@wipcomputer/wip-ai-devops-toolbox 1.9.20

package/tools/deploy-public/deploy-public.sh

@@ -0,0 +1,264 @@
+#!/usr/bin/env bash
+#
+# deploy-public.sh ... sync a private repo to its public counterpart
+#
+# Usage:
+#   bash deploy-public.sh <private-repo-path> <public-github-repo>
+#
+# Example:
+#   bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal
+#
+# Convention:
+#   - Private repo: {name}-private (where all work happens)
+#   - Public repo:  {name} (deployment target, never work here directly)
+#   - ai/ folder is excluded from public deploys
+#   - Old ai/ in public git history is fine, just not going forward
+#
+# Location: wip-dev-guide-private/scripts/deploy-public.sh (one script for all repos)
+
+set -euo pipefail
+
+PRIVATE_REPO="$1"
+PUBLIC_REPO="$2"
+
+if [[ -z "$PRIVATE_REPO" || -z "$PUBLIC_REPO" ]]; then
+  echo "Usage: bash deploy-public.sh <private-repo-path> <public-github-repo>"
+  echo "Example: bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal"
+  exit 1
+fi
+
+if [[ ! -d "$PRIVATE_REPO/.git" ]]; then
+  echo "Error: $PRIVATE_REPO is not a git repository"
+  exit 1
+fi
+
+# ── Safety: never deploy back to the source repo ──
+# Extract the private repo's GitHub org/name from its remote URL
+PRIVATE_REMOTE=$(cd "$PRIVATE_REPO" && git remote get-url origin 2>/dev/null | sed 's/.*github.com[:/]\(.*\)\.git/\1/' || echo "")
+
+if [[ -n "$PRIVATE_REMOTE" && "$PRIVATE_REMOTE" == "$PUBLIC_REPO" ]]; then
+  echo "ERROR: PUBLIC_REPO ($PUBLIC_REPO) is the same as the private repo's origin ($PRIVATE_REMOTE)."
+  echo "This would deploy sanitized code (no ai/) back to the source repo and destroy files."
+  echo "Did you mean to target the public counterpart instead?"
+  exit 1
+fi
+
+if [[ "$PUBLIC_REPO" == *"-private"* ]]; then
+  echo "ERROR: PUBLIC_REPO ($PUBLIC_REPO) contains '-private'."
+  echo "deploy-public.sh should only target public repos. Private repos have ai/ folders that would be destroyed."
+  exit 1
+fi
+
+# Get the latest commit message from private repo
+COMMIT_MSG=$(cd "$PRIVATE_REPO" && git log -1 --pretty=format:"%s")
+COMMIT_HASH=$(cd "$PRIVATE_REPO" && git log -1 --pretty=format:"%h")
+
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "$TMPDIR"' EXIT
+
+# ── Auto-create public repo if it doesn't exist ──
+REPO_EXISTS=$(gh repo view "$PUBLIC_REPO" --json name -q '.name' 2>/dev/null || echo "")
+if [[ -z "$REPO_EXISTS" ]]; then
+  echo "Public repo $PUBLIC_REPO does not exist. Creating..."
+  DESCRIPTION=$(cd "$PRIVATE_REPO" && node -p "require('./package.json').description" 2>/dev/null || echo "")
+  gh repo create "$PUBLIC_REPO" --public --description "${DESCRIPTION:-Synced from private repo}" 2>/dev/null
+  echo "  + Created $PUBLIC_REPO"
+  EMPTY_REPO=true
+else
+  EMPTY_REPO=false
+  # Verify the resolved repo is actually the one we asked for (catch GitHub redirects)
+  RESOLVED_NAME=$(gh repo view "$PUBLIC_REPO" --json nameWithOwner -q '.nameWithOwner' 2>/dev/null || echo "")
+  if [[ -n "$RESOLVED_NAME" && "$RESOLVED_NAME" != "$PUBLIC_REPO" ]]; then
+    echo "ERROR: GitHub redirected $PUBLIC_REPO to $RESOLVED_NAME."
+    echo "The public repo doesn't actually exist. A repo with a similar name is redirecting."
+    echo "Create the public repo first: gh repo create $PUBLIC_REPO --public"
+    exit 1
+  fi
+fi
+
+echo "Cloning public repo $PUBLIC_REPO..."
+gh repo clone "$PUBLIC_REPO" "$TMPDIR/public" -- --depth 1 2>/dev/null || {
+  echo "Public repo is empty. Initializing..."
+  mkdir -p "$TMPDIR/public"
+  cd "$TMPDIR/public"
+  git init
+  git remote add origin "git@github.com:${PUBLIC_REPO}.git"
+  cd - > /dev/null
+  EMPTY_REPO=true
+}
+
+echo "Syncing files from private repo (excluding ai/, .git/)..."
+
+# Remove all tracked files in public (except .git) so deleted files get removed
+find "$TMPDIR/public" -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
+
+# rsync from private, excluding ai/ and .git/
+rsync -a \
+  --exclude='ai/' \
+  --exclude='_trash/' \
+  --exclude='.git/' \
+  --exclude='.DS_Store' \
+  --exclude='.wrangler/' \
+  --exclude='.claude/' \
+  --exclude='CLAUDE.md' \
+  "$PRIVATE_REPO/" "$TMPDIR/public/"
+
+cd "$TMPDIR/public"
+
+# Check if there are changes
+if git diff --quiet HEAD -- 2>/dev/null && git diff --cached --quiet HEAD -- 2>/dev/null && [[ -z "$(git ls-files --others --exclude-standard)" ]]; then
+  echo "No changes to deploy."
+  exit 0
+fi
+
+# Harness ID for branch prefix. Set HARNESS_ID env var, or auto-detect from private repo path.
+if [[ -z "${HARNESS_ID:-}" ]]; then
+  case "$PRIVATE_REPO" in
+    *"Claude Code - Mini"*) HARNESS_ID="cc-mini" ;;
+    *"Claude Code - MBA"*)  HARNESS_ID="cc-air" ;;
+    *"Lēsa"*)               HARNESS_ID="oc-lesa-mini" ;;
+    *)                       HARNESS_ID="deploy" ;;
+  esac
+fi
+BRANCH="$HARNESS_ID/deploy-$(date +%Y%m%d-%H%M%S)"
+
+git add -A
+git commit -m "$COMMIT_MSG (from $COMMIT_HASH)"
+
+if [[ "$EMPTY_REPO" == "true" ]]; then
+  # Empty repo: push directly to main (no base branch to PR against)
+  echo "Pushing initial commit to main on $PUBLIC_REPO..."
+  git branch -M main
+  git push -u origin main
+  gh repo edit "$PUBLIC_REPO" --default-branch main 2>/dev/null || true
+  PR_URL="(initial push, no PR)"
+  echo "  + Initial commit pushed to main"
+else
+  git checkout -b "$BRANCH"
+
+  echo "Pushing branch $BRANCH to $PUBLIC_REPO..."
+  git push -u origin "$BRANCH"
+
+  echo "Creating PR..."
+  PR_URL=$(gh pr create -R "$PUBLIC_REPO" \
+    --head "$BRANCH" \
+    --title "$COMMIT_MSG" \
+    --body "Synced from private repo (commit $COMMIT_HASH).")
+
+  echo "Merging PR..."
+  PR_NUMBER=$(echo "$PR_URL" | grep -o '[0-9]*$')
+  gh pr merge "$PR_NUMBER" -R "$PUBLIC_REPO" --merge --delete-branch
+
+  # Clean up any other non-main branches on public repo
+  echo "Checking for stale branches on public repo..."
+  STALE_BRANCHES=$(gh api "repos/$PUBLIC_REPO/branches" --paginate --jq '.[].name' 2>/dev/null | grep -v '^main$' || true)
+  if [[ -n "$STALE_BRANCHES" ]]; then
+    STALE_COUNT=$(echo "$STALE_BRANCHES" | wc -l | tr -d ' ')
+    echo "  Found $STALE_COUNT stale branch(es). Deleting..."
+    echo "$STALE_BRANCHES" | while read -r stale; do
+      gh api -X DELETE "repos/$PUBLIC_REPO/git/refs/heads/$stale" 2>/dev/null && echo "  ✓ Deleted $stale" || echo "  ! Could not delete $stale"
+    done
+  else
+    echo "  ✓ No stale branches"
+  fi
+
+  echo "Code synced via PR: $PR_URL"
+fi
+
+# ── Sync release to public repo ──
+# If the private repo has a version tag, create a matching release on the public repo.
+# Pulls full release notes from the private repo and rewrites any private repo references.
+
+# Try package.json first, fall back to latest git tag
+VERSION=$(cd "$PRIVATE_REPO" && node -p "require('./package.json').version" 2>/dev/null || echo "")
+if [[ -z "$VERSION" ]]; then
+  # No package.json. Use the latest version tag (v*) in the repo
+  TAG=$(cd "$PRIVATE_REPO" && git tag -l 'v*' --sort=-version:refname 2>/dev/null | head -1 || echo "")
+  if [[ -n "$TAG" ]]; then
+    VERSION="${TAG#v}"
+  fi
+fi
+if [[ -n "$VERSION" ]]; then
+  TAG="v$VERSION"
+  EXISTING=$(gh release view "$TAG" -R "$PUBLIC_REPO" --json tagName 2>/dev/null || echo "")
+  if [[ -z "$EXISTING" ]]; then
+    # Get the private repo's GitHub path (e.g., wipcomputer/memory-crystal-private)
+    PRIVATE_GH=$(cd "$PRIVATE_REPO" && git remote get-url origin | sed 's/.*github.com[:/]\(.*\)\.git/\1/')
