aidevops 3.5.896 → 3.8.2

package/README.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # AI DevOps Framework
 
 **[aidevops.sh](https://aidevops.sh)** — An [OpenCode](https://opencode.ai/) plugin and AI operations platform for launching and managing development, business, marketing, and creative projects. 13 specialist AI agents handle the automatable work across every domain so your time is preserved for real-world discovery and decisions that AI cannot yet reach.
@@ -188,7 +191,8 @@ git clone https://github.com/marcusquinn/aidevops.git ~/Git/aidevops
 - Configure your AI assistants automatically
 - Offer to install Oh My Zsh (optional, opt-in) for enhanced shell experience
 - Guide you through recommended tools (Tabby, Zed, Git CLIs)
-- Ensure all PATH and alias changes work in both bash and zsh
+- Ensure all PATH and alias changes work in both bash, zsh, and fish
+- Add a `claude` alias that runs `claude --dangerously-skip-permissions` (skips per-tool permission prompts). Re-running setup updates the alias automatically. To grant permissions per-session instead, press **Shift-Tab** inside Claude Code to cycle through permission modes (default → skip permissions → auto-approve).
 
 **New users: Start [OpenCode](https://opencode.ai/) and type `/onboarding`** to configure your services interactively. OpenCode is the recommended tool for aidevops - all features, agents, and workflows are designed and tested for it first. The onboarding wizard will:
 - Explain what **[aidevops](https://aidevops.sh)** can do
@@ -1792,25 +1796,67 @@ Call them in your AI assistant conversation with a simple @mention
 
 ### **Main Agents**
 
-Primary agents as registered in `subagent-index.toon` (13 total). MCPs are loaded on-demand per subagent, not per primary agent:
+Primary agents live at `.agents/<name>.md`. Each is a domain expert with its own system prompt, tool permissions, and subagent roster. MCPs are loaded on-demand per subagent, not per primary agent.
 
 | Name | File | Purpose | Model Tier |
 |------|------|---------|------------|
-| Build+ | `build-plus.md` | Enhanced Build with context tools (default agent) | opus |
+| Build+ | `build-plus.md` | Code: features, bug fixes, refactors, CI, full-loop delivery (default) | opus |
 | Automate | `automate.md` | Scheduling, dispatch, monitoring, background orchestration | sonnet |
-| Accounts | `accounts.md` | Financial operations | opus |
-| Business | `business.md` | Company orchestration via AI runners | sonnet |
-| Content | `content.md` | Content creation workflows | opus |
-| Health | `health.md` | Health and wellness | opus |
-| Legal | `legal.md` | Legal compliance | opus |
-| Marketing | `marketing.md` | Marketing strategy, email campaigns, paid ads, CRO | opus |
-| Research | `research.md` | Research and analysis tasks | gemini/grok |
-| Sales | `sales.md` | Sales operations and CRM pipeline | opus |
-| SEO | `seo.md` | SEO optimization and analysis | opus |
-| Social-Media | `social-media.md` | Social media management | opus |
-| Video | `video.md` | AI video generation and prompt engineering | opus |
-
-**Specialist subagents** (@plan-plus, @aidevops, @wordpress, Build-Agent, Build-MCP, etc.) live under `tools/` or as `mode: subagent` files and are invoked via @mention when domain expertise is needed. See `subagent-index.toon` for the full listing.
+| Aidevops | `aidevops.md` | Framework development — meta-agent for improving aidevops itself | opus |
+| Business | `business.md` | Company orchestration, financial ops, invoicing, strategy | sonnet |
+| Content | `content.md` | Content creation across blog, video, audio, image, social | opus |
+| Health | `health.md` | Health and wellness content, fitness, nutrition | opus |
+| Legal | `legal.md` | Legal compliance, terms, privacy, GDPR | opus |
+| Marketing-Sales | `marketing-sales.md` | Email campaigns, CRM, outreach, paid ads, direct response, CRO | opus |
+| Product | `product.md` | Product management, PRDs, roadmaps, requirements capture | opus |
+| Research | `research.md` | Technical and market research, competitive analysis | gemini/grok |
+| SEO | `seo.md` | SEO audits, keyword research, GSC, schema, technical SEO | opus |
+
+**Specialist subagents** (e.g. `@wordpress`, `@seo`, Build-Agent, Build-MCP, etc.) live under `.agents/tools/` or as `mode: subagent` files and are invoked via `@mention` when domain expertise is needed. See `subagent-index.toon` for the full roster.
+
+#### How to invoke a main agent
+
+| Client | Invocation |
+|---|---|
+| **OpenCode** | Tab through the agent picker in the UI — Build+ is the default. Main agents are registered as top-level agents in OpenCode's config. |
+| **Claude Code / Codex / Cursor / Droid / Kiro / Continue / Kimi / Qwen / Amp / Windsurf / Gemini CLI** | Slash command, namespaced with the `aidevops-` prefix: `/aidevops-build-plus`, `/aidevops-automate`, `/aidevops-seo`, etc. |
+| **Aider** | No native slash command support — use a shell alias: `alias aider-build='aider --message-file ~/.aidevops/agents/build-plus.md'`. |
+
+The `aidevops-` prefix differentiates framework commands from each client's native slash commands and groups them alphabetically in the command picker. It applies to **every** aidevops slash command — not just main agents — so `/aidevops-preflight`, `/aidevops-release`, `/aidevops-commit` etc. all sort together in your `/` menu.
+
+#### Supported AI clients (14)
+
+The framework installs itself across these clients. Slash commands, agent definitions, and (optionally) session-memory mining are wired up per-client by `setup.sh`, gated on per-client feature flags in `.agents/scripts/runtime-registry.sh`.
+
+| Client | Slash commands | Agent dir | Memory mining | Notes |
+|---|---|---|---|---|
+| OpenCode | ✅ `~/.config/opencode/command/` | config-based | ✅ default | Native tab-through primary agents |
+| Claude Code | ✅ `~/.claude/commands/` | ✅ `~/.claude/agents/` | ✅ default | Full feature parity |
+| Codex CLI | ✅ `~/.codex/prompts/` | — | ✅ default | Invoked as `/prompts:aidevops-<name>` |
+| Cursor | ✅ `~/.cursor/commands/` (≥1.6) | ✅ `~/.cursor/agents/` | ✅ default | Frontmatter stripped (not supported) |
+| Droid (Factory) | ✅ `~/.factory/commands/` | — | opt-in | — |
+| Gemini CLI | ✅ `~/.gemini/commands/` | — | opt-in | Converted to TOML (`prompt = """..."""`) |
+| Kimi CLI | ✅ `~/.kimi/skills/<name>/SKILL.md` | ✅ `~/.kimi/agents/` | opt-in | Directory-per-skill + auto `name:` matching |
+| Qwen Code | ✅ `~/.qwen/commands/` | ✅ `~/.qwen/agents/` | opt-in | Sub-agents + skills |
+| Continue | ✅ `~/.continue/prompts/` | — | opt-in | `.prompt` ext + `invokable: true` |
+| Kiro | ✅ `~/.kiro/steering/` | — | opt-in | `inclusion: manual` for slash access |
+| Kilo Code | custom modes | — | opt-in | Uses modes instead of commands |
+| Windsurf | repo-local `.windsurf/workflows/` | — | ❌ (protobuf) | Symlinked by `aidevops init` |
+| Amp (Sourcegraph) | repo-local `.agents/commands/` | ✅ `~/.amp/agents/` | ❌ (cloud) | Path match is native |
+| Aider | shell alias workaround | — | ❌ (per-repo md) | Native custom commands open upstream |
+
+**Feature flags** per client (`agents` / `commands` / `memory`) live in `runtime-registry.sh` and can be overridden at install time via environment variables:
+
+```bash
+AIDEVOPS_FEATURE_MEMORY_CLAUDE_CODE=no setup.sh
+AIDEVOPS_FEATURE_COMMANDS_CURSOR=no setup.sh
+```
+
+Memory mining defaults are deliberately conservative: only OpenCode, Claude Code, Codex, and Cursor are opted in by default. All other clients default to off — enable them case-by-case after reviewing what the mining job will read.
+
+#### Endgame: progressive disclosure
+
+The long-term direction is to make slash commands and `@mentions` unnecessary altogether. A progressive disclosure layer should load the right domain agents and tools into context based on the nature of the conversation — you should never have to remember agent names or prefix commands. The `aidevops-` slash commands documented above are a stepping stone: they standardise routing across every client we support, and will eventually be auto-invoked by the router rather than typed by hand.
 
