@wipcomputer/wip-ai-devops-toolbox 1.9.67 → 1.9.69-alpha.1

package/CHANGELOG.md

@@ -31,6 +31,24 @@
 
 
 
+
+## 1.9.69-alpha.1 (2026-04-01)
+
+alpha prerelease
+
+## 1.9.68 (2026-04-01)
+
+# Release Notes: wip-ai-devops-toolbox v1.9.68
+
+Closes #239
+
+## Four-track release pipeline
+
+The release tool now supports four tracks: alpha, beta, hotfix, and stable. This replaces the single-track model where every release was public.
+
+Alpha is silent (no public release notes by default). Beta publishes prerelease notes to the public repo. Hotfix publishes to npm @latest without syncing code to public. Stable is the full deploy: npm + code sync + release notes. Developers can iterate on private, ship betas to testers, and only go public when ready.
+
+Version numbering uses standard semver prereleases: `1.9.68-alpha.1`, `1.9.68-beta.1`. The installer (`ldm install --beta` / `--alpha`) pulls the right tag from npm.
 
 ## 1.9.67 (2026-03-31)
 

package/DEV-GUIDE-GENERAL-PUBLIC.md

@@ -45,11 +45,45 @@ CLI is the universal fallback. MCP and plugin wrappers are optimizations.
 6. Merge PR:               gh pr merge <number> --merge --delete-branch
 7. Rename merged branch:   (see Post-Merge Branch Rename below)
 8. Pull merged main:       git checkout main && git pull origin main
-9. Release:                wip-release patch
-                           # wip-release auto-detects the RELEASE-NOTES file
+9. Release:                wip-release patch     (stable: full pipeline)
+                           wip-release alpha     (prerelease: npm @alpha, silent)
+                           wip-release beta      (prerelease: npm @beta, public notes)
+                           wip-release hotfix    (urgent: npm @latest, no deploy-public)
                            # flags: --dry-run (preview), --no-publish (bump + tag only)
 ```
 
+### Release Tracks
+
+Four release tracks. Choose the right one for the situation:
+
+| Track | Command | npm tag | Public code sync | When to use |
+|-------|---------|---------|-----------------|-------------|
+| Alpha | `wip-release alpha` | @alpha | No | Internal testing, not ready for users |
+| Beta | `wip-release beta` | @beta | No | External testing, release candidate |
+| Hotfix | `wip-release hotfix` | @latest | No | Urgent fix, skip deploy-public |
+| Stable | `wip-release patch/minor/major` | @latest | Yes | Normal release, full pipeline |
+
+**Alpha** is silent by default. No public release notes, no code sync. Add `--release-notes` to create a prerelease on the public GitHub repo.
+
+**Beta** publishes prerelease notes to the public GitHub repo by default. Add `--no-release-notes` to skip.
+
+**Hotfix** publishes to npm @latest and creates a release on the public GitHub repo, but does NOT run deploy-public (no code sync). Use this when you need a fix in npm immediately but the public repo code can wait for the next stable release.
+
+**Stable** is the existing behavior. Full pipeline: npm @latest, deploy-public (code sync), full release notes.
+
+Version numbering:
+- Alpha: `1.9.68-alpha.1`, `1.9.68-alpha.2` (increments on repeat)
+- Beta: `1.9.68-beta.1`, `1.9.68-beta.2` (increments on repeat)
+- Hotfix: normal patch bump (`1.9.67` -> `1.9.68`)
+- Stable: normal bump (patch/minor/major)
+
+Install integration:
+```bash
+ldm install              # checks @latest (stable + hotfix)
+ldm install --beta       # checks @beta
+ldm install --alpha      # checks @alpha
+```
+
 **Important:**
 - **Every change goes through a PR.** No direct pushes to main. Not even "just a README fix." Branch, PR, merge. Every time.
 - **Never squash merge.** Every commit has co-authors and tells the story of how something was built. Squashing destroys attribution and history. Always use `--merge` or fast-forward. This applies to `gh pr merge`, manual merges, deploy-public.sh, and any other merge path. No exceptions. Always include `--delete-branch` so the PR branch is cleaned up automatically.

package/SKILL.md

@@ -5,7 +5,7 @@ license: MIT
 interface: [cli, module, mcp, skill, hook, plugin]
 metadata:
   display-name: "WIP AI DevOps Toolbox"
-  version: "1.9.67"
+  version: "1.9.68"
   homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
   author: "Parker Todd Brooks"
   category: dev-tools

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.67",
+  "version": "1.9.69-alpha.1",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/deploy-public/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/deploy-public",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "Private-to-public repo sync. Excludes ai/ folder, creates PR, merges, cleans up branches.",
   "bin": {
     "deploy-public": "./deploy-public.sh"

package/tools/post-merge-rename/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/post-merge-rename",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "Post-merge branch renaming. Appends --merged-YYYY-MM-DD to preserve history.",
   "bin": {
     "post-merge-rename": "./post-merge-rename.sh"

package/tools/wip-branch-guard/guard.mjs

@@ -136,6 +136,8 @@ const ALLOWED_BASH_PATTERNS = [
   /\brm\s+.*\.(openclaw|ldm)\/extensions\//,  // cleaning deployed extensions (managed by ldm install, not source code)
   /\bclaude\s+mcp\b/,          // MCP registration, not repo files
   /\bmkdir\s+.*\.worktrees\b/,  // creating .worktrees/ directory is part of the process
+  /\brm\s+.*\.trash-approved-to-rm/,  // Parker's approved-for-deletion folder (only Parker moves files here, agents only rm)
+  /\brm\s+.*\/_trash\//,              // agent trash directories (agents can mv here and rm here)
 ];
 
 // Workflow steps for error messages (#213)
@@ -320,7 +322,9 @@ Use the proper workflow: edit files in a worktree, commit, push, PR.`);
     // Block npm install -g right after a release (#73)
     // wip-release writes ~/.ldm/state/.last-release on completion.
     // If a release happened < 5 minutes ago, block install unless user explicitly said "install".
-    if (/\bnpm\s+install\s+-g\b/.test(cmd)) {
+    // Exception: prerelease installs (@alpha, @beta) skip the cooldown. The cooldown exists
+    // to enforce dogfooding stable releases. Prerelease installs ARE the dogfooding.
+    if (/\bnpm\s+install\s+-g\b/.test(cmd) && !/@(alpha|beta)\b/.test(cmd)) {
       try {
         const releasePath = join(process.env.HOME || '', '.ldm', 'state', '.last-release');
         if (existsSync(releasePath)) {

package/tools/wip-branch-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-branch-guard",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "PreToolUse hook that blocks all writes on main branch. Forces agents to work on branches or worktrees.",
   "type": "module",
   "scripts": {

package/tools/wip-file-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-file-guard",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "type": "module",
   "description": "Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.",
   "main": "guard.mjs",

package/tools/wip-license-guard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-guard",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "License compliance for your own repos. Ensures correct copyright, dual-license blocks, and LICENSE files.",
   "type": "module",
   "bin": {

package/tools/wip-license-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-license-hook",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "License rug-pull detection and dependency license compliance for open source projects",
   "type": "module",
   "main": "dist/cli/index.js",

package/tools/wip-readme-format/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-readme-format",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.",
   "type": "module",
   "bin": {

package/tools/wip-release/REFERENCE.md

@@ -3,15 +3,47 @@
 
 Detailed usage, pipeline steps, flags, auth, and module API.
 
+## Release Tracks
+
+Four release tracks, each with different behavior:
+
+| Track | npm tag | Public code sync | Public release notes | Default notes |
+|-------|---------|-----------------|---------------------|---------------|
+| Alpha | @alpha | No | No (opt in with --release-notes) | Silent |
+| Beta | @beta | No | Yes, prerelease (opt out with --no-release-notes) | Visible |
+| Hotfix | @latest | No | Yes (opt out with --no-release-notes) | Visible |
+| Stable | @latest | Yes, full deploy-public | Yes, full notes | Full deploy |
+
+### Version numbering
+
+- Alpha: `1.9.68-alpha.1`, `1.9.68-alpha.2` (increments on repeat)
+- Beta: `1.9.68-beta.1`, `1.9.68-beta.2` (increments on repeat)
+- Hotfix: normal patch bump (`1.9.67` -> `1.9.68`)
+- Stable: normal bump (patch/minor/major)
+
 ## Usage
 
 Run from inside any repo:
 
