agentic-sdlc-wizard 1.74.0 → 1.75.1

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.74.0",
+      "version": "1.75.1",
       "author": {
         "name": "Stefan Ayala"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.74.0",
+  "version": "1.75.1",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

package/CHANGELOG.md

@@ -4,6 +4,56 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.75.1] - 2026-05-20
+
+### Fixed
+
+- **`release.yml` npm-upgrade step failed during v1.75.0 publish.** The `npm install -g npm@latest` step hit `npm error code MODULE_NOT_FOUND` / `Cannot find module 'promise-retry'` on the GitHub-hosted runner — a documented npm CLI bug where the in-place self-upgrade corrupts its own module tree mid-install. Bumped `actions/setup-node@v5` to `node-version: 24` (ships npm 11.x natively), dropped the unreliable `npm install -g` step entirely, and added an explicit `npm --version` fail-loud guard that aborts the publish if Node ever ships an npm older than 11.5.1. v1.75.0 is a tagged-but-unpublished version on GitHub; v1.75.1 supersedes it as the first version actually shipped via Trusted Publishing.
+
+### Process post-mortem (for /sdlc Lessons Learned)
+
+Two process gaps shipped this minor release:
+
+1. **CI doesn't exercise `release.yml`.** `tests/test-release-workflow.sh` greps the workflow YAML but no test actually executes the npm-upgrade step on a runner. The MODULE_NOT_FOUND bug is invisible to unit tests. Future-proofing options: (a) add a `release-dry-run` job in CI that runs the publish steps with `--dry-run` against a throwaway scope, (b) accept that some failures are only visible at deploy time and document a fast rollback path. Tracked as a roadmap follow-up.
+2. **`tag-then-publish` has a feedback gap.** v1.75.0 was tagged before the npm publish succeeded, leaving an inconsistent state where the git tag and the npm registry disagree (no GitHub Release page was ever created — that step was skipped after the publish failed). Mitigation already in place: tag verification (`git merge-base --is-ancestor` + `tag-vs-package.json` match), but neither catches "tag pushed, publish failed." Roadmap follow-up: gate the GitHub Release creation step on `npm publish` success (workflow already does this via step ordering), but also surface an explicit "PUBLISH FAILED — DO NOT TAG NEXT VERSION FROM THIS BASE" notice in the failed run.
+
+Both items added to ROADMAP as v1.76.0+ candidates. Neither blocked v1.75.1 shipping.
+
+### Test
+
+- `tests/test-release-workflow.sh::test_upgrades_npm_for_trusted_publishing` rewritten to accept either strategy: (a) Node ≥24 + explicit `npm --version` guard, or (b) explicit `npm install -g npm@…` step before publish. The new strategy (a) is what 1.75.1 uses; the test still catches a future revert to either no-guard Node 24 (which could silently downgrade) or back to the unreliable in-place upgrade.
+
+## [1.75.0] - 2026-05-20
+
+### Changed
+
+- **`release.yml` migrated to npm Trusted Publishing (OIDC).** Long-lived `NPM_TOKEN` retired in favor of per-publish OIDC auth via GitHub Actions (`id-token: write` was already set for SLSA provenance). The `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env was removed, the `--provenance` flag was dropped (trusted publish auto-generates provenance), and a new step upgrades npm CLI to ≥ 11.5.1 (Node 22's bundled npm 10.9.x lacks Trusted Publishing support, which would silently fall back to token mode and re-introduce this failure class). Triggered by v1.74.0 publish failing with `404 Not Found - PUT` (revoked/expired token), then `EOTP` (token missing 2FA bypass). With Trusted Publishing there is no token to rotate, expire, mis-scope, or 2FA-gate — the workflow authenticates as itself against the registry via OIDC every time.
+
+### Required one-time setup (after merging this PR, before tagging v1.75.0)
+
+Maintainer must configure the publisher on the npm package page:
+
+1. https://www.npmjs.com/package/agentic-sdlc-wizard → **Settings**
+2. **Publishing access** → **GitHub Actions**
+3. Repository owner: `BaseInfinity`, repository name: `claude-sdlc-wizard`, workflow filename: `release.yml`, environment: (leave blank)
+4. **Save**
+
+After that, `git tag v1.75.0 && git push origin v1.75.0` publishes via OIDC with zero token interaction.
+
+### Removed
+
+- `NPM_TOKEN` GitHub secret is no longer used. After verifying v1.75.0 ships cleanly, the maintainer can revoke the granular access token on npmjs.com and delete the GH secret — both are dead weight.
+
+### Tests
+
+- `tests/test-release-workflow.sh::test_uses_trusted_publishing_not_token` — fails if `NODE_AUTH_TOKEN:` reappears in `release.yml` env (i.e., a revert to token-based publishing). Replaces the prior `test_references_npm_token` which asserted NPM_TOKEN's presence (now backwards).
+- `tests/test-release-workflow.sh::test_upgrades_npm_for_trusted_publishing` — fails if the `npm install -g npm@latest` (or pinned `>=11.5.1`) step is missing. Without the CLI upgrade, publishes silently fall back to token mode and reproduce the v1.74.0 EOTP failure.
+- All 15 release-workflow tests green.
+
+### Why this happened now (one-paragraph post-mortem)
+
+The 2026-05-21 v1.74.0 release was the first wizard release after the `NPM_TOKEN` secret aged past npm's automation token TTL. The token had successfully shipped v1.69.0 → v1.73.0 over the prior 2 weeks, then silently expired between v1.73.0 (2026-05-06) and v1.74.0 (2026-05-20). Symptom 1: `404 Not Found - PUT registry.npmjs.org/agentic-sdlc-wizard` — npm returns 404 (not 401) when a token doesn't recognize itself as a package maintainer, which makes the failure look like a missing package. Symptom 2 after rotation: `EOTP — This operation requires a one-time password from your authenticator` — the new granular token was created without the "Bypass two-factor authentication (2FA)" checkbox set, which npm requires for CI tokens. Both symptoms are eliminated by Trusted Publishing: no token, no expiry, no 2FA mode mismatch, and short-lived OIDC credentials are minted fresh per publish so revocation is automatic. Pattern: every npm token in CI is a latent ticking bomb. This PR defuses it permanently.
+
 ## [1.74.0] - 2026-05-17
 
