bigpowers 2.32.0 → 2.34.0

package/.pi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.32.0",
+  "version": "2.34.0",
   "description": "70 skills — 61 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/migrate-spec.md

@@ -204,6 +204,63 @@ If skip is chosen, add to handoff: "Adversarial review: skipped — review manua
 
 → verify: `test -f specs/archive/MIGRATION-AUDIT.md && echo "audit completed" || echo "audit skipped or not performed"`
 
+### Step 7 — Post-migration: Optional two-pass spec writing gate
+
+After Steps 1–6, offer the user an optional two-pass spec writing workflow (spec-kit learning):
+
+Prompt: "Use two-pass spec writing (user journeys first, then technical)? [yes / no]"
+
+If **yes**, initialize the gate in `specs/state.yaml`:
+
+```yaml
+two_pass_spec:
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
+```
+
+The journey pass must be marked "complete" by the user (after stakeholder approval of user-journey specs) before the technical pass begins:
+
+```yaml
+two_pass_spec:
+  journey_pass: complete
+  approved_at: "2026-06-26T12:00:00Z"
+  technical_pass: pending
+```
+
+Inform the user: "Journey pass is pending. Run `elaborate-spec` for user journeys, get stakeholder approval, then update `two_pass_spec.journey_pass: complete` in state.yaml before proceeding to technical specs."
+
+If **no**, skip the two-pass gate. Proceed directly to plan-work.
+
+→ verify: `grep -q 'two_pass_spec:' specs/state.yaml && echo "two-pass gate initialized" || echo "two-pass gate not activated"`
+
+### Step 8 — Post-migration: Optional methodology doc template
+
+After Steps 1–7, offer the user an optional analytical framework scaffold (GSD learning):
+
+Prompt: "Create a methodology doc? [yes / no]"
+
+If **yes**, present a checklist of analytical lenses:
+
+```
+Which lenses to include in specs/tech-architecture/METHODOLOGY_LATEST.md?
+
+[x] Cost of Delay (CD3)           — Priority & trade-off assessment
+[ ] STRIDE                        — Security threat modeling
+[ ] F.I.R.S.T                     — Test quality principles
+[ ] Bayesian Updating            — Probabilistic decision-making
+[ ] OWASP Top 10                 — Web security framework
+```
+
+Copy the template from `migrate-spec/templates/METHODOLOGY_LATEST.md` to `specs/tech-architecture/METHODOLOGY_LATEST.md`.
+- Active lenses remain uncommented
+- Unselected lenses are left commented out
+- Populate `{{project_name}}` with the migrated project's name
+
+If **no**, skip. Add note to handoff: "Methodology doc: skipped — can be added later via `cp migrate-spec/templates/METHODOLOGY_LATEST.md specs/tech-architecture/`"
+
+→ verify: `test -f specs/tech-architecture/METHODOLOGY_LATEST.md && echo "methodology doc created" || echo "methodology doc skipped"`
+
 
 ## Artifact Mapping Summary
 
@@ -505,13 +562,13 @@ Optional enhancements to offer the user after migration. Present as checkboxes.
 
 ### From GSD
 
-- [ ] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning.
+- [x] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning. (adopted: optional Step 8 template scaffold)
 - [x] **`handoff` block in state.yaml** — Last skill, last step, required reading for next session. (adopted: mandatory in Step 4 output)
 - [x] **ID tracking in SCOPE_LATEST.yaml** — FR/UJ IDs for spec → plan → verification traceability. (adopted in Step 3 transform)
 
 ### From spec-kit
 
-- [ ] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass.
+- [x] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass. (adopted: optional post-migration gate)
 - [ ] **Explicit inter-phase gate** — "Approve to proceed?" at end of `elaborate-spec`.
 - [ ] **Epic task isolation** — Each task completable in isolation; `depends-on` explicit in epic YAML.
 
