npm - bigpowers - Versions diffs - 2.36.0 → 2.38.0 - Mend

bigpowers 2.36.0 → 2.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/.pi/package.json +1 -1
package/.pi/prompts/audit-code.md +1 -0
package/.pi/prompts/plan-release.md +2 -0
package/.pi/prompts/plan-work.md +1 -1
package/.pi/prompts/request-review.md +1 -0
package/.pi/skills/audit-code/SKILL.md +1 -0
package/.pi/skills/plan-release/SKILL.md +2 -0
package/.pi/skills/plan-work/SKILL.md +1 -1
package/.pi/skills/request-review/SKILL.md +1 -0
package/CHANGELOG.md +14 -0
package/SKILL-INDEX.md +1 -1
package/audit-code/SKILL.md +1 -0
package/package.json +1 -1
package/plan-release/SKILL.md +2 -0
package/plan-work/SKILL.md +1 -1
package/request-review/SKILL.md +1 -0
package/skills-lock.json +4 -4

package/.pi/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.36.0",
+  "version": "2.38.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/audit-code.md CHANGED Viewed

@@ -25,6 +25,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/.pi/prompts/plan-release.md CHANGED Viewed

@@ -47,6 +47,8 @@ From the conversation context, define:
 WSJF-sort epics: score = (Business Value + Time Criticality + Risk Reduction) / Job Size. Highest score first.
+> **Security risk boost:** If an epic's `specs/security/epics/<id>/THREAT_MODEL.md` identifies HIGH or CRITICAL risk, add +2 to the WSJF numerator (BV + TC + RR + 2) to reflect the urgency of addressing security concerns before they ship. Document the boost in the epic's note field in release-plan.yaml.
 ### 2. Write acceptance criteria (Gherkin)
 For each story, write at least one happy-path and one edge-case scenario (countable format §17 if maturity ≥ 3).

package/.pi/prompts/plan-work.md CHANGED Viewed

@@ -42,7 +42,7 @@ If this plan touches an existing module, run `assess-impact` first to understand
 2. **Draft steps** — Break implementation into the smallest possible steps where each step leaves the codebase working, has one observable outcome, and can be verified with a single command. Red-flag check: name any rationalization you caught before moving to step 3.
-3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template.
+3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template. Each task optionally includes a `security:` field (`none` / `low` / `medium` / `high`) sourced from the epic's `specs/security/epics/<id>/THREAT_MODEL.md`. Tasks with `security: medium` or `security: high` MUST include "no new security findings in affected paths" in their verify steps.
 4. **Verify step format** — Every step MUST follow: `N. <What to do> → verify: <runnable command>`. See [REFERENCE.md](REFERENCE.md) for good/bad examples.

package/.pi/prompts/request-review.md CHANGED Viewed

@@ -25,6 +25,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/.pi/skills/audit-code/SKILL.md CHANGED Viewed

@@ -27,6 +27,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/.pi/skills/plan-release/SKILL.md CHANGED Viewed

@@ -49,6 +49,8 @@ From the conversation context, define:
 WSJF-sort epics: score = (Business Value + Time Criticality + Risk Reduction) / Job Size. Highest score first.
+> **Security risk boost:** If an epic's `specs/security/epics/<id>/THREAT_MODEL.md` identifies HIGH or CRITICAL risk, add +2 to the WSJF numerator (BV + TC + RR + 2) to reflect the urgency of addressing security concerns before they ship. Document the boost in the epic's note field in release-plan.yaml.
 ### 2. Write acceptance criteria (Gherkin)
 For each story, write at least one happy-path and one edge-case scenario (countable format §17 if maturity ≥ 3).

package/.pi/skills/plan-work/SKILL.md CHANGED Viewed

@@ -44,7 +44,7 @@ If this plan touches an existing module, run `assess-impact` first to understand
 2. **Draft steps** — Break implementation into the smallest possible steps where each step leaves the codebase working, has one observable outcome, and can be verified with a single command. Red-flag check: name any rationalization you caught before moving to step 3.
-3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template.
+3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template. Each task optionally includes a `security:` field (`none` / `low` / `medium` / `high`) sourced from the epic's `specs/security/epics/<id>/THREAT_MODEL.md`. Tasks with `security: medium` or `security: high` MUST include "no new security findings in affected paths" in their verify steps.
 4. **Verify step format** — Every step MUST follow: `N. <What to do> → verify: <runnable command>`. See [REFERENCE.md](REFERENCE.md) for good/bad examples.