 ### **Example Subagents with MCP Integration**
 
@@ -2284,6 +2330,40 @@ memory-helper.sh recall "refactor auth middleware" --semantic
 
 **Storage:** `~/.aidevops/.agent-workspace/memory/memory.db` (+ optional `embeddings.db` for semantic search, `namespaces/` for per-runner isolation)
 
+#### Session mining (cross-client)
+
+Beyond explicit `/remember` calls, aidevops can harvest structured session data from each supported AI client's on-disk conversation history. This turns every prior session — regardless of which tool you were using — into searchable context for future sessions.
+
+Per-client storage paths and formats (see `runtime-registry.sh`):
+
+| Client | Storage path | Format | Default |
+|---|---|---|---|
+| OpenCode | `~/.local/share/opencode/opencode.db` | SQLite | ✅ on |
+| Claude Code | `~/.claude/projects/` | JSONL per project | ✅ on |
+| Codex CLI | `~/.codex/sessions/` | JSONL, date-partitioned | ✅ on |
+| Cursor | `~/Library/Application Support/Cursor/User/workspaceStorage/` | SQLite (`state.vscdb`) | ✅ on |
+| Droid | `~/.factory/sessions/` | JSONL per session | opt-in |
+| Gemini CLI | `~/.gemini/tmp/` | JSON per session | opt-in |
+| Continue | `~/.continue/sessions/` | JSON per session | opt-in |
+| Kilo Code | `~/Library/.../kilocode.kilo-code/tasks/` | JSON (Anthropic schema) | opt-in |
+| Kiro | `~/Library/Application Support/Kiro/User/workspaceStorage/` | SQLite | opt-in |
+| Kimi CLI | `~/.kimi/sessions/<id>/context.jsonl` | JSONL | opt-in |
+| Qwen Code | `~/.qwen/tmp/` | JSON per session | opt-in |
+| Windsurf | `~/.codeium/windsurf/cascade/` | protobuf (opaque) | ❌ unsupported |
+| Amp | server-side (cloud) | needs API auth | ❌ unsupported |
+| Aider | `<repo>/.aider.chat.history.md` | markdown transcript | ❌ unsupported |
+
+**Defaults are deliberately conservative.** Only the four tier-1 clients — OpenCode, Claude Code, Codex, and Cursor — have memory mining enabled by default. They have the most mature, stable, documented formats and are the ones most likely to contain the full interactive history you'd want to search.
+
+For every other client, memory mining is **opt-in per runtime**. Enable it with:
+
+```bash
+AIDEVOPS_FEATURE_MEMORY_GEMINI_CLI=yes setup.sh
+AIDEVOPS_FEATURE_MEMORY_CONTINUE=yes setup.sh
+```
+
+**Privacy note.** Session files contain everything you typed — including secrets, credentials, and file contents pasted into prompts. The mining pipeline runs secretlint-style scrubbing at ingestion and defaults to local-only storage. Never sync the memory DB to a shared or cloud location without reviewing what's in it.
+
 See `.agents/memory/README.md` for complete documentation.
 
 ### **Installation**

package/VERSION

@@ -1 +1 @@
-3.5.896
+3.8.2

package/aidevops.sh

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2025-2026 Marcus Quinn
 
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.5.896
+# Version: 3.8.2
 
 set -euo pipefail
 
@@ -502,17 +504,26 @@ check_protected_branch() {
 	repo_name=$(basename "$project_root")
 	local suggested_branch="$branch_type/$branch_suffix"
 
-	echo ""
-	print_warning "On protected branch '$current_branch'"
-	echo ""
-	echo "Options:"
-	echo "  1. Create worktree: $suggested_branch (recommended)"
-	echo "  2. Continue on $current_branch (commits directly to main)"
-	echo "  3. Cancel"
-	echo ""
 	local choice
-	read -r -p "Choice [1]: " choice
-	choice="${choice:-1}"
+	# In non-interactive (non-TTY) contexts, auto-select option 1 (create worktree)
+	# without prompting. This prevents read from blocking or getting EOF in CI/AI
+	# assistant environments, which could cause silent script termination with set -e.
+	if [[ -t 0 ]]; then
+		echo ""
+		print_warning "On protected branch '$current_branch'"
+		echo ""
+		echo "Options:"
+		echo "  1. Create worktree: $suggested_branch (recommended)"
+		echo "  2. Continue on $current_branch (commits directly to main)"
+		echo "  3. Cancel"
+		echo ""
+		read -r -p "Choice [1]: " choice
+		choice="${choice:-1}"
+	else
+		# Non-interactive: auto-create worktree (safest default)
+		choice="1"
+		print_info "Non-interactive mode: auto-selecting worktree creation for '$suggested_branch'"
+	fi
 
 	case "$choice" in
 	1)
@@ -522,35 +533,34 @@ check_protected_branch() {
 
 		print_info "Creating worktree at $worktree_dir..."
 
