agentic-sdlc-wizard 1.74.0 → 1.76.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,79 @@ All notable changes to the SDLC Wizard.
|
|
|
4
4
|
|
|
5
5
|
> **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
|
|
6
6
|
|
|
7
|
+
## [1.76.0] - 2026-05-24
|
|
8
|
+
|
|
9
|
+
### Added
|
|
10
|
+
|
|
11
|
+
- **Native `/goal` wrapper in `/sdlc` skill** (closes #347). CC v2.1.139 shipped a native `/goal <condition>` command — set a completion condition, Haiku evaluator re-checks the transcript per turn until met. The /sdlc skill now carries a tight wrapper section with 5 load-bearing elements: pre-flight checklist (workspace trusted, hooks not disabled, CC ≥ v2.1.143 for the subagent-race fix), condition-as-SDLC-contract guidance (measurable end state + check + constraints + hard turn/time bound since there's no native cap), compose-with-hooks note (UserPromptSubmit/SessionStart/PreCompact fire normally per turn), `--resume` resets counters caveat, and the off-transcript anti-pattern callout (the evaluator cannot call tools, so `/goal "production is healthy"` is wrong — it can only judge what's in the conversation). New quality test `test_sdlc_skill_has_goal_wrapper` greps for each element by keyword. Per Prove-It Gate absorption principle: extends the existing /sdlc skill, no new skill/hook/template scaffolding.
|
|
12
|
+
- **CC v2.1.119 → v2.1.150 feature adoption** in `CLAUDE_CODE_SDLC_WIZARD.md` "Complementary native skills" table: `/code-review [effort] [--comment]` (v2.1.147+, renamed from `/simplify`, posts findings as inline GH PR comments), `/usage` per-category breakdown of limits usage (v2.1.149+ — skills, subagents, plugins, MCP-server costs), `/context all` per-skill per-model token estimates (v2.1.139+). Each row carries usage guidance with the same caveat discipline applied to `/insights` (#235a).
|
|
13
|
+
- **`Claude Code Recommended` baseline guidance** in `SDLC.md` — new row at `v2.1.150+` alongside the unchanged `Claude Code Minimum` floor at `v2.1.111+`. Splits "what we require" from "what unlocks the latest features" without breaking back-compat for consumers still on the minimum.
|
|
14
|
+
|
|
15
|
+
### Changed
|
|
16
|
+
|
|
17
|
+
- **ROADMAP cleanup with demand-signal-first entry gate** (PR #349). New top-of-ROADMAP gate: new entries require one of a maintainer pain event with repro, a second external user signal, a dated platform deadline, or a low-cost cleanup. Everything else goes to a Research Parking Lot with 30/60-day expiry — if the trigger hasn't fired by expiry, the item is deleted rather than carried forward. Excised 4 items now tracked in sibling repos (#9 OpenCode → `BaseInfinity/opencode-sdlc-wizard`, #82 Domain DLCs → Stefan's separate track, #91 Multi-Agent Adapter umbrella → per-adapter sibling repos, Back Burner Agent-agnostic SDLC). Killed 4 stale items with no demand signal (#85 Phase 2 — 1.7 months stale, killed by #231 zero-cron philosophy; #233 automation subitems — 1 month stale, Max-user footgun; Back Burner Chaos/Resilience Testing — 1.8 months, no concrete failure; Back Burner Subagent Model Compliance Audit — 3+ months, prototype already deleted in #236). Source: cross-model prioritization at `.reviews/roadmap-prio-codex.md`.
|
|
18
|
+
- **#347 corrected from "no native primitive" to "native `/goal` exists, build the wrapper"**. The original 2026-05-23 research (claude-code-guide subagent) was wrong — CC v2.1.139 had shipped `/goal` weeks earlier. Implementation scope shrunk from a 5-step plan + GOAL.md/HANDOFF.md templates down to a ~30-line wrapper in the existing `/sdlc` skill (now shipped — see Added). Meta-lesson captured: require explicit citation of an authoritative source (docs index, raw changelog grep) before accepting a "feature does not exist" claim — negative claims are easier to fake than positive ones.
|
|
19
|
+
|
|
20
|
+
### Added (ROADMAP only — implementation deferred)
|
|
21
|
+
|
|
22
|
+
- **#302 — User-level setup-wizard + repo-local lifecycle split** (PR #346). Cross-model design review (Codex gpt-5.5 xhigh) scored Claude's first-pass 5/10 NOT CERTIFIED and replaced it with a concrete channel contract: plugin = user-level/global, npm/npx = repo-local, no npm `postinstall` writing to `~/.claude/`. Implementation deferred per demand-signal-first gate.
|
|
23
|
+
- **#350 — CC feature-discovery cadence fix** (PR #350). Captures the process gap that let `/goal` slip past for ~5 weeks: #231 Phase 3d gutted the in-CI LLM-ranker to take `weekly-update.yml` to $0, and the maintainer-run replacement on Max never ran. Proposed fix: a thin GH-API-only check that opens a "CC version drift" issue when our `<!-- SDLC Wizard Version -->` baseline is >5 minor versions behind latest npm. No LLM, no API spend.
|
|
24
|
+
|
|
25
|
+
### Notes
|
|
26
|
+
|
|
27
|
+
- **Trusted Publishing flow is stable.** Second release shipped via OIDC since the v1.75.0 migration; no token to rotate, expire, mis-scope, or 2FA-gate.
|
|
28
|
+
- **Inventory of all 32 missed CC versions** (v2.1.119 → v2.1.150) lives at `.reviews/cc-feature-inventory-2026-05-24.md` (gitignored) with HIGH/MEDIUM/LOW relevance triage and the adoption sequence for follow-up PRs. After verifying against CC's hook docs, H2 (`$CLAUDE_EFFORT` env var) and H8 (Stop hook `background_tasks`) were demoted to non-applicable: `$CLAUDE_EFFORT` is only available in tool-use-context hooks (not our SessionStart-typed `model-effort-check.sh`), and `background_tasks` is only in Stop/SubagentStop input (not our PreCompact-typed `precompact-seam-check.sh`). The existing hook code is correct as-written.
|
|
29
|
+
|
|
30
|
+
## [1.75.1] - 2026-05-20
|
|
31
|
+
|
|
32
|
+
### Fixed
|
|
33
|
+
|
|
34
|
+
- **`release.yml` npm-upgrade step failed during v1.75.0 publish.** The `npm install -g npm@latest` step hit `npm error code MODULE_NOT_FOUND` / `Cannot find module 'promise-retry'` on the GitHub-hosted runner — a documented npm CLI bug where the in-place self-upgrade corrupts its own module tree mid-install. Bumped `actions/setup-node@v5` to `node-version: 24` (ships npm 11.x natively), dropped the unreliable `npm install -g` step entirely, and added an explicit `npm --version` fail-loud guard that aborts the publish if Node ever ships an npm older than 11.5.1. v1.75.0 is a tagged-but-unpublished version on GitHub; v1.75.1 supersedes it as the first version actually shipped via Trusted Publishing.
|
|
35
|
+
|
|
36
|
+
### Process post-mortem (for /sdlc Lessons Learned)
|
|
37
|
+
|
|
38
|
+
Two process gaps shipped this minor release:
|
|
39
|
+
|
|
40
|
+
1. **CI doesn't exercise `release.yml`.** `tests/test-release-workflow.sh` greps the workflow YAML but no test actually executes the npm-upgrade step on a runner. The MODULE_NOT_FOUND bug is invisible to unit tests. Future-proofing options: (a) add a `release-dry-run` job in CI that runs the publish steps with `--dry-run` against a throwaway scope, (b) accept that some failures are only visible at deploy time and document a fast rollback path. Tracked as a roadmap follow-up.
|
|
41
|
+
2. **`tag-then-publish` has a feedback gap.** v1.75.0 was tagged before the npm publish succeeded, leaving an inconsistent state where the git tag and the npm registry disagree (no GitHub Release page was ever created — that step was skipped after the publish failed). Mitigation already in place: tag verification (`git merge-base --is-ancestor` + `tag-vs-package.json` match), but neither catches "tag pushed, publish failed." Roadmap follow-up: gate the GitHub Release creation step on `npm publish` success (workflow already does this via step ordering), but also surface an explicit "PUBLISH FAILED — DO NOT TAG NEXT VERSION FROM THIS BASE" notice in the failed run.
|
|
42
|
+
|
|
43
|
+
Both items added to ROADMAP as v1.76.0+ candidates. Neither blocked v1.75.1 shipping.
|
|
44
|
+
|
|
45
|
+
### Test
|
|
46
|
+
|
|
47
|
+
- `tests/test-release-workflow.sh::test_upgrades_npm_for_trusted_publishing` rewritten to accept either strategy: (a) Node ≥24 + explicit `npm --version` guard, or (b) explicit `npm install -g npm@…` step before publish. The new strategy (a) is what 1.75.1 uses; the test still catches a future revert to either no-guard Node 24 (which could silently downgrade) or back to the unreliable in-place upgrade.
|
|
48
|
+
|
|
49
|
+
## [1.75.0] - 2026-05-20
|
|
50
|
+
|
|
51
|
+
### Changed
|
|
52
|
+
|
|
53
|
+
- **`release.yml` migrated to npm Trusted Publishing (OIDC).** Long-lived `NPM_TOKEN` retired in favor of per-publish OIDC auth via GitHub Actions (`id-token: write` was already set for SLSA provenance). The `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env was removed, the `--provenance` flag was dropped (trusted publish auto-generates provenance), and a new step upgrades npm CLI to ≥ 11.5.1 (Node 22's bundled npm 10.9.x lacks Trusted Publishing support, which would silently fall back to token mode and re-introduce this failure class). Triggered by v1.74.0 publish failing with `404 Not Found - PUT` (revoked/expired token), then `EOTP` (token missing 2FA bypass). With Trusted Publishing there is no token to rotate, expire, mis-scope, or 2FA-gate — the workflow authenticates as itself against the registry via OIDC every time.
|
|
54
|
+
|
|
55
|
+
### Required one-time setup (after merging this PR, before tagging v1.75.0)
|
|
56
|
+
|
|
57
|
+
Maintainer must configure the publisher on the npm package page:
|
|
58
|
+
|
|
59
|
+
1. https://www.npmjs.com/package/agentic-sdlc-wizard → **Settings**
|
|
60
|
+
2. **Publishing access** → **GitHub Actions**
|
|
61
|
+
3. Repository owner: `BaseInfinity`, repository name: `claude-sdlc-wizard`, workflow filename: `release.yml`, environment: (leave blank)
|
|
62
|
+
4. **Save**
|
|
63
|
+
|
|
64
|
+
After that, `git tag v1.75.0 && git push origin v1.75.0` publishes via OIDC with zero token interaction.
|
|
65
|
+
|
|
66
|
+
### Removed
|
|
67
|
+
|
|
68
|
+
- `NPM_TOKEN` GitHub secret is no longer used. After verifying v1.75.0 ships cleanly, the maintainer can revoke the granular access token on npmjs.com and delete the GH secret — both are dead weight.
|
|
69
|
+
|
|
70
|
+
### Tests
|
|
71
|
+
|
|
72
|
+
- `tests/test-release-workflow.sh::test_uses_trusted_publishing_not_token` — fails if `NODE_AUTH_TOKEN:` reappears in `release.yml` env (i.e., a revert to token-based publishing). Replaces the prior `test_references_npm_token` which asserted NPM_TOKEN's presence (now backwards).
|
|
73
|
+
- `tests/test-release-workflow.sh::test_upgrades_npm_for_trusted_publishing` — fails if the `npm install -g npm@latest` (or pinned `>=11.5.1`) step is missing. Without the CLI upgrade, publishes silently fall back to token mode and reproduce the v1.74.0 EOTP failure.
|
|
74
|
+
- All 15 release-workflow tests green.
|
|
75
|
+
|
|
76
|
+
### Why this happened now (one-paragraph post-mortem)
|
|
77
|
+
|
|
78
|
+
The 2026-05-21 v1.74.0 release was the first wizard release after the `NPM_TOKEN` secret aged past npm's automation token TTL. The token had successfully shipped v1.69.0 → v1.73.0 over the prior 2 weeks, then silently expired between v1.73.0 (2026-05-06) and v1.74.0 (2026-05-20). Symptom 1: `404 Not Found - PUT registry.npmjs.org/agentic-sdlc-wizard` — npm returns 404 (not 401) when a token doesn't recognize itself as a package maintainer, which makes the failure look like a missing package. Symptom 2 after rotation: `EOTP — This operation requires a one-time password from your authenticator` — the new granular token was created without the "Bypass two-factor authentication (2FA)" checkbox set, which npm requires for CI tokens. Both symptoms are eliminated by Trusted Publishing: no token, no expiry, no 2FA mode mismatch, and short-lived OIDC credentials are minted fresh per publish so revocation is automatic. Pattern: every npm token in CI is a latent ticking bomb. This PR defuses it permanently.
|
|
79
|
+
|
|
7
80
|
## [1.74.0] - 2026-05-17
|
|
8
81
|
|
|
9
82
|
### Salvaged from closed v1.43.0-quick-wins branch (PR #340)
|
|
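Review bot: The 1.75.0 post-mortem paragraph dates the v1.74.0 release two different ways ("The 2026-05-21 v1.74.0 release" and "v1.74.0 (2026-05-20)"), and neither matches the unchanged `## [1.74.0] - 2026-05-17` heading just below the added block. The token-expiry timeline in that paragraph depends on the date, so settle on the date the registry shows and use it in all three places. Separately, step 3 of the one-time setup leaves the trusted-publisher environment blank, so publishing is gated only by repository owner, repository name and workflow filename. Consider naming a GitHub environment there and recording in the step why it is or is not used.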
@@ -2981,7 +2981,7 @@ If deployment fails or post-deploy verification catches issues:
|
|
|
2981
2981
|
|
|
2982
2982
|
**SDLC.md:**
|
|
2983
2983
|
```markdown
|
|
2984
|
-
<!-- SDLC Wizard Version: 1.
|
|
2984
|
+
<!-- SDLC Wizard Version: 1.76.0 -->
|
|
2985
2985
|
<!-- Setup Date: [DATE] -->
|
|
2986
2986
|
<!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
|
|
2987
2987
|
<!-- Git Workflow: [PRs or Solo] -->
|
|
@@ -4079,7 +4079,7 @@ Walk through updates? (y/n)
|
|
|
4079
4079
|
Store wizard state in `SDLC.md` as metadata comments (invisible to readers, parseable by Claude):
|
|
4080
4080
|
|
|
4081
4081
|
```markdown
|
|
4082
|
-
<!-- SDLC Wizard Version: 1.
|
|
4082
|
+
<!-- SDLC Wizard Version: 1.75.1 -->
|
|
4083
4083
|
<!-- Setup Date: 2026-01-24 -->
|
|
4084
4084
|
<!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
|
|
4085
4085
|
<!-- Git Workflow: PRs -->
|
|
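Review bot: The `+` line at 4082 sets the stored-state example to `SDLC Wizard Version: 1.75.1`, while the same release sets the template at 2984 to `1.76.0`. If this example is meant to track the current release, it is one version behind. If it is meant to show an arbitrary older install, say so in the sentence above the fence or use a placeholder version so the line does not need a bump on every release.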
@@ -4433,6 +4433,10 @@ The gap this closes: the advisor tool (API beta, `advisor-tool-2026-03-01`) ship
|
|
|
4433
4433
|
| `/less-permission-prompts` | Scans transcripts for common read-only Bash/MCP calls and proposes a prioritized allowlist | After a few sessions — reduces permission friction without auto mode |
|
|
4434
4434
|
| `/permissions` | Pre-allow specific commands and check them into `.claude/settings.json` | Anytime you want an auditable team allowlist |
|
|
4435
4435
|
| `/insights` | Local analyzer of your CC session history. Generates HTML report at `~/.claude/usage-data/report.html` + per-session facet JSON at `~/.claude/usage-data/facets/<session>.json`. Surfaces `underlying_goal`, `outcome`, `friction_counts`, `user_satisfaction_counts`, `brief_summary`, recurring friction patterns, suggested CLAUDE.md additions | Monthly — **qualitative-only**; see caveat below |
|
|
4436
|
+
| `/goal <condition>` (v2.1.139+) | Set a completion condition; Claude keeps working across turns until a separate evaluator pass (Haiku default) says it's met. Survives `--resume` (counters reset), not `/clear`. No disk writes — session-state only. Bound it yourself: `/goal "tests pass + git status clean, or stop after 20 turns"`. The evaluator judges the transcript only — it cannot run tools, so don't use `/goal` for "doneness" that lives off-transcript. Requires v2.1.143+ for the subagent-race fix. Composes cleanly with wizard hooks (`UserPromptSubmit`/`SessionStart`/`PreCompact` fire per turn) | Long-running goal-bound work — refactors, migrations, anything where "are we there yet?" has a checkable answer in the transcript |
|
|
4437
|
+
| `/code-review [effort] [--comment]` (v2.1.147+, renamed from `/simplify`) | Reports correctness bugs at chosen effort level; `--comment` posts findings as inline GitHub PR comments. Our /sdlc skill already invokes `/code-review`; the `--comment` flag streamlines CI shepherd workflows | Self-review during SDLC; PR review when shepherding |
|
|
4438
|
+
| `/usage` (v2.1.149+) | Per-category breakdown of limits usage — skills, subagents, plugins, per-MCP-server cost. Complement to `/context all` which shows per-skill per-model token estimates | When investigating session bloat / quota burn — pairs with `scripts/audit-session-load.sh` (#236) |
|
|
4439
|
+
| `/context all` (v2.1.139+) | Rounded token estimates per-skill per-model, names the providing plugin for plugin-sourced skills | Same as `/usage` — diagnose what's eating your context |
|
|
4436
4440
|
|
|
4437
4441
|
These are shipped by Claude Code itself. The wizard doesn't reimplement them — it points you at them so you benefit from the native version's ongoing maintenance.
|
|
4438
4442
|
|
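Review bot: In the added `/goal` row, the sample condition `tests pass + git status clean, or stop after 20 turns` sits next to the statement that the evaluator judges the transcript only and cannot run tools, so the row should say that the test and `git status` output must appear in the conversation for the condition to be checkable. The row also carries two version floors, `v2.1.139+` in the first column and `Requires v2.1.143+` in the description. Put the floor the wizard actually requires in the first column so it agrees with the `**requires v2.1.143+**` wording added to `skills/sdlc/SKILL.md`.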
package/package.json
CHANGED
package/skills/sdlc/SKILL.md
CHANGED
|
@@ -108,6 +108,10 @@ State your confidence before presenting an approach:
|
|
|
108
108
|
|
|
109
109
|
Use plan mode for: multi-file changes, new features, LOW confidence, bugs needing investigation. **Skip plan approval step** (auto-approval) when confidence HIGH (95%+) AND single-file/trivial AND no new patterns AND no architectural decisions — still announce approach, don't wait. When in doubt, wait.
|
|
110
110
|
|
|
111
|
+
## Long-Running Goals (`/goal`)
|
|
112
|
+
|
|
113
|
+
Native `/goal <condition>` (**requires v2.1.143+**). Haiku evaluator re-checks transcript per turn. **Pre-flight:** trusted workspace; `disableAllHooks`/`allowManagedHooksOnly` both off (it's a Stop hook). **Condition = SDLC contract:** measurable end state + check + constraints + hard turn/time bound (no native cap); e.g. `/goal "npm test=0, stop after 20 turns"`. **Anti-pattern:** evaluator **cannot call tools** — judges transcript only; don't use for off-transcript work. `--resume` resets counters.
|
|
114
|
+
|
|
111
115
|
## Recommended Model
|
|
112
116
|
|
|
113
117
|
**Opt-in: `opus[1m]` (Opus 4.7 with 1M context).** `/model opus[1m]` at the start of non-trivial sessions — understand the tradeoff (issue #198). A top-level `model` pin in `.claude/settings.json` disables CC's per-turn auto-selection; pin only when you need 1M headroom. Requires CC v2.1.111+.
|
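Review bot: The added paragraph at new line 113 carries four of the five elements that the 1.76.0 changelog entry lists for the wrapper; the compose-with-hooks note (`UserPromptSubmit`/`SessionStart`/`PreCompact` fire normally per turn) is missing, and the only hook mention is "(it's a Stop hook)". Either add that sentence or correct the changelog entry, and confirm that `test_sdlc_skill_has_goal_wrapper` is not passing on the word "hook" alone. The example `npm test=0` is also ambiguous notation. Spell it out as `npm test` exiting 0 with the output shown in the transcript, which matches the transcript-only rule stated two sentences later.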
package/skills/update/SKILL.md
CHANGED
|
@@ -93,13 +93,16 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
|
|
|
93
93
|
|
|
94
94
|
```
|
|
95
95
|
Installed: 1.42.0
|
|
96
|
-
Latest: 1.
|
|
96
|
+
Latest: 1.76.0
|
|
97
97
|
|
|
98
98
|
What changed:
|
|
99
|
-
- [1.
|
|
100
|
-
- [1.
|
|
99
|
+
- [1.76.0] /goal /sdlc wrapper (#347) + CC v2.1.150 feature adoption + ROADMAP demand-signal gate (4 excise, 4 kill).
|
|
100
|
+
- [1.75.1] release-workflow fix — Node 22 → 24 (ships npm 11.x), dropped flaky `npm install -g` self-upgrade (hit MODULE_NOT_FOUND on v1.75.0 publish). Explicit npm-version guard.
|
|
101
|
+
- [1.75.0] npm Trusted Publishing — `release.yml` swapped from `NPM_TOKEN` to OIDC. No more token rotation. Requires one-time publisher config on the npm package page.
|
|
102
|
+
- [1.74.0] v1.43 salvage: #338 precedence preamble; #235ab `/insights`; codex `< /dev/null` stdin-hang fix; test env-isolation.
|
|
103
|
+
- [1.73.0] precompact stale REBASE_HEAD fix — no longer HOLDs `/compact` without active `rebase-{merge,apply}/` dirs. 15 stale tracked artifacts deleted (-460 LOC).
|
|
101
104
|
- [1.72.0] #323 closed — customization-aware `check` recommendation + new `--preserve-customized` flag. `init --force --preserve-customized` skips CUSTOMIZED files (action `PRESERVE`), still OVERWRITEs MATCH and CREATEs MISSING. Default `init --force` unchanged. 10 tests.
|
|
102
|
-
- [1.71.0–1.69.0] token-bloat sweep #236 —
|
|
105
|
+
- [1.71.0–1.69.0] token-bloat sweep #236 — BASELINE + TDD CHECK fire once per `session_id` (-12K, -0.5-1.5K); sdlc-skill Cross-Model Review trimmed.
|
|
103
106
|
- [1.68.0–1.65.0] roadmap hygiene — five paperwork closes: #97 Anthropic Policy NO-GO + AAR-paper validating parallel; #99 AutoGPT NO-GO; #95 Nous NO-GO; #243 token-history liveness verified; #210 Node-24 false-green; #235 Thoughtworks AI Evals NO-GO. **6/6 external-product audits NO-GO** (continues #76, #77). Research write-ups in `.reviews/research-*.md`.
|
|
104
107
|
- [1.64.0] XDLC ecosystem cross-references — README, wizard doc, and ROADMAP now cross-reference all three sibling packages (`agentic-sdlc-wizard`, `codex-sdlc-wizard`, `claude-gdlc-wizard`). New "Ecosystem (Sibling Projects)" section in README. 3 new doc-consistency tests prevent drift.
|
|
105
108
|
- [1.63.0] cache-cost observability closeout (#204 absorbed by #220) — token-spike test gains explicit cache-miss + negative-control coverage. "Cache-Cost Surprises" docs added (10-20× silent blowups from mid-session CLAUDE.md edits, idle pruning).
|
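Review bot: The added `[1.75.0]` summary line tells the reader "Requires one-time publisher config on the npm package page", but this list is the sample output shown to users updating an installed wizard, and that setup is a maintainer action per the changelog ("Maintainer must configure the publisher"). Drop the sentence from the user-facing summary or mark it as maintainer-only so consumers do not go looking for a setting they cannot change. The list also grows by three lines in this hunk while the surrounding text says the skill parses CHANGELOG entries itself, so consider keeping the sample short rather than mirroring every release.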