npm - wize-dev-kit - Versions diffs - 0.7.0 → 0.7.1 - Mend

wize-dev-kit 0.7.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,16 @@ Format inspired by [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [Unreleased]
+## [0.7.1] — 2026-06-21
+### Changed
+- **README reescrito** com TL;DR, perfil **Wize Security** na tabela, seção dedicada do AI Pentester (como funciona + garantias de design), roster com 10 agentes (red-teamer), `.wize/security/` no layout e status atualizado para v0.7.x.
+### Added
+- **Traduções do README:** `README.pt-BR.md` (Português) e `README.es.md` (Español), com seletor de idioma cruzado. Incluídos no pacote npm.
 ## [0.7.0] — 2026-06-21
 ### Added

package/README.es.md ADDED Viewed

@@ -0,0 +1,226 @@
+# Wize Development Kit
+> **Kit de desarrollo asistido por IA, de ciclo completo** — lleva un proyecto del brief a la implementación testeada mediante 10 agentes especializados, con un Test Architect, un estudio de UX Whiteport y un Pentester de IA integrados. Funciona dentro de tu IDE con IA.
+[![npm version](https://img.shields.io/npm/v/wize-dev-kit?color=blue)](https://www.npmjs.com/package/wize-dev-kit)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Status](https://img.shields.io/badge/status-beta-green)](#estado)
+[![Repo](https://img.shields.io/badge/repo-qwize--br%2Fwize--development--kit-181717?logo=github)](https://github.com/qwize-br/wize-development-kit)
+**🌐 Idiomas:** [English](README.md) · [Português (pt-BR)](README.pt-BR.md) · **Español**
+---
+## Resumen rápido
+```bash
+npx wize-dev-kit install
+```
+Elige tus perfiles y tu IDE; luego, en tu IDE con IA, di *"Activa a Wizer y dale el briefing del proyecto."* Wizer te guía por el agente adecuado en cada fase — brief, PRD, UX, arquitectura, código testeado — y (opcionalmente) ejecuta un pentest de IA sobre tu aplicación.
+---
+## Qué es
+Wize Development Kit (WDK) es un **stack de agentes de IA** instalable que funciona dentro de tu IDE con IA (Claude Code, Cursor, Windsurf, Codex y otros) y escribe artefactos estructurados en una carpeta oculta `.wize/` de tu repositorio. Lleva un proyecto de **brief → PRD → estrategia de UX → arquitectura → implementación testeada**, y también puede **hacer pentest de la app en ejecución y planificar el sprint de remediación**.
+Es **file-first y zero-runtime**: los agentes son skills en Markdown que tu IDE lee; el tooling es Node puro (sin nuevas dependencias npm). Nada está simulado — cada paso lee el artefacto anterior y escribe uno real.
+### Perfiles (combinables en monorepos)
+| Perfil | Qué añade |
+|---|---|
+| **Wize Dev Core** | Ciclo completo (análisis → plan → solución → implementación) + Test Architect + UX Whiteport + Agent Builder. Siempre instalado. |
+| **Wize Web Dev** *(overlay)* | Scaffolds web, SEO, analytics, playbook WCAG para Mantis, Playwright/Vitest para Hawkeye. |
+| **Wize App Development** *(overlay)* | Scaffolds móviles, ficha de tienda, directrices de plataforma (HIG / Material 3), Detox/Maestro para Hawkeye. |
+| **Wize Security** *(overlay)* 🆕 | **Pentester de IA.** Pipeline de pentest file-first (recon → enumerate → SAST → DAST → report) conducido por la persona `red-teamer`, con gate de alcance, clasificación OWASP/CVSS e informe ejecutivo. |
+---
+## Instalación
+En cualquier repositorio, nuevo o existente (greenfield o brownfield):
+```bash
+npx wize-dev-kit install
+```
+O directamente desde GitHub (sin necesidad de npm):
+```bash
+npx github:qwize-br/wize-development-kit install
+```
+El instalador pregunta:
+1. **Perfil(es)** — Core / +Web / +App / +Security (selección múltiple).
+2. **IDE(s) objetivo** — Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode, Antigravity o fallback genérico (selección múltiple).
+3. **Idiomas** — comunicación + salida de documentos.
+4. **Carpeta de salida** — por defecto `.wize/`.
+5. **Brownfield** — ofrece ejecutar `wize-document-project` para crear la baseline del código existente.
+Tras instalar, abre tu IDE y di:
+> "Activa a Wizer y dale el briefing del proyecto."
+---
+## El elenco
+| # | Persona | Código | Rol |
+|---|---|---|---|
+| 1 | **Wizer** | `wize-orchestrator` | Orquestador, base de conocimiento, briefing, enrutamiento |
+| 2 | **Pepper Potts** | `wize-agent-analyst` | Analista de Negocio + WDS Saga (brief de producto, trigger map) |
+| 3 | **Peggy Carter** | `wize-agent-tech-writer` | Redactora Técnica (transversal) |
+| 4 | **Maria Hill** | `wize-agent-pm` | Product Manager (PRD, epics, sprints) |
+| 5 | **Mantis** | `wize-agent-ux-designer` | UX Designer + WDS Freya (escenarios, diseño, design system) |
+| 6 | **Nick Fury** | `wize-agent-solution-strategist` | Estrategia de Solución, visión técnica, principios de NFR |
+| 7 | **Tony Stark** | `wize-agent-architect` | Arquitecto de Sistemas (arquitectura, ADRs, epics, stories) |
+| 8 | **Hawkeye** | `wize-agent-test-architect` | Test Architect — 6 gates (risk, design, trace, nfr, review, gate) |
+| 9 | **Shuri** | `wize-agent-dev` | Desarrolladora Senior (TDD, código, refactor) |
+| 10 | **red-teamer** 🆕 | `red-teamer` (overlay de seguridad) | Pentester de IA — recon, SAST/DAST, pruebas ofensivas con alcance, informe |
+Consulta [`ROSTER.md`](ROSTER.md) para personas, estilos y equivalencias con BMAD.
+---
+## Recorrido — un proyecto completo, de principio a fin
+Cada paso es un slash command en tu IDE; cada persona lee el artefacto anterior antes de escribir el suyo.
+```
+1.  /wize-orchestrator          Wizer saluda, lee config, detecta el estado y enruta.
+2.  /wize-product-brief         Pepper convierte la demanda bruta en brief.md.
+    /wize-trigger-map           Pepper mapea psicología del usuario → metas de negocio (WDS).
+    /wize-research              Pepper sintetiza evidencia externa (opcional).
+3.  /wize-create-prd            Maria Hill escribe prd.md (metas, alcance, ACs).
+    /wize-validate-prd          Maria Hill (+ Mantis/Fury) aprueba.
+4.  /wize-ux-scenarios          Mantis conduce el diálogo WDS de 8 preguntas.
+    /wize-ux-design             Mantis escribe specs de pantalla (un .md por pantalla).
+5.  /wize-tech-vision           Fury elige la familia de stack + innegociables.
+    /wize-nfr-principles        Fury escribe el presupuesto de NFR (perf, seg, a11y…).
+6.  /wize-create-architecture   Tony escribe architecture.md + ADRs (8 pasos).
+    /wize-design-system         Mantis escribe design-system/ (tokens + componentes).
+    /wize-create-epics-and-stories
+                                Tony divide epics → stories (cada una con ACs).
+7.  /wize-tea-risk              Hawkeye construye el perfil global de riesgo.
+    /wize-tea-design            Hawkeye escribe el test design de la próxima story.
+    /wize-dev-story             Shuri implementa (TDD, IDs de AC en los commits).
+    /wize-tea-trace             Hawkeye mapea cada AC → tests.
+    /wize-tea-review            Hawkeye ejecuta la revisión de la story.
+    /wize-tea-gate              Hawkeye emite PASS / CONCERNS / FAIL / WAIVED.
+8.  /wize-sprint-status         Maria Hill mantiene el snapshot diario actualizado.
+    /wize-retrospective         Wizer facilita la retro al final de cada sprint.
+Transversales:
+    /wize-help                  Wizer averigua dónde estás y el próximo paso.
+    /wize-quick-dev             Shuri toma un arreglo pequeño sin el ciclo completo.
+    /wize-code-review           Revisión adversarial antes del gate TEA de Hawkeye.
+    /wize-party-mode            Wizer reúne multi-persona para decisiones difíciles.
+```
+> Usa `/wize-help next` cuando tengas dudas — inspecciona `.wize/` y te dice la única acción siguiente.
+---
+## 🛡️ Overlay de seguridad — Pentester de IA
+Con el perfil **Wize Security** instalado, la persona `red-teamer` ejecuta un pentest file-first de tu proyecto y produce un informe listo para stakeholders.
+### Cómo funciona
+1. **Autoriza el objetivo.** Declaras hosts/URLs permitidos en un `.wize/security/scope.md` firmado (integridad por SHA-256). Cualquier cosa fuera de la allowlist es **rechazada y auditada** — la herramienta nunca toca un objetivo que no autorizaste.
+2. **Ejecuta el pipeline.**
+   ```
+   /wize-sec-pentest                 # pasivo por defecto (chequeos read-only)
+   /wize-sec-pentest --active        # habilita tooling ofensivo (sqlmap, ffuf)
+   ```
+   Encadena: **recon** (nmap) → **enumerate** (superficie HTTP) → **SAST** (secrets con gitleaks + deps con osv-scanner/grype) → **DAST** (nuclei, nikto, sqlmap, ffuf) → **report**.
+3. **Lee el informe.** `report.md` + un `report.html` self-contained (offline, WCAG 2.2 AA) con:
+   - **Puntuación de riesgo 0–100** + **briefing** ejecutivo (qué significa el riesgo para el negocio),
+   - hallazgos clasificados por **CVSS v3.1** y **OWASP Top 10**, con secrets redactados,
+   - **cobertura honesta** ("audit confidence" — qué se probó y qué no),
+   - un **plan de acción priorizado** (P0/P1/P2).
+4. **Planifica la corrección.** El scan genera `security-backlog.md` (epics de remediación agrupados por tema, trazables a los hallazgos) e imprime el comando exacto para convertirlo en un sprint:
+   ```
+   /wize-create-epics-and-stories --from .wize/security/security-backlog.md
+   ```
+### Garantías de diseño
+- **Cero runtime propio** — solo built-ins de Node; ninguna dependencia npm nueva; el overlay nunca invoca una skill (imprime el comando para que tú/el agente lo ejecuten).
+- **Los datos quedan locales** — informes y hallazgos se escriben en `.wize/security/`, nunca se suben a ningún lado.
+- **Las herramientas se detectan, nunca se auto-instalan** — un preflight comprueba tu toolchain y genera un `install-pentest-tools.sh` consciente del SO (apt para nmap/nikto/sqlmap; releases de GitHub para gitleaks/nuclei/ffuf/osv-scanner; script oficial para grype). Una herramienta ausente degrada solo ese chequeo — el pipeline continúa.
