npm - bigpowers - Versions diffs - 2.9.0 → 2.11.0 - Mend

bigpowers 2.9.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.pi/package.json +2 -2
package/.pi/prompts/deploy.md +164 -0
package/.pi/prompts/develop-tdd.md +60 -0
package/.pi/prompts/release-branch.md +46 -0
package/.pi/skills/deploy/SKILL.md +166 -0
package/.pi/skills/develop-tdd/SKILL.md +60 -0
package/.pi/skills/release-branch/SKILL.md +46 -0
package/CHANGELOG.md +14 -0
package/CONVENTIONS.md +1 -0
package/SKILL-INDEX.md +45 -44
package/deploy/SKILL.md +165 -0
package/develop-tdd/SKILL.md +60 -0
package/package.json +1 -1
package/release-branch/SKILL.md +46 -0
package/scripts/generate-skill-index.sh +1 -0
package/skills-lock.json +7 -2

package/.pi/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "bigpowers",
-  "version": "2.9.0",
-  "description": "64 skills — 61 agent skills for spec-driven, test-first software development by solo developers",
+  "version": "2.11.0",
+  "description": "65 skills — 61 agent skills for spec-driven, test-first software development by solo developers",
   "keywords": [
     "pi-package"
   ],

package/.pi/prompts/deploy.md ADDED Viewed

@@ -0,0 +1,164 @@
+---
+description: "Build → verify artifact → deploy → wait → smoke deployment pipeline. Platform-agnostic (MCP or CLI), with configurable timeout, retry with exponential backoff, and integrated health-check. The deploy half of CI/CD: run after build to push to production."
+---
+# Deploy
+> **HARD GATE** — Do not deploy without running tests first. Run `test` or your CI suite before this skill.
+>
+> **HARD GATE** — Use this skill from a CI/CD pipeline or post-merge on `main`/`master`. Never deploy from a feature branch.
+>
+> **HARD GATE** — The deploy skill orchestrates deployment; the `smoke-test` skill validates post-deploy health. Chain them: `deploy → smoke-test`.
+Orchestrate a full build-to-deployment pipeline: build the artifact, verify it exists and is non-empty, invoke a platform deploy tool (MCP or CLI), poll until the deploy completes or times out, then run a baseline smoke test against the live URL.
+## Pipeline Stages
+```
+build → verify artifact → deploy → wait/retry → smoke
+```
+| Stage | Description | Failure mode |
+|-------|-------------|-------------|
+| Build | Execute the project's build command | Non-zero exit: report build error |
+| Verify | Check artifact exists and is non-empty | Missing/empty: report artifact path |
+| Deploy | Invoke platform deploy tool (MCP, Vercel CLI, rsync, etc.) | Non-zero exit: report deploy error |
+| Wait | Poll deploy status every 30s up to `DEPLOY_TIMEOUT` (default 5 min) | Timeout: report exceeded |
+| Smoke | `curl -sSf $DEPLOY_URL` as baseline health check | Non-200: report failure |
+## Process
+### 1. Detect build command
+Read project manifest files in order to determine the build command:
+| Manifest | Build command |
+|----------|--------------|
+| `package.json` | `npm run build` (or `scripts.build` value) |
+| `Cargo.toml` | `cargo build --release` |
+| `pyproject.toml` / `setup.py` | Depends on build backend (`poetry build`, `pip install -e .`, etc.) |
+| `Makefile` | `make build` or first target named `build` |
+| `AGENTS.md` / `CLAUDE.md` | Look for `build:` in project commands section |
+If no manifest is found, prompt the user with: "No detected build command. Pass `--build 'npm run build'` or specify the command."
+### 2. Build the artifact
+```bash
+npm run build
+```
+Or the detected command from step 1. If the build fails, exit non-zero and report the build output.
+### 3. Verify the artifact
+```bash
+ARTIFACT_DIR="${ARTIFACT_DIR:-dist}"
+if [ ! -d "$ARTIFACT_DIR" ] || [ -z "$(ls -A "$ARTIFACT_DIR" 2>/dev/null)" ]; then
+  echo "FAIL: build artifact not found at $ARTIFACT_DIR"
+  exit 1
+fi
+```
+Configurable via `$ARTIFACT_DIR` environment variable (default: `dist/`).
+### 4. Deploy to platform
+Platform-agnostic — supports multiple deployment targets via environment variables:
+| Platform | Env var | Example |
+|----------|---------|---------|
+| Vercel | `VERCEL_TOKEN`, `VERCEL_PROJECT_ID` | `vercel deploy --prod --token $VERCEL_TOKEN` |
+| Netlify | `NETLIFY_AUTH_TOKEN`, `NETLIFY_SITE_ID` | `netlify deploy --prod --auth $NETLIFY_AUTH_TOKEN --dir $ARTIFACT_DIR` |
+| BigBase MCP | MCP tool call | `mcp deploy` via BigBase server |
+| rsync/SSH | `DEPLOY_SSH_USER`, `DEPLOY_SSH_HOST`, `DEPLOY_SSH_PATH` | `rsync -avz $ARTIFACT_DIR/ $DEPLOY_SSH_USER@$DEPLOY_SSH_HOST:$DEPLOY_SSH_PATH` |
+| Custom | `DEPLOY_COMMAND` | Run any deploy command string |
+The deploy tool is selected by which environment variables are set. If none are configured:
+```bash
+echo "No deploy target configured. Set one of: VERCEL_TOKEN, NETLIFY_AUTH_TOKEN, DEPLOY_SSH_USER+DEPLOY_SSH_HOST, DEPLOY_COMMAND, or MCP deploy tool."
+exit 1
+```
+### 5. Wait and poll status
+After invoking the deploy command, poll for completion:
+```bash
+DEPLOY_TIMEOUT="${DEPLOY_TIMEOUT:-300}"   # seconds (default 5 minutes)
+DEPLOY_POLL_INTERVAL="${DEPLOY_POLL_INTERVAL:-30}"  # seconds
+start_time=$(date +%s)
+while true; do
+  elapsed=$(( $(date +%s) - start_time ))
+  if [ "$elapsed" -ge "$DEPLOY_TIMEOUT" ]; then
+    echo "FAIL: deploy status polling timed out after ${DEPLOY_TIMEOUT}s"
+    exit 1
+  fi
+  status=$(get_deploy_status)  # platform-specific status check
+  if [ "$status" = "ready" ] || [ "$status" = "done" ]; then
+    echo "Deploy completed in ${elapsed}s"
+    break
+  fi
+  sleep "$DEPLOY_POLL_INTERVAL"
+done
+```
+Use exponential backoff for retries on transient failures:
+```bash
+RETRY_MAX="${RETRY_MAX:-3}"
+base_delay=2
+for attempt in $(seq 1 "$RETRY_MAX"); do
+  if deploy_command; then
+    break
+  fi
+  if [ "$attempt" -eq "$RETRY_MAX" ]; then
+    echo "FAIL: deploy failed after ${RETRY_MAX} attempts"
+    exit 1
+  fi
+  sleep $(( base_delay * 2 ** (attempt - 1) ))
+done
+```
+### 6. Baseline smoke test
+```bash
+DEPLOY_URL="${DEPLOY_URL:?DEPLOY_URL must be set}"
+if curl -sSf "$DEPLOY_URL" > /dev/null 2>&1; then
+  echo "OK: $DEPLOY_URL responds with HTTP 200"
+else
+  echo "FAIL: $DEPLOY_URL is not responding with HTTP 200"
+  exit 1
+fi
+```
+For comprehensive health-checking, chain to the `smoke-test` skill:
+```bash
+# After deploy success
+bash scripts/run-smoke.sh "$DEPLOY_URL"
+```
+## Configuration
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `ARTIFACT_DIR` | `dist` | Build output directory |
+| `DEPLOY_URL` | *(required)* | Live URL for smoke test |
+| `DEPLOY_TIMEOUT` | `300` | Max wait for deploy completion (seconds) |
+| `DEPLOY_POLL_INTERVAL` | `30` | Polling interval (seconds) |
+| `RETRY_MAX` | `3` | Max deploy retry attempts |
+| `BUILD_COMMAND` | *(auto-detect)* | Override build command |
+## Verification
+→ verify: `test -f deploy/SKILL.md && grep -q 'name: deploy' deploy/SKILL.md && echo OK`
+→ verify: `grep -qi 'build\|artifact\|deploy\|smoke' deploy/SKILL.md && echo OK`
+→ verify: `grep -ci 'package.json\|Cargo.toml\|Makefile\|manifest' deploy/SKILL.md | awk '{if($1>=1) print "OK"; else print "FAIL"}'`
+→ verify: `grep -ci 'timeout\|poll\|status\|retry\|backoff' deploy/SKILL.md | awk '{if($1>=2) print "OK"; else print "FAIL"}'`
+→ verify: `grep -q 'curl.*DEPLOY_URL\|smoke\|health' deploy/SKILL.md && echo OK`

package/.pi/prompts/develop-tdd.md CHANGED Viewed

@@ -67,6 +67,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
+### 6a. CI dry-run sub-step (when modifying workflows)
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
 ### 7. Manual Verification Handover
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/.pi/prompts/release-branch.md CHANGED Viewed

@@ -107,6 +107,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
+### 7b. CI verification (solo-local and team-pr)
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
 ### 8. Clean up worktree
 ```bash

package/.pi/skills/deploy/SKILL.md ADDED Viewed

@@ -0,0 +1,166 @@
+---
+name: deploy
+description: "\"Build → verify artifact → deploy → wait → smoke deployment pipeline. Platform-agnostic (MCP or CLI), with configurable timeout, retry with exponential backoff, and integrated health-check. The deploy half of CI/CD: run after build to push to production.\""
+model: sonnet
+---
+# Deploy
+> **HARD GATE** — Do not deploy without running tests first. Run `test` or your CI suite before this skill.
+>
+> **HARD GATE** — Use this skill from a CI/CD pipeline or post-merge on `main`/`master`. Never deploy from a feature branch.
+>
+> **HARD GATE** — The deploy skill orchestrates deployment; the `smoke-test` skill validates post-deploy health. Chain them: `deploy → smoke-test`.
+Orchestrate a full build-to-deployment pipeline: build the artifact, verify it exists and is non-empty, invoke a platform deploy tool (MCP or CLI), poll until the deploy completes or times out, then run a baseline smoke test against the live URL.
+## Pipeline Stages
+```
+build → verify artifact → deploy → wait/retry → smoke
+```
+| Stage | Description | Failure mode |
+|-------|-------------|-------------|
+| Build | Execute the project's build command | Non-zero exit: report build error |
+| Verify | Check artifact exists and is non-empty | Missing/empty: report artifact path |
+| Deploy | Invoke platform deploy tool (MCP, Vercel CLI, rsync, etc.) | Non-zero exit: report deploy error |
+| Wait | Poll deploy status every 30s up to `DEPLOY_TIMEOUT` (default 5 min) | Timeout: report exceeded |
+| Smoke | `curl -sSf $DEPLOY_URL` as baseline health check | Non-200: report failure |
+## Process
+### 1. Detect build command
+Read project manifest files in order to determine the build command:
+| Manifest | Build command |
+|----------|--------------|
+| `package.json` | `npm run build` (or `scripts.build` value) |
+| `Cargo.toml` | `cargo build --release` |
+| `pyproject.toml` / `setup.py` | Depends on build backend (`poetry build`, `pip install -e .`, etc.) |
+| `Makefile` | `make build` or first target named `build` |
+| `AGENTS.md` / `CLAUDE.md` | Look for `build:` in project commands section |
+If no manifest is found, prompt the user with: "No detected build command. Pass `--build 'npm run build'` or specify the command."
+### 2. Build the artifact
+```bash
+npm run build
+```
+Or the detected command from step 1. If the build fails, exit non-zero and report the build output.
+### 3. Verify the artifact
+```bash
+ARTIFACT_DIR="${ARTIFACT_DIR:-dist}"
+if [ ! -d "$ARTIFACT_DIR" ] || [ -z "$(ls -A "$ARTIFACT_DIR" 2>/dev/null)" ]; then
+  echo "FAIL: build artifact not found at $ARTIFACT_DIR"
+  exit 1
+fi
+```
+Configurable via `$ARTIFACT_DIR` environment variable (default: `dist/`).
+### 4. Deploy to platform
+Platform-agnostic — supports multiple deployment targets via environment variables:
+| Platform | Env var | Example |
+|----------|---------|---------|
+| Vercel | `VERCEL_TOKEN`, `VERCEL_PROJECT_ID` | `vercel deploy --prod --token $VERCEL_TOKEN` |
+| Netlify | `NETLIFY_AUTH_TOKEN`, `NETLIFY_SITE_ID` | `netlify deploy --prod --auth $NETLIFY_AUTH_TOKEN --dir $ARTIFACT_DIR` |
+| BigBase MCP | MCP tool call | `mcp deploy` via BigBase server |
+| rsync/SSH | `DEPLOY_SSH_USER`, `DEPLOY_SSH_HOST`, `DEPLOY_SSH_PATH` | `rsync -avz $ARTIFACT_DIR/ $DEPLOY_SSH_USER@$DEPLOY_SSH_HOST:$DEPLOY_SSH_PATH` |
+| Custom | `DEPLOY_COMMAND` | Run any deploy command string |
+The deploy tool is selected by which environment variables are set. If none are configured:
+```bash
+echo "No deploy target configured. Set one of: VERCEL_TOKEN, NETLIFY_AUTH_TOKEN, DEPLOY_SSH_USER+DEPLOY_SSH_HOST, DEPLOY_COMMAND, or MCP deploy tool."
+exit 1
+```
+### 5. Wait and poll status
+After invoking the deploy command, poll for completion:
+```bash
+DEPLOY_TIMEOUT="${DEPLOY_TIMEOUT:-300}"   # seconds (default 5 minutes)
+DEPLOY_POLL_INTERVAL="${DEPLOY_POLL_INTERVAL:-30}"  # seconds
+start_time=$(date +%s)
+while true; do
+  elapsed=$(( $(date +%s) - start_time ))
+  if [ "$elapsed" -ge "$DEPLOY_TIMEOUT" ]; then
+    echo "FAIL: deploy status polling timed out after ${DEPLOY_TIMEOUT}s"
+    exit 1
+  fi
+  status=$(get_deploy_status)  # platform-specific status check
+  if [ "$status" = "ready" ] || [ "$status" = "done" ]; then
+    echo "Deploy completed in ${elapsed}s"
+    break
+  fi
+  sleep "$DEPLOY_POLL_INTERVAL"
+done
+```
+Use exponential backoff for retries on transient failures:
+```bash
+RETRY_MAX="${RETRY_MAX:-3}"
+base_delay=2
+for attempt in $(seq 1 "$RETRY_MAX"); do
+  if deploy_command; then
+    break
+  fi
+  if [ "$attempt" -eq "$RETRY_MAX" ]; then
+    echo "FAIL: deploy failed after ${RETRY_MAX} attempts"
+    exit 1
+  fi
+  sleep $(( base_delay * 2 ** (attempt - 1) ))
+done
+```
+### 6. Baseline smoke test
+```bash
+DEPLOY_URL="${DEPLOY_URL:?DEPLOY_URL must be set}"
+if curl -sSf "$DEPLOY_URL" > /dev/null 2>&1; then
+  echo "OK: $DEPLOY_URL responds with HTTP 200"
+else
+  echo "FAIL: $DEPLOY_URL is not responding with HTTP 200"
+  exit 1
+fi
+```
+For comprehensive health-checking, chain to the `smoke-test` skill:
+```bash
+# After deploy success
+bash scripts/run-smoke.sh "$DEPLOY_URL"
+```
+## Configuration
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `ARTIFACT_DIR` | `dist` | Build output directory |
+| `DEPLOY_URL` | *(required)* | Live URL for smoke test |
+| `DEPLOY_TIMEOUT` | `300` | Max wait for deploy completion (seconds) |
+| `DEPLOY_POLL_INTERVAL` | `30` | Polling interval (seconds) |
+| `RETRY_MAX` | `3` | Max deploy retry attempts |
+| `BUILD_COMMAND` | *(auto-detect)* | Override build command |
+## Verification
+→ verify: `test -f deploy/SKILL.md && grep -q 'name: deploy' deploy/SKILL.md && echo OK`
+→ verify: `grep -qi 'build\|artifact\|deploy\|smoke' deploy/SKILL.md && echo OK`
+→ verify: `grep -ci 'package.json\|Cargo.toml\|Makefile\|manifest' deploy/SKILL.md | awk '{if($1>=1) print "OK"; else print "FAIL"}'`
+→ verify: `grep -ci 'timeout\|poll\|status\|retry\|backoff' deploy/SKILL.md | awk '{if($1>=2) print "OK"; else print "FAIL"}'`
+→ verify: `grep -q 'curl.*DEPLOY_URL\|smoke\|health' deploy/SKILL.md && echo OK`

package/.pi/skills/develop-tdd/SKILL.md CHANGED Viewed

@@ -69,6 +69,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
+### 6a. CI dry-run sub-step (when modifying workflows)
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
 ### 7. Manual Verification Handover
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/.pi/skills/release-branch/SKILL.md CHANGED Viewed

@@ -109,6 +109,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
+### 7b. CI verification (solo-local and team-pr)
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
 ### 8. Clean up worktree
 ```bash