 ```bash
+# Stable (existing behavior)
 wip-release patch                    # 1.0.0 -> 1.0.1
 wip-release minor                    # 1.0.0 -> 1.1.0
 wip-release major                    # 1.0.0 -> 2.0.0
 
+# Alpha
+wip-release alpha                    # 1.0.1-alpha.1 (npm @alpha, silent)
+wip-release alpha --release-notes    # 1.0.1-alpha.1 (npm @alpha + prerelease on public)
+
+# Beta
+wip-release beta                     # 1.0.1-beta.1 (npm @beta + prerelease on public)
+wip-release beta --no-release-notes  # 1.0.1-beta.1 (npm @beta, skip notes)
+
+# Hotfix
+wip-release hotfix                   # 1.0.0 -> 1.0.1 (npm @latest + release on public)
+wip-release hotfix --no-release-notes  # skip public release notes
+
+# Common flags
 wip-release patch --notes="fix auth config"   # with changelog note
 wip-release minor --dry-run                    # preview, no changes
 wip-release patch --no-publish                 # bump + tag only
@@ -19,6 +51,8 @@ wip-release patch --no-publish                 # bump + tag only
 
 ## What It Does
 
+### Stable pipeline
+
 ```
   wip-grok: 1.0.0 -> 1.0.1 (patch)
   ────────────────────────────────────────
@@ -28,32 +62,97 @@ wip-release patch --no-publish                 # bump + tag only
   ✓ Committed and tagged v1.0.1
   ✓ Pushed to remote
   ✓ Published to npm
-  ✓ Published to GitHub Packages
+  - GitHub Packages: handled by deploy-public.sh
   ✓ GitHub release v1.0.1 created
   ✓ Published to ClawHub
 
   Done. wip-grok v1.0.1 released.
 ```
 
+### Alpha/beta pipeline
+
+```
+  wip-grok: 1.0.0 -> 1.0.1-alpha.1 (alpha)
+  ────────────────────────────────────────
+  ✓ package.json -> 1.0.1-alpha.1
+  ✓ CHANGELOG.md updated
+  ✓ Committed and tagged v1.0.1-alpha.1
+  ✓ Pushed to remote
+  ✓ Published to npm @alpha
+  - GitHub prerelease: skipped (silent alpha)
+
+  Done. wip-grok v1.0.1-alpha.1 (alpha) released.
+```
+
+### Hotfix pipeline
+
+```
+  wip-grok: 1.0.0 -> 1.0.1 (hotfix)
+  ────────────────────────────────────────
+  ✓ package.json -> 1.0.1
+  ✓ SKILL.md -> 1.0.1
+  ✓ CHANGELOG.md updated
+  ✓ Committed and tagged v1.0.1
+  ✓ Pushed to remote
+  ✓ Published to npm @latest
+  ✓ GitHub release v1.0.1 created on public repo
+  - deploy-public: skipped (hotfix)
+
+  Done. wip-grok v1.0.1 (hotfix) released.
+```
+
 ## Pipeline Steps
 
+### Stable (patch/minor/major)
+
 1. **Bump `package.json`** ... patch, minor, or major
 2. **Sync `SKILL.md`** ... updates version in YAML frontmatter (if file exists)
 3. **Update `CHANGELOG.md`** ... prepends new version entry with date and notes
 4. **Git commit + tag** ... commits changed files, creates `vX.Y.Z` tag
 5. **Push** ... pushes commit and tag to remote
-6. **npm publish** ... publishes to npmjs.com (auth via 1Password)
-7. **GitHub Packages** ... publishes to npm.pkg.github.com
-8. **GitHub release** ... creates release with changelog notes
+6. **npm publish** ... publishes to npmjs.com with @latest (auth via 1Password)
+7. **GitHub Packages** ... handled by deploy-public.sh
+8. **GitHub release** ... creates release on private repo with changelog notes
 9. **ClawHub publish** ... publishes skill to ClawHub (if SKILL.md exists)
+10. **Branch cleanup** ... renames/prunes merged branches
+11. **Worktree cleanup** ... prunes merged worktrees
+
+### Alpha/Beta
+
+1. **Bump `package.json`** ... adds prerelease suffix (-alpha.N / -beta.N)
+2. **Update `CHANGELOG.md`** ... lightweight prerelease entry
+3. **Git commit + tag** ... commits changed files, creates tag
+4. **Push** ... pushes commit and tag to remote
+5. **npm publish** ... publishes with --tag alpha or --tag beta
+6. **GitHub prerelease** ... (beta: on by default, alpha: opt-in with --release-notes)
+
+### Hotfix
+
+1. **Bump `package.json`** ... patch bump (no suffix)
+2. **Sync `SKILL.md`** ... updates version in YAML frontmatter
+3. **Update `CHANGELOG.md`** ... prepends new version entry
+4. **Git commit + tag** ... commits changed files, creates tag
+5. **Push** ... pushes commit and tag to remote
+6. **npm publish** ... publishes with --tag latest
+7. **GitHub release** ... creates release on public repo (opt out with --no-release-notes)
+8. **ClawHub publish** ... publishes skill to ClawHub (if SKILL.md exists)
+9. **No deploy-public** ... code sync is skipped
 
 ## Flags
 
 | Flag | What |
 |------|------|
 | `--notes="text"` | Changelog entry text |
+| `--notes-file=path` | Read release narrative from a markdown file |
+| `--release-notes` | Opt in to public release notes (alpha only) |
+| `--no-release-notes` | Opt out of public release notes (beta, hotfix) |
 | `--dry-run` | Show what would happen, change nothing |
 | `--no-publish` | Bump + tag only, skip npm and GitHub release |
+| `--skip-product-check` | Skip product docs gate (stable only) |
+| `--skip-stale-check` | Skip stale remote branch check (stable only) |
+| `--skip-worktree-check` | Skip worktree guard |
+| `--skip-tech-docs-check` | Skip technical docs check (stable only) |
+| `--skip-coverage-check` | Skip interface coverage check (stable only) |
 
 ## Auth
 
@@ -66,15 +165,26 @@ Requires:
 - `gh` CLI authenticated (for GitHub Packages and releases)
 - `clawhub` CLI authenticated (for ClawHub skill publishing)
 
+## ldm install Integration
+
+The installer checks different npm tags based on the track:
+
+```bash
+ldm install             # checks @latest (stable + hotfix)
+ldm install --beta      # checks @beta tag
+ldm install --alpha     # checks @alpha tag
+```
+
 ## As a Module
 
 ```javascript
-import { release, detectCurrentVersion, bumpSemver } from '@wipcomputer/wip-release';
+import { release, releasePrerelease, releaseHotfix, detectCurrentVersion, bumpSemver, bumpPrerelease } from '@wipcomputer/wip-release';
 
 const current = detectCurrentVersion('/path/to/repo');
 const next = bumpSemver(current, 'minor');
 console.log(`${current} -> ${next}`);
 
+// Stable release
 await release({
   repoPath: '/path/to/repo',
   level: 'patch',
@@ -82,19 +192,54 @@ await release({
   dryRun: false,
   noPublish: false,
 });
+
+// Alpha prerelease
+await releasePrerelease({
+  repoPath: '/path/to/repo',
+  track: 'alpha',
+  notes: 'testing new feature',
+  dryRun: false,
+  noPublish: false,
+  publishReleaseNotes: false,
+});
+
+// Beta prerelease
+await releasePrerelease({
+  repoPath: '/path/to/repo',
+  track: 'beta',
+  notes: 'beta candidate',
+  dryRun: false,
+  noPublish: false,
+  publishReleaseNotes: true,
+});
+
+// Hotfix
+await releaseHotfix({
+  repoPath: '/path/to/repo',
+  notes: 'critical fix',
+  dryRun: false,
+  noPublish: false,
+  publishReleaseNotes: true,
+});
 ```
 
 ## Exports
 
 | Function | What |
 |----------|------|
-| `release({ repoPath, level, notes, dryRun, noPublish })` | Full pipeline |
+| `release({ repoPath, level, notes, dryRun, noPublish })` | Full stable pipeline |
+| `releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes })` | Alpha/beta pipeline |
+| `releaseHotfix({ repoPath, notes, dryRun, noPublish, publishReleaseNotes })` | Hotfix pipeline |
 | `detectCurrentVersion(repoPath)` | Read version from package.json |
-| `bumpSemver(version, level)` | Bump a semver string |
+| `bumpSemver(version, level)` | Bump a semver string (patch/minor/major) |
+| `bumpPrerelease(version, track)` | Bump a prerelease version (alpha/beta) |
 | `syncSkillVersion(repoPath, newVersion)` | Update SKILL.md frontmatter |
 | `updateChangelog(repoPath, newVersion, notes)` | Prepend to CHANGELOG.md |
-| `publishNpm(repoPath)` | Publish to npmjs.com |
+| `publishNpm(repoPath)` | Publish to npmjs.com (@latest) |
+| `publishNpmWithTag(repoPath, tag)` | Publish to npmjs.com with specific tag |
 | `publishGitHubPackages(repoPath)` | Publish to npm.pkg.github.com |
-| `createGitHubRelease(repoPath, newVersion, notes, currentVersion)` | Create GitHub release with rich notes |
+| `createGitHubRelease(repoPath, newVersion, notes, currentVersion)` | Create GitHub release on private repo |
+| `createGitHubPrerelease(repoPath, newVersion, notes)` | Create GitHub prerelease on public repo |
+| `createGitHubReleaseOnPublic(repoPath, newVersion, notes, currentVersion)` | Create GitHub release on public repo |
 | `buildReleaseNotes(repoPath, currentVersion, newVersion, notes)` | Generate detailed release notes |
 | `publishClawHub(repoPath, newVersion, notes)` | Publish skill to ClawHub |

package/tools/wip-release/SKILL.md

@@ -46,6 +46,8 @@ Local release pipeline. One command bumps version, updates all docs, publishes e
 - Releasing a new version of any @wipcomputer package
 - After merging a PR to main and you need to publish
 - Bumping version + changelog + SKILL.md in one step
+- Publishing alpha or beta prereleases for testing
+- Pushing hotfixes to npm without full deploy-public
 
 **Use --dry-run for:**
 - Previewing what a release would do before committing
@@ -55,18 +57,48 @@ Local release pipeline. One command bumps version, updates all docs, publishes e
 
 ### Do NOT Use For
 
-- Pre-release / alpha versions (not yet supported)
 - Repos without a package.json
 
