bigpowers 2.39.0 → 2.41.0

package/.pi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.39.0",
+  "version": "2.41.0",
   "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/investigate-bug.md

@@ -25,6 +25,8 @@ Get a brief description of the issue from the user. If they haven't provided one
 
 Do NOT ask follow-up questions yet. Start investigating immediately.
 
+> **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
+
 ### 2. Explore and diagnose (4-phase RCA)
 
 Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.

package/.pi/prompts/release-branch.md

@@ -44,6 +44,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
 
+### 2a. Security gate
+
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
+
 ### 3. Diff review
 
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/.pi/prompts/validate-fix.md

@@ -60,6 +60,11 @@ For every bug fixed, add at least one prevention layer:
 - [ ] At least one hardening mechanism added
 - [ ] Hardening mechanism is tested
 
+> **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
+> - [ ] Security regression test added (covers the exploit path)
+> - [ ] False-positive exclusion rule added (if applicable)
+> - [ ] Threat model updated (if impact was HIGH+)
+
 ### 6. Update the bug file and registry.yaml
 
 Find the most recent `specs/bugs/BUG-*.md` file and append the resolution:

package/.pi/skills/investigate-bug/SKILL.md

@@ -27,6 +27,8 @@ Get a brief description of the issue from the user. If they haven't provided one
 
 Do NOT ask follow-up questions yet. Start investigating immediately.
 
+> **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
+
 ### 2. Explore and diagnose (4-phase RCA)
 
 Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.

package/.pi/skills/release-branch/SKILL.md

@@ -46,6 +46,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
 
+### 2a. Security gate
+
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
+
 ### 3. Diff review
 
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/.pi/skills/validate-fix/SKILL.md

@@ -62,6 +62,11 @@ For every bug fixed, add at least one prevention layer:
 - [ ] At least one hardening mechanism added
 - [ ] Hardening mechanism is tested
 
+> **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
+> - [ ] Security regression test added (covers the exploit path)
+> - [ ] False-positive exclusion rule added (if applicable)
+> - [ ] Threat model updated (if impact was HIGH+)
+
 ### 6. Update the bug file and registry.yaml
 
 Find the most recent `specs/bugs/BUG-*.md` file and append the resolution:

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [2.41.0](https://github.com/danielvm-git/bigpowers/compare/v2.40.0...v2.41.0) (2026-06-27)
+
+
+### Features
+
+* **investigate-bug validate-fix:** add security impact and hardening ([b67ca83](https://github.com/danielvm-git/bigpowers/commit/b67ca8343a39a51dab6305897e0ba81cc7d5623c))
+
+# [2.40.0](https://github.com/danielvm-git/bigpowers/compare/v2.39.0...v2.40.0) (2026-06-27)
+
+
+### Features
+
+* **release-branch:** add security gate before diff review ([c861f40](https://github.com/danielvm-git/bigpowers/commit/c861f404b417d68fbc500df7b98e532c0a6d3d81))
+
 # [2.39.0](https://github.com/danielvm-git/bigpowers/compare/v2.38.0...v2.39.0) (2026-06-27)
 
 

package/SKILL-INDEX.md

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
 
-**Generated:** 2026-06-27T16:40:22Z
+**Generated:** 2026-06-27T16:42:29Z
 **Skills:** 71
 
 ---

package/investigate-bug/SKILL.md

@@ -26,6 +26,8 @@ Get a brief description of the issue from the user. If they haven't provided one
 
 Do NOT ask follow-up questions yet. Start investigating immediately.
 
+> **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
+
 ### 2. Explore and diagnose (4-phase RCA)
 
 Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.39.0",
+  "version": "2.41.0",
   "description": "70 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/release-branch/SKILL.md

@@ -45,6 +45,13 @@ git log main...HEAD --oneline | grep -vE "^[a-f0-9]+ (feat|fix|docs|style|refact
 
 - [ ] Overall coverage ≥ 80%; business logic coverage ≥ 95%
 
+### 2a. Security gate
+
+- [ ] `specs/security/REVIEW.md` exists and is fresh (matches current branch diff)
+- [ ] No unresolved HIGH findings with confidence ≥ 8 (or all documented in `specs/security/EXCEPTIONS.md` with sign-off rationale)
+
+If REVIEW.md is missing or stale → run `security-review` inline. Findings block the merge unless documented in EXCEPTIONS.md.
+
 ### 3. Diff review
 
 - [ ] All commits intentional, no secrets, CONVENTIONS.md compliance

package/skills-lock.json

@@ -148,7 +148,7 @@
     },
     "investigate-bug": {
       "description": "Investigate a bug or issue by exploring the codebase to find root cause, then write a TDD-based fix plan to specs/bugs/BUG-*.md. Use when user reports a bug, wants to investigate a problem, mentions \"triage\", or wants to plan a fix.",
-      "sha256": "698885ce631631c4",
+      "sha256": "46e956e627f24b46",
       "path": "investigate-bug/SKILL.md"
     },
     "kickoff-branch": {
@@ -208,7 +208,7 @@
     },
     "release-branch": {
       "description": "Make the merge/PR/keep/discard decision for a feature branch, verify coverage gates, create the PR with gh, and clean up the worktree. Use when a feature is done and ready to ship, or when user says \"release\", \"merge\", or \"open a PR\".",
-      "sha256": "fd5e968246ce07bd",
+      "sha256": "0514cbd9163e4e87",
       "path": "release-branch/SKILL.md"
     },
     "request-review": {
@@ -328,7 +328,7 @@
     },
     "validate-fix": {
       "description": "Prove a fix works before declaring done — re-run the failing test, run the full suite, typecheck, lint, and harden against recurrence. Use after implementing a bug fix, when user says \"is this fixed?\", or before closing an investigation.",
-      "sha256": "80fc28e511a501dc",
+      "sha256": "f559f4b8dcf03c4a",
       "path": "validate-fix/SKILL.md"
     },
     "verify-work": {

package/validate-fix/SKILL.md

@@ -61,6 +61,11 @@ For every bug fixed, add at least one prevention layer:
 - [ ] At least one hardening mechanism added
 - [ ] Hardening mechanism is tested
 
+> **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
+> - [ ] Security regression test added (covers the exploit path)
+> - [ ] False-positive exclusion rule added (if applicable)
+> - [ ] Threat model updated (if impact was HIGH+)
+
 ### 6. Update the bug file and registry.yaml
 
 Find the most recent `specs/bugs/BUG-*.md` file and append the resolution: