npm - dw-kit - Versions diffs - 1.3.0 → 1.3.5 - Mend

dw-kit 1.3.0 → 1.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/.claude/hooks/supply-chain-scan.sh +102 -0
package/.claude/rules/dw.md +2 -0
package/.claude/settings.json +13 -1
package/.claude/skills/dw-execute/SKILL.md +30 -7
package/.claude/skills/dw-handoff/SKILL.md +14 -3
package/.claude/skills/dw-plan/SKILL.md +103 -6
package/.claude/skills/dw-research/SKILL.md +18 -4
package/.claude/skills/dw-retroactive/SKILL.md +84 -200
package/.claude/skills/dw-task-init/SKILL.md +45 -33
package/.dw/core/ROLES.md +257 -257
package/.dw/security/ioc-namespaces.json +40 -0
package/CLAUDE.md +3 -1
package/MIGRATION-v1.3.md +5 -4
package/README.md +14 -2
package/package.json +2 -1
package/src/cli.mjs +27 -0
package/src/commands/doctor.mjs +21 -0
package/src/commands/init.mjs +45 -2
package/src/commands/metrics.mjs +21 -1
package/src/commands/security-scan.mjs +427 -0
package/src/commands/upgrade.mjs +54 -0
package/src/lib/cut-analysis.mjs +79 -0
package/src/lib/gitignore.mjs +86 -0
package/src/lib/sc-install.mjs +93 -0
package/src/lib/sc-scanner.mjs +272 -0
package/src/lib/sc-sync.mjs +198 -0
package/src/lib/telemetry.mjs +7 -0

package/.dw/core/ROLES.md CHANGED Viewed

@@ -1,257 +1,257 @@
-<!-- core-version: 1.0 -->
-# Team Roles & Authority
-> **Nguyên tắc**: Roles = capabilities, không phải hierarchy.
-> Config `team.roles` quyết định phases nào available, không phải quality tier.
----
-## Role Overview
-| Role | Ký hiệu config | Core responsibility | Decision authority |
-|------|----------------|--------------------|--------------------|
-| Developer | `dev` | Implementation, testing | Code-level decisions |
-| Tech Lead | `techlead` | Architecture, code standards | Architecture decisions, plan approval |
-| Business Analyst | `ba` | Requirements, user stories | Requirements sign-off |
-| QC Engineer | `qc` | Test planning, quality verification | QA sign-off (Layer 4) |
-| Product Manager | `pm` | Progress visibility, metrics | Sprint planning, backlog priority |
-> `dev` luôn required. Các roles khác là optional — không có thì phase đó gracefully degrade.
----
-## Developer (`dev`)
-**Trách nhiệm chính**: Research → Plan → Execute → Commit
-### Phases Developer Owns
-| Phase | Responsibility |
-|-------|---------------|
-| Initialize | Tạo task docs, scope assessment |
-| Understand | Codebase research, context gathering |
-| Plan | Solution design, subtask breakdown |
-| Execute | Implementation, TDD, subtask commits |
-| Verify | Self-review (Layer 1), automated gates (Layer 2) |
-| Close | Commit, effort log, handoff |
-### Decision Authority
-- Code implementation decisions
-- Library/dependency choices (minor)
-- Subtask ordering và approach (trong scope của plan approved)
-- **DỪNG và hỏi khi**: architecture change, API contract change, scope expansion
-### Best Practices
-- Commit nhỏ, thường xuyên (mỗi subtask = 1 commit)
-- Update progress file sau mỗi subtask
-- Không implement ngoài scope plan đã approve
-- Phát hiện giả định sai → ghi Changelog + hỏi TL trước khi tiếp tục
----
-## Tech Lead (`techlead`)
-**Trách nhiệm chính**: Architecture quality, standards enforcement, plan approval
-### Phases TL Owns
-| Phase | Responsibility |
-|-------|---------------|
-| Plan | Architecture review, approve plan trước Execute |
-| Execute | Unblock architecture decisions during implementation |
-| Verify | Code review (Layer 3 — architecture focus) |
-| Close | Final technical sign-off |
-### Decision Authority
-- Architecture decisions (service boundaries, patterns, data models)
-- Plan approval: **explicit gate** — Execute không bắt đầu khi chưa có TL approve
-- A/B testing resolution: TL chọn approach khi hai approaches không rõ ưu/nhược
-- Technical debt acknowledgment: quyết định "acceptable" hay "must fix"
-### Architecture Review Checklist
-```
-[ ] Approach consistent với codebase patterns?
-[ ] Scalability implications acceptable?
-[ ] Security design đúng?
-[ ] API contract backward compatible (hoặc migration plan có)?
-[ ] Subtask breakdown hợp lý? Dependencies đúng?
-[ ] Risks identified và có mitigation?
-```
-### TL không có?
-- Plan vẫn proceed nhưng developer self-review architecture decisions
-- Ghi rõ trong plan: "Architecture decision by dev (no TL review)"
-- Architecture decisions nên bảo thủ hơn khi không có TL
----
-## Business Analyst (`ba`)
-**Trách nhiệm chính**: Requirements clarity, user stories, acceptance criteria
-### Phases BA Owns
-| Phase | Responsibility |
-|-------|---------------|
-| Initialize | Requirements gathering, user stories |
-| Plan | Review subtask acceptance criteria |
-| Verify | Acceptance criteria verification |
-### Decision Authority
-- Requirements sign-off: "dev builds the right thing"
-- Scope boundary: in-scope vs out-of-scope
-- Acceptance criteria: testable, specific, agreed
-### Requirements Output Format
-```markdown
-## User Story
-As a [role], I want [goal] so that [benefit].
-## Acceptance Criteria
-Given [precondition]
-When [action]
-Then [outcome]
-## Out of Scope
-- [explicitly excluded items]
-## Edge Cases to Handle
-- [edge case 1]
-- [edge case 2]
-```
-### BA không có?
-- Developer writes requirements từ conversation với stakeholder
-- Requirements review là developer + TL (không có independent BA)
-- Risk cao hơn về misunderstood requirements — tăng frequency of check-ins
----
-## QC Engineer (`qc`)
-**Trách nhiệm chính**: Test planning, independent quality verification
-### Phases QC Owns
-| Phase | Responsibility |
-|-------|---------------|
-| Plan | Test plan tạo song song với dev plan |
-| Verify | Execute test plan, Layer 4 sign-off |
-### Decision Authority
-- QA sign-off: **explicit gate** cho `thorough` depth — không thể self-approve
-- Bug severity classification
-- Regression scope: gì cần test lại sau change
-### Test Plan Structure
-```markdown
-## Test Cases
-### TC-1: [Test case name]
-- **Given**: [precondition]
-- **When**: [action]
-- **Then**: [expected result]
-- **Priority**: P1/P2/P3
-## Regression Checklist
-- [ ] [Feature 1 không bị ảnh hưởng]
-- [ ] [Feature 2 không bị ảnh hưởng]
-## Security Checklist (nếu applicable)
-- [ ] Input validation
-- [ ] Auth/authz checks
-- [ ] No data exposure
-## Performance Checklist (nếu applicable)
-- [ ] Response time acceptable
-- [ ] No N+1 queries introduced
-```
-### QC không có?
-- Developer tự execute test plan (nếu có) hoặc manual verification
-- Layer 4 QA sign-off skip — nhưng automated gates (Layer 4a) vẫn chạy
-- Risk cao hơn về undiscovered bugs
----
-## Product Manager (`pm`)
-**Trách nhiệm chính**: Progress visibility, metrics, sprint planning
-### Phases PM Owns
-| Phase | Responsibility |
-|-------|---------------|
-| Initialize | Sprint planning, priority |
-| Close | Sprint review, velocity tracking |
-| Standalone: Reports | Dashboard generation |
-### PM View
-PM không cần đọc code — PM đọc:
-- Progress files (status per subtask)
-- Dashboard reports (velocity, metrics)
-- Sprint review summaries
-### Dashboard Metrics
-| Metric | Source | Update frequency |
-|--------|--------|-----------------|
-| Tasks: done/in-progress/blocked | Progress files | Real-time |
-| Velocity | Closed tasks per sprint | Per sprint |
-| Estimate accuracy | Estimate vs actual | Per task |
-| DORA: deployment frequency | Git history | Per release |
-| DORA: lead time | Task start → deploy | Per release |
----
-## Multi-Role Workflow
-Full team workflow (tất cả roles):
-```
-BA: /dw-requirements     → requirements doc + user stories
-     ↓
-TL: /dw-arch-review      → architecture decision + approve
-     ↓
-Dev: /dw-task-init       → task docs
-Dev: /dw-research        → codebase analysis
-Dev+QC: /dw-plan         → dev plan + test plan (parallel)
-     ↓
-TL approve plan
-     ↓
-Dev: /dw-execute         → TDD implementation, commits
-     ↓
-TL: /dw-review           → architecture + code review
-     ↓
-QC: manual/auto testing  → Layer 4 verification
-     ↓
-Dev: /dw-commit          → pre-commit gates
-     ↓
-PM: /dw-dashboard        → visibility, metrics
-```
-Không phải mọi task cần full chain. `default_depth` + available roles quyết định.