+## Release Tracks
+
+Four release tracks. Each has different behavior for npm tags, public repo sync, and release notes.
+
+| Track | Command | npm tag | Public code sync | Public release notes |
+|-------|---------|---------|-----------------|---------------------|
+| Alpha | `wip-release alpha` | @alpha | No | No (opt in with --release-notes) |
+| Beta | `wip-release beta` | @beta | No | Yes, prerelease (opt out with --no-release-notes) |
+| Hotfix | `wip-release hotfix` | @latest | No | Yes (opt out with --no-release-notes) |
+| Stable | `wip-release patch/minor/major` | @latest | Yes (deploy-public) | Yes, full notes |
+
+### Version numbering
+
+- Alpha: `1.9.68-alpha.1`, `1.9.68-alpha.2`, etc.
+- Beta: `1.9.68-beta.1`, `1.9.68-beta.2`, etc.
+- Hotfix: normal version bump (patch)
+- Stable: normal version bump (patch/minor/major)
+
 ## API Reference
 
 ### CLI
 
 ```bash
-wip-release patch --notes="fix X"           # full pipeline
+# Stable (existing behavior)
+wip-release patch                           # full pipeline
 wip-release minor --dry-run                 # preview only
 wip-release major --no-publish              # bump + tag only
 wip-release patch --skip-product-check      # skip product docs gate
+
+# Alpha
+wip-release alpha                           # npm @alpha, no public notes
+wip-release alpha --release-notes           # npm @alpha + prerelease notes on public
+
+# Beta
+wip-release beta                            # npm @beta + prerelease notes on public
+wip-release beta --no-release-notes         # npm @beta, skip public notes
+
+# Hotfix
+wip-release hotfix                          # npm @latest + public release notes
+wip-release hotfix --no-release-notes       # npm @latest, skip public notes
 ```
 
 ### Product Docs Gate
@@ -108,9 +140,16 @@ After publishing, wip-release auto-copies SKILL.md to your website as plain text
 ### Module
 
 ```javascript
-import { release, detectCurrentVersion, bumpSemver, syncSkillVersion } from '@wipcomputer/wip-release';
+import { release, releasePrerelease, releaseHotfix, detectCurrentVersion, bumpSemver, bumpPrerelease } from '@wipcomputer/wip-release';
 
+// Stable release
 await release({ repoPath: '.', level: 'patch', notes: 'fix', dryRun: false, noPublish: false });
+
+// Alpha/beta prerelease
+await releasePrerelease({ repoPath: '.', track: 'alpha', notes: 'testing', dryRun: false, noPublish: false, publishReleaseNotes: false });
+
+// Hotfix
+await releaseHotfix({ repoPath: '.', notes: 'critical fix', dryRun: false, noPublish: false, publishReleaseNotes: true });
 ```
 
 ## Troubleshooting

package/tools/wip-release/cli.js

@@ -5,10 +5,10 @@
  * Release tool CLI. Bumps version, updates docs, publishes.
  */
 
-import { release, detectCurrentVersion, collectMergedPRNotes } from './core.mjs';
+import { release, releasePrerelease, releaseHotfix, detectCurrentVersion, collectMergedPRNotes } from './core.mjs';
 
 const args = process.argv.slice(2);
-const level = args.find(a => ['patch', 'minor', 'major'].includes(a));
+const level = args.find(a => ['patch', 'minor', 'major', 'alpha', 'beta', 'hotfix'].includes(a));
 
 function flag(name) {
   const prefix = `--${name}=`;
@@ -23,6 +23,8 @@ const skipStaleCheck = args.includes('--skip-stale-check');
 const skipWorktreeCheck = args.includes('--skip-worktree-check');
 const skipTechDocsCheck = args.includes('--skip-tech-docs-check');
 const skipCoverageCheck = args.includes('--skip-coverage-check');
+const wantReleaseNotes = args.includes('--release-notes');
+const noReleaseNotes = args.includes('--no-release-notes');
 const notesFilePath = flag('notes-file');
 let notes = flag('notes');
 // Bug fix #121: use strict check, not truthiness. --notes="" is empty, not absent.
@@ -51,13 +53,15 @@ let notesSource = (notes !== null && notes !== undefined && notes !== '') ? 'fla
     }
     notes = readFileSync(resolved, 'utf8').trim();
     notesSource = 'file';
-  } else if (level) {
+  } else if (level && ['patch', 'minor', 'major', 'hotfix'].includes(level)) {
     // 2. Auto-detect RELEASE-NOTES-v{version}.md (ALWAYS checks, even if --notes provided)
+    // Only for stable levels and hotfix. Alpha/beta skip this.
     try {
       const { detectCurrentVersion, bumpSemver } = await import('./core.mjs');
       const cwd = process.cwd();
       const currentVersion = detectCurrentVersion(cwd);
-      const newVersion = bumpSemver(currentVersion, level);
+      const bumpLevel = level === 'hotfix' ? 'patch' : level;
+      const newVersion = bumpSemver(currentVersion, bumpLevel);
       const dashed = newVersion.replace(/\./g, '-');
       const autoFile = join(cwd, `RELEASE-NOTES-v${dashed}.md`);
       if (existsSync(autoFile)) {
@@ -75,12 +79,13 @@ let notesSource = (notes !== null && notes !== undefined && notes !== '') ? 'fla
   // 2.5. Auto-combine release notes from merged PRs since last tag (#237)
   // Only runs when no single RELEASE-NOTES file was found on disk.
   // Scans git merge history for RELEASE-NOTES files committed on PR branches.
-  if (level && notesSource !== 'file') {
+  if (level && ['patch', 'minor', 'major', 'hotfix'].includes(level) && notesSource !== 'file') {
     try {
       const { collectMergedPRNotes, detectCurrentVersion: dcv, bumpSemver: bs } = await import('./core.mjs');
       const cwd = process.cwd();
       const cv = dcv(cwd);
-      const nv = bs(cv, level);
+      const bumpLevel = level === 'hotfix' ? 'patch' : level;
+      const nv = bs(cv, bumpLevel);
       const combined = collectMergedPRNotes(cwd, cv, nv);
       if (combined) {
         if (flagNotes && flagNotes !== combined.notes) {
@@ -144,27 +149,37 @@ if (!level || args.includes('--help') || args.includes('-h')) {
   console.log(`wip-release ... local release tool${current}
 
