agentic-sdlc-wizard 1.28.0 → 1.30.0

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.28.0",
+      "version": "1.30.0",
       "author": {
         "name": "Stefan Ayala"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.28.0",
+  "version": "1.30.0",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

package/CHANGELOG.md

@@ -4,6 +4,58 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.30.0] - 2026-04-12
+
+### Added
+- CC degradation detection (#96, PR #166)
+  - Score persistence: CI now git-commits `score-history.jsonl` to PR branch after E2E runs, feeding CUSUM drift detection with real data
+  - Fork guard (`head.repo.full_name == github.repository`) prevents silent push failures on fork PRs
+  - Injection-safe: `head.ref` passed via `env:` block, not inline `${{ }}`
+  - Wizard effort section hardened: explains adaptive thinking root cause (Boris Cherny GH #42796), scopes "medium default" to Pro/Max plans, cites code.claude.com docs
+  - `CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING` documented as opt-in hardening (not default)
+  - Anti-laziness CLAUDE.md guidance section targeting specific mechanisms (adaptive thinking, effort levels, thinking budget)
+  - 14 behavioral tests (`test-degradation-detection.sh`)
+- Model A/B comparison workflow (#94, PRs #164, #165)
+  - `workflow_dispatch` benchmark: Opus vs Sonnet on E2E scenarios with 95% CI
+  - Matrix strategy over scenarios, parameterized model/trials/max_turns
+  - Wizard installation verification before simulation (P0 fix)
+  - jq-based artifact construction (safe against empty outputs)
+  - 37 quality tests (`test-model-comparison.sh`)
+- Firmware-embedded E2E fixture (#78, PR #163)
+  - Python SD card overlay manager, 3 device configs (Raspberry Pi, STM32, ESP32)
+  - SIL + config validation tests within fixture
+  - Domain-adaptive testing proof: firmware indicators, Python overlay, multi-device differentiation
+  - 12 quality tests (`test-firmware-fixture.sh`)
+
+### Fixed
+- P0 shell injection in model comparison workflow: `${{ inputs.model }}` directly in `run:` blocks. Fixed by passing all inputs through `env:` block (caught by Codex review)
+
+## [1.29.0] - 2026-04-07
+
+### Added
+- Node 24 compliance across all GitHub Actions workflows (#93, PR #160)
+  - 5 action version bumps: checkout@v5, setup-node@v5, upload-artifact@v6, create-pull-request@v8, sticky-pull-request-comment@v3
+  - 2 third-party actions replaced with `gh` CLI: `int128/hide-comment-action` → GraphQL `minimizeComment`, `softprops/action-gh-release` → `gh release create`
+  - 4 node-version bumps from 20 to 22
+  - 13 new compliance regression tests (`test-node24-compliance.sh`)
+  - Expression injection P0 in release.yml caught by CI reviewer and fixed
+- Autocompact env var in settings.json (#88, PR #161)
+  - CLI now ships `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` in `settings.json` `env` field (200K default)
+  - Smart merge preserves existing user env vars on upgrade; `--force` resets to defaults
+  - Handles malformed env values (arrays, strings) gracefully with type validation
+  - Setup wizard Step 9.5 references settings.json instead of shell profiles; 1M users guided to 30%
+  - 9 new tests (41 total CLI tests)
+- Effectiveness scoreboard (#80, PR #162)
+  - `.metrics/catches.jsonl`: 52 historical bug catches extracted from repo history
+  - `catch-analytics.sh`: DDE (Defect Detection Effectiveness) per layer, escape rates, severity breakdown
+  - Results: cross-model-review (48%) and self-review (46%) nearly tied; self-review missed 28 bugs caught downstream; all 3 P0s caught by cross-model or CI review
+  - 14 new quality tests (`test-effectiveness-scoreboard.sh`)
+  - Log automation deferred until analytics proven useful (prove-it gate)
+
+### Fixed
+- Expression injection in `release.yml`: `${{ github.ref_name }}` directly in `run:` shell command allowed tag-based code injection. Fixed by passing through `TAG_NAME` env var (P0, caught by CI reviewer)
+- `$TOTAL_` variable name collision in `catch-analytics.sh`: bash parsed as undefined variable `TOTAL_` instead of `$TOTAL` + underscore. Fixed with `${TOTAL}_` brace syntax (P0, caught by CI reviewer)
+
 ## [1.28.0] - 2026-04-06
 
