bigpowers 2.34.1 → 2.35.0

package/security-review/REFERENCE-vuln-categories.md

@@ -0,0 +1,103 @@
+# Vulnerability Categories — Detection Guidance
+
+Each category: vulnerable pattern → safe pattern → code example.
+
+## SQL Injection
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | String interpolation in SQL queries: `f"SELECT * FROM users WHERE id = {uid}"` |
+| **Safe** | Parameterized queries / ORM: `cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))` |
+| **Look for** | f-strings, `+` concatenation, `format()` in query builders; raw SQL in ORM `.raw()` / `.execute()` |
+| **False-positive guard** | Not a FP if the input is user-controlled (HTTP param, file, env var, CLI arg). Env vars are trusted (see exclusion rules). |
+
+## Cross-Site Scripting (XSS)
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | `element.innerHTML = userInput`, `dangerouslySetInnerHTML={{__html: userInput}}` |
+| **Safe** | `element.textContent = userInput`, React JSX (auto-escaped), template engines with auto-escaping |
+| **Look for** | `.innerHTML`, `document.write()`, `dangerouslySetInnerHTML`, `v-html` (Vue), `bypassSecurityTrustHtml` (Angular) |
+| **False-positive guard** | React/Angular components without unsafe methods are NOT vulnerable (see exclusion rules). |
+
+## Server-Side Request Forgery (SSRF)
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | User-controlled URL passed to server-side HTTP client: `requests.get(user_url)` |
+| **Safe** | URL allowlist validation, internal-network blocking, protocol/host restriction |
+| **Look for** | User input → `fetch`, `requests.get`, `axios.get`, `urllib`, `curl`, `http.get`; host control only (path-only is excluded) |
+
+## Command Injection
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | User input in shell commands: `os.system(f"ping {host}")`, `subprocess.run(f"grep {pattern} file", shell=True)` |
+| **Safe** | `subprocess.run(["ping", host])` with arguments as list; `shlex.quote()` |
+| **Look for** | `shell=True`, `os.system`, `os.popen`, `exec()`, `eval()`, `$()`, backticks |
+| **False-positive guard** | Shell scripts without untrusted user input are generally not exploitable. |
+
+## Authentication/Authorization Bypass
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | Missing auth check on protected endpoint; JWT without signature verification; hardcoded admin tokens |
+| **Safe** | Consistent auth middleware; JWT with `RS256`/`HS256` verification; role-based access control |
+| **Look for** | Routes without auth decorators; `@login_required` / `@require_auth` missing; JWT without `.verify()`; client-side auth checks only |
+
+## Unsafe Deserialization
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | `pickle.load(user_data)`, `yaml.load(user_input)`, `JSON.parse()` on untrusted tokens, `eval(input())` |
+| **Safe** | `yaml.safe_load()`, `json.loads()` (safe for JSON), `pickle.load(weights_only=True)` (PyTorch), schema validation |
+| **Look for** | `pickle.load`, `yaml.load` (not safe_load), `torch.load(weights_only=False)`, `eval`, `marshal.load`, `node-serialize` |
+
+## Path Traversal
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | User input in file paths: `open(f"/data/{filename}")`, `path.join(base, user_path)` |
+| **Safe** | Path normalization + prefix check: `os.path.realpath(path).startswith(BASE_DIR)`; allowlist of valid filenames |
+| **Look for** | `open()`, `read_file()`, `os.path.join` with user input; `../` traversal without normalization |
+
+## Insecure Direct Object Reference (IDOR)
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | API endpoint uses user-supplied ID without ownership check: `GET /api/order/{order_id}` — returns any user's order |
+| **Safe** | Ownership verification: verify `order.user_id == current_user.id` before returning data |
+| **Look for** | CRUD endpoints that accept IDs without authorization; horizontal/vertical privilege checks missing |
+
+## Weak Cryptography
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | MD5/SHA1 for passwords; ECB mode; hardcoded keys; `random` module (not `secrets`); short key lengths |
+| **Safe** | `bcrypt`/`argon2` for passwords; AES-GCM; `secrets` module; RSA 2048+; proper IV generation |
+| **Look for** | `md5`, `sha1`, `DES`, `ECB`, `PKCS1_v1_5`, `random` for crypto, hardcoded `key=`, `Crypto.Cipher` without AEAD |
+
+## Secrets Exposure
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | Hardcoded API keys, passwords, tokens in source code; secrets in logs; secrets in client-side code |
+| **Safe** | Environment variables; secret manager (AWS Secrets Manager, HashiCorp Vault); `.env` excluded from VCS |
+| **Look for** | `API_KEY=`, `password=`, `secret=`, `token=` in code; AWS keys, GitHub tokens, Stripe keys, JWTs in source |
+| **False-positive guard** | Secrets stored on disk but otherwise secured ARE excluded. Logging high-value secrets IS a vuln. Logging URLs is safe. |
+
+## Template Injection (SSTI)
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | User input in template rendering: `Template(user_input).render()`, `render_template_string(user_input)` |
+| **Safe** | Static templates; input passed as context variable, not template string |
+| **Look for** | `render_template_string`, `Template()()` with user string; `eval` in template context; `${user_input}` in JS template literals on server |
+
+## NoSQL Injection
+
+| Aspect | Detail |
+|--------|--------|
+| **Vulnerable** | User input in MongoDB queries: `db.users.find({username: user_input})` where input is `{"$gt": ""}` |
+| **Safe** | Schema validation; type checking on query params; ORM sanitization |
+| **Look for** | MongoDB `$where`, `$gt`, `$regex` from user input; raw mongo queries without type coercion |

package/security-review/SKILL.md

@@ -0,0 +1,63 @@
+---
+name: security-review
+description: >
+  AI-powered security analysis of code changes — traces data flow, detects
+  injection, auth bypass, secrets exposure, and unsafe deserialization across
+  files. Use when reviewing pending changes, before release-branch, during
+  verify-work Phase 5, during build-epic Step 0 threat modeling, or when
+  the user says "security review" or "scan for vulns".
+---
+
+# Security Review
+
+> **HARD GATE** — Requires git context (branch with merge-base or diff). Never
+> writes files outside `specs/security/`. Findings below confidence 8/10 are
+> suppressed. **→ verify:** `git rev-parse HEAD >/dev/null 2>&1 && echo "ok" || echo "BLOCKED"`
+
+## 5-phase scan
+
+| # | Phase | What |
+|---|-------|------|
+| 1 | **Scope Resolution** | Detect diff via `git diff --merge-base origin/HEAD`; resolve languages/frameworks from dependency files |
+| 2 | **Context Research** | Identify existing security patterns, sanitization, auth model in the codebase |
+| 3 | **Vulnerability Assessment** | Trace user input → sink; check auth boundaries, crypto, deserialization, path ops |
+| 4 | **False-Positive Filtering** | Cross-check each finding against exclusion rules; reject confidence < 8 |
+| 5 | **Report Generation** | Output structured markdown: file:line, severity, category, exploit scenario, fix |
+
+## Categories
+
+Covered: SQLi, XSS, SSRF, command injection, auth bypass, unsafe deserialization, path traversal, IDOR, crypto flaws, secrets exposure, template injection, NoSQLi
+
+## Integration points
+
+| Skill | Touchpoint |
+|-------|------------|
+| `build-epic` | Step 0 — threat-model epic scope → `specs/security/epics/<id>/THREAT_MODEL.md` |
+| `plan-work` | `security:` field (none/low/medium/high) on story tasks |
+| `plan-release` | +2 WSJF risk boost for HIGH+ risk epics |
+| `audit-code` | Checklist: "diff scanned — no unaddressed HIGH findings" |
+| `request-review` | Inject threat model categories + false-positive rules into reviewer prompt |
+| `investigate-bug` | Security-impact assessment in RCA (NONE→CRITICAL) |
+| `validate-fix` | Recurrence hardening check for security bugs |
+| `verify-work` | Phase 5 — blocks on HIGH findings ≥ 8 confidence |
+| `release-branch` | Hard gate — blocks merge if unresolved HIGH findings |
+
+## Report format
+
+Each finding: **`File:Line` — Severity — Category**
+- Description: how the vulnerability manifests
+- Exploit scenario: concrete attack path
+- Recommendation: fix with code example
+
+## Reference files
+
+- [Vuln categories](REFERENCE-vuln-categories.md) — detection guidance per vuln type
+- [False positives](REFERENCE-false-positives.md) — hard exclusions + precedent
+- [Confidence rubric](REFERENCE-confidence-rubric.md) — scoring methodology (0–10)
+
+## Verify
+
+```bash
+test -d specs/security && echo "OK: specs/security/ exists" || mkdir -p specs/security
+grep -q "Merge-base\|merge.base\|git diff" SKILL.md && echo "OK: git context verified"
+```

package/skills-lock.json

@@ -68,7 +68,7 @@
     },
     "deploy": {
       "description": "\"Build → verify artifact → deploy → wait → smoke deployment pipeline. Platform-agnostic (MCP or CLI), with configurable timeout, retry with exponential backoff, and integrated health-check. The deploy half of CI/CD: run after build to push to production.\"",
-      "sha256": "260894aa4f869093",
+      "sha256": "304967c4f7d0ea13",
       "path": "deploy/SKILL.md"
     },
     "design-interface": {
@@ -78,7 +78,7 @@
     },
     "develop-tdd": {
       "description": "Test-driven development with red-green-refactor loop using vertical slices. Use for features (epic tasks) or bugs (specs/bugs/BUG-*.md).",
-      "sha256": "e050f400da14eff3",
+      "sha256": "8a232210dc2c11d3",
       "path": "develop-tdd/SKILL.md"
     },
     "diagnose-root": {
@@ -163,7 +163,7 @@
     },
     "migrate-spec": {
       "description": "Detect GSD, spec-kit, or BMAD spec artifacts and transform them into bigpowers YAML layout (state.yaml, release-plan.yaml, epics/, requirements/, plans/, ADRs). Use when migrating foreign spec docs.",
-      "sha256": "7636756cd3421b20",
+      "sha256": "84077c1eaa2ec40d",
       "path": "migrate-spec/SKILL.md"
     },
     "model-domain": {
@@ -198,7 +198,7 @@
     },
     "publish-package": {
       "description": "\"Package registry publishing for npm, crates.io, PyPI, and Homebrew. Verifies prerequisites, runs the publish command, confirms success, and surfaces actionable error hints on failure.\"",
-      "sha256": "25ead1dd4d174d54",
+      "sha256": "39f5ba9b115cca6b",
       "path": "publish-package/SKILL.md"
     },
     "quick-fix": {
@@ -208,7 +208,7 @@
     },
     "release-branch": {
       "description": "Make the merge/PR/keep/discard decision for a feature branch, verify coverage gates, create the PR with gh, and clean up the worktree. Use when a feature is done and ready to ship, or when user says \"release\", \"merge\", or \"open a PR\".",
-      "sha256": "5d1e07e58d1aff44",
+      "sha256": "fd5e968246ce07bd",
       "path": "release-branch/SKILL.md"
     },
     "request-review": {
@@ -256,6 +256,11 @@
       "sha256": "34df830694a6459c",
       "path": "search-skills/SKILL.md"
     },
+    "security-review": {
+      "description": "> AI-powered security analysis of code changes — traces data flow, detects injection, auth bypass, secrets exposure, and unsafe deserialization across files. Use when reviewing pending changes, before release-branch, during verify-work Phase 5, during build-epic Step 0 threat modeling, or when the user says \"security review\" or \"scan for vulns\".",
+      "sha256": "24aeeed072282d0c",
+      "path": "security-review/SKILL.md"
+    },
     "seed-conventions": {
       "description": "Generate CLAUDE.md and CONVENTIONS.md for a brand-new project through a brief interview, and create the specs/ directory with evolved bigpowers structure (product/, tech-architecture/, verifications/, epics/archive/). Entry point for greenfield projects. Use when starting a new project from scratch, when user asks to set up AI agent conventions, or when there is no CLAUDE.md yet.",
       "sha256": "cd3a7fc52d1b0035",
@@ -283,7 +288,7 @@
     },
     "smoke-test": {
       "description": "\"Post-deploy health-check against a live URL. Validates HTTP status, response content, and critical endpoints. Runnable standalone OR as the final step of the deploy skill.\"",
-      "sha256": "402c89c31ac4fd4c",
+      "sha256": "85d2de9e87e141f7",
       "path": "smoke-test/SKILL.md"
     },
     "spike-prototype": {
@@ -313,12 +318,12 @@
     },
     "using-bigpowers": {
       "description": "One-time bootstrap that introduces the bigpowers skills system, the PMBOK lifecycle arc, and tells you which skill to call first for your situation. Use when starting with bigpowers for the first time, when user asks \"where do I start?\", or when the skills system needs to be explained.",
-      "sha256": "b150ea218b529f61",
+      "sha256": "3e73bdd359b49743",
       "path": "using-bigpowers/SKILL.md"
     },
     "validate-contracts": {
       "description": "\"Assert data shape consistency across system boundaries — live API responses against JSON Schema, key-set comparison across layers, data shape validation for migrations and exports. Catches silent data corruption before deploy.\"",
-      "sha256": "17653c7ac211c5d8",
+      "sha256": "59cf618f642fa10c",
       "path": "validate-contracts/SKILL.md"
     },
     "validate-fix": {
@@ -338,7 +343,7 @@
     },
     "wire-ci": {
       "description": "\"CI pipeline setup with pre-built templates and local validation. Generates GitHub Actions workflows, validates YAML syntax and permissions, supports dry-run via act/gh. The CI equivalent of wire-observability.\"",
-      "sha256": "dcbf6e1516f6b355",
+      "sha256": "cc3fd8faf2686be1",
       "path": "wire-ci/SKILL.md"
     },
     "wire-observability": {