 Usage:
-  wip-release patch                    1.0.0 -> 1.0.1
-  wip-release minor                    1.0.0 -> 1.1.0
-  wip-release major                    1.0.0 -> 2.0.0
+  wip-release patch                    1.0.0 -> 1.0.1 (stable)
+  wip-release minor                    1.0.0 -> 1.1.0 (stable)
+  wip-release major                    1.0.0 -> 2.0.0 (stable)
+  wip-release alpha                    1.0.1-alpha.1 (prerelease)
+  wip-release beta                     1.0.1-beta.1 (prerelease)
+  wip-release hotfix                   1.0.0 -> 1.0.1 (hotfix, no deploy-public)
+
+Release tracks:
+  alpha    npm @alpha tag, no public notes (opt in with --release-notes)
+  beta     npm @beta tag, prerelease notes on public (opt out with --no-release-notes)
+  hotfix   npm @latest tag, release notes on public (opt out with --no-release-notes)
+  stable   npm @latest tag, deploy-public, full notes (patch/minor/major)
 
 Flags:
   --notes="description"    Release narrative (what was built and why)
   --notes-file=path        Read release narrative from a markdown file
+  --release-notes          Opt in to public release notes (alpha only)
+  --no-release-notes       Opt out of public release notes (beta, hotfix)
   --dry-run                Show what would happen, change nothing
   --no-publish             Bump + tag only, skip npm/GitHub
   --skip-product-check     Skip product docs check (dev update, roadmap, readme-first)
   --skip-stale-check       Skip stale remote branch check
   --skip-worktree-check    Skip worktree guard (allow release from worktree)
 
-Release notes (REQUIRED, must be a file on disk):
+Release notes (REQUIRED for stable, optional for other tracks):
   1. --notes-file=path          Explicit file path
   2. RELEASE-NOTES-v{ver}.md    In repo root (auto-detected)
   3. Merged PR notes             Auto-combined from git history (#237)
   4. ai/dev-updates/YYYY-MM-DD* Today's dev update (auto-detected)
-  The --notes flag is NOT accepted. Write a file. Commit it on your branch.
-  The file shows up in the PR diff so it can be reviewed before merge.
-  When batching multiple PRs, each PR's RELEASE-NOTES are auto-combined.
+  For stable releases: the --notes flag is NOT accepted. Write a file.
+  For alpha/beta/hotfix: --notes="text" is accepted as a convenience.
 
 Skill publish to website:
   Add .publish-skill.json to repo root: { "name": "my-tool" }
@@ -172,7 +187,7 @@ Skill publish to website:
   After release, SKILL.md is copied to {website}/wip.computer/install/{name}.txt
   and deploy.sh is run to push to VPS.
 
-Pipeline:
+Pipeline (stable):
   1. Bump package.json version
   2. Sync SKILL.md version (if exists)
   3. Update CHANGELOG.md
@@ -181,23 +196,64 @@ Pipeline:
   6. npm publish (via 1Password)
   7. GitHub Packages publish
   8. GitHub release create
-  9. Publish SKILL.md to website (if configured)`);
+  9. Publish SKILL.md to website (if configured)
+
+Pipeline (alpha/beta):
+  1. Bump version with prerelease suffix (-alpha.N / -beta.N)
+  2. npm publish with --tag alpha or --tag beta
+  3. GitHub prerelease (beta default, alpha opt-in)
+
+Pipeline (hotfix):
+  1. Bump patch version (no suffix)
+  2. npm publish with --tag latest
+  3. GitHub release (no deploy-public)`);
   process.exit(level ? 0 : 1);
 }
 
-release({
-  repoPath: process.cwd(),
-  level,
-  notes,
-  notesSource,
-  dryRun,
-  noPublish,
-  skipProductCheck,
-  skipStaleCheck,
-  skipWorktreeCheck,
-  skipTechDocsCheck,
-  skipCoverageCheck,
-}).catch(err => {
-  console.error(`  ✗ ${err.message}`);
-  process.exit(1);
-});
+// Route to the correct release function based on track
+if (level === 'alpha' || level === 'beta') {
+  // Prerelease track: alpha or beta
+  releasePrerelease({
+    repoPath: process.cwd(),
+    track: level,
+    notes,
+    dryRun,
+    noPublish,
+    publishReleaseNotes: level === 'alpha' ? wantReleaseNotes : !noReleaseNotes,
+  }).catch(err => {
+    console.error(`  \u2717 ${err.message}`);
+    process.exit(1);
+  });
+} else if (level === 'hotfix') {
+  // Hotfix track: patch bump, @latest tag, no deploy-public
+  releaseHotfix({
+    repoPath: process.cwd(),
+    notes,
+    notesSource,
+    dryRun,
+    noPublish,
+    publishReleaseNotes: !noReleaseNotes,
+    skipWorktreeCheck,
+  }).catch(err => {
+    console.error(`  \u2717 ${err.message}`);
+    process.exit(1);
+  });
+} else {
+  // Stable track: patch, minor, major
+  release({
+    repoPath: process.cwd(),
+    level,
+    notes,
+    notesSource,
+    dryRun,
+    noPublish,
+    skipProductCheck,
+    skipStaleCheck,
+    skipWorktreeCheck,
+    skipTechDocsCheck,
+    skipCoverageCheck,
+  }).catch(err => {
+    console.error(`  \u2717 ${err.message}`);
+    process.exit(1);
+  });
+}

package/tools/wip-release/core.mjs

@@ -34,6 +34,37 @@ export function bumpSemver(version, level) {
   }
 }
 
+/**
+ * Bump a version string for prerelease tracks (alpha, beta).
+ *
+ * If the current version already has the same prerelease prefix,
+ * increment the counter: 1.2.3-alpha.1 -> 1.2.3-alpha.2
+ *
+ * If the current version is a clean release or a different prerelease,
+ * bump patch and start at .1: 1.2.3 -> 1.2.4-alpha.1
+ */
+export function bumpPrerelease(version, track) {
+  // Check if current version already has this prerelease prefix
+  const preMatch = version.match(new RegExp(`^(\\d+\\.\\d+\\.\\d+)-${track}\\.(\\d+)$`));
+  if (preMatch) {
+    // Same track: increment the counter
+    const base = preMatch[1];
+    const counter = parseInt(preMatch[2], 10);
+    return `${base}-${track}.${counter + 1}`;
+  }
+
+  // Strip any existing prerelease suffix to get the base version
+  const baseMatch = version.match(/^(\d+)\.(\d+)\.(\d+)/);
+  if (!baseMatch) throw new Error(`Cannot parse version: ${version}`);
+
+  const major = parseInt(baseMatch[1], 10);
+  const minor = parseInt(baseMatch[2], 10);
+  const patch = parseInt(baseMatch[3], 10);
+
+  // Bump patch and start prerelease at .1
+  return `${major}.${minor}.${patch + 1}-${track}.1`;
+}
+
 /**
  * Write new version to package.json.
  */
@@ -200,6 +231,18 @@ export function publishNpm(repoPath) {
   ], { cwd: repoPath, stdio: 'inherit' });
 }
 
