@wipcomputer/wip-release 1.9.73 → 1.9.75

package/cli.js

@@ -24,6 +24,7 @@ const skipWorktreeCheck = args.includes('--skip-worktree-check');
 const skipTechDocsCheck = args.includes('--skip-tech-docs-check');
 const skipCoverageCheck = args.includes('--skip-coverage-check');
 const allowSubToolDrift = args.includes('--allow-sub-tool-drift');
+const noDeployPublic = args.includes('--no-deploy-public');
 const wantReleaseNotes = args.includes('--release-notes');
 const noReleaseNotes = args.includes('--no-release-notes');
 const notesFilePath = flag('notes-file');
@@ -174,6 +175,7 @@ Flags:
   --skip-stale-check       Skip stale remote branch check
   --skip-worktree-check    Skip main-branch + worktree guard (break-glass only)
   --allow-sub-tool-drift   Allow release even if a sub-tool's files changed since the last tag without a version bump (error by default)
+  --no-deploy-public       Skip the deploy-public.sh step at the end of stable and prerelease flows (runs by default for -private repos)
 
 Release notes (REQUIRED for stable, optional for other tracks):
   1. --notes-file=path          Explicit file path
@@ -224,6 +226,7 @@ if (level === 'alpha' || level === 'beta') {
     publishReleaseNotes: level === 'alpha' ? wantReleaseNotes : !noReleaseNotes,
     skipWorktreeCheck,
     allowSubToolDrift,
+    noDeployPublic,
   }).catch(err => {
     console.error(`  \u2717 ${err.message}`);
     process.exit(1);
@@ -258,6 +261,7 @@ if (level === 'alpha' || level === 'beta') {
     skipTechDocsCheck,
     skipCoverageCheck,
     allowSubToolDrift,
+    noDeployPublic,
   }).catch(err => {
     console.error(`  \u2717 ${err.message}`);
     process.exit(1);

package/core.mjs

@@ -1408,6 +1408,67 @@ function enforceMainBranchGuard(repoPath, skipWorktreeCheck) {
  * Related: `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md`
  * Phase 8.
  */
+/**
+ * Phase 5: Auto-bump sub-tool patch versions when their files changed since last tag.
+ * Called before validateSubToolVersions so drift is fixed before validation runs.
+ * Returns the number of sub-tools bumped.
+ */
+function autoFixSubToolVersions(repoPath) {
+  const toolsDir = join(repoPath, 'tools');
+  if (!existsSync(toolsDir)) return 0;
+  let lastTag = null;
+  try {
+    lastTag = execFileSync('git', ['describe', '--tags', '--abbrev=0'], {
+      cwd: repoPath, encoding: 'utf8'
+    }).trim();
+  } catch {
+    return 0;
+  }
+  if (!lastTag) return 0;
+
+  let bumped = 0;
+  let entries;
+  try {
+    entries = readdirSync(toolsDir, { withFileTypes: true });
+  } catch {
+    return 0;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    const subDir = `tools/${entry.name}`;
+    const subPkgPath = join(toolsDir, entry.name, 'package.json');
+    if (!existsSync(subPkgPath)) continue;
+    try {
+      const diff = execFileSync('git', ['diff', '--name-only', lastTag, 'HEAD', '--', subDir], {
+        cwd: repoPath, encoding: 'utf8'
+      }).trim();
+      if (!diff) continue;
+      const subPkg = JSON.parse(readFileSync(subPkgPath, 'utf8'));
+      const currentSubVersion = subPkg.version;
+      let oldSubVersion = null;
+      try {
+        oldSubVersion = JSON.parse(
+          execFileSync('git', ['show', `${lastTag}:${subDir}/package.json`], {
+            cwd: repoPath, encoding: 'utf8'
+          })
+        ).version;
+      } catch {}
+      if (currentSubVersion === oldSubVersion) {
+        const parts = currentSubVersion.split('.');
+        parts[2] = String(Number(parts[2]) + 1);
+        const newSubVersion = parts.join('.');
+        subPkg.version = newSubVersion;
+        writeFileSync(subPkgPath, JSON.stringify(subPkg, null, 2) + '\n');
+        console.log(`  ✓ Auto-bumped ${entry.name}: ${currentSubVersion} -> ${newSubVersion}`);
+        bumped++;
+      }
+    } catch (err) {
+      console.log(`  ! Auto-bump failed for ${entry.name}: ${err.message}`);
+    }
+  }
+  return bumped;
+}
+
 function validateSubToolVersions(repoPath, allowSubToolDrift) {
   const toolsDir = join(repoPath, 'tools');
   if (!existsSync(toolsDir)) {
@@ -1626,6 +1687,79 @@ function logPushFailure(result, tag) {
   }
 }
 
+/**
+ * Resolve the public GitHub repo name for a private-to-public mirror setup.
+ *
+ * Strategy:
+ *   1. Read `origin` remote URL (e.g. git@github.com:owner/repo-private.git)
+ *   2. Strip `-private` suffix to get the public repo name
+ *   3. Return `owner/repo` format suitable for gh CLI
+ *
+ * Returns null if the remote URL cannot be parsed or the repo name does not
+ * end in `-private` (in which case the caller should skip deploy-public as a
+ * no-op rather than error).
+ */
+function resolvePublicRepoName(repoPath) {
+  try {
+    const remoteUrl = execFileSync('git', ['remote', 'get-url', 'origin'], {
+      cwd: repoPath, encoding: 'utf8'
+    }).trim();
+    // Match owner/repo from either SSH (git@github.com:owner/repo.git) or HTTPS
+    const match = remoteUrl.match(/github\.com[:/]([^/]+)\/(.+?)(\.git)?$/);
+    if (!match) return null;
+    const [, owner, repoName] = match;
+    if (!repoName.endsWith('-private')) {
+      return null;
+    }
+    return `${owner}/${repoName.replace(/-private$/, '')}`;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Run deploy-public.sh as the final step of the release pipeline.
+ *
+ * Previously deploy-public was a separate manual step. Every release that
+ * forgot it left the public mirror stale, so `ldm install` pulled old code
+ * from the public repo. Now wip-release invokes it automatically for stable
+ * and prerelease tracks (hotfix still skips, per prior convention).
+ *
+ * Callable with `--no-deploy-public` to opt out.
+ *
+ * Skips silently if:
+ *   - The repo has no tools/deploy-public/deploy-public.sh (not a toolbox-
+ *     style repo, or deploy-public is provided by a parent install)
+ *   - The origin remote is not a -private repo (no public mirror to sync)
+ *
+ * Related: `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md` Phase 6.
+ */
+function runDeployPublic(repoPath, { skip } = {}) {
+  if (skip) {
+    return { ok: true, skipped: true, reason: 'flag' };
+  }
+  const scriptPath = join(repoPath, 'tools', 'deploy-public', 'deploy-public.sh');
+  if (!existsSync(scriptPath)) {
+    return { ok: true, skipped: true, reason: 'no-script' };
+  }
+  const publicRepo = resolvePublicRepoName(repoPath);
+  if (!publicRepo) {
+    return { ok: true, skipped: true, reason: 'not-private-repo' };
+  }
+  try {
+    execFileSync('bash', [scriptPath, repoPath, publicRepo], {
+      cwd: repoPath, stdio: 'inherit',
+    });
+    return { ok: true, publicRepo };
+  } catch (err) {
+    return {
+      ok: false,
+      detail: String(err?.stderr ?? err?.message ?? err),
+      publicRepo,
+    };
+  }
+}
+
 function logMainBranchGuardFailure(result) {
   if (result.reason === 'linked-worktree') {
     console.log(`  \u2717 wip-release must run from the main working tree, not a worktree.`);
@@ -1645,7 +1779,7 @@ function logMainBranchGuardFailure(result) {
 /**
  * Run the full release pipeline.
  */
-export async function release({ repoPath, level, notes, notesSource, dryRun, noPublish, skipProductCheck, skipStaleCheck, skipWorktreeCheck, skipTechDocsCheck, skipCoverageCheck, allowSubToolDrift }) {
+export async function release({ repoPath, level, notes, notesSource, dryRun, noPublish, skipProductCheck, skipStaleCheck, skipWorktreeCheck, skipTechDocsCheck, skipCoverageCheck, allowSubToolDrift, noDeployPublic }) {
   repoPath = repoPath || process.cwd();
   const currentVersion = detectCurrentVersion(repoPath);
   const newVersion = bumpSemver(currentVersion, level);
@@ -1667,9 +1801,17 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
     }
   }
 
-  // 0. License compliance gate
+  // 0. License compliance gate (MANDATORY: blocks release if .license-guard.json missing)
   const configPath = join(repoPath, '.license-guard.json');
-  if (existsSync(configPath)) {
+  if (!existsSync(configPath)) {
+    console.log(`  ✗ .license-guard.json not found.`);
+    console.log(`    Every repo must have .license-guard.json to release.`);
+    console.log(`    Run: wip-repo-init   (scaffolds ai/, .license-guard.json, CLA.md)`);
+    console.log(`    Or:  wip-license-guard init`);
+    console.log('');
+    return { currentVersion, newVersion, dryRun: false, failed: true };
+  }
+  {
     const config = JSON.parse(readFileSync(configPath, 'utf8'));
     const licenseIssues = [];
 
@@ -1697,6 +1839,24 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
       if (config.license === 'MIT+AGPL' && !readme.includes('AGPL')) licenseIssues.push('README.md License section missing AGPL reference');
     }
 
+    // .npmignore must exclude ai/ if repo has ai/ directory
+    const aiDir = join(repoPath, 'ai');
+    if (existsSync(aiDir)) {
+      const npmignorePath = join(repoPath, '.npmignore');
+      const pkgJson = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+      const hasFilesWhitelist = Array.isArray(pkgJson.files);
+      if (!hasFilesWhitelist) {
+        if (!existsSync(npmignorePath)) {
+          licenseIssues.push('.npmignore is missing (ai/ directory exists and could leak to npm)');
+        } else {
+          const npmignore = readFileSync(npmignorePath, 'utf8');
+          if (!npmignore.includes('ai/')) {
+            licenseIssues.push('.npmignore does not exclude ai/ (plans and bugs could leak to npm)');
+          }
+        }
+      }
+    }
+
     if (licenseIssues.length > 0) {
       console.log(`  ✗ License compliance failed:`);
       for (const issue of licenseIssues) console.log(`    - ${issue}`);
@@ -1984,6 +2144,14 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
   writePackageVersion(repoPath, newVersion);
   console.log(`  ✓ package.json -> ${newVersion}`);
 
+  // 1.25. Auto-bump sub-tool versions (Phase 5: auto-fix before validation)
+  {
+    const autoBumped = autoFixSubToolVersions(repoPath);
+    if (autoBumped > 0) {
+      console.log(`  ✓ Auto-bumped ${autoBumped} sub-tool(s)`);
+    }
+  }
+
   // 1.5. Validate sub-tool version bumps (Phase 8: error by default)
   {
     const subToolResult = validateSubToolVersions(repoPath, allowSubToolDrift);
@@ -2013,35 +2181,76 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
     console.log(`  ✓ Product docs synced to v${newVersion} (${docsUpdated} file(s))`);
   }
 
-  // 4. Git commit + tag
-  gitCommitAndTag(repoPath, newVersion, notes);
-  console.log(`  ✓ Committed and tagged v${newVersion}`);
-
-  // 5. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
-  {
-    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, level);
-    if (pushResult.ok) {
-      console.log(`  ✓ Pushed to remote (${pushResult.via})`);
-    } else {
-      logPushFailure(pushResult, `v${newVersion}`);
-    }
-  }
-
   // Distribution results collector (#104)
   const distResults = [];
 
+  // 4. npm publish BEFORE commit (Phase 3: true publish-before-commit)
+  // Files are bumped and staged but NOT committed. If npm fails, we just
+  // revert the file changes. No commit, no tag, no remote state to clean up.
   if (!noPublish) {
-    // 6. npm publish
     try {
       publishNpm(repoPath);
       const pkg = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
       distResults.push({ target: 'npm', status: 'ok', detail: `${pkg.name}@${newVersion}` });
       console.log(`  ✓ Published to npm`);
     } catch (e) {
-      distResults.push({ target: 'npm', status: 'failed', detail: e.message });
       console.log(`  ✗ npm publish failed: ${e.message}`);
+      console.log(`  Reverting file changes (no commit was made)...`);
+      try {
+        execSync('git checkout -- .', { cwd: repoPath, stdio: 'pipe' });
+        // Clean up any new files (like trashed release notes)
+        execSync('git clean -fd _trash/', { cwd: repoPath, stdio: 'pipe' });
+        console.log(`  ✓ Reverted. Working tree is clean. Fix the issue and try again.`);
+      } catch (revertErr) {
+        console.log(`  ✗ Revert failed: ${revertErr.message}`);
+        console.log(`  Manual cleanup: git checkout -- .`);
+      }
+      console.log('');
+      return { currentVersion, newVersion, dryRun: false, failed: true };
     }
 
+    // Phase 5: Auto-publish changed sub-tools to npm
+    const toolsDir = join(repoPath, 'tools');
+    if (existsSync(toolsDir)) {
+      for (const tool of readdirSync(toolsDir)) {
+        const toolPath = join(toolsDir, tool);
+        const toolPkg = join(toolPath, 'package.json');
+        if (!existsSync(toolPkg)) continue;
+        const pkg = JSON.parse(readFileSync(toolPkg, 'utf8'));
+        if (!pkg.name || pkg.private) continue;
+        try {
+          publishNpm(toolPath);
+          distResults.push({ target: 'npm', status: 'ok', detail: `${pkg.name}@${pkg.version}` });
+          console.log(`  ✓ Published sub-tool: ${pkg.name}@${pkg.version}`);
+        } catch (e) {
+          // Sub-tool publish failure is non-fatal but loud (Phase 7)
+          const msg = e.message || '';
+          if (msg.includes('previously published') || msg.includes('cannot publish over')) {
+            // Already published at this version. Not an error.
+          } else {
+            distResults.push({ target: 'npm', status: 'failed', detail: `${pkg.name}: ${msg}` });
+            console.log(`  ✗ Sub-tool ${pkg.name} publish failed: ${msg}`);
+          }
+        }
+      }
+    }
+  }
+
+  // 5. Git commit + tag (AFTER npm publish succeeds)
+  gitCommitAndTag(repoPath, newVersion, notes);
+  console.log(`  ✓ Committed and tagged v${newVersion}`);
+
+  // 5.5. Push commit + tag
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, level);
+    if (pushResult.ok) {
+      console.log(`  ✓ Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
+  }
+
+  if (!noPublish) {
     // 7. GitHub Packages ... SKIPPED from private repos.
     // deploy-public.sh publishes to GitHub Packages from the public repo clone.
     // Publishing from private ties the package to the private repo, making it
@@ -2288,6 +2497,29 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
     }) + '\n');
   } catch {}
 
+  // 12. deploy-public: sync private -> public mirror (Phase 6)
+  // Runs at the end of every stable release unless --no-deploy-public is set
+  // or the repo has no deploy-public.sh script. Skips silently for non-
+  // -private repos (no public mirror to sync).
+  {
+    const dp = runDeployPublic(repoPath, { skip: noDeployPublic });
+    if (dp.skipped) {
+      if (dp.reason === 'flag') {
+        console.log(`  - deploy-public: skipped (--no-deploy-public)`);
+      } else if (dp.reason === 'no-script') {
+        console.log(`  - deploy-public: skipped (no tools/deploy-public/deploy-public.sh)`);
+      } else if (dp.reason === 'not-private-repo') {
+        console.log(`  - deploy-public: skipped (origin is not a -private repo)`);
+      }
+    } else if (dp.ok) {
+      console.log(`  \u2713 deploy-public: synced to ${dp.publicRepo}`);
+    } else {
+      console.log(`  \u2717 deploy-public failed for ${dp.publicRepo}`);
+      if (dp.detail) console.log(`    ${dp.detail.split('\n')[0]}`);
+      console.log(`    Manual recovery: bash tools/deploy-public/deploy-public.sh ${repoPath} ${dp.publicRepo}`);
+    }
+  }
+
   console.log('');
   console.log(`  Done. ${repoName} v${newVersion} released.`);
   console.log('');
@@ -2306,7 +2538,7 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
  * No deploy-public. No code sync. No CHANGELOG gate. No product docs gate.
  * Lightweight: bump version, npm publish with tag, optional GitHub prerelease.
  */
-export async function releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes, skipWorktreeCheck, allowSubToolDrift }) {
+export async function releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes, skipWorktreeCheck, allowSubToolDrift, noDeployPublic }) {
   repoPath = repoPath || process.cwd();
   const currentVersion = detectCurrentVersion(repoPath);
   const newVersion = bumpPrerelease(currentVersion, track);
@@ -2330,6 +2562,66 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
     }
   }
 
