@planu/cli 4.4.2 → 4.5.0

package/dist/engine/skill-registry/index.js

@@ -1,6 +1,7 @@
 // engine/skill-registry/index.ts — Barrel for skill registry engine (SPEC-150)
 export { searchAllRegistries } from './unified-search.js';
 export { installSkill, isSkillInstalled, readSkillManifest } from './installer.js';
+export { scanSkillSecurity } from './skill-security-scanner.js';
 export { searchAnthropicSkills, fetchAnthropicSkillContent, clearAnthropicCache, } from './anthropic-adapter.js';
 export { searchSkillsSh } from './skillssh-adapter.js';
 export { searchAgentSkills } from './agentskill-adapter.js';

package/dist/engine/skill-registry/installer.d.ts

@@ -1,4 +1,4 @@
-import type { SkillInstallResult, SkillManifest } from '../../types/index.js';
+import type { SkillInstallOptions, SkillInstallResult, SkillManifest } from '../../types/index.js';
 /**
  * Read the skill manifest from disk.
  * Returns an empty manifest if the file does not exist or cannot be parsed.
@@ -18,5 +18,5 @@ export declare function isSkillInstalled(projectPath: string, skillName: string)
  *  4. Update the local manifest.
  *  5. Return the install result with security flags.
  */
-export declare function installSkill(skillName: string, source: string, projectPath: string): Promise<SkillInstallResult>;
+export declare function installSkill(skillName: string, source: string, projectPath: string, options?: SkillInstallOptions): Promise<SkillInstallResult>;
 //# sourceMappingURL=installer.d.ts.map

