bmad-module-skill-forge 0.10.0 → 1.0.0-rc.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (269) hide show
  1. package/.claude-plugin/marketplace.json +56 -0
  2. package/.gitattributes +16 -0
  3. package/README.md +105 -38
  4. package/docs/404.md +13 -10
  5. package/docs/RELEASING.md +616 -0
  6. package/docs/STABILITY.md +123 -0
  7. package/docs/_data/pinned.yaml +98 -0
  8. package/docs/agents.md +16 -11
  9. package/docs/architecture.md +221 -0
  10. package/docs/bmad-synergy.md +11 -13
  11. package/docs/concepts.md +18 -108
  12. package/docs/examples.md +121 -80
  13. package/docs/getting-started.md +85 -147
  14. package/docs/how-it-works.md +25 -536
  15. package/docs/index.md +44 -27
  16. package/docs/skill-model.md +328 -0
  17. package/docs/troubleshooting.md +39 -0
  18. package/docs/verifying-a-skill.md +232 -0
  19. package/docs/why-skf.md +93 -0
  20. package/docs/workflows.md +119 -13
  21. package/package.json +30 -9
  22. package/release-audits/v1.0.0-launch-audit.md +207 -0
  23. package/src/README.md +23 -25
  24. package/src/forger/forge-tier.yaml +4 -2
  25. package/src/forger/preferences.yaml +7 -1
  26. package/src/knowledge/agentskills-spec.md +1 -1
  27. package/src/knowledge/architecture-verification.md +1 -1
  28. package/src/knowledge/ccc-bridge.md +16 -15
  29. package/src/knowledge/overview.md +11 -11
  30. package/src/knowledge/progressive-capability.md +3 -3
  31. package/src/knowledge/provenance-tracking.md +9 -3
  32. package/src/knowledge/qmd-registry.md +8 -8
  33. package/src/knowledge/skf-knowledge-index.csv +2 -2
  34. package/src/knowledge/skill-lifecycle.md +16 -1
  35. package/src/knowledge/split-body-strategy.md +1 -1
  36. package/src/knowledge/version-paths.md +17 -12
  37. package/src/module-help.csv +18 -17
  38. package/src/shared/health-check.md +372 -0
  39. package/src/shared/references/feasibility-report-schema.md +86 -0
  40. package/src/shared/references/headless-gate-convention.md +62 -0
  41. package/src/shared/references/output-contract-schema.md +35 -0
  42. package/src/shared/references/pipeline-contracts.md +102 -0
  43. package/src/shared/scripts/skf-atomic-write.py +370 -0
  44. package/src/shared/scripts/skf-manifest-ops.py +236 -0
  45. package/src/shared/scripts/skf-preflight.py +164 -0
  46. package/src/shared/scripts/skf-rebuild-managed-sections.py +201 -0
  47. package/src/shared/scripts/skf-severity-classify.py +163 -0
  48. package/src/shared/scripts/skf-skill-inventory.py +210 -0
  49. package/src/shared/scripts/skf-structural-diff.py +257 -0
  50. package/src/shared/scripts/skf-validate-frontmatter.py +318 -0
  51. package/src/shared/scripts/skf-validate-output.py +247 -0
  52. package/src/skf-analyze-source/SKILL.md +57 -0
  53. package/src/skf-analyze-source/assets/skill-brief-schema.md +125 -0
  54. package/src/skf-analyze-source/references/unit-detection-heuristics.md +124 -0
  55. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01-init.md +6 -66
  56. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01b-continue.md +4 -59
  57. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-02-scan-project.md +7 -68
  58. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-03-identify-units.md +6 -66
  59. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-04-map-and-detect.md +7 -68
  60. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-05-recommend.md +6 -66
  61. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-06-generate-briefs.md +14 -71
  62. package/src/skf-analyze-source/steps-c/step-07-health-check.md +22 -0
  63. package/src/skf-audit-skill/SKILL.md +59 -0
  64. package/src/{workflows/audit-skill/data → skf-audit-skill/assets}/drift-report-template.md +7 -7
  65. package/src/{workflows/audit-skill/data → skf-audit-skill/references}/severity-rules.md +11 -11
  66. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-01-init.md +24 -68
  67. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-02-re-index.md +36 -71
  68. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-03-structural-diff.md +21 -63
  69. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-04-semantic-diff.md +6 -65
  70. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-05-severity-classify.md +5 -63
  71. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-06-report.md +10 -64
  72. package/src/skf-audit-skill/steps-c/step-07-health-check.md +22 -0
  73. package/src/skf-brief-skill/SKILL.md +53 -0
  74. package/src/{workflows/brief-skill/data → skf-brief-skill/assets}/scope-templates.md +23 -0
  75. package/src/skf-brief-skill/assets/skill-brief-schema.md +206 -0
  76. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-01-gather-intent.md +6 -67
  77. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-02-analyze-target.md +6 -66
  78. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-03-scope-definition.md +12 -68
  79. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-04-confirm-brief.md +5 -63
