bigpowers 2.40.0 → 2.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/.pi/package.json +1 -1
  2. package/.pi/prompts/investigate-bug.md +2 -0
  3. package/.pi/prompts/validate-fix.md +5 -0
  4. package/.pi/skills/investigate-bug/SKILL.md +2 -0
  5. package/.pi/skills/validate-fix/SKILL.md +5 -0
  6. package/CHANGELOG.md +7 -0
  7. package/SKILL-INDEX.md +1 -1
  8. package/investigate-bug/SKILL.md +2 -0
  9. package/package.json +1 -1
  10. package/skills-lock.json +2 -2
  11. package/validate-fix/SKILL.md +5 -0
package/.pi/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "bigpowers",
3
- "version": "2.40.0",
3
+ "version": "2.41.0",
4
4
  "description": "71 skills — 70 agent skills for spec-driven, test-first software development by solo developers",
5
5
  "keywords": [
6
6
  "pi-package"
package/.pi/prompts/investigate-bug.md CHANGED
@@ -25,6 +25,8 @@ Get a brief description of the issue from the user. If they haven't provided one
25
25
 
26
26
  Do NOT ask follow-up questions yet. Start investigating immediately.
27
27
 
28
+ > **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
29
+
28
30
  ### 2. Explore and diagnose (4-phase RCA)
29
31
 
30
32
  Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.
package/.pi/prompts/validate-fix.md CHANGED
@@ -60,6 +60,11 @@ For every bug fixed, add at least one prevention layer:
60
60
  - [ ] At least one hardening mechanism added
61
61
  - [ ] Hardening mechanism is tested
62
62
 
63
+ > **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
64
+ > - [ ] Security regression test added (covers the exploit path)
65
+ > - [ ] False-positive exclusion rule added (if applicable)
66
+ > - [ ] Threat model updated (if impact was HIGH+)
67
+
63
68
  ### 6. Update the bug file and registry.yaml
64
69
 
65
70
  Find the most recent `specs/bugs/BUG-*.md` file and append the resolution:
package/.pi/skills/investigate-bug/SKILL.md CHANGED
@@ -27,6 +27,8 @@ Get a brief description of the issue from the user. If they haven't provided one
27
27
 
28
28
  Do NOT ask follow-up questions yet. Start investigating immediately.
29
29
 
30
+ > **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
31
+
30
32
  ### 2. Explore and diagnose (4-phase RCA)
31
33
 
32
34
  Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.
package/.pi/skills/validate-fix/SKILL.md CHANGED
@@ -62,6 +62,11 @@ For every bug fixed, add at least one prevention layer:
62
62
  - [ ] At least one hardening mechanism added
63
63
  - [ ] Hardening mechanism is tested
64
64
 
65
+ > **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
66
+ > - [ ] Security regression test added (covers the exploit path)
67
+ > - [ ] False-positive exclusion rule added (if applicable)
68
+ > - [ ] Threat model updated (if impact was HIGH+)
69
+
65
70
  ### 6. Update the bug file and registry.yaml
66
71
 
67
72
  Find the most recent `specs/bugs/BUG-*.md` file and append the resolution:
package/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ # [2.41.0](https://github.com/danielvm-git/bigpowers/compare/v2.40.0...v2.41.0) (2026-06-27)
2
+
3
+
4
+ ### Features
5
+
6
+ * **investigate-bug validate-fix:** add security impact and hardening ([b67ca83](https://github.com/danielvm-git/bigpowers/commit/b67ca8343a39a51dab6305897e0ba81cc7d5623c))
7
+
1
8
  # [2.40.0](https://github.com/danielvm-git/bigpowers/compare/v2.39.0...v2.40.0) (2026-06-27)
2
9
 
3
10
 
package/SKILL-INDEX.md CHANGED
@@ -3,7 +3,7 @@
3
3
  > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
4
4
  > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
5
5
 
6
- **Generated:** 2026-06-27T16:41:01Z
6
+ **Generated:** 2026-06-27T16:42:29Z
7
7
  **Skills:** 71
8
8
 
9
9
  ---
package/investigate-bug/SKILL.md CHANGED
@@ -26,6 +26,8 @@ Get a brief description of the issue from the user. If they haven't provided one
26
26
 
27
27
  Do NOT ask follow-up questions yet. Start investigating immediately.
28
28
 
29
+ > **Security-impact assessment** — After capturing the problem, assess and document: `Security impact: NONE / LOW / MEDIUM / HIGH / CRITICAL`. If HIGH or CRITICAL, assign bug severity HIGH and document the exploit path in findings. If MEDIUM+, include exploit path in the bug file. Document "no security exploit path identified" for NONE/LOW.
30
+
29
31
  ### 2. Explore and diagnose (4-phase RCA)
30
32
 
31
33
  Run the 4-phase root-cause analysis via the `diagnose-root` skill (Reproduce → Isolate → Hypothesize → Verify). That skill is the canonical RCA engine — do not re-implement the phases here.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "bigpowers",
3
- "version": "2.40.0",
3
+ "version": "2.41.0",
4
4
  "description": "70 agent skills for spec-driven, test-first software development by solo developers",
5
5
  "main": "index.js",
6
6
  "scripts": {
package/skills-lock.json CHANGED
@@ -148,7 +148,7 @@
148
148
  },
149
149
  "investigate-bug": {
150
150
  "description": "Investigate a bug or issue by exploring the codebase to find root cause, then write a TDD-based fix plan to specs/bugs/BUG-*.md. Use when user reports a bug, wants to investigate a problem, mentions \"triage\", or wants to plan a fix.",
151
- "sha256": "698885ce631631c4",
151
+ "sha256": "46e956e627f24b46",
152
152
  "path": "investigate-bug/SKILL.md"
153
153
  },
154
154
  "kickoff-branch": {
@@ -328,7 +328,7 @@
328
328
  },
329
329
  "validate-fix": {
330
330
  "description": "Prove a fix works before declaring done — re-run the failing test, run the full suite, typecheck, lint, and harden against recurrence. Use after implementing a bug fix, when user says \"is this fixed?\", or before closing an investigation.",
331
- "sha256": "80fc28e511a501dc",
331
+ "sha256": "f559f4b8dcf03c4a",
332
332
  "path": "validate-fix/SKILL.md"
333
333
  },
334
334
  "verify-work": {
package/validate-fix/SKILL.md CHANGED
@@ -61,6 +61,11 @@ For every bug fixed, add at least one prevention layer:
61
61
  - [ ] At least one hardening mechanism added
62
62
  - [ ] Hardening mechanism is tested
63
63
 
64
+ > **Security recurrence hardening** — If the bug's security-impact assessment (from investigate-bug) was MEDIUM or higher, additionally check:
65
+ > - [ ] Security regression test added (covers the exploit path)
66
+ > - [ ] False-positive exclusion rule added (if applicable)
67
+ > - [ ] Threat model updated (if impact was HIGH+)
68
+
64
69
  ### 6. Update the bug file and registry.yaml
65
70
 
66
71
  Find the most recent `specs/bugs/BUG-*.md` file and append the resolution: