@event4u/agent-config 5.8.0 → 5.9.0

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Shared agent configuration \u2014 skills for AI coding tools (Claude Code, Augment, Cursor, Cline, Windsurf, Gemini CLI).",
-    "version": "5.8.0",
+    "version": "5.9.0",
     "keywords": [
       "agent-config",
       "skills",

package/CHANGELOG.md

@@ -811,6 +811,23 @@ our recommendation order, not its support status.
 > that forces a new era split (`# Era: 5.5.x`, etc.) — see
 > [`docs/contracts/CHANGELOG-conventions.md § Era splits`](docs/contracts/CHANGELOG-conventions.md).
 
+## [5.9.0](https://github.com/event4u-app/agent-config/compare/5.8.0...5.9.0) (2026-06-02)
+
+### Features
+
+* **doctor:** runnable global-only report without a project lockfile ([4c4f20b](https://github.com/event4u-app/agent-config/commit/4c4f20b82eb472ff6b6d84ebac889832ce1329f0))
+* **ci:** release-published drift gate (catch npm lagging main) ([7f4e125](https://github.com/event4u-app/agent-config/commit/7f4e125dd48d0233d33ce8cbb219731a0b501497))
+
+### Bug Fixes
+
+* **release:** anchor --resume to package.json, auto-delete merged branch ([f2db736](https://github.com/event4u-app/agent-config/commit/f2db736c7259845fe204af1ffd293e7f5341a58d))
+
+### Chores
+
+* **roadmap:** close + archive doctor-global-only-readiness ([3d3aaf7](https://github.com/event4u-app/agent-config/commit/3d3aaf739464b9e6613175f352b09a153bdbec90))
+
+Tests: 5480 (+25 since 5.8.0)
+
 ## [5.8.0](https://github.com/event4u-app/agent-config/compare/5.7.0...5.8.0) (2026-06-02)
 
 ### Features

package/dist/discovery/deprecation-report.md

@@ -1,6 +1,6 @@
 # Discovery — Deprecation Report
 
-- Generated: `2026-06-02T02:48:57Z`
+- Generated: `2026-06-02T05:57:08Z`
 - Deprecated artefacts: **0**
 
 _None. Tree is clean._

package/dist/discovery/discovery-manifest.json

@@ -10004,7 +10004,7 @@
       "reason": "scaffold for new SKILL.md authoring"
     }
   ],
-  "generated_at": "2026-06-02T02:48:57Z",
+  "generated_at": "2026-06-02T05:57:08Z",
   "packs": [
     {
       "artefact_count": 85,

package/dist/discovery/discovery-manifest.json.sha256

@@ -1 +1 @@
-a943cc6a13b848ee35ec40fcc64ca9cf0823fffdf944d3d15afa54535ca72d74  discovery-manifest.json
+4b7e6f9a9278cd1129d4cc5d1e5901f0c18b8ef8d741ef2ab7cfc30e567eb0cb  discovery-manifest.json

package/dist/discovery/discovery-manifest.summary.md

@@ -1,6 +1,6 @@
 # Discovery Manifest — Summary
 
-- Generated: `2026-06-02T02:48:57Z`
+- Generated: `2026-06-02T05:57:08Z`
 - Scanner: `ca7acd2ec7af`
 - Artefacts: **453**
 - Unassigned: **0**

package/dist/discovery/orphan-report.md

@@ -1,6 +1,6 @@
 # Discovery — Orphan Report
 
-- Generated: `2026-06-02T02:48:57Z`
+- Generated: `2026-06-02T05:57:08Z`
 - Orphan artefacts: **0**
 
 > An orphan is an artefact whose declared pack has no other members.

package/dist/discovery/packs.json

@@ -1,6 +1,6 @@
 {
   "checksum": "sha256:b55ddc4224e45ec7627ece7c2fd6f043df8c7030efbe50df87573f0da4de4173",
-  "generated_at": "2026-06-02T02:48:57Z",
+  "generated_at": "2026-06-02T05:57:08Z",
   "packs": [
     {
       "artefact_count": 85,

package/dist/discovery/trust-report.md

@@ -1,6 +1,6 @@
 # Discovery — Trust Report
 
-- Generated: `2026-06-02T02:48:57Z`
+- Generated: `2026-06-02T05:57:08Z`
 - Workspaces tracked: **8**
 - Human-review-required artefacts: **2**
 

package/dist/discovery/workspaces.json

@@ -1,6 +1,6 @@
 {
   "checksum": "sha256:b55ddc4224e45ec7627ece7c2fd6f043df8c7030efbe50df87573f0da4de4173",
-  "generated_at": "2026-06-02T02:48:57Z",
+  "generated_at": "2026-06-02T05:57:08Z",
   "scanner_version": "ca7acd2ec7af",
   "workspaces": [
     {

package/dist/mcp/registry-manifest.json

@@ -9,7 +9,7 @@
     "homepage": "https://github.com/event4u-app/agent-config#readme",
     "name": "@event4u/agent-config",
     "repository": "https://github.com/event4u-app/agent-config",
-    "version": "5.8.0"
+    "version": "5.9.0"
   },
   "registries": [
     {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@event4u/agent-config",
-    "version": "5.8.0",
+    "version": "5.9.0",
     "description": "Universal AI Agent OS \u2014 audited skills, governance rules, commands, and templates for AI coding tools (Claude Code, Cursor, Windsurf, Copilot).",
     "license": "MIT",
     "private": false,

package/scripts/_cli/cmd_doctor.py

@@ -23,8 +23,16 @@ mcp-mode · mcp-beta-readiness · offline-readiness · python-runtime ·
 tier-usage-readiness · council-cli · unsupported-combos ·
 wizard-state.
 Each emits a structured ``{id, status, message, remedy}`` record with
-``status`` ∈ ``ok`` / ``warn`` / ``fail`` (rendered ``✅`` / ``⚠️`` /
-``❌``). ``--check <id>`` runs a single check.
+``status`` ∈ ``ok`` / ``warn`` / ``fail`` / ``skipped`` (rendered
+``✅`` / ``⚠️`` / ``❌`` / ``⏭️``). ``--check <id>`` runs a single check.
+
+Checks are split by scope (:data:`GLOBAL_CHECK_IDS` vs
+:data:`MANIFEST_REQUIRED_CHECK_IDS`) so an ADR-020 global-only consumer
+(bridge marker present, no ``agents/installed-tools.lock``) gets a
+green-capable report instead of a hard bail: the global checks run, the
+manifest-required checks report ``skipped``, and ``bridge-drift`` returns
+a scope-aware "drift not applicable" verdict. See :func:`main` for the
+no-manifest branch and exit-code contract.
 
 Repair affordances: ``--repair wizard-state`` resets a malformed or
 orphaned ``state/wizard-state.json`` under the user-global root (the
@@ -455,6 +463,41 @@ CHECK_IDS = (
     "wizard-state",
 )
 
+#: Checks that need only the project root (or no input at all) and run
+#: regardless of whether a project lockfile exists. Under ADR-020
+#: global-only (bridge marker present, no ``installed-tools.lock``) these
+#: still produce a real verdict. ``scope`` lives here because
+#: :func:`_check_scope` reads only ``project_root`` — the roadmap prose
+#: that grouped it with the manifest checks predates this code reality
+#: (AI council, claude-sonnet-4-5 + gpt-4o, design lens, 2026-06-02).
+GLOBAL_CHECK_IDS: frozenset[str] = frozenset({
+    "scope",
+    "global-binary",
+    "mcp-mode",
+    "mcp-beta-readiness",
+    "offline-readiness",
+    "python-runtime",
+    "tier-usage-readiness",
+    "council-cli",
+    "wizard-state",
+})
+
+#: Checks that genuinely cannot run without the project manifest. Without
+#: a lockfile they report ``skipped`` rather than a misleading verdict.
+#: ``bridge-drift`` is deliberately **not** here: it is scope-aware —
+#: a manifest-derived drift roll-up when the lockfile exists, and a
+#: "drift not applicable (global-only consumer)" verdict when it does
+#: not (computed in :func:`_check_bridge_drift_no_manifest`, keeping
+#: :func:`_check_bridge_drift` a pure roll-up per the council's SRP point).
+MANIFEST_REQUIRED_CHECK_IDS: frozenset[str] = frozenset({
+    "manifest-integrity",
+    "lockfile-freshness",
+    "unsupported-combos",
+})
+
+#: Project-root-relative path of the ADR-020 global-only consumer marker.
+BRIDGE_MARKER_RELATIVE = "agents/.event4u-bridge.yml"
+
 #: Repair targets that ``--repair <id>`` accepts. Each id maps to a
 #: function in :func:`_run_repair` that resets the named artefact and
 #: returns an exit code. Additive set: introduce by adding a new id
@@ -476,7 +519,7 @@ MCP_BETA_GATES: tuple[tuple[str, str], ...] = (
 
 #: Visible status → glyph map. ``warn`` keeps a trailing space so the
 #: rendered output stays in a single visual column with the other glyphs.
-STATUS_SYMBOLS = {"ok": "✅", "warn": "⚠️ ", "fail": "❌"}
+STATUS_SYMBOLS = {"ok": "✅", "warn": "⚠️ ", "fail": "❌", "skipped": "⏭️ "}
 
 #: Minimum Python interpreter the CLI targets. Bumped in lockstep with
 #: ``from __future__ import annotations`` + PEP-604 syntax usage.
@@ -1159,6 +1202,131 @@ def _run_checks(
     return out
 
