@wipcomputer/wip-ai-devops-toolbox 1.9.27 → 1.9.29

package/CHANGELOG.md

@@ -31,6 +31,70 @@
 
 
 
+
+## 1.9.29 (2026-03-15)
+
+# Release notes must be a file on disk
+
+**Date:** 2026-03-15
+
+## What changed
+
+wip-release no longer accepts the `--notes` flag. Release notes MUST come from a file on disk:
+
+1. `RELEASE-NOTES-v{version}.md` in repo root (auto-detected)
+2. `ai/dev-updates/YYYY-MM-DD--description.md` (auto-detected)
+3. `--notes-file=path` (explicit file path)
+
+If no file exists, the release is blocked. The gate scaffolds a template (`RELEASE-NOTES-v{version}.md`) so the agent has something to fill in.
+
+## Why
+
+The `--notes` flag was the root cause of every bad release note. Agents passed one-liners like `--notes="fix bug"` and the gate let them through. Even after we added length checks and changelog detection, agents found ways around it. The flag was an escape hatch that undermined the entire system.
+
+The file-on-disk requirement solves three problems:
+1. **Reviewability.** The file is on the branch. It shows up in the PR diff. Parker can read and approve the release notes before merge.
+2. **Quality.** Writing a file forces the agent to think about what changed and why. A flag encourages one-liners.
+3. **History.** The file is committed to git. The release notes are part of the repo history, not a transient CLI argument.
+
+## What agents need to do
+
+Before running `wip-release`:
+1. Write `RELEASE-NOTES-v{version}.md` or `ai/dev-updates/YYYY-MM-DD--description.md`
+2. Commit it on the branch
+3. The file shows up in the PR for review
+4. After merge to main, `wip-release` auto-detects it
+
+If the agent forgets, `wip-release` blocks and scaffolds a template.
+
+## 1.9.28 (2026-03-15)
+
+# Release Notes Quality Gate
+
+**Date:** 2026-03-15
+
+## What changed
+
+wip-release now blocks ALL releases (patch, minor, major) if the release notes are bad. Previously, patch releases only warned. Now they block.
+
+The gate checks:
+- Notes must be at least 50 characters
+- Notes can't look like a changelog entry ("fix: ...", "add: ...", "update: ...")
+- Minor/major still require a file (not --notes flag)
+
+If the gate blocks, it tells you exactly how to fix it: write a RELEASE-NOTES file, write a dev update, or use --notes with at least 50 chars of real description.
+
+## Why
+
+Release notes were consistently garbage. One-liner --notes flags like "Fix bug" or "Update docs" sailed through on patch releases. The warnings were ignored by both humans and agents. Every release page on GitHub had thin, useless notes that didn't explain what changed or why.
+
+## Also in this release
+
+- wip-repo-init templates renamed from ai/ to templates/ so they ship with npm install (deploy-public.sh was stripping them)
+- SKILL.md restart notice after install (hooks need session restart)
+- SPEC.md and TECHNICAL.md updated with all 17 tools and LDM OS links
+- Branch guard matcher fix (catches Bash + NotebookEdit)
+- Forced Git Worktrees and Branch Guard sections added to SKILL.md
 
 ## 1.9.27 (2026-03-15)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.27"
+  version: "1.9.29"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/scripts/deploy-public.sh

@@ -18,12 +18,29 @@
 
 set -euo pipefail
 
-PRIVATE_REPO="$1"
-PUBLIC_REPO="$2"
+PRIVATE_REPO="${1:-}"
+PUBLIC_REPO="${2:-}"
+DRY_RUN=false
+
+# Parse flags
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=true ;;
+  esac
+done
+
+# Strip flags from positional args
+ARGS=()
+for arg in "$@"; do
+  [[ "$arg" == --* ]] || ARGS+=("$arg")
+done
+PRIVATE_REPO="${ARGS[0]:-}"
+PUBLIC_REPO="${ARGS[1]:-}"
 
 if [[ -z "$PRIVATE_REPO" || -z "$PUBLIC_REPO" ]]; then
-  echo "Usage: bash deploy-public.sh <private-repo-path> <public-github-repo>"
+  echo "Usage: bash deploy-public.sh <private-repo-path> <public-github-repo> [--dry-run]"
   echo "Example: bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal"
+  echo "         bash deploy-public.sh /path/to/memory-crystal wipcomputer/memory-crystal --dry-run"
   exit 1
 fi
 
@@ -123,6 +140,24 @@ fi
 BRANCH="$HARNESS_ID/deploy-$(date +%Y%m%d-%H%M%S)"
 
 git add -A
+
+# Dry-run: show what would be deployed, then stop
+if $DRY_RUN; then
+  echo ""
+  echo "  Dry run: deploy-public.sh"
+  echo "  ────────────────────────────────────"
+  echo "  Source: $PRIVATE_REPO"
+  echo "  Target: $PUBLIC_REPO"
+  echo "  Commit: $COMMIT_MSG ($COMMIT_HASH)"
+  echo ""
+  echo "  Files that would change:"
+  git diff --cached --stat 2>/dev/null || git diff --stat HEAD 2>/dev/null || echo "  (new files)"
+  git ls-files --others --exclude-standard | head -20 | while read f; do echo "  + $f"; done
+  echo ""
+  echo "  Dry run complete. No changes pushed."
+  exit 0
+fi
+
 git commit -m "$COMMIT_MSG (from $COMMIT_HASH)"
 
 if [[ "$EMPTY_REPO" == "true" ]]; then

package/scripts/post-merge-rename.sh

@@ -159,6 +159,11 @@ prune_branches() {
       if [[ $count -le $KEEP_COUNT ]]; then
         echo "  ✓ KEEP $branch"
       else
+        # Safety: verify branch is actually merged into main before deleting
+        if ! git merge-base --is-ancestor "origin/$branch" origin/main 2>/dev/null; then
+          echo "  ! SKIP $branch (NOT merged into main despite --merged suffix)"
+          continue
+        fi
         if $DRY_RUN; then
           echo "  [dry-run] DELETE $branch"
         else

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/format.mjs

@@ -337,6 +337,26 @@ if (DEPLOY) {
     process.exit(1);
   }
 
+  // Safety: init files must be reviewed (committed or modified) before deploy.
+  // If all init files are untracked (just generated, never reviewed), block.
+  try {
+    const { execSync } = await import('node:child_process');
+    const initFiles = readdirSync(repoPath).filter(f => f.startsWith('README-init-'));
+    const allUntracked = initFiles.every(f => {
+      try {
+        const status = execSync(`git status --porcelain "${f}"`, { cwd: repoPath, encoding: 'utf8' }).trim();
+        return status.startsWith('??');
+      } catch { return false; }
+    });
+    if (allUntracked && initFiles.length > 0) {
+      fail('Init files have not been reviewed. They are all untracked (just generated).');
+      console.log('  Review the README-init-*.md files, edit as needed, then git add them before deploying.');
+      console.log('  Or commit them first so there is a review trail.');
+      process.exit(1);
+    }
+  } catch {}
+
+
   const date = new Date().toISOString().slice(0, 10);
   const aiTrash = join(repoPath, 'ai', '_trash');
 

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/cli.js

@@ -119,12 +119,12 @@ Flags:
   --skip-stale-check       Skip stale remote branch check
   --skip-worktree-check    Skip worktree guard (allow release from worktree)
 
-Release notes (highest priority wins, files ALWAYS beat --notes flag):
-  1. --notes-file=path          Explicit file path (always wins)
-  2. RELEASE-NOTES-v{ver}.md    In repo root (wins over --notes)
-  3. ai/dev-updates/YYYY-MM-DD* Today's dev update (wins over --notes if longer)
-  4. --notes="text"             Fallback only (use for repos without release notes files)
-  Written notes on disk always take priority over a CLI one-liner.
+Release notes (REQUIRED, must be a file on disk):
+  1. --notes-file=path          Explicit file path
+  2. RELEASE-NOTES-v{ver}.md    In repo root (auto-detected)
+  3. ai/dev-updates/YYYY-MM-DD* Today's dev update (auto-detected)
+  The --notes flag is NOT accepted. Write a file. Commit it on your branch.
+  The file shows up in the PR diff so it can be reviewed before merge.
 