  80. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-05-write-brief.md +10 -70
  81. package/src/skf-brief-skill/steps-c/step-06-health-check.md +22 -0
  82. package/src/skf-create-skill/SKILL.md +63 -0
  83. package/src/{workflows/create-skill/data → skf-create-skill/assets}/compile-assembly-rules.md +60 -0
  84. package/src/{workflows/create-skill/data → skf-create-skill/assets}/skill-sections.md +92 -23
  85. package/src/skf-create-skill/assets/tessl-dismissal-rules.md +102 -0
  86. package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns-tracing.md +13 -13
  87. package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns.md +8 -3
  88. package/src/skf-create-skill/references/source-resolution-protocols.md +239 -0
  89. package/src/{workflows/create-skill/data → skf-create-skill/references}/tier-degradation-rules.md +8 -7
  90. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-01-load-brief.md +25 -63
  91. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-02-ecosystem-check.md +8 -64
  92. package/src/skf-create-skill/steps-c/step-03-extract.md +379 -0
  93. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-03d-component-extraction.md +18 -35
  94. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-04-enrich.md +12 -69
  95. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-05-compile.md +71 -75
  96. package/src/skf-create-skill/steps-c/step-06-validate.md +267 -0
  97. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-07-generate-artifacts.md +30 -74
  98. package/src/skf-create-skill/steps-c/step-08-report.md +145 -0
  99. package/src/skf-create-skill/steps-c/step-09-health-check.md +23 -0
  100. package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-02b-ccc-discover.md +8 -66
  101. package/src/skf-create-skill/steps-c/sub/step-03b-fetch-temporal.md +229 -0
  102. package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-03c-fetch-docs.md +18 -42
  103. package/src/skf-create-stack-skill/SKILL.md +64 -0
  104. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/assets}/stack-skill-template.md +2 -1
  105. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/compose-mode-rules.md +19 -5
  106. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/integration-patterns.md +1 -1
  107. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/manifest-patterns.md +10 -10
  108. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-01-init.md +14 -55
  109. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-02-detect-manifests.md +29 -63
  110. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-03-rank-and-confirm.md +9 -59
  111. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-04-parallel-extract.md +29 -64
  112. package/src/skf-create-stack-skill/steps-c/step-05-detect-integrations.md +164 -0
  113. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-06-compile-stack.md +7 -60
  114. package/src/skf-create-stack-skill/steps-c/step-07-generate-output.md +328 -0
  115. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-08-validate.md +17 -63
  116. package/src/skf-create-stack-skill/steps-c/step-09-report.md +128 -0
  117. package/src/skf-create-stack-skill/steps-c/step-10-health-check.md +22 -0
  118. package/src/skf-drop-skill/SKILL.md +57 -0
  119. package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-01-select.md +9 -69
  120. package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-02-execute.md +30 -106
  121. package/src/skf-drop-skill/steps-c/step-03-report.md +83 -0
  122. package/src/skf-drop-skill/steps-c/step-04-health-check.md +22 -0
  123. package/src/skf-export-skill/SKILL.md +57 -0
  124. package/src/skf-export-skill/assets/managed-section-format.md +138 -0
  125. package/src/{workflows/export-skill/data → skf-export-skill/assets}/snippet-format.md +8 -12
  126. package/src/skf-export-skill/steps-c/step-01-load-skill.md +247 -0
  127. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-02-package.md +5 -58
  128. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-03-generate-snippet.md +15 -77
  129. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-04-update-context.md +59 -133
  130. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-05-token-report.md +4 -58
  131. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-06-summary.md +16 -68
  132. package/src/skf-export-skill/steps-c/step-07-health-check.md +22 -0
  133. package/src/skf-forger/SKILL.md +110 -0
  134. package/src/skf-forger/bmad-skill-manifest.yaml +11 -0
  135. package/src/skf-quick-skill/SKILL.md +56 -0
  136. package/src/{workflows/quick-skill/data → skf-quick-skill/references}/registry-resolution.md +6 -6
  137. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-01-resolve-target.md +9 -62
  138. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-02-ecosystem-check.md +5 -59
  139. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-03-quick-extract.md +18 -61