 
+def _skipped_manifest_check(check_id: str) -> dict[str, Any]:
+    """A ``skipped`` verdict for a manifest-required check with no lockfile.
+
+    Explicit machine-readable record (not omitted, not ``null``) so the
+    ``--json`` ``checks`` array keeps a stable shape for a global-only
+    consumer — a council convergence point (2026-06-02).
+    """
+    return {
+        "id": check_id, "status": "skipped",
+        "message": "requires a project lockfile (agents/installed-tools.lock)",
+        "remedy": "run `agent-config init` to create a project lockfile, "
+                  "then re-run this check",
+    }
+
+
+def _check_bridge_drift_no_manifest(bridge_present: bool) -> dict[str, Any]:
+    """Scope-aware ``bridge-drift`` verdict when no project manifest exists.
+
+    Kept out of :func:`_check_bridge_drift` (which stays a pure
+    manifest-derived roll-up) per the council's single-responsibility
+    point. A global-only consumer has no distributed tools to drift, so
+    a bridge-present repo reports ``ok`` ("not applicable"); a repo with
+    neither lockfile nor bridge marker reports ``skipped``.
+    """
+    if bridge_present:
+        return {
+            "id": "bridge-drift", "status": "ok",
+            "message": "no project lockfile → distributed-tool drift not "
+                       "applicable (global-only consumer)",
+            "remedy": "",
+        }
+    return {
+        "id": "bridge-drift", "status": "skipped",
+        "message": "no project lockfile and no bridge marker → drift check "
+                   "not applicable",
+        "remedy": "run `agent-config init` (project install) or "
+                  "`agent-config refresh --project` (global-only consumer)",
+    }
+
+
+def _run_checks_no_manifest(
+    project_root: Path,
+    bridge_present: bool,
+    only: str | None = None,
+) -> list[dict[str, Any]]:
+    """Run the registry with no project manifest available.
+
+    Mirrors :func:`_run_checks` and preserves :data:`CHECK_IDS` order.
+    Global checks (:data:`GLOBAL_CHECK_IDS`) run unchanged; manifest-required
+    checks (:data:`MANIFEST_REQUIRED_CHECK_IDS`) report ``skipped``;
+    ``bridge-drift`` gets the scope-aware no-manifest verdict.
+    """
+    runners: dict[str, Any] = {
+        "scope": lambda: _check_scope(project_root),
+        "global-binary": lambda: _check_global_binary(project_root),
+        "manifest-integrity": lambda: _skipped_manifest_check("manifest-integrity"),
+        "lockfile-freshness": lambda: _skipped_manifest_check("lockfile-freshness"),
+        "bridge-drift": lambda: _check_bridge_drift_no_manifest(bridge_present),
+        "mcp-mode": lambda: _check_mcp_mode(project_root),
+        "mcp-beta-readiness": lambda: _check_mcp_beta_readiness(project_root),
+        "offline-readiness": lambda: _check_offline_readiness(),
+        "python-runtime": lambda: _check_python_runtime(),
+        "tier-usage-readiness": lambda: _check_tier_usage_readiness(project_root),
+        "council-cli": lambda: _check_council_cli(project_root),
+        "unsupported-combos": lambda: _skipped_manifest_check("unsupported-combos"),
+        "wizard-state": _check_wizard_state,
+    }
+    out: list[dict[str, Any]] = []
+    for cid in CHECK_IDS:
+        if only is not None and cid != only:
+            continue
+        out.append(runners[cid]())
+    return out
+
+
+def _run_no_manifest(
+    opts: argparse.Namespace,
+    project_root: Path,
+    origin: str,
+    bridge_present: bool,
+) -> int:
+    """Handle the no-project-lockfile path without the old hard bail.
+
+    Exit-code contract (council-defined, 2026-06-02):
+
+    * ``0`` — bare report for a recognised global-only consumer
+      (bridge marker present), or a single global ``--check`` that passed.
+    * ``1`` — a runnable health check requested via ``--check`` failed.
+    * ``2`` — a requested ``--check`` cannot run (manifest-required check
+      with no lockfile, or ``bridge-drift`` with neither lockfile nor
+      bridge marker), or a bare report in an **uninitialised** repo
+      (neither lockfile nor bridge marker) — preserves the spirit of the
+      pre-existing "run init" signal while still printing a real report.
+    """
+    checks = _run_checks_no_manifest(project_root, bridge_present, only=opts.check)
+    fail_check = any(c["status"] == "fail" for c in checks)
+    skipped_requested = opts.check is not None and any(
+        c["id"] == opts.check and c["status"] == "skipped" for c in checks
+    )
+
+    if opts.json:
+        _emit_json(project_root, [], [], [], [], checks=checks, origin=origin)
+    elif opts.check is None:
+        print(f"  📍  project_root: {project_root} (origin: {origin})")
+        if bridge_present:
+            print("  ℹ️   global-only consumer: bridge marker present, no "
+                  "project lockfile (expected under ADR-020)")
+            print("      project-manifest checks are skipped — they apply only "
+                  "to project-local distributed tools")
+        else:
+            print("  ⚠️   no project lockfile and no bridge marker at "
+                  f"{project_root}", file=sys.stderr)
+            print("      run `agent-config init` (project install) or "
+                  "`agent-config refresh --project` (global-only consumer)",
+                  file=sys.stderr)
+        _emit_checks_text(checks)
+    else:
+        _emit_checks_text(checks)
+
+    if opts.check is not None:
+        if skipped_requested:
+            return 2
+        return 1 if fail_check else 0
+    return 0 if bridge_present else 2
+
 
