bigpowers 2.9.0 → 2.10.0

package/.pi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "description": "64 skills — 61 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"

package/.pi/prompts/develop-tdd.md

@@ -67,6 +67,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
 
+### 6a. CI dry-run sub-step (when modifying workflows)
+
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
+
 ### 7. Manual Verification Handover
 
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/.pi/prompts/release-branch.md

@@ -107,6 +107,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
 
+### 7b. CI verification (solo-local and team-pr)
+
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
+
 ### 8. Clean up worktree
 
 ```bash

package/.pi/skills/develop-tdd/SKILL.md

@@ -69,6 +69,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
 
+### 6a. CI dry-run sub-step (when modifying workflows)
+
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
+
 ### 7. Manual Verification Handover
 
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/.pi/skills/release-branch/SKILL.md

@@ -109,6 +109,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
 
+### 7b. CI verification (solo-local and team-pr)
+
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
+
 ### 8. Clean up worktree
 
 ```bash

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [2.10.0](https://github.com/danielvm-git/bigpowers/compare/v2.9.0...v2.10.0) (2026-06-20)
+
+
+### Features
+
+* **skills:** add CI verify and dry-run to skills ([e751564](https://github.com/danielvm-git/bigpowers/commit/e75156478b7c23f4e32ed78eec644916f14dd3c4))
+
 # [2.9.0](https://github.com/danielvm-git/bigpowers/compare/v2.8.0...v2.9.0) (2026-06-20)
 
 

package/SKILL-INDEX.md

@@ -3,7 +3,7 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
 
-**Generated:** 2026-06-20T21:29:33Z
+**Generated:** 2026-06-20T21:31:11Z
 **Skills:** 64
 
 ---

package/develop-tdd/SKILL.md

@@ -68,6 +68,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
 
+### 6a. CI dry-run sub-step (when modifying workflows)
+
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
+
 ### 7. Manual Verification Handover
 
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "description": "61 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/release-branch/SKILL.md

@@ -108,6 +108,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
 
+### 7b. CI verification (solo-local and team-pr)
+
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
+
 ### 8. Clean up worktree
 
 ```bash

package/skills-lock.json

@@ -68,7 +68,7 @@
     },
     "develop-tdd": {
       "description": "Test-driven development with red-green-refactor loop using vertical slices. Use for features (epic tasks) or bugs (specs/bugs/BUG-*.md).",
-      "sha256": "af45529ecb20d449",
+      "sha256": "4002d960b18436cd",
       "path": "develop-tdd/SKILL.md"
     },
     "diagnose-root": {
@@ -193,7 +193,7 @@
     },
     "release-branch": {
       "description": "Make the merge/PR/keep/discard decision for a feature branch, verify coverage gates, create the PR with gh, and clean up the worktree. Use when a feature is done and ready to ship, or when user says \"release\", \"merge\", or \"open a PR\".",
-      "sha256": "70fc37ac4e22143d",
+      "sha256": "6b2df2c92230d098",
       "path": "release-branch/SKILL.md"
     },
     "request-review": {