Release v2.1.0: Opus 4.8-tuned pm-ai-shipping audits + CHANGELOG-driven release automation

pm-ai-shipping: mandatory Evidence citations verified before reporting,
concrete subagent fan-out contract, read-only allowed-tools on both audits,
N+1/waterfall detection and a refute pass in the performance audit,
untrusted-input hardening across the kit, parallel audits in /ship-check,
severity anchors + report consolidation, repo-relative paths.

Repo: CHANGELOG.md as release source of truth with auto-tag-and-release on
merge to main (adapted from phuryn/claude-usage, minus the .vsix build),
Tests workflow on every PR/push, unit + docs-consistency test suite,
contributor-credit conventions in CONTRIBUTING, all manifests synced at 2.1.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011URgT9hYuNrXeCvzjnqRxJ
This commit is contained in:
Claude
2026-07-03 13:34:34 +02:00
parent a0cd730d4c
commit 18468a95b4
27 changed files with 619 additions and 44 deletions
+2 -1
View File
@@ -1,6 +1,7 @@
![GitHub stars](https://img.shields.io/github/stars/phuryn/pm-skills)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow?style=flat-square)](https://github.com/phuryn/pm-skills/blob/main/LICENSE)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen?style=flat-square)](https://github.com/phuryn/pm-skills/blob/main/CONTRIBUTING.md)
[![Tests](https://github.com/phuryn/pm-skills/actions/workflows/tests.yml/badge.svg)](https://github.com/phuryn/pm-skills/actions/workflows/tests.yml)
[![Companion: pm-skills](https://img.shields.io/badge/companion-pm--brain-blue)](https://github.com/phuryn/pm-brain)
[![Companion: burnstop](https://img.shields.io/badge/companion-burnstop-blue)](https://github.com/phuryn/burnstop)
[![Companion: claude-usage](https://img.shields.io/badge/companion-claude--usage-blue)](https://github.com/phuryn/claude-usage)
@@ -452,7 +453,7 @@ For PMs and founders accountable for AI-built code. AI agents write code fast bu
- `/document-app` — Reverse-engineer a codebase into the system documents reviewers and auditors need — a core set (architecture, flows, permissions, variables) plus conditional docs (emails, cron, SEO, automation) when they apply
- `/derive-tests` — Turn documented intent into a test-coverage map: inventory the tests that exist today, separate them from proposed tests and unverified gaps, and recommend a green-before-merge CI gate
- `/security-audit-static` — Static security audit: map trust boundaries, cross-reference documented intent, self-refute every finding, and report only evidence-backed risks
- `/performance-audit-static` — Static performance audit: find over-fetching, missing indexes, and caching opportunities, ranked by effort and impact
- `/performance-audit-static` — Static performance audit: find N+1 queries and request waterfalls, over-fetching, missing indexes, and caching opportunities, ranked by effort and impact
**Examples:**