+
+    # Pull full release notes from private repo
+    NOTES=$(gh release view "$TAG" -R "$PRIVATE_GH" --json body -q '.body' 2>/dev/null || echo "")
+
+    if [[ -z "$NOTES" || "$NOTES" == "null" ]]; then
+      NOTES="Release $TAG"
+    else
+      # Rewrite private repo references to public repo
+      NOTES=$(echo "$NOTES" | sed "s|$PRIVATE_GH|$PUBLIC_REPO|g")
+    fi
+
+    echo "Creating release $TAG on $PUBLIC_REPO..."
+    gh release create "$TAG" -R "$PUBLIC_REPO" --title "$TAG" --notes "$NOTES" 2>/dev/null && echo "  ✓ Release $TAG created on $PUBLIC_REPO" || echo "  ✗ Release creation failed (non-fatal)"
+  else
+    # Update existing release notes (in case they were incomplete)
+    PRIVATE_GH=$(cd "$PRIVATE_REPO" && git remote get-url origin | sed 's/.*github.com[:/]\(.*\)\.git/\1/')
+    NOTES=$(gh release view "$TAG" -R "$PRIVATE_GH" --json body -q '.body' 2>/dev/null || echo "")
+    if [[ -n "$NOTES" && "$NOTES" != "null" ]]; then
+      NOTES=$(echo "$NOTES" | sed "s|$PRIVATE_GH|$PUBLIC_REPO|g")
+      gh release edit "$TAG" -R "$PUBLIC_REPO" --notes "$NOTES" 2>/dev/null && echo "  ✓ Release $TAG notes updated on $PUBLIC_REPO" || true
+    fi
+    echo "  Release $TAG exists on $PUBLIC_REPO (notes synced)"
+  fi
+fi
+
+# ── npm publish from public repo (#100) ──
+# After syncing code and release, publish to npm from the public clone.
+# Only if package.json exists and private !== true.
+
+if [[ -n "${VERSION:-}" ]]; then
+  # Re-clone public for npm publish (the previous tmpdir might be gone)
+  NPM_TMPDIR=$(mktemp -d)
+  gh repo clone "$PUBLIC_REPO" "$NPM_TMPDIR/public" -- --depth 1 2>/dev/null
+
+  if [[ -f "$NPM_TMPDIR/public/package.json" ]]; then
+    IS_PRIVATE=$(cd "$NPM_TMPDIR/public" && node -p "require('./package.json').private || false" 2>/dev/null)
+    echo "Publishing to npm from public repo..."
+    NPM_TOKEN=$(OP_SERVICE_ACCOUNT_TOKEN=$(cat ~/.openclaw/secrets/op-sa-token) \
+      op item get "npm Token" --vault "Agent Secrets" --fields label=password --reveal 2>/dev/null || echo "")
+    if [[ -n "$NPM_TOKEN" ]]; then
+      cd "$NPM_TMPDIR/public"
+
+      # Publish root package (if not private)
+      if [[ "$IS_PRIVATE" != "true" ]]; then
+        echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
+        npm publish --access public 2>/dev/null && echo "  ✓ Published root package to npm" || echo "  ✗ Root npm publish failed (non-fatal)"
+        rm -f .npmrc
+      else
+        echo "  - Root package is private. Skipping root npm publish."
+      fi
+
+      # For toolbox repos: publish each sub-tool regardless of root private status
+      if [[ -d "tools" ]]; then
+        for TOOL_DIR in tools/*/; do
+          if [[ -f "${TOOL_DIR}package.json" ]]; then
+            TOOL_PRIVATE=$(node -p "require('./${TOOL_DIR}package.json').private || false" 2>/dev/null)
+            if [[ "$TOOL_PRIVATE" != "true" ]]; then
+              TOOL_NAME=$(node -p "require('./${TOOL_DIR}package.json').name" 2>/dev/null)
+              echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "${TOOL_DIR}.npmrc"
+              (cd "$TOOL_DIR" && npm publish --access public 2>/dev/null) && echo "  ✓ Published $TOOL_NAME to npm" || echo "  ✗ npm publish failed for $TOOL_NAME (non-fatal)"
+              rm -f "${TOOL_DIR}.npmrc"
+            fi
+          fi
+        done
+      fi
+
+      cd - > /dev/null
+    else
+      echo "  ! npm Token not found in 1Password. Skipping npm publish."
+    fi
+  fi
+  rm -rf "$NPM_TMPDIR"
+fi
+
+echo "Done. Public repo updated."
+echo "  PR: $PR_URL"
+echo "  Commit: $COMMIT_MSG (from $COMMIT_HASH)"
+[[ -n "${VERSION:-}" ]] && echo "  Release: v$VERSION"

package/tools/deploy-public/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@wipcomputer/deploy-public",
+  "version": "1.9.20",
+  "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
+  "bin": {
+    "deploy-public": "./deploy-public.sh"
+  },
+  "license": "MIT"
+}

package/tools/ldm-jobs/LICENSE

@@ -0,0 +1,52 @@
+Dual License: MIT + AGPLv3
+
+Copyright (c) 2026 WIP Computer, Inc.
+
+
+1. MIT License (local and personal use)
+---------------------------------------
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+2. GNU Affero General Public License v3.0 (commercial and cloud use)
+--------------------------------------------------------------------
+
+If you run this software as part of a hosted service, cloud platform,
+marketplace listing, or any network-accessible offering for commercial
+purposes, the AGPLv3 terms apply. You must either:
+
+  a) Release your complete source code under AGPLv3, or
+  b) Obtain a commercial license.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+
+AGPLv3 for personal use is free. Commercial licenses available.

package/tools/ldm-jobs/README.md

@@ -0,0 +1,46 @@
+# LDM Dev Tools Jobs
+
+Shell scripts that power the LDM Dev Tools.app scheduled automation. These are the same scripts bundled inside the `.app` at `Contents/Resources/jobs/`. Committed here so the logic is fully readable and auditable without installing the app.
+
+## Jobs
+
+### backup.sh
+
+Daily backup. Delegates to Lesa's backup script.
+
+### branch-protect.sh
+
+Audits all repos in the `wipcomputer` GitHub org. Enforces branch protection on any repo missing it. Reports results.
+
+### visibility-audit.sh
+
+Audits all public repos in the `wipcomputer` GitHub org for missing `-private` counterparts. Uses `wip-repo-permissions-hook` CLI.
+
+### setup-shell.sh
+
+One-time shell environment setup for new machines. Configures:
+- **tmux mouse scrolling** ... `set -g mouse on` in `~/.tmux.conf`. Trackpad scrolling works inside tmux sessions.
+
+Idempotent. Safe to re-run.
+
+## Usage
+
+These scripts can be run standalone (no `.app` required):
+
+```bash
+bash tools/ldm-jobs/backup.sh
+bash tools/ldm-jobs/branch-protect.sh
+bash tools/ldm-jobs/visibility-audit.sh
+```
+
+Or via the macOS app wrapper (which provides Full Disk Access for scripts that need it):
+
+```bash
+open -W ~/Applications/LDMDevTools.app --args backup
+open -W ~/Applications/LDMDevTools.app --args branch-protect
+open -W ~/Applications/LDMDevTools.app --args visibility-audit
+```
+
+## App Source
+
+The LDM Dev Tools.app is a minimal native macOS launcher that runs these shell scripts with Full Disk Access permissions. The app binary source is not yet committed. The automation logic lives entirely in these `.sh` files.

package/tools/ldm-jobs/backup.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# Job: daily backup
+# Calls Lesa's existing backup script
+
+SCRIPT="$HOME/Documents/wipcomputer--mac-mini-01/staff/Lēsa/scripts/daily-backup.sh"
+
+echo "=== Backup started: $(date) ==="
+
+if [ -f "$SCRIPT" ]; then
+  /bin/bash "$SCRIPT"
+else
+  echo "ERROR: backup script not found at $SCRIPT"
+  exit 1
+fi
+
+echo "=== Backup finished: $(date) ==="

package/tools/ldm-jobs/branch-protect.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Job: audit and enforce branch protection across all org repos
+# Runs daily. Adds protection to any repo missing it.
+
+echo "=== Branch protection audit: $(date) ==="
+
+ORG="wipcomputer"
+FIXED=0
+SKIPPED=0
+ALREADY=0
+
+repos=$(gh repo list "$ORG" --limit 200 --json name,isArchived -q '.[] | select(.isArchived == false) | .name')
+
+for repo in $repos; do
+  result=$(gh api "repos/$ORG/$repo/branches/main/protection" 2>&1)
+
+  if echo "$result" | grep -q "enforce_admins"; then
+    ALREADY=$((ALREADY + 1))
+  elif echo "$result" | grep -q "Branch not protected"; then
+    echo "FIXING: $repo"
+    gh api "repos/$ORG/$repo/branches/main/protection" -X PUT \
+      -F "required_pull_request_reviews[required_approving_review_count]=0" \
+      -F "enforce_admins=true" \
+      -F "restrictions=null" \
+      -F "required_status_checks=null" > /dev/null 2>&1
+    if [ $? -eq 0 ]; then
+      echo "  Protected: $repo"
+      FIXED=$((FIXED + 1))
+    else
+      echo "  FAILED: $repo"
+    fi
+  else
+    SKIPPED=$((SKIPPED + 1))
+  fi
+done
+
+echo ""
+echo "Results: $ALREADY already protected, $FIXED fixed, $SKIPPED skipped (no main branch or error)"
+echo "=== Branch protection audit complete: $(date) ==="

package/tools/ldm-jobs/crystal-capture.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Job: crystal-capture
+#
+# SOURCE OF TRUTH: memory-crystal-private/scripts/crystal-capture.sh
+# This copy is for LDM Dev Tools.app manual runs only.
+# The cron job runs from ~/.ldm/bin/crystal-capture.sh (installed via crystal init).
+# Memory Crystal does not depend on this app.
+#
+# If updating: update the source in memory-crystal-private first, then copy here.
+
+POLLER="$HOME/.ldm/extensions/memory-crystal/dist/cc-poller.js"
+NODE="/opt/homebrew/bin/node"
+
+if [ ! -f "$POLLER" ]; then
+  echo "ERROR: cc-poller not found at $POLLER"
+  exit 1
+fi
+
+$NODE "$POLLER" 2>&1

package/tools/ldm-jobs/setup-shell.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# setup-shell.sh ... Configure shell environment for LDM OS development.
+# Run once on a new machine. Idempotent (safe to re-run).
+
+set -euo pipefail
+
+echo "LDM OS shell setup"
+echo ""
+
+# ── tmux: enable mouse scrolling ──
+
+TMUX_CONF="$HOME/.tmux.conf"
+
+if [ -f "$TMUX_CONF" ] && grep -q "set -g mouse on" "$TMUX_CONF"; then
+  echo "[OK] tmux mouse scrolling already configured"
+else
+  echo "set -g mouse on" >> "$TMUX_CONF"
+  echo "[OK] tmux mouse scrolling enabled ($TMUX_CONF)"
+fi
+
+# Reload if tmux is running
+if command -v tmux &>/dev/null && tmux list-sessions &>/dev/null 2>&1; then
+  tmux source-file "$TMUX_CONF" 2>/dev/null && echo "[OK] tmux config reloaded" || true
+fi
+
+echo ""
+echo "Done. Shell environment configured."

package/tools/ldm-jobs/visibility-audit.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# visibility-audit.sh ... audit all public repos for missing -private counterparts
+# Runs via LDMDevTools.app cron job
+# Same pattern as branch-protect.sh
+
+echo "=== Visibility audit: $(date) ==="
+
+ORG="wipcomputer"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+HOOK_DIR="$SCRIPT_DIR/../wip-repo-permissions-hook"
+
+if [[ ! -f "$HOOK_DIR/cli.js" ]]; then
+  echo "Error: wip-repo-permissions-hook not found at $HOOK_DIR"
+  exit 1
+fi
+
+node "$HOOK_DIR/cli.js" audit "$ORG"
+EXIT_CODE=$?
+
+if [[ $EXIT_CODE -ne 0 ]]; then
+  echo ""
+  echo "VIOLATIONS FOUND. Some public repos lack -private counterparts."
+  echo "Run: node $HOOK_DIR/cli.js audit $ORG"
+fi
+
+echo "=== Done ==="
+exit $EXIT_CODE

package/tools/post-merge-rename/LICENSE

@@ -0,0 +1,52 @@
+Dual License: MIT + AGPLv3
+
+Copyright (c) 2026 WIP Computer, Inc.
+
+
+1. MIT License (local and personal use)
+---------------------------------------
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+2. GNU Affero General Public License v3.0 (commercial and cloud use)
+--------------------------------------------------------------------
+
+If you run this software as part of a hosted service, cloud platform,
+marketplace listing, or any network-accessible offering for commercial
+purposes, the AGPLv3 terms apply. You must either:
+
+  a) Release your complete source code under AGPLv3, or
+  b) Obtain a commercial license.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+
+AGPLv3 for personal use is free. Commercial licenses available.

package/tools/post-merge-rename/README.md

@@ -0,0 +1,29 @@
+###### WIP Computer
+
+# Post-Merge Branch Naming
+
+Cleans up after itself. Merged branches get renamed with dates automatically.
+
+## What it does
+
+- Scans for merged branches that haven't been renamed
+- Appends `--merged-YYYY-MM-DD` to preserve history
+- We never delete branches. We rename them.
+
+## Usage
+
+```bash
+bash post-merge-rename.sh
+```
+
+## Requirements
+
+- git
+- bash
+
+## Interfaces
+
+- **CLI**: Shell script
+- **Skill**: SKILL.md for agent instructions
+
+## Part of [AI DevOps Toolbox](https://github.com/wipcomputer/wip-ai-devops-toolbox)

package/tools/post-merge-rename/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: post-merge-rename
+description: Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.
+license: MIT
+interface: [cli, skill]
+metadata:
+  display-name: "Post-Merge Branch Naming"
+  version: "1.3.0"
+  homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
+  author: "Parker Todd Brooks"
+  category: dev-tools
+  capabilities:
+    - branch-rename
+    - history-preservation
+  requires:
+    bins: [git, bash]
+  openclaw:
+    requires:
+      bins: [git, bash]
+    emoji: "🏷️"
+compatibility: Requires git, bash.
+---
+
+# post-merge-rename
+
+Scans for merged branches that haven't been renamed and appends `--merged-YYYY-MM-DD` to preserve history. We never delete branches. We rename them.
+
+## When to Use This Skill
+
+**Use post-merge-rename for:**
+- After merging PRs, to rename the source branch
+- Cleaning up branches that were merged but not renamed
+- Runs automatically as step 10 of `wip-release`
+
+### Do NOT Use For
+
+- Unmerged branches
+- Branches you're currently working on
+
+## API Reference
+
+### CLI
+
+```bash
+bash scripts/post-merge-rename.sh              # scan + rename all merged branches
+bash scripts/post-merge-rename.sh --dry-run     # preview only
+bash scripts/post-merge-rename.sh <branch>      # rename specific branch
+```
+
+## What It Does
+
+1. Lists all local branches merged into main
+2. Skips branches already renamed (containing `--merged-`)
+3. Finds the merge date from git history
+4. Renames: `feature-branch` -> `feature-branch--merged-2026-03-09`
+5. Pushes the renamed branch to origin
+6. Deletes the old branch name from origin

package/tools/post-merge-rename/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@wipcomputer/post-merge-rename",
+  "version": "1.9.20",
+  "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
+  "bin": {
+    "post-merge-rename": "./post-merge-rename.sh"
+  },
+  "license": "MIT"
+}