  140. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-04-compile.md +6 -60
  141. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-05-validate.md +58 -78
  142. package/src/skf-quick-skill/steps-c/step-06-write.md +73 -0
  143. package/src/skf-quick-skill/steps-c/step-07-health-check.md +22 -0
  144. package/src/skf-refine-architecture/SKILL.md +57 -0
  145. package/src/{workflows/refine-architecture/data → skf-refine-architecture/references}/refinement-rules.md +16 -16
  146. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-01-init.md +6 -63
  147. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-02-gap-analysis.md +29 -71
  148. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-03-issue-detection.md +5 -65
  149. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-04-improvements.md +5 -64
  150. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-05-compile.md +5 -56
  151. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-06-report.md +11 -64
  152. package/src/skf-refine-architecture/steps-c/step-07-health-check.md +22 -0
  153. package/src/skf-rename-skill/SKILL.md +58 -0
  154. package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-01-select.md +12 -73
  155. package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-02-execute.md +32 -113
  156. package/src/skf-rename-skill/steps-c/step-03-report.md +83 -0
  157. package/src/skf-rename-skill/steps-c/step-04-health-check.md +22 -0
  158. package/src/skf-setup/SKILL.md +55 -0
  159. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01-detect-and-tier.md +6 -62
  160. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01b-ccc-index.md +9 -65
  161. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-02-write-config.md +15 -60
  162. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-03-auto-index.md +7 -66
  163. package/src/skf-setup/steps-c/step-04-report.md +92 -0
  164. package/src/skf-setup/steps-c/step-05-health-check.md +22 -0
  165. package/src/skf-test-skill/SKILL.md +59 -0
  166. package/src/skf-test-skill/references/migration-section-rules.md +114 -0
  167. package/src/skf-test-skill/references/scoring-rules.md +207 -0
  168. package/src/skf-test-skill/references/source-access-protocol.md +109 -0
  169. package/src/skf-test-skill/scripts/compute-score.py +310 -0
  170. package/src/skf-test-skill/steps-c/step-01-init.md +238 -0
  171. package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-02-detect-mode.md +4 -62
  172. package/src/skf-test-skill/steps-c/step-03-coverage-check.md +347 -0
  173. package/src/skf-test-skill/steps-c/step-04-coherence-check.md +239 -0
  174. package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-04b-external-validators.md +42 -77
  175. package/src/skf-test-skill/steps-c/step-05-score.md +266 -0
  176. package/src/skf-test-skill/steps-c/step-06-report.md +290 -0
  177. package/src/skf-test-skill/steps-c/step-07-health-check.md +25 -0
  178. package/src/skf-test-skill/templates/test-report-template.md +58 -0
  179. package/src/skf-update-skill/SKILL.md +58 -0
  180. package/src/{workflows/update-skill/data → skf-update-skill/references}/manual-section-rules.md +6 -6
  181. package/src/{workflows/update-skill/data → skf-update-skill/references}/merge-conflict-rules.md +5 -5
  182. package/src/skf-update-skill/references/remote-source-resolution.md +94 -0
  183. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-01-init.md +22 -69
  184. package/src/skf-update-skill/steps-c/step-02-detect-changes.md +255 -0
  185. package/src/skf-update-skill/steps-c/step-03-re-extract.md +336 -0
  186. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-04-merge.md +60 -72
  187. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-05-validate.md +5 -62
  188. package/src/skf-update-skill/steps-c/step-06-write.md +278 -0
  189. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-07-report.md +11 -69
  190. package/src/skf-update-skill/steps-c/step-08-health-check.md +22 -0
  191. package/src/skf-verify-stack/SKILL.md +60 -0
  192. package/src/skf-verify-stack/assets/feasibility-report-template.md +76 -0
  193. package/src/{workflows/verify-stack/data → skf-verify-stack/references}/coverage-patterns.md +12 -4
  194. package/src/skf-verify-stack/references/integration-verification-rules.md +78 -0
  195. package/src/skf-verify-stack/steps-c/step-01-init.md +178 -0
  196. package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-02-coverage.md +27 -72
  197. package/src/skf-verify-stack/steps-c/step-03-integrations.md +179 -0
  198. package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-04-requirements.md +14 -67
  199. package/src/skf-verify-stack/steps-c/step-05-synthesize.md +147 -0
  200. package/src/skf-verify-stack/steps-c/step-06-report.md +156 -0
  201. package/src/skf-verify-stack/steps-c/step-07-health-check.md +25 -0
  202. package/tools/cli/commands/install.js +4 -1