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+# [2.11.0](https://github.com/danielvm-git/bigpowers/compare/v2.10.0...v2.11.0) (2026-06-20)
+### Features
+* **skills:** add deploy pipeline — build, verify, deploy, wait, smoke ([35a8530](https://github.com/danielvm-git/bigpowers/commit/35a85309c7ded6faffbf7aad52838b1b9140087f))
+# [2.10.0](https://github.com/danielvm-git/bigpowers/compare/v2.9.0...v2.10.0) (2026-06-20)
+### Features
+* **skills:** add CI verify and dry-run to skills ([e751564](https://github.com/danielvm-git/bigpowers/commit/e75156478b7c23f4e32ed78eec644916f14dd3c4))
 # [2.9.0](https://github.com/danielvm-git/bigpowers/compare/v2.8.0...v2.9.0) (2026-06-20)

package/CONVENTIONS.md CHANGED Viewed

@@ -205,5 +205,6 @@ name must return < 5 results across the repo.
 |-------|----------------------|-----------|
 | `terse-mode` | adjective-noun | `enable-terse` implies a toggle; `terse-mode` names a mode state |
 | `visual-dashboard` | adjective-noun | `view-dashboard` implies read-only; `show-dashboard` collides with `show` verbs |
+| `deploy` | single verb | Well-known DevOps single-word concept; renames like `deploy-app` or `deploy-service` are redundant since deploy always targets an application |
 Any new exception requires an entry in this table before the skill is published.

