@planu/cli 4.4.2 → 4.4.3

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [4.4.3] - 2026-06-09
+
+### Features
+- feat(SPEC-1081): add skill security scan gate
+- feat(SPEC-1082): add implementation contract readiness
+
+
 ## [4.4.2] - 2026-06-05
 
 ### Bug Fixes

package/dist/engine/implementation-contract/common.d.ts

@@ -0,0 +1,5 @@
+export declare const IMPLEMENTATION_CONTRACT_SECTION = "Implementation Contract";
+export declare const IMPLEMENTATION_CONTRACT_SUBSECTIONS: readonly ["User Outcome", "Behavior Contract", "File-Level Work Plan", "Acceptance-To-Verification Map", "Edge Cases And Failure Modes", "Non-Goals And Forbidden Approaches", "Verification Commands"];
+export declare function hasImplementationContract(specBody: string): boolean;
+export declare function extractTopLevelSection(body: string, sectionName: string): string;
+//# sourceMappingURL=common.d.ts.map

package/dist/engine/implementation-contract/common.js

@@ -0,0 +1,30 @@
+export const IMPLEMENTATION_CONTRACT_SECTION = 'Implementation Contract';
+export const IMPLEMENTATION_CONTRACT_SUBSECTIONS = [
+    'User Outcome',
+    'Behavior Contract',
+    'File-Level Work Plan',
+    'Acceptance-To-Verification Map',
+    'Edge Cases And Failure Modes',
+    'Non-Goals And Forbidden Approaches',
+    'Verification Commands',
+];
+export function hasImplementationContract(specBody) {
+    return extractTopLevelSection(specBody, IMPLEMENTATION_CONTRACT_SECTION).trim().length > 0;
+}
+export function extractTopLevelSection(body, sectionName) {
+    const normalized = body.replace(/\r\n/g, '\n');
+    const headingRe = new RegExp(`^##\\s+${escapeRegex(sectionName)}[ \\t]*$`, 'm');
+    const match = headingRe.exec(normalized);
+    if (!match) {
+        return '';
+    }
+    const start = match.index + match[0].length;
+    const nextRe = /^##\s+\S/gm;
+    nextRe.lastIndex = start;
+    const next = nextRe.exec(normalized);
+    return normalized.slice(start, next ? next.index : normalized.length).trim();
+}
+function escapeRegex(input) {
+    return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=common.js.map

package/dist/engine/implementation-contract/evaluator.d.ts

@@ -0,0 +1,3 @@
+import type { ImplementationContractIssue } from '../../types/index.js';
+export declare function evaluateImplementationContract(specBody: string, acceptanceCriteria: string[]): ImplementationContractIssue[];
+//# sourceMappingURL=evaluator.d.ts.map

package/dist/engine/implementation-contract/evaluator.js

@@ -0,0 +1,105 @@
+import { extractTopLevelSection, IMPLEMENTATION_CONTRACT_SECTION, IMPLEMENTATION_CONTRACT_SUBSECTIONS, } from './common.js';
+const FILLER_PATTERNS = [
+    /\bTBD\b/i,
+    /\bN\/A\b/i,
+    /\bimplement correctly\b/i,
+    /\bhandle errors\b/i,
+    /\bto be determined\b/i,
+];
+export function evaluateImplementationContract(specBody, acceptanceCriteria) {
+    const contract = extractTopLevelSection(specBody, IMPLEMENTATION_CONTRACT_SECTION);
+    if (contract.trim().length === 0) {
+        return [
+            {
+                code: 'contract_missing',
+                message: 'Implementation Contract is missing — add user outcome, behavior, file plan, verification map, edge cases, non-goals, and commands.',
+            },
+        ];
+    }
+    const issues = [];
+    const sections = new Map(IMPLEMENTATION_CONTRACT_SUBSECTIONS.map((section) => [
+        section,
+        extractSubsection(contract, section),
+    ]));
+    for (const [section, content] of sections.entries()) {
+        if (content === null) {
+            issues.push({
+                code: 'contract_subsection_missing',
+                message: `Implementation Contract subsection "${section}" is missing.`,
+            });
+            continue;
+        }
+        const trimmed = content.trim();
+        if (trimmed.length === 0) {
+            issues.push({
+                code: 'contract_subsection_empty',
+                message: `Implementation Contract subsection "${section}" is empty.`,
+            });
+        }
+        for (const pattern of FILLER_PATTERNS) {
+            if (pattern.test(trimmed)) {
+                issues.push({
+                    code: 'contract_filler',
+                    message: `Implementation Contract subsection "${section}" contains filler text.`,
+                });
+                break;
+            }
+        }
+        if (/\bNeeds decision:/i.test(trimmed)) {
+            issues.push({
+                code: 'contract_needs_decision',
+                message: `Implementation Contract subsection "${section}" still has unresolved Needs decision items.`,
+            });
+        }
+    }
+    const map = sections.get('Acceptance-To-Verification Map') ?? '';
+    for (const criterion of acceptanceCriteria) {
+        if (!criterionHasVerification(criterion, map)) {
+            issues.push({
+                code: 'contract_unmapped_criterion',
+                message: `Acceptance criterion is not mapped to verification evidence: ${criterion}`,
+            });
+        }
+    }
+    if (/\bmanual verification\b/i.test(map) &&
+        !/\b(given|when|then|step|observe|click|run)\b/i.test(map)) {
+        issues.push({
+            code: 'contract_manual_verification_vague',
+            message: 'Manual verification in the Implementation Contract must include exact observable steps.',
+        });
+    }
+    return issues;
+}
+function extractSubsection(sectionBody, subsectionName) {
+    const headingRe = new RegExp(`^###\\s+${escapeRegex(subsectionName)}[ \\t]*$`, 'm');
+    const match = headingRe.exec(sectionBody);
+    if (!match) {
+        return null;
+    }
+    const start = match.index + match[0].length;
+    const nextRe = /^###\s+\S/gm;
+    nextRe.lastIndex = start;
+    const next = nextRe.exec(sectionBody);
+    return sectionBody.slice(start, next ? next.index : sectionBody.length);
+}
+function criterionHasVerification(criterion, map) {
+    const normalizedCriterion = normalize(criterion);
+    if (normalizedCriterion.length === 0) {
+        return true;
+    }
+    const short = normalizedCriterion.slice(0, 48);
+    const normalizedMap = normalize(map);
+    return (normalizedMap.includes(short) &&
+        /\b(unit test|integration test|cli\/tool result|typecheck\/lint command|snapshot\/golden fixture|manual verification|pnpm|vitest|test)\b/i.test(map));
+}
+function normalize(value) {
+    return value
+        .replace(/[`*_()[\]:]/g, ' ')
+        .replace(/\s+/g, ' ')
+        .trim()
+        .toLowerCase();
+}
+function escapeRegex(input) {
+    return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=evaluator.js.map

package/dist/engine/implementation-contract/index.d.ts

@@ -0,0 +1,4 @@
+export * from './common.js';
+export * from './renderer.js';
+export * from './evaluator.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/engine/implementation-contract/index.js

