDs or rules exist, automatically reads them to produce a Feature Inventory and tags each option as `[IMPROVES: <feature>]`, `[CONSOLIDATES: <A>+<B>]`, or `[NEW]`. With optional `--onepager` flag, generates a durable one-pager at `.dw/spec/ideas/<slug>.md` that `/dw-create-prd` can consume to reduce clarification questions. Inspired by [`addyosmani/agent-skills@idea-refine`](https://skills.sh/addyosmani/agent-skills/idea-refine), adapted to product-level (features) rather than code-level grounding. No code is written or project files modified by the brainstorm itself.
 
 #### `/dw-autopilot`
 Full pipeline orchestrator that takes a wish and automatically runs the entire development flow: codebase intelligence, research (conditional), brainstorm, PRD, techspec, tasks, execution, QA, review, and commit. Stops at 3 gates: PRD approval, tasks approval, and PR confirmation. With GSD installed, leverages plan verification and parallel execution.
@@ -77,6 +77,9 @@ Performs a formal Level 3 code review before PR creation, verifying PRD complian
 #### `/dw-refactoring-analysis`
 Audits the codebase for code smells and refactoring opportunities using Martin Fowler's catalog. Detects bloaters, change preventers, dispensables, couplers, conditional complexity, and DRY violations, then maps each to a concrete refactoring technique with before/after code sketches. Includes coupling/cohesion metrics, SOLID analysis, and a prioritized action plan (P0-P3).
 
+#### `/dw-security-check`
+Rigid multi-layer security check for **TypeScript, Python, C#, and Rust** projects. Combines OWASP static review (language-aware, via the bundled `security-review` skill), Trivy SCA/secret/IaC scanning (`trivy fs` + `trivy config`), and native lockfile audit (`npm audit` / `pip-audit` / `dotnet list package --vulnerable` / `cargo audit`). Consults Context7 MCP for framework-version-specific best practices (Next.js, Django, ASP.NET Core, Actix/Axum/Rocket, etc.). Hard gates: any CRITICAL or HIGH finding produces REJECTED status, blocking `/dw-code-review`, `/dw-review-implementation`, and `/dw-generate-pr`. No bypass flag. Requires Trivy (install via `install-deps`).
+
 ### Git & PR
 
 #### `/dw-commit`
@@ -164,7 +167,7 @@ All wrappers point to `.dw/commands/` as the single source of truth.
 ```
 your-project/
 ├── .dw/
-│   ├── commands/          # 26 workflow command files
+│   ├── commands/          # 27 workflow command files
 │   ├── templates/         # Document templates (PRD, TechSpec, etc.)
 │   ├── rules/             # Project-specific rules (run /dw-analyze-project)
 │   ├── references/        # Reference documentation
@@ -214,6 +217,7 @@ Installed via `npx @brunosps00/dev-workflow install-deps`:
 | **Context7 MCP** | Contextual documentation lookup for AI assistants | [upstash/context7-mcp](https://github.com/upstash/context7-mcp) |
 | **react-doctor** | Health score and diagnostics for React projects | [react.doctor](https://www.react.doctor/) |
 | **GSD (get-shit-done-cc)** | Optional engine: parallel execution, plan verification, codebase intelligence, cross-session persistence | [gsd-build/get-shit-done](https://github.com/gsd-build/get-shit-done) |
+| **Trivy** | Native binary scanner used by `/dw-security-check` for CVE, secret, and IaC scanning. `install-deps` detects presence and prints OS-specific install instructions (brew / curl script / choco / Docker) — does not install automatically. | [aquasecurity.github.io/trivy](https://aquasecurity.github.io/trivy/) |
 
 ## Options
 

package/lib/constants.js

@@ -25,6 +25,7 @@ const COMMANDS = {
     { name: 'dw-run-plan', description: 'Execute ALL tasks sequentially until the plan is complete' },
     { name: 'dw-run-qa', description: 'Run visual QA with browser automation, E2E tests, and accessibility' },
     { name: 'dw-run-task', description: 'Execute a single task with built-in validation and testing' },
+    { name: 'dw-security-check', description: 'Run a rigid multi-layer security check (OWASP static + Trivy SCA/IaC + native audit) for TS, Python, C#, or Rust projects' },
     { name: 'dw-update', description: 'Update dev-workflow to the latest version published on npm without leaving the agent session' },
   ],
   'pt-br': [
@@ -53,6 +54,7 @@ const COMMANDS = {
     { name: 'dw-run-plan', description: 'Executar TODAS as tasks sequencialmente ate completar o plano' },