package/dist/engine/skill-registry/installer.js

@@ -3,10 +3,13 @@
 // Manages the local manifest (manifest.json) tracking all installed skills.
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
+import * as os from 'node:os';
 import { fetchAnthropicSkillContent } from './anthropic-adapter.js';
 import { getBuiltInSkillEntry } from './builtin-catalog-adapter.js';
+import { scanSkillSecurity } from './skill-security-scanner.js';
 const SKILLS_DIR = '.claude/skills';
 const MANIFEST_FILE = 'manifest.json';
+const BLOCKING_SEVERITIES = new Set(['HIGH', 'CRITICAL']);
 /** Return the absolute path to the project's skills directory. */
 function skillsRoot(projectPath) {
     return path.join(projectPath, SKILLS_DIR);
@@ -48,18 +51,15 @@ function upsertManifestEntry(manifest, entry) {
         : [...manifest.skills, entry];
     return { ...manifest, skills };
 }
-/** Install a skill from the Anthropic (GitHub) source. */
-async function installFromAnthropic(skillName, installDir) {
+/** Prepare a skill from the Anthropic (GitHub) source. */
+async function prepareFromAnthropic(skillName) {
     const content = await fetchAnthropicSkillContent(skillName);
     if (!content) {
         throw new Error(`Skill "${skillName}" not found in the Anthropic skills repository. ` +
             'Check the skill name and try again.');
     }
-    await fs.mkdir(installDir, { recursive: true });
-    const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, content.skillMd, 'utf-8');
     const hasScripts = content.files.some((f) => f.startsWith('scripts/') || f === 'scripts');
-    return { filesWritten: [skillMdPath], hasScripts };
+    return { content: content.skillMd, hasScripts };
 }
 /** Build a YAML frontmatter block for a skill entry if model/effort are defined. */
 function buildFrontmatter(entry) {
@@ -76,10 +76,9 @@ function buildFrontmatter(entry) {
     lines.push('---', '');
     return lines.join('\n');
 }
-/** Install a built-in skill from the local catalog, generating a SKILL.md. */
-async function installFromBuiltIn(skillName, installDir) {
+/** Prepare a built-in skill from the local catalog, generating a SKILL.md. */
+function prepareFromBuiltIn(skillName) {
     const entry = getBuiltInSkillEntry(skillName);
-    await fs.mkdir(installDir, { recursive: true });
     let content;
     if (entry) {
         const frontmatter = buildFrontmatter(entry);
@@ -109,13 +108,10 @@ async function installFromBuiltIn(skillName, installDir) {
             `Consult the Planu documentation.`,
         ].join('\n');
     }
-    const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, content, 'utf-8');
-    return { filesWritten: [skillMdPath], hasScripts: false };
+    return { content, hasScripts: false };
 }
-/** Install a skill placeholder for skillssh/agentskill sources (no direct file API yet). */
-async function installFromExternal(skillName, source, installDir) {
-    await fs.mkdir(installDir, { recursive: true });
+/** Prepare a skill placeholder for skillssh/agentskill sources (no direct file API yet). */
+function prepareFromExternal(skillName, source) {
     const placeholder = [
         `# ${skillName}`,
         '',
@@ -124,9 +120,55 @@ async function installFromExternal(skillName, source, installDir) {
         '',
         'Run `planu registry install` again to refresh this skill.',
     ].join('\n');
+    return { content: placeholder, hasScripts: false };
+}
+function shouldScanSource(source) {
+    return source !== 'builtin';
+}
+async function writePreparedSkill(prepared, installDir) {
+    await fs.mkdir(installDir, { recursive: true });
     const skillMdPath = path.join(installDir, 'SKILL.md');
-    await fs.writeFile(skillMdPath, placeholder, 'utf-8');
-    return { filesWritten: [skillMdPath], hasScripts: false };
+    await fs.writeFile(skillMdPath, prepared.content, 'utf-8');
+    return {
+        filesWritten: [skillMdPath],
+        hasScripts: prepared.hasScripts,
+        version: prepared.version,
+    };
+}
+async function scanPreparedSkill(prepared, skillName, source, options) {
+    if (!shouldScanSource(source)) {
+        return undefined;
+    }
+    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'planu-skill-scan-'));
+    try {
+        await fs.writeFile(path.join(tempDir, 'SKILL.md'), prepared.content, 'utf-8');
+        const scan = await scanSkillSecurity(tempDir, skillName);
+        if (BLOCKING_SEVERITIES.has(scan.severity) || scan.recommendation === 'DO_NOT_INSTALL') {
+            throw new Error(`Skill "${skillName}" blocked by security scan: ${scan.severity} risk, recommendation ${scan.recommendation}.`);
+        }
+        return scan;
+    }
+    catch (err) {
+        if (options.scannerUnavailablePolicy === 'allow' &&
+            err instanceof Error &&
+            err.name === 'SkillSecurityScannerUnavailableError') {
+            return {
+                scanner: 'skillspector',
+                scannedAt: new Date().toISOString(),
+                score: 100,
+                severity: 'UNKNOWN',
+                recommendation: 'UNKNOWN',
+                issuesCount: 0,
+                command: 'skillspector scan <skillDir> --no-llm --format json',
+                available: false,
+                error: err.message,
+            };
+        }
+        throw err;
+    }
+    finally {
+        await fs.rm(tempDir, { recursive: true, force: true });
+    }
 }
 /**
  * Install a skill from the specified source into the project's .claude/skills/ directory.
@@ -138,27 +180,15 @@ async function installFromExternal(skillName, source, installDir) {
  *  4. Update the local manifest.
  *  5. Return the install result with security flags.
  */
-export async function installSkill(skillName, source, projectPath) {
+export async function installSkill(skillName, source, projectPath, options = {}) {
     const installDir = path.join(skillsRoot(projectPath), skillName);
-    let filesWritten;
-    let hasScripts;
-    let version;
-    if (source === 'anthropic') {
-        const result = await installFromAnthropic(skillName, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-        version = result.version;
-    }
-    else if (source === 'builtin') {
-        const result = await installFromBuiltIn(skillName, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-    }
-    else {
-        const result = await installFromExternal(skillName, source, installDir);
-        filesWritten = result.filesWritten;
-        hasScripts = result.hasScripts;
-    }
+    const prepared = source === 'anthropic'
+        ? await prepareFromAnthropic(skillName)
+        : source === 'builtin'
+            ? prepareFromBuiltIn(skillName)
+            : prepareFromExternal(skillName, source);
+    const securityScan = await scanPreparedSkill(prepared, skillName, source, options);
+    const { filesWritten, hasScripts, version } = await writePreparedSkill(prepared, installDir);
     const manifest = await readSkillManifest(projectPath);
     const entry = {
         name: skillName,
@@ -166,6 +196,7 @@ export async function installSkill(skillName, source, projectPath) {
         version,
         installedAt: new Date().toISOString(),
         path: installDir,
+        securityScan,
     };
     await writeSkillManifest(projectPath, upsertManifestEntry(manifest, entry));
     return {
@@ -175,6 +206,7 @@ export async function installSkill(skillName, source, projectPath) {
         filesWritten,
         hasScripts,
         version,
+        securityScan,
     };
 }
 //# sourceMappingURL=installer.js.map

