@wipcomputer/wip-ai-devops-toolbox 1.9.20

package/TECHNICAL.md

@@ -0,0 +1,282 @@
+###### WIP Computer
+
+# AI DevOps Toolbox
+
+## Want your AI to dev? Here's the full system.
+
+Your AI writes code. But does it know how to release it? Check license compliance? Sync private repos to public ones? Follow a real development process?
+
+**AI DevOps Toolbox** is a collection of battle-tested tools for AI-assisted software development. Built by a team of humans and AIs shipping real software together.
+
+Used internally to manage 100+ repos, 200+ releases, and daily license compliance across the [wipcomputer](https://github.com/wipcomputer) org. These tools run in production every day.
+
+**Real-world example:** [wip-universal-installer](tools/wip-universal-installer/) ships its releases entirely through wip-release. 6 releases, v2.1.5, changelog and GitHub releases all generated automatically.
+
+## Quick Start
+
+```bash
+# Install LDM OS (shared infrastructure for all your AI tools)
+npm install -g @wipcomputer/wip-ldm-os
+ldm init
+
+# Preview what will be installed (12 tools, 39+ interfaces)
+ldm install wipcomputer/wip-ai-devops-toolbox --dry-run
+
+# Install everything
+ldm install wipcomputer/wip-ai-devops-toolbox
+
+# Verify
+ldm doctor
+```
+
+## Tools
+
+### wip-universal-installer
+
+The Universal Interface specification for agent-native software. Defines how every tool ships six interfaces: CLI, importable module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook. Includes a reference installer and a minimal example template.
+
+```bash
+# Detect what interfaces a repo supports
+wip-install /path/to/repo --dry-run
+
+# Install a tool from GitHub
+wip-install wipcomputer/wip-file-guard
+```
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-universal-installer/detect.mjs`](tools/wip-universal-installer/detect.mjs) (detection), [`tools/wip-universal-installer/install.js`](tools/wip-universal-installer/install.js) (installer). Zero dependencies.
+
+[README](tools/wip-universal-installer/README.md) ... [SKILL.md](tools/wip-universal-installer/SKILL.md) ... [SPEC.md](tools/wip-universal-installer/SPEC.md) ... [Reference](tools/wip-universal-installer/REFERENCE.md)
+
+Also available as `UNIVERSAL-INTERFACE.md` at the repo root.
+
+### Dev Guide
+
+Best practices for AI-assisted development teams. Covers release process, repo structure, the `ai/` folder convention, branch protection, private/public repo patterns, post-merge branch renaming, repo directory structure, Cloudflare Workers deploy guards, and more.
+
+[Read the Dev Guide](DEV-GUIDE-GENERAL-PUBLIC.md)
+
+### LDM Dev Tools.app
+
+macOS automation wrapper. A native `.app` bundle that runs scheduled jobs (backup, branch protection audit, etc.) with Full Disk Access. One app to grant permissions to, one place to add new automation.
+
+**Source:** Job scripts are plain shell, committed at [`tools/ldm-jobs/`](tools/ldm-jobs/):
+
+| Script | What it does |
+|--------|-------------|
+| [`backup.sh`](tools/ldm-jobs/backup.sh) | Daily backup |
+| [`branch-protect.sh`](tools/ldm-jobs/branch-protect.sh) | Audit and enforce branch protection across all org repos |
+| [`visibility-audit.sh`](tools/ldm-jobs/visibility-audit.sh) | Audit public repos for missing -private counterparts |