+/**
+ * Publish to npm with a specific dist-tag (alpha, beta, latest).
+ */
+export function publishNpmWithTag(repoPath, tag) {
+  const token = getNpmToken();
+  execFileSync('npm', [
+    'publish', '--access', 'public',
+    '--tag', tag,
+    `--//registry.npmjs.org/:_authToken=${token}`
+  ], { cwd: repoPath, stdio: 'inherit' });
+}
+
 /**
  * Publish to GitHub Packages.
  */
@@ -1018,6 +1061,61 @@ export function createGitHubRelease(repoPath, newVersion, notes, currentVersion)
   }
 }
 
+/**
+ * Create a GitHub prerelease on the PUBLIC repo (no code sync).
+ * Used by alpha (opt-in) and beta (default) tracks.
+ */
+export function createGitHubPrerelease(repoPath, newVersion, notes) {
+  const repoSlug = detectRepoSlug(repoPath);
+  if (!repoSlug) throw new Error('Cannot detect repo slug from git remote');
+
+  // Target the public repo (strip -private suffix)
+  const publicSlug = repoSlug.replace(/-private$/, '');
+  const body = notes || `Prerelease ${newVersion}`;
+
+  const tmpFile = join(repoPath, '.release-notes-tmp.md');
+  writeFileSync(tmpFile, body);
+
+  try {
+    execFileSync('gh', [
+      'release', 'create', `v${newVersion}`,
+      '--title', `v${newVersion}`,
+      '--notes-file', '.release-notes-tmp.md',
+      '--prerelease',
+      '--repo', publicSlug
+    ], { cwd: repoPath, stdio: 'inherit' });
+  } finally {
+    try { execFileSync('rm', ['-f', tmpFile]); } catch {}
+  }
+}
+
+/**
+ * Create a GitHub release on the PUBLIC repo (no code sync).
+ * Used by the hotfix track.
+ */
+export function createGitHubReleaseOnPublic(repoPath, newVersion, notes, currentVersion) {
+  const repoSlug = detectRepoSlug(repoPath);
+  if (!repoSlug) throw new Error('Cannot detect repo slug from git remote');
+
+  // Target the public repo (strip -private suffix)
+  const publicSlug = repoSlug.replace(/-private$/, '');
+  const body = buildReleaseNotes(repoPath, currentVersion, newVersion, notes);
+
+  const tmpFile = join(repoPath, '.release-notes-tmp.md');
+  writeFileSync(tmpFile, body);
+
+  try {
+    execFileSync('gh', [
+      'release', 'create', `v${newVersion}`,
+      '--title', `v${newVersion}`,
+      '--notes-file', '.release-notes-tmp.md',
+      '--repo', publicSlug
+    ], { cwd: repoPath, stdio: 'inherit' });
+  } finally {
+    try { execFileSync('rm', ['-f', tmpFile]); } catch {}
+  }
+}
+
 /**
  * Publish skill to ClawHub.
  */
@@ -1900,3 +1998,371 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
 