 ### Added

package/CLAUDE_CODE_SDLC_WIZARD.md

@@ -224,7 +224,11 @@ Claude Code's **effort level** controls how much thinking the model does before
 | `high` | **Default for all SDLC work.** Features, bug fixes, refactoring, tests, reviews | `effort: high` in skill frontmatter (already set) |
 | `max` | LOW confidence, FAILED 2x, architecture decisions, complex debugging, cross-model reviews | `/effort max` (session only — resets next session) |
 
-**Why `high` is the default:** The `/sdlc` skill sets `effort: high` in its frontmatter, so every SDLC invocation automatically uses high effort. This gives thorough reasoning without the unbounded token cost of `max`.
+**Why `high` is the default:** Claude Code uses **adaptive thinking** to dynamically allocate reasoning budget per turn. On Pro and Max plans, the default effort level is **medium (85)**, which causes the model to under-allocate reasoning on complex multi-step tasks — leading to shallow analysis, missed edge cases, and "lazy" outputs. This was [confirmed by Anthropic engineer Boris Cherny](https://github.com/anthropics/claude-code/issues/42796) and is documented at [code.claude.com](https://code.claude.com/docs/en/model-config). API, Team, and Enterprise plans default to high effort and are not affected.
+
+The `/sdlc` skill sets `effort: high` in its frontmatter, overriding the medium default on every SDLC invocation. This gives thorough reasoning without the unbounded token cost of `max`.
+
+**Nuclear option — disable adaptive thinking entirely:** Set `CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING=1` in your environment or settings.json `env` block. This forces a fixed reasoning budget per turn instead of letting the model dynamically allocate. Use this if you observe persistent quality issues even with `effort: high`. See [Claude Code model config docs](https://code.claude.com/docs/en/model-config) for details.
 
 **When to escalate to `max`:**
 - You hit LOW confidence on your approach — deeper thinking may find clarity
@@ -242,6 +246,21 @@ Claude Code's **effort level** controls how much thinking the model does before
 
 > See also: the **Effort** column in the [Confidence Check table](#confidence-check-required) below for per-confidence-level guidance on when to escalate to `max`.
 
+### Anti-Laziness Guidance for CLAUDE.md
+
+If you notice Claude Code producing shallow outputs despite `effort: high`, add these instructions to your project's `CLAUDE.md`. These target the **specific mechanisms** behind quality degradation — adaptive thinking and effort levels — rather than vague directives:
+
+```markdown
+## Quality Anchoring
+- This project uses effort: high via SDLC skill frontmatter. Do not reduce reasoning depth.
+- Adaptive thinking may under-allocate your thinking budget on complex tasks. When working on
+  multi-file changes, architecture decisions, or debugging: reason through the full problem
+  before acting, even if the system prompt suggests taking the "simplest approach first."
+- If you catch yourself skipping steps, re-read the task requirements and verify completeness.
+```
+
+**Why this works:** Claude Code's hidden system prompt includes "Go straight to the point. Try the simplest approach first." This is good for simple queries but causes the model to under-invest in reasoning on complex SDLC tasks. The instructions above don't fight the system prompt — they provide task-specific context that justifies deeper reasoning. Note that CLAUDE.md instructions can be partially overridden by the system prompt, so `effort: high` in skill frontmatter remains the primary defense.
+
 ---
 
 ## Claude Code Feature Updates
@@ -807,10 +826,19 @@ Override the default auto-compact threshold with environment variables. These ar
 | `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` | Trigger compaction at this % of context capacity (1-100) | ~95% |
 | `CLAUDE_CODE_AUTO_COMPACT_WINDOW` | Override context capacity in tokens (useful for 1M models) | Model default |
 
-Set these in your shell profile (`~/.bashrc`, `~/.zshrc`) or per-project `.envrc`:
+**Recommended:** The SDLC Wizard CLI sets `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` in `.claude/settings.json` by default (200K model optimized). To customize, edit the `env` field in `.claude/settings.json`:
+
+```json
+{
+  "env": {
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "75"
+  }
+}
+```
+
+Alternatively, set via shell profile (`~/.bashrc`, `~/.zshrc`) or per-project `.envrc`:
 
 ```bash
-# Example: compact earlier on a 200K model
 export CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75
 ```
 