package/dist/engine/skill-registry/skill-security-scanner.d.ts

@@ -0,0 +1,12 @@
+import type { SkillSecurityScanResult } from '../../types/index.js';
+export declare class SkillSecurityScannerUnavailableError extends Error {
+    constructor(skillName: string, cause: unknown);
+}
+/**
+ * Scan a prepared skill directory using SkillSpector static analysis only.
+ *
+ * SkillSpector returns exit code 1 for high-risk reports. Planu still parses stdout
+ * in that case because the report is valid and should drive the gate decision.
+ */
+export declare function scanSkillSecurity(skillDir: string, skillName: string): Promise<SkillSecurityScanResult>;
+//# sourceMappingURL=skill-security-scanner.d.ts.map

package/dist/engine/skill-registry/skill-security-scanner.js

@@ -0,0 +1,87 @@
+// engine/skill-registry/skill-security-scanner.ts — SPEC-1081
+// Optional SkillSpector adapter for scanning external AI agent skills.
+import { execFile } from 'node:child_process';
+const SCANNER = 'skillspector';
+const COMMAND = 'skillspector scan <skillDir> --no-llm --format json';
+export class SkillSecurityScannerUnavailableError extends Error {
+    constructor(skillName, cause) {
+        const detail = cause instanceof Error ? cause.message : String(cause);
+        super(`Skill security scanner unavailable for "${skillName}". Command: ${COMMAND}. ${detail}`);
+        this.name = 'SkillSecurityScannerUnavailableError';
+    }
+}
+function normalizeSeverity(value) {
+    if (value === 'LOW' || value === 'MEDIUM' || value === 'HIGH' || value === 'CRITICAL') {
+        return value;
+    }
+    return 'UNKNOWN';
+}
+function normalizeRecommendation(value) {
+    if (value === 'SAFE' || value === 'CAUTION' || value === 'DO_NOT_INSTALL') {
+        return value;
+    }
+    return 'UNKNOWN';
+}
+function normalizeScore(value) {
+    if (typeof value !== 'number' || !Number.isFinite(value)) {
+        return 100;
+    }
+    return Math.max(0, Math.min(100, value));
+}
+function parseReport(stdout, skillName) {
+    let parsed;
+    try {
+        parsed = JSON.parse(stdout);
+    }
+    catch (err) {
+        throw new SkillSecurityScannerUnavailableError(skillName, err);
+    }
+    const risk = parsed.risk_assessment ?? {};
+    const version = parsed.metadata?.skillspector_version;
+    return {
+        scanner: SCANNER,
+        scannerVersion: typeof version === 'string' ? version : undefined,
+        scannedAt: new Date().toISOString(),
+        score: normalizeScore(risk.score),
+        severity: normalizeSeverity(risk.severity),
+        recommendation: normalizeRecommendation(risk.recommendation),
+        issuesCount: Array.isArray(parsed.issues) ? parsed.issues.length : 0,
+        command: COMMAND,
+        available: true,
+    };
+}
+function runSkillSpector(skillDir) {
+    return new Promise((resolve, reject) => {
+        execFile(SCANNER, ['scan', skillDir, '--no-llm', '--format', 'json'], (err, stdout) => {
+            if (err) {
+                const error = err instanceof Error ? err : new Error('Unknown execFile error');
+                reject(Object.assign(error, { stdout }));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+/**
+ * Scan a prepared skill directory using SkillSpector static analysis only.
+ *
+ * SkillSpector returns exit code 1 for high-risk reports. Planu still parses stdout
+ * in that case because the report is valid and should drive the gate decision.
+ */
+export async function scanSkillSecurity(skillDir, skillName) {
+    try {
+        const stdout = await runSkillSpector(skillDir);
+        return parseReport(stdout, skillName);
+    }
+    catch (err) {
+        if (typeof err === 'object' &&
+            err !== null &&
+            'stdout' in err &&
+            typeof err.stdout === 'string' &&
+            err.stdout.trim().length > 0) {
+            return parseReport(err.stdout, skillName);
+        }
+        throw new SkillSecurityScannerUnavailableError(skillName, err);
+    }
+}
+//# sourceMappingURL=skill-security-scanner.js.map