 Skill publish to website:
   Add .publish-skill.json to repo root: { "name": "my-tool" }

package/tools/wip-release/core.mjs

@@ -227,23 +227,27 @@ function checkReleaseNotes(notes, notesSource, level) {
   const issues = [];
 
   if (!notes) {
-    issues.push('No release notes provided. Write a RELEASE-NOTES-v{version}.md or ai/dev-updates/ file.');
+    issues.push('No release notes found. A file is REQUIRED.');
+    issues.push('Write RELEASE-NOTES-v{version}.md or ai/dev-updates/YYYY-MM-DD--description.md');
+    issues.push('Commit it on your branch so it is reviewable in the PR.');
     return { ok: false, issues, block: true };
   }
 
-  // Notes too short. All levels blocked.
-  if (notes.length < 50) {
-    issues.push('Release notes are too short (under 50 chars). Explain what changed and why.');
-    issues.push('Write a RELEASE-NOTES-v{version}.md or ai/dev-updates/ file.');
+  // HARD RULE: release notes must come from a file on disk.
+  // --notes flag is NOT accepted. Write a file. Commit it. Review it.
+  if (notesSource === 'flag') {
+    issues.push('Release notes must come from a file, not the --notes flag.');
+    issues.push('Write RELEASE-NOTES-v{version}.md or ai/dev-updates/YYYY-MM-DD--description.md');
+    issues.push('Commit it on your branch so it is reviewable in the PR before merge.');
+    return { ok: false, issues, block: true };
   }
 
-  // Bare --notes flag for minor/major is never acceptable.
-  if (notesSource === 'flag' && (level === 'minor' || level === 'major')) {
-    issues.push('Minor/major releases require a file, not --notes flag.');
-    issues.push('Write RELEASE-NOTES-v{version}.md (dashes not dots) and commit it.');
+  // Notes too short.
+  if (notes.length < 50) {
+    issues.push('Release notes are too short (under 50 chars). Explain what changed and why.');
   }
 
-  // Check for changelog-style one-liners regardless of source
+  // Check for changelog-style one-liners
   const looksLikeChangelog = /^(fix|add|update|remove|bump|chore|refactor|docs?)[\s:]/i.test(notes);
   if (looksLikeChangelog && notes.length < 100) {
     issues.push('Notes look like a changelog entry, not a narrative. Explain the impact.');
@@ -252,6 +256,44 @@ function checkReleaseNotes(notes, notesSource, level) {
   return { ok: issues.length === 0, issues, block: issues.length > 0 };
 }
 
+/**
+ * Scaffold a RELEASE-NOTES-v{version}.md template if one doesn't exist.
+ * Called when the release notes gate blocks. Gives the agent a file to fill in.
+ */
+export function scaffoldReleaseNotes(repoPath, version) {
+  const dashed = version.replace(/\./g, '-');
+  const notesPath = join(repoPath, `RELEASE-NOTES-v${dashed}.md`);
+  if (existsSync(notesPath)) return notesPath;
+
+  const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+  const name = pkg.name?.replace(/^@[^/]+\//, '') || basename(repoPath);
+
+  const template = `# Release Notes: ${name} v${version}
+
+**One-line summary of what this release does**
+
+## What changed
+
+Describe the changes. Not a commit list. Explain:
+- What was built or fixed
+- Why it matters
+- What the user should know
+
+## Why
+
+What problem does this solve? What was broken or missing?
+
+## How to verify
+
+\`\`\`bash
+# Commands to test the changes
+\`\`\`
+`;
+
+  writeFileSync(notesPath, template);
+  return notesPath;
+}
+
 /**
  * Check if a file was modified in commits since the last git tag.
  */
@@ -783,11 +825,10 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
       console.log(`  ✗ Release notes blocked:`);
       for (const issue of notesCheck.issues) console.log(`    - ${issue}`);
       console.log('');
-      console.log('  Release notes must explain what changed and why.');
-      console.log('  Options:');
-      console.log('    1. Write RELEASE-NOTES-v{version}.md (dashes not dots) and commit it');
-      console.log('    2. Write ai/dev-updates/YYYY-MM-DD--description.md and commit it');
-      console.log('    3. Use --notes="at least 50 chars explaining the change and its impact"');
+      // Scaffold a template so the agent has something to fill in
+      const templatePath = scaffoldReleaseNotes(repoPath, newVersion);
+      console.log(`  Scaffolded template: ${basename(templatePath)}`);
+      console.log('  Fill it in, commit, then run wip-release again.');
       console.log('');
       return { currentVersion, newVersion, dryRun: false, failed: true };
     }

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.27",
+  "version": "1.9.29",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",