@wipcomputer/wip-ai-devops-toolbox 1.9.20

package/tools/wip-repo-permissions-hook/cli.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+/**
+ * wip-repo-permissions-hook/cli.js
+ * CLI for repo visibility permissions.
+ *
+ * Usage:
+ *   wip-repo-permissions check <org/repo>      Check if repo can be public
+ *   wip-repo-permissions audit <org>            Audit all public repos
+ *   wip-repo-permissions can-publish <org/repo> Alias for check
+ */
+
+import { checkPrivateCounterpart, auditOrg } from './core.mjs';
+
+const args = process.argv.slice(2);
+const command = args[0];
+const target = args[1];
+
+function usage() {
+  console.log('wip-repo-permissions ... repo visibility guard\n');
+  console.log('Usage:');
+  console.log('  wip-repo-permissions check <org/repo>       Check if repo can be made public');
+  console.log('  wip-repo-permissions audit <org>             Audit all public repos in org');
+  console.log('  wip-repo-permissions can-publish <org/repo>  Alias for check');
+  console.log('\nExamples:');
+  console.log('  wip-repo-permissions check wipcomputer/wip-bridge');
+  console.log('  wip-repo-permissions audit wipcomputer');
+  process.exit(1);
+}
+
+if (!command || !target) usage();
+
+switch (command) {
+  case 'check':
+  case 'can-publish': {
+    const parts = target.split('/');
+    if (parts.length !== 2) {
+      console.error('Error: target must be org/repo (e.g. wipcomputer/memory-crystal)');
+      process.exit(1);
+    }
+    const [org, repo] = parts;
+    const result = checkPrivateCounterpart(org, repo);
+
+    if (result.allowed) {
+      console.log(`  OK: ${result.reason}`);
+      process.exit(0);
+    } else {
+      console.error(`  ${result.reason}`);
+      process.exit(1);
+    }
+    break;
+  }
+
+  case 'audit': {
+    const org = target;
+    console.log(`\nAuditing public repos in ${org}...\n`);
+
+    const { violations, ok } = auditOrg(org);
+
+    if (ok.length > 0) {
+      console.log(`  Compliant (${ok.length}):`);
+      for (const r of ok) {
+        console.log(`    OK  ${r.name}`);
+      }
+      console.log('');
+    }
+
+    if (violations.length > 0) {
+      console.log(`  VIOLATIONS (${violations.length}):`);
+      for (const v of violations) {
+        console.log(`    !!  ${v.name} ... no -private counterpart`);
+      }
+      console.log('');
+      console.error(`  ${violations.length} repo(s) are public without a -private counterpart.`);
+      process.exit(1);
+    } else {
+      console.log('  All public repos have -private counterparts (or are exempt forks).');
+      process.exit(0);
+    }
+  }
+
+  default:
+    usage();
+}

package/tools/wip-repo-permissions-hook/core.mjs

@@ -0,0 +1,122 @@
+/**
+ * wip-repo-permissions-hook/core.mjs
+ * Pure logic for repo visibility permissions.
+ * Blocks repos from going public without a -private counterpart.
+ * Zero dependencies. Uses gh CLI for GitHub API calls.
+ */
+
+import { execFileSync } from 'node:child_process';
+
+/**
+ * Check if a repo has a -private counterpart on GitHub.
+ * @param {string} org - GitHub org (e.g. "wipcomputer")
+ * @param {string} repoName - Repo name (e.g. "memory-crystal")
+ * @returns {{ allowed: boolean, reason: string }}
+ */
+export function checkPrivateCounterpart(org, repoName) {
+  // If the repo itself IS the private repo, allow
+  if (repoName.endsWith('-private')) {
+    return { allowed: true, reason: `${repoName} is already a private repo.` };
+  }
+
+  // Check if it's a fork (forks of external projects are exempt)
+  const forkStatus = isThirdPartyFork(org, repoName);
+  if (forkStatus.isFork) {
+    return { allowed: true, reason: `${repoName} is a fork of ${forkStatus.parent}. Forks are exempt.` };
+  }
+
+  // Check if -private counterpart exists
+  const privateName = `${repoName}-private`;
+  try {
+    execFileSync('gh', ['api', `repos/${org}/${privateName}`, '--jq', '.name'], {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10000,
+    });
+    return { allowed: true, reason: `${privateName} exists. ${repoName} can be public.` };
+  } catch {
+    return {
+      allowed: false,
+      reason: `BLOCKED: ${org}/${repoName} cannot be made public. No -private counterpart found (expected ${org}/${privateName}). Create the -private repo first, move all ai/ content there, then make this repo public.`,
+    };
+  }
+}
+
+/**
+ * Check if a repo is a fork of an external project.
+ * @param {string} org
+ * @param {string} repoName
+ * @returns {{ isFork: boolean, parent: string }}
+ */
+export function isThirdPartyFork(org, repoName) {
+  try {
+    const json = execFileSync('gh', ['api', `repos/${org}/${repoName}`, '--jq', '{fork: .fork, parent: .parent.full_name}'], {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10000,
+    });
+    const data = JSON.parse(json);
+    if (data.fork && data.parent && !data.parent.startsWith(`${org}/`)) {
+      return { isFork: true, parent: data.parent };
+    }
+    return { isFork: false, parent: '' };
+  } catch {
+    return { isFork: false, parent: '' };
+  }
+}
+
+/**
+ * Audit all public repos in an org for missing -private counterparts.
+ * @param {string} org
+ * @returns {{ violations: Array<{name: string, reason: string}>, ok: Array<{name: string, reason: string}> }}
+ */
+export function auditOrg(org) {
+  // Get all public repos
+  let repos;
+  try {
+    const json = execFileSync('gh', [
+      'repo', 'list', org,
+      '--visibility', 'public',
+      '--json', 'name',
+      '--limit', '200',
+    ], { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 30000 });
+    repos = JSON.parse(json);
+  } catch (e) {
+    throw new Error(`Failed to list repos for ${org}: ${e.message}`);
+  }
+
+  const violations = [];
+  const ok = [];
+
+  for (const repo of repos) {
+    const result = checkPrivateCounterpart(org, repo.name);
+    if (result.allowed) {
+      ok.push({ name: repo.name, reason: result.reason });
+    } else {
+      violations.push({ name: repo.name, reason: result.reason });
+    }
+  }
+
+  return { violations, ok };
+}
+
+/**
+ * Extract repo org/name from a gh command string.
+ * Looks for patterns like: gh repo edit wipcomputer/repo-name --visibility public
+ * @param {string} command
+ * @returns {{ org: string, repo: string, isVisibilityChange: boolean } | null}
+ */
+export function parseVisibilityCommand(command) {
+  // Match: gh repo edit <org/repo> ... --visibility public
+  const editMatch = command.match(/gh\s+repo\s+edit\s+([^\s]+)/);
+  if (!editMatch) return null;
+
+  const visibilityMatch = command.match(/--visibility\s+(public|private|internal)/);
+  if (!visibilityMatch || visibilityMatch[1] !== 'public') return null;
+
+  const slug = editMatch[1];
+  const parts = slug.split('/');
+  if (parts.length !== 2) return null;
+
+  return { org: parts[0], repo: parts[1], isVisibilityChange: true };
+}

package/tools/wip-repo-permissions-hook/guard.mjs

@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+/**
+ * wip-repo-permissions-hook/guard.mjs
+ * PreToolUse:Bash hook for Claude Code.
+ * Blocks `gh repo edit --visibility public` unless -private counterpart exists.
+ * Same pattern as wip-file-guard/guard.mjs.
+ */
+
+import { parseVisibilityCommand, checkPrivateCounterpart } from './core.mjs';
+
+function deny(reason) {
+  const output = {
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  };
+  process.stdout.write(JSON.stringify(output));
+}
+
+async function main() {
+  let raw = '';
+  for await (const chunk of process.stdin) {
+    raw += chunk;
+  }
+
+  let input;
+  try {
+    input = JSON.parse(raw);
+  } catch {
+    // Can't parse input, allow by default
+    process.exit(0);
+  }
+
+  const toolName = input.tool_name || '';
+  const toolInput = input.tool_input || {};
+
+  // Only check Bash commands
+  if (toolName !== 'Bash') {
+    process.exit(0);
+  }
+
+  const command = toolInput.command || '';
+
+  // Only check commands that look like visibility changes
+  const parsed = parseVisibilityCommand(command);
+  if (!parsed) {
+    process.exit(0);
+  }
+
+  // Check if the repo can be made public
+  const result = checkPrivateCounterpart(parsed.org, parsed.repo);
+
+  if (!result.allowed) {
+    deny(result.reason);
+    process.exit(0);
+  }
+
+  // Allowed
+  process.exit(0);
+}
+
+main().catch(() => process.exit(0));

package/tools/wip-repo-permissions-hook/mcp-server.mjs

@@ -0,0 +1,92 @@
+#!/usr/bin/env node
+// wip-repo-permissions-hook/mcp-server.mjs
+// MCP server exposing repo visibility guard as tools.
+// Wraps core.mjs. Registered via .mcp.json.
+
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import {
+  checkPrivateCounterpart, auditOrg,
+} from './core.mjs';
+
+const server = new Server(
+  { name: 'wip-repo-permissions', version: '1.0.0' },
+  { capabilities: { tools: {} } }
+);
+
+// ── Tool Definitions ──
+
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools: [
+    {
+      name: 'repo_permissions_check',
+      description: 'Check if a repo has a -private counterpart on GitHub. Required before making any repo public.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          org: { type: 'string', description: 'GitHub org (e.g. wipcomputer)' },
+          repo: { type: 'string', description: 'Repo name (e.g. memory-crystal)' },
+        },
+        required: ['org', 'repo'],
+      },
+    },
+    {
+      name: 'repo_permissions_audit',
+      description: 'Audit all public repos in a GitHub org for missing -private counterparts. Returns violations and passing repos.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          org: { type: 'string', description: 'GitHub org (e.g. wipcomputer)' },
+        },
+        required: ['org'],
+      },
+    },
+  ],
+}));
+
+// ── Tool Handlers ──
+
+server.setRequestHandler(CallToolRequestSchema, async (req) => {
+  const { name, arguments: args } = req.params;
+
+  try {
+    if (name === 'repo_permissions_check') {
+      const result = checkPrivateCounterpart(args.org, args.repo);
+      return {
+        content: [{
+          type: 'text',
+          text: `${result.allowed ? 'ALLOWED' : 'BLOCKED'}: ${result.reason}`,
+        }],
+      };
+    }
+
+    if (name === 'repo_permissions_audit') {
+      const result = auditOrg(args.org);
+      const lines = [];
+      if (result.violations.length > 0) {
+        lines.push(`${result.violations.length} violation(s):`);
+        for (const v of result.violations) {
+          lines.push(`  BLOCKED: ${v.name} - ${v.reason}`);
+        }
+      }
+      lines.push(`${result.ok.length} repo(s) OK.`);
+      return {
+        content: [{ type: 'text', text: lines.join('\n') }],
+      };
+    }
+
+    return {
+      content: [{ type: 'text', text: `Unknown tool: ${name}` }],
+      isError: true,
+    };
+  } catch (err) {
+    return {
+      content: [{ type: 'text', text: `Error: ${err.message}` }],
+      isError: true,
+    };
+  }
+});
+
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/tools/wip-repo-permissions-hook/openclaw.plugin.json

@@ -0,0 +1,8 @@
+{
+  "name": "wip-repo-permissions-hook",
+  "version": "1.0.0",
+  "description": "Blocks repos from going public without a -private counterpart. Protects internal plans, todos, and dev context from exposure.",
+  "lifecycle": {
+    "before_tool_use": "./guard.mjs"
+  }
+}

package/tools/wip-repo-permissions-hook/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "@wipcomputer/wip-repo-permissions-hook",
+  "version": "1.9.20",
+  "type": "module",
+  "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
+  "main": "core.mjs",
+  "bin": {
+    "wip-repo-permissions": "./cli.js"
+  },
+  "scripts": {
+    "test": "bash test.sh"
+  },
+  "keywords": [
+    "claude-code",
+    "openclaw",
+    "hook",
+    "repo-guard",
+    "visibility",
+    "ai-safety",
+    "pretooluse"
+  ],
+  "author": "Parker Todd Brooks",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/wipcomputer/wip-ai-devops-toolbox.git"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  }
+}

package/tools/wip-repos/LICENSE

@@ -0,0 +1,52 @@
+Dual License: MIT + AGPLv3
+
+Copyright (c) 2026 WIP Computer, Inc.
+
+
+1. MIT License (local and personal use)
+---------------------------------------
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+2. GNU Affero General Public License v3.0 (commercial and cloud use)
+--------------------------------------------------------------------
+
+If you run this software as part of a hosted service, cloud platform,
+marketplace listing, or any network-accessible offering for commercial
+purposes, the AGPLv3 terms apply. You must either:
+
+  a) Release your complete source code under AGPLv3, or
+  b) Obtain a commercial license.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+
+AGPLv3 for personal use is free. Commercial licenses available.

package/tools/wip-repos/README.md

@@ -0,0 +1,77 @@
+###### WIP Computer
+
+[![npm](https://img.shields.io/npm/v/@wipcomputer/wip-repos)](https://www.npmjs.com/package/@wipcomputer/wip-repos) [![CLI / TUI](https://img.shields.io/badge/interface-CLI_/_TUI-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-repos/cli.mjs) [![MCP Server](https://img.shields.io/badge/interface-MCP_Server-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-repos/mcp-server.mjs) [![Claude Code Skill](https://img.shields.io/badge/interface-Claude_Code_Skill-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-repos/SKILL.md) [![Universal Interface Spec](https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-universal-installer/SPEC.md)
+
+# wip-repos
+
+Repo manifest reconciler. Single source of truth for repo organization.
+
+## The Problem
+
+You have 50 repos. Someone moves a folder. The README drifts. The manifest drifts. Your AI agent references a path that doesn't exist anymore. Everyone wastes time.
+
+## The Solution
+
+`repos-manifest.json` is the single source of truth. The filesystem adapts to it. Like prettier for folder structure.
+
+Move folders around all day. On sync, everything snaps back to where the manifest says it belongs. Want to change the structure? PR to the manifest. Org owner approves or rejects. Rejected? Your folders snap back on next sync.
+
+## Usage
+
+```bash
+# Check for drift between filesystem and manifest
+wip-repos check
+
+# See what sync would do
+wip-repos sync --dry-run
+
+# Actually move folders to match manifest
+wip-repos sync
+
+# Add a new repo
+wip-repos add ldm-os/utilities/my-tool --remote wipcomputer/my-tool
+
+# Move a repo to a different category
+wip-repos move ldm-os/utilities/my-tool --to ldm-os/devops/my-tool
+
+# Generate directory tree from manifest
+wip-repos tree
+```
+
+## Options
+
+```
+--manifest   Path to repos-manifest.json (default: ./repos-manifest.json)
+--root       Path to repos root directory (default: directory containing manifest)
+--dry-run    Show what would happen without making changes
+--json       Output as JSON
+```
+
+## How It Works
+
+1. **check** walks the filesystem, finds all git repos, compares against the manifest. Reports what's on disk but not in manifest, and what's in manifest but not on disk. Exit code 1 if drift detected.
+
+2. **sync** matches repos by their git remote URL. If a repo's remote matches a manifest entry but it's at the wrong path, sync moves it to the manifest path.
+
+3. **add/move** update the manifest file. The actual folder moves happen on the next `sync`.
+
+## Integration
+
+- `deploy-public` and `wip-release` can call `wip-repos check` before running. Stale manifest blocks deploys.
+- CI: run `wip-repos check` as a PR check. Drift = blocked merge.
+- README generation: `wip-repos tree` outputs a directory tree from the manifest.
+
+## Source
+
+Pure JavaScript. Zero dependencies. `core.mjs` (logic), `cli.mjs` (CLI). No build step.
+
+## License
+
+```
+CLI, MCP server, module                        MIT    (use anywhere, no restrictions)
+Hosted or cloud service use                    AGPL   (network service distribution)
+```
+
+AGPL for personal use is free.
+
+Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).

package/tools/wip-repos/SKILL.md

@@ -0,0 +1,80 @@
+---
+name: wip-repos
+description: Repo manifest reconciler. Makes repos-manifest.json the single source of truth for repo organization.
+license: MIT
+interface: [cli, module, mcp]
+metadata:
+  display-name: "Repo Manifest Reconciler"
+  version: "0.1.0"
+  homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
+  author: "Parker Todd Brooks"
+  category: dev-tools
+  capabilities:
+    - manifest-check
+    - filesystem-sync
+    - repo-add
+    - repo-move
+    - tree-generation
+  requires:
+    bins: [node, git]
+  openclaw:
+    requires:
+      bins: [node, git]
+    install:
+      - id: node
+        kind: node
+        package: "@wipcomputer/wip-repos"
+        bins: [wip-repos]
+        label: "Install via npm"
+    emoji: "📂"
+compatibility: Requires git, node. Node.js 18+.
+---
+
+# wip-repos
+
+Repo manifest reconciler. Like prettier for folder structure. Move folders around all day; on sync, everything snaps back to where the manifest says.
+
+## When to Use This Skill
+
+**Use wip-repos for:**
+- Checking if the filesystem matches the manifest (`check`)
+- Moving repos to match the manifest (`sync`)
+- Adding a new repo to the manifest (`add`)
+- Moving a repo in the manifest (`move`)
+- Generating a directory tree from the manifest (`tree`)
+
+**Use after:**
+- Cloning a new repo
+- Moving repos between categories
+- Adding new repos to the org
+
+### Do NOT Use For
+
+- Git operations (use git directly)
+- Repo creation on GitHub (use gh)
+
+## API Reference
+
+### CLI
+
+```bash
+wip-repos check                              # diff filesystem vs manifest
+wip-repos sync --dry-run                     # preview moves
+wip-repos sync                               # execute moves
+wip-repos add ldm-os/utilities/new-tool --remote wipcomputer/new-tool
+wip-repos move ldm-os/utilities/tool --to ldm-os/devops/tool
+wip-repos tree                               # generate directory tree
+```
+
+### Module
+
+```javascript
+import { check, planSync, addRepo, moveRepo, generateReadmeTree } from '@wipcomputer/wip-repos';
+
+const result = check('/path/to/manifest.json', '/path/to/repos/');
+const moves = planSync('/path/to/manifest.json', '/path/to/repos/');
+```
+
+### MCP
+
+Tools: `repos_check`, `repos_sync_plan`, `repos_add`, `repos_move`, `repos_tree`