  203. package/tools/cli/commands/status.js +21 -23
  204. package/tools/cli/commands/uninstall.js +11 -19
  205. package/tools/cli/commands/update.js +6 -4
  206. package/tools/cli/lib/ide-skills.js +216 -0
  207. package/tools/cli/lib/installer.js +29 -52
  208. package/tools/cli/lib/manifest.js +11 -5
  209. package/tools/cli/lib/platform-codes.yaml +223 -0
  210. package/tools/cli/lib/ui.js +76 -47
  211. package/tools/validate-docs-drift.js +193 -0
  212. package/src/agents/forger.agent.yaml +0 -114
  213. package/src/workflows/README.md +0 -174
  214. package/src/workflows/analyze-source/data/skill-brief-schema.md +0 -125
  215. package/src/workflows/analyze-source/data/unit-detection-heuristics.md +0 -124
  216. package/src/workflows/analyze-source/workflow.md +0 -61
  217. package/src/workflows/audit-skill/workflow.md +0 -64
  218. package/src/workflows/brief-skill/data/skill-brief-schema.md +0 -159
  219. package/src/workflows/brief-skill/workflow.md +0 -58
  220. package/src/workflows/create-skill/data/source-resolution-protocols.md +0 -200
  221. package/src/workflows/create-skill/steps-c/step-03-extract.md +0 -301
  222. package/src/workflows/create-skill/steps-c/step-03b-fetch-temporal.md +0 -253
  223. package/src/workflows/create-skill/steps-c/step-06-validate.md +0 -254
  224. package/src/workflows/create-skill/steps-c/step-08-report.md +0 -179
  225. package/src/workflows/create-skill/workflow.md +0 -53
  226. package/src/workflows/create-stack-skill/steps-c/step-05-detect-integrations.md +0 -196
  227. package/src/workflows/create-stack-skill/steps-c/step-07-generate-output.md +0 -270
  228. package/src/workflows/create-stack-skill/steps-c/step-09-report.md +0 -150
  229. package/src/workflows/create-stack-skill/workflow.md +0 -59
  230. package/src/workflows/drop-skill/steps-c/step-03-report.md +0 -136
  231. package/src/workflows/drop-skill/workflow.md +0 -63
  232. package/src/workflows/export-skill/data/managed-section-format.md +0 -103
  233. package/src/workflows/export-skill/steps-c/step-01-load-skill.md +0 -237
  234. package/src/workflows/export-skill/workflow.md +0 -58
  235. package/src/workflows/quick-skill/steps-c/step-06-write.md +0 -178
  236. package/src/workflows/quick-skill/workflow.md +0 -58
  237. package/src/workflows/refine-architecture/workflow.md +0 -61
  238. package/src/workflows/rename-skill/steps-c/step-03-report.md +0 -133
  239. package/src/workflows/rename-skill/workflow.md +0 -64
  240. package/src/workflows/setup-forge/steps-c/step-04-report.md +0 -159
  241. package/src/workflows/setup-forge/workflow.md +0 -51
  242. package/src/workflows/shared/health-check.md +0 -231
  243. package/src/workflows/test-skill/data/scoring-rules.md +0 -123
  244. package/src/workflows/test-skill/data/source-access-protocol.md +0 -51
  245. package/src/workflows/test-skill/steps-c/step-01-init.md +0 -217
  246. package/src/workflows/test-skill/steps-c/step-03-coverage-check.md +0 -280
  247. package/src/workflows/test-skill/steps-c/step-04-coherence-check.md +0 -271
  248. package/src/workflows/test-skill/steps-c/step-05-score.md +0 -222
  249. package/src/workflows/test-skill/steps-c/step-06-report.md +0 -208
  250. package/src/workflows/test-skill/templates/test-report-template.md +0 -28
  251. package/src/workflows/test-skill/workflow.md +0 -57
  252. package/src/workflows/update-skill/data/remote-source-resolution.md +0 -57
  253. package/src/workflows/update-skill/steps-c/step-02-detect-changes.md +0 -221
  254. package/src/workflows/update-skill/steps-c/step-03-re-extract.md +0 -256
  255. package/src/workflows/update-skill/steps-c/step-06-write.md +0 -265
  256. package/src/workflows/update-skill/workflow.md +0 -56
  257. package/src/workflows/verify-stack/data/feasibility-report-template.md +0 -63
  258. package/src/workflows/verify-stack/data/integration-verification-rules.md +0 -73
  259. package/src/workflows/verify-stack/steps-c/step-01-init.md +0 -179
  260. package/src/workflows/verify-stack/steps-c/step-03-integrations.md +0 -195
  261. package/src/workflows/verify-stack/steps-c/step-05-synthesize.md +0 -191
  262. package/src/workflows/verify-stack/steps-c/step-06-report.md +0 -200
  263. package/src/workflows/verify-stack/workflow.md +0 -61
  264. package/tools/cli/lib/compiler.js +0 -306
  265. package/tools/cli/lib/ide-commands.js +0 -244
  266. /package/src/{workflows/analyze-source → skf-analyze-source}/templates/analysis-report-template.md +0 -0
  267. /package/src/{workflows/quick-skill/data → skf-quick-skill/assets}/skill-template.md +0 -0
  268. /package/src/{workflows/setup-forge/data → skf-setup/references}/tier-rules.md +0 -0
  269. /package/src/{workflows/test-skill/data → skf-test-skill/assets}/output-section-formats.md +0 -0
@@ -0,0 +1,616 @@
1
+ ---
2
+ title: Releasing SKF
3
+ description: Maintainer reference for the release pipeline — branch protection, release workflow, and rollback procedures.
