@wipcomputer/wip-release 1.1.1 → 1.2.2

package/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 
 
+
+
+## 1.2.2 (2026-02-21)
+
+Fix ClawHub display name and slug detection. Harden command injection fix.
+
+## 1.2.0 (2026-02-21)
+
+Add ClawHub publish as step 9 in release pipeline. Fix command injection by replacing execSync with execFileSync argument arrays. Declare required binaries and secrets in SKILL.md metadata.
+
 ## 1.1.1 (2026-02-21)
 
 Fix npm bin entry: rename cli.mjs to cli.js

package/README.md

@@ -1,5 +1,8 @@
 ###### WIP Computer
-# wip-release
+
+[![npm](https://img.shields.io/npm/v/@wipcomputer/wip-release)](https://www.npmjs.com/package/@wipcomputer/wip-release) [![CLI / TUI](https://img.shields.io/badge/interface-CLI_/_TUI-black)](https://github.com/wipcomputer/wip-release/blob/main/cli.js) [![OpenClaw Skill](https://img.shields.io/badge/interface-OpenClaw_Skill-black)](https://clawhub.ai/parkertoddbrooks/wip-release) [![Claude Code Skill](https://img.shields.io/badge/interface-Claude_Code_Skill-black)](https://github.com/wipcomputer/wip-release/blob/main/SKILL.md) [![Universal Interface Spec](https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black)](https://github.com/wipcomputer/wip-universal-installer/blob/main/SPEC.md)
+
+# WIP.release
 
 You ship a fix. Now you have to bump package.json, update CHANGELOG.md, sync the version in SKILL.md, commit, tag, push, publish to npm, publish to GitHub Packages, and create a GitHub release. Every time. Miss a step and versions drift.
 
@@ -24,6 +27,8 @@ Then ask me:
 
 Your agent will read the repo, explain the tool, and walk you through integration interactively.
 
+Also see **[wip-file-guard](https://github.com/wipcomputer/wip-file-guard)** ... the lock for the repo. Blocks AI agents from overwriting your critical files.
+
 See [REFERENCE.md](REFERENCE.md) for full usage, pipeline steps, flags, auth, and module API.
 
 ---

package/REFERENCE.md

@@ -30,6 +30,7 @@ wip-release patch --no-publish                 # bump + tag only
   ✓ Published to npm
   ✓ Published to GitHub Packages
   ✓ GitHub release v1.0.1 created
+  ✓ Published to ClawHub
 