----
-## Role-Depth Matrix
-| Role | Quick | Standard | Thorough |
-|------|-------|----------|----------|
-| dev | required | required | required |
-| techlead | not needed | arch decisions only | full review + approval |
-| ba | not needed | requirements check | full requirements |
-| qc | not needed | not needed | full test plan + sign-off |
-| pm | not needed | optional | dashboard |
+<!-- core-version: 1.0 -->
+# Team Roles & Authority
+> **Nguyên tắc**: Roles = capabilities, không phải hierarchy.
+> Config `team.roles` quyết định phases nào available, không phải quality tier.
+---
+## Role Overview
+| Role | Ký hiệu config | Core responsibility | Decision authority |
+|------|----------------|--------------------|--------------------|
+| Developer | `dev` | Implementation, testing | Code-level decisions |
+| Tech Lead | `techlead` | Architecture, code standards | Architecture decisions, plan approval |
+| Business Analyst | `ba` | Requirements, user stories | Requirements sign-off |
+| QC Engineer | `qc` | Test planning, quality verification | QA sign-off (Layer 4) |
+| Product Manager | `pm` | Progress visibility, metrics | Sprint planning, backlog priority |
+> `dev` luôn required. Các roles khác là optional — không có thì phase đó gracefully degrade.
+---
+## Developer (`dev`)
+**Trách nhiệm chính**: Research → Plan → Execute → Commit
+### Phases Developer Owns
+| Phase | Responsibility |
+|-------|---------------|
+| Initialize | Tạo task docs, scope assessment |
+| Understand | Codebase research, context gathering |
+| Plan | Solution design, subtask breakdown |
+| Execute | Implementation, TDD, subtask commits |
+| Verify | Self-review (Layer 1), automated gates (Layer 2) |
+| Close | Commit, effort log, handoff |
+### Decision Authority
+- Code implementation decisions
+- Library/dependency choices (minor)
+- Subtask ordering và approach (trong scope của plan approved)
+- **DỪNG và hỏi khi**: architecture change, API contract change, scope expansion
+### Best Practices
+- Commit nhỏ, thường xuyên (mỗi subtask = 1 commit)
+- Update progress file sau mỗi subtask
+- Không implement ngoài scope plan đã approve
+- Phát hiện giả định sai → ghi Changelog + hỏi TL trước khi tiếp tục
+---
+## Tech Lead (`techlead`)
+**Trách nhiệm chính**: Architecture quality, standards enforcement, plan approval
+### Phases TL Owns
+| Phase | Responsibility |
+|-------|---------------|
+| Plan | Architecture review, approve plan trước Execute |
+| Execute | Unblock architecture decisions during implementation |
+| Verify | Code review (Layer 3 — architecture focus) |
+| Close | Final technical sign-off |
+### Decision Authority
+- Architecture decisions (service boundaries, patterns, data models)
+- Plan approval: **explicit gate** — Execute không bắt đầu khi chưa có TL approve
+- A/B testing resolution: TL chọn approach khi hai approaches không rõ ưu/nhược
+- Technical debt acknowledgment: quyết định "acceptable" hay "must fix"
+### Architecture Review Checklist
+```
+[ ] Approach consistent với codebase patterns?
+[ ] Scalability implications acceptable?
+[ ] Security design đúng?
+[ ] API contract backward compatible (hoặc migration plan có)?
+[ ] Subtask breakdown hợp lý? Dependencies đúng?
+[ ] Risks identified và có mitigation?
+```
+### TL không có?
+- Plan vẫn proceed nhưng developer self-review architecture decisions
+- Ghi rõ trong plan: "Architecture decision by dev (no TL review)"
+- Architecture decisions nên bảo thủ hơn khi không có TL
+---
+## Business Analyst (`ba`)
+**Trách nhiệm chính**: Requirements clarity, user stories, acceptance criteria
+### Phases BA Owns
+| Phase | Responsibility |
+|-------|---------------|
+| Initialize | Requirements gathering, user stories |
+| Plan | Review subtask acceptance criteria |
+| Verify | Acceptance criteria verification |
+### Decision Authority
+- Requirements sign-off: "dev builds the right thing"
+- Scope boundary: in-scope vs out-of-scope
+- Acceptance criteria: testable, specific, agreed
+### Requirements Output Format
+```markdown
+## User Story
+As a [role], I want [goal] so that [benefit].
+## Acceptance Criteria
+Given [precondition]
+When [action]
+Then [outcome]
+## Out of Scope
+- [explicitly excluded items]
+## Edge Cases to Handle
+- [edge case 1]
+- [edge case 2]
+```
+### BA không có?
+- Developer writes requirements từ conversation với stakeholder
+- Requirements review là developer + TL (không có independent BA)
+- Risk cao hơn về misunderstood requirements — tăng frequency of check-ins
+---
+## QC Engineer (`qc`)
+**Trách nhiệm chính**: Test planning, independent quality verification
+### Phases QC Owns
+| Phase | Responsibility |
+|-------|---------------|
+| Plan | Test plan tạo song song với dev plan |
+| Verify | Execute test plan, Layer 4 sign-off |
+### Decision Authority
+- QA sign-off: **explicit gate** cho `thorough` depth — không thể self-approve
+- Bug severity classification
+- Regression scope: gì cần test lại sau change
+### Test Plan Structure
+```markdown
+## Test Cases
+### TC-1: [Test case name]
+- **Given**: [precondition]
+- **When**: [action]
+- **Then**: [expected result]
+- **Priority**: P1/P2/P3
+## Regression Checklist
+- [ ] [Feature 1 không bị ảnh hưởng]
+- [ ] [Feature 2 không bị ảnh hưởng]
+## Security Checklist (nếu applicable)
+- [ ] Input validation
+- [ ] Auth/authz checks
+- [ ] No data exposure
+## Performance Checklist (nếu applicable)
+- [ ] Response time acceptable
+- [ ] No N+1 queries introduced
+```
+### QC không có?
+- Developer tự execute test plan (nếu có) hoặc manual verification
+- Layer 4 QA sign-off skip — nhưng automated gates (Layer 4a) vẫn chạy
+- Risk cao hơn về undiscovered bugs
+---
+## Product Manager (`pm`)
+**Trách nhiệm chính**: Progress visibility, metrics, sprint planning
+### Phases PM Owns
+| Phase | Responsibility |
+|-------|---------------|
+| Initialize | Sprint planning, priority |
+| Close | Sprint review, velocity tracking |
+| Standalone: Reports | Dashboard generation |
+### PM View
+PM không cần đọc code — PM đọc:
+- Progress files (status per subtask)
+- Dashboard reports (velocity, metrics)
+- Sprint review summaries
+### Dashboard Metrics
+| Metric | Source | Update frequency |
+|--------|--------|-----------------|
+| Tasks: done/in-progress/blocked | Progress files | Real-time |
+| Velocity | Closed tasks per sprint | Per sprint |
+| Estimate accuracy | Estimate vs actual | Per task |
+| DORA: deployment frequency | Git history | Per release |
+| DORA: lead time | Task start → deploy | Per release |
+---
+## Multi-Role Workflow
+Full team workflow (tất cả roles):
+```
+BA: /dw:requirements     → requirements doc + user stories
+     ↓
+TL: /dw:arch-review      → architecture decision + approve
+     ↓
+Dev: /dw:task-init       → task docs
+Dev: /dw:research        → codebase analysis
+Dev+QC: /dw:plan         → dev plan + test plan (parallel)
+     ↓
+TL approve plan
+     ↓
+Dev: /dw:execute         → TDD implementation, commits
+     ↓
+TL: /dw:review           → architecture + code review
+     ↓
+QC: manual/auto testing  → Layer 4 verification
+     ↓
+Dev: /dw:commit          → pre-commit gates
+     ↓
+PM: /dw:dashboard        → visibility, metrics
+```
+Không phải mọi task cần full chain. `default_depth` + available roles quyết định.