 def _emit_json(
     project_root: Path,
@@ -1371,17 +1539,12 @@ def main(argv: list[str] | None = None) -> int:
     manifest_pth = installed_tools.manifest_path(project_root)
     manifest = installed_tools.read_manifest(manifest_pth)
     if manifest is None:
-        print(
-            f"❌  doctor: no project lockfile at {manifest_pth}",
-            file=sys.stderr,
-        )
-        print(
-            f"    project_root: {project_root} (origin: {origin})",
-            file=sys.stderr,
-        )
-        print("    run `./agent-config init` to create one",
-              file=sys.stderr)
-        return 2
+        # No project lockfile. Under ADR-020 global-only this is a
+        # legitimate state, not an error — run the lockfile-independent
+        # checks and report consumer state instead of a hard bail. The
+        # per-scope split + exit-code contract live in _run_no_manifest.
+        bridge_present = (project_root / BRIDGE_MARKER_RELATIVE).is_file()
+        return _run_no_manifest(opts, project_root, origin, bridge_present)
 
     records, known = _collect_manifest_entries(project_root, manifest)
     missing, modified, tag_drift = _classify(records)

package/scripts/check_release_published.py

@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+"""
+Release-published drift gate.
+
+Catches the "release merged to main but never tagged/published" failure
+mode — where ``main``'s ``package.json`` claims a version that has no
+matching git tag, and npm's ``latest`` therefore lags behind main. This
+is the backstop that would have surfaced the 5.8.0-stuck-on-5.7.0 state
+the moment it happened, instead of weeks later.
+
+Two independent invariants:
+
+  1. **Tag invariant** (always checkable, no network): the version in
+     ``package.json`` MUST have a matching git tag (local or remote).
+  2. **npm invariant** (``--check-npm``, network): ``npm view <pkg>
+     dist-tags.latest`` MUST equal the ``package.json`` version.
+
+Scope guard: this only makes sense on the release trunk. Off ``main``
+(e.g. a feature branch, or a ``release/X.Y.Z`` branch mid-flight where
+the bump legitimately precedes the tag) the gate **no-ops** unless
+``--strict`` is combined with an explicit on-main signal. The daily
+scheduled workflow runs ``--strict --check-npm`` on ``main``; the local
+``task check-release-published`` runs the tag invariant only.
+
+Exit codes: 0 = pass / no-op · 1 = drift detected · 3 = internal error.
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")
+REPO_ROOT = Path(__file__).resolve().parent.parent
+PACKAGE_JSON = REPO_ROOT / "package.json"
+MAIN_BRANCH = "main"
+
+
+def _git(*args: str) -> tuple[int, str]:
+    proc = subprocess.run(["git", *args], capture_output=True, text=True, check=False)
+    return proc.returncode, (proc.stdout or "").strip()
+
+
+def _package_version() -> str:
+    data = json.loads(PACKAGE_JSON.read_text(encoding="utf-8"))
+    return str(data["version"])
+
+
+def _package_name() -> str:
+    data = json.loads(PACKAGE_JSON.read_text(encoding="utf-8"))
+    return str(data["name"])
+
+
+def _tag_exists(tag: str) -> bool:
+    rc, out = _git("tag", "-l", tag)
+    if rc == 0 and tag in out.splitlines():
+        return True
+    rc, _ = _git("ls-remote", "--exit-code", "--tags", "origin", tag)
+    return rc == 0
+
+
+def _on_main() -> bool:
+    # Local checkout, CI push ref, or CI scheduled ref all map to main.
+    ref = os.environ.get("GITHUB_REF", "")
+    if ref in ("refs/heads/main", "refs/heads/master"):
+        return True
+    rc, head = _git("rev-parse", "--abbrev-ref", "HEAD")
+    return rc == 0 and head == MAIN_BRANCH
+
+
+def _npm_latest(pkg: str) -> str | None:
+    proc = subprocess.run(
+        ["npm", "view", pkg, "dist-tags.latest"],
+        capture_output=True, text=True, check=False,
+    )
+    if proc.returncode != 0:
+        return None
+    return (proc.stdout or "").strip() or None
+
+
+def main(argv: list[str] | None = None) -> int:
+    ap = argparse.ArgumentParser(description="Release-published drift gate.")
+    ap.add_argument("--strict", action="store_true",
+                    help="Fail on drift (default: informational, exit 0).")
+    ap.add_argument("--check-npm", action="store_true",
+                    help="Also assert npm dist-tags.latest == package.json version (network).")
+    ap.add_argument("--require-main", action="store_true",
+                    help="Only enforce when on main; no-op elsewhere (default for scheduled).")
+    args = ap.parse_args(argv)
+
+    try:
+        version = _package_version()
+    except (OSError, KeyError, json.JSONDecodeError) as exc:
+        print(f"❌  cannot read package.json version: {exc}", file=sys.stderr)
+        return 3
+    if not SEMVER_RE.match(version):
+        print(f"❌  package.json version is not semver: {version!r}", file=sys.stderr)
+        return 3
+
+    if args.require_main and not _on_main():
+        print(f"ℹ️  not on {MAIN_BRANCH} — release-published gate skipped.")
+        return 0
+
+    problems: list[str] = []
+
+    if not _tag_exists(version):
+        problems.append(
+            f"package.json is {version} but no git tag {version} exists "
+            f"(local or origin) — the release was bumped/merged but never "
+            f"tagged. Complete it: tag the release-merge commit and push "
+            f"(triggers publish-npm.yml), e.g. `git tag {version} && git "
+            f"push origin {version}`."
+        )
+
+    if args.check_npm:
+        pkg = _package_name()
+        latest = _npm_latest(pkg)
+        if latest is None:
+            print(f"⚠️  could not read npm dist-tags.latest for {pkg} "
+                  f"(network/registry) — npm invariant not checked.", file=sys.stderr)
+        elif latest != version:
+            problems.append(
+                f"npm {pkg}@latest is {latest} but package.json is {version} "
+                f"— the published release lags main. Check publish-npm.yml "
+                f"for tag {version}, or re-dispatch it."
+            )
+
+    if not problems:
+        suffix = " + npm" if args.check_npm else ""
+        print(f"✅  release-published: {version} is tagged{suffix} and in sync.")
+        return 0
+
+    header = "❌  Release-published drift:" if args.strict else "⚠️  Release-published drift (warn-only):"
+    print(header, file=sys.stderr)
+    for p in problems:
+        print(f"  - {p}", file=sys.stderr)
+    return 1 if args.strict else 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/scripts/release.py