+- **Pasivo por defecto** — el tooling ofensivo (sqlmap/ffuf) solo corre con `--active`; flags peligrosas (`--dump`, `--os-shell`) son vetadas por una allowlist independiente del input.
+> ⚠️ **Herramienta de doble uso.** Prueba solo sistemas que poseas o estés explícitamente autorizado a probar.
+---
+## Estructura de salida (en el repositorio objetivo)
+```
+.wize/
+├── config/             # project.toml, user.toml, tea.toml
+├── planning/           # brief, research, ux/, prd, tech-vision, nfr-principles
+├── solutioning/        # architecture, adrs, epics, stories
+├── implementation/     # sprint-status, retrospective, tea/{gates}
+├── knowledge/          # docs y referencias de larga duración
+├── security/           # scope.md, report.{md,html}, security-backlog.md (overlay de seguridad)
+└── custom/             # agents/skills/workflows creados por Agent Builder
+```
+---
+## Comandos de la CLI
+```bash
+npx wize-dev-kit install         # setup interactivo
+npx wize-dev-kit update          # actualiza un kit instalado a la versión actual
+npx wize-dev-kit sync            # re-renderiza los adapters de IDE tras editar la config
+npx wize-dev-kit agent list      # lista agentes nativos + personalizados
+npx wize-dev-kit agent create    # crea un nuevo agente personalizado (validado + dry-run)
+npx wize-dev-kit agent edit <code>  # sobrescribe un agente nativo
+npx wize-dev-kit doctor          # diagnostica kit / proyecto / adapters / gates
+npx wize-dev-kit validate        # chequeos estructurales en los assets del kit
+npx wize-dev-kit document-project [quick|initial_scan|full_rescan|deep_dive] [--resume] [--target <path>]
+npx wize-dev-kit uninstall       # elimina .wize/ (tu código queda intacto)
+```
+---
+## Documentación
+- [`ARCH.md`](ARCH.md) — arquitectura completa: distribución, flujos, layout, instalador.
+- [`ROSTER.md`](ROSTER.md) — personas con estilo, rol, equivalencias BMAD.
+- [`DECISIONS.md`](DECISIONS.md) — registro de decisiones.
+- [`CHANGELOG.md`](CHANGELOG.md) — historial de releases.
+---
+## Estado
+**v0.7.0 — beta.** El ciclo completo (análisis → plan → solución → implementación) está montado con 10 agentes y una biblioteca estructurada de skills. El `security-overlay` (Pentester de IA) entrega un pipeline de pentest completo, un informe ejecutivo (puntuación de riesgo + briefing + plan de acción por IA) y planificación de remediación post-scan — validado de principio a fin contra una aplicación Laravel/PHP real. Los adapters de IDE para Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode y Antigravity se regeneran automáticamente.
+---
+## Inspiración y créditos
+- [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) por Brian (BMad) Madison — ciclo ágil de IA, personas de agentes, patrón de instalador, sistema de módulos.
+- [Whiteport Design Studio expansion](https://github.com/bmad-code-org/bmad-method-wds-expansion) — metodología UX-first, panteón nórdico (Saga, Freya), estructura de fases.
+Wize Development Kit es una **adaptación independiente** — no afiliada ni respaldada por los autores de BMAD o WDS. Los nombres de personas Marvel se usan como referencias creativas bajo uso nominativo justo.
+---
+## Licencia
+MIT — consulta [`LICENSE`](LICENSE).

package/README.md CHANGED Viewed

@@ -1,13 +1,41 @@
 # Wize Development Kit
-> **Full-lifecycle AI-assisted development kit** with Test Architect and Whiteport Design Studio embedded.
-> Inspired by [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) and [WDS Expansion](https://github.com/bmad-code-org/bmad-method-wds-expansion).
+> **Full-lifecycle AI-assisted development kit** — takes a project from brief to tested implementation through 10 specialized agents, with a Test Architect, a Whiteport UX studio, and an AI Pentester embedded. Runs inside your AI IDE.
 [![npm version](https://img.shields.io/npm/v/wize-dev-kit?color=blue)](https://www.npmjs.com/package/wize-dev-kit)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Status](https://img.shields.io/badge/status-alpha-orange)](#status)
+[![Status](https://img.shields.io/badge/status-beta-green)](#status)
 [![Repo](https://img.shields.io/badge/repo-qwize--br%2Fwize--development--kit-181717?logo=github)](https://github.com/qwize-br/wize-development-kit)
+**🌐 Languages:** **English** · [Português (pt-BR)](README.pt-BR.md) · [Español](README.es.md)
+---
+## TL;DR
+```bash
+npx wize-dev-kit install
+```
+Pick your profiles and IDE, then in your AI IDE say *"Activate Wizer and brief him on the project."* Wizer routes you through the right agent for each phase — brief, PRD, UX, architecture, tested code — and (optionally) runs an AI pentest of your app.
+---
+## What it is
+Wize Development Kit (WDK) is an installable **AI agent stack** that runs inside your AI IDE (Claude Code, Cursor, Windsurf, Codex, and others) and writes structured artifacts to a hidden `.wize/` folder in your repo. It takes a project from **brief → PRD → UX strategy → architecture → tested implementation**, and can also **pentest the running app and plan the remediation sprint**.
+It is **file-first and zero-runtime**: the agents are Markdown skills your IDE reads; the tooling is plain Node (no new npm dependencies). Nothing is mocked — every step reads the previous artifact and writes a real one.
+### Profiles (combinable in monorepos)
+| Profile | What it adds |
+|---|---|
+| **Wize Dev Core** | Full lifecycle (analysis → plan → solution → implementation) + Test Architect + Whiteport UX + Agent Builder. Always installed. |
+| **Wize Web Dev** *(overlay)* | Web scaffolds, SEO, analytics, WCAG playbook for Mantis, Playwright/Vitest for Hawkeye. |
+| **Wize App Development** *(overlay)* | Mobile scaffolds, store listing, platform guidelines (HIG / Material 3), Detox/Maestro for Hawkeye. |
+| **Wize Security** *(overlay)* 🆕 | **AI Pentester.** File-first pentest pipeline (recon → enumerate → SAST → DAST → report) driven by the `red-teamer` persona, with a scope gate, OWASP/CVSS classification, and a stakeholder report. |
 ---
 ## Install
@@ -18,7 +46,7 @@ In any greenfield or brownfield repo:
 npx wize-dev-kit install
 ```
-Or straight from GitHub (no npm required):
+Or straight from GitHub (no npm needed):
 ```bash
 npx github:qwize-br/wize-development-kit install
@@ -26,32 +54,16 @@ npx github:qwize-br/wize-development-kit install
 The installer asks:
-1. Profile(s) to enable (Core / +Web / +App — multi-select).
-2. IDE target(s) (Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode, Antigravity, or generic fallback — multi-select).
-3. Language preferences (communication + document output).
-4. Output folder (default `.wize/`).
-5. For brownfield repos: offers to run `wize-document-project` to baseline the existing codebase.
+1. **Profile(s)** — Core / +Web / +App / +Security (multi-select).
+2. **IDE target(s)** — Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode, Antigravity, or generic fallback (multi-select).
+3. **Languages** — communication + document output.
+4. **Output folder** — default `.wize/`.
+5. **Brownfield** — offers to run `wize-document-project` to baseline the existing codebase.
-After install, open your IDE and start with:
+After install, open your IDE and say:
 > "Activate Wizer and brief him on the project."
-Wizer will route you to the right persona (Pepper for brief, Mantis for UX baseline, Tony for architecture preferences, etc.).
----
-## What it is
-Wize Development Kit (WDK) is an installable AI agent stack that takes a project from **brief → PRD → UX strategy → architecture → tested implementation** through 9 specialized agents (Marvel-themed) and a structured workflow library. It runs inside your AI IDE (Claude Code, Cursor, Windsurf, and others) and writes structured artifacts to a hidden `.wize/` folder in the target repo.
-Three profiles, combinable in monorepos:
-| Profile | What it adds |
-|---|---|
-| **Wize Dev Core** | Full lifecycle (analysis → plan → solution → implementation) + Test Architect + Whiteport UX + Agent Builder. Always installed. |
-| **Wize Web Dev** (overlay) | Web stack scaffolds, SEO, analytics, WCAG playbook for Mantis, Playwright/Vitest playbook for Hawkeye. |
-| **Wize App Development** (overlay) | Mobile scaffolds, store-listing, platform guidelines (HIG/Material 3), Detox/Maestro playbook for Hawkeye. |
 ---
 ## The roster
@@ -67,6 +79,7 @@ Three profiles, combinable in monorepos:
 | 7 | **Tony Stark** | `wize-agent-architect` | System Architect (architecture, ADRs, epics, stories) |
 | 8 | **Hawkeye** | `wize-agent-test-architect` | Test Architect — 6 gates (risk, design, trace, nfr, review, gate) |
 | 9 | **Shuri** | `wize-agent-dev` | Senior Developer (TDD, code, refactor) |
+| 10 | **red-teamer** 🆕 | `red-teamer` (security overlay) | AI Pentester — recon, SAST/DAST, scoped offensive testing, reporting |
 See [`ROSTER.md`](ROSTER.md) for personas, styles and BMAD equivalences.
@@ -74,18 +87,14 @@ See [`ROSTER.md`](ROSTER.md) for personas, styles and BMAD equivalences.
 ## Walkthrough — a full project, end to end
-Below is the canonical flow Wizer drives in a real session. Each step is a slash command in your IDE; each persona reads the previous artifact before writing its own. Nothing is mocked.
+Each step is a slash command in your IDE; each persona reads the previous artifact before writing its own.
 ```
-1.  /wize-orchestrator          Wizer greets, reads .wize/config/{project,user}.toml.
-                                Detects the project state and routes you.
+1.  /wize-orchestrator          Wizer greets, reads config, detects state, routes you.
 2.  /wize-product-brief         Pepper turns raw demand into brief.md.
     /wize-trigger-map           Pepper maps user psychology → business goals (WDS).
     /wize-research              Pepper synthesizes external evidence (optional).
-                                Or run a focused pass:
-                                /wize-market-research, /wize-domain-research,
-                                /wize-technical-research.
 3.  /wize-create-prd            Maria Hill writes prd.md (goals, scope, ACs).
     /wize-validate-prd          Maria Hill (+ Mantis/Fury) signs off.
@@ -96,8 +105,7 @@ Below is the canonical flow Wizer drives in a real session. Each step is a slash
 5.  /wize-tech-vision           Fury picks the stack family + non-negotiables.
     /wize-nfr-principles        Fury writes the NFR budget (perf, sec, a11y…).
-6.  /wize-create-architecture   Tony writes architecture.md + ADRs via 8 steps
-                                (context → decisions → patterns → structure → validation).
+6.  /wize-create-architecture   Tony writes architecture.md + ADRs (8 steps).
