@wipcomputer/wip-ai-devops-toolbox 1.9.61 → 1.9.63

package/CHANGELOG.md

@@ -31,6 +31,56 @@
 
 
 
+
+## 1.9.63 (2026-03-29)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.63
+
+**Fix all wip-release errors: branch cleanup crashes, shell injection, stale remote refs.**
+
+## The story
+
+Every wip-release run produced errors: "fatal: Not a valid object name +", "remote ref does not exist", and shell injection risks from branch names passed through execSync template strings. These were dismissed as "non-blocking" but they cluttered every release output and masked real problems.
+
+Root cause: branch cleanup code (sections 10 and 11) used `execSync` with template strings, which breaks on branch names with special characters and allows shell injection. Also tried to delete remote branches that GitHub already deleted during PR merge.
+
+Fix: replaced all `execSync` template strings with `execFileSync` array args (safe from injection). Added character validation to skip branches with special chars. Wrapped remote delete in try/catch since GitHub PR merge already handles deletion.
+
+## Issues closed
+
+- #231 (continued: release pipeline reliability)
+
+## How to verify
+
+```bash
+wip-release patch --dry-run
+# Should show no "fatal" or "Not a valid object name" errors
+# Guard tests: cd tools/wip-branch-guard && bash test.sh
+```
+
+## 1.9.62 (2026-03-29)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.62
+
+**Fix wip-release leaving dirty state on main after every release.**
+
+## The story
+
+wip-release writes to 15+ files during a release (root package.json, 12 sub-tool package.json files, SKILL.md, CHANGELOG.md, product docs, trashed release notes). But gitCommitAndTag() only staged 3 files (package.json, CHANGELOG.md, SKILL.md). The other 12+ files were left modified on disk, uncommitted. This blocked git pull on the next operation and required manual `git checkout -- .` every time.
+
+Fix: stage all files that wip-release modifies. Sub-tool package.json files, product docs (ai/product/), and trashed release notes (_trash/) are now included in the release commit.
+
+## Issues closed
+
+- #231 (wip-release rollback version bumps on failure)
+
+## How to verify
+
+```bash
+wip-release patch
+git status
+# Should show clean working tree after release
+```
 
 ## 1.9.61 (2026-03-29)
 

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.61"
+  version: "1.9.63"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "main": "guard.mjs",

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/core.mjs

@@ -149,12 +149,37 @@ function trashReleaseNotes(repoPath) {
 
 function gitCommitAndTag(repoPath, newVersion, notes) {
   const msg = `v${newVersion}: ${notes || 'Release'}`;
-  // Stage known files (ignore missing ones)
+  // Stage ALL files that wip-release modifies:
+  // - Root: package.json, CHANGELOG.md, SKILL.md
+  // - Sub-tools: tools/*/package.json
+  // - Product docs: ai/product/plans-prds/roadmap.md, ai/product/readme-first-product.md
+  // - Trashed release notes: _trash/RELEASE-NOTES-*.md
+  // Using git add -A on specific paths instead of listing each file (#231)
   for (const f of ['package.json', 'CHANGELOG.md', 'SKILL.md']) {
     if (existsSync(join(repoPath, f))) {
       execFileSync('git', ['add', f], { cwd: repoPath, stdio: 'pipe' });
     }
   }
+  // Stage sub-tool package.json files
+  const toolsDir = join(repoPath, 'tools');
+  if (existsSync(toolsDir)) {
+    for (const sub of readdirSync(toolsDir, { withFileTypes: true })) {
+      if (!sub.isDirectory()) continue;
+      const subPkg = join('tools', sub.name, 'package.json');
+      if (existsSync(join(repoPath, subPkg))) {
+        execFileSync('git', ['add', subPkg], { cwd: repoPath, stdio: 'pipe' });
+      }
+    }
+  }
+  // Stage product docs and trashed release notes
+  const aiProduct = join(repoPath, 'ai', 'product');
+  if (existsSync(aiProduct)) {
+    execFileSync('git', ['add', 'ai/product/'], { cwd: repoPath, stdio: 'pipe' });
+  }
+  const trash = join(repoPath, '_trash');
+  if (existsSync(trash)) {
+    execFileSync('git', ['add', '_trash/'], { cwd: repoPath, stdio: 'pipe' });
+  }
   // Use execFileSync to avoid shell injection via notes.
   // --no-verify: wip-release legitimately commits on main (version bump + changelog).
   // The pre-commit hook blocks all commits on main, but wip-release is the one exception.
@@ -1544,31 +1569,33 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
       .filter(b => b && b !== 'main' && b !== 'master' && !b.startsWith('*') && !b.includes('--merged-'));
 