 ### Salvaged from closed v1.43.0-quick-wins branch (PR #340)

package/CLAUDE_CODE_SDLC_WIZARD.md

@@ -2981,7 +2981,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.74.0 -->
+<!-- SDLC Wizard Version: 1.75.1 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->
@@ -4079,7 +4079,7 @@ Walk through updates? (y/n)
 Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
 
 ```markdown
-<!-- SDLC Wizard Version: 1.74.0 -->
+<!-- SDLC Wizard Version: 1.75.1 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: PRs -->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.74.0",
+  "version": "1.75.1",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "cli/bin/sdlc-wizard.js"

package/skills/update/SKILL.md

@@ -93,13 +93,15 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
 
 ```
 Installed: 1.42.0
-Latest:    1.74.0
+Latest:    1.75.1
 
 What changed:
-- [1.74.0] Salvage from closed v1.43 PR. Ships #338 SDLC-skill source-and-precedence preamble; #235(a)(b) `/insights` guidance + allowlist (qualitative-only — NOT a substitute for #220 token-spike); codex stdin-hang fix (`< /dev/null` on all multi-line `codex exec` blocks + wrapper, codex-cli 0.130.0); `test-hooks.sh` env-isolation.
-- [1.73.0] precompact stale REBASE_HEAD fix + bloat sweep — `hooks/precompact-seam-check.sh` no longer false-positive HOLDs `/compact` when a finished rebase left REBASE_HEAD behind without `rebase-{merge,apply}/` dirs (hit live 2026-05-05). 15 tracked review/plan artifacts deleted (-460 LOC).
+- [1.75.1] release-workflow fix — Node 22 → 24 (ships npm 11.x), dropped flaky `npm install -g` self-upgrade (hit MODULE_NOT_FOUND on v1.75.0 publish). Explicit npm-version guard.
+- [1.75.0] npm Trusted Publishing — `release.yml` swapped from `NPM_TOKEN` to OIDC. No more token rotation. Requires one-time publisher config on the npm package page.
+- [1.74.0] Salvage from v1.43 PR: #338 sdlc-skill source-precedence preamble; #235(a)(b) `/insights` guidance; codex stdin-hang `< /dev/null` fix; test-hooks env-isolation.
+- [1.73.0] precompact stale REBASE_HEAD fix + bloat sweep — `hooks/precompact-seam-check.sh` no longer HOLDs `/compact` on stale REBASE_HEAD without `rebase-{merge,apply}/` dirs. 15 tracked artifacts deleted (-460 LOC).
 - [1.72.0] #323 closed — customization-aware `check` recommendation + new `--preserve-customized` flag. `init --force --preserve-customized` skips CUSTOMIZED files (action `PRESERVE`), still OVERWRITEs MATCH and CREATEs MISSING. Default `init --force` unchanged. 10 tests.
-- [1.71.0–1.69.0] token-bloat sweep #236 — three phases: BASELINE block fires once per `session_id` (-12K/session), TDD CHECK fires once per `session_id` (-0.5-1.5K/session), `skills/sdlc/SKILL.md` Cross-Model Review trimmed (full protocol moved to canonical wizard doc).
+- [1.71.0–1.69.0] token-bloat sweep #236 — BASELINE + TDD CHECK fire once per `session_id` (-12K, -0.5-1.5K); sdlc-skill Cross-Model Review trimmed.
 - [1.68.0–1.65.0] roadmap hygiene — five paperwork closes: #97 Anthropic Policy NO-GO + AAR-paper validating parallel; #99 AutoGPT NO-GO; #95 Nous NO-GO; #243 token-history liveness verified; #210 Node-24 false-green; #235 Thoughtworks AI Evals NO-GO. **6/6 external-product audits NO-GO** (continues #76, #77). Research write-ups in `.reviews/research-*.md`.
 - [1.64.0] XDLC ecosystem cross-references — README, wizard doc, and ROADMAP now cross-reference all three sibling packages (`agentic-sdlc-wizard`, `codex-sdlc-wizard`, `claude-gdlc-wizard`). New "Ecosystem (Sibling Projects)" section in README. 3 new doc-consistency tests prevent drift.
 - [1.63.0] cache-cost observability closeout (#204 absorbed by #220) — token-spike test gains explicit cache-miss + negative-control coverage. "Cache-Cost Surprises" docs added (10-20× silent blowups from mid-session CLAUDE.md edits, idle pruning).