     { name: 'dw-run-qa', description: 'Executar QA visual com automacao de browser, testes E2E e acessibilidade' },
     { name: 'dw-run-task', description: 'Executar uma task com validacao e testes integrados' },
+    { name: 'dw-security-check', description: 'Check de seguranca rigido multi-camada (OWASP estatico + Trivy SCA/IaC + audit nativo) para projetos TS, Python, C# ou Rust' },
     { name: 'dw-update', description: 'Atualizar o dev-workflow para a versao mais recente publicada no npm sem sair da sessao do agente' },
   ],
 };

package/lib/install-deps.js

@@ -25,13 +25,47 @@ function run() {
       check: null,
       install: 'npx get-shit-done-cc@latest --claude --codex --copilot --opencode --local -y',
     },
+    {
+      name: 'Trivy (security scanner)',
+      check: 'trivy --version',
+      install: null,
+      instructions: [
+        'Trivy is a native binary and cannot be installed via npm. Install it using your OS package manager:',
+        '  macOS:    brew install trivy',
+        '  Linux:    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin',
+        '  Windows:  choco install trivy   (or: scoop install trivy)',
+        '  Docker:   docker pull aquasec/trivy:latest   (use via alias or wrapper)',
+        '',
+        'Once installed, /dw-security-check will use it for CVE, secret, and IaC scanning.',
+      ],
+    },
   ];
 
   let installed = 0;
   let skipped = 0;
   let failed = 0;
+  let missing = 0;
 
   for (const dep of deps) {
+    // Detect-only dependencies (install === null): check presence, print instructions if missing
+    if (dep.install === null) {
+      process.stdout.write(`  Checking ${dep.name}...`);
+      try {
+        execSync(dep.check, { stdio: 'pipe', timeout: 10000 });
+        console.log(' \x1b[32m✓ already installed\x1b[0m');
+        installed++;
+      } catch (err) {
+        console.log(' \x1b[33m— not found\x1b[0m');
+        if (Array.isArray(dep.instructions)) {
+          for (const line of dep.instructions) {
+            console.log(`    ${line}`);
+          }
+        }
+        missing++;
+      }
+      continue;
+    }
+
     process.stdout.write(`  Installing ${dep.name}...`);
     try {
       execSync(dep.install, { stdio: 'pipe', timeout: 300000 });
@@ -45,7 +79,11 @@ function run() {
   }
 
   console.log(`\n  ${'='.repeat(40)}`);
-  console.log(`  Done! ${installed} installed, ${skipped} skipped, ${failed} failed`);
+  const parts = [`${installed} installed`];
+  if (skipped) parts.push(`${skipped} skipped`);
+  if (missing) parts.push(`${missing} require manual install (see instructions above)`);
+  if (failed) parts.push(`${failed} failed`);
+  console.log(`  Done! ${parts.join(', ')}`);
   console.log();
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@brunosps00/dev-workflow",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "description": "AI-driven development workflow commands for any project. Scaffolds a complete PRD-to-PR pipeline with multi-platform AI assistant support.",
   "bin": {
     "dev-workflow": "./bin/dev-workflow.js"

package/scaffold/en/commands/dw-brainstorm.md

@@ -13,8 +13,10 @@ You are a brainstorming facilitator for the current workspace. This command exis
 
 ## Flags
 
-- **(default)**: normal brainstorm with 3-7 options (conservative, balanced, bold) and trade-offs
+- **(default)**: normal brainstorm with 3-7 options (conservative, balanced, bold) and trade-offs. If the product has PRDs or rules, a **Product Inventory** is produced automatically and each option carries a classification tag.
+- **`--onepager`**: at the end of the brainstorm, generate a durable one-pager at `.dw/spec/ideas/<slug>.md` (using `.dw/templates/idea-onepager.md`) with Feature Inventory + Classification & Rationale + MVP Scope + Not Doing + Assumptions. Use when you want a persisted product artifact before moving to `/dw-create-prd`.
 - **`--council`**: after the normal brainstorm, invoke the `dw-council` skill to stress-test the top 2-3 options via 3-5 archetypes (pragmatic-engineer, architect-advisor, security-advocate, product-mind, devils-advocate). Useful when the choice is high-impact and there is genuine dissent between paths.
+- Flags are composable: `--onepager --council` produces the one-pager after the council debate.