package/SKILL-INDEX.md CHANGED Viewed

@@ -3,8 +3,8 @@
 > **DO NOT EDIT** — This file is auto-generated by `scripts/generate-skill-index.sh`.
 > Edit `SKILL.md` source files or `skills-lock.json` instead. Run `bash scripts/sync-skills.sh` to regenerate.
-**Generated:** 2026-06-20T21:29:33Z
-**Skills:** 64
+**Generated:** 2026-06-20T21:48:09Z
+**Skills:** 65
 ---
@@ -15,11 +15,11 @@
 | Discover | 6 | `elaborate-spec, map-codebase, research-first, search-skills, survey-context, using-bigpowers` |
 | Design | 7 | `deepen-architecture, define-language, define-success, design-interface, grill-me, grill-with-docs, model-domain` |
 | Plan | 9 | `assess-impact, change-request, plan-refactor, plan-release, plan-work, run-planning, scope-work, seed-conventions, slice-tasks` |
-| Build | 14 | `align-grid, build-epic, craft-skill, develop-tdd, execute-plan, guard-git, hook-commits, kickoff-branch, orchestrate-project, publish-package, setup-environment, spike-prototype, wire-ci, wire-observability` |
+| Build | 15 | `align-grid, build-epic, craft-skill, deploy, develop-tdd, execute-plan, guard-git, hook-commits, kickoff-branch, orchestrate-project, publish-package, setup-environment, spike-prototype, wire-ci, wire-observability` |
 | Verify | 12 | `audit-code, diagnose-root, enforce-first, fix-bug, inspect-quality, investigate-bug, request-review, respond-review, run-evals, trace-requirement, validate-fix, verify-work` |
 | Release | 2 | `commit-message, release-branch` |
 | Sustain | 13 | `compose-workflow, delegate-task, dispatch-agents, edit-document, evolve-skill, migrate-spec, organize-workspace, reset-baseline, session-state, simulate-agents, stocktake-skills, terse-mode, write-document` |
-| **TOTAL** | **63** | |
+| **TOTAL** | **64** | |
 ---
@@ -52,46 +52,47 @@
 | 23 | Build | `align-grid` | "Build editorial/magazine/report webpages on a GENUINE Müller-Brockmann modular | ✅ Active |
 | 24 | Build | `build-epic` | Eight-step epic build cycle — reads state.yaml, execution-status.yaml, and one | ✅ Active |
 | 25 | Build | `craft-skill` | Create new bigpowers skills with proper structure, progressive disclosure, and b | ✅ Active |
-| 26 | Build | `develop-tdd` | Test-driven development with red-green-refactor loop using vertical slices. Use  | ✅ Active |
-| 27 | Build | `execute-plan` | Batch-execute tasks from the active epic capsule sequentially, with a human chec | ✅ Active |
-| 28 | Build | `guard-git` | Block dangerous git commands (push, force push, reset --hard, clean, branch -D,  | ✅ Active |
-| 29 | Build | `hook-commits` | Set up pre-commit hooks with lint-staged (Prettier), type checking, and tests in | ✅ Active |
-| 30 | Build | `kickoff-branch` | Create a git worktree and feature branch, then verify a clean test baseline befo | ✅ Active |
-| 31 | Build | `orchestrate-project` | Meta-skill that enforces the 6-phase core loop (discover → elaborate → plan  | ✅ Active |
-| 32 | Build | `publish-package` | "Package registry publishing for npm, crates.io, PyPI, and Homebrew. Verifies pr | ✅ Active |
-| 33 | Build | `setup-environment` | Pre-install dependencies and configure tools before development work begins. Use | ✅ Active |
-| 34 | Build | `spike-prototype` | Throw-away prototype for unknown problem spaces. Output is learning notes in spe | ✅ Active |
-| 35 | Build | `wire-ci` | "CI pipeline setup with pre-built templates and local validation. Generates GitH | ✅ Active |
-| 36 | Build | `wire-observability` | Add structured JSON logging, observability commands, and idempotent setup script | ✅ Active |
-| 37 | Verify | `audit-code` | Self-review checklist for the coding agent to run before dispatching a reviewer. | ✅ Active |
-| 38 | Verify | `diagnose-root` | Run 4-phase root cause analysis — reproduce, isolate, hypothesize, verify. Use | ✅ Active |
-| 39 | Verify | `enforce-first` | Apply the F.I.R.S.T test quality rubric (Fast, Independent, Repeatable, Self-Val | ✅ Active |
-| 40 | Verify | `fix-bug` | Bug fix orchestrator — active_flow fix_bug; reads specs/bugs/BUG-*.md; chains  | ✅ Active |
-| 41 | Verify | `inspect-quality` | Interactive QA session where user reports bugs or issues conversationally, and t | ✅ Active |
-| 42 | Verify | `investigate-bug` | Investigate a bug or issue by exploring the codebase to find root cause, then wr | ✅ Active |
-| 43 | Verify | `request-review` | Dispatch a fresh reviewer agent with a clean context to critique the code after  | ✅ Active |
-| 44 | Verify | `respond-review` | Act on a reviewer agent's feedback systematically — categorize findings, apply | ✅ Active |
-| 45 | Verify | `run-evals` | Eval-Driven Development — define capability and regression evals before buildi | ✅ Active |
-| 46 | Verify | `trace-requirement` | Link story IDs from specs/release-plan.yaml + epic capsule directories to the im | ✅ Active |
-| 47 | Verify | `validate-fix` | Prove a fix works before declaring done — re-run the failing test, run the ful | ✅ Active |
-| 48 | Verify | `verify-work` | Multi-phase UAT gate — cold-start smoke, build, typecheck, lint, tests, step-b | ✅ Active |
-| 49 | Release | `commit-message` | Reviews working-tree changes, then drafts a Conventional Commits title/body and  | ✅ Active |
-| 50 | Release | `release-branch` | Make the merge/PR/keep/discard decision for a feature branch, verify coverage ga | ✅ Active |
-| 51 | Sustain | `compose-workflow` | Chain multiple bigpowers skills into a custom workflow recipe saved in specs/. U | ✅ Active |
-| 52 | Sustain | `delegate-task` | Delegate one complex task to a single subagent, review its work in two stages be | ✅ Active |
-| 53 | Sustain | `dispatch-agents` | Dispatch multiple subagents in parallel on independent tasks. No waiting between | ✅ Active |
-| 54 | Sustain | `edit-document` | Edit and improve documents by restructuring sections, improving clarity, and tig | ✅ Active |
-| 55 | Sustain | `evolve-skill` | Benchmark-gated skill evolution — consume bigpowers-benchmark report, propose  | ✅ Active |