package/.pi/skills/request-review/SKILL.md CHANGED Viewed

@@ -27,6 +27,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+# [2.38.0](https://github.com/danielvm-git/bigpowers/compare/v2.37.0...v2.38.0) (2026-06-27)
+### Features
+* **audit-code request-review:** add security gate and focus ([092bc61](https://github.com/danielvm-git/bigpowers/commit/092bc6139764f34babb35d0705eb2b628aa4abf7))
+# [2.37.0](https://github.com/danielvm-git/bigpowers/compare/v2.36.0...v2.37.0) (2026-06-27)
+### Features
+* **plan-work plan-release:** add security field and risk boost ([cf8c516](https://github.com/danielvm-git/bigpowers/commit/cf8c51647629b167a14800ac7db34dc5d44f5922))
 # [2.36.0](https://github.com/danielvm-git/bigpowers/compare/v2.35.0...v2.36.0) (2026-06-27)

package/SKILL-INDEX.md CHANGED Viewed

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
-**Generated:** 2026-06-27T16:37:32Z
+**Generated:** 2026-06-27T16:39:38Z
 **Skills:** 71
 ---

package/audit-code/SKILL.md CHANGED Viewed

@@ -26,6 +26,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.36.0",
+  "version": "2.38.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/plan-release/SKILL.md CHANGED Viewed

@@ -48,6 +48,8 @@ From the conversation context, define:
 WSJF-sort epics: score = (Business Value + Time Criticality + Risk Reduction) / Job Size. Highest score first.
+> **Security risk boost:** If an epic's `specs/security/epics/<id>/THREAT_MODEL.md` identifies HIGH or CRITICAL risk, add +2 to the WSJF numerator (BV + TC + RR + 2) to reflect the urgency of addressing security concerns before they ship. Document the boost in the epic's note field in release-plan.yaml.
 ### 2. Write acceptance criteria (Gherkin)
 For each story, write at least one happy-path and one edge-case scenario (countable format §17 if maturity ≥ 3).

package/plan-work/SKILL.md CHANGED Viewed

@@ -43,7 +43,7 @@ If this plan touches an existing module, run `assess-impact` first to understand
 2. **Draft steps** — Break implementation into the smallest possible steps where each step leaves the codebase working, has one observable outcome, and can be verified with a single command. Red-flag check: name any rationalization you caught before moving to step 3.
-3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template.
+3. **Write capsule story spec + tasks** — Output two files inside the active epic capsule. See [REFERENCE.md](REFERENCE.md) for file formats and the plan-template. Each task optionally includes a `security:` field (`none` / `low` / `medium` / `high`) sourced from the epic's `specs/security/epics/<id>/THREAT_MODEL.md`. Tasks with `security: medium` or `security: high` MUST include "no new security findings in affected paths" in their verify steps.
 4. **Verify step format** — Every step MUST follow: `N. <What to do> → verify: <runnable command>`. See [REFERENCE.md](REFERENCE.md) for good/bad examples.

package/request-review/SKILL.md CHANGED Viewed

@@ -26,6 +26,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/skills-lock.json CHANGED Viewed

@@ -13,7 +13,7 @@
     },
     "audit-code": {
       "description": "Self-review checklist for the coding agent to run before dispatching a reviewer. Checks CONVENTIONS.md compliance, Boy Scout Rule, test coverage, types, and SOLID. Produces a pass/fail checklist. Use before request-review, before committing, or when user asks for a code quality check.",
-      "sha256": "8192ebe6f66a9f91",
+      "sha256": "2e67f9125e0bec7c",
       "path": "audit-code/SKILL.md"
     },
     "audit-plan": {
@@ -188,12 +188,12 @@
     },
     "plan-release": {
       "description": "\"RELEASE-INDEX BUILDER — Sequence elaborated epics into specs/release-plan.yaml with WSJF ordering and BCP baselines. NOT a planning-spine substitute: it does not scope work (scope-work) or write story tasks (plan-work). Use after elaborate-spec when the user wants a versioned release index of epics.\"",
-      "sha256": "352d54fe911757ad",
+      "sha256": "d664fde0d07e88ba",
       "path": "plan-release/SKILL.md"
     },
     "plan-work": {
       "description": "\"PLANNING SPINE STEP 3 of 3 — Plan the work: write detailed implementation tasks into the active epic capsule (specs/epics/eNN-slug/). Produces countable-story-format .md specs and runnable -tasks.yaml files. Use after slice-tasks (step 2). Not a substitute for scope-work (step 1) or slice-tasks (step 2).\"",
-      "sha256": "2e171101c1e24469",
+      "sha256": "30a021b06af25f08",
       "path": "plan-work/SKILL.md"
     },
     "publish-package": {
@@ -213,7 +213,7 @@
     },
     "request-review": {
       "description": "Dispatch a fresh reviewer agent with a clean context to critique the code after audit-code passes. The reviewer has no shared state with the coding agent and gives a genuine second opinion. Use after audit-code passes, before committing, or when user wants an independent code review.",
-      "sha256": "7ad5fa131cb9fe7f",
+      "sha256": "b2498ecdf55104b6",
       "path": "request-review/SKILL.md"
     },
     "research-first": {