agentic-sdlc-wizard 1.54.0 → 1.56.0

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.54.0",
+      "version": "1.56.0",
       "author": {
         "name": "Stefan Ayala"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.54.0",
+  "version": "1.56.0",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

package/CHANGELOG.md

@@ -4,6 +4,62 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.56.0] - 2026-04-29
+
+### Added
+
+- **`tests/e2e/fetch-community.sh`** — closes ROADMAP **#207**. Pulls public threads from Reddit (r/ClaudeCode + r/ClaudeAI) and HN Algolia ("claude code" stories), emits combined transcript text to stdout. Pipe to `scan-community.sh` to surface candidate `/slash-command` mentions that the wizard doesn't already know.
+
+  Usage:
+  ```bash
+  ./tests/e2e/fetch-community.sh --reddit ClaudeCode,ClaudeAI --hn | ./tests/e2e/scan-community.sh -
+  ```
+
+  Live mode hits Reddit's public JSON API + HN Algolia (no auth, no API spend on the Anthropic side). `--offline DIR` reads fixture JSON from `DIR/reddit-${sub}.json` + `DIR/hn-claudecode.json` for tests + offline-on-laptop runs. 11 quality tests in `tests/test-community-fetch.sh` (all mocked HTTP via fixtures, runs offline).
+
+  Pairs with the existing `scan-community.sh` (which was the manual-input piece): the maintainer no longer has to copy-paste threads. Discord skipped (requires bot/OAuth) and GH Discussions deferred (GraphQL-only, low marginal value over Reddit+HN coverage).
+
+### Security
+
+- **P0 fix during Codex round 1**: `parse_or_die` originally interpolated the path into `python3 -c` source. A crafted subreddit name with single quote + Python could escape the string and execute. Rewritten to pass the path via `JSON_PATH` environment variable. New regression test (`test_offline_fixture_path_injection_blocked`) creates a fixture with an injection-payload subreddit name and asserts the sentinel file is NOT created.
+- **P2 fix during Codex round 1**: `--reddit` and `--offline` previously silently exited 1 when called without a value. Both flags now validate `${2:-}` is non-empty before consuming + emit a clear flag-specific error. Two new tests cover the missing-value paths.
+
+### Files
+
+- `tests/e2e/fetch-community.sh` (new, ~180 lines after round-1 P0/P2 fixes)
+- `tests/test-community-fetch.sh` (new, 14 tests — 11 happy/error-path + 3 round-1 P0/P2 regressions)
+- `tests/fixtures/community-fetch/*.json` (new, 5 fixtures: reddit-claudecode, reddit-claudeai, hn-claudecode, reddit-empty, plus malformed.json for parse-error testing)
+- `.github/workflows/ci.yml` (+1 step: `Run community fetcher tests`)
+- `CONTRIBUTING.md` (test list updated)
+- Version bump 1.55.0 → 1.56.0
+
+## [1.55.0] - 2026-04-29
+
+### Removed
+
+- **Dead leftovers in `.github/workflows/weekly-update.yml`** — closes ROADMAP #231 Phase 4. After Phase 3d, the workflow still carried code that was wired to nothing:
+  - `env.VERSION_SCENARIO` — flagged as a "no-op marker" since Phase 3a (version-test deleted)
+  - `outputs.has_overlap` / `outputs.overlap_paths` job-level outputs — set by the placeholder analysis step but consumed by no downstream job (prove-it-test was already deleted in Phase 2)
+  - `Generate placeholder analysis` step — wrote `/tmp/analysis.json` with `relevance: "UNKNOWN"` purely so the next step could parse it back out
+  - `Parse analysis result` step — read the placeholder and wrote outputs that are now hardcoded
+  - `Build PR body` step + the `case "$RELEVANCE"` switch — relevance is always `UNKNOWN` post-Phase-3d, so the case statement and templated title/label collapsed to a literal `[UNKNOWN]` / `relevance-UNKNOWN`
+
+### Changed
+
+- `.github/workflows/weekly-update.yml`: 289 → 161 lines (-44%). Steps consolidated: 10 → 5 operational (6 YAML steps including checkout). Detection + version compare + existing-PR check fold into one `detect` step. PR body inlined as a `body: |` block on the create-pull-request action (was a separate Build PR body step writing /tmp/pr_body.md). The disabled cron line stays as a documented comment, but cron-collision tests now use Python YAML parsing (Codex round 1 P1) so they only compare ACTIVE schedules.
+- `tests/test-workflow-triggers.sh`: Test 17 updated to grep for the new pattern (`gh pr list --head` + `skip=true`) since the dedicated `existing-pr` step ID was consolidated. Test 54 simplified — the placeholder is gone, so the regression check is now just "no `claude-code-action@v1` directive resurrects." 3 new Phase 4 regression tests added (`test_weekly_update_no_dead_version_scenario_env`, `_no_has_overlap_output`, `_no_overlap_paths_output`).
+
+### Phase 3 + Phase 4 cumulative
+
+- weekly-update.yml has shrunk from ~1670 lines (pre-Phase 3) to 161 lines (-90%). Five jobs/workflows + one in-job ranker chain + Phase 4 dead-code removed. Zero `claude-code-action@v1` references. Cron burn $25-55/week → $0/week.
+- ROADMAP #231 closes here. Detection-only workflow stays at ~150 lines as documented in the Phase 4 plan; folding into the session-start hook would lose the GitHub PR audit trail (which is the only place the maintainer sees a new release while away from a session).
+
+### Files
+
+- `.github/workflows/weekly-update.yml` (-128 lines net)
+- `tests/test-workflow-triggers.sh` (+86 lines: 3 new regression tests, 2 tests updated)
+- Version bump 1.54.0 → 1.55.0
+
 ## [1.54.0] - 2026-04-29
 
 ### Removed

package/CLAUDE_CODE_SDLC_WIZARD.md

@@ -2974,7 +2974,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.54.0 -->
+<!-- SDLC Wizard Version: 1.56.0 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->
@@ -4039,7 +4039,7 @@ Walk through updates? (y/n)
 Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
 
 ```markdown
-<!-- SDLC Wizard Version: 1.54.0 -->
+<!-- SDLC Wizard Version: 1.56.0 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: PRs -->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.54.0",
+  "version": "1.56.0",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "cli/bin/sdlc-wizard.js"

package/skills/update/SKILL.md

@@ -93,9 +93,11 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
 
 ```
 Installed: 1.42.0
-Latest:    1.54.0
+Latest:    1.56.0
 
 What changed:
+- [1.56.0] community feature-discovery fetcher (#207) — `tests/e2e/fetch-community.sh` pulls Reddit + HN; pipe to `scan-community.sh` to surface candidate /slash-commands
+- [1.55.0] shrink weekly-update.yml dead code (#231 Phase 4) — delete env.VERSION_SCENARIO + has_overlap/overlap_paths outputs + placeholder/parse steps; 289 → 161 lines (-44%)
 - [1.54.0] delete check-updates Claude-ranker (#231 Phase 3d) — weekly-update.yml is now zero-API-spend; auto-update PR body links the manual analyze-release.md command
 - [1.53.0] delete scan-community cron (#231 Phase 3c) — manual `claude --print` invocation of analyze-community.md
 - [1.52.0] delete community-e2e-test cron (#231 Phase 3b) — manual local-shepherd review of scan-community digest