 
 ## Decision Flowchart: Brainstorm vs Direct PRD
 
@@ -46,6 +48,7 @@ When available in the project under `./.agents/skills/`, use these skills to enr
 ## Template Reference
 
 - Brainstorm matrix template: `.dw/templates/brainstorm-matrix.md` (relative to workspace root)
+- Durable one-pager template: `.dw/templates/idea-onepager.md` (used with `--onepager` flag)
 
 Use this command when the user wants to:
 - Generate ideas for product, UX, architecture, or automation
@@ -56,37 +59,57 @@ Use this command when the user wants to:
 
 ## Required Behavior
 
+<critical>The brainstorm is a **product-level** phase, not technical. DO NOT dive into architecture, stack, endpoints, schemas. That's the techspec's job. Here we work user journeys, value, features, and boundaries.</critical>
+
 1. Start by summarizing the problem in 1 to 3 sentences.
-2. If essential context is missing, ask short and objective questions before expanding.
-3. Structure the brainstorm into multiple directions, avoiding locking in too early on a single answer.
-4. For each direction, make explicit:
-   - Core idea
+2. **Reframe as "How Might We"**: turn the raw idea into `How might we [verb] for [user] so that [outcome]?`. This pulls the team out of premature "solution mode".
+3. **Product Inventory (required if the product exists)**:
+   - If `.dw/spec/prd-*/` has PRDs OR `.dw/rules/index.md` exists, read these artifacts to map the **current product's feature inventory** (product level, not code level).
+   - Sources to consult: `.dw/spec/prd-*/prd.md` (Overview / Main Features / User Stories sections), `.dw/rules/index.md` and `.dw/rules/<module>.md`, `.planning/intel/` if present.
+   - Produce a **short Feature Inventory (5-12 bullets)** before diverging: "the product today does X, Y, Z".
+   - If the project is greenfield (no PRDs or rules), record: "Feature Inventory: greenfield — no product artifacts yet".
+4. If essential context is missing for the user (problem, persona, expected value), ask short and objective questions before expanding.
+5. Structure the brainstorm into multiple directions, avoiding locking in too early on a single answer.
+6. For each direction (3-7), make explicit:
+   - **Required classification tag**: `[IMPROVES: <existing feature>]` | `[CONSOLIDATES: <feat A> + <feat B>]` | `[NEW]`
+   - Core idea (in product language — journey, value, boundary)
    - Benefits
    - Risks or limitations
    - Approximate effort level
-5. Whenever it makes sense, include conservative, balanced, and bold alternatives.
-6. If the topic involves the current workspace, use repository context to make the ideas more concrete.
-7. Close with a pragmatic recommendation and clear next steps.
+7. Whenever it makes sense, include conservative, balanced, and bold alternatives.
+8. Close with a pragmatic recommendation and clear next steps.
+9. **If the `--onepager` flag is present**: at the end, generate `.dw/spec/ideas/<slug>.md` using `.dw/templates/idea-onepager.md`, filling Feature Inventory, Classification & Rationale, Recommended Direction (product language), MVP Scope (user stories), Not Doing, Key Assumptions, and Open Questions. Report the path to the user.
 
 ## Preferred Response Format
 
-### 1. Framing
+### 1. How Might We
+- Reframed sentence
+
+### 2. Product Inventory
+- 5-12 bullets of mapped existing features (or "greenfield")
+
+### 3. Framing
 - Objective
 - Constraints
 - Decision criteria
 
-### 2. Options
-- Present 3 to 7 distinct options
+### 4. Options (matrix `brainstorm-matrix.md`)
+- 3 to 7 distinct options
+- Each option with `[IMPROVES] / [CONSOLIDATES] / [NEW]` tag
 - Avoid listing superficial variations of the same idea
 
-### 3. Convergence
+### 5. Convergence
 - Recommend 1 or 2 paths
 - Explain why they win in the current context
 
-### 4. Next Steps
+### 6. One-pager (if `--onepager`)
+- Path of the created file at `.dw/spec/ideas/<slug>.md`
+
+### 7. Next Steps
 - Short and actionable list
 - If appropriate, suggest which command to use next:
-  - `/dw-create-prd`
+  - `/dw-create-prd` (main successor; accepts the one-pager as input, reducing clarification questions)
+  - `/dw-quick` (if it's a small IMPROVES that fits in a single task, ≤3 files)
   - `/dw-create-techspec`
   - `/dw-create-tasks`
   - `/dw-bugfix`
@@ -113,8 +136,20 @@ Depending on the request, this command may produce:
 ## Closing
 
 At the end, always leave the user in one of these situations:
-- With a clear recommendation
+- With a clear recommendation (including an IMPROVES/CONSOLIDATES/NEW classification)
 - With better questions to decide
 - With a next workspace command to follow
+- With the one-pager at `.dw/spec/ideas/<slug>.md` (if `--onepager` was used)
+
+## Inspired by
+
+The codebase-grounded idea refinement pattern is inspired by [`addyosmani/agent-skills@idea-refine`](https://skills.sh/addyosmani/agent-skills/idea-refine) (Addy Osmani, Google — 1.4K+ installs). Adaptations for dev-workflow:
+
+- **Product level, not code level**: while `idea-refine` uses Glob/Grep/Read over `src/*`, here we read **PRDs + rules + intel** to map the **feature inventory** of the product. The brainstorm stays product-focused.
