@wipcomputer/wip-ai-devops-toolbox 1.9.51 → 1.9.52

package/.publish-skill.json

@@ -1,4 +1,4 @@
 {
   "name": "wip-ai-devops-toolbox",
-  "websiteRepo": "/Users/lesa/Documents/wipcomputer--mac-mini-01/staff/Parker/Claude Code - Mini/repos/wip-web/wip-websites-private"
+  "websiteRepo": "/Users/lesa/wipcomputerinc/repos/wip-web/wip-websites-private"
 }

package/CHANGELOG.md

@@ -31,6 +31,34 @@
 
 
 
+
+## 1.9.52 (2026-03-27)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.52
+
+**Fix branch guard false-blocking bash commands targeting worktree paths**
+
+## What changed
+
+- Branch guard now extracts absolute paths from any bash command (mkdir, cp, mv, touch, etc.) and resolves the git branch from the target path's repo, not the CWD
+- `findRepoRoot()` improved to walk up to existing directories for paths that don't exist yet (handles mkdir for new directories)
+- Added `.ldm/worktrees` to allowed worktree locations alongside `_worktrees/` and `.claude/worktrees`
+
+## Why
+
+When Claude Code launches from `~/wipcomputerinc/` (on main) and runs bash commands targeting files inside a worktree (e.g., `mkdir -p /path/to/_worktrees/repo--branch/new-dir/`), the guard only knew how to extract paths from `cd` and `git -C` patterns. Any other command fell back to CWD resolution, saw "main", and blocked incorrectly. This caused minutes of wasted time every session.
+
+## Issues closed
+
+- wipcomputer/wip-ldm-os#187
+
+## How to verify
+
+```bash
+# From CWD on main, this should no longer be blocked:
+# mkdir -p /path/to/_worktrees/repo--branch/new-directory/
+# cp file.txt /path/to/_worktrees/repo--branch/
+```
 
 ## 1.9.51 (2026-03-24)
 

package/DEV-GUIDE-GENERAL-PUBLIC.md

@@ -1,6 +1,6 @@
 # Dev Guide ... Best Practices for AI-Assisted Development
 
-**WIP team members: also read [the private Dev Guide](ai/DEV-GUIDE-FOR-WIP-ONLY-PRIVATE.md).** It covers WIP-specific conventions (branch prefixes, agent IDs, deploy paths, incidents) that supplement everything below. Neither guide is complete without the other.
+**WIP team members: also read the private Dev Guide at `~/wipcomputerinc/settings/templates/dev-guide-private.md`.** It covers WIP-specific conventions (branch prefixes, agent IDs, deploy paths, incidents) that supplement everything below. Neither guide is complete without the other.
 
 ## Repo Structure Convention
 
@@ -648,6 +648,47 @@ Product docs drift fast. If roadmap updates only happen "when someone remembers,
 
 Release notes are the public face of the project. They must be comprehensive. One-liners like "Release v0.6.0" are unacceptable. Every feature, every change, documented section by section. This applies to both private and public GitHub releases.
 
+## Feature Planning: 5 Mandatory Questions
+
+Before implementing any feature that changes how the system works (installer, config, deploy, architecture), answer these 5 questions in your plan or PR description. Not optional. Not "consider this." Answer all five or the plan is incomplete.
+
+1. **What source files change?** (in the repo)
+2. **What does `ldm install` deploy?** (templates, rules, docs, boot config, CLAUDE.md, skills)
+3. **What needs to update for fresh install vs existing install?**
+4. **What docs need updating?** (repo docs, settings/docs, website)
+5. **What are ALL the files the installer touches on deploy?**
+
+If you can't answer #5, you don't understand the change well enough to ship it.
+
+## Doc Update Dependencies
+
+When you change a file on the left, you MUST also update the files on the right. This is not optional.
+
+| If you change | You must also update |
+|--------------|---------------------|
+| `SKILL.md` | `references/`, `settings/docs/how-install-works.md`, wip.computer/install/ (auto via wip-release) |
+| `lib/deploy.mjs` | `settings/docs/how-install-works.md`, `docs/universal-installer/SPEC.md`, `docs/universal-installer/TECHNICAL.md` |
+| `catalog.json` | `settings/docs/what-is-ldm-os.md`, `README.md`, `docs/skills/README.md` |
+| `bin/ldm.js` (init) | `settings/docs/how-install-works.md`, `settings/docs/system-directories.md` |
+| `shared/rules/*` | `settings/docs/how-rules-and-commands-work.md` |
+| `shared/boot/*` | `settings/docs/how-agents-work.md` |
+| `lib/detect.mjs` | `docs/universal-installer/SPEC.md`, `settings/docs/how-install-works.md` |
+| Backup scripts | `settings/docs/how-backup-works.md` |
+| Agent identity files | `settings/docs/how-agents-work.md` |
+| Any repo `README.md` | Public repo README (via deploy-public.sh) |
+
+Machine-readable version: `~/wipcomputerinc/settings/docs/change-dependencies.json`
+
+### Three doc layers
+
+Every change flows through three layers:
+
+1. **Repo docs** (generic, source of truth): README.md, TECHNICAL.md, SPEC.md per repo. Written for anyone.
+2. **Settings docs** (personalized, deployed by ldm install): `~/wipcomputerinc/settings/docs/`. Written for YOUR system. Personalized from config.json.
+3. **Website docs** (public): wip.computer. SKILL.md auto-deployed by wip-release. Other docs via Mintlify or deploy script.
+
+If repo docs change but settings docs don't update, the user's local docs drift. If settings docs change but the website doesn't, the public docs drift. All three layers must stay in sync.
+
 ## Repo Directory Structure
 
 ### The Standard Layout

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.51"
+  version: "1.9.52"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/_trash/RELEASE-NOTES-v1-9-52.md

@@ -0,0 +1,25 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.52
+
+**Fix branch guard false-blocking bash commands targeting worktree paths**
+
+## What changed
+
+- Branch guard now extracts absolute paths from any bash command (mkdir, cp, mv, touch, etc.) and resolves the git branch from the target path's repo, not the CWD
+- `findRepoRoot()` improved to walk up to existing directories for paths that don't exist yet (handles mkdir for new directories)
+- Added `.ldm/worktrees` to allowed worktree locations alongside `_worktrees/` and `.claude/worktrees`
+
+## Why
+
+When Claude Code launches from `~/wipcomputerinc/` (on main) and runs bash commands targeting files inside a worktree (e.g., `mkdir -p /path/to/_worktrees/repo--branch/new-dir/`), the guard only knew how to extract paths from `cd` and `git -C` patterns. Any other command fell back to CWD resolution, saw "main", and blocked incorrectly. This caused minutes of wasted time every session.
+
+## Issues closed
+
+- wipcomputer/wip-ldm-os#187
+
+## How to verify
+
+```bash
+# From CWD on main, this should no longer be blocked:
+# mkdir -p /path/to/_worktrees/repo--branch/new-directory/
+# cp file.txt /path/to/_worktrees/repo--branch/
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/guard.mjs

@@ -135,6 +135,17 @@ function findRepoRoot(filePath) {
       dir = dirname(dir); // File might not exist yet
     }
 
+    // Walk up until we find an existing directory (handles mkdir for new paths)
+    while (dir && dir !== '/') {
+      try {
+        const s = statSync(dir);
+        if (s.isDirectory()) break;
+        dir = dirname(dir);
+      } catch {
+        dir = dirname(dir);
+      }
+    }
+
     // Use git rev-parse from the directory
     const result = execSync('git rev-parse --show-toplevel 2>/dev/null', {
       cwd: dir,
@@ -146,6 +157,18 @@ function findRepoRoot(filePath) {
   return null;
 }
 
+function extractPathsFromCommand(command) {
+  // Extract absolute paths from a bash command
+  // Matches paths like /Users/foo/bar, /tmp/something, etc.
+  const paths = [];
+  const regex = /(\/(?:Users|home|tmp|var|opt|etc|private)[^\s"'|;&>)]+)/g;
+  let match;
+  while ((match = regex.exec(command)) !== null) {
+    paths.push(match[1]);
+  }
+  return paths;
+}
+
 function getCurrentBranch(cwd) {
   try {
     return execSync('git branch --show-current 2>/dev/null', {
@@ -230,7 +253,7 @@ async function main() {
     const wtMatch = cmd.match(/\bgit\s+worktree\s+add\s+["']?([^\s"']+)/);
     if (wtMatch) {
       const wtPath = wtMatch[1];
-      if (!wtPath.includes('_worktrees') && !wtPath.includes('.claude/worktrees')) {
+      if (!wtPath.includes('_worktrees') && !wtPath.includes('.claude/worktrees') && !wtPath.includes('.ldm/worktrees')) {
         deny(`WARNING: Creating worktree outside _worktrees/. Use: ldm worktree add <branch>
 
 The convention is _worktrees/<repo>--<branch>/ so worktrees don't mix with real repos.
@@ -274,6 +297,17 @@ This is a warning, not a block. If you need to create it here, retry.`);
     if (!repoDir && gitCMatch) {
       repoDir = findRepoRoot(gitCMatch[1].trim());
     }
+    // Extract absolute paths from the command itself (handles mkdir, cp, mv, etc.)
+    if (!repoDir) {
+      const paths = extractPathsFromCommand(command);
+      for (const p of paths) {
+        const resolved = findRepoRoot(p);
+        if (resolved) {
+          repoDir = resolved;
+          break;
+        }
+      }
+    }
   }
 
   // Fall back to CWD

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -155,8 +155,10 @@ function gitCommitAndTag(repoPath, newVersion, notes) {
       execFileSync('git', ['add', f], { cwd: repoPath, stdio: 'pipe' });
     }
   }
-  // Use execFileSync to avoid shell injection via notes
-  execFileSync('git', ['commit', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
+  // Use execFileSync to avoid shell injection via notes.
+  // --no-verify: wip-release legitimately commits on main (version bump + changelog).
+  // The pre-commit hook blocks all commits on main, but wip-release is the one exception.
+  execFileSync('git', ['commit', '--no-verify', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
   execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
 }
 
@@ -261,6 +263,24 @@ function checkReleaseNotes(notes, notesSource, level) {
     issues.push('Notes look like a changelog entry, not a narrative. Explain the impact.');
   }
 
+  // Narrative quality: must have at least one paragraph (not just bullets/headers)
+  // A paragraph is 2+ consecutive lines of prose (not starting with -, *, #, |, or ```)
+  const lines = notes.split('\n').filter(l => l.trim().length > 0);
+  const proseLines = lines.filter(l => {
+    const t = l.trim();
+    return !t.startsWith('#') && !t.startsWith('-') && !t.startsWith('*') &&
+           !t.startsWith('|') && !t.startsWith('```') && !t.startsWith('>') &&
+           t.length > 30;
+  });
+  if (proseLines.length < 2) {
+    issues.push('Release notes need narrative, not just bullets. Write at least one paragraph explaining what changed and why it matters. Tell the story.');
+  }
+
+  // Must be substantial (not just a header + bullets)
+  if (notes.length < 200) {
+    issues.push('Release notes are too short (under 200 chars). Every release deserves a story: what was broken or missing, what we built, why the user should care.');
+  }
+
   // Release notes should reference at least one issue
   const hasIssueRef = /#\d+/.test(notes);
   if (!hasIssueRef) {
@@ -299,16 +319,14 @@ export function scaffoldReleaseNotes(repoPath, version) {
 
 **One-line summary of what this release does**
 
-## What changed
-
-Describe the changes. Not a commit list. Explain:
-- What was built or fixed
-- Why it matters
-- What the user should know
+Tell the story. What was broken or missing? What did we build? Why does the user care?
+Write at least one real paragraph of prose. Not just bullets. The release notes gate
+will block if there is no narrative. Bullets are fine for details, but the story comes first.
 
-## Why
+## The story
 
-What problem does this solve? What was broken or missing?
+(Write a paragraph here. What was the problem? What does this release fix? Why does it matter?
+This is what users read. Make it worth reading.)
 
 ## Issues closed
 

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.51",
+  "version": "1.9.52",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",

package/tools/wip-repo-init/templates/product/plans-prds/todos/README 2.md

@@ -1,63 +0,0 @@
-# todos/
-
-One todo file per person or agent. Three sections per file: To Do, Done, Deprecated.
-
-## What This Folder Is
-
-Todos that are specific to this repo. Each person or agent who works on this repo gets one file. The file tracks what they need to do, what they've done, and what got dropped.
-
-For cross-repo work or bigger items, use GitHub Issues. Todos here are for repo-scoped tasks that don't need the overhead of an issue.
-
-## Files
-
-One file per person/agent. Name it `[Name]-todo.md`.
-
-Example:
-
-| File | Who |
-|------|-----|
-| `Parker-todo.md` | Parker (human tasks: reviews, credentials, approvals) |
-| `CC-Mini-todo.md` | Claude Code on Mac Mini (code, builds, deploys) |
-
-Create the file when that person/agent first has work to do. No empty placeholder files.
-
-## File Format
-
-```markdown
-# [Name] Todos
-
-**Last updated:** YYYY-MM-DD
-
-## To Do
-
-- [ ] Task description
-- [ ] Task description (blocked by: reason)
-
-## Done
-
-- [x] Task description (YYYY-MM-DD)
-- [x] Task description (YYYY-MM-DD)
-
-## Deprecated
-
-- ~~Task description~~ ... reason. (YYYY-MM-DD)
-```
-
-## Rules
-
-- **Never delete anything.** Items move between sections, never off the page.
-- **To Do** ... work that needs to happen.
-- **Done** ... completed work. Check the box, add the date.
-- **Deprecated** ... planned but no longer needed. Strikethrough, add the reason and date. Not the same as Done. Done means it shipped. Deprecated means the requirement changed.
-- **Update the date** at the top of the file every time you edit it.
-- **One file per person/agent.** No dated files, no subfolders, no inboxes.
-- **Blocked items** stay in To Do with a `(blocked by: reason)` note. Don't move them to a separate section.
-
-## When to Use Todos vs GitHub Issues
-
-| Use | When |
-|-----|------|
-| **Todo file** | Quick tasks, repo-scoped work, things you'll do this session or this week |
-| **GitHub Issue** | Bugs, feature requests, cross-repo work, things that need tracking or discussion |
-
-Both is fine. File an issue AND add a todo that references it. The todo is your personal checklist. The issue is the team's record.