   Done. wip-grok v1.0.1 released.
 ```
@@ -44,6 +45,7 @@ wip-release patch --no-publish                 # bump + tag only
 6. **npm publish** ... publishes to npmjs.com (auth via 1Password)
 7. **GitHub Packages** ... publishes to npm.pkg.github.com
 8. **GitHub release** ... creates release with changelog notes
+9. **ClawHub publish** ... publishes skill to ClawHub (if SKILL.md exists)
 
 ## Flags
 
@@ -62,6 +64,7 @@ Requires:
 - 1Password SA token at `~/.openclaw/secrets/op-sa-token`
 - "npm Token" item in "Agent Secrets" vault
 - `gh` CLI authenticated (for GitHub Packages and releases)
+- `clawhub` CLI authenticated (for ClawHub skill publishing)
 
 ## As a Module
 
@@ -94,3 +97,4 @@ await release({
 | `publishGitHubPackages(repoPath)` | Publish to npm.pkg.github.com |
 | `createGitHubRelease(repoPath, newVersion, notes, currentVersion)` | Create GitHub release with rich notes |
 | `buildReleaseNotes(repoPath, currentVersion, newVersion, notes)` | Generate detailed release notes |
+| `publishClawHub(repoPath, newVersion, notes)` | Publish skill to ClawHub |

package/SKILL.md

@@ -1,6 +1,6 @@
 ---
-name: wip-release
-version: 1.1.1
+name: WIP.release
+version: 1.2.2
 description: Local release tool. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.
 homepage: https://github.com/wipcomputer/wip-release
 metadata:
@@ -13,6 +13,14 @@ metadata:
     - github-release
   dependencies: []
   interface: CLI
+  requires:
+    binaries: [git, npm, gh, op, clawhub]
+    secrets:
+      - path: ~/.openclaw/secrets/op-sa-token
+        description: 1Password service account token
+      - vault: Agent Secrets
+        item: npm Token
+        description: npm publish token
 openclaw:
   emoji: "🚀"
   install:
@@ -42,7 +50,6 @@ Local release pipeline. One command bumps version, updates all docs, publishes e
 
 - Pre-release / alpha versions (not yet supported)
 - Repos without a package.json
-- Publishing to ClawHub (separate step)
 
 ## API Reference
 

package/core.mjs

@@ -5,7 +5,7 @@
  * Zero dependencies.
  */
 
-import { execSync } from 'node:child_process';
+import { execSync, execFileSync } from 'node:child_process';
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join, basename } from 'node:path';
 
@@ -97,9 +97,15 @@ export function updateChangelog(repoPath, newVersion, notes) {
 
 function gitCommitAndTag(repoPath, newVersion, notes) {
   const msg = `v${newVersion}: ${notes || 'Release'}`;
-  execSync(`git add package.json CHANGELOG.md SKILL.md 2>/dev/null; git add package.json CHANGELOG.md`, { cwd: repoPath, stdio: 'pipe' });
-  execSync(`git commit -m "${msg.replace(/"/g, '\\"')}"`, { cwd: repoPath, stdio: 'pipe' });
-  execSync(`git tag v${newVersion}`, { cwd: repoPath, stdio: 'pipe' });
+  // Stage known files (ignore missing ones)
+  for (const f of ['package.json', 'CHANGELOG.md', 'SKILL.md']) {
+    if (existsSync(join(repoPath, f))) {
+      execFileSync('git', ['add', f], { cwd: repoPath, stdio: 'pipe' });
+    }
+  }
+  // Use execFileSync to avoid shell injection via notes
+  execFileSync('git', ['commit', '-m', msg], { cwd: repoPath, stdio: 'pipe' });
+  execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
 }
 
 // ── Publish ─────────────────────────────────────────────────────────
@@ -109,10 +115,10 @@ function gitCommitAndTag(repoPath, newVersion, notes) {
  */
 export function publishNpm(repoPath) {
   const token = getNpmToken();
-  execSync(
-    `npm publish --access public --//registry.npmjs.org/:_authToken="${token}"`,
-    { cwd: repoPath, stdio: 'inherit' }
-  );
+  execFileSync('npm', [
+    'publish', '--access', 'public',
+    `--//registry.npmjs.org/:_authToken=${token}`
+  ], { cwd: repoPath, stdio: 'inherit' });
 }
 
 /**
@@ -120,10 +126,11 @@ export function publishNpm(repoPath) {
  */
 export function publishGitHubPackages(repoPath) {
   const ghToken = execSync('gh auth token', { encoding: 'utf8' }).trim();
-  execSync(
-    `npm publish --registry https://npm.pkg.github.com --//npm.pkg.github.com/:_authToken="${ghToken}"`,
-    { cwd: repoPath, stdio: 'inherit' }
-  );
+  execFileSync('npm', [
+    'publish',
+    '--registry', 'https://npm.pkg.github.com',
+    `--//npm.pkg.github.com/:_authToken=${ghToken}`
+  ], { cwd: repoPath, stdio: 'inherit' });
 }
 
 /**
@@ -145,17 +152,15 @@ export function buildReleaseNotes(repoPath, currentVersion, newVersion, notes) {
   const prevTag = `v${currentVersion}`;
   let commits = '';
   try {
-    commits = execSync(
-      `git log ${prevTag}..HEAD --pretty=format:"- %s (%h)" 2>/dev/null`,
