bigpowers 2.38.0 → 2.39.0

package/.pi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.38.0",
+  "version": "2.39.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/verify-work.md

@@ -33,8 +33,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 
 ## Verify sub-operations
 

package/.pi/skills/verify-work/SKILL.md

@@ -35,8 +35,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 
 ## Verify sub-operations
 

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [2.39.0](https://github.com/danielvm-git/bigpowers/compare/v2.38.0...v2.39.0) (2026-06-27)
+
+
+### Features
+
+* **verify-work:** add Phase 5 security scan gate ([a0a8b1e](https://github.com/danielvm-git/bigpowers/commit/a0a8b1e4362a727bc642c70e037c478ba45b25c1))
+
 # [2.38.0](https://github.com/danielvm-git/bigpowers/compare/v2.37.0...v2.38.0) (2026-06-27)
 
 

package/SKILL-INDEX.md

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
 
-**Generated:** 2026-06-27T16:39:38Z
+**Generated:** 2026-06-27T16:40:22Z
 **Skills:** 71
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.38.0",
+  "version": "2.39.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/skills-lock.json

@@ -333,7 +333,7 @@
     },
     "verify-work": {
       "description": "Multi-phase UAT gate — cold-start smoke, build, typecheck, lint, tests, step-by-step manual verification, gaps-closure loop. Use after execute-plan or develop-tdd, before audit-code.",
-      "sha256": "44f96eac8380c15b",
+      "sha256": "7ea4ccf0ed1303fb",
       "path": "verify-work/SKILL.md"
     },
     "visual-dashboard": {

package/verify-work/SKILL.md

@@ -34,8 +34,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 
 ## Verify sub-operations