@wipcomputer/wip-ai-devops-toolbox 1.9.57 → 1.9.59

package/.worktrees/toolbox--guard-plan/tools/wip-universal-installer/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@wipcomputer/universal-installer",
+  "version": "1.9.32",
+  "type": "module",
+  "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
+  "main": "detect.mjs",
+  "exports": {
+    ".": "./detect.mjs",
+    "./detect": "./detect.mjs"
+  },
+  "scripts": {
+    "test": "node install.js --help"
+  },
+  "keywords": [
+    "installer",
+    "agent-native",
+    "sensor",
+    "actuator",
+    "universal-interface",
+    "claude-code",
+    "openclaw",
+    "mcp",
+    "cli"
+  ],
+  "author": "Parker Todd Brooks",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/wipcomputer/wip-universal-installer.git"
+  },
+  "homepage": "https://github.com/wipcomputer/wip-universal-installer"
+}

package/CHANGELOG.md

@@ -31,6 +31,61 @@
 
 
 
+
+## 1.9.59 (2026-03-29)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.59
+
+**Fix three bugs in branch guard destructive command handling.**
+
+## The story
+
+v1.9.56 added destructive command blocking but introduced three bugs because the new code was written differently from the existing guard pattern. The existing guard checks allowed patterns before blocked patterns and works per-command. The new code skipped the allowed check and matched against the entire raw command string, causing false positives on quoted text (blocking `gh issue create` when the body mentioned git commands) and false negatives on compound commands (allowing `rm -f file ; echo done` because `echo` is in the allowed list).
+
+Fix: two helper functions that strip quoted content before matching and check each command segment independently. Same pattern as the existing guard code. Also adds `~/.claude/plans/` to the shared state allowlist so plan files are editable.
+
+## Issues closed
+
+- #232 (branch guard three bugs in v1.9.56)
+
+## How to verify
+
+```bash
+# These should now be ALLOWED (were false-positive blocked):
+# gh issue create --body "use git checkout -- to fix"
+# echo "don't run git commit on main"
+
+# These should now be DENIED (were false-negative allowed):
+# rm -f file ; echo done  (on main)
+
+# These should still be DENIED:
+# git checkout -- file.txt
+# python3 -c "open('f').write('x')"
+```
+
+## 1.9.58 (2026-03-29)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.58
+
+**Fix deploy-public.sh losing release notes when invoked with relative path.**
+
+## The story
+
+When deploy-public.sh was called with `.` as the private repo path (e.g. `bash scripts/deploy-public.sh . wipcomputer/repo`), the script later cd'd into a temp directory. After that, `cd "."` no longer pointed to the private repo, so `gh release view` failed silently and release notes fell back to the empty "Release vX.Y.Z" default. This has been broken since at least v1.9.51.
+
+Fix: resolve PRIVATE_REPO to an absolute path at startup before any cd happens.
+
+## Issues closed
+
+- #228 (continued from v1.9.57)
+
+## How to verify
+
+```bash
+# From a repo directory, run with "." and check public release has real notes:
+cd /path/to/private-repo
+bash scripts/deploy-public.sh . wipcomputer/public-repo --dry-run
+```
 
 ## 1.9.57 (2026-03-29)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.57"
+  version: "1.9.59"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/_trash/RELEASE-NOTES-v1-9-58.md

@@ -0,0 +1,21 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.58
+
+**Fix deploy-public.sh losing release notes when invoked with relative path.**
+
+## The story
+
+When deploy-public.sh was called with `.` as the private repo path (e.g. `bash scripts/deploy-public.sh . wipcomputer/repo`), the script later cd'd into a temp directory. After that, `cd "."` no longer pointed to the private repo, so `gh release view` failed silently and release notes fell back to the empty "Release vX.Y.Z" default. This has been broken since at least v1.9.51.
+
+Fix: resolve PRIVATE_REPO to an absolute path at startup before any cd happens.
+
+## Issues closed
+
+- #228 (continued from v1.9.57)
+
+## How to verify
+
+```bash
+# From a repo directory, run with "." and check public release has real notes:
+cd /path/to/private-repo
+bash scripts/deploy-public.sh . wipcomputer/public-repo --dry-run
+```

package/_trash/RELEASE-NOTES-v1-9-59.md

@@ -0,0 +1,28 @@
+# Release Notes: wip-ai-devops-toolbox v1.9.59
+
+**Fix three bugs in branch guard destructive command handling.**
+
+## The story
+
+v1.9.56 added destructive command blocking but introduced three bugs because the new code was written differently from the existing guard pattern. The existing guard checks allowed patterns before blocked patterns and works per-command. The new code skipped the allowed check and matched against the entire raw command string, causing false positives on quoted text (blocking `gh issue create` when the body mentioned git commands) and false negatives on compound commands (allowing `rm -f file ; echo done` because `echo` is in the allowed list).
+
+Fix: two helper functions that strip quoted content before matching and check each command segment independently. Same pattern as the existing guard code. Also adds `~/.claude/plans/` to the shared state allowlist so plan files are editable.
+
+## Issues closed
+
+- #232 (branch guard three bugs in v1.9.56)
+
+## How to verify
+
+```bash
+# These should now be ALLOWED (were false-positive blocked):
+# gh issue create --body "use git checkout -- to fix"
+# echo "don't run git commit on main"
+
+# These should now be DENIED (were false-negative allowed):
+# rm -f file ; echo done  (on main)
+
+# These should still be DENIED:
+# git checkout -- file.txt
+# python3 -c "open('f').write('x')"
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/scripts/deploy-public.sh

@@ -44,6 +44,9 @@ if [[ -z "$PRIVATE_REPO" || -z "$PUBLIC_REPO" ]]; then
   exit 1
 fi
 
+# Resolve to absolute path so later cd's don't break when cwd changes
+PRIVATE_REPO="$(cd "$PRIVATE_REPO" && pwd)"
+
 if [[ ! -d "$PRIVATE_REPO/.git" ]]; then
   echo "Error: $PRIVATE_REPO is not a git repository"
   exit 1

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/guard.mjs

@@ -32,20 +32,49 @@ const BLOCKED_GIT_PATTERNS = [
   /\bgit\s+restore\b/,
 ];
 
-// Destructive commands blocked on ANY branch, not just main.
+// Destructive git commands blocked on ANY branch, not just main.
 // These destroy work that may belong to other agents or the user.
+// Checked against STRIPPED command (quoted content removed) to avoid false positives (#232).
 const DESTRUCTIVE_PATTERNS = [
   /\bgit\s+clean\s+-[a-zA-Z]*f/,        // git clean -f, -fd, -fdx (deletes untracked files)
   /\bgit\s+checkout\s+--\s/,             // git checkout -- <path> (reverts files)
   /\bgit\s+checkout\s+\.\s*$/,           // git checkout . (reverts everything)
   /\bgit\s+stash\s+drop\b/,             // git stash drop (permanently deletes stashed work)
   /\bgit\s+stash\s+pop\b/,              // git stash pop (overwrites working tree, drops on success)
+  /\bgit\s+stash\s+clear\b/,            // git stash clear (drops all stashes)
   /\bgit\s+reset\s+--hard\b/,           // git reset --hard (nukes all uncommitted changes)
   /\bgit\s+restore\s+(?!--staged)/,     // git restore <path> (reverts files, but --staged is safe)
+];
+
+// Code execution bypass patterns. Checked against ORIGINAL command because
+// the attack IS inside quotes (e.g. python -c "open('f').write('x')").
+const DESTRUCTIVE_CODE_PATTERNS = [
   /\bpython3?\s+-c\s+.*\bopen\s*\(/,    // python -c "open().write()" bypass (#241)
   /\bnode\s+-e\s+.*\bfs\.\w*[Ww]rite/,  // node -e "fs.writeFile()" bypass
 ];
 
+// Strip quoted string contents to prevent regex matching inside data.
+// "gh issue create --body 'use git checkout -- to fix'" becomes
+// "gh issue create --body ''" so git checkout -- doesn't false-positive.
+function stripQuotedContent(cmd) {
+  return cmd.replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, '""');
+}
+
+// Check each segment of a compound command independently.
+// "rm -f file ; echo done" splits into ["rm -f file", "echo done"].
+// Each segment checked against blocked, then allowed. An allowed match
+// on one segment can't excuse a blocked match on a different segment (#232).
+function isBlockedCompoundCommand(cmd, blockedPatterns, allowedPatterns) {
+  const stripped = stripQuotedContent(cmd);
+  const segments = stripped.split(/\s*(?:&&|\|\||[;|])\s*/).filter(Boolean);
+  for (const segment of segments) {
+    if (blockedPatterns.some(p => p.test(segment))) {
+      if (!allowedPatterns.some(p => p.test(segment))) return true;
+    }
+  }
+  return false;
+}
+
 // Git commands that are ALLOWED on main (read-only or safe operations)
 const ALLOWED_GIT_PATTERNS = [
   /\bgit\s+merge\b/,
@@ -239,11 +268,13 @@ async function main() {
 
   // Block destructive commands on ANY branch.
   // These destroy work that may belong to other agents or the user.
-  // The agent should NEVER reach for these. If something is stuck, tell the user.
   if (toolName === BASH_TOOL) {
     const cmd = (toolInput.command || '');
+    const strippedCmd = stripQuotedContent(cmd);
+
+    // Git destructive patterns: check against stripped command (no quoted content)
     for (const pattern of DESTRUCTIVE_PATTERNS) {
-      if (pattern.test(cmd)) {
+      if (pattern.test(strippedCmd)) {
         deny(`BLOCKED: Destructive command detected.
 
 "${cmd.substring(0, 80)}" can permanently destroy uncommitted work (yours, the user's, or another agent's).
@@ -260,6 +291,17 @@ These commands have destroyed work belonging to the user and other agents multip
         process.exit(0);
       }
     }
+    // Code execution bypasses: check against original command (the attack IS inside quotes)
+    for (const pattern of DESTRUCTIVE_CODE_PATTERNS) {
+      if (pattern.test(cmd)) {
+        deny(`BLOCKED: Code execution bypass detected.
+
+"${cmd.substring(0, 80)}" writes files through a scripting language, bypassing git protections.
+
+Use the proper workflow: edit files in a worktree, commit, push, PR.`);
+        process.exit(0);
+      }
+    }
   }
 
   // Block dangerous flags on ANY branch (these bypass safety checks)
@@ -375,8 +417,7 @@ This is a warning, not a block. If you need to create it here, retry.`);
     // On a branch but NOT in a worktree. Block writes.
     const isWriteOp = WRITE_TOOLS.has(toolName) ||
       (toolName === BASH_TOOL && command &&
-        BLOCKED_BASH_PATTERNS.some(p => p.test(command)) &&
-        !ALLOWED_BASH_PATTERNS.some(p => p.test(command)));
+        isBlockedCompoundCommand(command, BLOCKED_BASH_PATTERNS, ALLOWED_BASH_PATTERNS));
     if (isWriteOp) {
       deny(`BLOCKED: On branch "${branch}" but not in a worktree.\n\n${WORKFLOW_NOT_WORKTREE}`);
       process.exit(0);
@@ -400,6 +441,7 @@ This is a warning, not a block. If you need to create it here, retry.`);
     /\.ldm\/memory\/shared-log\.jsonl$/,
     /\.ldm\/memory\/daily\/.*\.md$/,
     /\.ldm\/logs\//,
+    /\.claude\/plans\//,              // Claude Code plan files (plan mode)
   ];
 
   if (filePath && SHARED_STATE_PATTERNS.some(p => p.test(filePath))) {
@@ -412,43 +454,19 @@ This is a warning, not a block. If you need to create it here, retry.`);
     process.exit(0);
   }
 
-  // For Bash, check the command
+  // For Bash, check each command segment independently (#232).
+  // No fast-path: an allowed pattern on one segment can't excuse a blocked pattern on another.
   if (toolName === BASH_TOOL && command) {
-    // First check if it's explicitly allowed (read-only)
-    for (const pattern of ALLOWED_BASH_PATTERNS) {
-      if (pattern.test(command)) {
-        process.exit(0);
-      }
-    }
-
-    // Check for blocked git commands
-    for (const pattern of BLOCKED_GIT_PATTERNS) {
-      if (pattern.test(command)) {
-        // Make sure it's not an allowed git operation
-        let isAllowed = false;
-        for (const ap of ALLOWED_GIT_PATTERNS) {
-          if (ap.test(command)) { isAllowed = true; break; }
-        }
-        if (!isAllowed) {
-          deny(`BLOCKED: Cannot run "${command.substring(0, 60)}..." on main branch.\n\n${WORKFLOW_ON_MAIN}`);
-          process.exit(0);
-        }
-      }
+    // Check for blocked git commands (per-segment, quote-stripped)
+    if (isBlockedCompoundCommand(command, BLOCKED_GIT_PATTERNS, ALLOWED_GIT_PATTERNS)) {
+      deny(`BLOCKED: Cannot run "${command.substring(0, 60)}..." on main branch.\n\n${WORKFLOW_ON_MAIN}`);
+      process.exit(0);
     }
 
-    // Check for file-writing bash commands
-    for (const pattern of BLOCKED_BASH_PATTERNS) {
-      if (pattern.test(command)) {
-        // Check it's not a read-only context
-        let isAllowed = false;
-        for (const ap of ALLOWED_BASH_PATTERNS) {
-          if (ap.test(command)) { isAllowed = true; break; }
-        }
-        if (!isAllowed) {
-          deny(`BLOCKED: Cannot run file-modifying command on main branch.\n\n${WORKFLOW_ON_MAIN}`);
-          process.exit(0);
-        }
-      }
+    // Check for file-writing bash commands (per-segment, quote-stripped)
+    if (isBlockedCompoundCommand(command, BLOCKED_BASH_PATTERNS, ALLOWED_BASH_PATTERNS)) {
+      deny(`BLOCKED: Cannot run file-modifying command on main branch.\n\n${WORKFLOW_ON_MAIN}`);
+      process.exit(0);
     }
   }
 

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.57",
+  "version": "1.9.59",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",