-      { cwd: repoPath, encoding: 'utf8' }
-    ).trim();
+    commits = execFileSync('git', [
+      'log', `${prevTag}..HEAD`, '--pretty=format:- %s (%h)'
+    ], { cwd: repoPath, encoding: 'utf8' }).trim();
   } catch {
     // No previous tag ... show all commits on branch
     try {
-      commits = execSync(
-        `git log --pretty=format:"- %s (%h)" -20`,
-        { cwd: repoPath, encoding: 'utf8' }
-      ).trim();
+      commits = execFileSync('git', [
+        'log', '--pretty=format:- %s (%h)', '-20'
+      ], { cwd: repoPath, encoding: 'utf8' }).trim();
     } catch {}
   }
 
@@ -168,10 +173,9 @@ export function buildReleaseNotes(repoPath, currentVersion, newVersion, notes) {
   // Files changed
   let filesChanged = '';
   try {
-    filesChanged = execSync(
-      `git diff ${prevTag}..HEAD --stat 2>/dev/null`,
-      { cwd: repoPath, encoding: 'utf8' }
-    ).trim();
+    filesChanged = execFileSync('git', [
+      'diff', `${prevTag}..HEAD`, '--stat'
+    ], { cwd: repoPath, encoding: 'utf8' }).trim();
   } catch {}
 
   if (filesChanged) {
@@ -216,15 +220,36 @@ export function createGitHubRelease(repoPath, newVersion, notes, currentVersion)
   writeFileSync(tmpFile, body);
 
   try {
-    execSync(
-      `gh release create v${newVersion} --title "v${newVersion}" --notes-file .release-notes-tmp.md --repo ${repoSlug}`,
-      { cwd: repoPath, stdio: 'inherit' }
-    );
+    execFileSync('gh', [
+      'release', 'create', `v${newVersion}`,
+      '--title', `v${newVersion}`,
+      '--notes-file', '.release-notes-tmp.md',
+      '--repo', repoSlug
+    ], { cwd: repoPath, stdio: 'inherit' });
   } finally {
-    try { execSync(`rm -f "${tmpFile}"`); } catch {}
+    try { execFileSync('rm', ['-f', tmpFile]); } catch {}
   }
 }
 
+/**
+ * Publish skill to ClawHub.
+ */
+export function publishClawHub(repoPath, newVersion, notes) {
+  const skillPath = join(repoPath, 'SKILL.md');
+  if (!existsSync(skillPath)) return false;
+
+  const slug = detectSkillSlug(repoPath);
+  const changelog = notes || 'Release.';
+
+  execFileSync('clawhub', [
+    'publish', repoPath,
+    '--slug', slug,
+    '--version', newVersion,
+    '--changelog', changelog
+  ], { cwd: repoPath, stdio: 'inherit' });
+  return true;
+}
+
 // ── Helpers ──────────────────────────────────────────────────────────
 
 function getNpmToken() {
@@ -238,6 +263,12 @@ function getNpmToken() {
   }
 }
 
+function detectSkillSlug(repoPath) {
+  // Slug must be lowercase and url-safe. Use directory name, not SKILL.md name
+  // (SKILL.md name can be display-formatted like "WIP.release").
+  return basename(repoPath).toLowerCase();
+}
+
 function detectRepoSlug(repoPath) {
   try {
     const url = execSync('git remote get-url origin', { cwd: repoPath, encoding: 'utf8' }).trim();
@@ -265,15 +296,16 @@ export async function release({ repoPath, level, notes, dryRun, noPublish }) {
   console.log(`  ${'─'.repeat(40)}`);
 
   if (dryRun) {
+    const hasSkill = existsSync(join(repoPath, 'SKILL.md'));
     console.log(`  [dry run] Would bump package.json to ${newVersion}`);
-    const skillPath = join(repoPath, 'SKILL.md');
-    if (existsSync(skillPath)) console.log(`  [dry run] Would update SKILL.md version`);
+    if (hasSkill) console.log(`  [dry run] Would update SKILL.md version`);
     console.log(`  [dry run] Would update CHANGELOG.md`);
     console.log(`  [dry run] Would commit and tag v${newVersion}`);
     if (!noPublish) {
       console.log(`  [dry run] Would publish to npm (@wipcomputer scope)`);
       console.log(`  [dry run] Would publish to GitHub Packages`);
       console.log(`  [dry run] Would create GitHub release v${newVersion}`);
+      if (hasSkill) console.log(`  [dry run] Would publish to ClawHub`);
     }
     console.log('');
     console.log(`  Dry run complete. No changes made.`);
@@ -330,6 +362,17 @@ export async function release({ repoPath, level, notes, dryRun, noPublish }) {
     } catch (e) {
       console.log(`  ✗ GitHub release failed: ${e.message}`);
     }
+
+    // 9. ClawHub skill publish
+    const skillPath = join(repoPath, 'SKILL.md');
+    if (existsSync(skillPath)) {
+      try {
+        publishClawHub(repoPath, newVersion, notes);
+        console.log(`  ✓ Published to ClawHub`);
+      } catch (e) {
+        console.log(`  ✗ ClawHub publish failed: ${e.message}`);
+      }
+    }
   }
 
   console.log('');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.1.1",
+  "version": "1.2.2",
   "type": "module",
   "description": "Local release tool. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",