package/smoke-test/REFERENCE.md

@@ -0,0 +1,162 @@
+# Smoke Test — Reference
+
+## Runner script
+
+A ready-to-use runner is provided for standalone operation:
+
+```bash
+bash scripts/run-smoke.sh [url] [smoke-checks-file]
+```
+
+The runner:
+1. Uses `$DEPLOY_URL`, `$SMOKE_CHECKS_FILE`, or CLI arguments
+2. Runs all defined checks
+3. Prints a pass/fail summary
+4. Exits 0 on all pass, non-zero on any failure
+
+
+---
+
+## Configuration reference
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SMOKE_CHECKS_FILE` | `smoke-checks.yaml` | Path to smoke checks YAML |
+| `DEPLOY_URL` / `BASE_URL` | *(required)* | Base URL for all checks |
+| `SMOKE_TIMEOUT` | `30` | Per-check timeout (seconds) |
+| `SMOKE_RETRIES` | `0` | Number of retries on failure |
+
+
+---
+
+## Verification
+
+→ verify: `test -f smoke-test/SKILL.md && grep -q 'name: smoke-test' smoke-test/SKILL.md && echo OK`
+→ verify: `grep -qi 'smoke.checks.yaml\|checklist\|expected_status\|content_signal' smoke-test/SKILL.md && echo OK`
+→ verify: `grep -ci 'pass\|fail\|summary\|report' smoke-test/SKILL.md | awk '{if($1>=2) print "OK"; else print "FAIL"}'`
+→ verify: `grep -q 'smoke-test' SKILL-INDEX.md && echo OK`
+
+---
+
+## Reference block 1
+
+```yaml
+# smoke-checks.yaml — auto-loaded if present at project root
+base_url: "https://example.com"
+checks:
+  - name: "Homepage"
+    path: "/"
+    method: GET
+    expected_status: 200
+    content_signal: "bigpowers"
+    max_response_time_ms: 3000
+
+  - name: "API Health"
+    path: "/api/health"
+    method: GET
+    expected_status: 200
+    content_signal: "ok|healthy"
+
+  - name: "API Jogos"
+    path: "/api/jogos"
+    method: GET
+    expected_status: 200
+    content_signal: "jogos|games"
+
+  - name: "Not Found handling"
+    path: "/nonexistent"
+    method: GET
+    expected_status: 404
+    content_signal: "not found|404"
+```
+
+---
+
+## Reference block 2
+
+```bash
+SMOKE_CHECKS_FILE="${SMOKE_CHECKS_FILE:-smoke-checks.yaml}"
+BASE_URL="${DEPLOY_URL:-$BASE_URL}"
+
+if [ -f "$SMOKE_CHECKS_FILE" ]; then
+  echo "Loaded smoke checks from $SMOKE_CHECKS_FILE"
+elif [ -n "$BASE_URL" ]; then
+  echo "No smoke-checks.yaml found. Using single URL check against $BASE_URL"
+else
+  echo "ERROR: No smoke-checks.yaml found and no DEPLOY_URL/BASE_URL set."
+  exit 1
+fi
+```
+
+---
+
+## Reference block 3
+
+```bash
+url="${BASE_URL}${path}"
+start_time=$(python3 -c 'import time; print(int(time.time() * 1000))')
+
+# Perform the HTTP request
+response=$(curl -s -o /tmp/smoke_body.txt -w "%{http_code}" "$url")
+response_time=$(( $(python3 -c 'import time; print(int(time.time() * 1000))') - start_time ))
+status=$response
+body=$(cat /tmp/smoke_body.txt)
+```
+
+---
+
+## Reference block 4
+
+```bash
+checks_passed=0
+checks_failed=0
+failures=""
+
+# Assert status code
+if [ "$status" -ne "${expected_status:-200}" ]; then
+  echo "  FAIL: expected status ${expected_status} but got $status"
+  checks_failed=$((checks_failed + 1))
+  failures="${failures}  - $name: HTTP $status (expected ${expected_status})\n"
+else
+  echo "  PASS: HTTP $status"
+fi
+
+# Assert content signal
+if [ -n "$content_signal" ]; then
+  if echo "$body" | grep -qiE "$content_signal"; then
+    echo "  PASS: body contains \"$content_signal\""
+  else
+    echo "  FAIL: body does not contain \"$content_signal\""
+    checks_failed=$((checks_failed + 1))
+    failures="${failures}  - $name: missing content signal \"$content_signal\"\n"
+  fi
+fi
+
+# Assert response time
+if [ -n "$max_response_time_ms" ] && [ "$response_time" -gt "$max_response_time_ms" ]; then
+  echo "  FAIL: response time ${response_time}ms exceeds ${max_response_time_ms}ms"
+  checks_failed=$((checks_failed + 1))
+  failures="${failures}  - $name: response time ${response_time}ms (max ${max_response_time_ms}ms)\n"
+fi
+```
+
+---
+
+## Reference block 5
+
+```bash
+total=$((checks_passed + checks_failed))
+echo ""
+echo "=== Smoke Test Summary ==="
+echo "Total: $total | Passed: $checks_passed | Failed: $checks_failed"
+
+if [ "$checks_failed" -gt 0 ]; then
+  echo ""
+  echo "Failures:"
+  echo -e "$failures"
+  exit 1
+else
+  echo "All checks passed."
+  exit 0
+fi
+```