+
+Scripts can be run standalone without the `.app`. The app provides a Full Disk Access wrapper for scripts that need it.
+
+```bash
+# Run standalone
+bash tools/ldm-jobs/backup.sh
+bash tools/ldm-jobs/branch-protect.sh
+bash tools/ldm-jobs/visibility-audit.sh
+
+# Or via the app wrapper
+open -W ~/Applications/LDMDevTools.app --args backup
+open -W ~/Applications/LDMDevTools.app --args branch-protect
+open -W ~/Applications/LDMDevTools.app --args visibility-audit
+```
+
+[README](tools/ldm-jobs/README.md)
+
+**Setup:** Drag `LDMDevTools.app` into System Settings > Privacy & Security > Full Disk Access. Then schedule via cron:
+
+```bash
+# Daily backup at midnight, branch protection audit at 1 AM, visibility audit at 2 AM
+0 0 * * * open -W ~/Applications/LDMDevTools.app --args backup >> /tmp/ldm-dev-tools/cron.log 2>&1
+0 1 * * * open -W ~/Applications/LDMDevTools.app --args branch-protect >> /tmp/ldm-dev-tools/cron.log 2>&1
+0 2 * * * open -W ~/Applications/LDMDevTools.app --args visibility-audit >> /tmp/ldm-dev-tools/cron.log 2>&1
+```
+
+Logs: `/tmp/ldm-dev-tools/`
+
+### wip-release
+
+One-command release pipeline. Version bump, changelog, SKILL.md sync, npm publish, GitHub release. All in one shot. Release notes live on the branch so you review them in the PR before they go live.
+
+```bash
+wip-release patch --notes="description of what was built and why"
+wip-release minor                               # auto-detects RELEASE-NOTES-v{version}.md
+wip-release major --dry-run
+```
+
+**Release notes convention:** Write `RELEASE-NOTES-v{version}.md` (e.g. `RELEASE-NOTES-v1-6-0.md`) on your feature branch. It shows up in the PR diff for review. On release, wip-release auto-detects the file and uses it as the GitHub release body. One file, renamed each release. Warns when notes are missing, too short, or look like changelog entries instead of narrative.
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-release/cli.js`](tools/wip-release/cli.js) (entry point), [`tools/wip-release/core.mjs`](tools/wip-release/core.mjs) (main logic). Zero dependencies.
+
+[README](tools/wip-release/README.md) ... [SKILL.md](tools/wip-release/SKILL.md) ... [Reference](tools/wip-release/REFERENCE.md)
+
+### wip-license-hook
+
+License rug-pull detection. Scans every dependency and fork for license changes. Pre-pull hook blocks merges if a license changed upstream. Pre-push hook alerts. Daily cron scan. Generates a public compliance dashboard.
+
+```bash
+wip-license-hook scan
+wip-license-hook audit
+```
+
+**Source:** TypeScript. All source in [`tools/wip-license-hook/src/`](tools/wip-license-hook/src/):
+
+| File | What it does |
+|------|-------------|
+| `src/cli/index.ts` | CLI entry point |
+| `src/core/scanner.ts` | Dependency scanning (npm, pip, cargo, go, forks) |
+| `src/core/detector.ts` | License text fingerprinting |
+| `src/core/ledger.ts` | Ledger persistence and snapshots |
+| `src/core/reporter.ts` | Reporting and dashboard HTML generation |
+
+[README](tools/wip-license-hook/README.md) ... [SKILL.md](tools/wip-license-hook/SKILL.md)
+
+### wip-repo-permissions-hook
+
+Repo visibility guard. Blocks repos from going public without a `-private` counterpart. Works as a CLI, Claude Code hook, and OpenClaw plugin. Catches accidental exposure of internal plans, todos, and development context.
