@wipcomputer/wip-ai-devops-toolbox 1.9.48 → 1.9.50

package/CHANGELOG.md

@@ -31,6 +31,67 @@
 
 
 
+
+## 1.9.50 (2026-03-20)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.50
+
+**wip-release: require product update doc on every release.**
+
+## What changed
+
+New quality gate in wip-release: checks that `ai/dev-updates/product-update/*-product-update.md` was modified since the last release tag. Same pattern as dev-updates, roadmap, and readme-first checks.
+
+The product update doc is a human-readable test guide. Each release entry has: what changed, how it's supposed to work, and how to test. New entries go at the top. Additive only.
+
+## Why
+
+Three repos now have product update docs but nothing enforced keeping them current. Without the gate, the docs will drift immediately (same problem we had with TECHNICAL.md).
+
+## Issues closed
+
+- #220
+
+## How to verify
+
+```bash
+wip-release patch --dry-run
+# Should warn if product update doc not modified since last release
+```
+
+## 1.9.49 (2026-03-20)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.49
+
+**TECHNICAL.md audit: 2 weeks of undocumented features now documented.**
+
+## What changed
+
+Full TECHNICAL.md audit covering v1.9.15 through v1.9.48. Two passes. Key additions:
+
+- **wip-release quality gates:** Technical docs gate, interface coverage gate, product docs auto-sync, all skip flags documented.
+- **deploy-public.sh:** Full 8-step pipeline including GitHub Packages publishing, repo URL rewrite, co-author sync.
+- **wip-license-guard:** Now documented as both CLI and Claude Code PreToolUse hook (guard.mjs). Enforcement details.
+- **wip-branch-guard:** Worktree requirement on branches, non-repo file passthrough, workflow teaching messages.
+- **wip-repos claude:** Cross-repo CLAUDE.md ecosystem generator fully documented.
+- **Source code table:** Missing files added (guard.mjs, claude.mjs, mcp-server.mjs).
+- **Log paths:** Fixed stale /tmp/ references to ~/.ldm/logs/.
+
+## Why
+
+15 releases shipped without TECHNICAL.md updates. Agents reading the docs were missing critical features: release gates, license enforcement hooks, deploy pipeline details.
+
+## Issues closed
+
+- #218
+
+## How to verify
+
+```bash
+grep "Interface coverage" TECHNICAL.md    # new gate
+grep "guard.mjs" TECHNICAL.md             # license-guard hook
+grep "GitHub Packages" TECHNICAL.md       # deploy pipeline
+```
 
 ## 1.9.48 (2026-03-20)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.48"
+  version: "1.9.50"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/TECHNICAL.md

@@ -88,26 +88,43 @@ open -W ~/Applications/LDMDevTools.app --args visibility-audit
 
 ```bash
 # Daily backup at midnight, branch protection audit at 1 AM, visibility audit at 2 AM
-0 0 * * * open -W ~/Applications/LDMDevTools.app --args backup >> /tmp/ldm-dev-tools/cron.log 2>&1
-0 1 * * * open -W ~/Applications/LDMDevTools.app --args branch-protect >> /tmp/ldm-dev-tools/cron.log 2>&1
-0 2 * * * open -W ~/Applications/LDMDevTools.app --args visibility-audit >> /tmp/ldm-dev-tools/cron.log 2>&1
+0 0 * * * open -W ~/Applications/LDMDevTools.app --args backup >> ~/.ldm/logs/cron.log 2>&1
+0 1 * * * open -W ~/Applications/LDMDevTools.app --args branch-protect >> ~/.ldm/logs/cron.log 2>&1
+0 2 * * * open -W ~/Applications/LDMDevTools.app --args visibility-audit >> ~/.ldm/logs/cron.log 2>&1
 ```
 
-Logs: `/tmp/ldm-dev-tools/`
+Logs: `~/.ldm/logs/`
 
 ### wip-release
 
-One-command release pipeline. Version bump, changelog, SKILL.md sync, npm publish, GitHub release. All in one shot. Release notes live on the branch so you review them in the PR before they go live.
+One-command release pipeline. Version bump, changelog, SKILL.md sync, npm publish, GitHub release, website skill publish. All in one shot.
 
 ```bash
-wip-release patch --notes="description of what was built and why"
-wip-release minor                               # auto-detects RELEASE-NOTES-v{version}.md
-wip-release major --dry-run
+wip-release patch                               # auto-detects RELEASE-NOTES-v{version}.md
+wip-release minor --dry-run
+wip-release major
 ```
 
-**Release notes convention:** Write `RELEASE-NOTES-v{version}.md` (e.g. `RELEASE-NOTES-v1-6-0.md`) on your feature branch. It shows up in the PR diff for review. On release, wip-release auto-detects the file and uses it as the GitHub release body. One file, renamed each release. Warns when notes are missing, too short, or look like changelog entries instead of narrative.
+**Release notes are mandatory.** Write `RELEASE-NOTES-v{version}.md` (dashes, not dots) on your feature branch. Commit it with the code. The PR diff shows both code and notes for review. On release, wip-release auto-detects the file.
 
