npm - bigpowers - Versions diffs - 2.37.0 → 2.39.0 - Mend

bigpowers 2.37.0 → 2.39.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/.pi/package.json +1 -1
package/.pi/prompts/audit-code.md +1 -0
package/.pi/prompts/request-review.md +1 -0
package/.pi/prompts/verify-work.md +3 -2
package/.pi/skills/audit-code/SKILL.md +1 -0
package/.pi/skills/request-review/SKILL.md +1 -0
package/.pi/skills/verify-work/SKILL.md +3 -2
package/CHANGELOG.md +14 -0
package/SKILL-INDEX.md +1 -1
package/audit-code/SKILL.md +1 -0
package/package.json +1 -1
package/request-review/SKILL.md +1 -0
package/skills-lock.json +3 -3
package/verify-work/SKILL.md +3 -2

package/.pi/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.37.0",
+  "version": "2.39.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/audit-code.md CHANGED Viewed

@@ -25,6 +25,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/.pi/prompts/request-review.md CHANGED Viewed

@@ -25,6 +25,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/.pi/prompts/verify-work.md CHANGED Viewed

@@ -33,8 +33,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations

package/.pi/skills/audit-code/SKILL.md CHANGED Viewed

@@ -27,6 +27,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/.pi/skills/request-review/SKILL.md CHANGED Viewed

@@ -27,6 +27,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/.pi/skills/verify-work/SKILL.md CHANGED Viewed

@@ -35,8 +35,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+# [2.39.0](https://github.com/danielvm-git/bigpowers/compare/v2.38.0...v2.39.0) (2026-06-27)
+### Features
+* **verify-work:** add Phase 5 security scan gate ([a0a8b1e](https://github.com/danielvm-git/bigpowers/commit/a0a8b1e4362a727bc642c70e037c478ba45b25c1))
+# [2.38.0](https://github.com/danielvm-git/bigpowers/compare/v2.37.0...v2.38.0) (2026-06-27)
+### Features
+* **audit-code request-review:** add security gate and focus ([092bc61](https://github.com/danielvm-git/bigpowers/commit/092bc6139764f34babb35d0705eb2b628aa4abf7))
 # [2.37.0](https://github.com/danielvm-git/bigpowers/compare/v2.36.0...v2.37.0) (2026-06-27)

package/SKILL-INDEX.md CHANGED Viewed

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
-**Generated:** 2026-06-27T16:38:24Z
+**Generated:** 2026-06-27T16:40:22Z
 **Skills:** 71
 ---

package/audit-code/SKILL.md CHANGED Viewed

@@ -26,6 +26,7 @@ Run this self-review before asking anyone else to look at the code. The goal is
 - [ ] No `[SLOP]` packages without documented human approval
 - [ ] No secrets in diff (`sk-`, `ghp_`, `AKIA`, `.env` values) — see `guard-git` patterns
 - [ ] OWASP Top 10 spot-check: injection, broken auth, sensitive data exposure, misconfiguration (see `docs/references/security-threats.md`)
+- [ ] Security: diff scanned — no unaddressed HIGH findings (or deviations documented in `specs/security/EXCEPTIONS.md`)
 ### Provenance & Metadata

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.37.0",
+  "version": "2.39.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/request-review/SKILL.md CHANGED Viewed

@@ -26,6 +26,7 @@ Write a self-contained brief for the reviewer agent. Include:
 - What CONVENTIONS.md requires
 - What the verify command is
 - What you're most uncertain about (where you want fresh eyes)
+- **Security focus** — If the epic has a `specs/security/epics/<id>/THREAT_MODEL.md`, include the relevant vulnerability categories as reviewer focal points. Also include the false-positive exclusion rules so the reviewer avoids known-safe patterns. Tag the review as `security-sensitive: true` if THREAT_MODEL risk is HIGH+.
 ### 2. Dispatch the reviewer agent

package/skills-lock.json CHANGED Viewed

@@ -13,7 +13,7 @@
     },
     "audit-code": {
       "description": "Self-review checklist for the coding agent to run before dispatching a reviewer. Checks CONVENTIONS.md compliance, Boy Scout Rule, test coverage, types, and SOLID. Produces a pass/fail checklist. Use before request-review, before committing, or when user asks for a code quality check.",
-      "sha256": "8192ebe6f66a9f91",
+      "sha256": "2e67f9125e0bec7c",
       "path": "audit-code/SKILL.md"
     },
     "audit-plan": {
@@ -213,7 +213,7 @@
     },
     "request-review": {
       "description": "Dispatch a fresh reviewer agent with a clean context to critique the code after audit-code passes. The reviewer has no shared state with the coding agent and gives a genuine second opinion. Use after audit-code passes, before committing, or when user wants an independent code review.",
-      "sha256": "7ad5fa131cb9fe7f",
+      "sha256": "b2498ecdf55104b6",
       "path": "request-review/SKILL.md"
     },
     "research-first": {
@@ -333,7 +333,7 @@
     },
     "verify-work": {
       "description": "Multi-phase UAT gate — cold-start smoke, build, typecheck, lint, tests, step-by-step manual verification, gaps-closure loop. Use after execute-plan or develop-tdd, before audit-code.",
-      "sha256": "44f96eac8380c15b",
+      "sha256": "7ea4ccf0ed1303fb",
       "path": "verify-work/SKILL.md"
     },
     "visual-dashboard": {

package/verify-work/SKILL.md CHANGED Viewed

@@ -34,8 +34,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations