specweave 1.0.240 → 1.0.241

package/plugins/specweave/skills/grill/SKILL.md

@@ -19,6 +19,14 @@ Call me when you need to:
 - **Security review** - Find vulnerabilities before attackers do
 - **Performance check** - Identify bottlenecks and inefficiencies
 
+## Scope Boundaries
+
+This skill is the **PRE-SHIP quality gate**. Focuses on: correctness, edge cases, performance issues, error handling.
+
+- For deep security audits → use `/sw:security`
+- For design pattern guidance → use `/sw:tech-lead`
+- For code style/clarity → use `/sw:code-simplifier`
+
 ## My Mindset: The Demanding Reviewer
 
 I approach code like a demanding tech lead:
@@ -89,6 +97,89 @@ I categorize found issues:
 
 ---
 
+## Confidence-Based Findings
+
+Every finding from the grill process MUST be scored for confidence. This reduces noise and ensures developers focus on real issues, not speculation.
+
+### Scoring System
+
+- Each finding receives a confidence score from 0 to 100
+- Only findings with confidence >= 70 are surfaced by default
+- Findings below the threshold are silently dropped (they create noise, not value)
+- Categories: **correctness** (bugs), **performance**, **security**, **maintainability**, **edge-case**
+
+### Confidence Guidelines
+
+| Score | Meaning | Action |
+|-------|---------|--------|
+| 90-100 | Certain bug/issue — reproducible or provably wrong | MUST fix before shipping |
+| 70-89 | Very likely issue — strong evidence but not 100% confirmed | SHOULD fix, review recommended |
+| 50-69 | Possible issue — circumstantial evidence | Consider fixing, low priority |
+| <50 | Speculative — gut feeling, no hard evidence | Don't report (noise reduction) |
+
+**How to score**: Base confidence on concrete evidence. Reading the code and seeing a null dereference path = 95. Suspecting a performance issue without profiling data = 60. "This might be a problem someday" = 30 (don't report).
+
+### Finding Format
+
+Each finding in the grill report MUST use this structured format:
+
+```markdown
+### Finding: [Descriptive Title]
+- **Severity**: critical | high | medium | low
+- **Confidence**: [0-100]
+- **Category**: correctness | performance | security | maintainability | edge-case
+- **File**: [file_path:line_number]
+- **Issue**: [Clear description of the problem — what is wrong and why]
+- **Suggestion**: [Specific, actionable fix — not "consider improving"]
+- **Impact**: [What happens if this ships unfixed — be concrete]
+```
+
+**Severity mapping to existing categories**:
+
+| Confidence Finding | Legacy Severity |
+|---|---|
+| critical (90-100 confidence) | BLOCKER / CRITICAL |
+| high (70-89 confidence) | MAJOR |
+| medium (50-69 confidence) | MINOR (only if explicitly requested) |
+| low (<50 confidence) | Not reported |
+
+### Aggregated Summary
+
+Every grill report MUST end with a confidence-scored summary:
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+GRILL SUMMARY (Confidence-Scored)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Total findings: {X} (above threshold)
+Suppressed: {Y} (below confidence threshold)
+
+  Critical (must-fix, confidence 90+): {X}
+  High (should-fix, confidence 70-89): {X}
+  Medium (consider, confidence 50-69): {X} (only shown with --verbose)
+
+Ship readiness: READY | NOT READY | NEEDS REVIEW
+
+  READY      = 0 critical, 0 high findings
+  NEEDS REVIEW = 0 critical, 1+ high findings
+  NOT READY  = 1+ critical findings
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
+
+### Threshold Override
+
+To see all findings including low-confidence ones:
+
+```
+/sw:grill 0042 --verbose       # Show findings with confidence >= 50
+/sw:grill 0042 --threshold 30  # Show findings with confidence >= 30
+```
+
+Default threshold is 70. Lowering it is useful when debugging a specific area or doing a thorough pre-release review.
+
+---
+
 ## Grill Report Format
 
 ```

package/plugins/specweave/skills/performance/SKILL.md

@@ -9,6 +9,12 @@ allowed-tools: Read, Bash, Grep
 
 You are an expert Performance Engineer with 10+ years of experience optimizing web applications, databases, and distributed systems.
 
+## Scope Boundaries
+
+This skill covers **HIGH-LEVEL PERFORMANCE**: Core Web Vitals, caching strategies, bundle optimization.
+
+- For deep database query optimization → use `/sw-backend:database-optimizer`
+
 ## Core Principles
 
 1. **ONE optimization area per response** - Chunk by area

package/plugins/specweave/skills/security/SKILL.md

@@ -10,6 +10,13 @@ context: fork
 
 You are an expert Security Engineer with 10+ years of experience in application security, penetration testing, and security compliance.
 
+## Scope Boundaries
+
+This skill performs **MANUAL SECURITY AUDITS**. Focuses on: OWASP Top 10, threat modeling, vulnerability assessment, penetration testing guidance.
+
+- For real-time pattern detection → use `/sw:security-patterns` (activates automatically)
+- For general code quality → use `/sw:grill`
+
 ## Core Principles
 
 1. **ONE security domain per response** - Chunk audits by domain

package/plugins/specweave/skills/security-patterns/SKILL.md

@@ -10,6 +10,12 @@ user-invocable: false
 
 This skill provides real-time security pattern detection based on Anthropic's official security-guidance plugin. It identifies potentially dangerous coding patterns BEFORE they're committed.
 
+## Scope Boundaries
+
+This skill is a **REAL-TIME DETECTOR**. Activates proactively when writing code. Detects: command injection, XSS, unsafe deserialization, dynamic code execution.
+
+- For comprehensive security audits → use `/sw:security`
+
 ## Detection Categories
 
 ### 1. Command Injection Risks

package/plugins/specweave/skills/tdd-orchestrator/SKILL.md

@@ -169,7 +169,7 @@ tdd:
 - `/sw:tdd:red`, `/sw:tdd:green`, `/sw:tdd:refactor` - Individual phases
 
 **Skills**:
-- `qa-lead` - Test strategy overlaps with TDD principles
+- `sw-testing:qa-engineer` - Test strategy overlaps with TDD principles
 
 ## Project-Specific Learnings
 

package/plugins/specweave/skills/team-build/SKILL.md

@@ -141,7 +141,7 @@ Generate comprehensive test coverage across all test levels simultaneously. Each
 |---|------|----------|------|----------------|
 | 1 | Unit | `sw-testing:unit-testing` | `tests/unit/` | Write unit tests for individual functions, classes, and modules with proper mocking |
 | 2 | E2E | `sw-testing:e2e-testing` | `tests/e2e/` | Write end-to-end tests for user flows, API sequences, and cross-service interactions |
-| 3 | Coverage | `sw-testing:test-coverage` | `tests/` (analysis scope) | Analyze coverage gaps, generate missing test cases, ensure threshold compliance |
+| 3 | Coverage | `sw-testing:qa-engineer` | `tests/` (analysis scope) | Analyze coverage gaps, generate missing test cases, ensure threshold compliance |
 
 #### Execution Chain
 

package/plugins/specweave/skills/team-orchestrate/SKILL.md

@@ -111,7 +111,7 @@ Analyze the feature request and map affected domains to SpecWeave skills.
 | **Testing** | `sw-testing:qa-engineer` | `sw-testing:e2e-testing`, `sw-testing:unit-testing` | Test strategy, E2E suites, integration tests |
 | **Security** | `sw:security` | `sw:security-patterns` | Auth, authorization, threat modeling, OWASP |
 | **DevOps** | `sw-infra:devops` | `sw-k8s:deployment-generate`, `sw-infra:observability` | CI/CD, Docker, K8s, monitoring |
-| **Mobile** | `sw-mobile:mobile-architect` | `sw-mobile:screen-generate`, `sw-mobile:react-native-expert` | Native/cross-platform mobile apps |
+| **Mobile** | `sw-mobile:react-native-expert` | `sw-mobile:screen-generate`, `sw-mobile:expo` | Native/cross-platform mobile apps |
 | **ML** | `sw-ml:ml-engineer` | `sw-ml:pipeline`, `sw-ml:deploy` | Model training, inference pipelines, deployment |
 
 ### Auto-Detection Signals

package/plugins/specweave/skills/tech-lead/SKILL.md

@@ -10,6 +10,13 @@ context: fork
 
 You are an expert Technical Lead bridging architecture and implementation. You ensure code quality, provide technical guidance, and create implementation plans.
 
+## Scope Boundaries
+
+This skill provides **DESIGN GUIDANCE**. Focuses on: architecture patterns, SOLID principles, refactoring strategies, technical debt.
+
+- For pre-ship bug-finding → use `/sw:grill`
+- For security review → use `/sw:security`
+
 ## Core Principles
 
 1. **ONE FILE per response** - Never implement multiple files at once

package/plugins/specweave-ado/lib/ado-permission-gate.js

@@ -1,5 +1,19 @@
 import { promises as fs } from "node:fs";
 import * as path from "node:path";
+function resolvePresetPermissions(preset) {
+  switch (preset) {
+    case "bidirectional":
+      return { canUpsert: true, canUpdateStatus: true };
+    case "push-only":
+      return { canUpsert: true, canUpdateStatus: true };
+    case "full-control":
+      return { canUpsert: true, canUpdateStatus: true };
+    case "read-only":
+      return { canUpsert: false, canUpdateStatus: false };
+    default:
+      return { canUpsert: false, canUpdateStatus: false };
+  }
+}
 const DEFAULT_SYNC_SETTINGS = {
   canUpsertInternalItems: false,
   canUpdateExternalItems: false,
@@ -98,10 +112,12 @@ async function createAdoPermissionGate(projectRoot = process.cwd()) {
   try {
     const content = await fs.readFile(configPath, "utf-8");
     const config = JSON.parse(content);
+    const preset = config?.sync?.preset;
+    const presetDefaults = resolvePresetPermissions(preset);
     const settings = {
       canUpsertInternalItems: config?.sync?.settings?.canUpsertInternalItems ?? false,
-      canUpdateExternalItems: config?.sync?.settings?.canUpdateExternalItems ?? false,
-      canUpdateStatus: config?.sync?.settings?.canUpdateStatus ?? false
+      canUpdateExternalItems: config?.sync?.settings?.canUpdateExternalItems ?? presetDefaults.canUpsert,
+      canUpdateStatus: config?.sync?.settings?.canUpdateStatus ?? presetDefaults.canUpdateStatus
     };
     return new AdoPermissionGate(settings, configPath);
   } catch {

package/plugins/specweave-ado/lib/ado-permission-gate.ts

@@ -55,6 +55,19 @@ export interface SyncSettings {
   canUpdateStatus: boolean;
 }
 
+/**
+ * Resolve preset permissions for fallback when explicit settings are absent
+ */
+function resolvePresetPermissions(preset?: string): { canUpsert: boolean; canUpdateStatus: boolean } {
+  switch (preset) {
+    case 'bidirectional': return { canUpsert: true, canUpdateStatus: true };
+    case 'push-only': return { canUpsert: true, canUpdateStatus: true };
+    case 'full-control': return { canUpsert: true, canUpdateStatus: true };
+    case 'read-only': return { canUpsert: false, canUpdateStatus: false };
+    default: return { canUpsert: false, canUpdateStatus: false };
+  }
+}
+
 /**
  * Default settings (all disabled for safety)
  */
@@ -187,10 +200,14 @@ export async function createAdoPermissionGate(
     const content = await fs.readFile(configPath, 'utf-8');
     const config = JSON.parse(content);
 
+    // v1.0.240 FIX: Honor preset (e.g., "bidirectional") when explicit settings absent
+    const preset = config?.sync?.preset;
+    const presetDefaults = resolvePresetPermissions(preset);
+
     const settings: SyncSettings = {
       canUpsertInternalItems: config?.sync?.settings?.canUpsertInternalItems ?? false,
-      canUpdateExternalItems: config?.sync?.settings?.canUpdateExternalItems ?? false,
-      canUpdateStatus: config?.sync?.settings?.canUpdateStatus ?? false,
+      canUpdateExternalItems: config?.sync?.settings?.canUpdateExternalItems ?? presetDefaults.canUpsert,
+      canUpdateStatus: config?.sync?.settings?.canUpdateStatus ?? presetDefaults.canUpdateStatus,
     };
 
     return new AdoPermissionGate(settings, configPath);

package/plugins/specweave-frontend/skills/frontend/SKILL.md

@@ -1,5 +1,5 @@
 ---
-description: Expert frontend developer for React, Vue, Angular, and modern JavaScript/TypeScript. Use when creating components, implementing hooks, handling state management, or building responsive web interfaces. Covers React 18+ features, custom hooks, form handling, and accessibility best practices.
+description: Expert frontend developer for React, Vue, Angular, and modern JavaScript/TypeScript. Use when creating components, implementing hooks, handling state management, or building responsive web interfaces. Covers React 18/19 features (use() hook, React Compiler, Server Functions, useActionState, useOptimistic), custom hooks, form handling, and accessibility best practices.
 ---
 
 # Frontend Development Expert
@@ -18,6 +18,98 @@ You are an expert frontend developer with deep knowledge of modern frameworks, J
 - Suspense and Error Boundaries
 - Concurrent features (useTransition, useDeferredValue)
 
+**React 19 Core Features**:
+- `use()` hook for reading promises and context in render
+- React Compiler (auto-memoization replaces manual useMemo/useCallback)
+- Server Functions (`"use server"`) and Server Actions
+- Form Actions with `useActionState` (replaces useFormState)
+- `useOptimistic` hook for optimistic UI updates
+- `<form action={fn}>` native integration
+- `ref` as a prop (no more forwardRef)
+- `<Context>` as a provider (no more `<Context.Provider>`)
+- Metadata (`<title>`, `<meta>`) hoisted from components automatically
+- Stylesheet precedence with `precedence` attribute
+- Async script deduplication
+
+**React 19 Patterns**:
+```tsx
+// use() hook — read a promise during render (Suspense handles loading)
+function UserProfile({ userPromise }: { userPromise: Promise<User> }) {
+  const user = use(userPromise);
+  return <h1>{user.name}</h1>;
+}
+
+// use() hook — read context (replaces useContext, works in conditionals)
+function ThemeButton() {
+  if (shouldUseTheme) {
+    const theme = use(ThemeContext);
+    return <button className={theme.buttonClass}>Click</button>;
+  }
+  return <button>Click</button>;
+}
+
+// useActionState for form handling
+function LoginForm() {
+  const [state, formAction, isPending] = useActionState(loginAction, null);
+  return (
+    <form action={formAction}>
+      <input name="email" />
+      <button disabled={isPending}>Login</button>
+      {state?.error && <p>{state.error}</p>}
+    </form>
+  );
+}
+
+// useOptimistic for instant UI feedback
+function TodoList({ todos }: { todos: Todo[] }) {
+  const [optimisticTodos, addOptimisticTodo] = useOptimistic(
+    todos,
+    (state, newTodo: Todo) => [...state, { ...newTodo, pending: true }]
+  );
+
+  async function addTodo(formData: FormData) {
+    const newTodo = { id: crypto.randomUUID(), title: formData.get('title') as string };
+    addOptimisticTodo(newTodo);
+    await saveTodoToServer(newTodo);
+  }
+
+  return (
+    <form action={addTodo}>
+      <input name="title" />
+      <button type="submit">Add</button>
+      <ul>
+        {optimisticTodos.map(todo => (
+          <li key={todo.id} style={{ opacity: todo.pending ? 0.5 : 1 }}>{todo.title}</li>
+        ))}
+      </ul>
+    </form>
+  );
+}
+
+// ref as prop (no forwardRef needed in React 19)
+function Input({ ref, ...props }: { ref?: React.Ref<HTMLInputElement> }) {
+  return <input ref={ref} {...props} />;
+}
+
+// Server Functions (in a server component or 'use server' file)
+// server-actions.ts
+'use server';
+export async function submitForm(prevState: State, formData: FormData) {
+  const email = formData.get('email');
+  // validate and persist...
+  return { success: true };
+}
+```
+
+**React Compiler Impact**:
+- Auto-memoizes components, values, and callbacks — remove manual `useMemo`/`useCallback` for performance-only usage
+- Still use `useMemo` when the memo is part of semantic behavior (e.g., stable dependency for a non-React API)
+- Still use `useCallback` when passing callbacks to non-React code that compares references (e.g., `addEventListener` wrappers)
+- Requirements: React 19, strict mode enabled, rules of hooks followed, no rule-of-hooks ESLint violations
+- Migration: install `babel-plugin-react-compiler` or enable in framework config, then gradually remove manual memos
+- Compiler skips components it cannot prove are safe — no breakage, just no optimization for those
+- Works with Next.js 15+, Vite via Babel plugin, and Remix
+
 **React Patterns**:
 - Compound components
 - Render props
@@ -166,9 +258,53 @@ You are an expert frontend developer with deep knowledge of modern frameworks, J
 
 **Modern CSS**:
 - CSS Variables (custom properties)
-- Container Queries
+- Container Queries (`@container`) and container query units (`cqi`, `cqb`)
 - CSS Grid and Flexbox
 - Logical properties for i18n
+- CSS Nesting (native, no preprocessor required)
+- `@layer` for cascade control and specificity management
+- `@scope` for scoped styles
+- `color-mix()` and relative color syntax
+- View Transitions API for page transitions
+
+**Modern CSS Patterns**:
+```css
+/* Container queries — responsive based on parent, not viewport */
+.card-container {
+  container-type: inline-size;
+  container-name: card;
+}
+@container card (min-width: 400px) {
+  .card { flex-direction: row; }
+}
+
+/* CSS nesting — native, no Sass needed */
+.nav {
+  background: var(--surface);
+
+  & a {
+    color: var(--text);
+
+    &:hover {
+      color: var(--primary);
+    }
+  }
+
+  @media (width < 768px) {
+    flex-direction: column;
+  }
+}
+
+/* @layer for cascade control */
+@layer reset, base, components, utilities;
+
+@layer components {
+  .btn { padding: 0.5rem 1rem; border-radius: 0.25rem; }
+}
+@layer utilities {
+  .p-4 { padding: 1rem; }  /* always wins over components */
+}
+```
 
 ### 8. Performance Optimization