package/dist/engine/spec-format/bdd-parser.js

@@ -83,6 +83,15 @@ export function renderBddScenariosYaml(scenarios) {
     for (const scenario of scenarios) {
         lines.push(`  - title: "${escapeYaml(scenario.title)}"`);
         lines.push(`    done: ${String(scenario.done)}`);
+        if (scenario.tests && scenario.tests.length > 0) {
+            lines.push(`    tests:`);
+            for (const test of scenario.tests) {
+                lines.push(`      - path: ${test.path}`);
+                if (test.line !== undefined) {
+                    lines.push(`        line: ${String(test.line)}`);
+                }
+            }
+        }
         lines.push(`    steps:`);
         for (const step of scenario.steps) {
             lines.push(`      - keyword: ${step.keyword}`);

package/dist/engine/spec-format/lean-spec-generator.js

@@ -55,7 +55,7 @@ export function generateLeanSpecContent(input) {
     ];
     let acLines;
     if (acFormat === 'bdd') {
-        acLines = buildBddLines(description, extraCriteria, input.criteriaOverride);
+        acLines = buildBddLines(description, extraCriteria, input.criteriaOverride, input.scenarioTestPaths ?? []);
     }
     else {
         acLines = buildCheckboxLines(description, extraCriteria, input.criteriaOverride);
@@ -88,7 +88,7 @@ function buildCheckboxLines(description, extraCriteria, criteriaOverride) {
     ];
 }
 /** Build BDD scenario lines. */
-function buildBddLines(description, extraCriteria, criteriaOverride) {
+function buildBddLines(description, extraCriteria, criteriaOverride, scenarioTestPaths) {
     let scenarios = parseBddScenarios(description);
     // Fallback: convert checkbox criteria to BDD scenarios
     if (scenarios.length === 0) {
@@ -108,6 +108,14 @@ function buildBddLines(description, extraCriteria, criteriaOverride) {
             });
         }
     }
+    if (scenarioTestPaths.length > 0) {
+        scenarios = scenarios.map((scenario) => ({
+            ...scenario,
+            tests: scenario.tests && scenario.tests.length > 0
+                ? scenario.tests
+                : scenarioTestPaths.map((path) => ({ path })),
+        }));
+    }
     return renderBddScenariosYaml(scenarios);
 }
 /** Extract acceptance criteria from description. Looks for checkbox patterns or generates a default.

package/dist/tools/challenge-spec/implementation-contract-challenge-scenarios.d.ts

@@ -0,0 +1,3 @@
+import type { FailureScenario, Spec } from '../../types/index.js';
+export declare function generateImplementationContractChallengeScenarios(spec: Spec, specContent: string): FailureScenario[];
+//# sourceMappingURL=implementation-contract-challenge-scenarios.d.ts.map

package/dist/tools/challenge-spec/implementation-contract-challenge-scenarios.js

@@ -0,0 +1,51 @@
+import { evaluateImplementationContract } from '../../engine/implementation-contract/index.js';
+import { parseFrontmatterScenarios } from '../../engine/validator/spec-compliance-runner.js';
+export function generateImplementationContractChallengeScenarios(spec, specContent) {
+    const criteria = parseFrontmatterScenarios(specContent).map((scenario) => scenario.title);
+    const issues = evaluateImplementationContract(stripFrontmatter(specContent), criteria);
+    if (issues.length === 0) {
+        return [];
+    }
+    const missingEdges = !/\b(edge cases?|failure modes?)\b/i.test(specContent);
+    const missingBoundaries = !/\b(no-touch|forbidden|non-goals?|out of scope)\b/i.test(specContent);
+    const scenarios = [];
+    scenarios.push({
+        scenario: `[${spec.id}] Implementation Contract Gap: spec leaves the implementer to infer required behavior, file scope, verification, or missing decisions.`,
+        probability: 'high',
+        impact: 'high',
+        currentHandling: issues
+            .map((issue) => issue.message)
+            .slice(0, 3)
+            .join('; '),
+        requiredHandling: 'Add or repair ## Implementation Contract before coding: user outcome, behavior contract, file-level work plan, acceptance-to-verification map, edge cases, non-goals, and verification commands.',
+        dataConsistency: 'Do not start implementation until the spec states what persistent files or state may change.',
+        userExperience: 'The planner should ask for concrete missing decisions instead of sending an ambiguous spec to the implementer.',
+    });
+    if (missingEdges) {
+        scenarios.push({
+            scenario: `[${spec.id}] Missing Edge Cases: implementation may pass happy-path criteria while failing required failure modes.`,
+            probability: 'medium',
+            impact: 'high',
+            currentHandling: 'Edge cases and failure modes are not explicit in the spec.',
+            requiredHandling: 'Add concrete edge cases and failure modes to ## Implementation Contract before approval.',
+            dataConsistency: 'State-changing behavior must define rollback or no-write behavior for failures.',
+            userExperience: 'Users should not discover undefined behavior during implementation review.',
+        });
+    }
+    if (missingBoundaries) {
+        scenarios.push({
+            scenario: `[${spec.id}] Missing No-Touch Boundaries: implementer may refactor unrelated code or satisfy the wording with an architecture-violating shortcut.`,
+            probability: 'medium',
+            impact: 'high',
+            currentHandling: 'No non-goals, forbidden approaches, or no-touch areas are explicit.',
+            requiredHandling: 'Add non-goals, forbidden approaches, and no-touch areas to the implementation contract.',
+            dataConsistency: 'Unrelated persistent formats and stores must not change without explicit scope.',
+            userExperience: 'The implementer receives bounded work instead of open-ended refactoring permission.',
+        });
+    }
+    return scenarios;
+}
+function stripFrontmatter(raw) {
+    return raw.replace(/^---\n[\s\S]*?\n---\n?/, '');
+}
+//# sourceMappingURL=implementation-contract-challenge-scenarios.js.map

package/dist/tools/challenge-spec.js

@@ -14,6 +14,7 @@ import { prioritizeScenarios, buildPrioritizedSummary } from '../engine/challeng
 import { checkContradictions as checkScopeContradictions } from '../engine/scope-boundaries/index.js';
 import { buildChallengeSpecSummary } from '../engine/human-summary.js';
 import { generateAgentChallengeScenarios, isAgentSpec, } from './challenge-spec/agent-challenge-scenarios.js';
+import { generateImplementationContractChallengeScenarios } from './challenge-spec/implementation-contract-challenge-scenarios.js';
 import { getPlatformChallenges } from './challenge-spec/platform-challenge-scenarios.js';
 import { generateSecurityChallengeScenarios } from './challenge-spec/security-challenge-scenarios.js';
 import { generatePrivacyChallengeScenarios } from './challenge-spec/privacy-challenge-scenarios.js';
@@ -150,6 +151,9 @@ export async function handleChallengeSpec(args, server) {
     if (isAgentSpec(spec, specContent)) {
         failureScenarios.push(...generateAgentChallengeScenarios(spec, specContent, knowledge));
     }
+    if (focusAreas.includes('failures')) {
+        failureScenarios.push(...generateImplementationContractChallengeScenarios(spec, specContent));
+    }
     // 5h. SPEC-015a: Smart contract, bot, and IoT challenges
     failureScenarios.push(...getPlatformChallenges(spec, specContent, knowledge));
     // 5i. SPEC-029: Security authorization and STRIDE challenges

package/dist/tools/create-spec/question-generator.d.ts

@@ -1,4 +1,4 @@
 import type { InteractiveQuestion, ProjectKnowledge } from '../../types/index.js';
-/** Generate clarification questions based on description gaps and project context. */
+/** Generate clarification questions based on request-specific missing decisions. */
 export declare function generateInteractiveQuestions(description: string, knowledge: ProjectKnowledge | null): InteractiveQuestion[];
 //# sourceMappingURL=question-generator.d.ts.map