package/smoke-test/SKILL.md

@@ -21,35 +21,7 @@ Can be run standalone for quick health checks or chained as the final step of th
 
 Smoke checks are defined in `smoke-checks.yaml` at the project root:
 
-```yaml
-# smoke-checks.yaml — auto-loaded if present at project root
-base_url: "https://example.com"
-checks:
-  - name: "Homepage"
-    path: "/"
-    method: GET
-    expected_status: 200
-    content_signal: "bigpowers"
-    max_response_time_ms: 3000
-
-  - name: "API Health"
-    path: "/api/health"
-    method: GET
-    expected_status: 200
-    content_signal: "ok|healthy"
-
-  - name: "API Jogos"
-    path: "/api/jogos"
-    method: GET
-    expected_status: 200
-    content_signal: "jogos|games"
-
-  - name: "Not Found handling"
-    path: "/nonexistent"
-    method: GET
-    expected_status: 404
-    content_signal: "not found|404"
-```
+See [REFERENCE.md](REFERENCE.md)
 
 Checks can also be specified inline via environment variables or CLI arguments for ad-hoc use.
 
@@ -68,102 +40,21 @@ Checks can also be specified inline via environment variables or CLI arguments f
 
 ### 1. Load smoke checks
 
-```bash
-SMOKE_CHECKS_FILE="${SMOKE_CHECKS_FILE:-smoke-checks.yaml}"
-BASE_URL="${DEPLOY_URL:-$BASE_URL}"
-
-if [ -f "$SMOKE_CHECKS_FILE" ]; then
-  echo "Loaded smoke checks from $SMOKE_CHECKS_FILE"
-elif [ -n "$BASE_URL" ]; then
-  echo "No smoke-checks.yaml found. Using single URL check against $BASE_URL"
-else
-  echo "ERROR: No smoke-checks.yaml found and no DEPLOY_URL/BASE_URL set."
-  exit 1
-fi
-```
+See [REFERENCE.md](REFERENCE.md)
 
 ### 2. Run each check
 
 For each check in the configuration, perform an HTTP request:
 
-```bash
-url="${BASE_URL}${path}"
-start_time=$(python3 -c 'import time; print(int(time.time() * 1000))')
-
-# Perform the HTTP request
-response=$(curl -s -o /tmp/smoke_body.txt -w "%{http_code}" "$url")
-response_time=$(( $(python3 -c 'import time; print(int(time.time() * 1000))') - start_time ))
-status=$response
-body=$(cat /tmp/smoke_body.txt)
-```
+See [REFERENCE.md](REFERENCE.md)
 
