agentic-sdlc-wizard 1.43.0 → 1.44.1

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.43.0",
+      "version": "1.44.1",
       "author": {
         "name": "Stefan Ayala"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.43.0",
+  "version": "1.44.1",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

package/CHANGELOG.md

@@ -4,6 +4,43 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.44.1] - 2026-04-27
+
+### Fixed
+
+- **Autocompact compound-misconfig detection** — closes #207. Consumer reported autocompact firing at 12% context on a fresh `opus[1m]` session because they set BOTH `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` AND `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` (a natural misreading of `CLAUDE_CODE_SDLC_WIZARD.md:1008`'s "or"-joined cell). The two compound: `30% × 400000 = 120000 tokens ≈ 12% of 1M`.
+  - **Doc fix**: `CLAUDE_CODE_SDLC_WIZARD.md` 1M-vs-200K table now writes `**OR** ... (pick one)` and adds a `> ⚠ Do NOT set both` callout that explains the compound math and points at the runtime detection.
+  - **Runtime detection**: `instructions-loaded-check.sh` (InstructionsLoaded hook) reads `.claude/settings.json` for both env vars, computes the effective trigger, and warns with the math when both are set — diagnosable from the warning alone.
+  - **Shipped skill drift**: `skills/sdlc/SKILL.md` was still calling `opus[1m]` the "default" (stale post-#198) AND repeating the same ambiguous "30 or 400000" wording it ships to consumers. Both fixed: opus[1m] now framed as opt-in with #198 reference; autocompact tuning line says "pick ONE of: ... OR ... (do NOT set both)".
+- 4 new test-hooks tests (warns / silent on PCT-only / silent on WINDOW-only / shows effective trigger), 3 new test-doc-consistency tests (wizard doc + sdlc skill regression guards), size-cap test fixture extended to include the new branch (cap raised 1500 → 1700 to accommodate). Codex round 2 CERTIFIED 9/10 (round 1 surfaced the size-cap, shipped-skill drift, and InstructionsLoaded vs SessionStart wording — all fixed).
+
+### Files
+
+- `hooks/instructions-loaded-check.sh` — new compound-misconfig detection block (single-line warning with full env var names + effective trigger math)
+- `CLAUDE_CODE_SDLC_WIZARD.md` — line 1008 alternatives clarification + `> ⚠ Do NOT set both` callout
+- `skills/sdlc/SKILL.md` — `opus[1m]` reframed `Default` → `Opt-in` (matches wizard doc post-#198); autocompact tuning line now warns against the compound config
+- `tests/test-hooks.sh` — 4 new tests + size-cap fixture extended + cap raised
+- `tests/test-doc-consistency.sh` — 3 new regression guards (wizard doc + sdlc skill)
+
+## [1.44.0] - 2026-04-27
+
+### Fixed
+
+- **Install-path & cache hygiene** — closes #254 (P1+P2), #239, #238 filed by consumer codeguesser after upgrading 1.32.0 → 1.42.1.
+  - **#254 Bug 1 (P1)**: `cli/init.js` FILES list now ships `hooks/_find-sdlc-root.sh`. The helper is sourced by all 5 wizard hooks and provides `find_sdlc_root` + `dedupe_plugin_or_project`, but `npx ... init --force` previously didn't copy it. Result on every consumer: stderr noise (`_find-sdlc-root.sh: No such file or directory`, `dedupe_plugin_or_project: command not found`) and the SDLC walk-up logic (#171), silent-exit-for-non-SDLC-dirs (#173), and plugin/project dedupe were all silently dead.
+  - **#254 Bug 2 (P2)**: `init --force` now invalidates `~/.cache/sdlc-wizard/latest-version` (or `$SDLC_WIZARD_CACHE_DIR/latest-version` when overridden). Previously the cache held the pre-upgrade "latest" for up to 24h, producing reverse staleness nudges like `update available 1.42.1 → 1.41.1`. Console now prints a `BUST` line so the cache eviction is visible.
+  - **#254 Bug 2 / #239 (semver-direction)**: `instructions-loaded-check.sh` introduces `semver_lt` for numeric major/minor/patch comparison. Nudge gate switched from `LATEST_VERSION != INSTALLED_VERSION` (which fired on equality AND reverse direction) to `semver_lt INSTALLED LATEST` — so the nudge only fires when an actual upgrade is available. Cache reads gain a sanity check: cached "latest" must be >= installed, otherwise force a refetch.
+  - **#239 (npm failure surface)**: When `npm view` fails (e.g. EPERM from root-owned `~/.npm/_cacache/`) AND no usable cache exists, the hook now prints `npm view failed — version check unavailable (run 'npm view agentic-sdlc-wizard version' to debug)`. Previously the version-check block produced no output at all and the user had no signal that the staleness nudge was broken.
+  - **#238 (dual-channel ack sentinel)**: The "CLI skills + Claude plugin both present" warning gains an opt-in silence mechanism. Once the user runs `mkdir -p $DUAL_CACHE_DIR && touch $DUAL_ACK_FILE` (the exact command is printed inside the nudge), the warning stops firing. Sentinel lives at `$SDLC_WIZARD_CACHE_DIR/dual-channel-acknowledged` (defaults to `~/.cache/sdlc-wizard/dual-channel-acknowledged`). Removes the every-session noise that was training users to ignore all hook output.
+- 8 new tests across `tests/test-cli.sh` (75 total, +3 for #254) and `tests/test-hooks.sh` (134 total, +5 for the four bugs + Codex round-1 cache-dir-absent regression test). Codex CERTIFIED 10/10 round 2.
+
+### Files
+
+- `cli/init.js` — `FILES` list adds `_find-sdlc-root.sh`; new `invalidateVersionCache()` helper; `--force` path calls bust + logs `BUST` line
+- `hooks/instructions-loaded-check.sh` — new `semver_lt()`; cache sanity check; npm-fail surface; semver-direction nudge gate; dual-channel ack sentinel
+- `tests/test-cli.sh` — file-count test bumped 11→12; 3 new tests
+- `tests/test-hooks.sh` — 5 new tests covering all 4 bugs + Codex cache-dir-absent regression
+
 ## [1.43.0] - 2026-04-27
 
 ### Added

package/CLAUDE_CODE_SDLC_WIZARD.md

@@ -1005,7 +1005,9 @@ Claude Code supports both 200K and 1M context windows. **`opus[1m]` is an opt-in
 | **Cost** | Standard pricing | Anthropic currently lists the 1M window at standard pricing across the full context for supported Opus/Sonnet models — **verify current rates at [docs.anthropic.com/pricing](https://docs.anthropic.com/)** before assuming no premium |
 | **Auto-mode** | **Enabled** — Claude Code chooses model per turn | **Disabled** — top-level `model` tells CC you've chosen explicitly |
 | **Auto-compact** | Default ~95% works well | Fires at ~76K by default ([issue #34332](https://github.com/anthropics/claude-code/issues/34332)) — pair with `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` |
-| **Suggested override (if you pin)** | `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` | `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` or `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` |
+| **Suggested override (if you pin)** | `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=75` | `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` **OR** `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` (pick one) |
+
+> **⚠ Do NOT set both.** `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` and `CLAUDE_CODE_AUTO_COMPACT_WINDOW` are alternatives, not complementary. Setting both compounds: `30% × 400000 = 120000` tokens, which is ~12% of a 1M window — autocompact fires almost immediately, destroying the headroom you opted in for. Pick one knob: either lower the trigger percentage (`PCT_OVERRIDE=30`) on the model's default 1M window, OR cap the working window (`AUTO_COMPACT_WINDOW=400000`) at the model's default 95% trigger. The `instructions-loaded-check.sh` `InstructionsLoaded` hook (fires on session start/resume) detects this misconfig and prints the effective trigger so you can debug from the warning alone (#207).
 
 **Why `opus[1m]` is opt-in (issue #198):**
 - **Pinning disables auto-mode.** Max-plan users pay for Claude Code's per-turn model selection (Sonnet for cheap tasks, Opus for hard ones, plus weekly-limit smoothing). A top-level `model` gives that up.
@@ -2918,7 +2920,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.43.0 -->
+<!-- SDLC Wizard Version: 1.44.1 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->
@@ -3983,7 +3985,7 @@ Walk through updates? (y/n)
 Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
 
 ```markdown
-<!-- SDLC Wizard Version: 1.43.0 -->
+<!-- SDLC Wizard Version: 1.44.1 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: PRs -->

package/cli/init.js

@@ -25,6 +25,10 @@ const FILES = [
   { src: 'hooks/instructions-loaded-check.sh', dest: '.claude/hooks/instructions-loaded-check.sh', executable: true, base: REPO_ROOT },
   { src: 'hooks/model-effort-check.sh', dest: '.claude/hooks/model-effort-check.sh', executable: true, base: REPO_ROOT },
   { src: 'hooks/precompact-seam-check.sh', dest: '.claude/hooks/precompact-seam-check.sh', executable: true, base: REPO_ROOT },
+  // #254 Bug 1: shared helper sourced by all hooks above. Must ship — without
+  // it, hooks emit "_find-sdlc-root.sh: No such file or directory" + the
+  // SDLC root walk-up logic is silently dead.
+  { src: 'hooks/_find-sdlc-root.sh', dest: '.claude/hooks/_find-sdlc-root.sh', base: REPO_ROOT },
   { src: 'skills/sdlc/SKILL.md', dest: '.claude/skills/sdlc/SKILL.md', base: REPO_ROOT },
   { src: 'skills/setup/SKILL.md', dest: '.claude/skills/setup/SKILL.md', base: REPO_ROOT },
   { src: 'skills/update/SKILL.md', dest: '.claude/skills/update/SKILL.md', base: REPO_ROOT },
@@ -235,6 +239,21 @@ function printOps(ops) {
   }
 }
 
+// #254 Bug 2: clear the version cache on `init --force` so the
+// instructions-loaded hook re-fetches latest from npm post-upgrade. Without
+// this, the cache holds the pre-upgrade "latest" for up to 24h and the hook
+// prints reverse nudges like "1.42.1 → 1.41.1".
+function invalidateVersionCache({ dryRun }) {
+  const cacheDir = process.env.SDLC_WIZARD_CACHE_DIR
+    || path.join(os.homedir(), '.cache', 'sdlc-wizard');
+  const cacheFile = path.join(cacheDir, 'latest-version');
+  if (!fs.existsSync(cacheFile)) return false;
+  if (!dryRun) {
+    try { fs.rmSync(cacheFile, { force: true }); } catch (_) { /* best-effort */ }
+  }
+  return true;
+}
+
 function init(targetDir, { force = false, dryRun = false } = {}) {
   if (!dryRun && !force) {
     const pluginPaths = detectPluginInstall();
@@ -291,6 +310,13 @@ function init(targetDir, { force = false, dryRun = false } = {}) {
     console.log(`  ${GREEN}APPEND${RESET}  .gitignore (${gitignoreAdds.join(', ')})`);
   }
 
+  // #254 Bug 2: bust the latest-version cache after an upgrade so the
+  // staleness nudge re-fetches a fresh value from npm. Only on --force,
+  // since that's the upgrade path.
+  if (force && invalidateVersionCache({ dryRun: false })) {
+    console.log(`  ${CYAN}BUST${RESET}    version cache (${path.join(process.env.SDLC_WIZARD_CACHE_DIR || path.join(os.homedir(), '.cache', 'sdlc-wizard'), 'latest-version')})`);
+  }
+
   console.log(`
 ${GREEN}SDLC Wizard installed successfully!${RESET}
 

package/hooks/instructions-loaded-check.sh

@@ -44,14 +44,38 @@ fi
 SDLC_MD="$PROJECT_DIR/SDLC.md"
 # Strict x.y.z semver — rejects whitespace, "junk", "1.alpha.0", etc.
 SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+$'
+
+# semver_lt A B → exit 0 if A < B, exit 1 otherwise. Both args validated semver.
+# Used so a stale-but-fresh cache from before an upgrade ("latest" < installed)
+# doesn't fire a reverse-direction nudge (#254 Bug 2 / #239).
+semver_lt() {
+    local a_major a_minor a_patch b_major b_minor b_patch
+    a_major=$(echo "$1" | awk -F. '{print $1+0}')
+    a_minor=$(echo "$1" | awk -F. '{print $2+0}')
+    a_patch=$(echo "$1" | awk -F. '{print $3+0}')
+    b_major=$(echo "$2" | awk -F. '{print $1+0}')
+    b_minor=$(echo "$2" | awk -F. '{print $2+0}')
+    b_patch=$(echo "$2" | awk -F. '{print $3+0}')
+    if [ "$a_major" -lt "$b_major" ]; then return 0; fi
+    if [ "$a_major" -gt "$b_major" ]; then return 1; fi
+    if [ "$a_minor" -lt "$b_minor" ]; then return 0; fi
+    if [ "$a_minor" -gt "$b_minor" ]; then return 1; fi
+    if [ "$a_patch" -lt "$b_patch" ]; then return 0; fi
+    return 1
+}
+
 if [ -f "$SDLC_MD" ]; then
     INSTALLED_VERSION=$(grep -o 'SDLC Wizard Version: [0-9.]*' "$SDLC_MD" | head -1 | sed 's/SDLC Wizard Version: //')
     if [ -n "$INSTALLED_VERSION" ] && [[ "$INSTALLED_VERSION" =~ $SEMVER_RE ]]; then
         VERSION_CACHE_DIR="${SDLC_WIZARD_CACHE_DIR:-$HOME/.cache/sdlc-wizard}"
         VERSION_CACHE_FILE="$VERSION_CACHE_DIR/latest-version"
         LATEST_VERSION=""
+        NPM_FAILED=0
 
-        # Use cache if present, <24h old, and contents are valid semver
+        # Use cache if present, <24h old, contents are valid semver, AND cached
+        # version is not strictly older than installed (#239: post-upgrade
+        # cache poison sanity check — if cache says "latest=1.41.1" but
+        # installed=1.43.0, the cache is poisoned, force a refetch).
         if [ -f "$VERSION_CACHE_FILE" ]; then
             if stat -f %m "$VERSION_CACHE_FILE" > /dev/null 2>&1; then
                 CACHE_MTIME=$(stat -f %m "$VERSION_CACHE_FILE")
@@ -62,22 +86,37 @@ if [ -f "$SDLC_MD" ]; then
             if [ "$CACHE_AGE" -lt 86400 ]; then
                 CACHE_CONTENT=$(cat "$VERSION_CACHE_FILE" 2>/dev/null) || CACHE_CONTENT=""
                 if [[ "$CACHE_CONTENT" =~ $SEMVER_RE ]]; then
-                    LATEST_VERSION="$CACHE_CONTENT"
+                    # Sanity check: cached "latest" must be >= installed.
+                    if ! semver_lt "$CACHE_CONTENT" "$INSTALLED_VERSION"; then
+                        LATEST_VERSION="$CACHE_CONTENT"
+                    fi
                 fi
             fi
         fi
 
-        # Fetch from npm if cache miss / stale / malformed
+        # Fetch from npm if cache miss / stale / malformed / poisoned
         if [ -z "$LATEST_VERSION" ] && command -v npm > /dev/null 2>&1; then
-            NPM_RESULT=$(npm view agentic-sdlc-wizard version 2>/dev/null) || NPM_RESULT=""
-            if [[ "$NPM_RESULT" =~ $SEMVER_RE ]]; then
+            NPM_RESULT=$(npm view agentic-sdlc-wizard version 2>/dev/null)
+            NPM_RC=$?
+            if [ "$NPM_RC" -ne 0 ] || ! [[ "$NPM_RESULT" =~ $SEMVER_RE ]]; then
+                NPM_FAILED=1
+            else
                 LATEST_VERSION="$NPM_RESULT"
                 mkdir -p "$VERSION_CACHE_DIR" 2>/dev/null || true
                 printf '%s' "$LATEST_VERSION" > "$VERSION_CACHE_FILE" 2>/dev/null || true
             fi
         fi
 
-        if [ -n "$LATEST_VERSION" ] && [ "$LATEST_VERSION" != "$INSTALLED_VERSION" ]; then
+        # #239: surface npm failure once when cache miss + npm fails. Without
+        # this, the version-check block produces no output and the user has
+        # no way to know the staleness nudge is broken.
+        if [ -z "$LATEST_VERSION" ] && [ "$NPM_FAILED" -eq 1 ]; then
+            echo "npm view failed — version check unavailable (run 'npm view agentic-sdlc-wizard version' to debug)"
+        fi
+
+        # #254 Bug 2: only nudge when installed < latest (semver direction).
+        # Equality `!=` previously fired reverse nudges post-upgrade.
+        if [ -n "$LATEST_VERSION" ] && semver_lt "$INSTALLED_VERSION" "$LATEST_VERSION"; then
             # Minor-version delta: 1.25.0 vs 1.34.0 → 9
             INSTALLED_MINOR=$(echo "$INSTALLED_VERSION" | awk -F. '{print $2+0}')
             LATEST_MINOR=$(echo "$LATEST_VERSION" | awk -F. '{print $2+0}')
@@ -131,8 +170,35 @@ fi
 # this hook and model-effort-check.sh both fire on SessionStart, so two checks
 # would double-print the nudge and risk drifting out of sync.
 
-# Dual-channel install check (#181) — nudge when CLI skills + Claude plugin both present
-if [ -d "$PROJECT_DIR/.claude/skills/update" ]; then
+# Autocompact compound-misconfig check (#207). Setting BOTH
+# CLAUDE_AUTOCOMPACT_PCT_OVERRIDE and CLAUDE_CODE_AUTO_COMPACT_WINDOW
+# compounds — e.g. 30% × 400000 = 120000 token trigger, which on a 1M
+# window fires at ~12% of context. The wizard doc lists them as
+# alternatives ("PCT_OVERRIDE=30 OR AUTO_COMPACT_WINDOW=400000") but the
+# "or" is easy to misread, and the consumer in #207 hit autocompact at
+# 12% in a fresh session. Surface the misconfig with the effective
+# trigger so it's diagnosable from the warning alone.
+SETTINGS_JSON="$PROJECT_DIR/.claude/settings.json"
+if [ -f "$SETTINGS_JSON" ]; then
+    AC_PCT=$(grep -o '"CLAUDE_AUTOCOMPACT_PCT_OVERRIDE"[[:space:]]*:[[:space:]]*"[0-9]*"' "$SETTINGS_JSON" \
+        | head -1 | sed 's/.*"\([0-9]*\)"$/\1/')
+    AC_WIN=$(grep -o '"CLAUDE_CODE_AUTO_COMPACT_WINDOW"[[:space:]]*:[[:space:]]*"[0-9]*"' "$SETTINGS_JSON" \
+        | head -1 | sed 's/.*"\([0-9]*\)"$/\1/')
+    if [ -n "$AC_PCT" ] && [ -n "$AC_WIN" ]; then
+        # Effective trigger = pct% of window (integer math; both pure digits per the regex).
+        AC_TRIGGER=$(( AC_PCT * AC_WIN / 100 ))
+        AC_PCT_OF_1M=$(( AC_TRIGGER * 100 / 1000000 ))
+        echo "WARNING: autocompact compound misconfig — CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=${AC_PCT} AND CLAUDE_CODE_AUTO_COMPACT_WINDOW=${AC_WIN} both set in .claude/settings.json compound to ${AC_TRIGGER} tokens (~${AC_PCT_OF_1M}% of 1M). Pick one — see wizard doc '1M vs 200K' (#207)."
+    fi
+fi
+
+# Dual-channel install check (#181) — nudge when CLI skills + Claude plugin both present.
+# #238: silenced once the user opts in via an ack sentinel. Sentinel is per-host
+# (lives under $SDLC_WIZARD_CACHE_DIR/dual-channel-acknowledged) since the dual
+# install is always a $HOME-scoped condition.
+DUAL_CACHE_DIR="${SDLC_WIZARD_CACHE_DIR:-$HOME/.cache/sdlc-wizard}"
+DUAL_ACK_FILE="$DUAL_CACHE_DIR/dual-channel-acknowledged"
+if [ -d "$PROJECT_DIR/.claude/skills/update" ] && [ ! -f "$DUAL_ACK_FILE" ]; then
     for plugin_path in "$HOME/.claude/plugins-local/sdlc-wizard-wrap" "$HOME/.claude/plugins/cache/sdlc-wizard-local"; do
         if [ -d "$plugin_path" ]; then
             echo "WARNING: dual-install detected — CLI skills in .claude/skills/ AND Claude plugin at:"
@@ -140,6 +206,7 @@ if [ -d "$PROJECT_DIR/.claude/skills/update" ]; then
             echo "  Duplicate /update-wizard commands come from running both channels. Pick one:"
             echo "    - Keep plugin: remove .claude/skills/ from this project"
             echo "    - Keep CLI:    /plugin uninstall sdlc-wizard (or remove plugin dir)"
+            echo "    - Keep both:   mkdir -p \"$DUAL_CACHE_DIR\" && touch \"$DUAL_ACK_FILE\"  (silences this nudge)"
             break
         fi
     done

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.43.0",
+  "version": "1.44.1",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "cli/bin/sdlc-wizard.js"

package/skills/sdlc/SKILL.md

@@ -170,16 +170,18 @@ When auto-approving, still announce your approach — just don't wait for approv
 
 ## Recommended Model
 
-**Default: `opus[1m]` (Opus 4.7 with 1M context window).** Run `/model opus[1m]` at the start of any non-trivial SDLC session.
+**Opt-in: `opus[1m]` (Opus 4.7 with 1M context window).** Run `/model opus[1m]` at the start of any non-trivial SDLC session — but understand the tradeoff first (issue #198).
 
-**Why:**
+**Why opt-in, not default:** A top-level `model` pin in `.claude/settings.json` disables Claude Code's per-turn model auto-selection. That's a real cost — Max-plan users pay for that auto-selection (Sonnet for cheap tasks, Opus for hard ones, plus weekly-limit smoothing). Pin only when you actually need the 1M headroom.
+
+**Why pin to `opus[1m]` when you do opt in:**
 - SDLC sessions (plan → TDD → review → CI shepherd) accumulate context fast — plans, test output, diffs, review artifacts. 200K fills up before you're done.
 - Forced auto-compact mid-task loses your working state. Extra headroom is cheaper than re-reading files.
 - At time of writing, Anthropic lists 1M context at standard pricing for supported Opus/Sonnet models — verify current rates for your plan before relying on this.
 
 **Requires Claude Code v2.1.111+** for Opus 4.7.
 
-**Pair with `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30`.** Without it, CC's default auto-compact on 1M fires at ~76K and defeats the purpose. The wizard's `cli/templates/settings.json` sets both defaults on install.
+**Pair with `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30`** when you opt in. Without it, CC's default auto-compact on 1M fires at ~76K and defeats the purpose. The setup wizard's Step 9.5 prompts to write both together (template ships with neither, opt-in only).
 
 **Fall back to `opus` (200K) only when:** your plan charges a premium for long-context prompts, the task is genuinely short (<30K), or team cost controls flag >200K prompts. See the "1M vs 200K Context Window" section in `CLAUDE_CODE_SDLC_WIZARD.md` for details.
 
@@ -606,7 +608,7 @@ CI passes -> Read review suggestions
 - `/clear` after 2+ failed corrections (context polluted — start fresh with better prompt)
 - Auto-compact fires at ~95% capacity — no manual management needed
 - After committing a PR, `/clear` before starting the next feature
-- **Autocompact tuning:** Set `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` to trigger compaction earlier (75% for 200K, 30% for 1M). On 1M models, the default fires at ~76K — set 30% or `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` to use the full context window. See wizard doc "Autocompact Tuning" for full details
+- **Autocompact tuning:** Set `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` to trigger compaction earlier (75% for 200K, 30% for 1M). On 1M models, the default fires at ~76K — pick ONE of: `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` **OR** `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` (do NOT set both — they compound to 30% × 400K = 120K trigger ≈ 12% of 1M, which fires almost immediately, #207). See wizard doc "Autocompact Tuning" for full details
 
 **`--bare` mode (v2.1.81+):** `claude -p "prompt" --bare` skips ALL hooks, skills, LSP, and plugins. This is a complete wizard bypass — no SDLC enforcement, no TDD checks, no planning hooks. Use only for scripted headless calls (CI pipelines, automation) where you explicitly don't want wizard enforcement. Never use `--bare` for normal development work.
 

package/skills/update/SKILL.md

@@ -131,9 +131,11 @@ Parse all CHANGELOG entries between the user's installed version and the latest.