+---
+## Role-Depth Matrix
+| Role | Quick | Standard | Thorough |
+|------|-------|----------|----------|
+| dev | required | required | required |
+| techlead | not needed | arch decisions only | full review + approval |
+| ba | not needed | requirements check | full requirements |
+| qc | not needed | not needed | full test plan + sign-off |
+| pm | not needed | optional | dashboard |

package/.dw/security/ioc-namespaces.json ADDED Viewed

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.0",
+  "updated": "2026-05-13",
+  "purpose": "Curated namespace patterns under ACTIVE incident — fallback for pre-install scan when OSV.dev is unavailable. Auto-expires per active_until date. TL updates when new incident requires fixture-level warning before OSV propagation.",
+  "namespaces": [
+    {
+      "pattern": "@tanstack/",
+      "reason": "Active incident 2026-05-11 — Mini Shai-Hulud worm (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx). 84 malicious versions across 42 @tanstack/* packages published 2026-05-11 19:20-19:26 UTC. Worm self-propagated to 169+ packages.",
+      "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
+      "active_until": "2026-11-11",
+      "severity": "critical",
+      "guidance": "If installing @tanstack/* fresh: verify version is NOT in 1.169.5-1.169.8 range; prefer 1.169.9+. Check SLSA provenance attestation matches expected publisher. If already installed and lockfile pins 1.169.5-8: rotate ALL credentials (npm tokens, GitHub PATs, SSH keys, cloud keys, Claude/AI configs) before continuing."
+    },
+    {
+      "pattern": "@uipath/",
+      "reason": "Worm spread vector from TanStack incident (2026-05-11) — 70+ @uipath/* packages compromised via stolen npm OIDC tokens.",
+      "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
+      "active_until": "2026-11-11",
+      "severity": "critical",
+      "guidance": "Verify each @uipath/* install against official UiPath release notes. Worm SLSA attestations are VALID — provenance check alone is insufficient. Cross-reference with UiPath security bulletin."
+    },
+    {
+      "pattern": "@mistralai/",
+      "reason": "Worm spread vector (2026-05-11) — @mistralai/mistralai 2.2.3-2.2.4 compromised on both npm and PyPI.",
+      "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
+      "active_until": "2026-11-11",
+      "severity": "critical",
+      "guidance": "Avoid @mistralai/mistralai 2.2.3-2.2.4. Pin to 2.2.2 or 2.2.5+ once available."
+    },
+    {
+      "pattern": "@opensearch-project/opensearch",
+      "reason": "Worm spread vector (2026-05-11) — @opensearch-project/opensearch 3.6.2 compromised (1.3M weekly downloads).",
+      "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
+      "active_until": "2026-11-11",
+      "severity": "critical",
+      "guidance": "Avoid version 3.6.2. Pin to 3.6.1 or 3.6.3+."
+    }
+  ],
+  "maintenance_note": "This fixture is a SHORT-TERM defensive measure. Per ADR-0005 design, OSV.dev/GHSA auto-sync is the primary source; this fixture handles offline + post-incident pre-propagation window. TL prunes entries past active_until on regular release cycles."
+}

package/CLAUDE.md CHANGED Viewed

@@ -3,7 +3,7 @@
 Workflow toolkit codebase. Rules live in `.claude/rules/` (auto-loaded).
 **v2.0 direction:** Context-First SDLC Governance Layer (5 pillars — see `.dw/core/PILLARS.md`)
-**Current:** v1.4.0-dev · v1.3.0 ready to ship · ADR-0001 active
+**Current:** v1.3.5 (released 2026-05-12) · ADR-0001 active · ADR-0005 Accepted (Supply-Chain Guard, sunset review 2026-08-12) · v1.4 cuts pending telemetry
 ---
@@ -30,6 +30,8 @@ src/
   tasks/      Active + archive/ (Bridges pillar — via tracking.md)
   metrics/    Local telemetry (events.jsonl)
   config/     dw.config.yml
+  security/   IoC namespace fixture (Guards pillar — ADR-0005)
+  research/   Investigation notes, RFC-style proposals, voter panel outputs
 ```
 ## Dev Notes

package/MIGRATION-v1.3.md CHANGED Viewed

@@ -1,8 +1,8 @@
 # Migration Guide — dw-kit v1.2.x → v1.3
-**Target version:** 1.3.0
-**Ship date:** 2026-05-12 (target)
-**Status:** In Progress
+**Current version:** 1.3.4
+**Patch chain:** 1.3.0 → 1.3.1 (task-init + retroactive emit v2) → 1.3.2 (task-doc health metric) → 1.3.3 (writer skills v1/v2 compat + docs cleanup) → 1.3.4 (/dw:plan Quick Debate)
+**Status:** Shipped
 This guide documents all user-visible changes in v1.3. v1.3 is **fully backward compatible** with v1.2.x — existing projects continue to work. New features are opt-in.
@@ -17,7 +17,8 @@ This guide documents all user-visible changes in v1.3. v1.3 is **fully backward
 | ACTIVE index | `.dw/tasks/ACTIVE.md` auto-generated | New feature |
 | Telemetry | Local-only metrics in `.dw/metrics/events.jsonl` | Opt-out via `DW_NO_TELEMETRY=1` |
 | Solo preset | `dw init --preset solo` available | New option |
-| Skill naming | `/dw-*` may be renamed to `/dw:*` (pending harness verification) | **Potentially breaking** |
+| Skill naming | `/dw-*` renamed to `/dw:*` (verified working in Claude CLI) | **Breaking** — update custom prompts |
+| `/dw:plan` debate | Quick Debate (red/blue self-critique) integrated — depth-driven | v1.3.4 opt-in for standard, default for thorough |
 | Archive | 8 Done tasks moved to `.dw/tasks/archive/` in dw-kit repo itself | No user impact |
 ---

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 > An AI development workflow toolkit for teams using agentic IDEs (Claude Code, Cursor) — from idea to review-ready commits.
-**v1.3** · `npm install -g dw-kit` · [Docs](docs/README.md) · [Get started](docs/get-started.md) · [Cheatsheet](docs/cheatsheet.md) · [Migration v1.3](MIGRATION-v1.3.md) · [Changelog](CHANGELOG.md)
+**v1.3.5** · `npm install -g dw-kit` · [Docs](docs/README.md) · [Get started](docs/get-started.md) · [Cheatsheet](docs/cheatsheet.md) · [Migration v1.3](MIGRATION-v1.3.md) · [Changelog](CHANGELOG.md)
 ---
@@ -36,10 +36,22 @@ It’s designed for collaboration (Dev / Tech Lead / QA / PM) and keeps work aud
 ## Release notes
-- v1.2.0 notes: [`CHANGELOG.md#v120--2026-04-09`](CHANGELOG.md#v120--2026-04-09)
+- **v1.3.5** (2026-05-12) — AI-Native Supply-Chain Guard: `dw security-scan` CLI + OSV.dev auto-sync + Edit-lockfile hook + scoped `.gitignore` for end-user projects. See [`CHANGELOG.md#v135--2026-05-12`](CHANGELOG.md#v135--2026-05-12) and [ADR-0005](.dw/decisions/0005-supply-chain-guard.md). Public 90-day sunset review committed for 2026-08-12.
+- v1.3.4 (2026-04-21) — `/dw:plan` Quick Debate (red/blue self-critique), depth-driven activation
+- v1.3.3 (2026-04-21) — Writer skills v1/v2 compatibility fix
+- v1.3.0 (2026-04-21) — 5-pillar governance layer + telemetry foundation + ADRs + v2 task docs ([ADR-0001](.dw/decisions/0001-v2-pragmatic-lean.md))
+- v1.2.0 (2026-04-09) — [`CHANGELOG.md#v120--2026-04-09`](CHANGELOG.md#v120--2026-04-09)
 - Full changelog: `CHANGELOG.md`
 - Latest release notes: [GitHub Releases](https://github.com/dv-workflow/dv-workflow/releases)
+### What's in v1.3.5 for your team
+- **`dw security-scan`** — scan for known supply-chain advisories against your project's `package-lock.json` (full match) or `package.json` (pre-install approximate). Uses [OSV.dev](https://osv.dev/) as data source (multi-maintainer upstream feed; no solo-curated bundle to go stale).
+- **AI-aware hook** — fires when Claude Code edits a lockfile. Auto-wired by `dw init --preset team` or `--preset enterprise`; opt-in OFF for `--preset solo`.
+- **Scoped `.gitignore`** — `dw init` and `dw upgrade` write `.dw/.gitignore` and `.claude/.gitignore` managed blocks. Framework files stay out of your repo; tasks/decisions/docs/config stay in.
+- **`dw doctor`** has a new security section that fails loud if advisory snapshot is stale (>7 days) or schema-incompatible.
+- **Sunset rule** — feature retires silently in v1.4.x if 90-day telemetry shows zero real catches OR >5% false-positive rate. Disciplined experiment, not panic ship.
 ---
 ## Install

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dw-kit",
-  "version": "1.3.0",
+  "version": "1.3.5",
   "description": "AI development workflow toolkit — structured, quality-assured, team-ready. From requirements to dashboard.",
   "type": "module",
   "bin": {
@@ -14,6 +14,7 @@
     ".dw/core/",
     ".dw/config/",
     ".dw/adapters/",
+    ".dw/security/",
     ".claude/agents/",
     ".claude/hooks/",
     ".claude/rules/",