agentic-sdlc-wizard 1.76.0 → 1.77.0

@@ -13,7 +13,7 @@
13
13
  "name": "sdlc-wizard",
14
14
  "source": ".",
15
15
  "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
16
- "version": "1.76.0",
16
+ "version": "1.77.0",
17
17
  "author": {
18
18
  "name": "Stefan Ayala"
19
19
  },
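Review bot: The `"version"` literal changed here is hand-edited in several places across this diff (this manifest, the second `sdlc-wizard` manifest, `package/package.json`, the `<!-- SDLC Wizard Version: ... -->` template line and the `Latest:` example), and nothing visible ties them together. The changelog describes a sync test for the Claude Code baseline anchor; add the equivalent assertion that every copy of the wizard version equals the one in `package/package.json`, so a partial bump fails in CI instead of shipping.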
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sdlc-wizard",
3
- "version": "1.76.0",
3
+ "version": "1.77.0",
4
4
  "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
5
5
  "author": {
6
6
  "name": "Stefan Ayala",
package/CHANGELOG.md CHANGED
@@ -4,6 +4,21 @@ All notable changes to the SDLC Wizard.
4
4
 
5
5
  > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
6
6
 
7
+ ## [1.77.0] - 2026-05-24
8
+
9
+ ### Added
10
+
11
+ - **`release-dry-run.yml` CI workflow** (A1, v1.75.1 post-mortem). Runs `npm publish --dry-run --tag dry-run --json` on every PR touching `release.yml`, `package.json`, or the shipped package surface (`cli/`, `hooks/`, `skills/`, `.claude-plugin/`, `CLAUDE_CODE_SDLC_WIZARD.md`, `CHANGELOG.md`). Catches MODULE_NOT_FOUND-class regressions, dropped shipped paths, Node/npm version drift — visible at PR-time instead of producing a half-published tag. Uses `permissions: contents: read` only (no `id-token: write` — npm CLI runs OIDC setup before the dry-run branch, so requesting that permission would attempt token mint on every PR). Rewrites `package.json` to `0.0.0-dry-run-<SHA>` in a temp checkout to avoid the "cannot publish over previously published versions" error. Path filter is `package.json.files`-aware and tested for drift. 25 quality tests in `tests/test-release-dry-run-workflow.sh`.
12
+ - **`cc-version-drift.yml` cadence workflow** (closes #350). The fix for the gap that let native `/goal` (CC v2.1.139) slip past for 32 versions / 5 weeks. Pure GH-API detector — no LLM, no API spend. Mon 09:30 UTC cron (staggered from `weekly-update.yml` 09:00 and `weekly-api-update.yml` 10:00) + `workflow_dispatch`. Parses new `<!-- Claude Code Baseline: vX.Y.Z -->` anchor in `SDLC.md` (single-purpose; NOT `<!-- SDLC Wizard Version -->` which is the wizard's own pkg version), compares to `npm view @anthropic-ai/claude-code version`, opens a tracking issue when patch gap > 5 (major/minor jumps alert regardless of threshold). Idempotent via label `cc-version-drift` + machine-readable marker in issue body. Edits existing open issue instead of comment-spamming. Re-opens a closed issue only if delta WIDENED (respects "won't fix for now"). 22 workflow tests + 18 unit tests on the extracted `scripts/cc-drift-check.sh` (bash 3 compatible, strict SemVer validation, refuses prereleases and regressions).
13
+ - **`/goal` SDLC-discipline gates in `/sdlc` skill** (PR-D). Two new load-bearing rules now that native `/goal` is universal across CC (v2.1.139+) and Codex CLI: **(1) Confidence gate — NEVER invoke `/goal` below HIGH 95%** (mirrors existing Confidence Check; below 95% the Haiku evaluator rubber-stamps "did the agent flail" as progress). **(2) DLC binding — the condition MUST name the active DLC** (`/sdlc`, `/gdlc`, `/ldlc`, etc.) so the evaluator anchors on "doing it right," not just "doing it." Example: `/goal "tests pass + clean tree following /sdlc, stop after 20 turns"`. `test_sdlc_skill_has_goal_wrapper` extended to grep both new keywords (9 quality elements total).
14
+ - **`<!-- Claude Code Baseline: v2.1.150 -->` anchor in `SDLC.md`** — single-purpose machine-parseable source of truth for `cc-version-drift.yml`. Maintainer updates this anchor + the human-readable `Claude Code Recommended` row when bumping CC support. Test asserts both stay in sync.
15
+
16
+ ### Notes
17
+
18
+ - **Trusted Publishing flow held.** Third release shipped via OIDC since the v1.75.0 migration; no token to rotate, expire, or 2FA-gate.
19
+ - **Cross-model design reviews** at `.reviews/176-followup-prio-codex.md` (Codex gpt-5.5 xhigh). Caught: (a) naive `npm publish --dry-run` against already-published version fails today; (b) `id-token: write` on the dry-run workflow would attempt OIDC mint on every PR; (c) `weekly-update.yml` is the wrong host for #350 (cron is disabled + tests assert no `issues: write`); (d) "minor versions" is wrong terminology — `2.1.150 → 2.1.180` is a SemVer patch delta.
20
+ - **Self-test landed in PR-B:** the new `release-dry-run.yml` workflow ran ON the PR that introduced it (paths filter included `release-dry-run.yml` itself) and SUCCEEDED — first proof that the dry-run mechanism works end-to-end against the temp-version-rewrite + `--tag dry-run` flow.
21
+
7
22
  ## [1.76.0] - 2026-05-24
8
23
 
9
24
  ### Added
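Review bot: The `release-dry-run.yml` entry documents the permission scope (`contents: read`, no `id-token: write`) but not the trigger event, and the trigger is what decides whether running `npm publish --dry-run` against a PR-supplied `package.json` is safe. State the event in the entry (`pull_request` rather than `pull_request_target`, if that is what the workflow uses), because a publish dry run still packs the PR's tree together with any lifecycle scripts it defines. The `cc-version-drift.yml` entry has the same gap in the other direction: it opens, edits and re-opens issues, so the write scope it requests deserves the same explicit mention the read-only scope gets above.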
@@ -2981,7 +2981,7 @@ If deployment fails or post-deploy verification catches issues:
2981
2981
 
2982
2982
  **SDLC.md:**
2983
2983
  ```markdown
2984
- <!-- SDLC Wizard Version: 1.76.0 -->
2984
+ <!-- SDLC Wizard Version: 1.77.0 -->
2985
2985
  <!-- Setup Date: [DATE] -->
2986
2986
  <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
2987
2987
  <!-- Git Workflow: [PRs or Solo] -->
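Review bot: The header block visible in this template has no `<!-- Claude Code Baseline: ... -->` line, although this release's changelog introduces that anchor in `SDLC.md` and stresses that it must not be confused with `<!-- SDLC Wizard Version -->`. Confirm whether generated files are meant to carry the baseline anchor; if it belongs only to the wizard's own `SDLC.md`, say so next to this template, since the two comments look alike and the drift check parses one of them.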
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentic-sdlc-wizard",
3
- "version": "1.76.0",
3
+ "version": "1.77.0",
4
4
  "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
5
5
  "bin": {
6
6
  "sdlc-wizard": "cli/bin/sdlc-wizard.js"
@@ -110,7 +110,7 @@ Use plan mode for: multi-file changes, new features, LOW confidence, bugs needin
110
110
 
111
111
  ## Long-Running Goals (`/goal`)
112
112
 
113
- Native `/goal <condition>` (**requires v2.1.143+**). Haiku evaluator re-checks transcript per turn. **Pre-flight:** trusted workspace; `disableAllHooks`/`allowManagedHooksOnly` both off (it's a Stop hook). **Condition = SDLC contract:** measurable end state + check + constraints + hard turn/time bound (no native cap); e.g. `/goal "npm test=0, stop after 20 turns"`. **Anti-pattern:** evaluator **cannot call tools**judges transcript only; don't use for off-transcript work. `--resume` resets counters.
113
+ Native `/goal <condition>` (**v2.1.143+**). Haiku evaluator re-checks transcript per turn. **Confidence gate — NEVER invoke below HIGH 95%**; below that the evaluator rubber-stamps flailing as progress. **DLC binding — condition MUST name the DLC** (`/sdlc`, `/gdlc`, `/ldlc`, etc.) so the evaluator anchors on "doing it right." **Pre-flight:** trusted workspace; `disableAllHooks`/`allowManagedHooksOnly` both off. **Condition = contract:** end state + check + constraints + hard turn/time bound (no native cap); e.g. `/goal "tests pass + clean tree following /sdlc, stop after 20 turns"`. **Anti-pattern:** evaluator can't call tools — transcript-only. `--resume` resets counters.
114
114
 
115
115
  ## Recommended Model
116
116
 
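Review bot: The minimum version on the added line (`v2.1.143+`) disagrees with the changelog entry in this same release, which describes native `/goal` as universal from `v2.1.139+`; pick one and use it in both places, since the drift detector and the skill text are both presented as sources of truth. The rewrite also drops "(it's a Stop hook)" from the pre-flight clause, which was the only stated reason `disableAllHooks`/`allowManagedHooksOnly` must be off, and drops "don't use for off-transcript work" from the anti-pattern; keep at least the Stop-hook reason, because a reader hardening hook settings needs to know which control they are relaxing and why. The confidence gate and DLC binding are prose rules only in the visible text, so note that nothing in the evaluator enforces them.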
@@ -141,7 +141,7 @@ PROTOCOL is universal across domains; only `review_instructions` and `verificati
141
141
 
142
142
  **Convergence:** 2 rounds sweet spot, 3 max (research: 14 repos + 7 papers). After 3 still NOT CERTIFIED → escalate.
143
143
 
144
- **Multi-reviewer / non-code domains:** when running multiple reviewers in parallel (e.g. Claude review + Codex + human), respond per-reviewer (different blind spots, no shared anchoring). For non-code domains (research, persuasion, medical), keep the same handoff format and add `"audience"` + `"stakes"` keys.
144
+ **Multi-reviewer:** parallel reviewers respond per-reviewer (different blind spots, no shared anchoring). **Non-code domains:** same handoff + add `"audience"`/`"stakes"` keys.
145
145
 
146
146
  ### Release Review Focus
147
147
 
@@ -93,14 +93,15 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
93
93
 
94
94
  ```
95
95
  Installed: 1.42.0
96
- Latest: 1.76.0
96
+ Latest: 1.77.0
97
97
 
98
98
  What changed:
99
+ - [1.77.0] release-dry-run.yml + cc-version-drift.yml (#350) + /goal SDLC gates (95% + DLC binding).
99
100
  - [1.76.0] /goal /sdlc wrapper (#347) + CC v2.1.150 feature adoption + ROADMAP demand-signal gate (4 excise, 4 kill).
100
101
  - [1.75.1] release-workflow fix — Node 22 → 24 (ships npm 11.x), dropped flaky `npm install -g` self-upgrade (hit MODULE_NOT_FOUND on v1.75.0 publish). Explicit npm-version guard.
101
102
  - [1.75.0] npm Trusted Publishing — `release.yml` swapped from `NPM_TOKEN` to OIDC. No more token rotation. Requires one-time publisher config on the npm package page.
102
103
  - [1.74.0] v1.43 salvage: #338 precedence preamble; #235ab `/insights`; codex `< /dev/null` stdin-hang fix; test env-isolation.
103
- - [1.73.0] precompact stale REBASE_HEAD fix no longer HOLDs `/compact` without active `rebase-{merge,apply}/` dirs. 15 stale tracked artifacts deleted (-460 LOC).
104
+ - [1.73.0] precompact stale REBASE_HEAD fix + 15 stale artifact deletes (-460 LOC).
104
105
  - [1.72.0] #323 closed — customization-aware `check` recommendation + new `--preserve-customized` flag. `init --force --preserve-customized` skips CUSTOMIZED files (action `PRESERVE`), still OVERWRITEs MATCH and CREATEs MISSING. Default `init --force` unchanged. 10 tests.
105
106
  - [1.71.0–1.69.0] token-bloat sweep #236 — BASELINE + TDD CHECK fire once per `session_id` (-12K, -0.5-1.5K); sdlc-skill Cross-Model Review trimmed.
106
107
  - [1.68.0–1.65.0] roadmap hygiene — five paperwork closes: #97 Anthropic Policy NO-GO + AAR-paper validating parallel; #99 AutoGPT NO-GO; #95 Nous NO-GO; #243 token-history liveness verified; #210 Node-24 false-green; #235 Thoughtworks AI Evals NO-GO. **6/6 external-product audits NO-GO** (continues #76, #77). Research write-ups in `.reviews/research-*.md`.