@@ -0,0 +1,4 @@
+export * from './common.js';
+export * from './renderer.js';
+export * from './evaluator.js';
+//# sourceMappingURL=index.js.map

package/dist/engine/implementation-contract/renderer.d.ts

@@ -0,0 +1,4 @@
+import type { ImplementationContractInput } from '../../types/index.js';
+export declare function buildImplementationContractSection(input: ImplementationContractInput): string;
+export declare function appendImplementationContractIfMissing(specBody: string, input: ImplementationContractInput): string;
+//# sourceMappingURL=renderer.d.ts.map

package/dist/engine/implementation-contract/renderer.js

@@ -0,0 +1,98 @@
+import { hasImplementationContract, IMPLEMENTATION_CONTRACT_SECTION } from './common.js';
+export function buildImplementationContractSection(input) {
+    const criteria = input.criteria.length > 0 ? input.criteria : fallbackCriteria();
+    const testFiles = input.files.test.map((file) => file.path);
+    const verificationCommands = input.verificationCommands.length > 0
+        ? input.verificationCommands
+        : ['pnpm typecheck', 'pnpm lint', 'pnpm test'];
+    const lines = [
+        `## ${IMPLEMENTATION_CONTRACT_SECTION}`,
+        '### User Outcome',
+        firstConcreteSentence(input.description) ??
+            'Needs decision: define the exact user-visible outcome this spec must deliver.',
+        '',
+        '### Behavior Contract',
+        ...renderBehaviorContract(criteria),
+        '- Inputs: use the user request and existing project conventions as the source of truth.',
+        '- Outputs: update canonical `spec.md` behavior without creating sidecar implementation docs.',
+        '- State changes: persist only the files and metadata required by the spec workflow.',
+        '- Errors: missing implementation detail must surface as `Needs decision:` instead of generic filler.',
+        '',
+        '### File-Level Work Plan',
+        ...renderFilePlan(input.files),
+        '',
+        '### Acceptance-To-Verification Map',
+        ...criteria.map((criterion, index) => renderVerificationRow(criterion.text, index + 1, testFiles, verificationCommands)),
+        '',
+        '### Edge Cases And Failure Modes',
+        '- Generated specs with too little context must use `Needs decision:` placeholders.',
+        '- Existing specs without this section must remain readable and must not be rewritten by readiness checks.',
+        '- A heading with filler text must not count as a usable implementation contract.',
+        '- Manual verification must include exact observable steps when no automated proof is practical.',
+        '',
+        '### Non-Goals And Forbidden Approaches',
+        ...renderNonGoals(input.outOfScope),
+        '',
+        '### Verification Commands',
+        ...verificationCommands.map((command) => `- \`${command}\``),
+        '',
+    ];
+    return lines.join('\n');
+}
+export function appendImplementationContractIfMissing(specBody, input) {
+    if (hasImplementationContract(specBody)) {
+        return specBody.endsWith('\n') ? specBody : `${specBody}\n`;
+    }
+    return `${specBody.trimEnd()}\n\n${buildImplementationContractSection(input)}`;
+}
+function fallbackCriteria() {
+    return [
+        {
+            text: 'Needs decision: define at least one acceptance criterion with executable verification.',
+            done: false,
+        },
+    ];
+}
+function firstConcreteSentence(description) {
+    const body = description
+        .replace(/^---[\s\S]*?---/, '')
+        .replace(/^#{1,6}\s+.+$/gm, '')
+        .split('\n')
+        .map((line) => line.trim())
+        .find((line) => line.length >= 24 && !line.startsWith('-'));
+    if (!body) {
+        return null;
+    }
+    return body.replace(/\s+/g, ' ').slice(0, 240);
+}
+function renderFilePlan(files) {
+    const lines = [];
+    for (const [label, entries] of [
+        ['Create', files.create],
+        ['Modify', files.modify],
+        ['Test', files.test],
+    ]) {
+        for (const entry of entries) {
+            lines.push(`- ${label}: \`${entry.path}\` (${entry.status})`);
+        }
+    }
+    return lines.length > 0 ? lines : ['- Needs decision: identify expected source and test files.'];
+}
+function renderBehaviorContract(criteria) {
+    return criteria.map((criterion, index) => `- Expected behavior AC${String(index + 1)}: ${criterion.text}`);
+}
+function renderVerificationRow(criterion, index, testFiles, commands) {
+    const test = testFiles[0];
+    if (test) {
+        return `- AC${String(index)}: ${criterion} -> unit test \`${test}\` plus \`${commands[0] ?? 'pnpm test'}\`.`;
+    }
+    return `- AC${String(index)}: ${criterion} -> Needs decision: choose unit test, integration test, CLI/tool result, snapshot/golden fixture, or exact manual verification.`;
+}
+function renderNonGoals(outOfScope) {
+    const base = [
+        '- Do not create durable sidecar implementation docs outside canonical `spec.md`.',
+        '- Do not treat headings or filler text as implementation-ready detail.',
+    ];
+    return outOfScope.length > 0 ? [...base, ...outOfScope.map((item) => `- ${item}`)] : base;
+}
+//# sourceMappingURL=renderer.js.map

package/dist/engine/readiness-checker.js

@@ -4,7 +4,8 @@ import { readSpecTechnicalSection } from './spec-format/read-technical-section.j
 import { stripFrontmatter } from './frontmatter-parser.js';
 import { loadReadinessConfig } from './readiness-config-loader.js';
 import { runEarsGate } from './ears-gate.js';
-import { findScenariosWithoutTests } from './validator/spec-compliance-runner.js';
+import { findScenariosWithoutTests, parseFrontmatterScenarios, } from './validator/spec-compliance-runner.js';
+import { evaluateImplementationContract } from './implementation-contract/index.js';
 // ── SPEC-784: Technical section quality constants ─────────────────────────────
 const TECHNICAL_MIN_CHARS = 500;
 // Detects "See technical.md", "See spec.md", or "See `<file>` technical.md" patterns
@@ -110,6 +111,14 @@ export function extractCriteriaLines(huContent) {
     }
     return criteria;
 }
+function frontmatterScenarioCriteria(raw) {
+    return parseFrontmatterScenarios(raw).map((scenario) => {
+        const tests = scenario.tests
+            ?.map((test) => `${test.path}${test.line !== undefined ? ` line ${String(test.line)}` : ''}`)
+            .join(' ') ?? '';
+        return [scenario.title, tests].filter((part) => part.trim().length > 0).join(' ');
+    });
+}
 function scoreCriteria(criteriaLines, vagueWords) {
     const blockers = [];
     const warnings = [];
@@ -397,10 +406,8 @@ export async function checkSpecReadiness(spec, mode, projectHash) {
     // When a spec uses BDD format, acceptance criteria are stored as `scenarios:` in
     // the YAML frontmatter (multi-line YAML that the simple KV parser cannot handle).
     // If no criteria were found in the body, fall back to counting frontmatter scenarios.
-    const scenarioCount = criteriaLines.length === 0 ? countFrontmatterScenarios(huRaw) : 0;
-    const effectiveCriteriaLines = scenarioCount > 0
-        ? Array.from({ length: scenarioCount }).fill('bdd-scenario')
-        : criteriaLines;
+    const scenarioCriteria = criteriaLines.length === 0 ? frontmatterScenarioCriteria(huRaw) : [];
+    const effectiveCriteriaLines = scenarioCriteria.length > 0 ? scenarioCriteria : criteriaLines;
     const hu = scoreHuCompleteness(spec);
     const criteria = scoreCriteria(effectiveCriteriaLines, vagueWords);
     const files = scoreFilesIdentified(spec, fichaContent);
@@ -416,6 +423,11 @@ export async function checkSpecReadiness(spec, mode, projectHash) {
         ...earsBlockers,
     ];
     const allWarnings = [...hu.warnings, ...criteria.warnings, ...files.warnings, ...deps.warnings];
+    if (mode === 'strict' && spec.scope !== 'trivial' && spec.difficulty >= 3) {
+        for (const issue of evaluateImplementationContract(huContent, effectiveCriteriaLines)) {
+            allBlockers.push(`${issue.code}: ${issue.message}`);
+        }
+    }
     // SPEC-732: Executable AC gate — block approved when any scenario lacks a `tests` array.
     // Only enforce when the spec uses frontmatter scenarios (BDD format).
     const bddScenarioCount = countFrontmatterScenarios(huRaw);
@@ -436,7 +448,7 @@ export async function checkSpecReadiness(spec, mode, projectHash) {
     }
     // SPEC-629: Specificity gate caps score at 60 for difficulty >= 3 specs that lack
     // concrete file paths, function names, or anticipated test breaks.
-    const specificityBlockers = checkSpecificityGate(spec, criteriaLines, fichaContent);
+    const specificityBlockers = checkSpecificityGate(spec, effectiveCriteriaLines, fichaContent);
     allBlockers.push(...specificityBlockers);
     const effectiveScore = specificityBlockers.length > 0 && spec.difficulty >= 3 ? Math.min(totalScore, 60) : totalScore;
     const breakdown = {

package/dist/engine/skill-registry/index.d.ts

@@ -1,5 +1,6 @@
 export { searchAllRegistries } from './unified-search.js';
 export { installSkill, isSkillInstalled, readSkillManifest } from './installer.js';
+export { scanSkillSecurity } from './skill-security-scanner.js';
 export { searchAnthropicSkills, fetchAnthropicSkillContent, clearAnthropicCache, } from './anthropic-adapter.js';
 export { searchSkillsSh } from './skillssh-adapter.js';
 export { searchAgentSkills } from './agentskill-adapter.js';

package/dist/engine/skill-registry/index.js

@@ -1,6 +1,7 @@
 // engine/skill-registry/index.ts — Barrel for skill registry engine (SPEC-150)
 export { searchAllRegistries } from './unified-search.js';
 export { installSkill, isSkillInstalled, readSkillManifest } from './installer.js';
+export { scanSkillSecurity } from './skill-security-scanner.js';
 export { searchAnthropicSkills, fetchAnthropicSkillContent, clearAnthropicCache, } from './anthropic-adapter.js';
 export { searchSkillsSh } from './skillssh-adapter.js';
 export { searchAgentSkills } from './agentskill-adapter.js';

package/dist/engine/skill-registry/installer.d.ts

@@ -1,4 +1,4 @@
-import type { SkillInstallResult, SkillManifest } from '../../types/index.js';
+import type { SkillInstallOptions, SkillInstallResult, SkillManifest } from '../../types/index.js';
 /**
  * Read the skill manifest from disk.
  * Returns an empty manifest if the file does not exist or cannot be parsed.
@@ -18,5 +18,5 @@ export declare function isSkillInstalled(projectPath: string, skillName: string)
  *  4. Update the local manifest.
  *  5. Return the install result with security flags.
  */
-export declare function installSkill(skillName: string, source: string, projectPath: string): Promise<SkillInstallResult>;
+export declare function installSkill(skillName: string, source: string, projectPath: string, options?: SkillInstallOptions): Promise<SkillInstallResult>;
 //# sourceMappingURL=installer.d.ts.map

