@wipcomputer/wip-ai-devops-toolbox 1.9.50 → 1.9.52

package/.publish-skill.json

@@ -1,4 +1,4 @@
 {
   "name": "wip-ai-devops-toolbox",
-  "websiteRepo": "/Users/lesa/Documents/wipcomputer--mac-mini-01/staff/Parker/Claude Code - Mini/repos/wip-web/wip-websites-private"
+  "websiteRepo": "/Users/lesa/wipcomputerinc/repos/wip-web/wip-websites-private"
 }

package/CHANGELOG.md

@@ -31,6 +31,48 @@
 
 
 
+
+## 1.9.52 (2026-03-27)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.52
+
+**Fix branch guard false-blocking bash commands targeting worktree paths**
+
+## What changed
+
+- Branch guard now extracts absolute paths from any bash command (mkdir, cp, mv, touch, etc.) and resolves the git branch from the target path's repo, not the CWD
+- `findRepoRoot()` improved to walk up to existing directories for paths that don't exist yet (handles mkdir for new directories)
+- Added `.ldm/worktrees` to allowed worktree locations alongside `_worktrees/` and `.claude/worktrees`
+
+## Why
+
+When Claude Code launches from `~/wipcomputerinc/` (on main) and runs bash commands targeting files inside a worktree (e.g., `mkdir -p /path/to/_worktrees/repo--branch/new-dir/`), the guard only knew how to extract paths from `cd` and `git -C` patterns. Any other command fell back to CWD resolution, saw "main", and blocked incorrectly. This caused minutes of wasted time every session.
+
+## Issues closed
+
+- wipcomputer/wip-ldm-os#187
+
+## How to verify
+
+```bash
+# From CWD on main, this should no longer be blocked:
+# mkdir -p /path/to/_worktrees/repo--branch/new-directory/
+# cp file.txt /path/to/_worktrees/repo--branch/
+```
+
+## 1.9.51 (2026-03-24)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.51
+
+## Branch Guard: Workspace Files Allowlist (#185)
+
+Added TOOLS.md, MEMORY.md, IDENTITY.md, SOUL.md, WHERE-TO-WRITE.md, HEARTBEAT.md to the shared state allowlist. Both agents can now write to workspace files on main without being blocked.
+
+Previously only SHARED-CONTEXT.md was allowed. This broke Lesa's ability to edit her own workspace files during the migration to ~/wipcomputerinc/.
+
+## TECHNICAL.md: Backup Documentation
+
+Updated LDM Dev Tools.app backup section to reflect the unified backup system. backup.sh now calls `~/.ldm/bin/ldm-backup.sh` (deployed by ldm install from wip-ldm-os-private/scripts/).
 
 ## 1.9.50 (2026-03-20)
 

package/DEV-GUIDE-GENERAL-PUBLIC.md

@@ -1,6 +1,6 @@
 # Dev Guide ... Best Practices for AI-Assisted Development
 
-**WIP team members: also read [the private Dev Guide](ai/DEV-GUIDE-FOR-WIP-ONLY-PRIVATE.md).** It covers WIP-specific conventions (branch prefixes, agent IDs, deploy paths, incidents) that supplement everything below. Neither guide is complete without the other.
+**WIP team members: also read the private Dev Guide at `~/wipcomputerinc/settings/templates/dev-guide-private.md`.** It covers WIP-specific conventions (branch prefixes, agent IDs, deploy paths, incidents) that supplement everything below. Neither guide is complete without the other.
 
 ## Repo Structure Convention
 
@@ -648,6 +648,47 @@ Product docs drift fast. If roadmap updates only happen "when someone remembers,
 
 Release notes are the public face of the project. They must be comprehensive. One-liners like "Release v0.6.0" are unacceptable. Every feature, every change, documented section by section. This applies to both private and public GitHub releases.
 
+## Feature Planning: 5 Mandatory Questions
+
+Before implementing any feature that changes how the system works (installer, config, deploy, architecture), answer these 5 questions in your plan or PR description. Not optional. Not "consider this." Answer all five or the plan is incomplete.
+
+1. **What source files change?** (in the repo)
+2. **What does `ldm install` deploy?** (templates, rules, docs, boot config, CLAUDE.md, skills)
+3. **What needs to update for fresh install vs existing install?**
+4. **What docs need updating?** (repo docs, settings/docs, website)
+5. **What are ALL the files the installer touches on deploy?**
+
+If you can't answer #5, you don't understand the change well enough to ship it.
+
+## Doc Update Dependencies
+
+When you change a file on the left, you MUST also update the files on the right. This is not optional.
+
+| If you change | You must also update |
+|--------------|---------------------|
+| `SKILL.md` | `references/`, `settings/docs/how-install-works.md`, wip.computer/install/ (auto via wip-release) |
+| `lib/deploy.mjs` | `settings/docs/how-install-works.md`, `docs/universal-installer/SPEC.md`, `docs/universal-installer/TECHNICAL.md` |
+| `catalog.json` | `settings/docs/what-is-ldm-os.md`, `README.md`, `docs/skills/README.md` |
+| `bin/ldm.js` (init) | `settings/docs/how-install-works.md`, `settings/docs/system-directories.md` |
+| `shared/rules/*` | `settings/docs/how-rules-and-commands-work.md` |
+| `shared/boot/*` | `settings/docs/how-agents-work.md` |
+| `lib/detect.mjs` | `docs/universal-installer/SPEC.md`, `settings/docs/how-install-works.md` |
+| Backup scripts | `settings/docs/how-backup-works.md` |
+| Agent identity files | `settings/docs/how-agents-work.md` |
+| Any repo `README.md` | Public repo README (via deploy-public.sh) |
+
+Machine-readable version: `~/wipcomputerinc/settings/docs/change-dependencies.json`
+
+### Three doc layers
+
+Every change flows through three layers:
+
+1. **Repo docs** (generic, source of truth): README.md, TECHNICAL.md, SPEC.md per repo. Written for anyone.
+2. **Settings docs** (personalized, deployed by ldm install): `~/wipcomputerinc/settings/docs/`. Written for YOUR system. Personalized from config.json.
+3. **Website docs** (public): wip.computer. SKILL.md auto-deployed by wip-release. Other docs via Mintlify or deploy script.
+
+If repo docs change but settings docs don't update, the user's local docs drift. If settings docs change but the website doesn't, the public docs drift. All three layers must stay in sync.
+
 ## Repo Directory Structure
 
 ### The Standard Layout

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.50"
+  version: "1.9.52"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/TECHNICAL.md

@@ -60,19 +60,19 @@ Best practices for AI-assisted development teams. Covers release process, repo s
 
 macOS automation wrapper. A native `.app` bundle that runs scheduled jobs (backup, branch protection audit, etc.) with Full Disk Access. One app to grant permissions to, one place to add new automation.
 
-**Source:** Job scripts are plain shell, committed at [`tools/ldm-jobs/`](tools/ldm-jobs/):
+**Source:** Job scripts are plain shell. The app provides a Full Disk Access wrapper.
 
-| Script | What it does |
-|--------|-------------|
-| [`backup.sh`](tools/ldm-jobs/backup.sh) | Daily backup |
-| [`branch-protect.sh`](tools/ldm-jobs/branch-protect.sh) | Audit and enforce branch protection across all org repos |
-| [`visibility-audit.sh`](tools/ldm-jobs/visibility-audit.sh) | Audit public repos for missing -private counterparts |
+| Script | What it does | Source |
+|--------|-------------|--------|
+| `backup.sh` | Calls `~/.ldm/bin/ldm-backup.sh` (unified backup) | wip-ldm-os-private/scripts/ |
+| [`branch-protect.sh`](tools/ldm-jobs/branch-protect.sh) | Audit and enforce branch protection across all org repos | tools/ldm-jobs/ |
+| [`visibility-audit.sh`](tools/ldm-jobs/visibility-audit.sh) | Audit public repos for missing -private counterparts | tools/ldm-jobs/ |
 
-Scripts can be run standalone without the `.app`. The app provides a Full Disk Access wrapper for scripts that need it.
+The backup script is deployed by `ldm install` to `~/.ldm/bin/`. It backs up ~/.ldm/, ~/.openclaw/, ~/.claude/, and the workspace. See `how-backup-works.md` in the workspace docs.
 
 ```bash
 # Run standalone
-bash tools/ldm-jobs/backup.sh
+~/.ldm/bin/ldm-backup.sh                # or --dry-run to preview
 bash tools/ldm-jobs/branch-protect.sh
 bash tools/ldm-jobs/visibility-audit.sh
 

package/_trash/RELEASE-NOTES-v1-9-51.md

@@ -0,0 +1,11 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.51
+
+## Branch Guard: Workspace Files Allowlist (#185)
+
+Added TOOLS.md, MEMORY.md, IDENTITY.md, SOUL.md, WHERE-TO-WRITE.md, HEARTBEAT.md to the shared state allowlist. Both agents can now write to workspace files on main without being blocked.
+
+Previously only SHARED-CONTEXT.md was allowed. This broke Lesa's ability to edit her own workspace files during the migration to ~/wipcomputerinc/.
+
+## TECHNICAL.md: Backup Documentation
+
+Updated LDM Dev Tools.app backup section to reflect the unified backup system. backup.sh now calls `~/.ldm/bin/ldm-backup.sh` (deployed by ldm install from wip-ldm-os-private/scripts/).

package/_trash/RELEASE-NOTES-v1-9-52.md

@@ -0,0 +1,25 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.52
+
+**Fix branch guard false-blocking bash commands targeting worktree paths**
+
+## What changed
+
+- Branch guard now extracts absolute paths from any bash command (mkdir, cp, mv, touch, etc.) and resolves the git branch from the target path's repo, not the CWD
+- `findRepoRoot()` improved to walk up to existing directories for paths that don't exist yet (handles mkdir for new directories)
+- Added `.ldm/worktrees` to allowed worktree locations alongside `_worktrees/` and `.claude/worktrees`
+
+## Why
+
+When Claude Code launches from `~/wipcomputerinc/` (on main) and runs bash commands targeting files inside a worktree (e.g., `mkdir -p /path/to/_worktrees/repo--branch/new-dir/`), the guard only knew how to extract paths from `cd` and `git -C` patterns. Any other command fell back to CWD resolution, saw "main", and blocked incorrectly. This caused minutes of wasted time every session.
+
+## Issues closed
+
+- wipcomputer/wip-ldm-os#187
+
+## How to verify
+
+```bash
+# From CWD on main, this should no longer be blocked:
+# mkdir -p /path/to/_worktrees/repo--branch/new-directory/
+# cp file.txt /path/to/_worktrees/repo--branch/
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/guard.mjs

@@ -135,6 +135,17 @@ function findRepoRoot(filePath) {
       dir = dirname(dir); // File might not exist yet
     }
 
+    // Walk up until we find an existing directory (handles mkdir for new paths)
+    while (dir && dir !== '/') {
+      try {
+        const s = statSync(dir);
+        if (s.isDirectory()) break;
+        dir = dirname(dir);
+      } catch {
+        dir = dirname(dir);
+      }
+    }
+
     // Use git rev-parse from the directory
     const result = execSync('git rev-parse --show-toplevel 2>/dev/null', {
       cwd: dir,
@@ -146,6 +157,18 @@ function findRepoRoot(filePath) {
   return null;
 }
 
+function extractPathsFromCommand(command) {
+  // Extract absolute paths from a bash command
+  // Matches paths like /Users/foo/bar, /tmp/something, etc.
+  const paths = [];
+  const regex = /(\/(?:Users|home|tmp|var|opt|etc|private)[^\s"'|;&>)]+)/g;
+  let match;
+  while ((match = regex.exec(command)) !== null) {
+    paths.push(match[1]);
+  }
+  return paths;
+}
+
 function getCurrentBranch(cwd) {
   try {
     return execSync('git branch --show-current 2>/dev/null', {
@@ -230,7 +253,7 @@ async function main() {
     const wtMatch = cmd.match(/\bgit\s+worktree\s+add\s+["']?([^\s"']+)/);
     if (wtMatch) {
       const wtPath = wtMatch[1];
-      if (!wtPath.includes('_worktrees') && !wtPath.includes('.claude/worktrees')) {
+      if (!wtPath.includes('_worktrees') && !wtPath.includes('.claude/worktrees') && !wtPath.includes('.ldm/worktrees')) {
         deny(`WARNING: Creating worktree outside _worktrees/. Use: ldm worktree add <branch>
 
 The convention is _worktrees/<repo>--<branch>/ so worktrees don't mix with real repos.
@@ -274,6 +297,17 @@ This is a warning, not a block. If you need to create it here, retry.`);
     if (!repoDir && gitCMatch) {
       repoDir = findRepoRoot(gitCMatch[1].trim());
     }
+    // Extract absolute paths from the command itself (handles mkdir, cp, mv, etc.)
+    if (!repoDir) {
+      const paths = extractPathsFromCommand(command);
+      for (const p of paths) {
+        const resolved = findRepoRoot(p);
+        if (resolved) {
+          repoDir = resolved;
+          break;
+        }
+      }
+    }
   }
 
   // Fall back to CWD
@@ -313,6 +347,12 @@ This is a warning, not a block. If you need to create it here, retry.`);
   const SHARED_STATE_PATTERNS = [
     /CLAUDE\.md$/,
     /workspace\/SHARED-CONTEXT\.md$/,
+    /workspace\/TOOLS\.md$/,
+    /workspace\/MEMORY\.md$/,
+    /workspace\/IDENTITY\.md$/,
+    /workspace\/SOUL\.md$/,
+    /workspace\/WHERE-TO-WRITE\.md$/,
+    /workspace\/HEARTBEAT\.md$/,
     /workspace\/memory\/.*\.md$/,
     /\.ldm\/agents\/.*\/memory\/daily\/.*\.md$/,
     /\.ldm\/memory\/shared-log\.jsonl$/,

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -155,8 +155,10 @@ function gitCommitAndTag(repoPath, newVersion, notes) {
       execFileSync('git', ['add', f], { cwd: repoPath, stdio: 'pipe' });
     }
   }
-  // Use execFileSync to avoid shell injection via notes
-  execFileSync('git', ['commit', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
+  // Use execFileSync to avoid shell injection via notes.
+  // --no-verify: wip-release legitimately commits on main (version bump + changelog).
+  // The pre-commit hook blocks all commits on main, but wip-release is the one exception.
+  execFileSync('git', ['commit', '--no-verify', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
   execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
 }
 
@@ -261,6 +263,24 @@ function checkReleaseNotes(notes, notesSource, level) {
     issues.push('Notes look like a changelog entry, not a narrative. Explain the impact.');
   }
 
+  // Narrative quality: must have at least one paragraph (not just bullets/headers)
+  // A paragraph is 2+ consecutive lines of prose (not starting with -, *, #, |, or ```)
+  const lines = notes.split('\n').filter(l => l.trim().length > 0);
+  const proseLines = lines.filter(l => {
+    const t = l.trim();
+    return !t.startsWith('#') && !t.startsWith('-') && !t.startsWith('*') &&
+           !t.startsWith('|') && !t.startsWith('```') && !t.startsWith('>') &&
+           t.length > 30;
+  });
+  if (proseLines.length < 2) {
+    issues.push('Release notes need narrative, not just bullets. Write at least one paragraph explaining what changed and why it matters. Tell the story.');
+  }
+
+  // Must be substantial (not just a header + bullets)
+  if (notes.length < 200) {
+    issues.push('Release notes are too short (under 200 chars). Every release deserves a story: what was broken or missing, what we built, why the user should care.');
+  }
+
   // Release notes should reference at least one issue
   const hasIssueRef = /#\d+/.test(notes);
   if (!hasIssueRef) {
@@ -299,16 +319,14 @@ export function scaffoldReleaseNotes(repoPath, version) {
 
 **One-line summary of what this release does**
 
-## What changed
-
-Describe the changes. Not a commit list. Explain:
-- What was built or fixed
-- Why it matters
-- What the user should know
+Tell the story. What was broken or missing? What did we build? Why does the user care?
+Write at least one real paragraph of prose. Not just bullets. The release notes gate
+will block if there is no narrative. Bullets are fine for details, but the story comes first.
 
-## Why
+## The story
 
-What problem does this solve? What was broken or missing?
+(Write a paragraph here. What was the problem? What does this release fix? Why does it matter?
+This is what users read. Make it worth reading.)
 
 ## Issues closed
 

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.50",
+  "version": "1.9.52",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",