+
+```bash
+# Check a single repo
+wip-repo-permissions check wipcomputer/memory-crystal
+# -> OK: memory-crystal-private exists
+
+# Audit all public repos in org
+wip-repo-permissions audit wipcomputer
+# -> Lists violations, exit code 1 if any found
+```
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-repo-permissions-hook/core.mjs`](tools/wip-repo-permissions-hook/core.mjs) (logic), [`tools/wip-repo-permissions-hook/cli.js`](tools/wip-repo-permissions-hook/cli.js) (CLI), [`tools/wip-repo-permissions-hook/guard.mjs`](tools/wip-repo-permissions-hook/guard.mjs) (Claude Code hook). Zero dependencies.
+
+[README](tools/wip-repo-permissions-hook/README.md) ... [SKILL.md](tools/wip-repo-permissions-hook/SKILL.md)
+
+### post-merge-rename.sh
+
+Post-merge branch renaming. Scans for merged branches that haven't been renamed, appends `--merged-YYYY-MM-DD` to preserve history. Runs automatically as part of `wip-release`, or standalone.
+
+**Source:** Plain shell. [`scripts/post-merge-rename.sh`](scripts/post-merge-rename.sh)
+
+```bash
+bash scripts/post-merge-rename.sh              # scan + rename all
+bash scripts/post-merge-rename.sh --dry-run     # preview only
+bash scripts/post-merge-rename.sh <branch>      # rename specific branch
+```
+
+### wip-file-guard
+
+Hook that blocks destructive edits to protected identity files. Works with Claude Code CLI and OpenClaw. Protects CLAUDE.md, SHARED-CONTEXT.md, SOUL.md, IDENTITY.md, MEMORY.md, and pattern-matched memory/journal files.
+
+Two rules: block `Write` on protected files entirely, block `Edit` when removing more than 2 lines or replacing more than 4 lines.
+
+```bash
+# List protected files
+wip-file-guard --list
+```
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-file-guard/guard.mjs`](tools/wip-file-guard/guard.mjs) (single file, all logic). Zero dependencies.
+
+[README](tools/wip-file-guard/README.md) ... [SKILL.md](tools/wip-file-guard/SKILL.md) ... [Reference](tools/wip-file-guard/REFERENCE.md)
+
+### deploy-public.sh
+
+Private-to-public repo sync. Copies everything except `ai/` from your working repo to the public mirror. Creates a PR, merges it. One script for all repos.
+
+**Source:** Plain shell. [`scripts/deploy-public.sh`](scripts/deploy-public.sh)
+
+```bash
+bash scripts/deploy-public.sh /path/to/private-repo wipcomputer/public-repo
+```
+
+### wip-repos
+
+Repo manifest reconciler. Makes `repos-manifest.json` the single source of truth for repo organization. Like prettier for folder structure. Move folders around all day; on sync, everything snaps back to where the manifest says.
+
+```bash
+# Check for drift
+wip-repos check
+
+# Sync filesystem to match manifest
+wip-repos sync --dry-run
+
+# Add a repo
+wip-repos add ldm-os/utilities/my-tool --remote wipcomputer/my-tool
+
+# Move a repo in the manifest
+wip-repos move ldm-os/utilities/my-tool --to ldm-os/devops/my-tool
+
+# Generate directory tree
+wip-repos tree
+```
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-repos/core.mjs`](tools/wip-repos/core.mjs) (logic), [`tools/wip-repos/cli.mjs`](tools/wip-repos/cli.mjs) (CLI). Zero dependencies.
+
+[README](tools/wip-repos/README.md)
+
+## Source Code
+
+All implementation source is committed in this repo. No closed binaries, no mystery boxes.
+
+| Tool | Language | Source location | Build step? |
+|------|----------|----------------|-------------|
+| Dev Guide | Markdown | `DEV-GUIDE-GENERAL-PUBLIC.md` | None. |
+| LDM Dev Tools jobs | Shell | `tools/ldm-jobs/backup.sh`, `branch-protect.sh`, `visibility-audit.sh` | None. Runnable standalone or via `.app` wrapper. |
+| wip-release | JavaScript (ESM) | `tools/wip-release/cli.js`, `core.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
+| wip-license-hook | TypeScript | `tools/wip-license-hook/src/**/*.ts`, `mcp-server.mjs` | `cd tools/wip-license-hook && npm install && npm run build` |
+| wip-license-guard | JavaScript (ESM) | `tools/wip-license-guard/cli.mjs`, `core.mjs` | None. What you see is what runs. |
+| wip-repo-permissions-hook | JavaScript (ESM) | `tools/wip-repo-permissions-hook/core.mjs`, `cli.js`, `guard.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
+| post-merge-rename.sh | Shell | `scripts/post-merge-rename.sh` | None. |
+| wip-file-guard | JavaScript (ESM) | `tools/wip-file-guard/guard.mjs` | None. What you see is what runs. |
+| wip-branch-guard | JavaScript (ESM) | `tools/wip-branch-guard/guard.mjs` | None. What you see is what runs. |
+| wip-universal-installer | JavaScript (ESM) | `tools/wip-universal-installer/detect.mjs`, `install.js` | None. What you see is what runs. |
+| deploy-public.sh | Shell | `scripts/deploy-public.sh` | None. |
+| wip-repos | JavaScript (ESM) | `tools/wip-repos/core.mjs`, `cli.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
+| wip-repo-init | JavaScript (ESM) | `tools/wip-repo-init/init.mjs` | None. What you see is what runs. |
+| wip-readme-format | JavaScript (ESM) | `tools/wip-readme-format/format.mjs` | None. What you see is what runs. |
+
+Previously standalone tools (wip-release, wip-license-hook, wip-file-guard, wip-universal-installer) were merged here. The standalone repos redirect to this one.
+
+### Private/Public Repo Pattern
+
+Development happens in private repos (with `ai/` folders for internal notes, plans, dev updates). When publishing, `deploy-public.sh` syncs everything except `ai/` to the public repo. Source files are always committed. Compiled output (`dist/`) is gitignored and only published to npm.
+
+## Development
+
+### wip-license-hook (TypeScript)
+
+```bash
+cd tools/wip-license-hook
+npm install
+npm run build          # compiles src/ -> dist/
+node dist/cli/index.js scan   # test locally
+```
+
+### wip-release (JavaScript)
+
+No build step needed. Edit `cli.js` or `core.mjs` and test directly:
+
+```bash
+cd tools/wip-release
+node cli.js --dry-run patch --notes="test"
+```
+
+## Install
+
+Tell your AI:
+
+```
+Read the SKILL.md at github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/SKILL.md.
+Then explain what these tools do and help me set them up.
+```
+
+Or install individually:
+
+```bash
+npm install -g @wipcomputer/wip-release
+npm install -g @wipcomputer/wip-license-hook
+npm install -g @wipcomputer/wip-file-guard
+npm install -g @wipcomputer/universal-installer
+npm install -g @wipcomputer/wip-repos
+```
+
+## License
+
+MIT. Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code CLI (Claude Opus 4.6).

