agentic-sdlc-wizard 1.37.0 → 1.37.1

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.37.0",
+      "version": "1.37.1",
       "author": {
         "name": "Stefan Ayala"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.37.0",
+  "version": "1.37.1",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

package/CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.37.1] - 2026-04-24
+
+### Fixed
+
+- **Dual-channel hook 2× print** (token-bloat audit, ROADMAP item 8, PR #241). When both the project's `.claude/settings.json` AND a locally-installed wizard plugin (`~/.claude/plugins-local/` or `~/.claude/plugins/cache/`) registered the same hook, both fired per event — `SDLC BASELINE` block printed twice per `UserPromptSubmit`, ~300 tokens doubled per prompt. Fix: `dedupe_plugin_or_project()` helper in `hooks/_find-sdlc-root.sh`. Plugin invocation yields if project also registers the same hook by name (project always wins). Wired into all 5 hooks (sdlc-prompt-check, instructions-loaded-check, tdd-pretool-check, model-effort-check, precompact-seam-check). Consumer plugin-only installs still fire normally. Codex 2-round: 100/100 CERTIFIED. 9 new dedupe tests + 1 stale-fixture fix (test_instructions_hook_cwd_walkup now reads current version dynamically from package.json so it doesn't drift past the staleness-nudge threshold on each release).
+
 ## [1.37.0] - 2026-04-24
 
 ### Changed

package/CLAUDE_CODE_SDLC_WIZARD.md

@@ -2715,7 +2715,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.37.0 -->
+<!-- SDLC Wizard Version: 1.37.1 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->
@@ -3777,7 +3777,7 @@ Walk through updates? (y/n)
 Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
 
 ```markdown
-<!-- SDLC Wizard Version: 1.37.0 -->
+<!-- SDLC Wizard Version: 1.37.1 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: PRs -->

package/hooks/_find-sdlc-root.sh

@@ -34,3 +34,62 @@ find_partial_sdlc_root() {
     done
     return 1
 }
+
+# dedupe_plugin_or_project — token-bloat fix.
+# When a hook is registered via BOTH the project's `.claude/settings.json` AND
+# a locally-installed wizard plugin (e.g., maintainer dogfooding the wizard
+# while also having `~/.claude/plugins-local/sdlc-wizard-wrap/`), the same
+# script fires twice per event = 2× tokens per prompt, 2× hook output noise.
+#
+# Resolution: plugin invocation yields if the project also registers the
+# same hook by name. Project registration always wins (user-explicit).
+# Consumer plugin-only installs (no project settings.json) still fire normally.
+#
+# Plugin path heuristic: $0 contains "/plugins-local/" or "/plugins/cache/".
+#
+# Usage:
+#   source _find-sdlc-root.sh
+#   dedupe_plugin_or_project || exit 0   # plugin yields when project registered
+#
+# Args (optional, for tests): $1 script_path, $2 project_dir
+# Returns: 0 = proceed, 1 = yield (caller should exit 0).
+#
+# Codex review hardening (DEDUPE-001/002):
+# - Uses parameter expansion (${path##*/}) instead of `basename` — survives
+#   PATH-restricted environments. Falsely emitting `basename: command not found`
+#   would corrupt the rc=1 (yield) signal.
+# - Matches the script name only inside a `"command"` JSON field, not anywhere
+#   in the settings file. Otherwise a basename mentioned in `permissions.allow`
+#   or a comment would falsely trigger yield (plugin would skip when project
+#   never actually registers the hook).
+dedupe_plugin_or_project() {
+    local script_path="${1:-${BASH_SOURCE[1]:-$0}}"
+    local project_dir="${2:-${CLAUDE_PROJECT_DIR:-.}}"
+
+    case "$script_path" in
+        */plugins-local/*|*/plugins/cache/*)
+            local proj_settings="$project_dir/.claude/settings.json"
+            [ -f "$proj_settings" ] || return 0
+
+            # Parameter-expansion basename: ${path##*/} strips up to last /.
+            # If no / in path, returns path itself (defensive — caller passed
+            # bare filename).
+            local script_name="${script_path##*/}"
+            [ -n "$script_name" ] || return 0
+
+            # Match only inside a "command" JSON registration so a basename
+            # appearing in permissions.allow / comments / unrelated sections
+            # doesn't falsely yield. Pattern: `"command"` followed by colon,
+            # any whitespace, optional quotes, anything, then the basename.
+            # Example matches:
+            #   "command": "$CLAUDE_PROJECT_DIR/hooks/sdlc-prompt-check.sh"
+            #   "command":"hooks/sdlc-prompt-check.sh"
+            # Does NOT match:
+            #   "Bash(./hooks/sdlc-prompt-check.sh *)"  (in permissions.allow)
+            if grep -qE '"command"[[:space:]]*:[[:space:]]*"[^"]*'"$script_name"'"' "$proj_settings" 2>/dev/null; then
+                return 1  # yield — project will fire its own copy
+            fi
+            ;;
+    esac
+    return 0  # proceed
+}

package/hooks/instructions-loaded-check.sh

@@ -8,6 +8,9 @@
 HOOK_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$HOOK_DIR/_find-sdlc-root.sh"
 
+# Token-bloat fix: when both project + plugin register this hook, plugin yields.
+dedupe_plugin_or_project "${BASH_SOURCE[0]}" || exit 0
+
 # CWD walk-up finds nearest SDLC project (#173: silent exit for non-SDLC dirs)
 if find_sdlc_root; then
     PROJECT_DIR="$SDLC_ROOT"

package/hooks/model-effort-check.sh

@@ -15,6 +15,13 @@
 
 RECOMMENDED_MODEL="opus[1m]"
 
+# Token-bloat fix: when both project + plugin register this hook, plugin yields.
+HOOK_DIR="${BASH_SOURCE[0]%/*}"
+[ "$HOOK_DIR" = "${BASH_SOURCE[0]}" ] && HOOK_DIR="."
+# shellcheck disable=SC1091
+source "$HOOK_DIR/_find-sdlc-root.sh"
+dedupe_plugin_or_project "${BASH_SOURCE[0]}" || { cat > /dev/null; exit 0; }
+
 # Drain stdin (SessionStart sends JSON but model field isn't in it)
 cat > /dev/null
 

package/hooks/precompact-seam-check.sh

@@ -14,6 +14,15 @@
 #       → finish in-progress git operation first
 # Allow otherwise.
 
+# Token-bloat fix: when both project + plugin register this hook, plugin yields.
+# Use parameter expansion (not `dirname`) so the PATH-restricted gh-missing test
+# still works — bash builtin `${var%/*}` is always available.
+HOOK_DIR="${BASH_SOURCE[0]%/*}"
+[ "$HOOK_DIR" = "${BASH_SOURCE[0]}" ] && HOOK_DIR="."
+# shellcheck disable=SC1091
+source "$HOOK_DIR/_find-sdlc-root.sh"
+dedupe_plugin_or_project "${BASH_SOURCE[0]}" || { [ ! -t 0 ] && cat > /dev/null; exit 0; }
+
 [ ! -t 0 ] && INPUT=$(cat) || INPUT=""
 
 # Determine project root: prefer $CLAUDE_PROJECT_DIR, fall back to cwd

package/hooks/sdlc-prompt-check.sh

@@ -6,6 +6,12 @@
 HOOK_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$HOOK_DIR/_find-sdlc-root.sh"
 
+# Token-bloat fix: when both project + plugin register this hook, plugin yields.
+# Prevents 2× SDLC BASELINE print per UserPromptSubmit (~300 tokens doubled).
+# Pass real script path explicitly (not $0) so the dedupe heuristic recognizes
+# plugin paths even when the script is sourced or invoked via aliases.
+dedupe_plugin_or_project "${BASH_SOURCE[0]}" || exit 0
+
 # CWD walk-up finds nearest SDLC project (#173: silent exit for non-SDLC dirs)
 if find_sdlc_root; then
     PROJECT_DIR="$SDLC_ROOT"

package/hooks/tdd-pretool-check.sh

@@ -2,6 +2,15 @@
 # PreToolUse hook - TDD enforcement before editing source files
 # Fires before Write/Edit/MultiEdit tools
 
+# Token-bloat fix: when both project + plugin register this hook, plugin yields.
+# Parameter-expansion-safe (no `dirname` dep): `%/*` strips trailing `/file`.
+# Fallback `.` when BASH_SOURCE has no slash (direct invocation `bash hook.sh`).
+HOOK_DIR="${BASH_SOURCE[0]%/*}"
+[ "$HOOK_DIR" = "${BASH_SOURCE[0]}" ] && HOOK_DIR="."
+# shellcheck disable=SC1091
+source "$HOOK_DIR/_find-sdlc-root.sh"
+dedupe_plugin_or_project "${BASH_SOURCE[0]}" || exit 0
+
 # Read the tool input (JSON with file_path, content, etc.)
 TOOL_INPUT=$(cat)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.37.0",
+  "version": "1.37.1",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "cli/bin/sdlc-wizard.js"

package/skills/update/SKILL.md

@@ -46,9 +46,10 @@ Parse all CHANGELOG entries between the user's installed version and the latest.
 
 ```
 Installed: 1.24.0
-Latest:    1.37.0
+Latest:    1.37.1
 
 What changed:
+- [1.37.1] Token-bloat fix: dedupe 2× SDLC BASELINE print when both project + plugin register the same hook (~300 tokens doubled per prompt). 5 hooks gain `dedupe_plugin_or_project()` helper. Codex 2-round 100/100.
 - [1.37.0] `monthly-research.yml` workflow deleted (ROADMAP #231 Phase 1) — 0 merged artifacts in 30d while burning $11-23/month; research happens inline now. `model-effort-check.sh` loud WARNING below xhigh (#217) — max preferred, xhigh floor; duplicate effort nudge in `instructions-loaded-check.sh` removed; single source of truth. Both changes Codex-certified.
 - [1.36.1] Repo renamed `agentic-ai-sdlc-wizard` → `claude-sdlc-wizard` (matches sibling pattern; npm package unchanged); `npm pkg fix` metadata cleanup; slug migration across docs/tests/configs
 - [1.36.0] CC 2.1.118 `/usage` canonical + aliases, Tier 2 dead-gate fix (#215), score-history max_score correctness (#211), setup-bun regression guard (#210), post-mortem learnings (#220-222), GPT-5.5 adoption plan (#223), MCP-tool hooks + #198 re-verify in backlog (#218/#219)