-**Source:** Pure JavaScript, no build step. [`tools/wip-release/cli.js`](tools/wip-release/cli.js) (entry point), [`tools/wip-release/core.mjs`](tools/wip-release/core.mjs) (main logic). Zero dependencies.
+**Quality gates (all run before release):**
+- **Release notes:** Must come from a file (--notes flag removed). Three sources: RELEASE-NOTES file, ai/dev-updates/, or --notes-file. Blocks changelog-format entries ("fix: ...", "add: ..."). Must reference at least one GitHub issue (#XX).
+- **Product docs:** Warns if roadmap, readme-first, or dev-updates are stale. Auto-updates version/date in `ai/product/plans-prds/roadmap.md` and `ai/product/readme-first-product.md` before commit.
+- **Technical docs:** When source files (.mjs, .js, .ts) changed since last tag, checks that SKILL.md or TECHNICAL.md was also updated. Warns on patch, blocks on minor/major. Skip: `--skip-tech-docs-check`.
+- **Interface coverage (toolbox repos):** Scans `tools/*/` for actual interfaces (CLI, Module, MCP, OC Plugin, Skill, CC Hook). Compares against README.md and SKILL.md coverage table. Reports: missing from table, detected but not marked, marked but not detected. Warns on patch, blocks on minor/major. Skip: `--skip-coverage-check`.
+- **Stale branches:** Warns (patch) or blocks (minor/major) if merged branches exist on remote.
+- **Worktree guard:** Blocks releases from linked worktrees. Must run from main working tree. Skip: `--skip-worktree-check`.
+- **Dogfood cooldown:** Writes `.last-release` marker. Branch guard blocks `npm install -g` for 5 minutes.
+
+**Post-release automation:**
+- Post-merge branch rename (--merged-YYYY-MM-DD)
+- Stale worktree prune from `_worktrees/`
+- Skill publish to wip.computer/install/{name}.txt
+- Product docs version sync
+
+**All 7 CLIs support `--version` and `-v`.**
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-release/cli.js`](tools/wip-release/cli.js) (entry point), [`tools/wip-release/core.mjs`](tools/wip-release/core.mjs) (main logic), [`tools/wip-release/mcp-server.mjs`](tools/wip-release/mcp-server.mjs) (MCP server). Zero dependencies.
 
 [README](tools/wip-release/README.md) ... [SKILL.md](tools/wip-release/SKILL.md) ... [Reference](tools/wip-release/REFERENCE.md)
 
@@ -179,14 +196,24 @@ wip-file-guard --list
 
 ### deploy-public.sh
 
-Private-to-public repo sync. Copies everything except `ai/` from your working repo to the public mirror. Creates a PR, merges it. One script for all repos.
+Private-to-public repo sync. The full pipeline:
 
-**Source:** Plain shell. [`scripts/deploy-public.sh`](scripts/deploy-public.sh)
+1. Rsyncs all files except `ai/` from private to public repo clone
+2. Rewrites repository URL from private to public in package.json
+3. Creates a branch, commits with co-authors, pushes, creates PR
+4. Merges PR (--merge, never squash)
+5. Creates matching GitHub release on public repo (pulls notes from private repo's release)
+6. Publishes to npm from public repo clone
+7. Publishes to GitHub Packages from public repo clone (uses `gh auth token`)
+8. Cleans stale branches on public repo
 
 ```bash
 bash scripts/deploy-public.sh /path/to/private-repo wipcomputer/public-repo
+bash scripts/deploy-public.sh /path/to/private-repo wipcomputer/public-repo --dry-run
 ```
 
+**Source:** Plain shell. [`scripts/deploy-public.sh`](scripts/deploy-public.sh) and [`tools/deploy-public/deploy-public.sh`](tools/deploy-public/deploy-public.sh)
+
 ### wip-repos
 
