npm - bigpowers - Versions diffs - 2.38.0 → 2.40.0 - Mend

bigpowers 2.38.0 → 2.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/.pi/package.json +1 -1
package/.pi/prompts/release-branch.md +7 -0
package/.pi/prompts/verify-work.md +3 -2
package/.pi/skills/release-branch/SKILL.md +7 -0
package/.pi/skills/verify-work/SKILL.md +3 -2
package/CHANGELOG.md +14 -0
package/SKILL-INDEX.md +1 -1
package/package.json +1 -1
package/release-branch/SKILL.md +7 -0
package/skills-lock.json +2 -2
package/verify-work/SKILL.md +3 -2

package/.pi/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.38.0",
+  "version": "2.40.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/release-branch.md CHANGED Viewed

@@ -44,6 +44,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
+### 2a. Security gate
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
 ### 3. Diff review
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/.pi/prompts/verify-work.md CHANGED Viewed

@@ -33,8 +33,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations

package/.pi/skills/release-branch/SKILL.md CHANGED Viewed

@@ -46,6 +46,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
+### 2a. Security gate
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
 ### 3. Diff review
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/.pi/skills/verify-work/SKILL.md CHANGED Viewed

@@ -35,8 +35,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+# [2.40.0](https://github.com/danielvm-git/bigpowers/compare/v2.39.0...v2.40.0) (2026-06-27)
+### Features
+* **release-branch:** add security gate before diff review ([c861f40](https://github.com/danielvm-git/bigpowers/commit/c861f404b417d68fbc500df7b98e532c0a6d3d81))
+# [2.39.0](https://github.com/danielvm-git/bigpowers/compare/v2.38.0...v2.39.0) (2026-06-27)
+### Features
+* **verify-work:** add Phase 5 security scan gate ([a0a8b1e](https://github.com/danielvm-git/bigpowers/commit/a0a8b1e4362a727bc642c70e037c478ba45b25c1))
 # [2.38.0](https://github.com/danielvm-git/bigpowers/compare/v2.37.0...v2.38.0) (2026-06-27)

package/SKILL-INDEX.md CHANGED Viewed

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
-**Generated:** 2026-06-27T16:39:38Z
+**Generated:** 2026-06-27T16:41:01Z
 **Skills:** 71
 ---

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.38.0",
+  "version": "2.40.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/release-branch/SKILL.md CHANGED Viewed

@@ -45,6 +45,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
+### 2a. Security gate
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
 ### 3. Diff review
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/skills-lock.json CHANGED Viewed

@@ -208,7 +208,7 @@
     },
     "release-branch": {
       "description": "Make the merge/PR/keep/discard decision for a feature branch, verify coverage gates, create the PR with gh, and clean up the worktree. Use when a feature is done and ready to ship, or when user says \"release\", \"merge\", or \"open a PR\".",
-      "sha256": "fd5e968246ce07bd",
+      "sha256": "0514cbd9163e4e87",
       "path": "release-branch/SKILL.md"
     },
     "request-review": {
@@ -333,7 +333,7 @@
     },
     "verify-work": {
       "description": "Multi-phase UAT gate — cold-start smoke, build, typecheck, lint, tests, step-by-step manual verification, gaps-closure loop. Use after execute-plan or develop-tdd, before audit-code.",
-      "sha256": "44f96eac8380c15b",
+      "sha256": "7ea4ccf0ed1303fb",
       "path": "verify-work/SKILL.md"
     },
     "visual-dashboard": {

package/verify-work/SKILL.md CHANGED Viewed

@@ -34,8 +34,9 @@ Review answers "is the code good?"; Verify answers "does the built thing do what
 2. **Cold-start smoke** (if app): stop server, clear caches, boot from scratch.
 3. **AGENTS.md preflight** — before running default checks, call `bash scripts/bp-read-agents.sh` to detect project-specific commands. If `BP_PREFLIGHT` is set, run it instead of the default mechanical gates (or in addition to them if the project requires both). Output: `"Using preflight from AGENTS.md: <cmd>"`. Fall back to `CLAUDE.md` commands if AGENTS.md is absent.
 4. Mechanical gates: build → typecheck → lint → tests (from `CLAUDE.md` or AGENTS.md).
-5. **Step-by-step UAT** — one user-observable action at a time.
-6. **Gaps loop** — failures → log → `plan-work` → re-verify.
+5. **Security scan** — run `security-review` against the git diff (working tree vs merge-base). Parse findings report. If any HIGH findings with confidence ≥ 8 exist → **block the gate**. Write findings to `specs/security/REVIEW.md`. Allow documented exceptions via `specs/security/EXCEPTIONS.md`. MEDIUM/LOW findings warn but don't block.
+6. **Step-by-step UAT** — one user-observable action at a time.
+7. **Gaps loop** — failures → log → `plan-work` → re-verify. Unaddressed HIGH findings from step 5 feed into this loop alongside other quality gaps.
 ## Verify sub-operations