package/dist/engine/skill-registry/installer.js

@@ -3,10 +3,13 @@
 // Manages the local manifest (manifest.json) tracking all installed skills.
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
+import * as os from 'node:os';
 import { fetchAnthropicSkillContent } from './anthropic-adapter.js';
 import { getBuiltInSkillEntry } from './builtin-catalog-adapter.js';
+import { scanSkillSecurity } from './skill-security-scanner.js';
 const SKILLS_DIR = '.claude/skills';
 const MANIFEST_FILE = 'manifest.json';
+const BLOCKING_SEVERITIES = new Set(['HIGH', 'CRITICAL']);
 /** Return the absolute path to the project's skills directory. */
 function skillsRoot(projectPath) {
     return path.join(projectPath, SKILLS_DIR);
@@ -48,18 +51,15 @@ function upsertManifestEntry(manifest, entry) {
         : [...manifest.skills, entry];
     return { ...manifest, skills };
 }
-/** Install a skill from the Anthropic (GitHub) source. */
-async function installFromAnthropic(skillName, installDir) {
+/** Prepare a skill from the Anthropic (GitHub) source. */
+async function prepareFromAnthropic(skillName) {
     const content = await fetchAnthropicSkillContent(skillName);
     if (!content) {
         throw new Error(`Skill "${skillName}" not found in the Anthropic skills repository. ` +
             'Check the skill name and try again.');
     }
-    await fs.mkdir(installDir, { recursive: true });
-    const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, content.skillMd, 'utf-8');
     const hasScripts = content.files.some((f) => f.startsWith('scripts/') || f === 'scripts');
-    return { filesWritten: [skillMdPath], hasScripts };
+    return { content: content.skillMd, hasScripts };
 }
 /** Build a YAML frontmatter block for a skill entry if model/effort are defined. */
 function buildFrontmatter(entry) {
@@ -76,10 +76,9 @@ function buildFrontmatter(entry) {
     lines.push('---', '');
     return lines.join('\n');
 }
-/** Install a built-in skill from the local catalog, generating a SKILL.md. */
-async function installFromBuiltIn(skillName, installDir) {
+/** Prepare a built-in skill from the local catalog, generating a SKILL.md. */
+function prepareFromBuiltIn(skillName) {
     const entry = getBuiltInSkillEntry(skillName);
-    await fs.mkdir(installDir, { recursive: true });
     let content;
     if (entry) {
         const frontmatter = buildFrontmatter(entry);
@@ -109,13 +108,10 @@ async function installFromBuiltIn(skillName, installDir) {
             `Consult the Planu documentation.`,
         ].join('\n');
     }
-    const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, content, 'utf-8');
-    return { filesWritten: [skillMdPath], hasScripts: false };
+    return { content, hasScripts: false };
 }
-/** Install a skill placeholder for skillssh/agentskill sources (no direct file API yet). */
-async function installFromExternal(skillName, source, installDir) {
-    await fs.mkdir(installDir, { recursive: true });
+/** Prepare a skill placeholder for skillssh/agentskill sources (no direct file API yet). */
+function prepareFromExternal(skillName, source) {
     const placeholder = [
         `# ${skillName}`,
         '',
@@ -124,9 +120,55 @@ async function installFromExternal(skillName, source, installDir) {
         '',
         'Run `planu registry install` again to refresh this skill.',
     ].join('\n');
+    return { content: placeholder, hasScripts: false };
+}
+function shouldScanSource(source) {
+    return source !== 'builtin';
+}
+async function writePreparedSkill(prepared, installDir) {
+    await fs.mkdir(installDir, { recursive: true });
     const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, placeholder, 'utf-8');
-    return { filesWritten: [skillMdPath], hasScripts: false };
+    await fs.writeFile(skillMdPath, prepared.content, 'utf-8');
+    return {
+        filesWritten: [skillMdPath],
+        hasScripts: prepared.hasScripts,
+        version: prepared.version,
+    };
+}
+async function scanPreparedSkill(prepared, skillName, source, options) {
+    if (!shouldScanSource(source)) {
+        return undefined;
+    }
+    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'planu-skill-scan-'));
+    try {
+        await fs.writeFile(path.join(tempDir, 'SKILL.md'), prepared.content, 'utf-8');
+        const scan = await scanSkillSecurity(tempDir, skillName);
+        if (BLOCKING_SEVERITIES.has(scan.severity) || scan.recommendation === 'DO_NOT_INSTALL') {
+            throw new Error(`Skill "${skillName}" blocked by security scan: ${scan.severity} risk, recommendation ${scan.recommendation}.`);
+        }
+        return scan;
+    }
+    catch (err) {
+        if (options.scannerUnavailablePolicy === 'allow' &&
+            err instanceof Error &&
+            err.name === 'SkillSecurityScannerUnavailableError') {
+            return {
+                scanner: 'skillspector',
+                scannedAt: new Date().toISOString(),
+                score: 100,
+                severity: 'UNKNOWN',
+                recommendation: 'UNKNOWN',
+                issuesCount: 0,
+                command: 'skillspector scan <skillDir> --no-llm --format json',
+                available: false,
+                error: err.message,
+            };
+        }
+        throw err;
+    }
+    finally {
+        await fs.rm(tempDir, { recursive: true, force: true });
+    }
 }
 /**
  * Install a skill from the specified source into the project's .claude/skills/ directory.
@@ -138,27 +180,15 @@ async function installFromExternal(skillName, source, installDir) {
  *  4. Update the local manifest.
  *  5. Return the install result with security flags.
  */
-export async function installSkill(skillName, source, projectPath) {
+export async function installSkill(skillName, source, projectPath, options = {}) {
     const installDir = path.join(skillsRoot(projectPath), skillName);
-    let filesWritten;
-    let hasScripts;
-    let version;
-    if (source === 'anthropic') {
-        const result = await installFromAnthropic(skillName, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-        version = result.version;
-    }
-    else if (source === 'builtin') {
-        const result = await installFromBuiltIn(skillName, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-    }
-    else {
-        const result = await installFromExternal(skillName, source, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-    }
+    const prepared = source === 'anthropic'
+        ? await prepareFromAnthropic(skillName)
+        : source === 'builtin'
+            ? prepareFromBuiltIn(skillName)
+            : prepareFromExternal(skillName, source);
+    const securityScan = await scanPreparedSkill(prepared, skillName, source, options);
+    const { filesWritten, hasScripts, version } = await writePreparedSkill(prepared, installDir);
     const manifest = await readSkillManifest(projectPath);
     const entry = {
         name: skillName,
@@ -166,6 +196,7 @@ export async function installSkill(skillName, source, projectPath) {
         version,
         installedAt: new Date().toISOString(),
         path: installDir,
+        securityScan,
     };
     await writeSkillManifest(projectPath, upsertManifestEntry(manifest, entry));
     return {
@@ -175,6 +206,7 @@ export async function installSkill(skillName, source, projectPath) {
         filesWritten,
         hasScripts,
         version,
+        securityScan,
     };
 }
 //# sourceMappingURL=installer.js.map

package/dist/engine/skill-registry/skill-security-scanner.d.ts

@@ -0,0 +1,12 @@
+import type { SkillSecurityScanResult } from '../../types/index.js';
+export declare class SkillSecurityScannerUnavailableError extends Error {
+    constructor(skillName: string, cause: unknown);
+}
+/**
+ * Scan a prepared skill directory using SkillSpector static analysis only.
+ *
+ * SkillSpector returns exit code 1 for high-risk reports. Planu still parses stdout
+ * in that case because the report is valid and should drive the gate decision.
+ */
+export declare function scanSkillSecurity(skillDir: string, skillName: string): Promise<SkillSecurityScanResult>;
+//# sourceMappingURL=skill-security-scanner.d.ts.map

package/dist/engine/skill-registry/skill-security-scanner.js

@@ -0,0 +1,87 @@
+// engine/skill-registry/skill-security-scanner.ts — SPEC-1081
+// Optional SkillSpector adapter for scanning external AI agent skills.
+import { execFile } from 'node:child_process';
+const SCANNER = 'skillspector';
+const COMMAND = 'skillspector scan <skillDir> --no-llm --format json';
+export class SkillSecurityScannerUnavailableError extends Error {
+    constructor(skillName, cause) {
+        const detail = cause instanceof Error ? cause.message : String(cause);
+        super(`Skill security scanner unavailable for "${skillName}". Command: ${COMMAND}. ${detail}`);
+        this.name = 'SkillSecurityScannerUnavailableError';
+    }
+}
+function normalizeSeverity(value) {
+    if (value === 'LOW' || value === 'MEDIUM' || value === 'HIGH' || value === 'CRITICAL') {
+        return value;
+    }
+    return 'UNKNOWN';
+}
+function normalizeRecommendation(value) {
+    if (value === 'SAFE' || value === 'CAUTION' || value === 'DO_NOT_INSTALL') {
+        return value;
+    }
+    return 'UNKNOWN';
+}
+function normalizeScore(value) {
+    if (typeof value !== 'number' || !Number.isFinite(value)) {
+        return 100;
+    }
+    return Math.max(0, Math.min(100, value));
+}
+function parseReport(stdout, skillName) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        throw new SkillSecurityScannerUnavailableError(skillName, err);
+    }
+    const risk = parsed.risk_assessment ?? {};
+    const version = parsed.metadata?.skillspector_version;
+    return {
+        scanner: SCANNER,
+        scannerVersion: typeof version === 'string' ? version : undefined,
+        scannedAt: new Date().toISOString(),
+        score: normalizeScore(risk.score),
+        severity: normalizeSeverity(risk.severity),
+        recommendation: normalizeRecommendation(risk.recommendation),
+        issuesCount: Array.isArray(parsed.issues) ? parsed.issues.length : 0,
+        command: COMMAND,
+        available: true,
+    };
+}
+function runSkillSpector(skillDir) {
+    return new Promise((resolve, reject) => {
+        execFile(SCANNER, ['scan', skillDir, '--no-llm', '--format', 'json'], (err, stdout) => {
+            if (err) {
+                const error = err instanceof Error ? err : new Error('Unknown execFile error');
+                reject(Object.assign(error, { stdout }));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/**
+ * Scan a prepared skill directory using SkillSpector static analysis only.
+ *
+ * SkillSpector returns exit code 1 for high-risk reports. Planu still parses stdout
+ * in that case because the report is valid and should drive the gate decision.
+ */
+export async function scanSkillSecurity(skillDir, skillName) {
+    try {
+        const stdout = await runSkillSpector(skillDir);
+        return parseReport(stdout, skillName);
+    }
+    catch (err) {
+        if (typeof err === 'object' &&
+            err !== null &&
+            'stdout' in err &&
+            typeof err.stdout === 'string' &&
+            err.stdout.trim().length > 0) {
+            return parseReport(err.stdout, skillName);
+        }
+        throw new SkillSecurityScannerUnavailableError(skillName, err);
+    }
+}
+//# sourceMappingURL=skill-security-scanner.js.map

package/dist/engine/spec-format/bdd-parser.js

@@ -83,6 +83,15 @@ export function renderBddScenariosYaml(scenarios) {
     for (const scenario of scenarios) {
         lines.push(`  - title: "${escapeYaml(scenario.title)}"`);
         lines.push(`    done: ${String(scenario.done)}`);
+        if (scenario.tests && scenario.tests.length > 0) {
+            lines.push(`    tests:`);
+            for (const test of scenario.tests) {
+                lines.push(`      - path: ${test.path}`);
+                if (test.line !== undefined) {
+                    lines.push(`        line: ${String(test.line)}`);
+                }
+            }
+        }
         lines.push(`    steps:`);
         for (const step of scenario.steps) {
             lines.push(`      - keyword: ${step.keyword}`);

package/dist/engine/spec-format/lean-spec-generator.js

@@ -55,7 +55,7 @@ export function generateLeanSpecContent(input) {
     ];
     let acLines;
     if (acFormat === 'bdd') {
-        acLines = buildBddLines(description, extraCriteria, input.criteriaOverride);
+        acLines = buildBddLines(description, extraCriteria, input.criteriaOverride, input.scenarioTestPaths ?? []);
     }
     else {
         acLines = buildCheckboxLines(description, extraCriteria, input.criteriaOverride);
@@ -88,7 +88,7 @@ function buildCheckboxLines(description, extraCriteria, criteriaOverride) {
     ];
 }
 /** Build BDD scenario lines. */
-function buildBddLines(description, extraCriteria, criteriaOverride) {
+function buildBddLines(description, extraCriteria, criteriaOverride, scenarioTestPaths) {
     let scenarios = parseBddScenarios(description);
     // Fallback: convert checkbox criteria to BDD scenarios
     if (scenarios.length === 0) {
@@ -108,6 +108,14 @@ function buildBddLines(description, extraCriteria, criteriaOverride) {
             });
         }
     }
+    if (scenarioTestPaths.length > 0) {
+        scenarios = scenarios.map((scenario) => ({
+            ...scenario,
+            tests: scenario.tests && scenario.tests.length > 0
+                ? scenario.tests
+                : scenarioTestPaths.map((path) => ({ path })),
+        }));
+    }
     return renderBddScenariosYaml(scenarios);
 }
 /** Extract acceptance criteria from description. Looks for checkbox patterns or generates a default.

package/dist/tools/challenge-spec/implementation-contract-challenge-scenarios.d.ts

@@ -0,0 +1,3 @@
+import type { FailureScenario, Spec } from '../../types/index.js';
+export declare function generateImplementationContractChallengeScenarios(spec: Spec, specContent: string): FailureScenario[];
+//# sourceMappingURL=implementation-contract-challenge-scenarios.d.ts.map

package/dist/tools/challenge-spec/implementation-contract-challenge-scenarios.js

@@ -0,0 +1,51 @@
+import { evaluateImplementationContract } from '../../engine/implementation-contract/index.js';
+import { parseFrontmatterScenarios } from '../../engine/validator/spec-compliance-runner.js';
+export function generateImplementationContractChallengeScenarios(spec, specContent) {
+    const criteria = parseFrontmatterScenarios(specContent).map((scenario) => scenario.title);
+    const issues = evaluateImplementationContract(stripFrontmatter(specContent), criteria);
+    if (issues.length === 0) {
+        return [];
+    }
+    const missingEdges = !/\b(edge cases?|failure modes?)\b/i.test(specContent);
+    const missingBoundaries = !/\b(no-touch|forbidden|non-goals?|out of scope)\b/i.test(specContent);
+    const scenarios = [];
+    scenarios.push({
+        scenario: `[${spec.id}] Implementation Contract Gap: spec leaves the implementer to infer required behavior, file scope, verification, or missing decisions.`,
+        probability: 'high',
+        impact: 'high',
+        currentHandling: issues
+            .map((issue) => issue.message)
+            .slice(0, 3)
+            .join('; '),
+        requiredHandling: 'Add or repair ## Implementation Contract before coding: user outcome, behavior contract, file-level work plan, acceptance-to-verification map, edge cases, non-goals, and verification commands.',
+        dataConsistency: 'Do not start implementation until the spec states what persistent files or state may change.',
+        userExperience: 'The planner should ask for concrete missing decisions instead of sending an ambiguous spec to the implementer.',
+    });
+    if (missingEdges) {
+        scenarios.push({
+            scenario: `[${spec.id}] Missing Edge Cases: implementation may pass happy-path criteria while failing required failure modes.`,
+            probability: 'medium',
+            impact: 'high',
+            currentHandling: 'Edge cases and failure modes are not explicit in the spec.',
+            requiredHandling: 'Add concrete edge cases and failure modes to ## Implementation Contract before approval.',
+            dataConsistency: 'State-changing behavior must define rollback or no-write behavior for failures.',
+            userExperience: 'Users should not discover undefined behavior during implementation review.',
+        });
+    }
+    if (missingBoundaries) {
+        scenarios.push({
+            scenario: `[${spec.id}] Missing No-Touch Boundaries: implementer may refactor unrelated code or satisfy the wording with an architecture-violating shortcut.`,
+            probability: 'medium',
+            impact: 'high',
+            currentHandling: 'No non-goals, forbidden approaches, or no-touch areas are explicit.',
+            requiredHandling: 'Add non-goals, forbidden approaches, and no-touch areas to the implementation contract.',
+            dataConsistency: 'Unrelated persistent formats and stores must not change without explicit scope.',
+            userExperience: 'The implementer receives bounded work instead of open-ended refactoring permission.',
+        });
+    }
+    return scenarios;
+}
+function stripFrontmatter(raw) {
+    return raw.replace(/^---\n[\s\S]*?\n---\n?/, '');
+}
+//# sourceMappingURL=implementation-contract-challenge-scenarios.js.map

package/dist/tools/challenge-spec.js

@@ -14,6 +14,7 @@ import { prioritizeScenarios, buildPrioritizedSummary } from '../engine/challeng
 import { checkContradictions as checkScopeContradictions } from '../engine/scope-boundaries/index.js';
 import { buildChallengeSpecSummary } from '../engine/human-summary.js';
 import { generateAgentChallengeScenarios, isAgentSpec, } from './challenge-spec/agent-challenge-scenarios.js';
+import { generateImplementationContractChallengeScenarios } from './challenge-spec/implementation-contract-challenge-scenarios.js';
 import { getPlatformChallenges } from './challenge-spec/platform-challenge-scenarios.js';
 import { generateSecurityChallengeScenarios } from './challenge-spec/security-challenge-scenarios.js';
 import { generatePrivacyChallengeScenarios } from './challenge-spec/privacy-challenge-scenarios.js';
@@ -150,6 +151,9 @@ export async function handleChallengeSpec(args, server) {
     if (isAgentSpec(spec, specContent)) {
         failureScenarios.push(...generateAgentChallengeScenarios(spec, specContent, knowledge));
     }
+    if (focusAreas.includes('failures')) {
+        failureScenarios.push(...generateImplementationContractChallengeScenarios(spec, specContent));
+    }
     // 5h. SPEC-015a: Smart contract, bot, and IoT challenges
     failureScenarios.push(...getPlatformChallenges(spec, specContent, knowledge));
     // 5i. SPEC-029: Security authorization and STRIDE challenges

package/dist/tools/create-spec.js

@@ -20,6 +20,7 @@ import { extractCriteria, generateLeanSpecContent, } from '../engine/spec-format
 import { generateLeanTechnicalContent, } from '../engine/spec-format/lean-technical-generator.js';
 import { extractFilesFromSpecBody } from '../engine/spec-format/technical-md-populator.js';
 import { buildUnifiedSpecContent } from '../engine/spec-format/unified-spec-builder.js';
+import { appendImplementationContractIfMissing } from '../engine/implementation-contract/index.js';
 import { validateEnglishOnlySpecText } from '../engine/spec-language/english-only.js';
 import { ApiKeyResolver, FallbackGenerator, OpusGenerator, } from '../engine/spec-generator/index.js';
 import { analyzeProjectForSpec, getEmptyAutopilotResult, } from './create-spec/autopilot-analyzer.js';
@@ -666,6 +667,8 @@ export async function handleCreateSpec(inputParams, server) {
                     userInput: description,
                     autopilot,
                 }));
+                const outOfScopeResolved = resolveOutOfScope(description, params.outOfScope);
+                const scenarioTestPaths = groundedTechnical.files.test.map((file) => file.path);
                 const leanSpec = generateLeanSpecContent({
                     spec,
                     description: generatedSpec.specBody,
@@ -677,6 +680,7 @@ export async function handleCreateSpec(inputParams, server) {
                     groundingCriteria,
                     groundingTechnicalReferences: groundedTechnical.records,
                     acFormat: params.acFormat,
+                    scenarioTestPaths,
                 });
                 const leanTechnical = generateLeanTechnicalContent({
                     specId: spec.id,
@@ -687,7 +691,21 @@ export async function handleCreateSpec(inputParams, server) {
                 // SPEC-709: write unified spec.md from origin — no separate technical.md.
                 // The legacy two-file output is preserved by appending the technical body
                 // as a `## Technical` section inside spec.md.
-                const unifiedSpec = buildUnifiedSpecContent(leanSpec, leanTechnical);
+                const unifiedWithoutContract = buildUnifiedSpecContent(leanSpec, leanTechnical);
+                const unifiedSpec = appendImplementationContractIfMissing(unifiedWithoutContract, {
+                    description: generatedSpec.specBody,
+                    criteria: contractCriteria.map((record) => ({ text: record.text, done: false })),
+                    files: groundedTechnical.files,
+                    outOfScope: outOfScopeResolved.items,
+                    verificationCommands: [
+                        ...(scenarioTestPaths.length > 0
+                            ? [`pnpm vitest run ${scenarioTestPaths.join(' ')}`]
+                            : []),
+                        'pnpm typecheck',
+                        'pnpm lint',
+                        'pnpm test',
+                    ],
+                });
                 const genericOutputGate = checkGenericSpecOutput(unifiedSpec);
                 if (!genericOutputGate.passed) {
                     return {
@@ -725,7 +743,6 @@ export async function handleCreateSpec(inputParams, server) {
                     throw writeErr;
                 }
                 // SPEC-612: Auto-suggest outOfScope when user did not provide any
-                const outOfScopeResolved = resolveOutOfScope(description, params.outOfScope);
                 if (outOfScopeResolved.items.length > 0) {
                     spec.outOfScope = outOfScopeResolved.items;
                 }

package/dist/tools/skill-registry/install.js

@@ -36,6 +36,15 @@ export async function handleSkillInstall(params) {
         if (result.version) {
             lines.push(`Version: ${result.version}`);
         }
+        if (result.securityScan) {
+            lines.push('');
+            if (result.securityScan.available) {
+                lines.push(`Security scan: ${result.securityScan.severity} (${result.securityScan.recommendation}) — score ${String(result.securityScan.score)}/100`);
+            }
+            else {
+                lines.push(`Security scan: unavailable (${result.securityScan.recommendation})`);
+            }
+        }
         if (splitInfo.splitApplied) {
             lines.push('');
             lines.push(`Note: Skill was split into ${String(splitInfo.referenceFiles.length + 1)} files for context efficiency (progressive disclosure).`);

package/dist/types/skill-registry.d.ts

@@ -69,6 +69,63 @@ export interface SkillInstallResult {
     hasScripts: boolean;
     /** Installed version, if available. */
     version?: string;
+    /** Security scan summary for this install, when the skill source was scanned. */
+    securityScan?: SkillSecurityScanResult;
+}
+/** Severity labels returned by the skill security scanner. */
+export type SkillSecuritySeverity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL' | 'UNKNOWN';
+/** Recommendation labels returned by the skill security scanner. */
+export type SkillSecurityRecommendation = 'SAFE' | 'CAUTION' | 'DO_NOT_INSTALL' | 'UNKNOWN';
+/** Policy to use when the external skill security scanner cannot run. */
+export type SkillSecurityScannerUnavailablePolicy = 'fail-closed' | 'allow';
+/** Options controlling skill security scanning during installation. */
+export interface SkillInstallOptions {
+    /** Policy for scanner execution failures. Defaults to fail-closed for external skills. */
+    scannerUnavailablePolicy?: SkillSecurityScannerUnavailablePolicy;
+}
+/** In-memory skill content prepared before writing to host skill directories. */
+export interface PreparedSkillInstallContent {
+    /** SKILL.md content to write or scan. */
+    content: string;
+    /** Whether the source skill advertises executable script files. */
+    hasScripts: boolean;
+    /** Installed version, if available. */
+    version?: string;
+}
+/** Normalized security scan summary persisted by Planu. */
+export interface SkillSecurityScanResult {
+    /** Scanner name. */
+    scanner: 'skillspector';
+    /** Scanner version, if reported by the scanner. */
+    scannerVersion?: string;
+    /** ISO 8601 timestamp when Planu ran or recorded the scan. */
+    scannedAt: string;
+    /** Numeric risk score, 0-100. */
+    score: number;
+    /** Risk severity label. */
+    severity: SkillSecuritySeverity;
+    /** Scanner recommendation. */
+    recommendation: SkillSecurityRecommendation;
+    /** Number of findings/issues reported by the scanner. */
+    issuesCount: number;
+    /** Exact scanner command shape used, without secrets or environment values. */
+    command: string;
+    /** Whether the scanner completed successfully. */
+    available: boolean;
+    /** Optional failure reason when available=false. */
+    error?: string;
+}
+/** Minimal JSON shape emitted by SkillSpector in --format json mode. */
+export interface SkillSpectorJsonReport {
+    risk_assessment?: {
+        score?: unknown;
+        severity?: unknown;
+        recommendation?: unknown;
+    };
+    issues?: unknown[];
+    metadata?: {
+        skillspector_version?: unknown;
+    };
 }
 /** Manifest tracking all skills installed in a project. */
 export interface SkillManifest {
@@ -95,6 +152,8 @@ export interface InstalledSkillEntry {
     sourceStatus?: 'active' | 'source-unavailable';
     /** Absolute path to the installed skill directory. */
     path: string;
+    /** Security scan summary captured during installation, when available. */
+    securityScan?: SkillSecurityScanResult;
 }
 /** SPEC-668: Result of a skills TTL refresh operation. */
 export interface SkillTTLRefreshResult {

package/dist/types/spec-format.d.ts

@@ -22,6 +22,10 @@ export interface BddScenario {
     title: string;
     steps: BddStep[];
     done: boolean;
+    tests?: {
+        path: string;
+        line?: number;
+    }[];
 }
 /** Input for lean spec generation. */
 export interface LeanSpecInput {
@@ -38,6 +42,8 @@ export interface LeanSpecInput {
     groundingTechnicalReferences?: TechnicalReferenceGroundingRecord[];
     /** SPEC-481: Acceptance criteria format. Defaults to 'checkbox'. */
     acFormat?: 'checkbox' | 'bdd';
+    /** SPEC-1082: Test links to attach to generated BDD scenarios when available. */
+    scenarioTestPaths?: string[];
 }
 /** A file entry in the unified spec.md Technical section. */
 export interface LeanFileEntry {
@@ -121,4 +127,19 @@ export interface LeanTechnicalInput {
     filesToModify?: LeanFileEntry[];
     filesToTest?: LeanFileEntry[];
 }
+export interface ImplementationContractInput {
+    description: string;
+    criteria: LeanCriterion[];
+    files: {
+        create: LeanFileEntry[];
+        modify: LeanFileEntry[];
+        test: LeanFileEntry[];
+    };
+    outOfScope: string[];
+    verificationCommands: string[];
+}
+export interface ImplementationContractIssue {
+    code: 'contract_missing' | 'contract_subsection_missing' | 'contract_subsection_empty' | 'contract_filler' | 'contract_needs_decision' | 'contract_unmapped_criterion' | 'contract_manual_verification_vague';
+    message: string;
+}
 //# sourceMappingURL=spec-format.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@planu/cli",
-  "version": "4.4.2",
+  "version": "4.4.3",
   "description": "Planu — MCP Server for Spec Driven Development with native Rust acceleration for hot paths. Cross-platform (Linux/macOS/Windows, x64/arm64, glibc/musl).",
   "type": "module",
   "main": "dist/index.js",
@@ -34,14 +34,14 @@
     "packageName": "@planu/core"
   },
   "optionalDependencies": {
-    "@planu/core-darwin-arm64": "4.4.2",
-    "@planu/core-darwin-x64": "4.4.2",
-    "@planu/core-linux-arm64-gnu": "4.4.2",
-    "@planu/core-linux-arm64-musl": "4.4.2",
-    "@planu/core-linux-x64-gnu": "4.4.2",
-    "@planu/core-linux-x64-musl": "4.4.2",
-    "@planu/core-win32-arm64-msvc": "4.4.2",
-    "@planu/core-win32-x64-msvc": "4.4.2"
+    "@planu/core-darwin-arm64": "4.4.3",
+    "@planu/core-darwin-x64": "4.4.3",
+    "@planu/core-linux-arm64-gnu": "4.4.3",
+    "@planu/core-linux-arm64-musl": "4.4.3",
+    "@planu/core-linux-x64-gnu": "4.4.3",
+    "@planu/core-linux-x64-musl": "4.4.3",
+    "@planu/core-win32-arm64-msvc": "4.4.3",
+    "@planu/core-win32-x64-msvc": "4.4.3"
   },
   "engines": {
     "node": ">=24.0.0"
@@ -129,7 +129,7 @@
   ],
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
-    "@anthropic-ai/sdk": "^0.100.1",
+    "@anthropic-ai/sdk": "^0.104.1",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "glob": "^13.0.6",
     "yaml": "^2.9.0",
@@ -181,8 +181,8 @@
     "@semantic-release/release-notes-generator": "^14.1.1",
     "@stryker-mutator/core": "^9.6.1",
     "@stryker-mutator/vitest-runner": "^9.6.1",
-    "@supabase/supabase-js": "^2.107.0",
-    "@types/node": "^25.9.1",
+    "@supabase/supabase-js": "^2.108.1",
+    "@types/node": "^25.9.2",
     "@vitejs/plugin-vue": "^6.0.7",
     "@vitest/coverage-v8": "^4.1.8",
     "@vue/test-utils": "^2.4.11",
@@ -190,19 +190,19 @@
     "eslint-config-prettier": "^10.1.8",
     "eslint-import-resolver-typescript": "^4.4.5",
     "eslint-plugin-import": "^2.32.0",
-    "happy-dom": "^20.10.1",
+    "happy-dom": "^20.10.2",
     "husky": "^9.1.7",
     "javascript-obfuscator": "^5.4.3",
-    "knip": "^6.15.0",
+    "knip": "^6.16.1",
     "lint-staged": "^17.0.7",
     "madge": "^8.0.0",
-    "prettier": "^3.8.3",
+    "prettier": "^3.8.4",
     "secretlint": "^13.0.2",
     "semantic-release": "^25.0.3",
     "tsc-alias": "^1.8.17",
     "type-coverage": "^2.29.7",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.60.1",
+    "typescript-eslint": "^8.61.0",
     "vite": "^8.0.16",
     "vitest": "^4.1.8",
     "vue": "^3.5.35"

package/planu-native.json

@@ -1,7 +1,7 @@
 {
   "name": "dev.planu.native",
   "displayName": "Planu Native Lightweight Surface",
-  "version": "4.4.2",
+  "version": "4.4.3",
   "packageName": "@planu/cli",
   "modes": {
     "lightweight": {

package/planu-plugin.json

@@ -2,7 +2,7 @@
   "name": "dev.planu.cli",
   "displayName": "Planu — Spec Driven Development",
   "description": "Manage software specs, estimations, and autonomous SDD workflows. Language-agnostic MCP server for Claude Code.",
-  "version": "4.4.2",
+  "version": "4.4.3",
   "icon": "assets/plugin/icon.svg",
   "command": ["npx", "@planu/cli@latest"],
   "packageName": "@planu/cli",