+		local worktree_created=false
 		if [[ -f "$AGENTS_DIR/scripts/worktree-helper.sh" ]]; then
-			if bash "$AGENTS_DIR/scripts/worktree-helper.sh" add "$suggested_branch" 2>/dev/null; then
-				export WORKTREE_PATH="$worktree_dir"
-				echo ""
-				print_success "Worktree created!"
-				print_info "Switching to: $worktree_dir"
-				echo ""
-				# Change to worktree directory
-				cd "$worktree_dir" || return 1
-				return 0
+			if bash "$AGENTS_DIR/scripts/worktree-helper.sh" add "$suggested_branch"; then
+				worktree_created=true
 			else
-				print_error "Failed to create worktree"
+				print_error "Failed to create worktree via worktree-helper.sh"
 				return 1
 			fi
 		else
 			# Fallback without helper script
-			if git worktree add -b "$suggested_branch" "$worktree_dir" 2>/dev/null; then
-				export WORKTREE_PATH="$worktree_dir"
-				echo ""
-				print_success "Worktree created!"
-				print_info "Switching to: $worktree_dir"
-				echo ""
-				cd "$worktree_dir" || return 1
-				return 0
+			if git worktree add -b "$suggested_branch" "$worktree_dir"; then
+				worktree_created=true
 			else
 				print_error "Failed to create worktree"
 				return 1
 			fi
 		fi
+
+		if [[ "$worktree_created" == "true" ]]; then
+			export WORKTREE_PATH="$worktree_dir"
+			echo ""
+			print_success "Worktree created at: $worktree_dir"
+			print_info "Switching to: $worktree_dir"
+			echo ""
+			# Change to worktree directory for the remainder of this process
+			cd "$worktree_dir" || return 1
+			return 0
+		fi
 		;;
 	2)
 		print_warning "Continuing on $current_branch - changes will commit directly"
@@ -655,6 +665,22 @@ cmd_status() {
 	print_header "SSH Configuration"
 	check_file "$HOME/.ssh/id_ed25519" && print_success "Ed25519 SSH key" || print_warning "Ed25519 SSH key - not found"
 	echo ""
+	print_header "Commit Signing"
+	local signing_format signing_key signing_enabled
+	signing_format=$(git config --global gpg.format 2>/dev/null || echo "")
+	signing_key=$(git config --global user.signingkey 2>/dev/null || echo "")
+	signing_enabled=$(git config --global commit.gpgsign 2>/dev/null || echo "")
+	if [[ "$signing_format" == "ssh" && -n "$signing_key" && "$signing_enabled" == "true" ]]; then
+		print_success "SSH commit signing enabled"
+		if check_file "$HOME/.ssh/allowed_signers"; then
+			print_success "Allowed signers file configured"
+		else
+			print_warning "No allowed_signers file — run: aidevops signing setup"
+		fi
+	else
+		print_warning "Commit signing not configured — run: aidevops signing setup"
+	fi
+	echo ""
 }
 
 # Update helpers (extracted for complexity reduction)
@@ -838,6 +864,43 @@ _update_check_homebrew() {
 	return 0
 }
 
+# Verify supply chain signature after pulling framework updates.
+# Checks that the HEAD commit is signed by the trusted maintainer key.
+# Non-blocking: warns on failure, does not abort the update.
+_update_verify_signature() {
+	local signing_helper="$AGENTS_DIR/scripts/signing-setup.sh"
+
+	# Cannot verify if the helper script is not yet deployed
+	if [[ ! -f "$signing_helper" ]]; then
+		return 0
+	fi
+
+	local result
+	result=$(bash "$signing_helper" verify-update "$INSTALL_DIR" 2>/dev/null || echo "UNKNOWN")
+
+	case "$result" in
+	VERIFIED)
+		print_success "Supply chain verified: HEAD commit is signed by trusted maintainer"
+		;;
+	UNSIGNED)
+		print_warning "HEAD commit is not signed — cannot verify supply chain integrity"
+		print_info "This is expected for older releases. Signed commits start from v3.6.21+"
+		;;
+	UNTRUSTED)
+		print_warning "HEAD commit is signed but by an untrusted key"
+		print_info "Run 'aidevops signing setup' to configure signature verification"
+		;;
+	BAD_SIGNATURE)
+		print_error "HEAD commit has a BAD signature — update may be compromised"
+		print_info "Verify manually: cd $INSTALL_DIR && git log --show-signature -1"
+		;;
+	UNVERIFIABLE)
+		# Signing not configured yet — silent, do not nag
+		;;
+	esac
+	return 0
+}
+
 # Update/upgrade command
 cmd_update() {
 	local skip_project_sync=false
@@ -907,6 +970,9 @@ cmd_update() {
 				fi
 			fi
 			echo ""
+			# Verify supply chain integrity before applying changes
+			_update_verify_signature
+			echo ""
 			print_info "Running setup to apply changes..."
 			local setup_exit=0
 			bash "$INSTALL_DIR/setup.sh" --non-interactive || setup_exit=$?
@@ -1427,6 +1493,61 @@ EOF
 	return 0
 }
 
+# Scaffold .agents/commands/ and .windsurf/workflows/ symlinks so that clients
+# which read repo-local command directories (Amp reads .agents/commands/ natively;
+# Windsurf reads .windsurf/workflows/) see the aidevops main-agent slash commands.
+#
+# Behavior is idempotent:
+#   - If .agents/commands/ already contains the expected aidevops-*.md symlinks
+#     (this repo IS the aidevops source), do nothing.
+#   - Otherwise link .agents/commands/ → ~/.aidevops/agents/commands/
+#   - Always link .windsurf/workflows/ → ../.agents/commands/ (relative)
+_init_scaffold_commands_symlinks() {
+	local project_root="$1"
+	local source_dir="$HOME/.aidevops/agents/commands"
+	local commands_dir="$project_root/.agents/commands"
+	local windsurf_dir="$project_root/.windsurf"
+	local workflows_link="$windsurf_dir/workflows"
+
+	# If .agents/commands/ already contains main-agent symlinks, this repo
+	# manages them directly (e.g. the aidevops source repo itself) — leave
+	# it alone so we never overwrite authoritative content.
+	if [[ -e "$commands_dir/aidevops-build-plus.md" ]]; then
+		print_info ".agents/commands/ already contains main-agent symlinks — preserving"
+	elif [[ ! -d "$source_dir" ]]; then
+		print_warning "Framework commands dir not found at $source_dir — run setup.sh first to deploy main-agent symlinks"
+	elif [[ -L "$commands_dir" ]]; then
+		# Existing symlink — point at the canonical source
+		local current_target
+		current_target=$(readlink "$commands_dir")
+		if [[ "$current_target" != "$source_dir" ]]; then
+			rm "$commands_dir"
+			ln -s "$source_dir" "$commands_dir"
+			print_success "Re-linked .agents/commands/ → $source_dir"
+		else
+			print_info ".agents/commands/ already linked correctly"
+		fi
+	elif [[ -d "$commands_dir" ]]; then
+		print_warning ".agents/commands/ exists as a real directory — not overwriting"
+	else
+		ln -s "$source_dir" "$commands_dir"
+		print_success "Linked .agents/commands/ → $source_dir (Amp reads this natively)"
+	fi
+
+	# .windsurf/workflows/ → ../.agents/commands/ (relative, so the link
+	# resolves inside the repo regardless of checkout path).
+	mkdir -p "$windsurf_dir"
+	if [[ -L "$workflows_link" ]]; then
+		print_info ".windsurf/workflows/ already linked"
+	elif [[ -d "$workflows_link" ]]; then
+		print_warning ".windsurf/workflows/ exists as a real directory — not overwriting"
+	else
+		(cd "$windsurf_dir" && ln -s "../.agents/commands" workflows)
+		print_success "Linked .windsurf/workflows/ → ../.agents/commands (Windsurf slash commands)"
+	fi
+	return 0
+}
+
 # Init command - initialize aidevops in a project
 cmd_init() {
 	local features="${1:-all}"
@@ -1570,6 +1691,10 @@ EOF
 		print_success "Created .agents/ directory"
 	fi
 
+	# Link .agents/commands/ and .windsurf/workflows/ so Amp (native) and Windsurf
+	# (symlinked) can see the aidevops main-agent slash commands.
+	_init_scaffold_commands_symlinks "$project_root"
+
 	# Scaffold or update .agents/AGENTS.md (idempotent — creates if missing,
 	# updates Security section if file already exists)
 	local _agents_md_existed=false
@@ -1966,6 +2091,18 @@ GITATTRSEOF
 		print_info "Collaborator pointer files already exist"
 	fi
 
