agentic-sdlc-wizard 1.72.0 → 1.74.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -13,7 +13,7 @@
13
13
  "name": "sdlc-wizard",
14
14
  "source": ".",
15
15
  "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
16
- "version": "1.72.0",
16
+ "version": "1.74.0",
17
17
  "author": {
18
18
  "name": "Stefan Ayala"
19
19
  },
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sdlc-wizard",
3
- "version": "1.72.0",
3
+ "version": "1.74.0",
4
4
  "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
5
5
  "author": {
6
6
  "name": "Stefan Ayala",
package/CHANGELOG.md CHANGED
@@ -4,6 +4,81 @@ All notable changes to the SDLC Wizard.
4
4
 
5
5
  > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
6
6
 
7
+ ## [1.74.0] - 2026-05-17
8
+
9
+ ### Salvaged from closed v1.43.0-quick-wins branch (PR #340)
10
+
11
+ Long-running session built v1.43.0 quick-wins off `c1c6f31` (~May 12), unaware main had shipped through `v1.73.0`. PR #340 closed without merging; this release ships the items that are still genuinely missing on current main, with Codex+Claude joint triage (`.reviews/v143-salvage-triage.md`).
12
+
13
+ ### Added
14
+
15
+ - **#338 SDLC-skill source-and-precedence preamble.** `skills/sdlc/SKILL.md` now opens with an explicit "Skill source & precedence" section: repo-local `.claude/skills/sdlc/SKILL.md` (symlinked to wizard's `skills/sdlc/SKILL.md`) wins over global `~/.claude/skills/sdlc/SKILL.md`, with a `head -5` verification one-liner. Resolves user-reported confusion when both copies exist with the same name. Regression test `test_sdlc_skill_has_precedence_preamble` in `tests/test-doc-consistency.sh`.
16
+ - **#235(a) `/insights` complementary-tool guidance.** Setup skill Step 12 closing checklist + `CLAUDE_CODE_SDLC_WIZARD.md` "Complementary native skills" table now both cite `/insights` (native CC v2.1.101+) with an explicit qualitative-only caveat: it surfaces `underlying_goal` / `outcome` / `friction_counts` / `user_satisfaction_counts` / `brief_summary` from local session history, but does NOT expose `cache_read_input_tokens` / cache-hit ratio / per-turn breakdown / model-version tracking — so it is **not a substitute** for token-spike detection (ROADMAP #220 / `hooks/token-spike-check.sh`) which reads raw session JSONL. Two regression tests guard the doc-presence + caveat.
17
+ - **#235(b) `/insights` allowlist.** Appended `/insights` to `tests/e2e/known-slash-commands.txt` so the community feature-discovery scanner (#207) stops flagging it as a "new" candidate on every weekly run. `tests/test-community-scanner.sh::test_filters_insights_as_known` asserts the scanner now filters `/insights` from candidate output.
18
+
19
+ ### Fixed
20
+
21
+ - **Codex stdin-hang doc fix.** All multi-line `codex exec` invocations in `README.md`, `CLAUDE_CODE_SDLC_WIZARD.md`, `skills/sdlc/SKILL.md` (and the new `scripts/codex-review-with-progress.sh` wrapper) now append `< /dev/null`. Without the redirect, codex from a non-interactive parent (background, hooks, CI, Claude Code Bash tool) blocks on stdin reads even when the prompt is passed as an argument — the process sits at S/0% CPU indefinitely with a 0-byte `-o` output file (file only written on completion, so a hang gives zero visibility). Validated on `codex-cli 0.130.0` / macOS 14, 2026-05-15, after two 30+ minute silent hangs. Repro: `codex exec -s read-only 'Reply A.' &` hangs forever; `codex exec -s read-only 'Reply A.' < /dev/null` returns in 8s. Two new tests: `test_codex_exec_blocks_redirect_stdin` in `tests/test-doc-consistency.sh` (asserts every multi-line block in user-facing docs has the redirect) and `test_wrapper_redirects_child_stdin_to_dev_null` in `tests/test-codex-progress-wrapper.sh` (asserts the wrapper redirects child stdin so heartbeats actually fire instead of hanging).
22
+ - **`tests/test-hooks.sh` env-isolation.** `test_instructions_hook_cwd_walkup` now scopes both `HOME=$tmpdir` and `SDLC_WIZARD_CACHE_DIR=$tmpdir/cache`. Without isolation, the user's `~/.cache/sdlc-wizard/latest-version` (e.g. a stale `1.73.0`) poisoned the staleness check and triggered the "30 releases behind" loud nudge against a fresh-version fixture, breaking the test's negative grep. Hit live during the v1.43 session; happens any time the cached latest doesn't match the SDLC.md version under test.
23
+
24
+ ### Test counts (all green)
25
+
26
+ - `tests/test-doc-consistency.sh` — 39/0 (4 new tests: setup-insights, wizard-insights, sdlc-preamble, codex-stdin)
27
+ - `tests/test-community-scanner.sh` — 15/0 (1 new: filters-insights-as-known)
28
+ - `tests/test-codex-progress-wrapper.sh` — 12/0 (1 new: wrapper-redirects-child-stdin)
29
+ - `tests/test-hooks.sh` — 156/0 (env-isolation fix)
30
+
31
+ ### Dropped from v1.43 branch (not salvaged — already-shipped or no-longer-applicable)
32
+
33
+ - #226 weekly-update.yml Tier 2 wording fix — code deleted in #231 Phase 3d (v1.54.0)
34
+ - #227 weekly-update.yml `cusum --add` → `--add-json` — same refactor removed the CUSUM steps
35
+ - #219 setup-skill CC 2.1.117 model-pin note — already verified on main (CHANGELOG.md:331); doc nuance dropped per Codex's "weak MAYBE → DROP"
36
+ - #337 `--yolo` audit — verification-only, no code to ship
37
+ - #339 5-entry API triage — triage-only, no code to ship
38
+
39
+ ### Process
40
+
41
+ Two-step Codex cross-model review: (1) initial triage of branch vs main (`.reviews/v143-salvage-triage.md`) returned CERTIFIED 7/10 with corrected target-line numbers for every salvaged item, (2) closed PR #340 cleanly with explanation comment, rebuilt against current main with Codex's targets.
42
+
43
+ ## [1.73.0] - 2026-05-06
44
+
45
+ ### Fix: PreCompact hook no longer false-positives on stale `.git/REBASE_HEAD`
46
+
47
+ `hooks/precompact-seam-check.sh` was treating any presence of `.git/REBASE_HEAD` as "rebase in progress" and blocking manual `/compact`. But `REBASE_HEAD` is just a rebase-related ref (the stopped/replayed commit) that git can leave behind after a clean rebase finishes — the authoritative "rebase in progress" signal is the `rebase-merge/` or `rebase-apply/` directory (which is what `git status` keys on too). Hit live in this repo 2026-05-05 — yesterday's clean rebase left `REBASE_HEAD` behind, the user's manual `/compact` was blocked, and clearing it required `rm .git/REBASE_HEAD` by hand.
48
+
49
+ The OR-chain at line 227 now drops the `REBASE_HEAD` predicate; only the `rebase-{merge,apply}/` dir checks remain. Two new tests cover the fix:
50
+
51
+ - `test_precompact_silent_on_stale_rebase_head_alone` — positive: `rc=0` + empty stderr when only `REBASE_HEAD` exists
52
+ - `test_precompact_blocks_on_rebase_head_with_rebase_merge_dir` — negative control: still blocks on real in-flight rebase (REBASE_HEAD + rebase-merge dir together)
53
+
54
+ 156/156 hook tests green. Codex round 1 CERTIFIED 9/10 (one P2 comment-accuracy nit caught — fixed: `REBASE_HEAD` is the stopped/replayed commit, not the original branch tip, which is `ORIG_HEAD`).
55
+
56
+ PR #330.
57
+
58
+ ### GC: -460 LOC of stale review/plan artifacts (#236 bloat hunt)
59
+
60
+ `.reviews/` is gitignored, but 14 handoff/preflight/round-N review files for now-merged PRs were committed before that gitignore line landed. They held no ongoing reference value. `plans/CATCHUP.md` captured the v2.1.15 → v2.1.81 catch-up (March 2026) — historical context lives in CHANGELOG (v1.8.0 entry); the plan doc was dead weight.
61
+
62
+ Deleted (15 files):
63
+
64
+ - `.reviews/baseline-fires-once-001/{round-1,round-2}-review.md`
65
+ - `.reviews/skill-cross-model-trim-001/{round-1,round-2,round-3}-review.md`
66
+ - `.reviews/tdd-pretool-fires-once-001/{round-1,round-2}-review.md`
67
+ - `.reviews/preflight-{allowed-tools-permissions,baseline-fires-once,model-pin-opt-in,precompact-seam,skill-cross-model-trim,staleness-nudge,tdd-pretool-fires-once}-001.md`
68
+ - `plans/CATCHUP.md`
69
+
70
+ Kept (still load-bearing):
71
+
72
+ - `.reviews/research-95/97/99/206/235.md` (cited from ROADMAP rows)
73
+ - `.reviews/experiment-tracking.md` (asserted by `tests/test-workflow-triggers.sh:2189`)
74
+ - `plans/AUTO_SELF_UPDATE.md` (still annotated with #231 phase notes)
75
+
76
+ Hooks 156/156, cli 88/88, workflow 176/176, docs 35/35 — all green post-deletion.
77
+
78
+ PR #331.
79
+
80
+ ---
81
+
7
82
  ## [1.72.0] - 2026-05-05
8
83
 
9
84
  ### Closes #323: `init --force` no longer silently overwrites CUSTOMIZED files
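Review bot: the stdin-hang entry says `test_codex_exec_blocks_redirect_stdin` asserts the redirect only on multi-line `codex exec` blocks, which leaves the single-line invocations this same release edits (SKILL.md step 3 and the CI-audit step) with no regression guard; extend the test to match every `codex exec` occurrence in user-facing docs, or say explicitly that one-liners are out of scope. Also, the 1.73.0 entry points at "the OR-chain at line 227", but the hook hunk further down in this diff shows the condition at new line 228 (the new comment block occupies 221-227); fix the reference or drop the line number, since it will rot on the next edit.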
@@ -2360,8 +2360,12 @@ PLANNING → DOCS → TDD RED → TDD GREEN → Tests Pass → Self-Review
2360
2360
  review the listed files. Output each finding with: an ID (1, 2, ...), \
2361
2361
  severity (P0/P1/P2), description, and a 'certify condition' stating \
2362
2362
  what specific change would resolve it. \
2363
- End with CERTIFIED or NOT CERTIFIED."
2363
+ End with CERTIFIED or NOT CERTIFIED." \
2364
+ < /dev/null
2364
2365
  ```
2366
+
2367
+ > **Always append `< /dev/null`** to `codex exec` calls run from background, hooks, CI, or any non-interactive parent. Without it, codex blocks on stdin reads even when the prompt is given as an argument — the process sits at S/0% CPU indefinitely with a 0-byte `-o` output file (the file is only written on completion, so a hang gives zero visibility). Validated on codex-cli 0.130.0 / macOS 14, 2026-05-15. For live progress, use `scripts/codex-review-with-progress.sh` instead.
2368
+
2365
2369
  3. If CERTIFIED → proceed to CI. If NOT CERTIFIED → go to Round 2.
2366
2370
 
2367
2371
  ### Round 2+: Dialogue Loop
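Review bot: the `< /dev/null` callout added after this block is pasted again, nearly verbatim, after the second round-1 block in this file and in README.md, and the copies already differ in wording ("zero visibility" appears in one and not the others). Keep one canonical callout in the Cross-Model Review Loop section that the 1.71.0 entry already designates as canonical and have the other blocks link to it; the doc-consistency test checks that the redirect is present, but nothing keeps three prose copies in sync.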
@@ -2402,7 +2406,8 @@ When the reviewer finds issues, respond per-finding instead of silently fixing e
2402
2406
  ACCEPTED → verify it was applied. \
2403
2407
  Do NOT raise new findings unless P0 (critical/security). \
2404
2408
  New observations go in 'Notes for next review' (non-blocking). \
2405
- End with CERTIFIED or NOT CERTIFIED."
2409
+ End with CERTIFIED or NOT CERTIFIED." \
2410
+ < /dev/null
2406
2411
  ```
2407
2412
 
2408
2413
  4. If CERTIFIED → done. If NOT CERTIFIED (rejected disputes or failed fixes) → fix rejected items and repeat.
@@ -2976,7 +2981,7 @@ If deployment fails or post-deploy verification catches issues:
2976
2981
 
2977
2982
  **SDLC.md:**
2978
2983
  ```markdown
2979
- <!-- SDLC Wizard Version: 1.72.0 -->
2984
+ <!-- SDLC Wizard Version: 1.74.0 -->
2980
2985
  <!-- Setup Date: [DATE] -->
2981
2986
  <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
2982
2987
  <!-- Git Workflow: [PRs or Solo] -->
@@ -3791,9 +3796,12 @@ codex exec \
3791
3796
  review the listed files. Output each finding with: an ID (1, 2, ...), \
3792
3797
  severity (P0/P1/P2), description, and a 'certify condition' stating \
3793
3798
  what specific change would resolve it. \
3794
- End with CERTIFIED or NOT CERTIFIED."
3799
+ End with CERTIFIED or NOT CERTIFIED." \
3800
+ < /dev/null
3795
3801
  ```
3796
3802
 
3803
+ > **Always append `< /dev/null`** to `codex exec` calls run from background, hooks, CI, or any non-interactive parent. Without it, codex blocks on stdin reads even when the prompt is given as an argument — the process sits at S/0% CPU indefinitely with a 0-byte `-o` output file. Validated on codex-cli 0.130.0 / macOS 14, 2026-05-15. For live progress visibility, use `scripts/codex-review-with-progress.sh` instead.
3804
+
3797
3805
  4. If CERTIFIED → done. If NOT CERTIFIED → enter the dialogue loop.
3798
3806
 
3799
3807
  **The Dialogue Loop (Round 2+):**
@@ -3849,7 +3857,8 @@ codex exec \
3849
3857
  ACCEPTED → verify it was applied. \
3850
3858
  Do NOT raise new findings unless P0 (critical/security). \
3851
3859
  New observations go in 'Notes for next review' (non-blocking). \
3852
- End with CERTIFIED or NOT CERTIFIED."
3860
+ End with CERTIFIED or NOT CERTIFIED." \
3861
+ < /dev/null
3853
3862
  ```
3854
3863
 
3855
3864
  **The key constraint:** Rechecks are scoped to previous findings only. The reviewer cannot block certification with new P2 observations discovered during recheck. This prevents scope creep and ensures convergence.
@@ -4070,7 +4079,7 @@ Walk through updates? (y/n)
4070
4079
  Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
4071
4080
 
4072
4081
  ```markdown
4073
- <!-- SDLC Wizard Version: 1.72.0 -->
4082
+ <!-- SDLC Wizard Version: 1.74.0 -->
4074
4083
  <!-- Setup Date: 2026-01-24 -->
4075
4084
  <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
4076
4085
  <!-- Git Workflow: PRs -->
@@ -4423,9 +4432,12 @@ The gap this closes: the advisor tool (API beta, `advisor-tool-2026-03-01`) ship
4423
4432
  |--------------|--------------|-------------|
4424
4433
  | `/less-permission-prompts` | Scans transcripts for common read-only Bash/MCP calls and proposes a prioritized allowlist | After a few sessions — reduces permission friction without auto mode |
4425
4434
  | `/permissions` | Pre-allow specific commands and check them into `.claude/settings.json` | Anytime you want an auditable team allowlist |
4435
+ | `/insights` | Local analyzer of your CC session history. Generates HTML report at `~/.claude/usage-data/report.html` + per-session facet JSON at `~/.claude/usage-data/facets/<session>.json`. Surfaces `underlying_goal`, `outcome`, `friction_counts`, `user_satisfaction_counts`, `brief_summary`, recurring friction patterns, suggested CLAUDE.md additions | Monthly — **qualitative-only**; see caveat below |
4426
4436
 
4427
4437
  These are shipped by Claude Code itself. The wizard doesn't reimplement them — it points you at them so you benefit from the native version's ongoing maintenance.
4428
4438
 
4439
+ **`/insights` caveat (do not over-claim):** the output is behavioral/qualitative only — friction counts, goal categories, satisfaction. It does NOT expose `cache_read_input_tokens`, cache-hit ratio, per-turn token breakdown, or model-version tracking. It is **not a substitute** for token-spike detection (ROADMAP #220 / `hooks/token-spike-check.sh`), which reads raw session JSONL (`~/.claude/projects/<proj>/<session>.jsonl`, `usage.cache_read_input_tokens` per turn). Use `/insights` for behavioral friction; use `#220`-class instrumentation for token/cache anomalies. They are complementary, not interchangeable. (Original research: ROADMAP #206, full writeup `.reviews/research-206-insights.md`.)
4440
+
4429
4441
  ### When Claude Code Improves
4430
4442
 
4431
4443
  Claude Code is actively improving. When they add built-in features:
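Review bot: the new `/insights` table row omits the minimum Claude Code version that the changelog and the setup-skill bullet both pin (native CC v2.1.101+); add it to the row or to the caveat so the two documents state the same prerequisite. The caveat's "does NOT expose `cache_read_input_tokens`" is a claim about a third-party tool's current output and should be pinned to the version it was checked against, the way the codex callouts in this diff pin codex-cli 0.130.0, so a reader knows when to re-verify it.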
package/README.md CHANGED
@@ -4,7 +4,7 @@ A **self-evolving Software Development Life Cycle (SDLC) enforcement system for
4
4
 
5
5
  **Built on 15+ years of software engineering and founding engineering experience** — battle-tested patterns from real production systems, baked into an AI agent that follows tried-and-true software quality practices so you don't have to enforce them manually.
6
6
 
7
- > **Built for Claude Code.** Using OpenAI's Codex CLI instead? Check out [`codex-sdlc-wizard`](https://github.com/BaseInfinity/codex-sdlc-wizard) same SDLC enforcement, ported. ([Full ecosystem](#xdlc-ecosystem-sibling-projects).)
7
+ > **Built for Claude Code.** Using OpenAI's Codex CLI instead? Check out [`codex-sdlc-wizard`](https://github.com/BaseInfinity/codex-sdlc-wizard). Need privacy-first / any-backend (local Ollama, Azure OpenAI, hosted OSS)? See [`opencode-sdlc-wizard`](https://github.com/BaseInfinity/opencode-sdlc-wizard). ([Full ecosystem](#xdlc-ecosystem-sibling-projects).)
8
8
 
9
9
  ## Install
10
10
 
@@ -129,9 +129,12 @@ That's it. Codex picks up your OpenAI account's best available model automatical
129
129
  ```bash
130
130
  codex exec -c 'model_reasoning_effort="xhigh"' -s danger-full-access \
131
131
  -o .reviews/latest-review.md \
132
- "Read .reviews/handoff.json and review per the checklist. Output findings + CERTIFIED or NOT CERTIFIED."
132
+ "Read .reviews/handoff.json and review per the checklist. Output findings + CERTIFIED or NOT CERTIFIED." \
133
+ < /dev/null
133
134
  ```
134
135
 
136
+ **Always append `< /dev/null`** when running `codex exec` from a non-interactive parent (background, hooks, CI, Claude Code Bash tool). Without it, codex blocks on stdin reads even when the prompt is an argument — the process sits at S/0% CPU indefinitely with a 0-byte `-o` output file. Validated on codex-cli 0.130.0 / macOS 14, 2026-05-15.
137
+
135
138
  `xhigh` reasoning is **non-negotiable** — lower settings miss subtle bugs. See [CLAUDE_CODE_SDLC_WIZARD.md](CLAUDE_CODE_SDLC_WIZARD.md#cross-model-review-loop-optional) for the full protocol (handoff format, round-2 dialogue loop, preflight docs). Real-world: this catches P0/P1 issues in 2-3 out of 10 reviews that Claude's self-review rated as clean.
136
139
 
137
140
  ## How It Works
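Review bot: the example still runs the review with `-s danger-full-access` while the new callout explains only the stdin redirect; a review that reads `.reviews/handoff.json` and writes one file through `-o` is a read-only workload, and the changelog's own repro used `-s read-only`. Either switch the example to the narrowest sandbox that works or add one sentence stating why full access is required, because readers copy this block as-is into hooks and CI.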
@@ -267,9 +270,10 @@ This wizard is one of three published siblings. Same enforcement philosophy, dif
267
270
  |---------|----------------|--------------|
268
271
  | [`agentic-sdlc-wizard`](https://www.npmjs.com/package/agentic-sdlc-wizard) ([repo](https://github.com/BaseInfinity/claude-sdlc-wizard)) | Claude Code / SDLC | This repo. Plan → TDD → self-review for code, with hooks + skills + CI scoring |
269
272
  | [`codex-sdlc-wizard`](https://www.npmjs.com/package/codex-sdlc-wizard) ([repo](https://github.com/BaseInfinity/codex-sdlc-wizard)) | OpenAI Codex / SDLC | Same SDLC enforcement, ported to Codex CLI (writes `.codex/` + `AGENTS.md`) |
273
+ | [`opencode-sdlc-wizard`](https://www.npmjs.com/package/opencode-sdlc-wizard) ([repo](https://github.com/BaseInfinity/opencode-sdlc-wizard)) | OpenCode / privacy-first | Same SDLC enforcement against ANY backend OpenCode supports — local Ollama, Azure OpenAI, Together, Groq, OpenRouter. Writes `.opencode/` + `AGENTS.md`. |
270
274
  | [`claude-gdlc-wizard`](https://www.npmjs.com/package/claude-gdlc-wizard) ([repo](https://github.com/BaseInfinity/claude-gdlc-wizard)) | Claude Code / GDLC | Game Development Life Cycle — persona-driven playtest cycles, triangulated findings, ratchet-only-tightens |
271
275
 
272
- All three are part of the broader [XDLC ecosystem](https://github.com/BaseInfinity/xdlc) — generalized lifecycle enforcement across agents and domains.
276
+ All four are part of the broader [XDLC ecosystem](https://github.com/BaseInfinity/xdlc) — generalized lifecycle enforcement across agents and domains.
273
277
 
274
278
  ## Community
275
279
 
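Review bot: the function-context line of this hunk still reads "This wizard is one of three published siblings", so the intro paragraph now contradicts the four-row table and the "All four" sentence that follows it; update it in the same change. The 1.64.0 changelog entry says three doc-consistency tests check that README, wizard doc and ROADMAP cross-reference all three siblings, so those tests and the wizard-doc and ROADMAP cross-references most likely need the fourth package as well.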
@@ -218,7 +218,14 @@ esac
218
218
  # Unknown value (e.g. typo "bogus") → also falls through to real check
219
219
  # rather than silently bypassing safety. The safer-than-the-typo path.
220
220
  if [ "$DRY_RUN_GIT_HANDLED" -eq 0 ] && [ -d "$GITDIR" ]; then
221
- if [ -e "$GITDIR/REBASE_HEAD" ] || [ -d "$GITDIR/rebase-merge" ] || [ -d "$GITDIR/rebase-apply" ]; then
221
+ # Only the rebase-{merge,apply}/ dir is authoritative for "rebase in progress."
222
+ # .git/REBASE_HEAD is a rebase-related ref (the stopped/replayed commit) that
223
+ # is not authoritative on its own — it can persist as a stale marker after a
224
+ # rebase finishes cleanly: git removes the dir but leaves REBASE_HEAD around
225
+ # for diff/log lookups. Including it in the OR-chain caused false-positive
226
+ # HOLDs that blocked manual /compact for users whose previous rebase had
227
+ # completed (hit live 2026-05-05). `git status` keys on the dirs too.
228
+ if [ -d "$GITDIR/rebase-merge" ] || [ -d "$GITDIR/rebase-apply" ]; then
222
229
  HOLD_REASONS="${HOLD_REASONS} - Git rebase in progress. Compacting mid-rebase loses the operation's context.
223
230
  Resolve: finish or abort the rebase before /compact."$'\n'
224
231
  fi
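Review bot: `rebase-apply/` is also the state directory for an in-progress `git am`, so after this change the HOLD fires with "Git rebase in progress" and the hint "finish or abort the rebase" during an interrupted `am` session. Holding there is probably still right, but the message is wrong for that case; git itself tells the two apart with the marker files `rebase-apply/rebasing` and `rebase-apply/applying`, so either test for `rebase-apply/rebasing` explicitly or broaden the message to cover `git am`. The comment should also spell out that only the directories are checked now, since the old `REBASE_HEAD` predicate is what the 1.73.0 entry says was removed.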
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentic-sdlc-wizard",
3
- "version": "1.72.0",
3
+ "version": "1.74.0",
4
4
  "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
5
5
  "bin": {
6
6
  "sdlc-wizard": "cli/bin/sdlc-wizard.js"
@@ -6,6 +6,12 @@ effort: high
6
6
  ---
7
7
  # SDLC Skill - Full Development Workflow
8
8
 
9
+ ## Skill source & precedence
10
+
11
+ This skill is loaded from **`.claude/skills/sdlc/SKILL.md`** in the active repo (symlinked to `skills/sdlc/SKILL.md` in the wizard's source tree). Claude Code prefers repo-local skills over global (`~/.claude/skills/sdlc/SKILL.md`) when both exist with the same name — the repo-local copy is the project's authoritative workflow contract. Use global skills only for cross-repo personal tooling (e.g. `feedback`, `revise-claude-md`); use repo-local for implementation, tests, release, and verification in this repo.
12
+
13
+ If unsure which copy is active, compare `head -5 .claude/skills/sdlc/SKILL.md` against `head -5 ~/.claude/skills/sdlc/SKILL.md`. The repo-local copy wins. Don't mix guidance from both — pick the source for this repo and stay there.
14
+
9
15
  ## Task
10
16
  $ARGUMENTS
11
17
 
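Review bot: the `head -5` comparison cannot tell which copy Claude Code loaded when the two files are identical, which is the normal case for a symlink or a fresh install; `ls -l` on both paths (symlink target) or `diff -q` answers the actual question, and if the preamble keeps `head -5` it should say what difference the reader is supposed to see in those five lines. Also, "symlinked to `skills/sdlc/SKILL.md` in the wizard's source tree" is only true inside the wizard repo itself; consumer repos receive copies written by `init` (the #323 entry describes `init --force` overwriting and creating them), yet this file ships to every consumer, so word it for both cases. The precedence statement is a claim about Claude Code behaviour and deserves a version pin like the other behavioural claims in this release.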
@@ -126,7 +132,7 @@ PROTOCOL is universal across domains; only `review_instructions` and `verificati
126
132
 
127
133
  1. **Preflight** (`.reviews/preflight-{review_id}.md`) — what you already checked: `/code-review` passed, tests passing, manual verifications, known limits. Reduces reviewer findings to 0-1/round.
128
134
  2. **Mission-first handoff** (`.reviews/handoff.json`) — required JSON keys: `"review_id"`, `"status": "PENDING_REVIEW"`, `"round": 1`, `"mission"` / `"success"` / `"failure"` (2-3 sentences each — without them you get "looks good"), `"files_changed"`, `"verification_checklist"` — the **verification checklist** is specific items with file:line refs (NOT a generic "review this"), `"review_instructions"`, `"preflight_path"`. Optional `"pr_number":` opts into the PreCompact self-heal (#209): if PR is MERGED, `/compact` treats handoff as implicit CERTIFIED.
129
- 3. **Run reviewer:** `codex exec -c 'model_reasoning_effort="xhigh"' -s danger-full-access -o .reviews/latest-review.md "<prompt>"`. Always `xhigh`. CC sandbox blocks Codex's Rust binary (`SCDynamicStore`) — use `dangerouslyDisableSandbox: true` on Bash; Codex has its own sandbox. xhigh runs take 1-5 min; for a heartbeat use `scripts/codex-review-with-progress.sh`.
135
+ 3. **Run reviewer:** `codex exec -c 'model_reasoning_effort="xhigh"' -s danger-full-access -o .reviews/latest-review.md "<prompt>" < /dev/null`. Always `xhigh`. **Always append `< /dev/null`** — codex blocks on stdin reads from non-interactive parents (background, hooks, CI, CC Bash tool); without the redirect it hangs at S/0% CPU indefinitely. CC sandbox blocks Codex's Rust binary (`SCDynamicStore`) — use `dangerouslyDisableSandbox: true` on Bash; Codex has its own sandbox. xhigh runs take 1-5 min; for a heartbeat use `scripts/codex-review-with-progress.sh` (already redirects child stdin).
130
136
  4. **Dialogue loop:** per-finding response (`{"finding": "1", "action": "FIXED|DISPUTED|ACCEPTED", "summary": "..."}` in `.reviews/response.json`). Bump round, set status `PENDING_RECHECK`, add `fixes_applied` (numbered, file:line). Recheck prompt: "TARGETED RECHECK. FIXED → verify certify condition. DISPUTED → ACCEPT if sound, REJECT with reasoning. ACCEPTED → verify applied. No new findings unless P0."
131
137
 
132
138
  **Convergence:** 2 rounds sweet spot, 3 max (research: 14 repos + 7 papers). After 3 still NOT CERTIFIED → escalate.
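Review bot: step 3 disables the Claude Code sandbox (`dangerouslyDisableSandbox: true`) on the grounds that "Codex has its own sandbox", then invokes Codex with `-s danger-full-access`, which switches Codex's sandbox off as well; the reviewer therefore runs with no sandbox at either layer, taking its instructions from `.reviews/handoff.json`, a file written by the agent under review. If full access is genuinely needed for the review, state why in the step; otherwise prefer `-s read-only` (the changelog repro used it) so the `SCDynamicStore` workaround is the only privilege change. Separately, the `< /dev/null` added here is on a one-liner, so the doc test described in the changelog (multi-line blocks only) will not catch its removal.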
@@ -161,7 +167,7 @@ Mandatory steps:
161
167
  1. Push to remote
162
168
  2. `gh pr checks --watch`
163
169
  3. **Read CI logs whether pass or fail** (`gh run view <RUN_ID> --log`, not just `--log-failed`). Passing CI hides warnings, skipped steps, degraded scores
164
- 4. **Cross-model audit the CI logs** — pipe to a tmp file, run `codex exec -c 'model_reasoning_effort="xhigh"' -s danger-full-access` with *"Audit for silent failures, skipped tests, degraded metrics, warnings-that-should-be-errors."* Tier 1 + Tier 2 separately
170
+ 4. **Cross-model audit the CI logs** — pipe to a tmp file, run `codex exec -c 'model_reasoning_effort="xhigh"' -s danger-full-access "<audit prompt>" < /dev/null` (always append `< /dev/null` — stdin-hang fix) with *"Audit for silent failures, skipped tests, degraded metrics, warnings-that-should-be-errors."* Tier 1 + Tier 2 separately
165
171
  5. CI fails → diagnose, fix, push (max 2 attempts)
166
172
  6. CI passes → `gh api repos/OWNER/REPO/pulls/PR/comments` for review feedback
167
173
  7. Implement valid suggestions (bugs, perf, missing error handling, dedup, coverage). Skip opinions/style. Max 3 iterations
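Review bot: after inserting the `"<audit prompt>"` placeholder, the sentence still continues with 'with *"Audit for silent failures, ..."*', so the prompt now appears twice, once as a placeholder and once as the text it stands for; put the audit text directly in the command and drop the placeholder. The parenthetical "(always append `< /dev/null` — stdin-hang fix)" also repeats the rule already given in step 3 of the cross-model review section above; one statement per file is enough.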
@@ -309,8 +309,9 @@ Tell the user:
309
309
  > - After a few sessions, run `/less-permission-prompts` — a native Claude Code skill
310
310
  > that scans your transcripts for common read-only Bash/MCP calls and proposes a
311
311
  > prioritized allowlist. Reduces permission friction without enabling auto mode.
312
+ > - Run `/insights` (native CC, v2.1.101+) **monthly** to surface friction patterns from your session history — `underlying_goal`, `outcome`, `friction_counts`, `user_satisfaction_counts`. Output is **qualitative-only**; it does NOT replace token-spike detection (ROADMAP #220 / `hooks/token-spike-check.sh`) which needs raw session JSONL (`~/.claude/projects/<proj>/<session>.jsonl`, `usage.cache_read_input_tokens` per turn).
312
313
  >
313
- > Both are complementary to the SDLC wizard — they add tooling and quality-of-life, not process enforcement.
314
+ > All three are complementary to the SDLC wizard — they add tooling and quality-of-life, not process enforcement.
314
315
 
315
316
  ## Rules
316
317
 
@@ -93,17 +93,17 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
93
93
 
94
94
  ```
95
95
  Installed: 1.42.0
96
- Latest: 1.72.0
96
+ Latest: 1.74.0
97
97
 
98
98
  What changed:
99
+ - [1.74.0] Salvage from closed v1.43 PR. Ships #338 SDLC-skill source-and-precedence preamble; #235(a)(b) `/insights` guidance + allowlist (qualitative-only — NOT a substitute for #220 token-spike); codex stdin-hang fix (`< /dev/null` on all multi-line `codex exec` blocks + wrapper, codex-cli 0.130.0); `test-hooks.sh` env-isolation.
100
+ - [1.73.0] precompact stale REBASE_HEAD fix + bloat sweep — `hooks/precompact-seam-check.sh` no longer false-positive HOLDs `/compact` when a finished rebase left REBASE_HEAD behind without `rebase-{merge,apply}/` dirs (hit live 2026-05-05). 15 tracked review/plan artifacts deleted (-460 LOC).
99
101
  - [1.72.0] #323 closed — customization-aware `check` recommendation + new `--preserve-customized` flag. `init --force --preserve-customized` skips CUSTOMIZED files (action `PRESERVE`), still OVERWRITEs MATCH and CREATEs MISSING. Default `init --force` unchanged. 10 tests.
100
- - [1.71.0] token-bloat phase 3`skills/sdlc/SKILL.md` Cross-Model Review trimmed (~70 ~20 lines, -427 tokens). Full protocol + examples moved to canonical `CLAUDE_CODE_SDLC_WIZARD.md` "Cross-Model Review Loop" section.
101
- - [1.70.0] token-bloat fix phase 2 — `hooks/tdd-pretool-check.sh` TDD CHECK JSON nudge fires once per CC `session_id` instead of every src/ edit. Saves ~0.5-1.5K tokens/session.
102
- - [1.69.0] token-bloat fix phase 1 — `hooks/sdlc-prompt-check.sh` BASELINE block fires once per CC `session_id`. Saves ~12K tokens/session.
102
+ - [1.71.0–1.69.0] token-bloat sweep #236three phases: BASELINE block fires once per `session_id` (-12K/session), TDD CHECK fires once per `session_id` (-0.5-1.5K/session), `skills/sdlc/SKILL.md` Cross-Model Review trimmed (full protocol moved to canonical wizard doc).
103
103
  - [1.68.0–1.65.0] roadmap hygiene — five paperwork closes: #97 Anthropic Policy NO-GO + AAR-paper validating parallel; #99 AutoGPT NO-GO; #95 Nous NO-GO; #243 token-history liveness verified; #210 Node-24 false-green; #235 Thoughtworks AI Evals NO-GO. **6/6 external-product audits NO-GO** (continues #76, #77). Research write-ups in `.reviews/research-*.md`.
104
104
  - [1.64.0] XDLC ecosystem cross-references — README, wizard doc, and ROADMAP now cross-reference all three sibling packages (`agentic-sdlc-wizard`, `codex-sdlc-wizard`, `claude-gdlc-wizard`). New "Ecosystem (Sibling Projects)" section in README. 3 new doc-consistency tests prevent drift.
105
- - [1.63.0] cache-cost observability closeout (#204 absorbed by #220) — `tests/test-token-spike.sh` gains explicit cache-miss regression test + negative-control test. SDLC skill + wizard doc gain "Cache-Cost Surprises" sections covering 10-20× silent cost blowups (mid-session CLAUDE.md edits, idle pruning, upstream cache bugs) and detection via `hooks/token-spike-check.sh`'s `costly_tokens` metric.
106
- - [1.62.0] roadmap hygiene + #211 backfill — closes paperwork-stale rows (#207, #211 historical, #215, #217, #78, #79, #80, #219). Backfilled 5 corrupted `score-history.jsonl` rows from `max_score:10` → `max_score:11` (UI scenarios with design_system criterion). Codex strategic review confirmed scope.
105
+ - [1.63.0] cache-cost observability closeout (#204 absorbed by #220) — token-spike test gains explicit cache-miss + negative-control coverage. "Cache-Cost Surprises" docs added (10-20× silent blowups from mid-session CLAUDE.md edits, idle pruning).
106
+ - [1.62.0] roadmap hygiene + #211 backfill — closes paperwork-stale rows. Backfilled 5 corrupted `score-history.jsonl` rows from `max_score:10` → `:11` (UI scenarios). Codex strategic review confirmed scope.
107
107
  - [1.61.0] calibration scenarios for #96 Phase 3 PR 2 — `tests/e2e/scenarios/calibration-careful-read.md` (parsePrice with 5 edge-case formats) tests whether self-review catches missed requirements. Score delta between SDLC and naive agents on this scenario is a calibration signal for `lift-proof.sh`
108
108
  - [1.60.0] wizard-installation lift-proof harness (#96 Phase 3 PR 1) — `tests/e2e/lift-proof.sh` runs same scenario on bare vs wizard-installed fixture, emits score delta. Closes the "does the wizard work?" question. Honestly zero-API (sim + eval on Max)
109
109
  - [1.59.0] evaluator on Max via `claude --print` (#228) — `EVAL_USE_CLI=1` swaps `evaluate.sh`'s per-criterion judge transport from `curl` → API to `claude --print --output-format json`. local-shepherd.sh sets it by default, so the local path is honestly zero-API