@planu/cli 4.4.2 → 4.5.0

package/dist/types/elicitation.d.ts

@@ -1,4 +1,5 @@
 import type { InteractiveQuestion } from './clarification.js';
+import type { InteractiveOption } from './interactive-question.js';
 /** Primitive field types supported by the MCP elicitation protocol. */
 export type ElicitationFieldType = 'text' | 'number' | 'boolean' | 'enum' | 'multi-select';
 /** Shared base for all elicitation field definitions. */
@@ -174,6 +175,26 @@ export type ElicitOrFallbackOutcome = {
  * - 'technical': inferred from codebase signals; elicitation is skipped
  */
 export type DecisionType = 'policy' | 'business' | 'technical';
+export type DecisionGapKind = 'behavior' | 'permission' | 'provider' | 'billing-model' | 'data' | 'failure' | 'scope';
+export interface DecisionGap {
+    id: string;
+    kind: DecisionGapKind;
+    header: string;
+    question: string;
+    evidence: string[];
+    impact: string;
+    options: InteractiveOption[];
+    multiSelect: boolean;
+    blocking: boolean;
+}
+export interface QuestionGroundingContext {
+    gap: DecisionGap;
+    requestText: string;
+}
+export interface QuestionGroundingResult {
+    passed: boolean;
+    reason?: string;
+}
 /**
  * Outcome when the decision was already cached in conventions.json.
  * The caller can return this value immediately without prompting the user.

package/dist/types/skill-registry.d.ts

@@ -69,6 +69,63 @@ export interface SkillInstallResult {
     hasScripts: boolean;
     /** Installed version, if available. */
     version?: string;
+    /** Security scan summary for this install, when the skill source was scanned. */
+    securityScan?: SkillSecurityScanResult;
+}
+/** Severity labels returned by the skill security scanner. */
+export type SkillSecuritySeverity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL' | 'UNKNOWN';
+/** Recommendation labels returned by the skill security scanner. */
+export type SkillSecurityRecommendation = 'SAFE' | 'CAUTION' | 'DO_NOT_INSTALL' | 'UNKNOWN';
+/** Policy to use when the external skill security scanner cannot run. */
+export type SkillSecurityScannerUnavailablePolicy = 'fail-closed' | 'allow';
+/** Options controlling skill security scanning during installation. */
+export interface SkillInstallOptions {
+    /** Policy for scanner execution failures. Defaults to fail-closed for external skills. */
+    scannerUnavailablePolicy?: SkillSecurityScannerUnavailablePolicy;
+}
+/** In-memory skill content prepared before writing to host skill directories. */
+export interface PreparedSkillInstallContent {
+    /** SKILL.md content to write or scan. */
+    content: string;
+    /** Whether the source skill advertises executable script files. */
+    hasScripts: boolean;
+    /** Installed version, if available. */
+    version?: string;
+}
+/** Normalized security scan summary persisted by Planu. */
+export interface SkillSecurityScanResult {
+    /** Scanner name. */
+    scanner: 'skillspector';
+    /** Scanner version, if reported by the scanner. */
+    scannerVersion?: string;
+    /** ISO 8601 timestamp when Planu ran or recorded the scan. */
+    scannedAt: string;
+    /** Numeric risk score, 0-100. */
+    score: number;
+    /** Risk severity label. */
+    severity: SkillSecuritySeverity;
+    /** Scanner recommendation. */
+    recommendation: SkillSecurityRecommendation;
+    /** Number of findings/issues reported by the scanner. */
+    issuesCount: number;
+    /** Exact scanner command shape used, without secrets or environment values. */
+    command: string;
+    /** Whether the scanner completed successfully. */
+    available: boolean;
+    /** Optional failure reason when available=false. */
+    error?: string;
+}
+/** Minimal JSON shape emitted by SkillSpector in --format json mode. */
+export interface SkillSpectorJsonReport {
+    risk_assessment?: {
+        score?: unknown;
+        severity?: unknown;
+        recommendation?: unknown;
+    };
+    issues?: unknown[];
+    metadata?: {
+        skillspector_version?: unknown;
+    };
 }
 /** Manifest tracking all skills installed in a project. */
 export interface SkillManifest {
@@ -95,6 +152,8 @@ export interface InstalledSkillEntry {
     sourceStatus?: 'active' | 'source-unavailable';
     /** Absolute path to the installed skill directory. */
     path: string;
+    /** Security scan summary captured during installation, when available. */
+    securityScan?: SkillSecurityScanResult;
 }
 /** SPEC-668: Result of a skills TTL refresh operation. */
 export interface SkillTTLRefreshResult {