+  // License compliance gate (MANDATORY: blocks release if .license-guard.json missing)
+  {
+    const configPath = join(repoPath, '.license-guard.json');
+    if (!existsSync(configPath)) {
+      console.log(`  \u2717 .license-guard.json not found.`);
+      console.log(`    Every repo must have .license-guard.json to release.`);
+      console.log(`    Run: wip-repo-init   (scaffolds ai/, .license-guard.json, CLA.md)`);
+      console.log(`    Or:  wip-license-guard init`);
+      console.log('');
+      return { currentVersion, newVersion, dryRun: false, failed: true };
+    }
+    const config = JSON.parse(readFileSync(configPath, 'utf8'));
+    const licenseIssues = [];
+    const licensePath = join(repoPath, 'LICENSE');
+    if (!existsSync(licensePath)) {
+      licenseIssues.push('LICENSE file is missing');
+    } else {
+      const licenseText = readFileSync(licensePath, 'utf8');
+      if (!licenseText.includes(config.copyright)) {
+        licenseIssues.push(`LICENSE copyright does not match "${config.copyright}"`);
+      }
+      if (config.license === 'MIT+AGPL' && !licenseText.includes('AGPL') && !licenseText.includes('GNU Affero')) {
+        licenseIssues.push('LICENSE is MIT-only but config requires MIT+AGPL');
+      }
+    }
+    if (!existsSync(join(repoPath, 'CLA.md'))) {
+      licenseIssues.push('CLA.md is missing');
+    }
+    const readmePath = join(repoPath, 'README.md');
+    if (existsSync(readmePath)) {
+      const readme = readFileSync(readmePath, 'utf8');
+      if (!readme.includes('## License')) licenseIssues.push('README.md missing ## License section');
+      if (config.license === 'MIT+AGPL' && !readme.includes('AGPL')) licenseIssues.push('README.md License section missing AGPL reference');
+    }
+    const aiDir = join(repoPath, 'ai');
+    if (existsSync(aiDir)) {
+      const npmignorePath = join(repoPath, '.npmignore');
+      const pkgJson = JSON.parse(readFileSync(join(repoPath, 'package.json'), 'utf8'));
+      const hasFilesWhitelist = Array.isArray(pkgJson.files);
+      if (!hasFilesWhitelist) {
+        if (!existsSync(npmignorePath)) {
+          licenseIssues.push('.npmignore is missing (ai/ directory exists and could leak to npm)');
+        } else {
+          const npmignore = readFileSync(npmignorePath, 'utf8');
+          if (!npmignore.includes('ai/')) {
+            licenseIssues.push('.npmignore does not exclude ai/ (plans and bugs could leak to npm)');
+          }
+        }
+      }
+    }
+    if (licenseIssues.length > 0) {
+      console.log(`  \u2717 License compliance failed:`);
+      for (const issue of licenseIssues) console.log(`    - ${issue}`);
+      console.log(`\n  Run \`wip-license-guard check --fix\` to auto-repair, then try again.`);
+      console.log('');
+      return { currentVersion, newVersion, dryRun: false, failed: true };
+    }
+    console.log(`  \u2713 License compliance passed`);
+  }
+
   if (dryRun) {
     console.log(`  [dry run] Would bump package.json to ${newVersion}`);
     if (!noPublish) {
@@ -2358,6 +2650,14 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
   writePackageVersion(repoPath, newVersion);
   console.log(`  \u2713 package.json -> ${newVersion}`);
 
+  // 1.25. Auto-bump sub-tool versions (Phase 5)
+  {
+    const autoBumped = autoFixSubToolVersions(repoPath);
+    if (autoBumped > 0) {
+      console.log(`  \u2713 Auto-bumped ${autoBumped} sub-tool(s)`);
+    }
+  }
+
   // 1.5. Validate sub-tool version bumps (Phase 8: error by default)
   {
     const subToolResult = validateSubToolVersions(repoPath, allowSubToolDrift);
@@ -2405,6 +2705,31 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
       console.log(`  \u2717 npm publish failed: ${e.message}`);
     }
 
