mirror of
https://github.com/phuryn/pm-skills.git
synced 2026-07-13 19:55:16 +03:00
18468a95b4
pm-ai-shipping: mandatory Evidence citations verified before reporting, concrete subagent fan-out contract, read-only allowed-tools on both audits, N+1/waterfall detection and a refute pass in the performance audit, untrusted-input hardening across the kit, parallel audits in /ship-check, severity anchors + report consolidation, repo-relative paths. Repo: CHANGELOG.md as release source of truth with auto-tag-and-release on merge to main (adapted from phuryn/claude-usage, minus the .vsix build), Tests workflow on every PR/push, unit + docs-consistency test suite, contributor-credit conventions in CONTRIBUTING, all manifests synced at 2.1.0. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011URgT9hYuNrXeCvzjnqRxJ
2.8 KiB
2.8 KiB
Changelog
v2.1.0 — 2026-07-03
pm-ai-shipping
/security-audit-staticfindings now carry a mandatory Evidence line (file:line+ verbatim snippet), and every citation is re-verified against the file before the final report ships.- Subagent fan-out has a concrete trigger (scope over ~30 files / ~5,000 lines) and a structured candidate-record contract, so parallel audit slices merge cleanly into one self-refute pass.
/performance-audit-staticnow hunts N+1 queries and request waterfalls — the most common perf failure in AI-generated code — alongside over-fetching, indexes, and caching, and gained a refute-before-reporting pass (dynamic field access, existing indexes, hot-path evidence).- Both audit commands pre-approve a read-only toolset (
allowed-tools): read, search, fan out, and write underreports/— never edit the code under audit. - The audited repo is treated as untrusted input across the kit: instructions embedded in code, comments, or docs are data to analyze — a steering attempt is itself a finding — never directives to follow.
/ship-checkruns the security and performance audits as parallel subagents once the docs exist.- Security reports gained severity anchors (what Critical/High/Medium/Low mean) and a consolidation rule (more than ~12 findings → lead with the worst, group the tail by root cause).
- Docs and reports now use repo-relative paths (
documentation/,reports/) — the old absolute forms (/documentation) could resolve to the filesystem root — and reports are always written, with the path announced, instead of "optionally".
Repo
- Added this
CHANGELOG.mdas the release source of truth with auto-tag-and-release on merge (adapted from claude-usage): pushing a new## vX.Y.Zheading tomaintags that version and publishes a GitHub Release with the section as notes — gated on the test suite and a version-sync check. - Added a test suite (
tests/) and a Tests workflow (every PR and push tomain): plugin-spec validation plus docs consistency — README skill/command counts vs. disk, marketplace plugin list vs. directories, version sync across all manifests, CHANGELOG format. - CONTRIBUTING now documents the changelog convention (every user-facing change gets a bullet; contributors credited inline) and the release procedure.
- Docs since v2.0.0: native Codex CLI install path; companion badges (burnstop, claude-usage).
v2.0.0 — 2026-06-05
- Added the pm-ai-shipping plugin (AI Shipping Kit):
/ship-check,/document-app,/derive-tests,/security-audit-static,/performance-audit-static, plus theshipping-artifactsandintended-vs-implementedskills. - Added the
strategy-red-teamskill and/red-team-prdcommand to pm-execution. - Refreshed the root README; added
CLAUDE.md/AGENTS.mdagent guidance.