@@ -665,7 +665,7 @@ def execute(
     resume: bool = False,
 ) -> None:
     branch = f"release/{plan.target}"
-    total = 9
+    total = 10
 
     if dry_run:
         print("(dry-run) no git/gh mutations will be performed.")
@@ -842,6 +842,25 @@ def execute(
             "--notes", notes,
         )
 
+    # ─── 10. delete the merged release branch (local + remote) ───────────────
+    # Branch hygiene: a merged-but-undeleted release/X.Y.Z is what made
+    # `--resume` mis-detect an old version. Delete it now so it can never
+    # accumulate. Idempotent — skips whatever is already gone. Never touches
+    # `main` or any tag.
+    if dry_run:
+        _step(10, total, f"Would delete merged branch {branch} (local + remote)")
+    else:
+        deleted = []
+        if _branch_exists_local(branch) and \
+                git("rev-parse", "--abbrev-ref", "HEAD", capture=True) != branch:
+            run("git", "branch", "-D", branch, check=False)
+            deleted.append("local")
+        if _branch_exists_remote(branch):
+            run("git", "push", REMOTE, "--delete", branch, check=False)
+            deleted.append("remote")
+        where = " + ".join(deleted) if deleted else "already gone"
+        _step(10, total, f"Delete merged branch {branch} ({where})")
+
     print()
     print(f"✅  Released {plan.target}")
     print(f"   https://github.com/{REPO_SLUG}/releases/tag/{plan.target}")
@@ -904,43 +923,47 @@ _RELEASE_BRANCH_RE = re.compile(r"^release/(\d+\.\d+\.\d+)$")
 
 
 def _detect_in_flight_target() -> str | None:
-    """Find the in-flight release target from existing release branches.
-
-    Resume mode needs to know which `release/X.Y.Z` is being recovered,
-    not what the next bump would be. The release branch name is the
-    canonical anchor: it was committed by step 1 of an earlier run and
-    is the only state guaranteed to survive a partial pipeline.
-
-    Local branches win over remote, current-branch wins over both — if
-    you ran `git checkout release/1.15.0`, that's the target. Returns
-    None if no release branch exists; caller falls back to the regular
-    bump-inference path.
+    """Find the in-flight release target — the SOURCE OF TRUTH is package.json.
+
+    An "in-flight" release is one whose version was already bumped into
+    ``main``'s ``package.json`` (and possibly merged) but whose tag has not
+    yet been pushed — i.e. the publish step never completed. The canonical
+    anchor is therefore ``package.json`` version `V` **with no matching tag
+    `V`**, NOT the set of ``release/X.Y.Z`` branches.
+
+    Why not the branch set: merged release branches are frequently left
+    undeleted on the remote, so "highest existing release/* branch" can
+    resolve to an OLD, already-published version (e.g. picking 5.4.0 while
+    5.8.0 is the real in-flight target) and tag a downgrade. The package.json
+    version cannot lie that way — it is the version main currently claims to
+    be, and an untagged claim is exactly an incomplete release.
+
+    Resolution order:
+      1. If HEAD is on a ``release/X.Y.Z`` branch, that explicit checkout wins.
+      2. Else: read ``package.json`` version `V`. If tag `V` does not exist
+         (local or remote), `V` is the in-flight target. If it is already
+         tagged, the release is complete → return None (regular bump path).
+
+    Stale ``release/*`` branches are never used for version detection.
     """
     head = git("rev-parse", "--abbrev-ref", "HEAD", capture=True)
     m = _RELEASE_BRANCH_RE.match(head)
     if m:
         return m.group(1)
 
-    local_raw = git("for-each-ref", "--format=%(refname:short)", "refs/heads/release/", capture=True)
-    candidates = [
-        m.group(1)
-        for line in local_raw.splitlines()
-        if (m := _RELEASE_BRANCH_RE.match(line.strip()))
-    ]
-    remote_raw = git(
-        "for-each-ref", "--format=%(refname:short)",
-        f"refs/remotes/{REMOTE}/release/", capture=True,
-    )
-    for line in remote_raw.splitlines():
-        bare = line.strip().removeprefix(f"{REMOTE}/")
-        if (m := _RELEASE_BRANCH_RE.match(bare)):
-            candidates.append(m.group(1))
+    try:
+        version = json.loads(PACKAGE_JSON.read_text(encoding="utf-8"))["version"]
+    except (OSError, KeyError, json.JSONDecodeError):
+        return None
+    try:
+        parse_version(version)
+    except Exception:
+        return None
 
-    if not candidates:
+    # An already-tagged version is a completed release, not in-flight.
+    if _tag_exists_local(version) or _tag_exists_remote(version):
         return None
-    # Sort semver-aware so 1.10.0 > 1.9.0 (lexicographic would lose).
-    candidates.sort(key=parse_version)
-    return candidates[-1]
+    return version
 
 
 def main(argv: list[str] | None = None) -> int:
@@ -961,7 +984,7 @@ def main(argv: list[str] | None = None) -> int:
         target = args.explicit
     elif in_flight:
         target = in_flight
-        print(f"(resume) detected in-flight release branch release/{in_flight}")
+        print(f"(resume) in-flight target {in_flight} (package.json version with no tag yet)")
     else:
         target = bump_version(current, bump)
     parse_version(target)