+	# Seed DESIGN.md template (AI-readable design system skeleton)
+	if [[ ! -f "$project_root/DESIGN.md" ]]; then
+		local design_template="$AGENTS_DIR/templates/DESIGN.md.template"
+		if [[ -f "$design_template" ]]; then
+			# Replace {Project Name} with the repo name
+			sed "s/{Project Name}/$repo_name/g" "$design_template" >"$project_root/DESIGN.md"
+			print_success "Created DESIGN.md (design system skeleton — populate with tools/design/design-md.md)"
+		fi
+	else
+		print_info "DESIGN.md already exists, skipping"
+	fi
+
 	# Scaffold repo courtesy files (README, LICENCE, CHANGELOG, etc.)
 	scaffold_repo_courtesy_files "$project_root"
 
@@ -2009,8 +2146,21 @@ GITATTRSEOF
 	[[ "$enable_security" == "true" ]] && features_list="${features_list}security,"
 	features_list="${features_list%,}" # Remove trailing comma
 
-	# Register repo in repos.json
-	register_repo "$project_root" "$aidevops_version" "$features_list"
+	# Register the *main* repo path (not the worktree path) in repos.json.
+	# When check_protected_branch creates a worktree and cd's into it,
+	# $project_root (resolved via git rev-parse --show-toplevel) points to the
+	# worktree directory. We must register the canonical main worktree path so
+	# that pulse and cleanup processes don't treat the worktree as a standalone repo.
+	local register_path="$project_root"
+	if [[ -n "${WORKTREE_PATH:-}" ]]; then
+		# We're inside a worktree — resolve the main worktree path from git metadata
+		local main_wt_path
+		main_wt_path=$(git -C "$project_root" worktree list --porcelain 2>/dev/null | awk '/^worktree /{print $2; exit}')
+		if [[ -n "$main_wt_path" ]] && [[ "$main_wt_path" != "$project_root" ]]; then
+			register_path="$main_wt_path"
+		fi
+	fi
+	register_repo "$register_path" "$aidevops_version" "$features_list"
 
 	# Auto-commit initialized files so they don't linger as mystery unstaged
 	# changes (#2570 bug 2). Collect all files that cmd_init creates/modifies.
@@ -2019,6 +2169,7 @@ GITATTRSEOF
 	[[ -f "$project_root/.gitignore" ]] && init_files+=(".gitignore")
 	[[ -d "$project_root/.agents" ]] && init_files+=(".agents/")
 	[[ -f "$project_root/AGENTS.md" ]] && init_files+=("AGENTS.md")
+	[[ -f "$project_root/DESIGN.md" ]] && init_files+=("DESIGN.md")
 	[[ -f "$project_root/TODO.md" ]] && init_files+=("TODO.md")
 	[[ -d "$project_root/todo" ]] && init_files+=("todo/")
 	[[ -f "$project_root/MODELS.md" ]] && init_files+=("MODELS.md")
@@ -2064,6 +2215,22 @@ GITATTRSEOF
 	[[ "$enable_security" == "true" ]] && echo "  ✓ Security (per-repo posture assessment)"
 	[[ -f "$project_root/MODELS.md" ]] && echo "  ✓ MODELS.md (per-repo model performance leaderboard)"
 	echo ""
+	# When init ran inside a worktree (check_protected_branch created one),
+	# print explicit instructions so the user knows where to find their work.
+	# Without this, the user's shell is back in the main repo after aidevops exits
+	# and the worktree appears to have "disappeared".
+	if [[ -n "${WORKTREE_PATH:-}" ]]; then
+		local worktree_branch
+		worktree_branch=$(git branch --show-current 2>/dev/null || echo "chore/aidevops-init")
+		echo "Worktree location:"
+		echo "  $WORKTREE_PATH"
+		echo ""
+		echo "Your init commit is in the worktree above. To continue:"
+		echo "  cd $WORKTREE_PATH"
+		echo "  git push -u origin ${worktree_branch}"
+		echo "  gh pr create --fill"
+		echo ""
+	fi
 	echo "Next steps:"
 	local step=1
 	if [[ "$committed" != "true" ]]; then
@@ -2157,7 +2324,39 @@ _upgrade_todo() {
 	print_info "Upgrading TODO.md..."
 	local existing_tasks=""
 	if [[ -f "$todo_file" ]]; then
-		existing_tasks=$(grep -E "^[[:space:]]*- \[([ x-])\]" "$todo_file" 2>/dev/null || echo "")
+		# Extract everything under ## Backlog (tasks AND ### subsection headers)
+		# until the next ## header or EOF — preserves semantic grouping.
+		# GH#17804: Skip ## Format section and filter out template placeholder IDs
+		# (tXXX, tYYY, tZZZ) that are documentation examples, not real tasks.
+		existing_tasks=$(awk '
+			# Section-aware: track when inside ## Format to skip its content
+			/^## Format/ { in_format=1; next }
+			in_format && /^## / { in_format=0 }
+			in_format { next }
+			# Also skip content inside markdown code blocks (``` fenced blocks)
+			/^```/ { in_codeblock = !in_codeblock; next }
+			in_codeblock { next }
+			# Extract from ## Backlog to next ## header
+			/^## Backlog/ { found=1; next }
+			found && /^## / { exit }
+			found
+		' "$todo_file" 2>/dev/null || echo "")
+		# GH#17804: Filter out lines with non-numeric task IDs (template placeholders
+		# like tXXX, tYYY, tZZZ). Real task IDs match t<digits> or t<digits>.<digits>.
+		if [[ -n "$existing_tasks" ]]; then
+			existing_tasks=$(printf '%s\n' "$existing_tasks" | awk '
+				# Keep non-task lines (subsection headers, comments, blank lines)
+				!/^- \[[ x-]\] t/ { print; next }
+				# For task lines: extract the ID and validate it is numeric
+				{
+					id = $0
+					sub(/^- \[[ x-]\] /, "", id)
+					sub(/ .*/, "", id)
+					# Valid IDs: t followed by digits, optionally .digits (subtasks)
+					if (id ~ /^t[0-9]+(\.[0-9]+)*$/) print
+				}
+			')
+		fi
 		[[ "$backup" == "true" ]] && {
 			cp "$todo_file" "${todo_file}.bak"
 			print_success "Backup created: TODO.md.bak"
@@ -3279,6 +3478,7 @@ cmd_skills() {
 _help_commands() {
 	echo "Commands:"
 	echo "  init [features]    Initialize aidevops in current project"
+	echo "  init-routines      Scaffold private routines repo (--org <name> | --local)"
 	echo "  upgrade-planning   Upgrade TODO.md/PLANS.md to latest templates"
 	echo "  features           List available features for init"
 	echo "  skill <cmd>        Manage agent skills (add/list/check/update/remove)"
@@ -3293,8 +3493,10 @@ _help_commands() {
 	echo "  repo-sync <cmd>    Daily git pull for repos in parent dirs (enable/disable/status/dirs)"
 	echo "  update-tools       Check for outdated tools (--update to auto-update)"
 	echo "  repos [cmd]        Manage registered projects (list/add/remove/clean)"
-	echo "  model-accounts-pool OAuth account pool (list/check/add/rotate/reset-cooldowns)"
+	echo "  model-accounts-pool OAuth account pool (list/check/diagnose/add/rotate/reset-cooldowns)"
+	echo "  client-format      Client request format alignment (extract/check/canary/monitor)"
 	echo "  opencode-sandbox   Test OpenCode versions in isolation (install/run/check/clean)"
+	echo "  approve <cmd>      Cryptographic issue/PR approval (setup/issue/pr/verify/status)"
 	echo "  security [cmd]     Full security assessment (posture + hygiene + supply chain)"
 	echo "  ip-check <cmd>     IP reputation checks (check/batch/report/providers)"
 	echo "  secret <cmd>       Manage secrets (set/list/run/init/import/status)"