 Repo manifest reconciler. Makes `repos-manifest.json` the single source of truth for repo organization. Like prettier for folder structure. Move folders around all day; on sync, everything snaps back to where the manifest says. Also generates cross-repo CLAUDE.md ecosystem sections.
@@ -270,13 +297,24 @@ wip-license-guard init --from-standard   # apply WIP Computer defaults
 wip-license-guard readme-license         # audit/fix license blocks across all repos
 ```
 
-**Source:** Pure JavaScript, no build step. [`tools/wip-license-guard/cli.mjs`](tools/wip-license-guard/cli.mjs) (CLI), [`tools/wip-license-guard/core.mjs`](tools/wip-license-guard/core.mjs) (logic). Zero dependencies.
+**Claude Code Hook:** Also wired as a PreToolUse hook (`guard.mjs`). On `ldm install`, registers in `~/.claude/settings.json`. Blocks `git commit` and `git push` when license compliance fails. Only checks repos with `.license-guard.json`. Repos without config silently pass.
+
+**Source:** Pure JavaScript, no build step. [`tools/wip-license-guard/cli.mjs`](tools/wip-license-guard/cli.mjs) (CLI), [`tools/wip-license-guard/core.mjs`](tools/wip-license-guard/core.mjs) (logic), [`tools/wip-license-guard/guard.mjs`](tools/wip-license-guard/guard.mjs) (CC hook). Zero dependencies.
 
 [README](tools/wip-license-guard/README.md) ... [SKILL.md](tools/wip-license-guard/SKILL.md)
 
 ### wip-branch-guard
 
-Blocks all writes on main branch. The enforcement layer for forced worktrees. PreToolUse hook that catches Write, Edit, and destructive Bash commands. Resolves the repo from the file path, not the CWD, so it works when Claude Code opens in a different directory.
+Blocks all writes on main branch. The enforcement layer for required worktrees. PreToolUse hook that catches Write, Edit, and destructive Bash commands. Resolves the repo from the file path, not the CWD. If a file is outside any git repo (e.g. `~/.claude/plans/`), the guard allows edits immediately. Only protects files within git repos.
+
+**Features:**
+- **Workflow teaching:** Error messages include the full 8-step dev process (worktree, branch, commit, push, PR, merge, wip-release, deploy-public). Agents learn the workflow from the error, not just that they're blocked.
+- **Worktree path warning:** Warns when `git worktree add` creates outside `_worktrees/`. Suggests `ldm worktree add`.
+- **Dogfood cooldown:** After `wip-release`, blocks `npm install -g` for 5 minutes. Forces dogfooding via the install prompt.
+- **Worktree requirement on branches:** On any non-main branch, edits blocked if not inside a worktree. Separate error message directs agents to create a worktree properly.
+- **Dangerous flag blocking:** `--no-verify` and `git push --force` blocked on any branch.
+- **Shared state allowlist:** CLAUDE.md, SHARED-CONTEXT.md, daily logs, `~/.ldm/logs/` always writable on main.
+- **Non-repo passthrough:** Files outside any git repo allowed immediately.
 
 ```bash
 wip-branch-guard --check       # report current branch status
@@ -284,8 +322,6 @@ wip-branch-guard --check       # report current branch status
 
 **Source:** Pure JavaScript, no build step. [`tools/wip-branch-guard/guard.mjs`](tools/wip-branch-guard/guard.mjs). Zero dependencies.
 