4
+ ---
5
+
6
+ This document records the configuration that gates releases of `bmad-module-skill-forge`. It exists so a future maintainer (including future-you) can audit, restore, or extend the pipeline without reverse-engineering GitHub settings.
7
+
8
+ For background on GitHub rulesets vs legacy branch protection, see the [GitHub ruleset docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
9
+
10
+ ## Branch Protection on `main`
11
+
12
+ `main` is gated by a **GitHub repository ruleset** (not legacy branch protection). The legacy "Settings → Branches → Branch protection rules" surface returns 404 for this repo.
13
+
14
+ **Ruleset:** `Default` — id `13855503` — applies to `~DEFAULT_BRANCH` (currently `main`) — enforcement `active`.
15
+
16
+ **Active rules (5):**
17
+
18
+ | Rule | Effect |
19
+ | ------------------------ | -------------------------------------------------------------------------------------------------------------------------- |
20
+ | `deletion` | Branch cannot be deleted. |
21
+ | `non_fast_forward` | Force-push blocked. |
22
+ | `pull_request` | Requires ≥ 1 approving review; `require_code_owner_review: true` (see CODEOWNERS note below); merge/squash/rebase allowed. |
23
+ | `code_quality` | Blocks merge on `severity: errors` from GitHub code-quality checks. |
24
+ | `required_status_checks` | Merge blocked until all seven `quality.yaml` checks pass (names below). |
25
+
26
+ **Required status checks (7):** sourced from `.github/workflows/quality.yaml` job keys. Matrix jobs expand to `jobname (matrix-value)`:
27
+
28
+ - `prettier`
29
+ - `eslint`
30
+ - `markdownlint`
31
+ - `validate (ubuntu-latest)`
32
+ - `validate (windows-latest)`
33
+ - `python (ubuntu-latest)`
34
+ - `python (windows-latest)`
35
+
36
+ **Coupling with `quality.yaml`:** if that workflow renames a job or changes the `strategy.matrix.os` for `validate` or `python`, the ruleset's `required_status_checks` list must be updated in lock-step — otherwise merges to `main` will either block on a check name that no longer reports, or silently pass without the renamed check. Update both in the same PR.
37
+
38
+ **`strict_required_status_checks_policy: false`** — PR branches are not forced to be up-to-date with `main` before merging. This avoids constant rebases on a low-traffic repo. Flip to `true` if concurrent merges start producing logical conflicts the checks can't catch.
39
+
40
+ **CODEOWNERS note:** the `pull_request` rule has `require_code_owner_review: true`, but no `.github/CODEOWNERS` file exists in the repo today. GitHub treats the code-owner requirement as vacuously satisfied when the file is absent, so this setting is currently a no-op — the only active review gate is `required_approving_review_count: 1`. If a CODEOWNERS file is added later, make sure the listed owners can actually approve PRs from other authors. GitHub's universal rule is that a PR author cannot approve their own PR — so a CODEOWNERS file that lists only a solo maintainer would deadlock every PR that maintainer opens (they'd be the sole eligible code-owner reviewer but also the author).
41
+
42
+ **Bypass actors:** `RepositoryRole` actor_id=5 (Admin), `bypass_mode: pull_request`. Admins can bypass the ruleset **only via a pull request**, never via direct push. This preserves `non_fast_forward` and the required-checks gate for the `github-actions[bot]` account that the future `release.yaml` workflow (Story 3.1) will use to push tags and commits to `main`. **Do not add a bot-specific bypass**; it would defeat the whole purpose of this ruleset.
43
+
44
+ ### Inspect current state
45
+
46
+ ```bash
47
+ gh api repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503
48
+ ```
49
+
50
+ ### Restore from a saved baseline
51
+
52
+ A JSON baseline captured before any change can be replayed via:
53
+
54
+ ```bash
55
+ # Extract the full set of fields required by a ruleset PUT from a saved baseline.json.
56
+ # PUT replaces the resource wholesale — omitting any of these fields either 422s or
57
+ # silently resets them server-side. `bypass_actors` is optional (empty array is the
58
+ # default) but is included here to preserve the admin-via-PR bypass.
59
+ jq '{name, target, enforcement, conditions, rules, bypass_actors}' baseline.json > /tmp/restore.json
60
+
61
+ gh api --method PUT \
62
+ repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503 \
63
+ --input /tmp/restore.json
64
+ ```
65
+
66
+ The GitHub ruleset API uses `PUT` (not `PATCH`) for updates, and the `rules` array is replaced wholesale — it is not merged server-side. Always fetch current state, modify the in-memory copy, and `PUT` the complete list.
67
+
68
+ ## Release Environment
69
+
70
+ The publish job is gated by a **GitHub [deployment environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a required-reviewer rule** (not by workflow logic). A job declaring `environment: release` pauses until a listed reviewer clicks "Approve and deploy" in the Actions UI.
71
+
72
+ **Environment:** `release` — id `14347249917` — created 2026-04-20.
73
+
74
+ | Setting | Value |
75
+ | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
76
+ | `wait_timer` | `0` (no artificial delay; approval is the only gate) |
77
+ | `prevent_self_review` | `false` — see rationale below |
78
+ | `reviewers` | `armelhbobdad` (user id `132626034`), 1 approver |
79
+ | `deployment_branch_policy` | `custom_branch_policies: true`, list: `main` only |
80
+ | Environment-scoped secrets | `0` (invariant — see `NPM_TOKEN` note below) |
81
+ | Cost | `$0` on public-repo tier (environments, required reviewers, and branch policies are [free for public repositories](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#about-environments)) |
82
+
83
+ **`prevent_self_review: false` — correctness constraint, not a loosened control.** Solo-maintainer setups cannot self-approve when this is `true`, so the gate would deadlock on any maintainer-triggered publish. The value flips to `true` the moment a second reviewer joins — do not leave it loose by inertia.
84
+
85
+ **`NPM_TOKEN` is NOT scoped to this environment.** It remains at repo-level secrets during the OIDC transition and is removed entirely post-v1.0.0 (see Story 6.3). The invariant: the `release` env must have zero secrets. If a future change scopes any secret here, re-audit whether the OIDC trusted-publisher path is still in force.
86
+
87
+ **Coupling with npm trusted publishing (Story 1.3).** The npm trusted publisher binds on four fields — `organization=armelhbobdad`, `repository=bmad-module-skill-forge`, `workflow filename=release.yaml`, `environment=release`. The environment name above is load-bearing: any rename here must be accompanied by a matching npm-side update in the same change, or the next publish returns 404.
88
+
89
+ ### Inspect current state
90
+
91
+ ```bash
92
+ # Environment itself (reviewers, branch-policy shape, prevent_self_review)
93
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release
94
+
95
+ # Allowed deployment branches (expect: one entry, name "main")
96
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
97
+
98
+ # Environment-scoped secrets (expect: zero)
99
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/secrets
100
+ ```
101
+
102
+ ### Restore / re-apply
103
+
104
+ Two-call pattern — the environment and its branch-policy list are separate resources. Creating the environment alone with `custom_branch_policies: true` leaves the allow-list empty, which rejects every dispatch; the second call is mandatory.
105
+
106
+ ```bash
107
+ # (1) Create or update the environment with the required-reviewer gate
108
+ gh api --method PUT repos/armelhbobdad/bmad-module-skill-forge/environments/release --input - <<'JSON'
109
+ {
110
+ "wait_timer": 0,
111
+ "prevent_self_review": false,
112
+ "reviewers": [{ "type": "User", "id": 132626034 }],
113
+ "deployment_branch_policy": {
114
+ "protected_branches": false,
115
+ "custom_branch_policies": true
116
+ }
117
+ }
118
+ JSON
119
+
120
+ # (2) Add main to the allowed deployment branches.
121
+ # Returns HTTP 422 ("already_exists") if main is already on the list —
122
+ # safe to ignore on re-apply. To pre-check:
123
+ # gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
124
+ gh api --method POST repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies --input - <<'JSON'
125
+ { "name": "main" }
126
+ JSON
127
+ ```
128
+
129
+ ### Temporarily allowing a feature branch
130
+
131
+ A release workflow that declares `environment: release` will be rejected from any branch not on the allow-list. For legitimate validation cuts from a feature branch (Story 3.2's alpha cut is the canonical case), widen the allow-list for the duration of the test and tighten it back immediately:
132
+
133
+ ```bash
134
+ # Allow the feature branch and capture the returned policy id into a shell var.
135
+ # Using command substitution + --jq .id avoids the "eyeball the JSON and paste
136
+ # the id later" footgun — if the POST succeeds, $POLICY_ID is ready for the revoke.
137
+ POLICY_ID=$(gh api --method POST \
138
+ repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies \
139
+ --input - --jq .id <<'JSON'
140
+ { "name": "feat/my-validation-branch" }
141
+ JSON
142
+ )
143
+ echo "POLICY_ID=$POLICY_ID" # confirm a numeric id was captured before proceeding
144
+
145
+ # ... run the validation cut, approve via the reviewer UI, confirm publish ...
146
+
147
+ # Revoke immediately — the allow-list must return to { main } before leaving the session.
148
+ # Quote the expansion so the shell never interprets the id as a redirection token.
149
+ gh api --method DELETE \
150
+ "repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies/$POLICY_ID"
151
+ ```
152
+
153
+ Leaving a feature branch on the allow-list is an unguarded hole — any later `workflow_dispatch` from that branch would be able to reach the publish path. Treat the revoke as the last step of the validation, not a follow-up.
154
+
155
+ ## npm Trusted Publisher
156
+
157
+ The future `release.yaml` workflow (Story 3.1) publishes to npm via **OIDC trusted publishing** — no `NPM_TOKEN` is consulted during the publish step, and every published version carries an auto-attached SLSA Build Level 2 provenance attestation. For this to work, the npm package `bmad-module-skill-forge` has a trusted-publisher entry on npmjs.com that binds on four fields exactly matching what the workflow asserts at run time. A mismatch on any field causes an opaque `404` at publish time — the error ("npm could not match your workflow run") surfaces the failure class but does not name which of the four fields is wrong.
158
+
159
+ **Registered:** 2026-04-20 by `armelhbobdad`.
160
+
161
+ | Field | Value |
162
+ | ----------------- | ------------------------- |
163
+ | Publisher type | `GitHub Actions` |
164
+ | Organization/user | `armelhbobdad` |
165
+ | Repository | `bmad-module-skill-forge` |
166
+ | Workflow filename | `release.yaml` |
167
+ | Environment | `release` |
168
+
169
+ **Inspect current state:** visit the [npm package settings for `bmad-module-skill-forge`](https://www.npmjs.com/package/bmad-module-skill-forge) → **Settings** tab → **Trusted Publisher** section (npm UI as of 2026-04-20; if the tab is reorganised later, the section still lives on the package Settings page). Modification requires 2FA re-entry on the maintainer account. No CLI or public API for programmatic inspection of Trusted Publisher state exists as of 2026-04-20 — drift detection is UI-only until npm exposes one.
170
+
171
+ **Case-sensitive.** All four fields above use the exact lowercase forms shown; npm's matcher is an exact-string comparison. Do not capitalize on re-registration even if GitHub's UI surfaces a display-form with capitals.
172
+
173
+ **Rename coupling — the four fields are load-bearing.** Renaming OR deleting the `release` GitHub environment (see § Release Environment), renaming or moving `release.yaml` within `.github/workflows/`, or flipping the extension between `.yaml` and `.yml` each require matching updates in the same PR to: (a) the npm-side Trusted Publisher, (b) the Registered table above, and (c) the `## Release Process` enumeration in `README.md` (which names both `release` and the Trusted Publisher). Skipping any of these produces an opaque `404` on the next publish — the error names the failure class, not the specific field.
174
+
175
+ **Pre-registration inversion.** This entry was registered **before** `release.yaml` was authored (Story 3.1). The first live validator of the full OIDC chain is Story 3.2's alpha cut. If that cut's publish step 404s, open a **three-way comparison**: (1) the npm Settings tab, (2) the workflow YAML's `name` / `on` / `jobs.<id>.environment` lines, and (3) the Registered table above. The table is the ground truth because it captured the values at npm-save time — compare both the npm record and the workflow header against the table, never the workflow against itself (verifying the workflow against its own header will silently confirm a typo).