package/UNIVERSAL-INTERFACE.md

@@ -0,0 +1,180 @@
+# The Universal Interface Specification
+
+Every tool is a sensor, an actuator, or both. Every tool should be accessible through multiple interfaces. We call this the Universal Interface.
+
+This is the spec.
+
+## The Six Interfaces
+
+### 1. CLI
+
+A shell command. The most universal interface. If it has a terminal, it works.
+
+**Convention:** `package.json` with a `bin` field.
+
+**Detection:** `pkg.bin` exists.
+
+**Install:** `npm install -g .` or `npm link`.
+
+```json
+{
+  "bin": {
+    "wip-grok": "./cli.mjs"
+  }
+}
+```
+
+### 2. Module
+
+An importable ES module. The programmatic interface. Other tools compose with it.
+
+**Convention:** `package.json` with `main` or `exports` field. File is `core.mjs` by convention.
+
+**Detection:** `pkg.main` or `pkg.exports` exists.
+
+**Install:** `npm install <package>` or import directly from path.
+
+```json
+{
+  "type": "module",
+  "main": "core.mjs",
+  "exports": {
+    ".": "./core.mjs",
+    "./cli": "./cli.mjs"
+  }
+}
+```
+
+### 3. MCP Server
+
+A JSON-RPC server implementing the Model Context Protocol. Any MCP-compatible agent can use it.
+
+**Convention:** `mcp-server.mjs` (or `.js`, `.ts`) at the repo root. Uses `@modelcontextprotocol/sdk`.
+
+**Detection:** One of `mcp-server.mjs`, `mcp-server.js`, `mcp-server.ts`, `dist/mcp-server.js` exists.
+
+**Install:** Add to `.mcp.json`:
+
+```json
+{
+  "tool-name": {
+    "command": "node",
+    "args": ["/path/to/mcp-server.mjs"]
+  }
+}
+```
+
+### 4. OpenClaw Plugin
+
+A plugin for OpenClaw agents. Lifecycle hooks, tool registration, settings.
+
+**Convention:** `openclaw.plugin.json` at the repo root.
+
+**Detection:** `openclaw.plugin.json` exists.
+
+**Install:** Copy to `~/.openclaw/extensions/<name>/`, run `npm install --omit=dev`.
+
+### 5. Skill (SKILL.md)
+
+A markdown file that teaches agents when and how to use the tool. The instruction interface.
+
+**Convention:** `SKILL.md` at the repo root. YAML frontmatter with name, version, description, metadata.
+
+**Detection:** `SKILL.md` exists.
+
+**Install:** Referenced by path. Agents read it when they need the tool.
+
+```yaml
+---
+name: wip-grok
+version: 1.0.0
+description: xAI Grok API. Search the web, search X, generate images.
+metadata:
+  category: search,media
+  capabilities:
+    - web-search
+    - image-generation
+---
+```
+
+### 6. Claude Code Hook
+
+A hook that runs during Claude Code's tool lifecycle (PreToolUse, Stop, etc.).
+
+**Convention:** `guard.mjs` at repo root, or `claudeCode.hook` in `package.json`.
+
+**Detection:** `guard.mjs` exists, or `pkg.claudeCode.hook` is defined.
+
+**Install:** Added to `~/.claude/settings.json` under `hooks`.
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Edit|Write",
+      "hooks": [{
+        "type": "command",
+        "command": "node /path/to/guard.mjs",
+        "timeout": 5
+      }]
+    }]
+  }
+}
+```
+
+## Architecture
+
+Every repo that follows this spec has the same basic structure:
+
+```
+your-tool/
+  core.mjs            pure logic, zero or minimal deps
+  cli.mjs             thin CLI wrapper around core
+  mcp-server.mjs      MCP server wrapping core functions as tools
+  SKILL.md            agent instructions with YAML frontmatter
+  package.json         name, bin, main, exports, type: module
+  README.md            human documentation
+  ai/                  development process (plans, todos, notes)
+```
+
+Not every tool needs all six interfaces. Build the ones that make sense.
+
+The minimum viable agent-native tool has two interfaces: **Module** (importable) and **Skill** (agent instructions). Add CLI for humans. Add MCP for agents that speak MCP. Add OpenClaw/CC Hook for specific platforms.
+
+## The `ai/` Folder
+
+Every repo should have an `ai/` folder. This is where agents and humans collaborate on the project ... plans, todos, dev updates, research notes, conversations.
+
+```
+ai/
+  plan/              architecture plans, roadmaps
+  dev-updates/       what was built, session logs
+  todos/
+    PUNCHLIST.md     blockers to ship
+    inboxes/         per-agent action items
+  notes/             research, references, raw conversation logs
+```
+
+The `ai/` folder is the development process. It is not part of the published product.
+
+**Public/private split:** If a repo is public, the `ai/` folder should not ship. The recommended pattern is to maintain a private working repo (with `ai/`) and a public repo (everything except `ai/`). The public repo has everything an LLM or human needs to understand and use the tool. The `ai/` folder is operational context for the team building it.
+
+## The Reference Installer
+
+`wip-install` is the reference implementation. It scans a repo, detects which interfaces exist, and installs them all. One command.
+
+```bash
+wip-install /path/to/repo          # local
+wip-install org/repo               # from GitHub
+wip-install --dry-run /path/to/repo # detect only
+wip-install --json /path/to/repo    # JSON output
+```
+
+## Examples
+
+| Repo | Interfaces | Type |
+|------|------------|------|
+| [wip-grok](https://github.com/wipcomputer/wip-grok) | CLI + Module + MCP + Skill | Sensor + Actuator |
+| [wip-x](https://github.com/wipcomputer/wip-x) | CLI + Module + MCP + Skill | Sensor + Actuator |
+| [wip-file-guard](https://github.com/wipcomputer/wip-file-guard) | CLI + OpenClaw + CC Hook | Actuator |
+| [wip-markdown-viewer](https://github.com/wipcomputer/wip-markdown-viewer) | CLI + Module | Actuator |

package/_trash/RELEASE-NOTES-v1-8-0.md

@@ -0,0 +1,29 @@
+# v1.8.0: Fix CC Hook duplicates, add GitHub Issues convention
+
+## CC Hook duplicate detection fix
+
+`wip-install` was adding duplicate PreToolUse hooks to `~/.claude/settings.json` every time it ran. After a few installs, there were 8 hooks when there should have been 2. The duplicates pointed to repo clones and `/tmp/` paths, violating the "never run tools from repo clones" rule.
+
+The root cause: duplicate detection compared exact command strings. The same `guard.mjs` installed from different paths produced different strings, so each install added another entry.
+
+The fix:
+- Match existing hooks by tool name in the path, not exact command string
+- Always prefer `~/.ldm/extensions/<tool>/guard.mjs` over source or temp paths
+- If a hook for the same tool exists at a different path, update it instead of adding a duplicate
+
+## GitHub Issues convention added to Dev Guide
+
+We were tracking work in `ai/todos/` markdown files. Items got lost. GitHub Issues gives us tracking, cross-referencing, and visibility across agents.
+
+Added to the public Dev Guide:
+- When to use GitHub Issues vs `ai/todos/`
+- Filing convention: `filed-by:<agent-id>` labels and attribution lines
+- Public vs private issue routing: public issues are the front door, private issues are the workshop
+- Agent ID naming convention: `[platform]-[agent]-[machine]`
+
+Added to the private Dev Guide:
+- `filed-by:cc-mini` (blue) and `filed-by:oc-lesa-mini` (purple) label details
+- Org-wide deployment commands
+- Incident note: Memory Crystal agent ID drift
+
+Both labels deployed across all wipcomputer repos.

package/_trash/RELEASE-NOTES-v1-8-1.md

@@ -0,0 +1,7 @@
+# v1.8.1: Fix CLI install when package name changed
+
+When a tool's npm package gets renamed but the binary name stays the same, `npm install -g` fails with EEXIST. The stale symlink from the old package blocks the new one.
+
+The installer now detects this: if the binary is a symlink pointing to a different package, it removes the stale link and retries. Only affects symlinks, only when the target doesn't match the package being installed.
+
+Found on `wip-license-hook` (renamed from `@wipcomputer/license-hook` to `@wipcomputer/wip-license-hook`).

package/_trash/RELEASE-NOTES-v1-8-2.md

@@ -0,0 +1,7 @@
+# v1.8.2: Clean up release notes after release
+
+RELEASE-NOTES files were piling up in the repo root. `wip-release` consumed them for the GitHub release and CHANGELOG but never cleaned up.
+
+Now after consuming the file, `wip-release` moves all `RELEASE-NOTES-v*.md` files to `_trash/` as part of the version bump commit. We never delete anything.
+
+`deploy-public.sh` also now excludes `_trash/` so these files stay private.