package/dist/tools/create-spec/question-generator.js

@@ -1,101 +1,25 @@
-// tools/create-spec/question-generator.ts — SPEC-463 / SPEC-619 / SPEC-624
-// Config-driven interactive question generation with answer pre-extraction.
-import { t } from '../../i18n/index.js';
+// tools/create-spec/question-generator.ts — SPEC-1083
+// Dynamic clarification questions grounded in the user's requested work.
 import { extractSignals } from '../../engine/elicitation/answer-extractor.js';
-import { buildTargetOptions, buildPaymentProviderOptions, buildBillingModelOptions, buildScopeOptions, buildDatabaseOptions, buildUiTypeOptions, } from '../../engine/elicitation/option-builder.js';
-import dimensionsConfig from '../../config/elicitation-dimensions.json' with { type: 'json' };
-const MAX_QUESTIONS = 4;
-const DIMENSIONS = dimensionsConfig;
-/** Generate clarification questions based on description gaps and project context. */
+import { detectDecisionGaps } from '../../engine/elicitation/decision-gap-detector.js';
+import { validateQuestionGrounding } from '../../engine/elicitation/question-grounding-gate.js';
+/** Generate clarification questions based on request-specific missing decisions. */
 export function generateInteractiveQuestions(description, knowledge) {
     const signals = extractSignals(description);
-    const questions = [];
-    for (const dim of DIMENSIONS) {
-        if (questions.length >= MAX_QUESTIONS) {
-            break;
-        }
-        if (!shouldInclude(dim, signals, knowledge)) {
-            continue;
-        }
-        questions.push({
-            question: t(dim.questionKey),
-            header: t(dim.headerKey),
-            options: buildOptions(dim.optionSet, knowledge),
-            multiSelect: dim.multiSelect,
-        });
-    }
-    return questions;
-}
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-function isSuppressed(key, signals) {
-    if (key === 'hasTarget') {
-        return signals.hasTarget;
-    }
-    if (key === 'hasScope') {
-        return signals.hasScope;
-    }
-    if (key === 'namedProvider') {
-        return signals.namedProvider !== null;
-    }
-    return false;
-}
-function hasRequiredSignal(key, signals) {
-    if (key === 'hasBilling') {
-        return signals.hasBilling;
-    }
-    if (key === 'hasDatabase') {
-        return signals.hasDatabase;
-    }
-    if (key === 'hasUi') {
-        return signals.hasUi;
-    }
-    if (key === 'hasTarget') {
-        return signals.hasTarget;
-    }
-    if (key === 'hasScope') {
-        return signals.hasScope;
-    }
-    return false;
-}
-function matchesDNA(required, knowledge) {
-    if (!knowledge) {
-        return false;
-    }
-    const database = knowledge.database;
-    const stack = knowledge.stack;
-    const framework = knowledge.framework ?? '';
-    return required.some((r) => database === r || framework === r || stack.includes(r));
-}
-function shouldInclude(dim, signals, knowledge) {
-    if (dim.suppressWhen !== undefined && isSuppressed(dim.suppressWhen, signals)) {
-        return false;
-    }
-    if (dim.requiresSignal !== undefined && !hasRequiredSignal(dim.requiresSignal, signals)) {
-        return false;
-    }
-    if (dim.requiresDNA !== undefined) {
-        return matchesDNA(dim.requiresDNA, knowledge);
-    }
-    return true;
-}
-function buildOptions(optionSet, knowledge) {
-    switch (optionSet) {
-        case 'target':
-            return buildTargetOptions();
-        case 'payment_provider':
-            return buildPaymentProviderOptions(knowledge);
-        case 'billing_model':
-            return buildBillingModelOptions();
-        case 'scope':
-            return buildScopeOptions();
-        case 'database':
-            return buildDatabaseOptions();
-        case 'uiType':
-            return buildUiTypeOptions();
-        default:
-            return [];
-    }
+    const gaps = detectDecisionGaps(signals, knowledge);
+    return gaps.flatMap((gap) => {
+        const question = {
+            question: gap.question,
+            header: gap.header,
+            options: gap.options,
+            multiSelect: gap.multiSelect,
+        };
+        return validateQuestionGrounding(question, {
+            gap,
+            requestText: description,
+        }).passed
+            ? [question]
+            : [];
+    });
 }
 //# sourceMappingURL=question-generator.js.map

package/dist/tools/create-spec.js

@@ -20,6 +20,7 @@ import { extractCriteria, generateLeanSpecContent, } from '../engine/spec-format
 import { generateLeanTechnicalContent, } from '../engine/spec-format/lean-technical-generator.js';
 import { extractFilesFromSpecBody } from '../engine/spec-format/technical-md-populator.js';
 import { buildUnifiedSpecContent } from '../engine/spec-format/unified-spec-builder.js';
+import { appendImplementationContractIfMissing } from '../engine/implementation-contract/index.js';
 import { validateEnglishOnlySpecText } from '../engine/spec-language/english-only.js';
 import { ApiKeyResolver, FallbackGenerator, OpusGenerator, } from '../engine/spec-generator/index.js';
 import { analyzeProjectForSpec, getEmptyAutopilotResult, } from './create-spec/autopilot-analyzer.js';
@@ -666,6 +667,8 @@ export async function handleCreateSpec(inputParams, server) {
                     userInput: description,
                     autopilot,
                 }));
+                const outOfScopeResolved = resolveOutOfScope(description, params.outOfScope);
+                const scenarioTestPaths = groundedTechnical.files.test.map((file) => file.path);
                 const leanSpec = generateLeanSpecContent({
                     spec,
                     description: generatedSpec.specBody,
@@ -677,6 +680,7 @@ export async function handleCreateSpec(inputParams, server) {
                     groundingCriteria,
                     groundingTechnicalReferences: groundedTechnical.records,
                     acFormat: params.acFormat,
+                    scenarioTestPaths,
                 });
                 const leanTechnical = generateLeanTechnicalContent({
                     specId: spec.id,
@@ -687,7 +691,21 @@ export async function handleCreateSpec(inputParams, server) {
                 // SPEC-709: write unified spec.md from origin — no separate technical.md.
                 // The legacy two-file output is preserved by appending the technical body
                 // as a `## Technical` section inside spec.md.
-                const unifiedSpec = buildUnifiedSpecContent(leanSpec, leanTechnical);
+                const unifiedWithoutContract = buildUnifiedSpecContent(leanSpec, leanTechnical);
+                const unifiedSpec = appendImplementationContractIfMissing(unifiedWithoutContract, {
+                    description: generatedSpec.specBody,
+                    criteria: contractCriteria.map((record) => ({ text: record.text, done: false })),
+                    files: groundedTechnical.files,
+                    outOfScope: outOfScopeResolved.items,
+                    verificationCommands: [
+                        ...(scenarioTestPaths.length > 0
+                            ? [`pnpm vitest run ${scenarioTestPaths.join(' ')}`]
+                            : []),
+                        'pnpm typecheck',
+                        'pnpm lint',
+                        'pnpm test',
+                    ],
+                });
                 const genericOutputGate = checkGenericSpecOutput(unifiedSpec);
                 if (!genericOutputGate.passed) {
                     return {
@@ -725,7 +743,6 @@ export async function handleCreateSpec(inputParams, server) {
                     throw writeErr;
                 }
                 // SPEC-612: Auto-suggest outOfScope when user did not provide any
-                const outOfScopeResolved = resolveOutOfScope(description, params.outOfScope);
                 if (outOfScopeResolved.items.length > 0) {
                     spec.outOfScope = outOfScopeResolved.items;
                 }

package/dist/tools/skill-registry/install.js

@@ -36,6 +36,15 @@ export async function handleSkillInstall(params) {
         if (result.version) {
             lines.push(`Version: ${result.version}`);
         }
+        if (result.securityScan) {
+            lines.push('');
+            if (result.securityScan.available) {
+                lines.push(`Security scan: ${result.securityScan.severity} (${result.securityScan.recommendation}) — score ${String(result.securityScan.score)}/100`);
+            }
+            else {
+                lines.push(`Security scan: unavailable (${result.securityScan.recommendation})`);
+            }
+        }
         if (splitInfo.splitApplied) {
             lines.push('');
             lines.push(`Note: Skill was split into ${String(splitInfo.referenceFiles.length + 1)} files for context efficiency (progressive disclosure).`);

package/dist/types/clarification.d.ts

@@ -13,6 +13,14 @@ export interface DescriptionSignals {
     hasUi: boolean;
     namedProvider: string | null;
     hasScope: boolean;
+    action: string | null;
+    domainObject: string | null;
+    actors: string[];
+    integrations: string[];
+    dataObjects: string[];
+    hasPermissionRisk: boolean;
+    hasDestructiveAction: boolean;
+    riskTerms: string[];
 }
 /** Which host mechanism the LLM should use to relay interactive questions. */
 export type HostHint = 'claude-code' | 'cursor' | 'codex' | 'gemini' | 'universal';