 
 ```
 Installed: 1.24.0
-Latest:    1.43.0
+Latest:    1.44.1
 
 What changed:
+- [1.44.1] Autocompact compound-misconfig detection — closes #207. Consumer reported autocompact firing at 12% context on a fresh opus[1m] session because they set BOTH `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE=30` AND `CLAUDE_CODE_AUTO_COMPACT_WINDOW=400000` (a natural misreading of the "or"-joined override cell). The two compound: 30% × 400K = 120K trigger ≈ 12% of 1M. Three-pronged fix: (a) wizard doc clarifies alternatives with a `> ⚠ Do NOT set both` callout that shows the compound math; (b) `instructions-loaded-check.sh` (InstructionsLoaded hook) detects when both env vars are set in `.claude/settings.json`, computes the effective trigger, and warns with the math; (c) shipped `skills/sdlc/SKILL.md` was still calling opus[1m] the "default" (stale post-#198) AND repeating the same ambiguous wording — both fixed. 4 new hook tests + 3 new doc-consistency tests + size-cap fixture extended. Codex round 2 CERTIFIED 9/10.
+- [1.44.0] Install-path & cache hygiene — closes #254, #239, #238 filed by consumer codeguesser after upgrading 1.32.0 → 1.42.1. (1) `cli/init.js` FILES list now ships `hooks/_find-sdlc-root.sh` — the helper sourced by all 5 hooks was missing from npm install path, so every session emitted `_find-sdlc-root.sh: No such file or directory` + `dedupe_plugin_or_project: command not found` and the SDLC walk-up logic was silently dead. (2) `init --force` now invalidates `~/.cache/sdlc-wizard/latest-version` so post-upgrade hooks re-fetch fresh values from npm instead of serving the pre-upgrade cache for 24h (which produced reverse "1.42.1 → 1.41.1" nudges). (3) instructions-loaded-check.sh now uses semver-direction comparison via new `semver_lt` function: nudge only fires when installed < latest, equality is silent, reverse direction is silent. Cache sanity-check rejects poisoned values (cached "latest" < installed → force refetch). (4) When `npm view` fails AND cache empty, hook now surfaces a one-line warning instead of going silent. (5) Dual-channel install nudge gains an opt-in silence sentinel — set via `mkdir -p $SDLC_WIZARD_CACHE_DIR && touch $SDLC_WIZARD_CACHE_DIR/dual-channel-acknowledged` (printed inside the nudge itself for discoverability). 8 new tests across test-cli.sh + test-hooks.sh, Codex CERTIFIED 10/10 round 2.
 - [1.43.0] Token-spike anomaly detection — ROADMAP #220 closure. New `hooks/token-spike-check.sh` (SessionStart, opt-in via `.metrics/`) ingests CC transcript usage (`input_tokens` / `output_tokens` / `cache_creation_input_tokens` / `cache_read_input_tokens`) into `.metrics/token-history.jsonl`, then warns when the last session's `costly_tokens` (input + cache_creation + output, excluding the cheap cache_read tier) exceeds median + 2σ over a rolling baseline. Catches silent CC-side caching regressions (per Anthropic's 2026-04-23 post-mortem) before they surface on the invoice. Uses MAD-based spread for the median metric so a single baseline outlier doesn't mask the next spike. 14 quality tests in `tests/test-token-spike.sh` (incl. malicious-transcript privacy probe, flat-baseline floor, median-vs-mean contrast, concurrent-ingest mkdir lock).
 - [1.42.2] PreCompact self-heal documented — ROADMAP #209 closure. Added `pr_number` opt-in to all 3 handoff template schemas (skill Step 1; wizard Round 1 + cross-model section). Self-heal logic shipped earlier with #229 but was undocumented, leaving the dead-code path. New `test_handoff_template_documents_pr_number` enforces template/doc parity. Together with #229 (mtime auto-expire) closes the "stuck PENDING handoff blocks /compact forever" footgun from both directions.
 - [1.42.1] CI hygiene fix — skip Claude PR review on wizard self-PRs. 7 self-PRs (v1.39.0–v1.42.0) had shipped with red `review` job (API canary firing on dead credit balance). Treated as "expected" but red normalizes red. Workflow `if:` now skips review on `BaseInfinity/claude-sdlc-wizard` repo only; consumer projects unaffected. 7 quality tests, mutation-verified (== inversion fails).