@wipcomputer/wip-ai-devops-toolbox 1.9.27 → 1.9.28

package/CHANGELOG.md

@@ -31,6 +31,35 @@
 
 
 
+
+## 1.9.28 (2026-03-15)
+
+# Release Notes Quality Gate
+
+**Date:** 2026-03-15
+
+## What changed
+
+wip-release now blocks ALL releases (patch, minor, major) if the release notes are bad. Previously, patch releases only warned. Now they block.
+
+The gate checks:
+- Notes must be at least 50 characters
+- Notes can't look like a changelog entry ("fix: ...", "add: ...", "update: ...")
+- Minor/major still require a file (not --notes flag)
+
+If the gate blocks, it tells you exactly how to fix it: write a RELEASE-NOTES file, write a dev update, or use --notes with at least 50 chars of real description.
+
+## Why
+
+Release notes were consistently garbage. One-liner --notes flags like "Fix bug" or "Update docs" sailed through on patch releases. The warnings were ignored by both humans and agents. Every release page on GitHub had thin, useless notes that didn't explain what changed or why.
+
+## Also in this release
+
+- wip-repo-init templates renamed from ai/ to templates/ so they ship with npm install (deploy-public.sh was stripping them)
+- SKILL.md restart notice after install (hooks need session restart)
+- SPEC.md and TECHNICAL.md updated with all 17 tools and LDM OS links
+- Branch guard matcher fix (catches Bash + NotebookEdit)
+- Forced Git Worktrees and Branch Guard sections added to SKILL.md
 
 ## 1.9.27 (2026-03-15)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.27"
+  version: "1.9.28"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/scripts/deploy-public.sh

@@ -18,12 +18,29 @@
 
 set -euo pipefail
 
-PRIVATE_REPO="$1"
-PUBLIC_REPO="$2"
+PRIVATE_REPO="${1:-}"
+PUBLIC_REPO="${2:-}"
+DRY_RUN=false
+
+# Parse flags
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=true ;;
+  esac
+done
+
+# Strip flags from positional args
+ARGS=()
+for arg in "$@"; do
+  [[ "$arg" == --* ]] || ARGS+=("$arg")
+done
+PRIVATE_REPO="${ARGS[0]:-}"
+PUBLIC_REPO="${ARGS[1]:-}"
 
 if [[ -z "$PRIVATE_REPO" || -z "$PUBLIC_REPO" ]]; then
-  echo "Usage: bash deploy-public.sh <private-repo-path> <public-github-repo>"
+  echo "Usage: bash deploy-public.sh <private-repo-path> <public-github-repo> [--dry-run]"
   echo "Example: bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal"
+  echo "         bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal --dry-run"
   exit 1
 fi
 
@@ -123,6 +140,24 @@ fi
 BRANCH="$HARNESS_ID/deploy-$(date +%Y%m%d-%H%M%S)"
 
 git add -A
+
+# Dry-run: show what would be deployed, then stop
+if $DRY_RUN; then
+  echo ""
+  echo "  Dry run: deploy-public.sh"
+  echo "  ────────────────────────────────────"
+  echo "  Source: $PRIVATE_REPO"
+  echo "  Target: $PUBLIC_REPO"
+  echo "  Commit: $COMMIT_MSG ($COMMIT_HASH)"
+  echo ""
+  echo "  Files that would change:"
+  git diff --cached --stat 2>/dev/null || git diff --stat HEAD 2>/dev/null || echo "  (new files)"
+  git ls-files --others --exclude-standard | head -20 | while read f; do echo "  + $f"; done
+  echo ""
+  echo "  Dry run complete. No changes pushed."
+  exit 0
+fi
+
 git commit -m "$COMMIT_MSG (from $COMMIT_HASH)"
 
 if [[ "$EMPTY_REPO" == "true" ]]; then

package/scripts/post-merge-rename.sh

@@ -159,6 +159,11 @@ prune_branches() {
       if [[ $count -le $KEEP_COUNT ]]; then
         echo "  ✓ KEEP $branch"
       else
+        # Safety: verify branch is actually merged into main before deleting
+        if ! git merge-base --is-ancestor "origin/$branch" origin/main 2>/dev/null; then
+          echo "  ! SKIP $branch (NOT merged into main despite --merged suffix)"
+          continue
+        fi
         if $DRY_RUN; then
           echo "  [dry-run] DELETE $branch"
         else

