@wipcomputer/wip-ai-devops-toolbox 1.9.29 → 1.9.31

package/CHANGELOG.md

@@ -31,6 +31,70 @@
 
 
 
+
+## 1.9.31 (2026-03-15)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.31
+
+Branch guard no longer blocks global npm operations on main.
+
+## What changed
+
+Moved `npm install -g` and `npm link` from BLOCKED_BASH_PATTERNS to ALLOWED_BASH_PATTERNS in `wip-branch-guard/guard.mjs`. Global npm operations modify `/opt/homebrew/`, not the repo. Local `npm install` (no -g flag) remains blocked.
+
+## Why
+
+During LDM OS v0.4.0 dogfood, a CC session couldn't run `npm install -g @wipcomputer/wip-ldm-os@0.4.0` even after Parker explicitly said "install." The guard was too aggressive. Original intent (issue #137) was to block repo writes on main, not system-level package installs.
+
+## Issues closed
+
+- Closes #188 (branch guard blocks npm install -g)
+- Cross-ref: wipcomputer/wip-ldm-os#44
+
+## How to verify
+
+```bash
+# On main branch, these should now succeed:
+npm install -g @wipcomputer/wip-ldm-os@0.4.0
+npm link
+# This should still be blocked on main:
+npm install
+```
+
+## 1.9.30 (2026-03-15)
+
+# Release notes must be a file on disk
+
+**Date:** 2026-03-15
+
+## What changed
+
+wip-release no longer accepts the `--notes` flag. Release notes MUST come from a file on disk:
+
+1. `RELEASE-NOTES-v{version}.md` in repo root (auto-detected)
+2. `ai/dev-updates/YYYY-MM-DD--description.md` (auto-detected)
+3. `--notes-file=path` (explicit file path)
+
+If no file exists, the release is blocked. The gate scaffolds a template (`RELEASE-NOTES-v{version}.md`) so the agent has something to fill in.
+
+## Why
+
+The `--notes` flag was the root cause of every bad release note. Agents passed one-liners like `--notes="fix bug"` and the gate let them through. Even after we added length checks and changelog detection, agents found ways around it. The flag was an escape hatch that undermined the entire system.
+
+The file-on-disk requirement solves three problems:
+1. **Reviewability.** The file is on the branch. It shows up in the PR diff. Parker can read and approve the release notes before merge.
+2. **Quality.** Writing a file forces the agent to think about what changed and why. A flag encourages one-liners.
+3. **History.** The file is committed to git. The release notes are part of the repo history, not a transient CLI argument.
+
+## What agents need to do
+
+Before running `wip-release`:
+1. Write `RELEASE-NOTES-v{version}.md` or `ai/dev-updates/YYYY-MM-DD--description.md`
+2. Commit it on the branch
+3. The file shows up in the PR for review
+4. After merge to main, `wip-release` auto-detects it
+
+If the agent forgets, `wip-release` blocks and scaffolds a template.
 
 ## 1.9.29 (2026-03-15)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.29"
+  version: "1.9.31"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/_trash/RELEASE-NOTES-v1-9-31.md

@@ -0,0 +1,26 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.31
+
+Branch guard no longer blocks global npm operations on main.
+
+## What changed
+
+Moved `npm install -g` and `npm link` from BLOCKED_BASH_PATTERNS to ALLOWED_BASH_PATTERNS in `wip-branch-guard/guard.mjs`. Global npm operations modify `/opt/homebrew/`, not the repo. Local `npm install` (no -g flag) remains blocked.
+
+## Why
+
+During LDM OS v0.4.0 dogfood, a CC session couldn't run `npm install -g @wipcomputer/wip-ldm-os@0.4.0` even after Parker explicitly said "install." The guard was too aggressive. Original intent (issue #137) was to block repo writes on main, not system-level package installs.
+
+## Issues closed
+
+- Closes #188 (branch guard blocks npm install -g)
+- Cross-ref: wipcomputer/wip-ldm-os#44
+
+## How to verify
+
+```bash
+# On main branch, these should now succeed:
+npm install -g @wipcomputer/wip-ldm-os@0.4.0
+npm link
+# This should still be blocked on main:
+npm install
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/guard.mjs

@@ -49,8 +49,6 @@ const BLOCKED_BASH_PATTERNS = [
   /\brm\s+/,
   /\bmkdir\s+/,
   /\btouch\s+/,
-  /\bnpm\s+link\b/,
-  /\bnpm\s+install\s+-g\b/,
   />\s/,          // redirects
   /\btee\s+/,
   /\bsed\s+-i/,
@@ -77,6 +75,8 @@ const ALLOWED_BASH_PATTERNS = [
   /--dry-run/,
   /--help/,
   /\bwip-release\b.*--dry-run/,
+  /\bnpm\s+install\s+-g\b/,   // global installs modify /opt/homebrew/, not the repo
+  /\bnpm\s+link\b/,            // global operation, not repo-local
 ];
 
 function deny(reason) {

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -253,6 +253,12 @@ function checkReleaseNotes(notes, notesSource, level) {
     issues.push('Notes look like a changelog entry, not a narrative. Explain the impact.');
   }
 
+  // Release notes should reference at least one issue
+  const hasIssueRef = /#\d+/.test(notes);
+  if (!hasIssueRef) {
+    issues.push('No issue reference found (#XX). Every release should close or reference an issue.');
+  }
+
   return { ok: issues.length === 0, issues, block: issues.length > 0 };
 }
 
@@ -268,6 +274,19 @@ export function scaffoldReleaseNotes(repoPath, version) {
   const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
   const name = pkg.name?.replace(/^@[^/]+\//, '') || basename(repoPath);
 
+  // Auto-detect issue references from commits since last tag
+  let issueRefs = '';
+  try {
+    const lastTag = execFileSync('git', ['describe', '--tags', '--abbrev=0'],
+      { cwd: repoPath, encoding: 'utf8' }).trim();
+    const log = execFileSync('git', ['log', `${lastTag}..HEAD`, '--oneline'],
+      { cwd: repoPath, encoding: 'utf8' });
+    const issues = [...new Set(log.match(/#\d+/g) || [])];
+    if (issues.length > 0) {
+      issueRefs = issues.map(i => `- ${i}`).join('\n');
+    }
+  } catch {}
+
   const template = `# Release Notes: ${name} v${version}
 
 **One-line summary of what this release does**
@@ -283,6 +302,10 @@ Describe the changes. Not a commit list. Explain:
 
 What problem does this solve? What was broken or missing?
 
+## Issues closed
+
+${issueRefs || '- #XX (replace with actual issue numbers)'}
+
 ## How to verify
 
 \`\`\`bash
@@ -499,6 +522,23 @@ export function createGitHubRelease(repoPath, newVersion, notes, currentVersion)
         console.warn(`  ! GitHub release body is only ${bodyLen} chars. Notes may be truncated.`);
       }
     } catch {}
+
+    // Auto-close referenced issues
+    const issueNums = [...new Set((body.match(/#(\d+)/g) || []).map(m => m.slice(1)))];
+    for (const num of issueNums) {
+      try {
+        // Only close if issue exists and is open on the public repo
+        const publicSlug = repoSlug.replace(/-private$/, '');
+        execFileSync('gh', [
+          'issue', 'close', num,
+          '--repo', publicSlug,
+          '--comment', `Closed by v${newVersion}. See release notes.`
+        ], { cwd: repoPath, stdio: 'pipe' });
+        console.log(`  ✓ Closed #${num} on ${publicSlug}`);
+      } catch {
+        // Issue doesn't exist on public repo or already closed. Fine.
+      }
+    }
   } finally {
     try { execFileSync('rm', ['-f', tmpFile]); } catch {}
   }

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.29",
+  "version": "1.9.31",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",