package/dist/types/spec-format.d.ts

@@ -22,6 +22,10 @@ export interface BddScenario {
     title: string;
     steps: BddStep[];
     done: boolean;
+    tests?: {
+        path: string;
+        line?: number;
+    }[];
 }
 /** Input for lean spec generation. */
 export interface LeanSpecInput {
@@ -38,6 +42,8 @@ export interface LeanSpecInput {
     groundingTechnicalReferences?: TechnicalReferenceGroundingRecord[];
     /** SPEC-481: Acceptance criteria format. Defaults to 'checkbox'. */
     acFormat?: 'checkbox' | 'bdd';
+    /** SPEC-1082: Test links to attach to generated BDD scenarios when available. */
+    scenarioTestPaths?: string[];
 }
 /** A file entry in the unified spec.md Technical section. */
 export interface LeanFileEntry {
@@ -121,4 +127,19 @@ export interface LeanTechnicalInput {
     filesToModify?: LeanFileEntry[];
     filesToTest?: LeanFileEntry[];
 }
+export interface ImplementationContractInput {
+    description: string;
+    criteria: LeanCriterion[];
+    files: {
+        create: LeanFileEntry[];
+        modify: LeanFileEntry[];
+        test: LeanFileEntry[];
+    };
+    outOfScope: string[];
+    verificationCommands: string[];
+}
+export interface ImplementationContractIssue {
+    code: 'contract_missing' | 'contract_subsection_missing' | 'contract_subsection_empty' | 'contract_filler' | 'contract_needs_decision' | 'contract_unmapped_criterion' | 'contract_manual_verification_vague';
+    message: string;
+}
 //# sourceMappingURL=spec-format.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@planu/cli",
-  "version": "4.4.2",
+  "version": "4.5.0",
   "description": "Planu — MCP Server for Spec Driven Development with native Rust acceleration for hot paths. Cross-platform (Linux/macOS/Windows, x64/arm64, glibc/musl).",
   "type": "module",
   "main": "dist/index.js",
@@ -34,14 +34,14 @@
     "packageName": "@planu/core"
   },
   "optionalDependencies": {
-    "@planu/core-darwin-arm64": "4.4.2",
-    "@planu/core-darwin-x64": "4.4.2",
-    "@planu/core-linux-arm64-gnu": "4.4.2",
-    "@planu/core-linux-arm64-musl": "4.4.2",
-    "@planu/core-linux-x64-gnu": "4.4.2",
-    "@planu/core-linux-x64-musl": "4.4.2",
-    "@planu/core-win32-arm64-msvc": "4.4.2",
-    "@planu/core-win32-x64-msvc": "4.4.2"
+    "@planu/core-darwin-arm64": "4.5.0",
+    "@planu/core-darwin-x64": "4.5.0",
+    "@planu/core-linux-arm64-gnu": "4.5.0",
+    "@planu/core-linux-arm64-musl": "4.5.0",
+    "@planu/core-linux-x64-gnu": "4.5.0",
+    "@planu/core-linux-x64-musl": "4.5.0",
+    "@planu/core-win32-arm64-msvc": "4.5.0",
+    "@planu/core-win32-x64-msvc": "4.5.0"
   },
   "engines": {
     "node": ">=24.0.0"
@@ -129,7 +129,7 @@
   ],
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
-    "@anthropic-ai/sdk": "^0.100.1",
+    "@anthropic-ai/sdk": "^0.104.1",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "glob": "^13.0.6",
     "yaml": "^2.9.0",
@@ -170,7 +170,7 @@
     "@commitlint/cli": "^21.0.2",
     "@commitlint/config-conventional": "^21.0.2",
     "@eslint/js": "^10.0.1",
-    "@napi-rs/cli": "^3.7.0",
+    "@napi-rs/cli": "^3.7.1",
     "@secretlint/secretlint-rule-no-homedir": "^13.0.2",
     "@secretlint/secretlint-rule-preset-recommend": "^13.0.2",
     "@semantic-release/changelog": "^6.0.3",
@@ -181,8 +181,8 @@
     "@semantic-release/release-notes-generator": "^14.1.1",
     "@stryker-mutator/core": "^9.6.1",
     "@stryker-mutator/vitest-runner": "^9.6.1",
-    "@supabase/supabase-js": "^2.107.0",
-    "@types/node": "^25.9.1",
+    "@supabase/supabase-js": "^2.108.1",
+    "@types/node": "^25.9.2",
     "@vitejs/plugin-vue": "^6.0.7",
     "@vitest/coverage-v8": "^4.1.8",
     "@vue/test-utils": "^2.4.11",
@@ -190,19 +190,19 @@
     "eslint-config-prettier": "^10.1.8",
     "eslint-import-resolver-typescript": "^4.4.5",
     "eslint-plugin-import": "^2.32.0",
-    "happy-dom": "^20.10.1",
+    "happy-dom": "^20.10.2",
     "husky": "^9.1.7",
     "javascript-obfuscator": "^5.4.3",
-    "knip": "^6.15.0",
+    "knip": "^6.16.1",
     "lint-staged": "^17.0.7",
     "madge": "^8.0.0",
-    "prettier": "^3.8.3",
+    "prettier": "^3.8.4",
     "secretlint": "^13.0.2",
-    "semantic-release": "^25.0.3",
+    "semantic-release": "^25.0.5",
     "tsc-alias": "^1.8.17",
     "type-coverage": "^2.29.7",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.60.1",
+    "typescript-eslint": "^8.61.0",
     "vite": "^8.0.16",
     "vitest": "^4.1.8",
     "vue": "^3.5.35"

package/planu-native.json

@@ -1,20 +1,26 @@
 {
   "name": "dev.planu.native",
   "displayName": "Planu Native Lightweight Surface",
-  "version": "4.4.2",
+  "version": "4.5.0",
   "packageName": "@planu/cli",
   "modes": {
     "lightweight": {
       "requiresMcp": false,
       "requiresDaemon": false,
-      "hosts": ["codex", "claude-code"],
+      "hosts": [
+        "codex",
+        "claude-code"
+      ],
       "commands": [
         {
           "id": "planu.status",
           "title": "Project status",
           "description": "Show the compact Planu project snapshot without loading the MCP tool graph.",
           "invocation": "planu status",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "handlePlanStatus"
@@ -24,7 +30,10 @@
           "title": "Create spec",
           "description": "Create a new spec through the CLI-backed SDD contract.",
           "invocation": "planu spec create \"<title>\"",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "handleCreateSpec"
@@ -34,7 +43,10 @@
           "title": "List specs",
           "description": "List specs in the current project with optional status/type filters.",
           "invocation": "planu spec list",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "handleListSpecs"
@@ -44,7 +56,10 @@
           "title": "Validate spec",
           "description": "Validate a spec against the current codebase from the native CLI surface.",
           "invocation": "planu spec validate SPEC-001",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "handleValidate"
@@ -54,7 +69,10 @@
           "title": "Audit technical debt",
           "description": "Run the read-only project audit path for lightweight debt checks.",
           "invocation": "planu audit debt",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "handleAudit"
@@ -64,7 +82,10 @@
           "title": "Check release readiness",
           "description": "Check local branch cleanliness and main/develop/release sync readiness.",
           "invocation": "planu release check",
-          "hosts": ["codex", "claude-code"],
+          "hosts": [
+            "codex",
+            "claude-code"
+          ],
           "requiresMcp": false,
           "requiresDaemon": false,
           "mapsTo": "releaseCommand"

package/planu-plugin.json

@@ -2,9 +2,12 @@
   "name": "dev.planu.cli",
   "displayName": "Planu — Spec Driven Development",
   "description": "Manage software specs, estimations, and autonomous SDD workflows. Language-agnostic MCP server for Claude Code.",
-  "version": "4.4.2",
+  "version": "4.5.0",
   "icon": "assets/plugin/icon.svg",
-  "command": ["npx", "@planu/cli@latest"],
+  "command": [
+    "npx",
+    "@planu/cli@latest"
+  ],
   "packageName": "@planu/cli",
   "capabilities": {
     "tools": [
@@ -23,17 +26,42 @@
       "create_skill",
       "skill_search"
     ],
-    "resources": ["planu://specs/list", "planu://specs/{id}", "planu://project/status", "planu://roadmap"],
-    "prompts": ["create-spec-from-idea", "review-spec-readiness", "generate-implementation-plan"],
-    "subagents": ["sdd-orchestrator", "spec-challenger", "test-generator"]
+    "resources": [
+      "planu://specs/list",
+      "planu://specs/{id}",
+      "planu://project/status",
+      "planu://roadmap"
+    ],
+    "prompts": [
+      "create-spec-from-idea",
+      "review-spec-readiness",
+      "generate-implementation-plan"
+    ],
+    "subagents": [
+      "sdd-orchestrator",
+      "spec-challenger",
+      "test-generator"
+    ]
   },
   "compatibility": {
     "minimumHostVersion": "1.0.0",
-    "requiredFeatures": ["mcp-tools", "file-editing"]
+    "requiredFeatures": [
+      "mcp-tools",
+      "file-editing"
+    ]
   },
   "repository": "https://github.com/planu-dev/planu",
   "author": "Planu",
   "license": "MIT",
   "homepage": "https://planu.dev",
-  "keywords": ["sdd", "spec-driven-development", "mcp", "specs", "planning", "ai", "bdd", "tdd"]
+  "keywords": [
+    "sdd",
+    "spec-driven-development",
+    "mcp",
+    "specs",
+    "planning",
+    "ai",
+    "bdd",
+    "tdd"
+  ]
 }