   return { currentVersion, newVersion, dryRun: false };
 }
+
+// ── Prerelease Track (Alpha / Beta) ────────────────────────────────
+
+/**
+ * Release an alpha or beta prerelease.
+ *
+ * Alpha: npm @alpha, no public release notes by default (opt in with publishReleaseNotes).
+ * Beta:  npm @beta, prerelease notes on public repo by default (opt out with publishReleaseNotes=false).
+ *
+ * No deploy-public. No code sync. No CHANGELOG gate. No product docs gate.
+ * Lightweight: bump version, npm publish with tag, optional GitHub prerelease.
+ */
+export async function releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes }) {
+  repoPath = repoPath || process.cwd();
+  const currentVersion = detectCurrentVersion(repoPath);
+  const newVersion = bumpPrerelease(currentVersion, track);
+  const repoName = basename(repoPath);
+
+  console.log('');
+  console.log(`  ${repoName}: ${currentVersion} -> ${newVersion} (${track})`);
+  console.log(`  ${'─'.repeat(40)}`);
+
+  if (dryRun) {
+    console.log(`  [dry run] Would bump package.json to ${newVersion}`);
+    if (!noPublish) {
+      console.log(`  [dry run] Would npm publish with --tag ${track}`);
+      if (publishReleaseNotes) {
+        console.log(`  [dry run] Would create GitHub prerelease v${newVersion} on public repo`);
+      } else {
+        console.log(`  [dry run] No GitHub prerelease (silent)`);
+      }
+    }
+    console.log('');
+    console.log(`  Dry run complete. No changes made.`);
+    console.log('');
+    return { currentVersion, newVersion, dryRun: true };
+  }
+
+  // 1. Bump package.json
+  writePackageVersion(repoPath, newVersion);
+  console.log(`  \u2713 package.json -> ${newVersion}`);
+
+  // 2. Update CHANGELOG.md (lightweight entry)
+  updateChangelog(repoPath, newVersion, notes || `${track} prerelease`);
+  console.log(`  \u2713 CHANGELOG.md updated`);
+
+  // 3. Git commit + tag
+  const msg = `v${newVersion}: ${track} prerelease`;
+  for (const f of ['package.json', 'CHANGELOG.md']) {
+    if (existsSync(join(repoPath, f))) {
+      execFileSync('git', ['add', f], { cwd: repoPath, stdio: 'pipe' });
+    }
+  }
+  execFileSync('git', ['commit', '--no-verify', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
+  execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
+  console.log(`  \u2713 Committed and tagged v${newVersion}`);
+
+  // 4. Push commit + tag
+  try {
+    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  \u2713 Pushed to remote`);
+  } catch {
+    console.log(`  ! Push failed. Push manually.`);
+  }
+
+  const distResults = [];
+
+  if (!noPublish) {
+    // 5. npm publish with dist-tag
+    try {
+      publishNpmWithTag(repoPath, track);
+      const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+      distResults.push({ target: 'npm', status: 'ok', detail: `${pkg.name}@${newVersion} (tag: ${track})` });
+      console.log(`  \u2713 Published to npm @${track}`);
+    } catch (e) {
+      distResults.push({ target: 'npm', status: 'failed', detail: e.message });
+      console.log(`  \u2717 npm publish failed: ${e.message}`);
+    }
+
+    // 6. GitHub prerelease on public repo (if opted in)
+    if (publishReleaseNotes) {
+      try {
+        createGitHubPrerelease(repoPath, newVersion, notes || `${track} prerelease`);
+        distResults.push({ target: 'GitHub', status: 'ok', detail: `v${newVersion} (prerelease)` });
+        console.log(`  \u2713 GitHub prerelease v${newVersion} created on public repo`);
+      } catch (e) {
+        distResults.push({ target: 'GitHub', status: 'failed', detail: e.message });
+        console.log(`  \u2717 GitHub prerelease failed: ${e.message}`);
+      }
+    } else {
+      console.log(`  - GitHub prerelease: skipped (silent ${track})`);
+    }
+  }
+
+  // Distribution summary
+  if (distResults.length > 0) {
+    console.log('');
+    console.log('  Distribution:');
+    for (const r of distResults) {
+      const icon = r.status === 'ok' ? '\u2713' : '\u2717';
+      console.log(`    ${icon} ${r.target}: ${r.detail}`);
+    }
+  }
+
+  console.log('');
+  console.log(`  Done. ${repoName} v${newVersion} (${track}) released.`);
+  console.log('');
+
+  return { currentVersion, newVersion, dryRun: false };
+}
+
+// ── Hotfix Track ────────────────────────────────────────────────────
+
+/**
+ * Release a hotfix.
+ *
+ * Same as stable patch but: no deploy-public, no code sync.
+ * Publishes to npm @latest, creates GitHub release on public repo (opt out with publishReleaseNotes=false).
+ *
+ * Lighter gates than stable: no product docs check, no stale branch check.
+ * Still runs: worktree guard, license compliance, tests.
+ */
+export async function releaseHotfix({ repoPath, notes, notesSource, dryRun, noPublish, publishReleaseNotes, skipWorktreeCheck }) {
+  repoPath = repoPath || process.cwd();
+  const currentVersion = detectCurrentVersion(repoPath);
+  const newVersion = bumpSemver(currentVersion, 'patch');
+  const repoName = basename(repoPath);
+
+  console.log('');
+  console.log(`  ${repoName}: ${currentVersion} -> ${newVersion} (hotfix)`);
+  console.log(`  ${'─'.repeat(40)}`);
+
+  // Worktree guard
+  if (!skipWorktreeCheck) {
+    try {
+      const gitDir = execFileSync('git', ['rev-parse', '--git-dir'], {
+        cwd: repoPath, encoding: 'utf8'
+      }).trim();
+      if (gitDir.includes('/worktrees/')) {
+        const worktreeList = execFileSync('git', ['worktree', 'list', '--porcelain'], {
+          cwd: repoPath, encoding: 'utf8'
+        });
+        const mainWorktree = worktreeList.split('\n')
+          .find(line => line.startsWith('worktree '));
+        const mainPath = mainWorktree ? mainWorktree.replace('worktree ', '') : '(unknown)';
+        console.log(`  \u2717 wip-release must run from the main working tree, not a worktree.`);
+        console.log(`    Current: ${repoPath}`);
+        console.log(`    Main working tree: ${mainPath}`);
+        console.log('');
+        return { currentVersion, newVersion, dryRun: false, failed: true };
+      }
+      console.log('  \u2713 Running from main working tree');
+    } catch {}
+  }
+
+  // License compliance gate
+  const configPath = join(repoPath, '.license-guard.json');
+  if (existsSync(configPath)) {
+    const config = JSON.parse(readFileSync(configPath, 'utf8'));
+    const licenseIssues = [];
+    const licensePath = join(repoPath, 'LICENSE');
+    if (!existsSync(licensePath)) {
+      licenseIssues.push('LICENSE file is missing');
+    } else {
+      const licenseText = readFileSync(licensePath, 'utf8');
+      if (!licenseText.includes(config.copyright)) {
+        licenseIssues.push(`LICENSE copyright does not match "${config.copyright}"`);
+      }
+    }
+    if (licenseIssues.length > 0) {
+      console.log(`  \u2717 License compliance failed:`);
+      for (const issue of licenseIssues) console.log(`    - ${issue}`);
+      console.log('');
+      return { currentVersion, newVersion, dryRun: false, failed: true };
+    }
+    console.log(`  \u2713 License compliance passed`);
+  }
+
+  // Release notes: hotfix accepts --notes flag as convenience (no file-only gate)
+  if (!notes) {
+    console.log(`  ! No release notes provided. Hotfix will have minimal notes.`);
+    notes = 'Hotfix release.';
+  }
+
+  // Run tests if they exist
+  {
+    const toolsDir = join(repoPath, 'tools');
+    const testFiles = [];
+    if (existsSync(toolsDir)) {
+      for (const sub of readdirSync(toolsDir)) {
+        const testPath = join(toolsDir, sub, 'test.sh');