-| 56 | Sustain | `migrate-spec` | Detect GSD, spec-kit, or BMAD spec artifacts and transform them into bigpowers Y | ✅ Active |
-| 57 | Sustain | `organize-workspace` | Scans the active workspace for disposable artifacts—logs, caches, stale build  | ✅ Active |
-| 58 | Sustain | `reset-baseline` | Restore the project to a known clean state between agent runs or experiments. Us | ✅ Active |
-| 59 | Sustain | `session-state` | Track implementation decisions and progress in specs/state.yaml to prevent conte | ✅ Active |
-| 60 | Sustain | `simulate-agents` | Run Mock User and Auditor agents against a feature in fresh contexts before huma | ✅ Active |
-| 61 | Sustain | `stocktake-skills` | Sequential subagent batch audit of the bigpowers skill catalog — Quick Scan (c | ✅ Active |
-| 62 | Sustain | `terse-mode` | Fallback ultra-compressed communication mode. Cuts token usage ~75% by dropping  | ✅ Active |
-| 63 | Sustain | `write-document` | Write, organize, and sync high-integrity technical documents using the BMAD meth | ✅ Active |
-**Total: 63 active skills.**
+| 26 | Build | `deploy` | "Build → verify artifact → deploy → wait → smoke deployment pipeline. Pl | ✅ Active |
+| 27 | Build | `develop-tdd` | Test-driven development with red-green-refactor loop using vertical slices. Use  | ✅ Active |
+| 28 | Build | `execute-plan` | Batch-execute tasks from the active epic capsule sequentially, with a human chec | ✅ Active |
+| 29 | Build | `guard-git` | Block dangerous git commands (push, force push, reset --hard, clean, branch -D,  | ✅ Active |
+| 30 | Build | `hook-commits` | Set up pre-commit hooks with lint-staged (Prettier), type checking, and tests in | ✅ Active |
+| 31 | Build | `kickoff-branch` | Create a git worktree and feature branch, then verify a clean test baseline befo | ✅ Active |
+| 32 | Build | `orchestrate-project` | Meta-skill that enforces the 6-phase core loop (discover → elaborate → plan  | ✅ Active |
+| 33 | Build | `publish-package` | "Package registry publishing for npm, crates.io, PyPI, and Homebrew. Verifies pr | ✅ Active |
+| 34 | Build | `setup-environment` | Pre-install dependencies and configure tools before development work begins. Use | ✅ Active |
+| 35 | Build | `spike-prototype` | Throw-away prototype for unknown problem spaces. Output is learning notes in spe | ✅ Active |
+| 36 | Build | `wire-ci` | "CI pipeline setup with pre-built templates and local validation. Generates GitH | ✅ Active |
+| 37 | Build | `wire-observability` | Add structured JSON logging, observability commands, and idempotent setup script | ✅ Active |
+| 38 | Verify | `audit-code` | Self-review checklist for the coding agent to run before dispatching a reviewer. | ✅ Active |
+| 39 | Verify | `diagnose-root` | Run 4-phase root cause analysis — reproduce, isolate, hypothesize, verify. Use | ✅ Active |
+| 40 | Verify | `enforce-first` | Apply the F.I.R.S.T test quality rubric (Fast, Independent, Repeatable, Self-Val | ✅ Active |
+| 41 | Verify | `fix-bug` | Bug fix orchestrator — active_flow fix_bug; reads specs/bugs/BUG-*.md; chains  | ✅ Active |
+| 42 | Verify | `inspect-quality` | Interactive QA session where user reports bugs or issues conversationally, and t | ✅ Active |
+| 43 | Verify | `investigate-bug` | Investigate a bug or issue by exploring the codebase to find root cause, then wr | ✅ Active |
+| 44 | Verify | `request-review` | Dispatch a fresh reviewer agent with a clean context to critique the code after  | ✅ Active |
+| 45 | Verify | `respond-review` | Act on a reviewer agent's feedback systematically — categorize findings, apply | ✅ Active |
+| 46 | Verify | `run-evals` | Eval-Driven Development — define capability and regression evals before buildi | ✅ Active |
+| 47 | Verify | `trace-requirement` | Link story IDs from specs/release-plan.yaml + epic capsule directories to the im | ✅ Active |
+| 48 | Verify | `validate-fix` | Prove a fix works before declaring done — re-run the failing test, run the ful | ✅ Active |
+| 49 | Verify | `verify-work` | Multi-phase UAT gate — cold-start smoke, build, typecheck, lint, tests, step-b | ✅ Active |
+| 50 | Release | `commit-message` | Reviews working-tree changes, then drafts a Conventional Commits title/body and  | ✅ Active |
+| 51 | Release | `release-branch` | Make the merge/PR/keep/discard decision for a feature branch, verify coverage ga | ✅ Active |
+| 52 | Sustain | `compose-workflow` | Chain multiple bigpowers skills into a custom workflow recipe saved in specs/. U | ✅ Active |
+| 53 | Sustain | `delegate-task` | Delegate one complex task to a single subagent, review its work in two stages be | ✅ Active |
+| 54 | Sustain | `dispatch-agents` | Dispatch multiple subagents in parallel on independent tasks. No waiting between | ✅ Active |
+| 55 | Sustain | `edit-document` | Edit and improve documents by restructuring sections, improving clarity, and tig | ✅ Active |
+| 56 | Sustain | `evolve-skill` | Benchmark-gated skill evolution — consume bigpowers-benchmark report, propose  | ✅ Active |
+| 57 | Sustain | `migrate-spec` | Detect GSD, spec-kit, or BMAD spec artifacts and transform them into bigpowers Y | ✅ Active |
+| 58 | Sustain | `organize-workspace` | Scans the active workspace for disposable artifacts—logs, caches, stale build  | ✅ Active |
+| 59 | Sustain | `reset-baseline` | Restore the project to a known clean state between agent runs or experiments. Us | ✅ Active |
+| 60 | Sustain | `session-state` | Track implementation decisions and progress in specs/state.yaml to prevent conte | ✅ Active |
+| 61 | Sustain | `simulate-agents` | Run Mock User and Auditor agents against a feature in fresh contexts before huma | ✅ Active |
+| 62 | Sustain | `stocktake-skills` | Sequential subagent batch audit of the bigpowers skill catalog — Quick Scan (c | ✅ Active |
+| 63 | Sustain | `terse-mode` | Fallback ultra-compressed communication mode. Cuts token usage ~75% by dropping  | ✅ Active |
+| 64 | Sustain | `write-document` | Write, organize, and sync high-integrity technical documents using the BMAD meth | ✅ Active |
+**Total: 64 active skills.**
 ---

package/deploy/SKILL.md ADDED Viewed

@@ -0,0 +1,165 @@
+---
+name: deploy
+description: "Build → verify artifact → deploy → wait → smoke deployment pipeline. Platform-agnostic (MCP or CLI), with configurable timeout, retry with exponential backoff, and integrated health-check. The deploy half of CI/CD: run after build to push to production."
+model: sonnet
+---
+# Deploy
+> **HARD GATE** — Do not deploy without running tests first. Run `test` or your CI suite before this skill.
+>
+> **HARD GATE** — Use this skill from a CI/CD pipeline or post-merge on `main`/`master`. Never deploy from a feature branch.
+>
+> **HARD GATE** — The deploy skill orchestrates deployment; the `smoke-test` skill validates post-deploy health. Chain them: `deploy → smoke-test`.
+Orchestrate a full build-to-deployment pipeline: build the artifact, verify it exists and is non-empty, invoke a platform deploy tool (MCP or CLI), poll until the deploy completes or times out, then run a baseline smoke test against the live URL.
+## Pipeline Stages
+```
+build → verify artifact → deploy → wait/retry → smoke
+```
+| Stage | Description | Failure mode |
+|-------|-------------|-------------|
+| Build | Execute the project's build command | Non-zero exit: report build error |
+| Verify | Check artifact exists and is non-empty | Missing/empty: report artifact path |
+| Deploy | Invoke platform deploy tool (MCP, Vercel CLI, rsync, etc.) | Non-zero exit: report deploy error |
+| Wait | Poll deploy status every 30s up to `DEPLOY_TIMEOUT` (default 5 min) | Timeout: report exceeded |
+| Smoke | `curl -sSf $DEPLOY_URL` as baseline health check | Non-200: report failure |
+## Process
+### 1. Detect build command
+Read project manifest files in order to determine the build command:
+| Manifest | Build command |
+|----------|--------------|
+| `package.json` | `npm run build` (or `scripts.build` value) |
+| `Cargo.toml` | `cargo build --release` |
+| `pyproject.toml` / `setup.py` | Depends on build backend (`poetry build`, `pip install -e .`, etc.) |
+| `Makefile` | `make build` or first target named `build` |
+| `AGENTS.md` / `CLAUDE.md` | Look for `build:` in project commands section |
+If no manifest is found, prompt the user with: "No detected build command. Pass `--build 'npm run build'` or specify the command."
+### 2. Build the artifact
+```bash
+npm run build
+```
+Or the detected command from step 1. If the build fails, exit non-zero and report the build output.
+### 3. Verify the artifact
+```bash
+ARTIFACT_DIR="${ARTIFACT_DIR:-dist}"
+if [ ! -d "$ARTIFACT_DIR" ] || [ -z "$(ls -A "$ARTIFACT_DIR" 2>/dev/null)" ]; then
+  echo "FAIL: build artifact not found at $ARTIFACT_DIR"
+  exit 1
+fi
+```
+Configurable via `$ARTIFACT_DIR` environment variable (default: `dist/`).
+### 4. Deploy to platform
+Platform-agnostic — supports multiple deployment targets via environment variables:
+| Platform | Env var | Example |
+|----------|---------|---------|
+| Vercel | `VERCEL_TOKEN`, `VERCEL_PROJECT_ID` | `vercel deploy --prod --token $VERCEL_TOKEN` |
+| Netlify | `NETLIFY_AUTH_TOKEN`, `NETLIFY_SITE_ID` | `netlify deploy --prod --auth $NETLIFY_AUTH_TOKEN --dir $ARTIFACT_DIR` |
+| BigBase MCP | MCP tool call | `mcp deploy` via BigBase server |
+| rsync/SSH | `DEPLOY_SSH_USER`, `DEPLOY_SSH_HOST`, `DEPLOY_SSH_PATH` | `rsync -avz $ARTIFACT_DIR/ $DEPLOY_SSH_USER@$DEPLOY_SSH_HOST:$DEPLOY_SSH_PATH` |
+| Custom | `DEPLOY_COMMAND` | Run any deploy command string |
+The deploy tool is selected by which environment variables are set. If none are configured:
+```bash
+echo "No deploy target configured. Set one of: VERCEL_TOKEN, NETLIFY_AUTH_TOKEN, DEPLOY_SSH_USER+DEPLOY_SSH_HOST, DEPLOY_COMMAND, or MCP deploy tool."
+exit 1
+```
+### 5. Wait and poll status
+After invoking the deploy command, poll for completion:
+```bash
+DEPLOY_TIMEOUT="${DEPLOY_TIMEOUT:-300}"   # seconds (default 5 minutes)
+DEPLOY_POLL_INTERVAL="${DEPLOY_POLL_INTERVAL:-30}"  # seconds
+start_time=$(date +%s)
+while true; do
+  elapsed=$(( $(date +%s) - start_time ))
+  if [ "$elapsed" -ge "$DEPLOY_TIMEOUT" ]; then
+    echo "FAIL: deploy status polling timed out after ${DEPLOY_TIMEOUT}s"
+    exit 1
+  fi
+  status=$(get_deploy_status)  # platform-specific status check
+  if [ "$status" = "ready" ] || [ "$status" = "done" ]; then
+    echo "Deploy completed in ${elapsed}s"
+    break
+  fi
+  sleep "$DEPLOY_POLL_INTERVAL"
+done
+```
+Use exponential backoff for retries on transient failures:
+```bash
+RETRY_MAX="${RETRY_MAX:-3}"