-[INSTALL.md](tools/wip-branch-guard/INSTALL.md)
-
 ## Source Code
 
 All implementation source is committed in this repo. No closed binaries, no mystery boxes.
@@ -296,14 +332,14 @@ All implementation source is committed in this repo. No closed binaries, no myst
 | LDM Dev Tools jobs | Shell | `tools/ldm-jobs/backup.sh`, `branch-protect.sh`, `visibility-audit.sh` | None. Runnable standalone or via `.app` wrapper. |
 | wip-release | JavaScript (ESM) | `tools/wip-release/cli.js`, `core.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
 | wip-license-hook | TypeScript | `tools/wip-license-hook/src/**/*.ts`, `mcp-server.mjs` | `cd tools/wip-license-hook && npm install && npm run build` |
-| wip-license-guard | JavaScript (ESM) | `tools/wip-license-guard/cli.mjs`, `core.mjs` | None. What you see is what runs. |
+| wip-license-guard | JavaScript (ESM) | `tools/wip-license-guard/cli.mjs`, `core.mjs`, `guard.mjs` | None. What you see is what runs. |
 | wip-repo-permissions-hook | JavaScript (ESM) | `tools/wip-repo-permissions-hook/core.mjs`, `cli.js`, `guard.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
 | post-merge-rename.sh | Shell | `scripts/post-merge-rename.sh` | None. |
 | wip-file-guard | JavaScript (ESM) | `tools/wip-file-guard/guard.mjs` | None. What you see is what runs. |
 | wip-branch-guard | JavaScript (ESM) | `tools/wip-branch-guard/guard.mjs` | None. What you see is what runs. |
 | wip-universal-installer | JavaScript (ESM) | `tools/wip-universal-installer/detect.mjs`, `install.js` | None. What you see is what runs. |
 | deploy-public.sh | Shell | `scripts/deploy-public.sh` | None. |
-| wip-repos | JavaScript (ESM) | `tools/wip-repos/core.mjs`, `cli.mjs`, `mcp-server.mjs` | None. What you see is what runs. |
+| wip-repos | JavaScript (ESM) | `tools/wip-repos/core.mjs`, `cli.mjs`, `mcp-server.mjs`, `claude.mjs` | None. What you see is what runs. |
 | wip-repo-init | JavaScript (ESM) | `tools/wip-repo-init/init.mjs` | None. What you see is what runs. |
 | wip-readme-format | JavaScript (ESM) | `tools/wip-readme-format/format.mjs` | None. What you see is what runs. |
 

package/_trash/RELEASE-NOTES-v1-9-49.md

@@ -0,0 +1,31 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.49
+
+**TECHNICAL.md audit: 2 weeks of undocumented features now documented.**
+
+## What changed
+
+Full TECHNICAL.md audit covering v1.9.15 through v1.9.48. Two passes. Key additions:
+
+- **wip-release quality gates:** Technical docs gate, interface coverage gate, product docs auto-sync, all skip flags documented.
+- **deploy-public.sh:** Full 8-step pipeline including GitHub Packages publishing, repo URL rewrite, co-author sync.
+- **wip-license-guard:** Now documented as both CLI and Claude Code PreToolUse hook (guard.mjs). Enforcement details.
+- **wip-branch-guard:** Worktree requirement on branches, non-repo file passthrough, workflow teaching messages.
+- **wip-repos claude:** Cross-repo CLAUDE.md ecosystem generator fully documented.
+- **Source code table:** Missing files added (guard.mjs, claude.mjs, mcp-server.mjs).
+- **Log paths:** Fixed stale /tmp/ references to ~/.ldm/logs/.
+
+## Why
+
+15 releases shipped without TECHNICAL.md updates. Agents reading the docs were missing critical features: release gates, license enforcement hooks, deploy pipeline details.
+
+## Issues closed
+
+- #218
+
+## How to verify
+
+```bash
+grep "Interface coverage" TECHNICAL.md    # new gate
+grep "guard.mjs" TECHNICAL.md             # license-guard hook
+grep "GitHub Packages" TECHNICAL.md       # deploy pipeline
+```

package/_trash/RELEASE-NOTES-v1-9-50.md

@@ -0,0 +1,24 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.50
+
+**wip-release: require product update doc on every release.**
+
+## What changed
+
+New quality gate in wip-release: checks that `ai/dev-updates/product-update/*-product-update.md` was modified since the last release tag. Same pattern as dev-updates, roadmap, and readme-first checks.
+
+The product update doc is a human-readable test guide. Each release entry has: what changed, how it's supposed to work, and how to test. New entries go at the top. Additive only.
+
+## Why
+
+Three repos now have product update docs but nothing enforced keeping them current. Without the gate, the docs will drift immediately (same problem we had with TECHNICAL.md).
+
+## Issues closed
+
+- #220
+
+## How to verify
+
+```bash
+wip-release patch --dry-run
+# Should warn if product update doc not modified since last release
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -388,6 +388,20 @@ function checkProductDocs(repoPath) {
     }
   }
 
+  // 4. Product update doc: modified since last tag
+  const productUpdateDir = join(aiDir, 'dev-updates', 'product-update');
+  if (existsSync(productUpdateDir)) {
+    const puFiles = readdirSync(productUpdateDir).filter(f => f.endsWith('.md'));
+    if (puFiles.length > 0) {
+      const anyModified = puFiles.some(f =>
+        fileModifiedSinceLastTag(repoPath, `ai/dev-updates/product-update/${f}`)
+      );
+      if (!anyModified) {
+        missing.push('ai/dev-updates/product-update/ (product update doc not updated since last release)');
+      }
+    }
+  }
+
   return { missing, ok: missing.length === 0, skipped: false };
 }
 

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.48",
+  "version": "1.9.50",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",