package/_trash/RELEASE-NOTES-v1-9-0.md

@@ -0,0 +1,37 @@
+# v1.9.0: README Formatter, Repo Init, Dev Guide overhaul
+
+Two new tools, eight SKILL.md fixes, and a major Dev Guide update.
+
+## New: wip-readme-format
+
+Auto-generates READMEs following the WIP Computer standard. Detects all six interfaces, reads SKILL.md for tool names, generates badges, "Teach Your AI" block, features, interface coverage table, license block. Works on single repos and toolbox repos.
+
+The key design: generates separate section files instead of one monolithic README.
+
+```
+wip-readme-format /path/to/repo          # generates README-init-*.md section files
+wip-readme-format /path/to/repo --deploy  # assembles sections into README.md
+```
+
+Section files: `README-init-badges.md`, `README-init-title.md`, `README-init-teach.md`, `README-init-features.md`, `README-init-coverage.md`, `README-init-more-info.md`, `README-init-license.md`, `README-init-technical.md`. Edit any section independently, then deploy assembles them in order. Same pattern as release notes: staging, review, deploy.
+
+Also supports `--dry-run` (preview) and `--check` (validate existing README against the standard).
+
+## New: wip-repo-init
+
+Scaffolds the standard `ai/` directory in any repo. Plans, notes, ideas, dev updates, todos. Every folder has self-documenting READMEs.
+
+New repo: creates the full structure. Existing repo: moves old `ai/` contents to `ai/_sort/ai_old/` so you can sort at your own pace. Nothing is deleted.
+
+## Dev Guide: release notes workflow
+
+Both Dev Guides (public and private) now explicitly document the `RELEASE-NOTES-v{version}.md` workflow. Write the release notes file on the branch, commit it with the code, review it in the PR, `wip-release` auto-detects it after merge. Both guides cross-reference each other at the top so agents know to read both.
+
+## Fixes
+
+- Fixed SKILL.md `name:` frontmatter in all 8 existing tools. Interface coverage table now shows human-readable names ("Release Pipeline", "Identity File Protection") instead of directory names ("wip-release", "wip-file-guard").
+- Fixed interface coverage table: renamed "OpenClaw" column to "OC Plugin", corrected License Guard row (was falsely claiming Module + CC Hook).
+- Skill deployment: `wip-install` now deploys SKILL.md files to `~/.openclaw/skills/<tool>/` so OpenClaw agents can use them.
+- Amalgamated interface system notes, README standard, and Universal Installer vision into one reference document.
+- Dogfooded wip-repo-init on the toolbox itself. Filled in product bible, roadmap, and readme-first with real content.
+- Created plan stubs for all roadmap items (README Formatter, Daily Dev Summary, GitHub Actions Pack, Security Suite).

package/_trash/RELEASE-NOTES-v1-9-1.md

@@ -0,0 +1,38 @@
+# v1.9.1: Release gates ... product docs and release notes quality enforcement
+
+Agents read the Dev Guide, say "got it," and then release with garbage one-liner notes anyway. Documentation doesn't change behavior. Tools do. This release adds two new gates to `wip-release` that block bad releases before they happen.
+
+## Product docs gate
+
+Every PR is supposed to include updated product docs: a dev update, roadmap changes, and readme-first updates. This was documented in the Dev Guide as a manual checklist. Nobody followed it.
+
+`wip-release` now checks three things before publishing:
+
+1. **Dev update exists.** Looks in `ai/dev-updates/` for a file from the last 3 days. If you did work worth releasing, you should have written about it.
+2. **Roadmap was updated.** Checks `ai/product/plans-prds/roadmap.md` via `git diff` against the last tag. If the roadmap doesn't reflect what just shipped, it's stale.
+3. **Readme-first was updated.** Same check on `ai/product/readme-first-product.md`. The product bible should always describe what's actually built.
+
+Repos without an `ai/` directory are skipped silently. This only applies to repos that have adopted the `ai/` folder standard.
+
+For **patch** releases: warns but doesn't block. Hotfixes shouldn't be held up by docs.
+For **minor/major** releases: blocks the release. You can't ship a meaningful feature with stale product docs.
+
+`--skip-product-check` overrides for exceptional cases.
+
+## Release notes quality gate
+
+On 2026-03-11, the other CC session released memory-crystal v0.7.4. It read the Dev Guide (which now explicitly says "write a RELEASE-NOTES file on the branch"). It said it understood. Then it ran `wip-release patch --notes="MCP fix and agent ID config"` and published a one-liner to GitHub. The old `warnIfNotesAreThin()` function printed a warning to console. The agent ignored it.
+
+The root cause was architectural, not behavioral. The warning ran at step 8 of the pipeline, AFTER the version was already bumped, committed, tagged, and pushed. By the time the warning appeared, the damage was done. And it was a warning, not a gate. Agents don't read warnings.
+
+The fix:
+- `checkReleaseNotes()` replaces `warnIfNotesAreThin()`. It runs before the version bump, not after.
+- The CLI now tracks `notesSource`: where the notes came from (`file`, `dev-update`, `flag`, or `none`).
+- For minor/major releases: if notes came from a bare `--notes` flag instead of a `RELEASE-NOTES-v{version}.md` file, the release is **blocked**. The agent gets explicit instructions: "Write RELEASE-NOTES-v{version}.md (dashes not dots), commit it, then release."
+- For patch releases: warns if notes are short, but doesn't block.
+
+## Both gates follow the same pattern
+
+The existing license compliance gate (step 0) checks `.license-guard.json` and blocks if licensing is wrong. The new product docs gate (step 0.5) and release notes gate (step 0.75) work the same way: check early, block before any changes, show status in `--dry-run`, give clear instructions on how to fix it.
+
+The MCP server was also updated with `skipProductCheck` and `notesSource` passthrough so agents calling wip-release via MCP get the same enforcement.

package/_trash/RELEASE-NOTES-v1-9-10.md

@@ -0,0 +1,40 @@
+# Release Notes: AI DevOps Toolbox v1.9.10
+
+**Fix: Release notes files on disk always beat --notes flag**
+
+v1.9.9 shipped with a one-liner on the GitHub release instead of the full narrative release notes. The RELEASE-NOTES-v1-9-9.md file was sitting right there on disk, but `--notes="short text"` took priority because the auto-detect only ran when `--notes` was absent.
+
+This is exactly the kind of bug that happens when a rule exists in documentation but not in code. "Write release notes on the branch" is in the Dev Guide. The tool ignored them.
+
+## What changed
+
+### Notes priority is now enforced (highest wins):
+
+1. `--notes-file=path` ... explicit file path (always wins)
+2. `RELEASE-NOTES-v{ver}.md` ... in repo root (always wins over `--notes` flag)
+3. `ai/dev-updates/YYYY-MM-DD*` ... today's dev update (wins over `--notes` flag if longer)
+4. `--notes="text"` ... fallback only. Use for repos without release notes files.
+
+If a RELEASE-NOTES file exists on disk, `--notes` is ignored and a warning is printed:
+
+```
+! --notes flag ignored: RELEASE-NOTES-v1-9-10.md takes priority
+```
+
+Written notes on disk always take priority over a CLI one-liner. The agent wrote the file. The tool should use it.
+
+## Files changed
+
+```
+ tools/wip-release/cli.js | ~40 lines rewritten (notes cascade logic)
+```
+
+## Install
+
+```bash
+git pull origin main
+```
+
+## Attribution
+
+Built by Parker Todd Brooks, Lesa, and Claude Opus 4.6 at WIP.computer.

package/_trash/RELEASE-NOTES-v1-9-2.md

@@ -0,0 +1,40 @@
+# v1.9.2: Distribution Pipeline Fix
+
+The entire distribution pipeline was broken. Tools built but never reached users. 8 of 13 tools weren't on npm. ClawHub publish only shipped the root SKILL.md. deploy-public never ran npm publish. Errors were silent.
+
+This release fixes all of it.
+
+## What changed
+
+### Install fixes (#96, #110)
+- CLI binaries now have correct executable permissions (git +x on all bin entry files)
+- wip-license-hook dist/ committed to repo (TypeScript build output was gitignored)
+- Installer auto-detects TypeScript projects and runs build if dist/ missing
+- chmod +x safety net after every npm install -g
+- SSH fallback when HTTPS clone fails (private repos)
+
+### SKILL.md spec compliance (#107, #108)
+- All 12 SKILL.md files conform to agentskills.io spec
+- name field: lowercase-hyphen format matching directory name
+- Display names in metadata.display-name
+- version, homepage, author in metadata block
+- license: MIT on all files
+- metadata.openclaw blocks with install instructions and emoji
+- New SKILL.md created for wip-license-guard (was missing)
+
+### Distribution pipeline (#97, #100, #104)
+- ClawHub publish now iterates all sub-tool SKILL.md files, not just root
+- detectSkillSlug reads the name field from SKILL.md frontmatter
+- deploy-public.sh runs npm publish from the public clone after code sync
+- Handles both single repos and toolbox repos (iterates tools/*)
+- Distribution summary at end of release: shows all targets with pass/fail
+- syncSkillVersion handles quoted version strings in new metadata format
+
+## Install
+
+```bash
+npm install -g @wipcomputer/wip-ai-devops-toolbox
+wip-install wipcomputer/wip-ai-devops-toolbox
+```
+
+Built by Parker Todd Brooks, Lesa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).