+    // 5.5. Auto-publish changed sub-tools to npm (Phase 5)
+    const toolsDir = join(repoPath, 'tools');
+    if (existsSync(toolsDir)) {
+      for (const tool of readdirSync(toolsDir)) {
+        const toolPath = join(toolsDir, tool);
+        const toolPkg = join(toolPath, 'package.json');
+        if (!existsSync(toolPkg)) continue;
+        const pkg = JSON.parse(readFileSync(toolPkg, 'utf8'));
+        if (!pkg.name || pkg.private) continue;
+        try {
+          publishNpm(toolPath);
+          distResults.push({ target: 'npm', status: 'ok', detail: `${pkg.name}@${pkg.version}` });
+          console.log(`  \u2713 Published sub-tool: ${pkg.name}@${pkg.version}`);
+        } catch (e) {
+          const msg = e.message || '';
+          if (msg.includes('previously published') || msg.includes('cannot publish over')) {
+            // Already published at this version. Not an error.
+          } else {
+            distResults.push({ target: 'npm', status: 'failed', detail: `${pkg.name}: ${msg}` });
+            console.log(`  \u2717 Sub-tool ${pkg.name} publish failed: ${msg}`);
+          }
+        }
+      }
+    }
+
     // 6. GitHub prerelease on public repo (if opted in)
     if (publishReleaseNotes) {
       try {
@@ -2430,6 +2755,30 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
     }
   }
 
+  // deploy-public: sync private -> public mirror (Phase 6)
+  // Beta: deploy to public (testing distribution pipeline)
+  // Alpha: NEVER deploy to public (dev-only)
+  if (track === 'alpha') {
+    console.log(`  - deploy-public: skipped (alpha is dev-only, never goes to public)`);
+  } else {
+    const dp = runDeployPublic(repoPath, { skip: noDeployPublic });
+    if (dp.skipped) {
+      if (dp.reason === 'flag') {
+        console.log(`  - deploy-public: skipped (--no-deploy-public)`);
+      } else if (dp.reason === 'no-script') {
+        console.log(`  - deploy-public: skipped (no deploy-public.sh)`);
+      } else if (dp.reason === 'not-private-repo') {
+        console.log(`  - deploy-public: skipped (origin is not a -private repo)`);
+      }
+    } else if (dp.ok) {
+      console.log(`  \u2713 deploy-public: synced to ${dp.publicRepo}`);
+    } else {
+      console.log(`  \u2717 deploy-public failed for ${dp.publicRepo}`);
+      if (dp.detail) console.log(`    ${dp.detail.split('\n')[0]}`);
+      console.log(`    Manual recovery: bash tools/deploy-public/deploy-public.sh ${repoPath} ${dp.publicRepo}`);
+    }
+  }
+
   console.log('');
   console.log(`  Done. ${repoName} v${newVersion} (${track}) released.`);
   console.log('');
@@ -2470,9 +2819,17 @@ export async function releaseHotfix({ repoPath, notes, notesSource, dryRun, noPu
     }
   }
 
-  // License compliance gate
-  const configPath = join(repoPath, '.license-guard.json');
-  if (existsSync(configPath)) {
+  // License compliance gate (MANDATORY: blocks release if .license-guard.json missing)
+  {
+    const configPath = join(repoPath, '.license-guard.json');
+    if (!existsSync(configPath)) {
+      console.log(`  \u2717 .license-guard.json not found.`);
+      console.log(`    Every repo must have .license-guard.json to release.`);
+      console.log(`    Run: wip-repo-init   (scaffolds ai/, .license-guard.json, CLA.md)`);
+      console.log(`    Or:  wip-license-guard init`);
+      console.log('');
+      return { currentVersion, newVersion, dryRun: false, failed: true };
+    }
     const config = JSON.parse(readFileSync(configPath, 'utf8'));
     const licenseIssues = [];
     const licensePath = join(repoPath, 'LICENSE');
@@ -2484,6 +2841,9 @@ export async function releaseHotfix({ repoPath, notes, notesSource, dryRun, noPu
         licenseIssues.push(`LICENSE copyright does not match "${config.copyright}"`);
       }
     }
+    if (!existsSync(join(repoPath, 'CLA.md'))) {
+      licenseIssues.push('CLA.md is missing');
+    }
     if (licenseIssues.length > 0) {
       console.log(`  \u2717 License compliance failed:`);
       for (const issue of licenseIssues) console.log(`    - ${issue}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.73",
+  "version": "1.9.75",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",