 ### 3. Assert results
 
-```bash
-checks_passed=0
-checks_failed=0
-failures=""
-
-# Assert status code
-if [ "$status" -ne "${expected_status:-200}" ]; then
-  echo "  FAIL: expected status ${expected_status} but got $status"
-  checks_failed=$((checks_failed + 1))
-  failures="${failures}  - $name: HTTP $status (expected ${expected_status})\n"
-else
-  echo "  PASS: HTTP $status"
-fi
-
-# Assert content signal
-if [ -n "$content_signal" ]; then
-  if echo "$body" | grep -qiE "$content_signal"; then
-    echo "  PASS: body contains \"$content_signal\""
-  else
-    echo "  FAIL: body does not contain \"$content_signal\""
-    checks_failed=$((checks_failed + 1))
-    failures="${failures}  - $name: missing content signal \"$content_signal\"\n"
-  fi
-fi
-
-# Assert response time
-if [ -n "$max_response_time_ms" ] && [ "$response_time" -gt "$max_response_time_ms" ]; then
-  echo "  FAIL: response time ${response_time}ms exceeds ${max_response_time_ms}ms"
-  checks_failed=$((checks_failed + 1))
-  failures="${failures}  - $name: response time ${response_time}ms (max ${max_response_time_ms}ms)\n"
-fi
-```
+See [REFERENCE.md](REFERENCE.md)
 
 ### 4. Generate report
 
-```bash
-total=$((checks_passed + checks_failed))
-echo ""
-echo "=== Smoke Test Summary ==="
-echo "Total: $total | Passed: $checks_passed | Failed: $checks_failed"
-
-if [ "$checks_failed" -gt 0 ]; then
-  echo ""
-  echo "Failures:"
-  echo -e "$failures"
-  exit 1
-else
-  echo "All checks passed."
-  exit 0
-fi
-```
-
-## Runner script
-
-A ready-to-use runner is provided for standalone operation:
-
-```bash
-bash scripts/run-smoke.sh [url] [smoke-checks-file]
-```
-
-The runner:
-1. Uses `$DEPLOY_URL`, `$SMOKE_CHECKS_FILE`, or CLI arguments
-2. Runs all defined checks
-3. Prints a pass/fail summary
-4. Exits 0 on all pass, non-zero on any failure
+See [REFERENCE.md](REFERENCE.md)
 
 ## Integration with deploy skill
 
@@ -173,19 +64,3 @@ The `deploy` skill references `smoke-test` as its final verification step:
 # In deploy workflow — after successful deploy
 DEPLOY_URL="$DEPLOY_URL" bash scripts/run-smoke.sh
 ```
-
-## Configuration reference
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `SMOKE_CHECKS_FILE` | `smoke-checks.yaml` | Path to smoke checks YAML |
-| `DEPLOY_URL` / `BASE_URL` | *(required)* | Base URL for all checks |
-| `SMOKE_TIMEOUT` | `30` | Per-check timeout (seconds) |
-| `SMOKE_RETRIES` | `0` | Number of retries on failure |
-
-## Verification
-
-→ verify: `test -f smoke-test/SKILL.md && grep -q 'name: smoke-test' smoke-test/SKILL.md && echo OK`
-→ verify: `grep -qi 'smoke.checks.yaml\|checklist\|expected_status\|content_signal' smoke-test/SKILL.md && echo OK`
-→ verify: `grep -ci 'pass\|fail\|summary\|report' smoke-test/SKILL.md | awk '{if($1>=2) print "OK"; else print "FAIL"}'`
-→ verify: `grep -q 'smoke-test' SKILL-INDEX.md && echo OK`

package/using-bigpowers/SKILL.md

@@ -8,7 +8,7 @@ description: One-time bootstrap that introduces the bigpowers skills system, the
 > **HARD GATE** — **HARD GATE** — This skill is the entry point. Do NOT skip it when onboarding new users or starting a new session. It establishes the bigpowers methodology, lifecycle phases, and conventions.
 
 
-Welcome to **bigpowers** — a lifecycle of **61** agent skills for production-ready, TDD-driven software by solo developers.
+Welcome to **bigpowers** — a lifecycle of **70** agent skills for production-ready, TDD-driven software by solo developers.
 
 ## Install
 
@@ -99,7 +99,7 @@ Start the HTTP dashboard with `visual-dashboard` → `GET /api/status?projectDir
 - **Integrate:** team default is `gh pr` (team-pr); solo profile uses `land-branch.sh`. Never create GitHub issues from skills — use local Markdown files instead.
 - **One skill, one thing.** If you're unsure which skill to call, call `survey-context` — it reads your current state and recommends the next step.
 - **verify: every step.** Every epic task must have `verify: <runnable command>`. Evidence over claims.
-- **61 skills.** See `SKILL-INDEX.md`; find skills with `search-skills`.
+- **70 skills.** See `SKILL-INDEX.md`; find skills with `search-skills`.
 
 ## After this