+        if (existsSync(testPath)) testFiles.push({ tool: sub, path: testPath });
+      }
+    }
+    const rootTest = join(repoPath, 'test.sh');
+    if (existsSync(rootTest)) testFiles.push({ tool: '(root)', path: rootTest });
+
+    if (testFiles.length > 0) {
+      let allPassed = true;
+      for (const { tool, path } of testFiles) {
+        try {
+          execFileSync('bash', [path], { cwd: dirname(path), stdio: 'pipe', timeout: 30000 });
+          console.log(`  \u2713 Tests passed: ${tool}`);
+        } catch (e) {
+          allPassed = false;
+          console.log(`  \u2717 Tests FAILED: ${tool}`);
+          const output = (e.stdout || '').toString().trim();
+          if (output) {
+            for (const line of output.split('\n').slice(-5)) console.log(`    ${line}`);
+          }
+        }
+      }
+      if (!allPassed) {
+        console.log('');
+        console.log('  Fix failing tests before releasing.');
+        console.log('');
+        return { currentVersion, newVersion, dryRun: false, failed: true };
+      }
+    }
+  }
+
+  if (dryRun) {
+    console.log(`  [dry run] Would bump package.json to ${newVersion}`);
+    console.log(`  [dry run] Would update CHANGELOG.md`);
+    if (!noPublish) {
+      console.log(`  [dry run] Would npm publish with --tag latest`);
+      if (publishReleaseNotes) {
+        console.log(`  [dry run] Would create GitHub release v${newVersion} on public repo`);
+      } else {
+        console.log(`  [dry run] No GitHub release (--no-release-notes)`);
+      }
+      console.log(`  [dry run] No deploy-public (hotfix)`);
+    }
+    console.log('');
+    console.log(`  Dry run complete. No changes made.`);
+    console.log('');
+    return { currentVersion, newVersion, dryRun: true };
+  }
+
+  // 1. Bump package.json
+  writePackageVersion(repoPath, newVersion);
+  console.log(`  \u2713 package.json -> ${newVersion}`);
+
+  // 1.5. Bump sub-tool versions
+  const toolsDir = join(repoPath, 'tools');
+  if (existsSync(toolsDir)) {
+    let subBumped = 0;
+    try {
+      const entries = readdirSync(toolsDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const subPkgPath = join(toolsDir, entry.name, 'package.json');
+        if (existsSync(subPkgPath)) {
+          try {
+            const subPkg = JSON.parse(readFileSync(subPkgPath, 'utf8'));
+            subPkg.version = newVersion;
+            writeFileSync(subPkgPath, JSON.stringify(subPkg, null, 2) + '\n');
+            subBumped++;
+          } catch {}
+        }
+      }
+    } catch {}
+    if (subBumped > 0) {
+      console.log(`  \u2713 ${subBumped} sub-tool(s) -> ${newVersion}`);
+    }
+  }
+
+  // 2. Sync SKILL.md
+  if (syncSkillVersion(repoPath, newVersion)) {
+    console.log(`  \u2713 SKILL.md -> ${newVersion}`);
+  }
+
+  // 3. Update CHANGELOG.md
+  updateChangelog(repoPath, newVersion, notes);
+  console.log(`  \u2713 CHANGELOG.md updated`);
+
+  // 3.5. Move RELEASE-NOTES-v*.md to _trash/
+  const trashed = trashReleaseNotes(repoPath);
+  if (trashed > 0) {
+    console.log(`  \u2713 Moved ${trashed} RELEASE-NOTES file(s) to _trash/`);
+  }
+
+  // 4. Git commit + tag
+  gitCommitAndTag(repoPath, newVersion, notes);
+  console.log(`  \u2713 Committed and tagged v${newVersion}`);
+
+  // 5. Push commit + tag
+  try {
+    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  \u2713 Pushed to remote`);
+  } catch {
+    console.log(`  ! Push failed. Push manually.`);
+  }
+
+  const distResults = [];
+
+  if (!noPublish) {
+    // 6. npm publish with @latest tag
+    try {
+      publishNpmWithTag(repoPath, 'latest');
+      const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+      distResults.push({ target: 'npm', status: 'ok', detail: `${pkg.name}@${newVersion}` });
+      console.log(`  \u2713 Published to npm @latest`);
+    } catch (e) {
+      distResults.push({ target: 'npm', status: 'failed', detail: e.message });
+      console.log(`  \u2717 npm publish failed: ${e.message}`);
+    }
+
+    // 7. GitHub release on public repo (not prerelease)
+    if (publishReleaseNotes) {
+      try {
+        createGitHubReleaseOnPublic(repoPath, newVersion, notes, currentVersion);
+        distResults.push({ target: 'GitHub', status: 'ok', detail: `v${newVersion}` });
+        console.log(`  \u2713 GitHub release v${newVersion} created on public repo`);
+      } catch (e) {
+        distResults.push({ target: 'GitHub', status: 'failed', detail: e.message });
+        console.log(`  \u2717 GitHub release failed: ${e.message}`);
+      }
+    } else {
+      console.log(`  - GitHub release: skipped (--no-release-notes)`);
+    }
+
+    // No deploy-public for hotfix
+    console.log(`  - deploy-public: skipped (hotfix)`);
+
+    // 8. ClawHub skill publish
+    const rootSkill = join(repoPath, 'SKILL.md');
+    if (existsSync(rootSkill)) {
+      try {
+        publishClawHub(repoPath, newVersion, notes);
+        const slug = detectSkillSlug(repoPath);
+        distResults.push({ target: 'ClawHub', status: 'ok', detail: `${slug}@${newVersion}` });
+        console.log(`  \u2713 Published to ClawHub: ${slug}`);
+      } catch (e) {
+        distResults.push({ target: 'ClawHub', status: 'failed', detail: e.message });
+        console.log(`  \u2717 ClawHub publish failed: ${e.message}`);
+      }
+    }
+  }
+
+  // Distribution summary
+  if (distResults.length > 0) {
+    console.log('');
+    console.log('  Distribution:');
+    for (const r of distResults) {
+      const icon = r.status === 'ok' ? '\u2713' : '\u2717';
+      console.log(`    ${icon} ${r.target}: ${r.detail}`);
+    }
+  }
+
+  // Write release marker
+  try {
+    const markerDir = join(process.env.HOME || '', '.ldm', 'state');
+    mkdirSync(markerDir, { recursive: true });
+    writeFileSync(join(markerDir, '.last-release'), JSON.stringify({
+      repo: repoName,
+      version: newVersion,
+      timestamp: new Date().toISOString(),
+      track: 'hotfix',
+    }) + '\n');
+  } catch {}
+
+  console.log('');
+  console.log(`  Done. ${repoName} v${newVersion} (hotfix) released.`);
+  console.log('');
+
+  return { currentVersion, newVersion, dryRun: false };
+}

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",

package/tools/wip-repo-init/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-init",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "description": "Scaffold the standard ai/ directory structure in any repo",
   "type": "module",
   "bin": {

package/tools/wip-repo-permissions-hook/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repo-permissions-hook",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "type": "module",
   "description": "Repo visibility guard. Blocks repos from going public without a -private counterpart.",
   "main": "core.mjs",

package/tools/wip-repos/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-repos",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "type": "module",
   "description": "Repo manifest reconciler. Single source of truth for repo organization. Like prettier for folder structure.",
   "main": "core.mjs",

package/tools/wip-universal-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/universal-installer",
-  "version": "1.9.67",
+  "version": "1.9.68",
   "type": "module",
   "description": "The Universal Interface specification for agent-native software. Teaches your AI how to build repos with every interface: CLI, Module, MCP Server, OpenClaw Plugin, Skill, Claude Code Hook.",
   "main": "detect.mjs",