@@ -3331,6 +3533,7 @@ _help_detailed_sections() {
 	echo "  aidevops model-accounts-pool status            # Pool health at a glance"
 	echo "  aidevops model-accounts-pool list              # Per-account detail"
 	echo "  aidevops model-accounts-pool check             # Live token validity test"
+	echo "  aidevops model-accounts-pool diagnose          # Full pipeline diagnostics (pool, plugin, CCH, runtime)"
 	echo "  aidevops model-accounts-pool rotate [provider] # Switch to next available account NOW (use when rate-limited)"
 	echo "  aidevops model-accounts-pool reset-cooldowns   # Clear rate-limit cooldowns"
 	echo "  aidevops model-accounts-pool add anthropic     # Add Claude Pro/Max account"
@@ -3341,13 +3544,26 @@ _help_detailed_sections() {
 	echo "  aidevops model-accounts-pool assign-pending <provider># Assign stranded token"
 	echo "  aidevops model-accounts-pool remove <provider> <email># Remove an account"
 	echo ""
-	echo "  Auth recovery (run these in order if model is broken):"
+	echo "  Auth troubleshooting (run diagnose first, then recovery if needed):"
+	echo "    aidevops model-accounts-pool diagnose        # 0. Full pipeline check (start here)"
 	echo "    aidevops model-accounts-pool status          # 1. Check pool health"
 	echo "    aidevops model-accounts-pool check           # 2. Test token validity"
 	echo "    aidevops model-accounts-pool rotate anthropic# 3. Switch account if rate-limited"
 	echo "    aidevops model-accounts-pool reset-cooldowns # 4. Clear cooldowns if all stuck"
 	echo "    aidevops model-accounts-pool add anthropic   # 5. Re-add if pool empty"
 	echo ""
+	echo "Client Format:"
+	echo "  aidevops client-format               # Show status + cached constants"
+	echo "  aidevops client-format extract        # Re-extract constants from installed CLI"
+	echo "  aidevops client-format check          # Verify cache matches installed CLI version"
+	echo "  aidevops client-format canary         # Run drift check against real CLI (uses tokens)"
+	echo "  aidevops client-format monitor [cmd]  # Traffic capture + diff (requires mitmproxy)"
+	echo "  aidevops client-format install-canary # Install daily drift check (launchd)"
+	echo ""
+	echo "  If requests stop working after a CLI update:"
+	echo "    aidevops client-format extract      # 1. Re-extract constants"
+	echo "    aidevops client-format canary       # 2. Verify against real CLI"
+	echo ""
 	echo "Secrets:"
 	echo "  aidevops secret set NAME     # Store a secret (hidden input)"
 	echo "  aidevops secret list         # List secret names (never values)"
@@ -3585,10 +3801,53 @@ main() {
 	detect | scan) cmd_detect ;;
 	ip-check | ip_check) _dispatch_helper "ip-reputation-helper.sh" "ip-reputation-helper.sh" "$@" ;;
 	model-accounts-pool | map) _dispatch_helper "oauth-pool-helper.sh" "oauth-pool-helper.sh" "$@" ;;
+	client-format)
+		case "${1:-status}" in
+		extract | refresh)
+			_dispatch_helper "cch-extract.sh" "cch-extract.sh" --cache
+			;;
+		check | verify)
+			_dispatch_helper "cch-extract.sh" "cch-extract.sh" --verify
+			;;
+		canary | test)
+			shift || true
+			_dispatch_helper "cch-canary.sh" "cch-canary.sh" --verbose "$@"
+			;;
+		monitor)
+			shift || true
+			_dispatch_helper "cch-traffic-monitor.sh" "cch-traffic-monitor.sh" "$@"
+			;;
+		install-canary)
+			_dispatch_helper "cch-canary.sh" "cch-canary.sh" --install
+			;;
+		status | "")
+			echo ""
+			echo "Client request format alignment"
+			echo "==============================="
+			echo ""
+			_dispatch_helper "cch-extract.sh" "cch-extract.sh" --verify 2>&1 || true
+			echo ""
+			if [[ -f "$HOME/.aidevops/cch-constants.json" ]]; then
+				echo "Cached constants:"
+				cat "$HOME/.aidevops/cch-constants.json"
+			else
+				echo "No cached constants. Run: aidevops client-format extract"
+			fi
+			;;
+		*)
+			print_error "Unknown subcommand: $1"
+			echo "Usage: aidevops client-format [extract|check|canary|monitor|install-canary|status]"
+			exit 1
+			;;
+		esac
+		;;
 	opencode-sandbox | oc-sandbox) _dispatch_helper "opencode-sandbox-helper.sh" "opencode-sandbox-helper.sh" "$@" ;;
 	secret | secrets) _dispatch_helper "secret-helper.sh" "secret-helper.sh" "$@" ;;
+	approve) _dispatch_helper "approval-helper.sh" "approval-helper.sh" "$@" ;;
+	signing) _dispatch_helper "signing-setup.sh" "signing-setup.sh" "$@" ;;
 	stats | observability) _dispatch_helper "observability-helper.sh" "observability-helper.sh" "$@" ;;
 	tabby) _dispatch_helper "tabby-helper.sh" "tabby-helper.sh" "$@" ;;
+	init-routines) _dispatch_helper "init-routines-helper.sh" "init-routines-helper.sh" "$@" ;;
 	config | configure) _dispatch_config "$@" ;;
 	uninstall | remove) cmd_uninstall ;;
 	version | v | -v | --version) cmd_version ;;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.5.896",
+  "version": "3.8.2",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {