@brunosps00/dev-workflow 0.7.0 → 0.8.1

package/README.md

@@ -10,7 +10,7 @@ npx @brunosps00/dev-workflow init
 
 This will:
 1. Ask you to select a language (English or Portuguese)
-2. Create `.dw/commands/` with 27 workflow commands
+2. Create `.dw/commands/` with 31 workflow commands
 3. Create `.dw/templates/` with document templates (PRD, TechSpec, Tasks, ADR, etc.)
 4. Create `.dw/rules/` (populated by `/dw-analyze-project`)
 5. Install bundled skills (`dw-verify`, `dw-memory`, `dw-review-rigor`, `ui-ux-pro-max`, `security-review`, etc.) to `.agents/skills/`
@@ -63,10 +63,10 @@ Executes a one-off change with workflow guarantees (validation, atomic commit) w
 ### Quality
 
 #### `/dw-run-qa`
-Validates the implementation against PRD, TechSpec, and Tasks using Playwright MCP for E2E browser automation. Tests happy paths, edge cases, negative flows, and regressions while verifying WCAG 2.2 accessibility compliance. Generates a QA report, documents bugs with screenshot evidence, and detects stub/placeholder pages.
+Validates the implementation against PRD, TechSpec, and Tasks. **Mode-aware**: in UI mode, drives Playwright MCP for E2E browser tests with happy paths, edge cases, negative flows, regressions, WCAG 2.2 accessibility, and screenshot evidence. In API mode (auto-detected when no UI deps are in the manifest, or forced via `--api`), composes per-RF `.http` / pytest+httpx / supertest / WebApplicationFactory / reqwest scripts from the bundled `api-testing-recipes` skill, executes them, and writes JSONL request/response logs to `QA/logs/api/` as evidence. The matrix expands to {200 happy / 4xx validation/auth/authz/not-found/conflict / 5xx / contract drift / cross-tenant denial}. Optional `--from-openapi` adds a baseline derived from the project's OpenAPI spec. Generates a QA report, documents bugs with mode-aware evidence, and detects stub/placeholder pages (UI) or unmapped spec endpoints (API).
 
 #### `/dw-fix-qa`
-Fixes bugs found during QA testing with evidence-driven retesting via Playwright MCP. Runs iterative cycles of identify, fix, retest, updating `QA/bugs.md` and `QA/qa-report.md` with status and retest evidence including screenshots and logs.
+Fixes bugs found during QA testing with evidence-driven retesting. **Mode-aware**: in UI mode replays the failing flow via Playwright MCP and saves a retest screenshot; in API mode replays the failing `.http`/recipe and appends a `verdict: PASS|FAIL` JSONL line to `QA/logs/api/BUG-NN-retest.log`. Runs iterative cycles of identify, fix, retest, updating `QA/bugs.md` and `QA/qa-report.md` with status and mode-correct evidence.
 
 #### `/dw-review-implementation`
 Compares documented requirements (PRD + TechSpec + Tasks) against actual code as a Level 2 review. Maps each requirement to endpoints and tasks with evidence, identifies gaps, partial implementations, and extra undocumented code. Does not execute fixes — waits for user instruction.
@@ -80,6 +80,9 @@ Audits the codebase for code smells and refactoring opportunities using Martin F
 #### `/dw-security-check`
 Rigid multi-layer security check for **TypeScript, Python, C#, and Rust** projects. Combines OWASP static review (language-aware, via the bundled `security-review` skill), Trivy SCA/secret/IaC scanning (`trivy fs` + `trivy config`), and native lockfile audit (`npm audit` / `pip-audit` / `dotnet list package --vulnerable` / `cargo audit`). Consults Context7 MCP for framework-version-specific best practices (Next.js, Django, ASP.NET Core, Actix/Axum/Rocket, etc.). Hard gates: any CRITICAL or HIGH finding produces REJECTED status, blocking `/dw-code-review`, `/dw-review-implementation`, and `/dw-generate-pr`. No bypass flag. Requires Trivy (install via `install-deps`).
 
+#### `/dw-deps-audit`
+Supply-chain remediation orchestrator for **TypeScript, Python, C#, and Rust** projects. Runs three detection signals — `npm/pnpm/pip-audit/dotnet/cargo audit` for known CVEs, the `outdated` companions for stale versions, and an OSV.dev + GitHub Advisories cross-check (with a hardcoded fallback list of historical malicious-package incidents like `event-stream`, `ua-parser-js`, `node-ipc`) for supply-chain attacks. Classifies findings into COMPROMISED / CRITICAL / HIGH / OUTDATED-MAJOR / OUTDATED-MINOR tiers, maps each affected package to the files that import it and the tests that cover those files, then drafts a per-package update plan with three options (Conservative / Balanced / Bold) and trade-offs. Modes: `--scan-only` (CI), `--plan` (default — no file writes), `--execute` (applies updates with scoped tests, one `/dw-fix-qa` retry, atomic commits, and `/dw-run-qa` as final gate; reverts and marks BLOCKED if recovery fails). Complementary to `/dw-security-check`: that one is the single-shot gate, this one is the planner-and-remediator.
+
 ### Git & PR
 
 #### `/dw-commit`
@@ -91,6 +94,16 @@ Pushes the branch to remote and creates a Pull Request on GitHub with a structur
 #### `/dw-revert-task`
 Safely reverts the commits of a specific task created by `/dw-run-task`, with dependency-aware checks (blocks if subsequent tasks already executed depend on it) and explicit user confirmation. Updates `tasks.md` to re-mark the task as pending.
 
+### Project Bootstrap
+
+#### `/dw-new-project`
+Bootstraps a new project from an empty directory. Runs a wide stack interview (frontend/backend/fullstack, language, framework, db, cache, queue, email, storage, search, auth, observability, reverse proxy, scheduler, CI, linter), then wraps the right official `create-*` tools (`pnpm create next-app`, `pnpm create vite`, `pnpm dlx create-t3-app`, `dotnet new webapi`, `cargo new`, etc.) to scaffold the apps. Composes a `docker-compose.dev.yml` from the bundled `docker-compose-recipes` skill (postgres, redis, mailhog by default for email-in-dev, minio, meilisearch, jaeger, traefik, etc.), seeds `.env.example`, root scripts (`dev:up`/`down`/`logs`/`reset`), `.gitignore`/`.dockerignore`, GitHub Action, README with port table, and a minimal `.dw/rules/index.md`. Hard gate: presents a one-pager + plan and waits for explicit approval before touching disk.
+
+### Containerization
+
+#### `/dw-dockerize`
+Reads an existing project, detects language / framework / package manager / runtime infra deps (postgres, redis, queue, email, storage, search, OTel) by parsing manifests and import statements, then proposes Docker artifacts. Modes: `--dev` (default if no Dockerfile exists) generates `docker-compose.dev.yml` + `Dockerfile.dev` from the bundled `docker-compose-recipes` skill; `--prod` generates a multi-stage `Dockerfile` (Conservative slim / Balanced alpine / Bold distroless — brainstormed with trade-offs) + optional `docker-compose.prod.yml` with non-root user, healthcheck, no secrets baked in; `--both` ships both; `--audit` (default if Docker artifacts already exist) reports findings against `security-review/infrastructure/docker.md` without overwriting. Hard gate: presents the file tree and waits for approval before any write. Sister command to `/dw-new-project` — they share the `docker-compose-recipes` bundled skill.
+
 ### Architectural Decisions
 
 #### `/dw-adr`
@@ -116,6 +129,9 @@ Generates a functional documentation dossier with screen mapping, E2E flows, and
 #### `/dw-help`
 Displays the complete guide of available commands, integration flows, and when to use each one. Can be invoked without arguments for the full guide or with a specific command name for a detailed section.
 
+#### `/dw-find-skills`
+Discovers skills from the open agent skills ecosystem (`npx skills` / [skills.sh](https://skills.sh/)) when no `dw-*` already covers the request. Checks the leaderboard first, then runs `npx skills find <query>` if needed, vets each candidate (install count, source reputation, GitHub stars), and presents 1–3 options with the install commands. Asks whether to install globally (`-g`, lands in `~/.agents/skills/`) or locally (this repo) before running `npx skills add`. Falls back to `/dw-brainstorm` or `/dw-quick` when no skill matches. Ports the `find-skills` Claude superpowers skill into a `dw-*` command so every supported platform gets the same discovery on-ramp.
+
 ## Workflow
 
 ```
@@ -167,7 +183,7 @@ All wrappers point to `.dw/commands/` as the single source of truth.
 ```
 your-project/
 ├── .dw/
-│   ├── commands/          # 27 workflow command files
+│   ├── commands/          # 31 workflow command files
 │   ├── templates/         # Document templates (PRD, TechSpec, etc.)
 │   ├── rules/             # Project-specific rules (run /dw-analyze-project)
 │   ├── references/        # Reference documentation

package/lib/constants.js

@@ -11,11 +11,15 @@ const COMMANDS = {
     { name: 'dw-create-tasks', description: 'Breaks the PRD and techspec into tasks small enough to ship one at a time.' },
     { name: 'dw-create-techspec', description: 'Translates a finished PRD into a techspec the team can actually build from.' },
     { name: 'dw-deep-research', description: 'Researches a topic across sources, tracks citations, and flags claims that don\'t check out.' },
+    { name: 'dw-deps-audit', description: 'Finds outdated and supply-chain-compromised packages, drafts a per-package update plan, and runs scoped QA after each upgrade.' },
+    { name: 'dw-dockerize', description: 'Reads a project, detects the stack and runtime deps, then proposes Dockerfile and docker-compose for dev and prod with explicit trade-offs.' },
+    { name: 'dw-find-skills', description: 'Searches the npx skills ecosystem for a skill matching what you need, vets it, and installs it where you choose.' },
     { name: 'dw-fix-qa', description: 'Fixes bugs found in QA and retests them with screenshot evidence until they stay fixed.' },
     { name: 'dw-functional-doc', description: 'Maps screens and user flows into a functional doc, validated end-to-end with Playwright.' },
     { name: 'dw-generate-pr', description: 'Pushes the branch and opens a PR with a body that explains what changed and how to test it.' },
     { name: 'dw-help', description: 'Lists every command and the flows that connect them. Pass a keyword for a contextual shortcut.' },
     { name: 'dw-intel', description: 'Answers questions about the codebase using its own rules and intel as the source of truth.' },
+    { name: 'dw-new-project', description: 'Interviews you about stack and infra, then scaffolds a working monorepo with docker-compose for dev, .env, scripts, CI, and seeded rules.' },
     { name: 'dw-quick', description: 'Runs a small, well-defined change with workflow guarantees, no PRD needed.' },
     { name: 'dw-redesign-ui', description: 'Audits a frontend page, proposes design directions you choose from, then ships the redesign.' },
     { name: 'dw-refactoring-analysis', description: 'Catalogs code smells in Fowler\'s vocabulary and ranks them by impact, P0 to P3.' },
@@ -40,11 +44,15 @@ const COMMANDS = {
     { name: 'dw-create-tasks', description: 'Quebra PRD e techspec em tasks pequenas o suficiente para entregar uma de cada vez.' },
     { name: 'dw-create-techspec', description: 'Traduz um PRD pronto em um techspec que o time consegue construir de fato.' },
     { name: 'dw-deep-research', description: 'Pesquisa um topico em varias fontes, rastreia citacoes e marca o que nao confere.' },
+    { name: 'dw-deps-audit', description: 'Encontra pacotes desatualizados e comprometidos por supply-chain, monta plano de update por pacote e roda QA do que foi afetado.' },
+    { name: 'dw-dockerize', description: 'Le um projeto, detecta stack e deps de runtime, e propoe Dockerfile e docker-compose para dev e prod com trade-offs explicitos.' },
+    { name: 'dw-find-skills', description: 'Busca no ecossistema npx skills uma skill que resolva o que voce precisa, valida e instala onde voce escolher.' },
     { name: 'dw-fix-qa', description: 'Corrige bugs do QA e retesta com evidencia em screenshot ate ficarem estaveis.' },
     { name: 'dw-functional-doc', description: 'Mapeia telas e fluxos em um dossie funcional, validado E2E com Playwright.' },
     { name: 'dw-generate-pr', description: 'Faz push da branch e abre um PR com corpo explicando o que mudou e como testar.' },
     { name: 'dw-help', description: 'Lista todos os commands e os fluxos que os conectam. Passe uma keyword para atalho contextual.' },
     { name: 'dw-intel', description: 'Responde perguntas sobre o codebase usando suas proprias rules e intel como fonte.' },
+    { name: 'dw-new-project', description: 'Entrevista voce sobre stack e infra, depois faz scaffold de um monorepo com docker-compose para dev, .env, scripts, CI e rules seed.' },
     { name: 'dw-quick', description: 'Roda uma mudanca pequena e bem definida com garantias do workflow, sem precisar de PRD.' },
     { name: 'dw-redesign-ui', description: 'Audita uma pagina frontend, propoe direcoes de design que voce escolhe, e entrega o redesign.' },
     { name: 'dw-refactoring-analysis', description: 'Cataloga code smells no vocabulario de Fowler e ranqueia por impacto, P0 a P3.' },

package/lib/install-deps.js

@@ -39,6 +39,19 @@ function run() {
         'Once installed, /dw-security-check will use it for CVE, secret, and IaC scanning.',
       ],
     },
+    {
+      name: 'Docker + Docker Compose',
+      check: 'docker --version && (docker compose version || docker-compose --version)',
+      install: null,
+      instructions: [
+        'Docker is required by /dw-new-project and /dw-dockerize for dev dependency seeding and image generation.',
+        '  macOS:    https://docs.docker.com/desktop/install/mac-install/',
+        '  Windows:  https://docs.docker.com/desktop/install/windows-install/',
+        '  Linux:    https://docs.docker.com/engine/install/  (then enable the Compose plugin: https://docs.docker.com/compose/install/linux/)',
+        '',
+        'Verify after install:  docker --version && docker compose version',
+      ],
+    },
   ];
 
   let installed = 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@brunosps00/dev-workflow",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "AI-driven development workflow commands for any project. Scaffolds a complete PRD-to-PR pipeline with multi-platform AI assistant support.",
   "bin": {
     "dev-workflow": "./bin/dev-workflow.js"

package/scaffold/en/commands/dw-deps-audit.md

@@ -0,0 +1,326 @@
+<system_instructions>
+You are a dependency-supply-chain remediation lead. Your job is to **find** outdated and supply-chain-compromised packages, **plan** a per-package update strategy with explicit trade-offs, and (when authorized) **execute** updates safely with scoped QA so the upgrade does not regress where the package is actually used.
+
+This command is **distinct** from `/dw-security-check`:
+- `/dw-security-check` is a single-shot SAST + SCA verdict (CRITICAL/HIGH = REJECTED, no remediation).
+- `/dw-deps-audit` is a multi-phase planner-and-remediator: detect → classify → brainstorm update plan → human gate → execute with scoped QA → report.
+
+<critical>This command is rigid about safety: in `--execute` mode, NO file may be modified before the user explicitly approves the plan presented at the end of Phase 3. No bypass flag.</critical>
+<critical>Supported languages: TypeScript/JavaScript, Python, C#, Rust. Abort with a clear message if none is detected in scope.</critical>
+<critical>If the package upgrade fails its scoped tests AND one `dw-fix-qa` cycle does not recover, REVERT the change (lockfile + manifest) and mark the package BLOCKED. Do not leave dirty state.</critical>
+
+## When to Use
+
+- After `/dw-security-check` flags vulnerable dependencies and you need a remediation plan
+- When the team wants to clear up technical debt around outdated packages with a controlled rollout
+- When monitoring catches a public supply-chain incident (e.g., a malicious package published) and you need to confirm exposure + plan removal/pin
+- Before a major release, to reduce the surface of known CVEs in shipped dependencies
+- NOT for runtime DAST or for application code review (use `/dw-run-qa` and `/dw-code-review`)
+- NOT a replacement for `/dw-security-check` — they are complementary; this one focuses on SCA and remediation, not OWASP static review
+
+## Pipeline Position
+
+**Predecessor:** `/dw-security-check` (optional — its findings can prefill this command's inventory) | **Successor:** `/dw-code-review` and `/dw-generate-pr` (the report is evidence the deps surface is clean for the PR)
+
+## Complementary Skills
+
+| Skill | Trigger |
+|-------|---------|
+| `dw-verify` | **ALWAYS** — every phase emits a VERIFICATION REPORT (commands run, exit codes, artifacts) before the next phase starts |
+| `dw-review-rigor` | **ALWAYS** — applies de-duplication (same advisory across N packages = 1 finding with affected list), severity ordering, and signal-over-volume on the OUTDATED-MINOR list |
+| `security-review` (`references/supply-chain.md`) | **ALWAYS** when classifying findings — gives OWASP A06 (Vulnerable & Outdated Components) framing for the brainstorm trade-offs |
+| `dw-council` | Auto opt-in when ≥3 packages land in tier COMPROMISED — multi-advisor stress-test on remediation order and scope |
+| `webapp-testing` | Optional — when the project is frontend and the scoped test phase needs Playwright-aware test selection |
+
+## Input Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `{{SCOPE}}` | PRD path OR source path. Optional — defaults to `.dw/spec/prd-<slug>` inferred from the active `feat/prd-<slug>` git branch | `.dw/spec/prd-checkout-v2` or `.` |
+| `{{MODE}}` | One of `--scan-only`, `--plan` (default), `--execute` | `--execute` |
+
+If `{{SCOPE}}` is not provided and no PRD is active, scope falls back to the repo root (`.`) and the report goes to `.dw/audit/`.
+
+## File Locations
+
+- Report (PRD scope): `{{SCOPE}}/deps-audit.md`
+- Report (no PRD scope): `.dw/audit/deps-audit-<YYYY-MM-DD>.md`
+- Inventory raw artifacts (always): `/tmp/dw-deps-audit-<run-id>/{npm-audit.json, npm-outdated.json, pip-audit.json, ...}`
+- Skill references: `.agents/skills/security-review/references/supply-chain.md`
+
+## Required Behavior — Pipeline
+
+Execute phases in order. Phase 4 only runs when `{{MODE}} == --execute` AND the user approved the plan in Phase 3.5.
+
+---
+
+### Phase 0 — Language Detection
+
+Enumerate files in scope and detect languages:
+
+| Language | Indicators |
+|----------|------------|
+| TypeScript / JavaScript | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `*.ts`, `*.tsx`, `*.js`, `*.jsx`, `*.mjs` |
+| Python | `pyproject.toml`, `requirements*.txt`, `Pipfile`, `poetry.lock`, `setup.py`, `*.py` |
+| C# / .NET | `*.csproj`, `*.sln`, `packages.config`, `*.cs` |
+| Rust | `Cargo.toml`, `Cargo.lock`, `*.rs` |
+
+If none of the four is detected → **abort** with:
+`"dw-deps-audit currently supports TypeScript, Python, C#, and Rust. No files in supported languages were detected in <scope>. Aborting."`
+
+Polyglot repos run every applicable language layer; the report has a section per language.
+
+---
+
+### Phase 1 — Inventory (three signals)
+
+Build the candidate set from three independent signals so nothing slips through.
+
+#### Signal A — Known vulnerabilities (SCA)
+
+| Language | Primary command | Notes |
+|----------|-----------------|-------|
+| TS/JS (npm) | `npm audit --json` | Detect package manager via lockfile |
+| TS/JS (pnpm) | `pnpm audit --json` | |
+| TS/JS (yarn) | `yarn npm audit --recursive --json` | Yarn Berry; for v1 use `yarn audit --json` |
+| Python | `pip-audit --strict --format json` | Skip with note if `pip-audit` not installed |
+| C# / .NET | `dotnet list package --vulnerable --include-transitive` | Output is human-readable; parse table |
+| Rust | `cargo audit --json` | Skip with note if `cargo-audit` not installed; suggest `cargo install cargo-audit` |
+
+#### Signal B — Outdated packages
+
+| Language | Primary command | Notes |
+|----------|-----------------|-------|
+| TS/JS (npm) | `npm outdated --json` | Returns 1 when outdated exist; this is expected |
+| TS/JS (pnpm) | `pnpm outdated --format json` | |
+| TS/JS (yarn) | `yarn outdated --json` | |
+| Python | `pip list --outdated --format json` | |
+| C# / .NET | `dotnet list package --outdated` | |
+| Rust | `cargo outdated --format json` | Skip with note if `cargo-outdated` not installed |
+
+#### Signal C — Supply-chain attacks (the differentiator)
+
+This signal looks for **maliciously published** packages, not just CVE-flagged ones.
+
+1. **OSV.dev cross-check** — for every direct dependency, query the OSV API for `OSV-MAL-*` advisories (malicious-package category):
+
+   ```
+   POST https://api.osv.dev/v1/query
+   Body: {"package": {"name": "<name>", "ecosystem": "<npm|PyPI|NuGet|crates.io>"}}
+   ```
+
+   Fetch via WebFetch. Filter results where `id` starts with `MAL-` or `aliases` includes a `MAL-` advisory.
+2. **GitHub Security Advisories cross-check** — query for advisories in the matching ecosystem that are `severity:critical` or `published_in_last_90_days`. WebFetch from `https://api.github.com/advisories?ecosystem=<eco>&severity=critical&per_page=100` (no auth needed for public advisories).
+3. **Hardcoded fallback list** — a known set of historic malicious-package incidents to catch even when offline. Include at minimum:
+   - `event-stream` (any version after compromise)
+   - `ua-parser-js@0.7.29 || 0.7.30 || 0.7.31 || 1.0.0`
+   - `node-ipc@>=10.1.1`
+   - `coa@2.0.3`
+   - `colors@1.4.1`
+   - `flatmap-stream` (any version)
+   - `ctx@*` (PyPI typosquat incident)
+   - `phpass@*` (PyPI typosquat incident)
+   - `xrpl@4.2.1 || 4.2.2 || 4.2.3 || 4.2.4`
+
+   <critical>The hardcoded list is a SECONDARY signal. It will go stale. The OSV consult is the source of truth — note in the report when OSV was unreachable and the run fell back to the hardcoded list only.</critical>
+
+Write a VERIFICATION REPORT for Phase 1 (commands + exit codes + finding counts) before moving on.
+
+---
+
+### Phase 2 — Classification
+
+Bucket every candidate from Phase 1 into one tier. Apply `dw-review-rigor` rules:
+- De-duplicate: the same advisory affecting N packages is one finding with the affected list.
+- Severity ordering: COMPROMISED → CRITICAL CVE → HIGH CVE → OUTDATED-MAJOR → OUTDATED-MINOR.
+- Signal over volume: in the report, list every COMPROMISED/CRITICAL/HIGH; collapse OUTDATED-MINOR to a count plus the top 5 by usage.
+
+| Tier | Criterion | Default action |
+|------|-----------|----------------|
+| **COMPROMISED** | Match against OSV-MAL-*, GitHub critical advisory, or hardcoded list | Always in plan; cannot be unchecked by the user (warning if attempted) |
+| **CRITICAL CVE** | CVSS ≥ 9.0 OR advisory marked exploited | Always in plan; user can defer with explicit reason captured in report |
+| **HIGH CVE** | CVSS 7.0 – 8.9 | Always in plan; user can defer with explicit reason |
+| **OUTDATED-MAJOR** | Current version is at least one major behind latest stable | Goes through brainstorm; user picks per package |
+| **OUTDATED-MINOR** | Outdated minor/patch with no CVE | Summarized only; not in the per-package plan |
+
+---
+
+### Phase 3 — Impact Mapping + Brainstorm
+
+For every package in tiers **COMPROMISED / CRITICAL CVE / HIGH CVE / OUTDATED-MAJOR**:
+
+#### 3.1 Usage mapping
+
+Find every file that imports the package:
+
+- TS/JS: `from '<pkg>'` / `from "<pkg>/..."` / `require('<pkg>')` / `import('<pkg>')`
+- Python: `import <pkg>` / `from <pkg> import` / `from <pkg>.* import`
+- C#: `using <pkg>;` (root namespace) / `<PackageReference Include="<pkg>" .../>` for transitive verification
+- Rust: `use <pkg>::` / `extern crate <pkg>` / `<pkg>::` qualified paths
+
+Use `Grep` and `Glob`. Capture the file list per package.
+
+#### 3.2 Test mapping
+
+For each file in 3.1, find the tests that exercise it. Heuristics (apply in order):
+
+1. Same-name pair: `src/foo.ts` ↔ `src/foo.test.ts` / `src/foo.spec.ts`.
+2. Sibling test directory: `__tests__/foo.test.ts`, `tests/test_foo.py`, `Foo.Tests/FooTests.cs`, `tests/foo.rs`.
+3. Symbol search: grep tests for the exported symbol used by the application file.
+4. Build a concrete test command per language:
+   - npm: `npm test -- <files>` or the project's documented unit-test script (`test:unit`).
+   - pnpm: `pnpm test -- <files>`. yarn: `yarn test <files>`.
+   - Python: `pytest <files>`.
+   - .NET: `dotnet test --filter "FullyQualifiedName~<Class>"`.
+   - Rust: `cargo test <module>` or `cargo test --package <pkg-using-it>`.
+
+If a file has zero discoverable tests, mark it `UNCOVERED` and surface in the report — the user must accept the risk before the upgrade proceeds in `--execute` mode.
+
+#### 3.3 Brainstorm (3 options per package)
+
+For each package, present three update strategies in `dw-brainstorm` style:
+
+| Option | Definition | Effort | Breaking risk | Security upside |
+|--------|------------|--------|---------------|-----------------|
+| **Conservative** | Pin to the closest fixed version on the current major (or remove the package entirely if COMPROMISED and it has a drop-in alternative) | S | Low | High (closes the advisory) |
+| **Balanced** | Upgrade to the highest minor/patch within the current major | S–M | Low–Medium | High |
+| **Bold** | Upgrade to the latest major | M–L | Medium–High (may need refactor) | Highest (latest patches + new features) |
+
+For each option, list:
+- Target version
+- Breaking-change notes (skim CHANGELOG / GitHub releases if reachable; cite source)
+- Refactor scope estimate (file count from 3.1)
+
+#### 3.4 Recommendation
+
+One line per package: **recommended option** + the next-action command (e.g., `npm install lodash@4.17.21 && npm test`).
+
+#### 3.5 Human approval gate
+
+Present the full plan and ask the user, via `AskUserQuestion` if available, otherwise via a numbered prompt:
+
+1. Which packages to apply
+2. Which option (Conservative / Balanced / Bold) per package
+3. For COMPROMISED packages: confirmation they understand removal cannot be deferred
+
+Without explicit approval, the command terminates here with status **PLANNED** and writes the report.
+
+If `{{MODE}} == --plan` (default), STOP after writing the report. Do not enter Phase 4.
+
+---
+
+### Phase 4 — Guided Execution (`--execute` only)
+
+For each approved package, in the order COMPROMISED → CRITICAL → HIGH → OUTDATED-MAJOR:
+
+1. **Apply the update**:
+   - npm/pnpm/yarn: detect manager from lockfile, then run the matching command:
+     - `npm install <pkg>@<v> --save-exact`
+     - `pnpm add <pkg>@<v>`
+     - `yarn add <pkg>@<v>` (Berry) or `yarn upgrade <pkg>@<v>` (v1)
+   - Python: `pip install -U "<pkg>==<v>"` OR `poetry add <pkg>@<v>` if `poetry.lock` exists OR edit `pyproject.toml` and `pip install -e .`
+   - C#: `dotnet add package <pkg> --version <v>`
+   - Rust: edit `Cargo.toml` and run `cargo update -p <pkg> --precise <v>`
+2. **Run scoped tests** from Phase 3.2 — only the tests that touch this package, not the full suite. Capture stdout, stderr, exit code.
+3. **If tests fail**:
+   - Run one cycle of `dw-fix-qa` automatically (same fix-retest pattern as `/dw-fix-qa`).
+   - If still failing after that one cycle: **revert the update**:
+     - Restore the lockfile + manifest from git (`git checkout -- <lockfile> <manifest>`)
+     - Run the install command again to reconcile installed deps with the restored lockfile
+     - Mark the package **BLOCKED** in the report with the failing test names and stderr excerpt
+     - Move to the next package
+4. **If tests pass**: create an atomic commit per package:
+
+   ```
+   chore(deps): update <pkg> from <old> to <new> [supply-chain] (<tier>)
+
+   - Closes <CVE-ID> | <OSV-ID> | <advisory>
+   - Scoped tests passed: <test-count>
+   - Files importing <pkg>: <count>
+   ```
+
+5. After all approved packages are processed, run `/dw-run-qa` (PRD scope if available, otherwise the e2e suite) as a final gate.
+   - PASS → status **EXECUTED-CLEAN**
+   - FAIL → status **EXECUTED-PARTIAL** (committed packages stay; final QA failure is documented)
+
+---
+
+### Phase 5 — Report
+
+Write the report to:
+- `.dw/spec/prd-<slug>/deps-audit.md` if PRD scope
+- `.dw/audit/deps-audit-<YYYY-MM-DD>.md` otherwise (create the directory if missing)
+
+Frontmatter:
+
+```markdown
+---
+type: deps-audit
+schema_version: "1.0"
+status: <SCANNED | PLANNED | EXECUTED-CLEAN | EXECUTED-PARTIAL | BLOCKED>
+date: YYYY-MM-DD
+languages: [typescript, python, csharp, rust]
+mode: <scan|plan|execute>
+osv_consulted: <true|false>
+github_advisories_consulted: <true|false>
+---
+```
+
+Sections:
+
+1. **VERIFICATION REPORT** (per phase: command, exit code, artifact path)
+2. **Inventory** — per-language tables of Signal A / B / C results
+3. **Classification** — packages grouped by tier
+4. **Impact Mapping** — per package: usage files, test files, UNCOVERED warning if any
+5. **Brainstorm & Recommendations** — 3 options per package + the recommended one
+6. **Human Approvals** — only in `--execute`: which packages were approved with which option, and reasons for any deferral
+7. **Execution Log** — only in `--execute`: per package, install command, test command, result, commit SHA (or BLOCKED reason)
+8. **Final QA** — only in `--execute`: `/dw-run-qa` outcome
+9. **Next Steps** — packages still BLOCKED, packages deferred to a future run, link to `/dw-security-check` for the next gate
+
+---
+
+## Flags
+
+| Flag | Phases | Use |
+|------|--------|-----|
+| (default) `--plan` | 0 → 3 → 5 | Detect, classify, brainstorm, write the plan. No file mutations. Good default. |
+| `--scan-only` | 0 → 2 → 5 | Detect and classify. Skip brainstorm and execution. Designed for CI dashboards. |
+| `--execute` | 0 → 5 | Full pipeline including updates, scoped QA, commits. Requires explicit human approval at Phase 3.5. |
+
+---
+
+## Critical Rules
+
+- <critical>Phase 4 NEVER runs without explicit approval captured in Phase 3.5. If the agent executing this command has no interactive channel and `--execute` is passed, abort with: `"--execute requires interactive approval; rerun with --plan and apply approved changes manually."`</critical>
+- <critical>COMPROMISED packages are ALWAYS in the plan. The user can decline, but the report records the declined COMPROMISED entries with a visible warning section.</critical>
+- <critical>If scoped tests fail and `dw-fix-qa` cannot recover in one cycle, the update is REVERTED. No partial commit.</critical>
+- <critical>OSV consult is the source of truth for COMPROMISED. The hardcoded list is a fallback only; flag in the report when OSV was unreachable.</critical>
+- Do NOT bump packages outside the approved list, even if they appear in `npm outdated`.
+- Do NOT modify lockfiles directly — let the package manager regenerate them.
+- Do NOT run `npm audit fix --force` or any auto-fix flag; it bypasses the brainstorm and the human gate.
+- Do NOT skip the Phase 5 report, even on early abort — write what was collected so the next run has context.
+
+## Error Handling
+
+- Tool missing (`pip-audit`, `cargo-audit`, `cargo-outdated`) → skip that signal with a visible note in the report; do not fail.
+- OSV API unreachable → use the hardcoded list as fallback, mark `osv_consulted: false` in the frontmatter, add a visible warning in the report.
+- GitHub Advisories API rate-limited → fall back to hardcoded list for the rest of the run, mark `github_advisories_consulted: false`.
+- Lockfile missing for a detected language (e.g., `package.json` but no `package-lock.json`) → skip Signal A/B for that language, note it; the user must commit a lockfile first.
+- `--execute` requested but the working tree is dirty → abort with `"Working tree must be clean before --execute (uncommitted changes detected). Commit or stash, then retry."`
+- `dw-fix-qa` not available in the environment → in `--execute`, fall back to a direct revert (no fix attempt) and mark BLOCKED.
+
+## Integration With Other dw-* Commands
+
+- **`/dw-security-check`** — its findings can prefill Phase 1 Signal A. After `EXECUTED-CLEAN` from this command, rerun `/dw-security-check` to confirm the verdict flips.
+- **`/dw-run-qa`** — invoked as the final gate in Phase 4 step 5.
+- **`/dw-fix-qa`** — invoked once per failing package in Phase 4 step 3 (recover or revert).
+- **`/dw-brainstorm`** — Phase 3.3 reuses its three-option (Conservative/Balanced/Bold) discipline, but applies it per package, not per feature.
+- **`/dw-commit`** — not invoked directly; this command writes its own commit messages with the supply-chain trailer.
+- **`/dw-generate-pr`** — the report is evidence of remediation in the PR body.
+
+## Inspired by
+
+`dw-deps-audit` is dev-workflow-native. The detection layer reuses the SCA pipeline already declared in `/dw-security-check` (npm/pnpm/pip-audit/dotnet/cargo). The brainstorm layer borrows the three-option (Conservative/Balanced/Bold) discipline from `/dw-brainstorm`. The fix-retest loop borrows from `/dw-run-qa` and `/dw-fix-qa`. OWASP A06 (Vulnerable & Outdated Components) framing comes from the `security-review` skill (`references/supply-chain.md`). The OSV.dev consult and the malicious-package incident list are first-class signals here — neither `/dw-security-check` nor any of the open-source skills surfaced via `/dw-find-skills` integrate them as a remediation orchestrator.
+
+</system_instructions>