+- **Explicit classification** (IMPROVES / CONSOLIDATES / NEW) as dev-workflow-native discipline — forces the team to decide whether the idea is new, consolidates existing features, or improves one, before opening a PRD.
+- Output at `.dw/spec/ideas/<slug>.md` (sibling of `prd-<slug>/`) instead of `docs/ideas/` — preserves dev-workflow path conventions.
+- Integration with the existing pipeline: `/dw-create-prd` accepts the one-pager as input, reducing clarification questions.
+
+Credit: Addy Osmani and the `idea-refine` pattern.
 
 </system_instructions>

package/scaffold/en/commands/dw-code-review.md

@@ -23,6 +23,7 @@ When available in the project under `./.agents/skills/`, use these skills as ana
 
 - `dw-review-rigor`: **ALWAYS** — applies de-duplication (same pattern in N files = 1 finding), severity ordering (critical → high → medium → low), verify-before-flag, skip-what-linter-catches, and signal-over-volume. The report's "Issues Found" table follows this discipline.
 - `dw-verify`: **ALWAYS** — invoked before emitting an `APPROVED` or `APPROVED WITH CAVEATS` verdict. Without a VERIFICATION REPORT PASS (test + lint + build), the verdict cannot be APPROVED.
+- `/dw-security-check`: **ALWAYS for TS/Python/C#/Rust projects** — invoked as step 6.7 (Security Layer) before emitting a verdict. If the project uses a supported language and `security-check.md` is missing OR has REJECTED status, the verdict is **REJECTED** — no exception.
 - `security-review`: use when auth, authorization, external input, upload, SQL, external integration, secrets, SSRF, XSS, or sensitive surfaces are present
 - `vercel-react-best-practices`: use when the diff touches React/Next.js to review rendering, fetching, bundle, hydration, and performance patterns
 
@@ -214,6 +215,15 @@ If prior reviews exist in `{{PRD_PATH}}/reviews/` or a previous `{{PRD_PATH}}/dw
 
 <critical>Invoke `dw-verify` and include the VERIFICATION REPORT at the start of the report. Without PASS, the verdict can only be `REJECTED` — never `APPROVED` or `APPROVED WITH CAVEATS`.</critical>
 
+### 6.7. Security Layer (Required for TS/Python/C#/Rust projects)
+
+<critical>For TypeScript/JavaScript, Python, C#, or Rust projects whose diff touches code, invoke `/dw-security-check` with the same `{{PRD_PATH}}`. Without a `security-check.md` present in the PRD OR with a status other than CLEAN / PASSED WITH OBSERVATIONS, the verdict is **REJECTED** — no exception.</critical>
+
+- If `/dw-security-check` returns **REJECTED**: automatic verdict **REJECTED**. Include the security-check's CRITICAL/HIGH findings with appropriate severity in the final report's "Issues Found" section.
+- If it returns **PASSED WITH OBSERVATIONS**: may proceed to APPROVED WITH CAVEATS, listing medium/low observations as caveats.
+- If it returns **CLEAN**: proceeds normally to a verdict based on the remaining criteria.
+- Projects in languages not supported by security-check (Go, Java, PHP, Ruby, etc.) → skip this step with a visible note in the code-review report.
+
 ### 7. Generate Code Review Report (Required)
 
 Save to `{{PRD_PATH}}/dw-code-review.md`:

package/scaffold/en/commands/dw-create-prd.md

@@ -9,7 +9,15 @@
     - Do NOT use when requirements are still vague and unexplored (use `/dw-brainstorm` first)
 
     ## Pipeline Position
-    **Predecessor:** `/dw-brainstorm` (optional) | **Successor:** `/dw-create-techspec`
+    **Predecessor:** `/dw-brainstorm` (optional; may pass a one-pager as input) | **Successor:** `/dw-create-techspec`
+
+    ## One-pager as Input (optional)
+
+    If `.dw/spec/ideas/<slug>.md` exists (produced by `/dw-brainstorm --onepager`), **read it before asking questions**. The one-pager already provides: Problem Statement, product Feature Inventory, Classification (IMPROVES/CONSOLIDATES/NEW), Recommended Direction, MVP Scope, Not Doing, Key Assumptions, and Open Questions.
+
+    With a valid one-pager (all fields filled), **reduce the minimum clarification questions from 7 to 4** — focus only on remaining gaps (e.g., specific acceptance criteria, concrete success metrics, error flows, edge cases). DO NOT repeat questions already answered in the one-pager.
+
+    In the final PRD, add an "Idea Origin" section citing the one-pager and preserving the classification tag.
 
     ## Requirement Clarity Guide
 
@@ -71,6 +79,7 @@
     - What is NOT in scope
     - **Impacted projects** (consult `.dw/rules/index.md` to identify which systems are affected)
     - <critical>DO NOT GENERATE THE PRD WITHOUT FIRST ASKING AT LEAST 7 CLARIFICATION QUESTIONS</critical>
+    - <critical>**EXCEPTION**: If a one-pager at `.dw/spec/ideas/<slug>.md` was passed as input and all its fields are filled, the minimum drops to **4 questions** — focus on gaps (acceptance criteria, metrics, edge cases). DO NOT repeat questions already answered in the one-pager.</critical>
 
     ### 2. Plan (Required)
     Create a PRD development plan including:

package/scaffold/en/commands/dw-generate-pr.md

@@ -14,8 +14,11 @@ You are an assistant specialized in creating well-documented Pull Requests. Your
 | Skill | Trigger |
 |-------|---------|
 | `dw-verify` | **ALWAYS** — invoked before `git push`. Without a VERIFICATION REPORT PASS in the current session AFTER the last code edit, the PR **CANNOT** be created. |
+| `/dw-security-check` | **ALWAYS for TS/Python/C#/Rust projects** — `security-check.md` with status ≠ REJECTED is required for supported-language projects. |
 
-<critical>Hard gate: if the current session has no VERIFICATION REPORT PASS from `dw-verify` produced AFTER the last edit/commit, STOP and invoke `dw-verify` before proceeding. A PR is a permanent artifact — it demands the highest verification standard.</critical>
+<critical>Hard gate 1 (verify): if the current session has no VERIFICATION REPORT PASS from `dw-verify` produced AFTER the last edit/commit, STOP and invoke `dw-verify` before proceeding. A PR is a permanent artifact — it demands the highest verification standard.</critical>
+
+<critical>Hard gate 2 (security): for TS/Python/C#/Rust projects, if `{{PRD_PATH}}/security-check.md` is missing OR has REJECTED status, STOP and invoke `/dw-security-check` before proceeding. HIGH/CRITICAL vulnerabilities CANNOT reach the PR. For other languages (Go, Java, etc.), this gate is skipped with a note.</critical>
 
 ## Usage
 

package/scaffold/en/commands/dw-help.md

@@ -25,6 +25,8 @@ You are a workspace help assistant. When invoked, present the user with a comple
 | design, ui, redesign | `/dw-redesign-ui` | Audit + propose + implement visual |
 | decision, adr, architecture | `/dw-adr` | Record an Architecture Decision Record |
 | debate, council, stress-test, opinions | `/dw-brainstorm --council` or `/dw-create-techspec --council` | Invokes `dw-council` for a multi-advisor debate |
+| security, vulnerability, owasp, trivy, cve | `/dw-security-check` | Rigid multi-layer check (OWASP static + Trivy SCA/IaC + native audit) for TS/Python/C#/Rust |
+| refine, refinement, idea, one-pager | `/dw-brainstorm --onepager` | Idea refinement with Product Inventory + classification (IMPROVES/CONSOLIDATES/NEW) + durable one-pager |
 | revert, rollback task | `/dw-revert-task` | Safe revert with dependency checks |
 | hotfix, quick change | `/dw-quick` | One-off task with guarantees, no PRD |
 | resume, where I left off | `/dw-resume` | Restore previous session context |