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/format.mjs

@@ -337,6 +337,26 @@ if (DEPLOY) {
     process.exit(1);
   }
 
+  // Safety: init files must be reviewed (committed or modified) before deploy.
+  // If all init files are untracked (just generated, never reviewed), block.
+  try {
+    const { execSync } = await import('node:child_process');
+    const initFiles = readdirSync(repoPath).filter(f => f.startsWith('README-init-'));
+    const allUntracked = initFiles.every(f => {
+      try {
+        const status = execSync(`git status --porcelain "${f}"`, { cwd: repoPath, encoding: 'utf8' }).trim();
+        return status.startsWith('??');
+      } catch { return false; }
+    });
+    if (allUntracked && initFiles.length > 0) {
+      fail('Init files have not been reviewed. They are all untracked (just generated).');
+      console.log('  Review the README-init-*.md files, edit as needed, then git add them before deploying.');
+      console.log('  Or commit them first so there is a review trail.');
+      process.exit(1);
+    }
+  } catch {}
+
+
   const date = new Date().toISOString().slice(0, 10);
   const aiTrash = join(repoPath, 'ai', '_trash');
 

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -252,6 +252,44 @@ function checkReleaseNotes(notes, notesSource, level) {
   return { ok: issues.length === 0, issues, block: issues.length > 0 };
 }
 
+/**
+ * Scaffold a RELEASE-NOTES-v{version}.md template if one doesn't exist.
+ * Called when the release notes gate blocks. Gives the agent a file to fill in.
+ */
+export function scaffoldReleaseNotes(repoPath, version) {
+  const dashed = version.replace(/\./g, '-');
+  const notesPath = join(repoPath, `RELEASE-NOTES-v${dashed}.md`);
+  if (existsSync(notesPath)) return notesPath;
+
+  const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+  const name = pkg.name?.replace(/^@[^/]+\//, '') || basename(repoPath);
+
+  const template = `# Release Notes: ${name} v${version}
+
+**One-line summary of what this release does**
+
+## What changed
+
+Describe the changes. Not a commit list. Explain:
+- What was built or fixed
+- Why it matters
+- What the user should know
+
+## Why
+
+What problem does this solve? What was broken or missing?
+
+## How to verify
+
+\`\`\`bash
+# Commands to test the changes
+\`\`\`
+`;
+
+  writeFileSync(notesPath, template);
+  return notesPath;
+}
+
 /**
  * Check if a file was modified in commits since the last git tag.
  */
@@ -783,11 +821,10 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
       console.log(`  ✗ Release notes blocked:`);
       for (const issue of notesCheck.issues) console.log(`    - ${issue}`);
       console.log('');
-      console.log('  Release notes must explain what changed and why.');
-      console.log('  Options:');
-      console.log('    1. Write RELEASE-NOTES-v{version}.md (dashes not dots) and commit it');
-      console.log('    2. Write ai/dev-updates/YYYY-MM-DD--description.md and commit it');
-      console.log('    3. Use --notes="at least 50 chars explaining the change and its impact"');
+      // Scaffold a template so the agent has something to fill in
+      const templatePath = scaffoldReleaseNotes(repoPath, newVersion);
+      console.log(`  Scaffolded template: ${basename(templatePath)}`);
+      console.log('  Fill it in, commit, then run wip-release again.');
       console.log('');
       return { currentVersion, newVersion, dryRun: false, failed: true };
     }

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.27",
+  "version": "1.9.28",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",