@@ -699,4 +756,9 @@ handoff:
     - specs/tech-architecture/TECH_STACK_LATEST.md
     - specs/release-plan.yaml
   next_skill: survey-context
+
+two_pass_spec:  # Optional: only if user activates two-pass spec writing gate
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
 ```

package/.pi/skills/migrate-spec/SKILL.md

@@ -206,6 +206,63 @@ If skip is chosen, add to handoff: "Adversarial review: skipped — review manua
 
 → verify: `test -f specs/archive/MIGRATION-AUDIT.md && echo "audit completed" || echo "audit skipped or not performed"`
 
+### Step 7 — Post-migration: Optional two-pass spec writing gate
+
+After Steps 1–6, offer the user an optional two-pass spec writing workflow (spec-kit learning):
+
+Prompt: "Use two-pass spec writing (user journeys first, then technical)? [yes / no]"
+
+If **yes**, initialize the gate in `specs/state.yaml`:
+
+```yaml
+two_pass_spec:
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
+```
+
+The journey pass must be marked "complete" by the user (after stakeholder approval of user-journey specs) before the technical pass begins:
+
+```yaml
+two_pass_spec:
+  journey_pass: complete
+  approved_at: "2026-06-26T12:00:00Z"
+  technical_pass: pending
+```
+
+Inform the user: "Journey pass is pending. Run `elaborate-spec` for user journeys, get stakeholder approval, then update `two_pass_spec.journey_pass: complete` in state.yaml before proceeding to technical specs."
+
+If **no**, skip the two-pass gate. Proceed directly to plan-work.
+
+→ verify: `grep -q 'two_pass_spec:' specs/state.yaml && echo "two-pass gate initialized" || echo "two-pass gate not activated"`
+
+### Step 8 — Post-migration: Optional methodology doc template
+
+After Steps 1–7, offer the user an optional analytical framework scaffold (GSD learning):
+
+Prompt: "Create a methodology doc? [yes / no]"
+
+If **yes**, present a checklist of analytical lenses:
+
+```
+Which lenses to include in specs/tech-architecture/METHODOLOGY_LATEST.md?
+
+[x] Cost of Delay (CD3)           — Priority & trade-off assessment
+[ ] STRIDE                        — Security threat modeling
+[ ] F.I.R.S.T                     — Test quality principles
+[ ] Bayesian Updating            — Probabilistic decision-making
+[ ] OWASP Top 10                 — Web security framework
+```
+
+Copy the template from `migrate-spec/templates/METHODOLOGY_LATEST.md` to `specs/tech-architecture/METHODOLOGY_LATEST.md`.
+- Active lenses remain uncommented
+- Unselected lenses are left commented out
+- Populate `{{project_name}}` with the migrated project's name
+
+If **no**, skip. Add note to handoff: "Methodology doc: skipped — can be added later via `cp migrate-spec/templates/METHODOLOGY_LATEST.md specs/tech-architecture/`"
+
+→ verify: `test -f specs/tech-architecture/METHODOLOGY_LATEST.md && echo "methodology doc created" || echo "methodology doc skipped"`
+
 
 ## Artifact Mapping Summary
 
@@ -507,13 +564,13 @@ Optional enhancements to offer the user after migration. Present as checkboxes.
 
 ### From GSD
 
-- [ ] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning.
+- [x] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning. (adopted: optional Step 8 template scaffold)
 - [x] **`handoff` block in state.yaml** — Last skill, last step, required reading for next session. (adopted: mandatory in Step 4 output)
 - [x] **ID tracking in SCOPE_LATEST.yaml** — FR/UJ IDs for spec → plan → verification traceability. (adopted in Step 3 transform)
 
 ### From spec-kit
 
-- [ ] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass.
+- [x] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass. (adopted: optional post-migration gate)
 - [ ] **Explicit inter-phase gate** — "Approve to proceed?" at end of `elaborate-spec`.
 - [ ] **Epic task isolation** — Each task completable in isolation; `depends-on` explicit in epic YAML.
 
@@ -701,4 +758,9 @@ handoff:
     - specs/tech-architecture/TECH_STACK_LATEST.md
     - specs/release-plan.yaml
   next_skill: survey-context
+
+two_pass_spec:  # Optional: only if user activates two-pass spec writing gate
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
 ```

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [2.34.0](https://github.com/danielvm-git/bigpowers/compare/v2.33.0...v2.34.0) (2026-06-26)
+
+
+### Features
+
+* **migrate-spec:** add methodology doc template scaffold ([beba70c](https://github.com/danielvm-git/bigpowers/commit/beba70cbc6a4728aff8b121668440af7ca8abf45))
+
+# [2.33.0](https://github.com/danielvm-git/bigpowers/compare/v2.32.0...v2.33.0) (2026-06-26)
+
+
+### Features
+
+* **migrate-spec:** add two-pass spec writing gate ([6d33173](https://github.com/danielvm-git/bigpowers/commit/6d331735554df2d29adab6fdf5ef72844821f5bd))
+
 # [2.32.0](https://github.com/danielvm-git/bigpowers/compare/v2.31.0...v2.32.0) (2026-06-26)
 
 

package/SKILL-INDEX.md

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
 
-**Generated:** 2026-06-26T22:59:59Z
+**Generated:** 2026-06-26T23:03:36Z
 **Skills:** 70
 
 ---

package/migrate-spec/REFERENCE.md

@@ -132,13 +132,13 @@ Optional enhancements to offer the user after migration. Present as checkboxes.
 
 ### From GSD
 
-- [ ] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning.
+- [x] **`specs/tech-architecture/METHODOLOGY_LATEST.md`** — Standing analytical lenses. Agents read before planning. (adopted: optional Step 8 template scaffold)
 - [x] **`handoff` block in state.yaml** — Last skill, last step, required reading for next session. (adopted: mandatory in Step 4 output)
 - [x] **ID tracking in SCOPE_LATEST.yaml** — FR/UJ IDs for spec → plan → verification traceability. (adopted in Step 3 transform)
 
 ### From spec-kit
 
-- [ ] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass.
+- [x] **Two-pass spec writing** — User-journey pass first, then technical-decisions pass. (adopted: optional post-migration gate)
 - [ ] **Explicit inter-phase gate** — "Approve to proceed?" at end of `elaborate-spec`.
 - [ ] **Epic task isolation** — Each task completable in isolation; `depends-on` explicit in epic YAML.
 
@@ -326,4 +326,9 @@ handoff:
     - specs/tech-architecture/TECH_STACK_LATEST.md
     - specs/release-plan.yaml
   next_skill: survey-context
+
+two_pass_spec:  # Optional: only if user activates two-pass spec writing gate
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
 ```

package/migrate-spec/SKILL.md

@@ -207,6 +207,63 @@ If skip is chosen, add to handoff: "Adversarial review: skipped — review manua
 
 → verify: `test -f specs/archive/MIGRATION-AUDIT.md && echo "audit completed" || echo "audit skipped or not performed"`
 
+### Step 7 — Post-migration: Optional two-pass spec writing gate
+
+After Steps 1–6, offer the user an optional two-pass spec writing workflow (spec-kit learning):
+
+Prompt: "Use two-pass spec writing (user journeys first, then technical)? [yes / no]"
+
+If **yes**, initialize the gate in `specs/state.yaml`:
+
+```yaml
+two_pass_spec:
+  journey_pass: pending
+  technical_pass: pending
+  approved_at: null
+```
+
+The journey pass must be marked "complete" by the user (after stakeholder approval of user-journey specs) before the technical pass begins:
+
+```yaml
+two_pass_spec:
+  journey_pass: complete
+  approved_at: "2026-06-26T12:00:00Z"
+  technical_pass: pending
+```
+
+Inform the user: "Journey pass is pending. Run `elaborate-spec` for user journeys, get stakeholder approval, then update `two_pass_spec.journey_pass: complete` in state.yaml before proceeding to technical specs."
+
+If **no**, skip the two-pass gate. Proceed directly to plan-work.
+
+→ verify: `grep -q 'two_pass_spec:' specs/state.yaml && echo "two-pass gate initialized" || echo "two-pass gate not activated"`
+
+### Step 8 — Post-migration: Optional methodology doc template
+
+After Steps 1–7, offer the user an optional analytical framework scaffold (GSD learning):
+
+Prompt: "Create a methodology doc? [yes / no]"
+
+If **yes**, present a checklist of analytical lenses:
+
+```
+Which lenses to include in specs/tech-architecture/METHODOLOGY_LATEST.md?
+
+[x] Cost of Delay (CD3)           — Priority & trade-off assessment
+[ ] STRIDE                        — Security threat modeling
+[ ] F.I.R.S.T                     — Test quality principles
+[ ] Bayesian Updating            — Probabilistic decision-making
+[ ] OWASP Top 10                 — Web security framework
+```
+
+Copy the template from `migrate-spec/templates/METHODOLOGY_LATEST.md` to `specs/tech-architecture/METHODOLOGY_LATEST.md`.
+- Active lenses remain uncommented
+- Unselected lenses are left commented out
+- Populate `{{project_name}}` with the migrated project's name
+
+If **no**, skip. Add note to handoff: "Methodology doc: skipped — can be added later via `cp migrate-spec/templates/METHODOLOGY_LATEST.md specs/tech-architecture/`"
+
+→ verify: `test -f specs/tech-architecture/METHODOLOGY_LATEST.md && echo "methodology doc created" || echo "methodology doc skipped"`
+
 ---
 
 ## Artifact Mapping Summary

package/migrate-spec/templates/METHODOLOGY_LATEST.md

@@ -0,0 +1,92 @@
+# Methodology — {{project_name}}
+