@@ -148,6 +150,7 @@ This workspace uses an AI command system that automates the full development cyc
 | `/dw-review-implementation` | Compares PRD vs code (FRs, endpoints, tasks) | PRD path | Gap report |
 | `/dw-code-review` | Formal code review (quality, rules, tests) | PRD path | `code-review.md` |
 | `/dw-refactoring-analysis` | Audit code smells and refactoring opportunities (Fowler's catalog) | PRD path | `refactoring-analysis.md` |
+| `/dw-security-check` | Rigid security check (OWASP static + Trivy SCA/IaC + native audit) for TS/Python/C#/Rust | PRD path or code | `security-check.md` |
 
 ### Versioning
 

package/scaffold/en/commands/dw-quick.md

@@ -7,6 +7,7 @@ You are a quick task executor. This command exists to implement one-off changes
 ## When to Use
 - Use for small changes that don't justify the full pipeline (PRD -> TechSpec -> Tasks)
 - Use for hotfixes, config adjustments, dependency updates, one-off refactors
+- Use when invoked after `/dw-brainstorm --onepager` and the one-pager carries `[IMPROVES]` classification with an MVP Scope fitting in ≤3 files (skip-PRD path)
 - Do NOT use for new features with multiple requirements (use `/dw-create-prd`)
 - Do NOT use for complex bugs (use `/dw-bugfix`)
 
@@ -28,13 +29,14 @@ You are a quick task executor. This command exists to implement one-off changes
 ## Required Behavior
 
 1. Read `.dw/rules/` to understand project patterns and conventions
-2. Summarize the change in 1-2 sentences and confirm scope with the user
-3. If the change seems too large (>3 files, >100 lines), warn and suggest `/dw-create-prd`
-4. Implement the change following project conventions
-5. Run relevant existing tests (unit, integration)
-6. Run lint if configured in the project
-7. Invoke `dw-verify` and include the VERIFICATION REPORT in the output before committing. Without PASS, DO NOT commit.
-8. Create atomic semantic commit with the change
+2. **If a one-pager exists** at `.dw/spec/ideas/<slug>.md` and was passed as input, read it first. If classification is `[IMPROVES]` and MVP Scope fits in ≤3 files, proceed. If `[NEW]` or `[CONSOLIDATES]` with larger scope, warn and redirect to `/dw-create-prd`.
+3. Summarize the change in 1-2 sentences and confirm scope with the user
+4. If the change seems too large (>3 files, >100 lines), warn and suggest `/dw-create-prd`
+5. Implement the change following project conventions
+6. Run relevant existing tests (unit, integration)
+7. Run lint if configured in the project
+8. Invoke `dw-verify` and include the VERIFICATION REPORT in the output before committing. Without PASS, DO NOT commit.
+9. Create atomic semantic commit with the change
 
 ## GSD Integration
 

package/scaffold/en/commands/dw-review-implementation.md

@@ -28,6 +28,7 @@ This command is called automatically by `/dw-run-plan` at the end of all tasks,
 | Skill | Trigger |
 |-------|---------|
 | `dw-review-rigor` | **ALWAYS** — when listing gaps between PRD/TechSpec and code, apply de-duplication (same gap in N modules = 1 entry), severity ordering, and verify-intent-before-flag |
+| `/dw-security-check` | **ALWAYS for TS/Python/C#/Rust projects whose diff touches code** — findings become a "Security Gaps" category in the interactive corrections cycle. If status is REJECTED, the gaps are blocking. |
 
 ## Input Variables
 
@@ -42,6 +43,16 @@ Analyze the implementation by comparing:
 2. Technical specifications from the TechSpec
 3. Tasks defined in tasks.md
 4. Actually implemented code (via git diff/status)
+5. **Security of the implemented code** (via `/dw-security-check` for TS/Python/C#/Rust projects)
+
+## Security Layer (Required for TS/Python/C#/Rust projects)
+
+<critical>If the project uses TypeScript, Python, C#, or Rust and the diff touches code (not just docs), INVOKE `/dw-security-check {{PRD_PATH}}` before listing gaps. The status and findings returned feed the "Security Gaps" section of the Level 2 report.</critical>
+
+- **REJECTED** status from security-check → CRITICAL/HIGH findings become **blocking** gaps in the interactive corrections cycle (equivalent to a critical missing feature)
+- **PASSED WITH OBSERVATIONS** → MEDIUM/LOW findings become recommendations in the cycle
+- **CLEAN** → "Security Gaps: None" section in the report
+- Project in an unsupported language → note in the report indicating the security layer was skipped
 
 ## Files to Read (Required)