npm - @williambeto/ai-workflow - Versions diffs - 1.18.15 → 1.18.16 - Mend

@williambeto/ai-workflow 1.18.15 → 1.18.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +8 -0
package/package.json +2 -1
package/packages/ai-workflow/src/core/package-assets.js +15 -0
package/packages/ai-workflow/src/core/templates.js +6 -4
package/runbooks/publication-readiness-checklist.md +6 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## [1.18.16](https://github.com/williambeto/ai-workflow/compare/v1.18.15...v1.18.16) (2026-05-22)
+### Bug Fixes
+* **audit:** harden artifact safety and align CLI/OpenCode catalog ([047c3bd](https://github.com/williambeto/ai-workflow/commit/047c3bd92d2d7fd3bc7bef2afc5f29a8fba441e9))
+* **audit:** harden artifact safety and align CLI/OpenCode catalog ([a13f489](https://github.com/williambeto/ai-workflow/commit/a13f489c1a5cc7a06ba67580b30dd30f670d9b62))
 ## [1.18.15](https://github.com/williambeto/ai-workflow/compare/v1.18.14...v1.18.15) (2026-05-22)

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "1.18.15",
+  "version": "1.18.16",
   "name": "@williambeto/ai-workflow",
   "description": "AI Workflow Kit repository for designing and validating AI-assisted software delivery workflows with Codex and OpenCode",
   "license": "MIT",
@@ -56,6 +56,7 @@
     "validate:json": "node scripts/validate-json.mjs",
     "validate:structure": "node scripts/validate-structure.mjs",
     "validate:refs": "node scripts/validate-refs.mjs",
+    "validate:artifact-safety": "node scripts/validate-artifact-safety.mjs",
     "validate:links": "node scripts/validate-links.mjs",
     "validate:docs-consistency": "node scripts/validate-doc-consistency.mjs",
     "validate:workflow": "node scripts/validate-workflow.mjs",

package/packages/ai-workflow/src/core/package-assets.js CHANGED Viewed

@@ -38,6 +38,21 @@ export function readPackageFile(relativePath) {
   }
 }
+/**
+ * Resolve the current kit version from package metadata.
+ * Returns null if package.json cannot be read/parsed.
+ */
+export function getPackageVersion() {
+  try {
+    const raw = readPackageFile("package.json");
+    if (!raw) return null;
+    const parsed = JSON.parse(raw);
+    return typeof parsed.version === "string" ? parsed.version : null;
+  } catch {
+    return null;
+  }
+}
 /**
  * Discover ALL files under a package-relative directory.
  * Returns a flat map of { relativePath: content }.

package/packages/ai-workflow/src/core/templates.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { getFullAgentContent, getFullSkillFiles, discoverPackageFiles, readPackageFile } from "./package-assets.js";
+import { getFullAgentContent, getFullSkillFiles, discoverPackageFiles, readPackageFile, getPackageVersion } from "./package-assets.js";
 const COMMON_FILES = {
   "README.workflow.md": `# AI Workflow Setup\n\nThis project is configured for Codex and OpenCode workflows via \`ai-workflow\`.\n\n## Quick start\n\n1. Run validation command for your project.\n2. Start your AI workflow using repository prompts and agent commands.\n3. Keep changes small and evidence-based.\n`,
@@ -101,6 +101,7 @@ const FULL_PRIMARY_AGENTS = [
   "release-manager",
   "wordpress-engineer",
   "prompt-engineer",
+  "spec-engineer",
   "orchestrator"
 ];
@@ -114,7 +115,6 @@ const FULL_SKILLS = [
   "interface-design",
   "minimal-context",
   "napkin",
-  "nuxt-dashboard-workflow",
   "opencode-agent-design",
   "playwright-cli",
   "product-manager",
@@ -123,10 +123,12 @@ const FULL_SKILLS = [
   "tech-lead",
   "tester",
   "token-economy",
-  "vue-clean-architecture",
+  "vue-nuxt",
   "wordpress-engineer"
 ];
+const KIT_VERSION = getPackageVersion() ?? "unknown";
 function buildFullFiles() {
   const files = {};
@@ -249,7 +251,7 @@ export function buildAiWorkflowConfig({ profile, managedFiles, managedLinks = []
   return {
     $schema: "./schemas/ai-workflow.schema.json",
     version: 2,
-    kitVersion: "0.1.0",
+    kitVersion: KIT_VERSION,
     mode: "standalone",
     profile,
     installedAt: now,

package/runbooks/publication-readiness-checklist.md CHANGED Viewed

@@ -16,14 +16,20 @@ Use this checklist before making the GitHub repository public or before a major
 - [ ] GitHub-only folders (`evidence/`, `examples/`, `variants/`, `scripts/`, `tests/`) are appropriate for public readers.
 - [ ] CI and publish workflows reference secrets through GitHub Actions secrets only.
 - [ ] `npm run validate` passes.
+- [ ] Local source archives are created with safe commands (`git archive`), not ad-hoc workspace zips.
+- [ ] Local package inspection uses `npm pack --dry-run` and confirms no secrets or `.git/` content.
 ## Suggested verification commands
 ```bash
 npm run validate
+npm pack --dry-run
+git archive --format=zip --output ai-workflow-source.zip HEAD
 grep -R --exclude=publication-readiness-checklist.md "/home/" README.md docs runbooks evidence packages examples variants || true
 grep -R --exclude=publication-readiness-checklist.md "private preview\|private-preview\|not ready for broad public" README.md docs runbooks packages evidence || true
 grep -R --exclude=publication-readiness-checklist.md "arco-ptp" README.md docs runbooks packages evidence || true
 ```
 Review any matches before publication. Some historical references may be acceptable only when they are explicitly anonymized or explained.
+Avoid manually zipping the working directory (`zip -r .`) for distribution, because it can accidentally include `.env*`, `.git/`, and other local-only files.