     /wize-design-system         Mantis writes design-system/ (tokens + components).
     /wize-create-epics-and-stories
                                 Tony slices epics → stories (each has ACs).
@@ -111,20 +119,49 @@ Below is the canonical flow Wizer drives in a real session. Each step is a slash
 8.  /wize-sprint-status         Maria Hill keeps the daily snapshot updated.
     /wize-retrospective         Wizer facilitates retro at end of each sprint.
-    /wize-tea-nfr               Hawkeye assesses NFRs at epic boundary.
 Cross-cutting:
-    /wize-help                  Wizer figures out where you are and proposes
-                                the next step (use anytime).
+    /wize-help                  Wizer figures out where you are and the next step.
     /wize-quick-dev             Shuri takes a small fix without the full ride.
-    /wize-code-review           Shuri runs an adversarial peer review (Blind Hunter,
-                                Edge Case Hunter, Acceptance Auditor) before Hawkeye's TEA review.
-    /wize-spec                  Distill any intent into a canonical five-field spec.
+    /wize-code-review           Adversarial peer review before Hawkeye's TEA gate.
     /wize-party-mode            Wizer convenes multi-persona for hard calls.
 ```
-> Use `/wize-help next` whenever you're unsure — it inspects `.wize/` and tells
-> you the single next action.
+> Use `/wize-help next` whenever you're unsure — it inspects `.wize/` and tells you the single next action.
+---
+## 🛡️ Security overlay — AI Pentester
+When the **Wize Security** profile is installed, the `red-teamer` persona runs a file-first pentest of your project and produces a stakeholder-ready report.
+### How it works
+1. **Authorize the target.** You declare allowed hosts/URLs in a signed `.wize/security/scope.md` (SHA-256 integrity). Anything outside the allowlist is **refused and audited** — the tool never touches a target you didn't authorize.
+2. **Run the pipeline.**
+   ```
+   /wize-sec-pentest                 # passive by default (read-only checks)
+   /wize-sec-pentest --active        # enables active exploit tooling (sqlmap, ffuf)
+   ```
+   It chains: **recon** (nmap) → **enumerate** (HTTP surface) → **SAST** (gitleaks secrets + osv-scanner/grype deps) → **DAST** (nuclei, nikto, sqlmap, ffuf) → **report**.
+3. **Read the report.** `report.md` + a self-contained `report.html` (offline, WCAG 2.2 AA) with:
+   - **Risk score 0–100** + executive **briefing** (what the risk means for the business),
+   - findings classified by **CVSS v3.1** and **OWASP Top 10**, with redacted secrets,
+   - **honest coverage** ("audit confidence" — what was and wasn't tested),
+   - a **prioritized action plan** (P0/P1/P2).
+4. **Plan the fix.** The scan emits `security-backlog.md` (remediation epics grouped by theme, traceable to findings) and prints the exact command to turn it into a sprint:
+   ```
+   /wize-create-epics-and-stories --from .wize/security/security-backlog.md
+   ```
+### Design guarantees
+- **Zero runtime of its own** — Node built-ins only; no new npm dependency; the overlay never invokes a skill (it prints the command for you/the agent to run).
+- **Data stays local** — reports and findings are written under `.wize/security/`, never uploaded anywhere.
+- **Tools are detected, never auto-installed** — a preflight checks your toolchain and generates an OS-aware `install-pentest-tools.sh` (apt for nmap/nikto/sqlmap; GitHub releases for gitleaks/nuclei/ffuf/osv-scanner; official script for grype). Missing tools degrade a single check gracefully — the pipeline keeps going.
+- **Default passive** — offensive tooling (sqlmap/ffuf) runs only with `--active`; dangerous flags (`--dump`, `--os-shell`) are vetoed by an allowlist regardless of input.
+> ⚠️ **Dual-use tool.** Only test systems you own or are explicitly authorized to test.
 ---
@@ -137,6 +174,7 @@ Cross-cutting:
 ├── solutioning/        # architecture, adrs, epics, stories
 ├── implementation/     # sprint-status, retrospective, tea/{gates}
 ├── knowledge/          # long-lived docs and references
+├── security/           # scope.md, report.{md,html}, security-backlog.md (security overlay)
 └── custom/             # agents/skills/workflows created by Agent Builder
 ```
@@ -146,15 +184,14 @@ Cross-cutting:
 ```bash
 npx wize-dev-kit install         # interactive setup
-npx wize-dev-kit update          # bring an installed kit up to the current package version
+npx wize-dev-kit update          # bring an installed kit up to the current version
 npx wize-dev-kit sync            # re-render IDE adapters after editing config
 npx wize-dev-kit agent list      # list built-in + custom agents
 npx wize-dev-kit agent create    # scaffold a new custom agent (validated + dry-run)
-npx wize-dev-kit agent edit <code>  # override a built-in via .wize/custom/agents/<code>/customize.toml
-npx wize-dev-kit doctor          # diagnose kit / project / adapters / gates and suggest fixes
+npx wize-dev-kit agent edit <code>  # override a built-in agent
+npx wize-dev-kit doctor          # diagnose kit / project / adapters / gates
 npx wize-dev-kit validate        # structural checks on the kit assets
 npx wize-dev-kit document-project [quick|initial_scan|full_rescan|deep_dive] [--resume] [--target <path>]
-                                 # document the current repo; quick baseline by default
 npx wize-dev-kit uninstall       # remove .wize/ (your code is left untouched)
 ```
@@ -162,22 +199,23 @@ npx wize-dev-kit uninstall       # remove .wize/ (your code is left untouched)
 ## Documentation
-- [`ARCH.md`](ARCH.md) — full architecture: distribution, fluxos, layout, installer.
-- [`ROSTER.md`](ROSTER.md) — 9 personas with style, role, BMAD equivalences.
-- [`DECISIONS.md`](DECISIONS.md) — decisions log from the design interview.
+- [`ARCH.md`](ARCH.md) — full architecture: distribution, flows, layout, installer.
+- [`ROSTER.md`](ROSTER.md) — personas with style, role, BMAD equivalences.
+- [`DECISIONS.md`](DECISIONS.md) — decisions log.
+- [`CHANGELOG.md`](CHANGELOG.md) — release history.
 ---
 ## Status
-**v0.3.0+ — beta.** The core lifecycle is scaffolded, the `document-project` engine is wired, and selected BMAD step flows have been adapted into Wize skills: `wize-spec`, `wize-create-architecture` (8-step), `wize-code-review` (adversarial triage), and vertical research skills (`wize-market-research`, `wize-domain-research`, `wize-technical-research`). IDE adapters for Claude Code, Cursor, Windsurf, and others are regenerated automatically. Production-readiness target remains v0.5.0.
+**v0.7.0 — beta.** The full lifecycle (analysis → plan → solution → implementation) is wired with 10 agents and a structured skill library. The `security-overlay` (AI Pentester) ships a complete pentest pipeline, a stakeholder report (risk score + briefing + AI action plan), and post-scan remediation planning — validated end-to-end against a real Laravel/PHP app. IDE adapters for Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode, and Antigravity are regenerated automatically.
 ---
 ## Inspiration & credits
-- [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) by Brian (BMad) Madison — for the agile AI lifecycle, agent personas, installer pattern, module system.
-- [Whiteport Design Studio expansion](https://github.com/bmad-code-org/bmad-method-wds-expansion) — for the UX-first methodology, Norse pantheon (Saga, Freya), phase structure.
+- [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) by Brian (BMad) Madison — agile AI lifecycle, agent personas, installer pattern, module system.
+- [Whiteport Design Studio expansion](https://github.com/bmad-code-org/bmad-method-wds-expansion) — UX-first methodology, Norse pantheon (Saga, Freya), phase structure.
 Wize Development Kit is an **independent adaptation** — not affiliated with or endorsed by BMAD or WDS authors. Marvel persona names are used as creative references under nominative fair use.

package/README.pt-BR.md ADDED Viewed

@@ -0,0 +1,226 @@
+# Wize Development Kit
+> **Kit de desenvolvimento assistido por IA, de ciclo completo** — leva um projeto do brief à implementação testada por meio de 10 agentes especializados, com um Test Architect, um estúdio de UX Whiteport e um Pentester de IA embarcados. Roda dentro da sua IDE com IA.
+[![npm version](https://img.shields.io/npm/v/wize-dev-kit?color=blue)](https://www.npmjs.com/package/wize-dev-kit)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Status](https://img.shields.io/badge/status-beta-green)](#status)
+[![Repo](https://img.shields.io/badge/repo-qwize--br%2Fwize--development--kit-181717?logo=github)](https://github.com/qwize-br/wize-development-kit)
+**🌐 Idiomas:** [English](README.md) · **Português (pt-BR)** · [Español](README.es.md)
+---
+## Resumo rápido
+```bash
+npx wize-dev-kit install
+```
+Escolha os perfis e a IDE; depois, na sua IDE com IA, diga *"Ative o Wizer e dê o briefing do projeto a ele."* O Wizer te conduz pelo agente certo em cada fase — brief, PRD, UX, arquitetura, código testado — e (opcionalmente) roda um pentest de IA na sua aplicação.
+---
+## O que é
+O Wize Development Kit (WDK) é uma **stack de agentes de IA** instalável que roda dentro da sua IDE com IA (Claude Code, Cursor, Windsurf, Codex e outras) e grava artefatos estruturados em uma pasta oculta `.wize/` no seu repositório. Leva um projeto de **brief → PRD → estratégia de UX → arquitetura → implementação testada** e também pode **fazer pentest da aplicação rodando e planejar a sprint de correção**.
+É **file-first e zero-runtime**: os agentes são skills em Markdown que sua IDE lê; o tooling é Node puro (sem novas dependências npm). Nada é simulado — cada passo lê o artefato anterior e grava um real.
+### Perfis (combináveis em monorepos)
+| Perfil | O que adiciona |
+|---|---|
+| **Wize Dev Core** | Ciclo completo (análise → plano → solução → implementação) + Test Architect + UX Whiteport + Agent Builder. Sempre instalado. |
+| **Wize Web Dev** *(overlay)* | Scaffolds web, SEO, analytics, playbook WCAG para o Mantis, Playwright/Vitest para o Hawkeye. |
+| **Wize App Development** *(overlay)* | Scaffolds mobile, listagem em loja, diretrizes de plataforma (HIG / Material 3), Detox/Maestro para o Hawkeye. |
+| **Wize Security** *(overlay)* 🆕 | **Pentester de IA.** Pipeline de pentest file-first (recon → enumerate → SAST → DAST → report) conduzido pela persona `red-teamer`, com gate de escopo, classificação OWASP/CVSS e relatório executivo. |
+---
+## Instalação
+Em qualquer repositório, novo ou existente (greenfield ou brownfield):
+```bash
+npx wize-dev-kit install
+```
+Ou direto do GitHub (sem precisar de npm):
+```bash
+npx github:qwize-br/wize-development-kit install
+```
+O instalador pergunta:
+1. **Perfil(is)** — Core / +Web / +App / +Security (múltipla escolha).
+2. **IDE(s) alvo** — Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode, Antigravity ou fallback genérico (múltipla escolha).
+3. **Idiomas** — comunicação + saída de documentos.
+4. **Pasta de saída** — padrão `.wize/`.
+5. **Brownfield** — oferece rodar `wize-document-project` para criar a baseline do código existente.
+Após instalar, abra sua IDE e diga:
+> "Ative o Wizer e dê o briefing do projeto a ele."
+---
+## O elenco
+| # | Persona | Código | Papel |
+|---|---|---|---|
+| 1 | **Wizer** | `wize-orchestrator` | Orquestrador, base de conhecimento, briefing, roteamento |
+| 2 | **Pepper Potts** | `wize-agent-analyst` | Analista de Negócio + WDS Saga (brief de produto, trigger map) |
+| 3 | **Peggy Carter** | `wize-agent-tech-writer` | Redatora Técnica (transversal) |
+| 4 | **Maria Hill** | `wize-agent-pm` | Product Manager (PRD, epics, sprints) |
+| 5 | **Mantis** | `wize-agent-ux-designer` | UX Designer + WDS Freya (cenários, design, design system) |
+| 6 | **Nick Fury** | `wize-agent-solution-strategist` | Estratégia de Solução, visão técnica, princípios de NFR |
+| 7 | **Tony Stark** | `wize-agent-architect` | Arquiteto de Sistemas (arquitetura, ADRs, epics, stories) |
+| 8 | **Hawkeye** | `wize-agent-test-architect` | Test Architect — 6 gates (risk, design, trace, nfr, review, gate) |
+| 9 | **Shuri** | `wize-agent-dev` | Desenvolvedora Sênior (TDD, código, refactor) |
+| 10 | **red-teamer** 🆕 | `red-teamer` (overlay de segurança) | Pentester de IA — recon, SAST/DAST, testes ofensivos com escopo, relatório |
+Veja [`ROSTER.md`](ROSTER.md) para personas, estilos e equivalências com o BMAD.
+---
+## Passo a passo — um projeto completo, de ponta a ponta
+Cada passo é um slash command na sua IDE; cada persona lê o artefato anterior antes de escrever o seu.
+```
+1.  /wize-orchestrator          Wizer cumprimenta, lê config, detecta estado e roteia.
+2.  /wize-product-brief         Pepper transforma a demanda bruta em brief.md.
+    /wize-trigger-map           Pepper mapeia psicologia do usuário → metas de negócio (WDS).
+    /wize-research              Pepper sintetiza evidências externas (opcional).
+3.  /wize-create-prd            Maria Hill escreve prd.md (metas, escopo, ACs).
+    /wize-validate-prd          Maria Hill (+ Mantis/Fury) aprova.
+4.  /wize-ux-scenarios          Mantis conduz o diálogo WDS de 8 perguntas.
+    /wize-ux-design             Mantis escreve specs de tela (um .md por tela).
+5.  /wize-tech-vision           Fury escolhe a família de stack + não-negociáveis.
+    /wize-nfr-principles        Fury escreve o orçamento de NFR (perf, seg, a11y…).
+6.  /wize-create-architecture   Tony escreve architecture.md + ADRs (8 passos).
+    /wize-design-system         Mantis escreve design-system/ (tokens + componentes).
+    /wize-create-epics-and-stories
+                                Tony fatia epics → stories (cada uma com ACs).
+7.  /wize-tea-risk              Hawkeye monta o perfil global de risco.
+    /wize-tea-design            Hawkeye escreve o test design da próxima story.
+    /wize-dev-story             Shuri implementa (TDD, IDs de AC nos commits).
+    /wize-tea-trace             Hawkeye mapeia cada AC → testes.
+    /wize-tea-review            Hawkeye faz a revisão da story.
+    /wize-tea-gate              Hawkeye emite PASS / CONCERNS / FAIL / WAIVED.
+8.  /wize-sprint-status         Maria Hill mantém o snapshot diário atualizado.
+    /wize-retrospective         Wizer facilita a retro no fim de cada sprint.
+Transversais:
+    /wize-help                  Wizer descobre onde você está e o próximo passo.
+    /wize-quick-dev             Shuri pega uma correção pequena sem o ciclo completo.
+    /wize-code-review           Revisão adversarial antes do gate TEA do Hawkeye.
+    /wize-party-mode            Wizer reúne multi-persona para decisões difíceis.
+```
+> Use `/wize-help next` sempre que estiver em dúvida — ele inspeciona `.wize/` e diz a única próxima ação.
+---
+## 🛡️ Overlay de segurança — Pentester de IA
+Com o perfil **Wize Security** instalado, a persona `red-teamer` roda um pentest file-first do seu projeto e produz um relatório pronto para stakeholders.
+### Como funciona
+1. **Autorize o alvo.** Você declara hosts/URLs permitidos em um `.wize/security/scope.md` assinado (integridade por SHA-256). Qualquer coisa fora da allowlist é **recusada e auditada** — a ferramenta nunca toca em um alvo que você não autorizou.
+2. **Rode o pipeline.**
+   ```
+   /wize-sec-pentest                 # passivo por padrão (checagens read-only)
+   /wize-sec-pentest --active        # habilita tooling ofensivo (sqlmap, ffuf)
+   ```
+   Encadeia: **recon** (nmap) → **enumerate** (superfície HTTP) → **SAST** (secrets via gitleaks + deps via osv-scanner/grype) → **DAST** (nuclei, nikto, sqlmap, ffuf) → **report**.
+3. **Leia o relatório.** `report.md` + um `report.html` self-contained (offline, WCAG 2.2 AA) com:
+   - **Score de risco 0–100** + **briefing** executivo (o que o risco significa para o negócio),
+   - findings classificados por **CVSS v3.1** e **OWASP Top 10**, com secrets redatados,
+   - **cobertura honesta** ("audit confidence" — o que foi e o que não foi testado),
+   - um **plano de ação priorizado** (P0/P1/P2).
+4. **Planeje a correção.** O scan gera `security-backlog.md` (epics de remediação agrupados por tema, rastreáveis aos findings) e imprime o comando exato para virar uma sprint:
+   ```
+   /wize-create-epics-and-stories --from .wize/security/security-backlog.md
+   ```
+### Garantias de design
+- **Zero runtime próprio** — só built-ins do Node; nenhuma dependência npm nova; o overlay nunca invoca uma skill (ele imprime o comando para você/o agente rodar).
+- **Os dados ficam locais** — relatórios e findings são gravados em `.wize/security/`, nunca enviados a lugar nenhum.
+- **Ferramentas são detectadas, nunca auto-instaladas** — um preflight checa seu toolchain e gera um `install-pentest-tools.sh` ciente do SO (apt para nmap/nikto/sqlmap; releases do GitHub para gitleaks/nuclei/ffuf/osv-scanner; script oficial para grype). Ferramenta ausente degrada só aquela checagem — o pipeline continua.
+- **Passivo por padrão** — tooling ofensivo (sqlmap/ffuf) só roda com `--active`; flags perigosas (`--dump`, `--os-shell`) são vetadas por uma allowlist independente do input.
+> ⚠️ **Ferramenta dual-use.** Só teste sistemas que você possui ou está explicitamente autorizado a testar.
+---
+## Layout de saída (no repositório alvo)
+```
+.wize/
+├── config/             # project.toml, user.toml, tea.toml
+├── planning/           # brief, research, ux/, prd, tech-vision, nfr-principles
+├── solutioning/        # architecture, adrs, epics, stories
+├── implementation/     # sprint-status, retrospective, tea/{gates}
+├── knowledge/          # docs e referências de longa duração
+├── security/           # scope.md, report.{md,html}, security-backlog.md (overlay de segurança)
+└── custom/             # agents/skills/workflows criados pelo Agent Builder
+```
+---
+## Comandos da CLI
+```bash
+npx wize-dev-kit install         # setup interativo
+npx wize-dev-kit update          # atualiza um kit instalado para a versão atual
+npx wize-dev-kit sync            # re-renderiza os adapters de IDE após editar a config
+npx wize-dev-kit agent list      # lista agentes nativos + customizados
+npx wize-dev-kit agent create    # cria um novo agente customizado (validado + dry-run)
+npx wize-dev-kit agent edit <code>  # sobrescreve um agente nativo
+npx wize-dev-kit doctor          # diagnostica kit / projeto / adapters / gates
+npx wize-dev-kit validate        # checagens estruturais nos assets do kit
+npx wize-dev-kit document-project [quick|initial_scan|full_rescan|deep_dive] [--resume] [--target <path>]
+npx wize-dev-kit uninstall       # remove .wize/ (seu código permanece intacto)
+```
+---
+## Documentação
+- [`ARCH.md`](ARCH.md) — arquitetura completa: distribuição, fluxos, layout, instalador.
+- [`ROSTER.md`](ROSTER.md) — personas com estilo, papel, equivalências BMAD.
+- [`DECISIONS.md`](DECISIONS.md) — log de decisões.
+- [`CHANGELOG.md`](CHANGELOG.md) — histórico de releases.
+---
+## Status
+**v0.7.0 — beta.** O ciclo completo (análise → plano → solução → implementação) está montado com 10 agentes e uma biblioteca estruturada de skills. O `security-overlay` (Pentester de IA) entrega um pipeline de pentest completo, um relatório executivo (score de risco + briefing + plano de ação por IA) e planejamento de correção pós-scan — validado de ponta a ponta contra uma aplicação Laravel/PHP real. Os adapters de IDE para Claude Code, Cursor, Windsurf, Codex, Continue, Kimi Code, OpenCode e Antigravity são regenerados automaticamente.
+---
+## Inspiração & créditos
+- [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) por Brian (BMad) Madison — ciclo ágil de IA, personas de agentes, padrão de instalador, sistema de módulos.
+- [Whiteport Design Studio expansion](https://github.com/bmad-code-org/bmad-method-wds-expansion) — metodologia UX-first, panteão nórdico (Saga, Freya), estrutura de fases.
+O Wize Development Kit é uma **adaptação independente** — não afiliada nem endossada pelos autores do BMAD ou do WDS. Os nomes de personas Marvel são referências criativas sob uso nominativo justo.
+---
+## Licença
+MIT — veja [`LICENSE`](LICENSE).

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "wize-dev-kit",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "Full-lifecycle AI-assisted development kit with Test Architect and Whiteport Design Studio embedded. Inspired by BMAD Method and WDS.",
   "keywords": [
     "ai",
@@ -43,6 +43,8 @@
     "tools/",
     "schemas/",
     "README.md",
+    "README.pt-BR.md",
+    "README.es.md",
     "LICENSE",
     "CHANGELOG.md",
     "ARCH.md",