+base_delay=2
+for attempt in $(seq 1 "$RETRY_MAX"); do
+  if deploy_command; then
+    break
+  fi
+  if [ "$attempt" -eq "$RETRY_MAX" ]; then
+    echo "FAIL: deploy failed after ${RETRY_MAX} attempts"
+    exit 1
+  fi
+  sleep $(( base_delay * 2 ** (attempt - 1) ))
+done
+```
+### 6. Baseline smoke test
+```bash
+DEPLOY_URL="${DEPLOY_URL:?DEPLOY_URL must be set}"
+if curl -sSf "$DEPLOY_URL" > /dev/null 2>&1; then
+  echo "OK: $DEPLOY_URL responds with HTTP 200"
+else
+  echo "FAIL: $DEPLOY_URL is not responding with HTTP 200"
+  exit 1
+fi
+```
+For comprehensive health-checking, chain to the `smoke-test` skill:
+```bash
+# After deploy success
+bash scripts/run-smoke.sh "$DEPLOY_URL"
+```
+## Configuration
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `ARTIFACT_DIR` | `dist` | Build output directory |
+| `DEPLOY_URL` | *(required)* | Live URL for smoke test |
+| `DEPLOY_TIMEOUT` | `300` | Max wait for deploy completion (seconds) |
+| `DEPLOY_POLL_INTERVAL` | `30` | Polling interval (seconds) |
+| `RETRY_MAX` | `3` | Max deploy retry attempts |
+| `BUILD_COMMAND` | *(auto-detect)* | Override build command |
+## Verification
+→ verify: `test -f deploy/SKILL.md && grep -q 'name: deploy' deploy/SKILL.md && echo OK`
+→ verify: `grep -qi 'build\|artifact\|deploy\|smoke' deploy/SKILL.md && echo OK`
+→ verify: `grep -ci 'package.json\|Cargo.toml\|Makefile\|manifest' deploy/SKILL.md | awk '{if($1>=1) print "OK"; else print "FAIL"}'`
+→ verify: `grep -ci 'timeout\|poll\|status\|retry\|backoff' deploy/SKILL.md | awk '{if($1>=2) print "OK"; else print "FAIL"}'`
+→ verify: `grep -q 'curl.*DEPLOY_URL\|smoke\|health' deploy/SKILL.md && echo OK`

package/develop-tdd/SKILL.md CHANGED Viewed

@@ -68,6 +68,66 @@ After all tests pass: extract duplication, deepen modules, apply SOLID principle
 After every behavior cycle, run the verify command from the active epic task. Show evidence before declaring the step done.
+### 6a. CI dry-run sub-step (when modifying workflows)
+If this cycle modified files in `.github/workflows/`, run a CI dry-run before pushing:
+```bash
+# 1. Check for workflow file changes
+CHANGED_WORKFLOWS=$(git diff --name-only HEAD | grep '\.github/workflows/' || true)
+if [ -n "$CHANGED_WORKFLOWS" ]; then
+  echo "==> CI dry-run: workflow files changed"
+  echo "    $CHANGED_WORKFLOWS"
+  # 2. Validate YAML syntax
+  if command -v yamllint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      yamllint "$f" && echo "  OK: $f passes YAML lint" || echo "  WARN: $f has YAML issues"
+    done
+  else
+    # Fallback: Python YAML parse
+    for f in $CHANGED_WORKFLOWS; do
+      python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null && \
+        echo "  OK: $f YAML syntax valid" || \
+        echo "  FAIL: $f has YAML syntax errors"
+    done
+  fi
+  # 3. Run actionlint if available
+  if command -v actionlint &>/dev/null; then
+    for f in $CHANGED_WORKFLOWS; do
+      actionlint "$f" && echo "  OK: $f passes actionlint" || echo "  WARN: $f has actionlint issues"
+    done
+  fi
+  # 4. Check common pitfalls
+  for f in $CHANGED_WORKFLOWS; do
+    # Missing permissions block
+    if ! grep -q 'permissions:' "$f"; then
+      echo "  WARNING: $f missing permissions block — add one for security"
+    fi
+    # npm publish without NPM_TOKEN
+    if grep -q 'npm publish\|npx semantic-release' "$f" && ! grep -q 'NPM_TOKEN' "$f"; then
+      echo "  WARNING: $f has npm publish/semantic-release but no NPM_TOKEN in secrets"
+    fi
+    # Hardcoded Node versions
+    if grep -q 'node-version: [0-9]' "$f"; then
+      echo "  NOTE: $f has hardcoded Node version — consider node-version-file: .nvmrc"
+    fi
+  done
+  # 5. Suggest local dry-run
+  if command -v act &>/dev/null; then
+    echo "  SUGGESTION: Run 'act push --dry-run' to test workflows locally"
+  fi
+fi
+```
+Checklist:
+- [ ] YAML syntax validated for all changed workflow files
+- [ ] No missing permissions, secrets, or hardcoded versions flagged
+- [ ] Local dry-run suggested if `act` is available
 ### 7. Manual Verification Handover
 Once all tests pass: locate the Verification Script in the active epic capsule, present it to the user step-by-step, and wait for confirmation of behavioral correctness.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bigpowers",
-  "version": "2.9.0",
+  "version": "2.11.0",
   "description": "61 agent skills for spec-driven, test-first software development by solo developers",
   "main": "index.js",
   "scripts": {