+The following analytical lenses should inform `plan-work` and `audit-code` sessions.
+
+## Cost of Delay (CD3)
+
+**CD3 = Value / Duration**
+
+Use this lens when:
+- Prioritizing epics by business impact
+- Assessing the cost of deferring a story
+- Making trade-off decisions between scope and schedule
+
+Example: A feature with $10k business value and 5-day delivery window has CD3 = $10k / 5d = $2k/day.
+
+---
+
+## STRIDE (Security Threats)
+
+Structured threat modeling framework for API, auth, and data-handling code.
+
+- **Spoofing:** Can an attacker impersonate a user or service?
+- **Tampering:** Can an attacker modify data in transit or at rest?
+- **Repudiation:** Can an attacker deny performing an action?
+- **Information Disclosure:** Can an attacker access sensitive data?
+- **Denial of Service:** Can an attacker disrupt service availability?
+- **Elevation of Privilege:** Can an attacker gain admin or elevated access?
+
+Use STRIDE to review `specs/tech-architecture/TECH_STACK_LATEST.md` and spot-check `develop-tdd` for auth/API changes.
+
+---
+
+## F.I.R.S.T (Test Principles)
+
+Verify that all tests in the codebase are:
+
+- **Fast:** Run in under 5 seconds per test
+- **Independent:** No shared state or test interdependencies
+- **Repeatable:** Same result every run, no flaky timeouts
+- **Self-Validating:** Assert on observable outcomes (return values, API responses, UI state)
+- **Timely:** Written alongside code (test-first in `develop-tdd`)
+
+Use F.I.R.S.T to review test suites in `audit-code` step.
+
+---
+
+## Optional: Bayesian Updating
+
+<!--
+When evidence is ambiguous, use Bayesian reasoning to update your confidence:
+
+P(hypothesis | evidence) = P(evidence | hypothesis) × P(hypothesis) / P(evidence)
+
+Example: "We think this epic has low risk (10% prior). Code review finds 3 SQL injection opportunities. How does that shift our confidence?"
+
+P(high-risk | code-review-findings) = P(findings | high-risk) × P(high-risk) / P(findings)
+                                     = 0.7 × 0.1 / 0.15 = 47%
+
+Update: high risk is now more likely than the 10% prior.
+-->
+
+---
+
+## Optional: Threat Modeling (OWASP Top 10)
+
+<!--
+For projects with sensitive data or external APIs, model threats per OWASP Top 10:
+
+1. **Injection** — Can attackers inject SQL, NoSQL, command shell, LDAP?
+2. **Broken Authentication** — Session management, MFA, password handling?
+3. **Sensitive Data Exposure** — Encryption, tokenization, data classification?
+4. **XML External Entities (XXE)** — XML parsing, file uploads?
+5. **Broken Access Control** — Role-based access, scope, delegation?
+6. **Security Misconfiguration** — Default credentials, error messages, headers?
+7. **Cross-Site Scripting (XSS)** — Untrusted data, sanitization, CSP?
+8. **Insecure Deserialization** — Object deserialization, pickle, YAML?
+9. **Using Components with Known Vulnerabilities** — Dependencies, versions?
+10. **Insufficient Logging & Monitoring** — Audit trails, alerting, incident response?
+
+Document mitigations in `specs/tech-architecture/TECH_STACK_LATEST.md`.
+-->
+
+---
+
+## Using This Document
+
+Before starting a phase:
+- Read the relevant sections of this document
+- In `plan-work`, ensure every task considers the applicable lens
+- In `audit-code`, verify that completed work passes the lens checks
+
+Update this document as new analytical frameworks emerge or prove valuable.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.32.0",
+  "version": "2.34.0",
   "description": "61 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/skills-lock.json

@@ -163,7 +163,7 @@
     },
     "migrate-spec": {
       "description": "Detect GSD, spec-kit, or BMAD spec artifacts and transform them into bigpowers YAML layout (state.yaml, release-plan.yaml, epics/, requirements/, plans/, ADRs). Use when migrating foreign spec docs.",
-      "sha256": "353a127597cead4d",
+      "sha256": "7636756cd3421b20",
       "path": "migrate-spec/SKILL.md"
     },
     "model-domain": {