     if (merged.length > 0) {
+      const current = execSync('git branch --show-current', { cwd: repoPath, encoding: 'utf8' }).trim();
       console.log(`  Scanning ${merged.length} merged branch(es) for rename...`);
       for (const branch of merged) {
-        const current = execSync('git branch --show-current', { cwd: repoPath, encoding: 'utf8' }).trim();
         if (branch === current) continue;
+        // Skip branches with characters that break git commands
+        if (/[+\s~^:?*\[\]]/.test(branch)) continue;
 
         let mergeDate;
         try {
-          const mergeBase = execSync(`git merge-base main ${branch}`, { cwd: repoPath, encoding: 'utf8' }).trim();
-          mergeDate = execSync(
-            `git log main --format="%ai" --ancestry-path ${mergeBase}..main`,
-            { cwd: repoPath, encoding: 'utf8' }
-          ).trim().split('\n').pop().split(' ')[0];
+          // Use execFileSync (array args) instead of execSync (shell string) to avoid injection
+          const mergeBase = execFileSync('git', ['merge-base', 'main', branch], { cwd: repoPath, encoding: 'utf8' }).trim();
+          const logOutput = execFileSync('git', ['log', 'main', '--format=%ai', '--ancestry-path', `${mergeBase}..main`], { cwd: repoPath, encoding: 'utf8' }).trim();
+          if (logOutput) mergeDate = logOutput.split('\n').pop().split(' ')[0];
         } catch {}
         if (!mergeDate) {
           try {
-            mergeDate = execSync(`git log ${branch} -1 --format="%ai"`, { cwd: repoPath, encoding: 'utf8' }).trim().split(' ')[0];
+            mergeDate = execFileSync('git', ['log', branch, '-1', '--format=%ai'], { cwd: repoPath, encoding: 'utf8' }).trim().split(' ')[0];
           } catch {}
         }
         if (!mergeDate) continue;
 
         const newName = `${branch}--merged-${mergeDate}`;
         try {
-          execSync(`git branch -m "${branch}" "${newName}"`, { cwd: repoPath, stdio: 'pipe' });
-          execSync(`git push origin "${newName}"`, { cwd: repoPath, stdio: 'pipe' });
-          execSync(`git push origin --delete "${branch}"`, { cwd: repoPath, stdio: 'pipe' });
+          execFileSync('git', ['branch', '-m', branch, newName], { cwd: repoPath, stdio: 'pipe' });
+          execFileSync('git', ['push', 'origin', newName], { cwd: repoPath, stdio: 'pipe' });
+          // Remote branch may already be deleted by GitHub PR merge. That's fine.
+          try { execFileSync('git', ['push', 'origin', '--delete', branch], { cwd: repoPath, stdio: 'pipe' }); } catch {}
           console.log(`  ✓ Renamed: ${branch} -> ${newName}`);
         } catch (e) {
           console.log(`  ! Could not rename ${branch}: ${e.message}`);
@@ -1610,8 +1637,8 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
 
         for (let i = KEEP_COUNT; i < branches.length; i++) {
           try {
-            execSync(`git push origin --delete "${branches[i]}"`, { cwd: repoPath, stdio: 'pipe' });
-            execSync(`git branch -d "${branches[i]}" 2>/dev/null || true`, { cwd: repoPath, stdio: 'pipe', shell: true });
+            execFileSync('git', ['push', 'origin', '--delete', branches[i]], { cwd: repoPath, stdio: 'pipe' });
+            try { execFileSync('git', ['branch', '-d', branches[i]], { cwd: repoPath, stdio: 'pipe' }); } catch {}
             pruned++;
           } catch {}
         }
@@ -1634,11 +1661,12 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
     let staleCleaned = 0;
     for (const branch of allRemote) {
       if (branch === current) continue;
+      if (/[+\s~^:?*\[\]]/.test(branch)) continue;
       try {
-        execSync(`git merge-base --is-ancestor origin/${branch} origin/main`, { cwd: repoPath, stdio: 'pipe' });
+        execFileSync('git', ['merge-base', '--is-ancestor', `origin/${branch}`, 'origin/main'], { cwd: repoPath, stdio: 'pipe' });
         // If we get here, branch is fully merged
-        execSync(`git push origin --delete "${branch}"`, { cwd: repoPath, stdio: 'pipe' });
-        execSync(`git branch -d "${branch}" 2>/dev/null || true`, { cwd: repoPath, stdio: 'pipe', shell: true });
+        try { execFileSync('git', ['push', 'origin', '--delete', branch], { cwd: repoPath, stdio: 'pipe' }); } catch {}
+        try { execFileSync('git', ['branch', '-d', branch], { cwd: repoPath, stdio: 'pipe' }); } catch {}
         staleCleaned++;
       } catch {}
     }

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.61",
+  "version": "1.9.63",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",