@@ -2600,7 +2628,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.28.0 -->
+<!-- SDLC Wizard Version: 1.30.0 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->
@@ -3659,7 +3687,7 @@ Walk through updates? (y/n)
 Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
 
 ```markdown
-<!-- SDLC Wizard Version: 1.28.0 -->
+<!-- SDLC Wizard Version: 1.30.0 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: PRs -->

package/README.md

@@ -229,7 +229,7 @@ This isn't the only Claude Code SDLC tool. Here's an honest comparison:
 | Document | What It Covers |
 |----------|---------------|
 | [ARCHITECTURE.md](ARCHITECTURE.md) | System design, 5-layer diagram, data flows, file structure |
-| [CI_CD.md](CI_CD.md) | All 6 workflows, E2E scoring, tier system, SDP, integrity checks |
+| [CI_CD.md](CI_CD.md) | All 7 workflows, E2E scoring, tier system, SDP, integrity checks |
 | [SDLC.md](SDLC.md) | Version tracking, enforcement rules, SDLC configuration |
 | [TESTING.md](TESTING.md) | Testing philosophy, test diamond, TDD approach |
 | [CHANGELOG.md](CHANGELOG.md) | Version history, what changed and when |

package/cli/init.js

@@ -51,6 +51,18 @@ function mergeSettings(existingPath, templatePath, force) {
     const existing = JSON.parse(fs.readFileSync(existingPath, 'utf8'));
     const template = JSON.parse(fs.readFileSync(templatePath, 'utf8'));
 
+    // Merge env field
+    if (template.env) {
+      if (!existing.env || typeof existing.env !== 'object' || Array.isArray(existing.env)) {
+        existing.env = {};
+      }
+      for (const [key, val] of Object.entries(template.env)) {
+        if (!(key in existing.env) || force) {
+          existing.env[key] = val;
+        }
+      }
+    }
+
     if (!existing.hooks) existing.hooks = {};
 
     for (const [event, templateEntries] of Object.entries(template.hooks || {})) {

package/cli/templates/settings.json

@@ -1,4 +1,7 @@
 {
+  "env": {
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "75"
+  },
   "hooks": {
     "UserPromptSubmit": [
       {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.28.0",
+  "version": "1.30.0",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "./cli/bin/sdlc-wizard.js"

package/skills/setup/SKILL.md

@@ -183,13 +183,23 @@ Present suggestions and let the user confirm.
 
 ### Step 9.5: Context Window Configuration
 
-Recommend autocompact settings based on the user's context window:
+The CLI already sets `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` in `.claude/settings.json` `env` field (200K default). Ask the user which model context window they use:
+
+- **200K models (default):** Already configured. Confirm `75` is set in `settings.json` `env` field
+- **1M models:** Update `settings.json` `env` field: set `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` to `"30"` — the default fires at ~76K on 1M, wasting 92% of the window. Optionally also add `CLAUDE_CODE_AUTO_COMPACT_WINDOW` set to `"400000"`
+
+To update, edit `.claude/settings.json`:
+```json
+{
+  "env": {
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "30"
+  }
+}
+```
 
-- **200K models (default):** Suggest `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` — leaves room for implementation after planning
-- **1M models:** Suggest `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` or `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` — the default fires at ~76K on 1M, wasting 92% of the window
-- **CI pipelines:** Suggest 60% — short tasks, compact early
+For CI pipelines, consider `"60"` — short tasks benefit from compacting early.
 
-Tell the user to add the export to their shell profile (`~/.bashrc`, `~/.zshrc`) or project `.envrc`. This is guidance, not enforcement — the wizard doesn't write shell profiles.
+This is project-scoped and shared with the team via git.
 
 ### Step 10: Customize Hooks
 

package/skills/update/SKILL.md

@@ -46,9 +46,11 @@ Parse all CHANGELOG entries between the user's installed version and the latest.
 
 ```
 Installed: 1.24.0
-Latest:    1.28.0
+Latest:    1.30.0
 
 What changed:
+- [1.30.0] Firmware fixture, model A/B comparison workflow, CC degradation detection, ...
+- [1.29.0] Node 24 compliance, autocompact in settings.json, effectiveness scoreboard, ...
 - [1.28.0] Autocompact benchmarking methodology, canary fact mechanism, benchmark harness, ...
 - [1.27.0] Domain-adaptive testing diamond, 3 domain fixtures, 25 quality tests, ...
 - [1.26.0] Codex SDLC Adapter plan, claw-code/OmO/OmX research, CC feature discovery verified, ...