package/release-branch/SKILL.md CHANGED Viewed

@@ -108,6 +108,52 @@ gh pr merge --squash --delete-branch
 mv specs/epics/eNN-slug specs/epics/archive/
 ```
+### 7b. CI verification (solo-local and team-pr)
+> **HARD GATE** — Do NOT declare success until CI completes. A push that fails CI is a regression, not a release.
+After push (solo-local step 5 or team-pr step 7), verify the CI workflow completes successfully:
+```bash
+echo "==> Polling CI for main branch..."
+TIMEOUT=600   # 10 minutes
+INTERVAL=30   # poll every 30 seconds
+ELAPSED=0
+while [ $ELAPSED -lt $TIMEOUT ]; do
+  CI_JSON=$(gh run list --limit 1 --branch main --workflow CI --json status,conclusion,headSha,databaseId 2>/dev/null)
+  CI_STATUS=$(echo "$CI_JSON" | jq -r '.[0].status // "unknown"')
+  CI_CONCLUSION=$(echo "$CI_JSON" | jq -r '.[0].conclusion // ""')
+  CI_SHA=$(echo "$CI_JSON" | jq -r '.[0].headSha // ""')
+  CI_ID=$(echo "$CI_JSON" | jq -r '.[0].databaseId // ""')
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "success" ]; then
+    echo "OK: CI passed for $(git rev-parse --short HEAD)"
+    bp-yaml-set.sh specs/state.yaml release.ci_verified true 2>/dev/null || \
+      echo "  (bp-yaml-set not available — manually set release.ci_verified: true in state.yaml)"
+    break
+  fi
+  if [ "$CI_STATUS" = "completed" ] && [ "$CI_CONCLUSION" = "failure" ]; then
+    echo "FAIL: CI failed for $(git rev-parse --short HEAD)"
+    echo "  Run URL: https://github.com/$(gh repo view --json nameWithOwner -q .nameWithOwner)/actions/runs/$CI_ID"
+    echo "  Handoff to fix-bug with the failure URL above."
+    return 1
+  fi
+  sleep $INTERVAL
+  ELAPSED=$((ELAPSED + INTERVAL))
+  echo "  Waiting... (${ELAPSED}s / ${TIMEOUT}s)"
+done
+echo "FAIL: CI did not complete within ${TIMEOUT}s timeout"
+return 1
+```
+- [ ] CI workflow passes after push
+- [ ] `release.ci_verified: true` documented in state.yaml
+- On failure: `handoff.next_skill = fix-bug` with the CI failure URL
 ### 8. Clean up worktree
 ```bash

package/scripts/generate-skill-index.sh CHANGED Viewed

@@ -56,6 +56,7 @@ PHASE_MAP=(
   [orchestrate-project]="Build"
   [guard-git]="Build"
   [hook-commits]="Build"
+  [deploy]="Build"
   # Verify
   [verify-work]="Verify"
   [validate-fix]="Verify"

package/skills-lock.json CHANGED Viewed

@@ -61,6 +61,11 @@
       "sha256": "9e3b8bd7274def42",
       "path": "delegate-task/SKILL.md"
     },
+    "deploy": {
+      "description": "\"Build → verify artifact → deploy → wait → smoke deployment pipeline. Platform-agnostic (MCP or CLI), with configurable timeout, retry with exponential backoff, and integrated health-check. The deploy half of CI/CD: run after build to push to production.\"",
+      "sha256": "260894aa4f869093",
+      "path": "deploy/SKILL.md"
+    },
     "design-interface": {
       "description": "Generate multiple radically different interface designs for a module using parallel sub-agents, then compare trade-offs. Based on \"Design It Twice\" from A Philosophy of Software Design. Use when user wants to design an API, explore interface options, compare module shapes, or mentions \"design it twice\".",
       "sha256": "c93e3fe065857cb8",
@@ -68,7 +73,7 @@
     },
     "develop-tdd": {
       "description": "Test-driven development with red-green-refactor loop using vertical slices. Use for features (epic tasks) or bugs (specs/bugs/BUG-*.md).",
-      "sha256": "af45529ecb20d449",
+      "sha256": "4002d960b18436cd",
       "path": "develop-tdd/SKILL.md"
     },
     "diagnose-root": {
@@ -193,7 +198,7 @@
     },
     "release-branch": {
       "description": "Make the merge/PR/keep/discard decision for a feature branch, verify coverage gates, create the PR with gh, and clean up the worktree. Use when a feature is done and ready to ship, or when user says \"release\", \"merge\", or \"open a PR\".",
-      "sha256": "70fc37ac4e22143d",
+      "sha256": "6b2df2c92230d098",
       "path": "release-branch/SKILL.md"
     },
     "request-review": {