bigpowers 2.37.0 → 2.38.0

package/.pi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.37.0",
+  "version": "2.38.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/audit-code.md

@@ -25,6 +25,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 
 ### Provenance & Metadata
 

package/.pi/prompts/request-review.md

@@ -25,6 +25,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 
 ### 2. Dispatch the reviewer agent
 

package/.pi/skills/audit-code/SKILL.md

@@ -27,6 +27,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 
 ### Provenance & Metadata
 

package/.pi/skills/request-review/SKILL.md

@@ -27,6 +27,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 
 ### 2. Dispatch the reviewer agent
 

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [2.38.0](https://github.com/danielvm-git/bigpowers/compare/v2.37.0...v2.38.0) (2026-06-27)
+
+
+### Features
+
+* **audit-code request-review:** add security gate and focus ([092bc61](https://github.com/danielvm-git/bigpowers/commit/092bc6139764f34babb35d0705eb2b628aa4abf7))
+
 # [2.37.0](https://github.com/danielvm-git/bigpowers/compare/v2.36.0...v2.37.0) (2026-06-27)
 
 

package/SKILL-INDEX.md

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
 
-**Generated:** 2026-06-27T16:38:24Z
+**Generated:** 2026-06-27T16:39:38Z
 **Skills:** 71
 
 ---

package/audit-code/SKILL.md

@@ -26,6 +26,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 
 ### Provenance & Metadata
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.37.0",
+  "version": "2.38.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/request-review/SKILL.md

@@ -26,6 +26,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 
 ### 2. Dispatch the reviewer agent
 

package/skills-lock.json

@@ -13,7 +13,7 @@
     },
     "audit-code": {
       "description": "Self-review checklist for the coding agent to run before dispatching a reviewer. Checks CONVENTIONS.md compliance, Boy Scout Rule, test coverage, types, and SOLID. Produces a pass/fail checklist. Use before request-review, before committing, or when user asks for a code quality check.",
-      "sha256": "8192ebe6f66a9f91",
+      "sha256": "2e67f9125e0bec7c",
       "path": "audit-code/SKILL.md"
     },
     "audit-plan": {
@@ -213,7 +213,7 @@
     },
     "request-review": {
       "description": "Dispatch a fresh reviewer agent with a clean context to critique the code after audit-code passes. The reviewer has no shared state with the coding agent and gives a genuine second opinion. Use after audit-code passes, before committing, or when user wants an independent code review.",
-      "sha256": "7ad5fa131cb9fe7f",
+      "sha256": "b2498ecdf55104b6",
       "path": "request-review/SKILL.md"
     },
     "research-first": {