176
+
177
+ **`NPM_TOKEN` is a legacy residual, not a safety net.** The token remains at repo-level secrets for two reasons: (a) the legacy `publish.yaml` still uses it until Story 3.3 retires that path, and (b) Story 6.3 deletes the secret entirely post-v1.0.0. Treat its continued presence as attack surface to minimize, not defence-in-depth — a repo-scope token is reachable from any workflow with `secrets.*` access. The token does NOT sit "behind" OIDC: `release.yaml` does not yet exist, so there is no OIDC path for it to be a fallback to. If a future OIDC incident forces a last-resort token-based re-publish, document the flip in the commit body and revert as soon as OIDC is restored.
178
+
179
+ **Fixing a bad registration.** The npm UI exposes both **Edit** and **Delete** on an existing Trusted Publisher entry (observed 2026-04-20). Prefer edit for a single-field typo; prefer delete-and-re-add if multiple fields are wrong or the edit form ever feels ambiguous. **Pre-Story 3.2**: there is no destructive side effect because no publish is attempted yet, and delete-and-re-add keeps the audit trail cleaner. **Post-Story 3.2**: a publish that fires during the delete-and-re-add window will 404 — gate any delete-and-re-add behind a manual publish freeze (pause any active `release.yaml` runs, confirm no tags are in-flight) before touching the entry.
180
+
181
+ <!-- Rollback Playbook — added in Story 4.1 -->
182
+
183
+ ## Rollback Playbook
184
+
185
+ > **NEVER `npm unpublish` v1.0.0.** Once `bmad-module-skill-forge` is published under `--tag latest` at v1.0.0, the version is immutable by policy (NFR6). The default rollback is `npm deprecate` + ship forward. See Scenario C for the narrow 72h / zero-dependents exception — which applies to **pre-v1.0.0 versions only**.
186
+
187
+ Scenarios A–F are recovery paths for a bad publish; Scenario G is a meta-recovery path for the release workflow itself. Each scenario follows a five-element shape: **Trigger** → **CLI** → **Expected outcome** → **Constraints** → **Verification**. A compact [cross-reference matrix](#cross-reference-matrix) sits at the end of this section for under-pressure triage. All `gh api` examples in this section use name-based lookups (ruleset by `name=="Default"`, environment by literal `release`) so they survive ruleset or environment re-creation.
188
+
189
+ Placeholder substitutions used throughout:
190
+
191
+ - `<bad>` — the broken version just published (e.g. `0.10.1`).
192
+ - `<previous_good>` — the last known-good version immediately before `<bad>` (e.g. `0.10.0`).
193
+ - `<next_version>` — the fix version produced by the next `release.yaml` dispatch (e.g. `0.10.2`).
194
+ - `<run-id>` — a GitHub Actions run id visible in the Actions UI and via `gh run list --workflow=release.yaml`.
195
+
196
+ ### Scenario A — "Bad version published to `latest`, no users yet (within ~minutes)"
197
+
198
+ - **Trigger.** Maintainer notices a defect within minutes of publish; `npm view bmad-module-skill-forge dist-tags` still shows `<bad>` on `latest`; download count is negligible; no dependents have pinned `<bad>` yet.
199
+
200
+ > **Note on cache lag.** `npm view … dist-tags` reads through a CDN with multi-second to multi-minute eventual consistency. "Still shows `<bad>` on `latest`" is not an authoritative "no users yet" signal. For freshness, cross-check with `npm view bmad-module-skill-forge@<bad> time --json | jq '. | to_entries | last'`.
201
+
202
+ - **CLI.**
203
+
204
+ ```bash
205
+ # Flip latest back to the last known-good version.
206
+ npm dist-tag add bmad-module-skill-forge@<previous_good> latest
207
+
208
+ # Verify the flip landed.
209
+ npm dist-tag ls bmad-module-skill-forge
210
+
211
+ # Warn anyone who did install <bad> in the meantime.
212
+ npm deprecate bmad-module-skill-forge@<bad> "Pulled - use <previous_good> instead"
213
+
214
+ # Cut the fix forward via the canonical workflow (OIDC publish, SLSA-L2 provenance).
215
+ gh workflow run release.yaml -f version_bump=patch
216
+ ```
217
+
218
+ - **Expected outcome.** `latest` now resolves to `<previous_good>`; `npm install bmad-module-skill-forge@<bad>` emits a deprecation warning; the subsequent patch cut advances `latest` to `<next_version>` cleanly.
219
+ - **Constraints.** Valid only while the blast radius is small. If any downstream has already pinned to `<bad>`, Scenario B applies instead — reverting `latest` won't reach those installs.
220
+ - **Verification.**
221
+
222
+ ```bash
223
+ npm view bmad-module-skill-forge dist-tags --json
224
+ # expected: {"latest":"<previous_good>", ...}
225
+ # Other dist-tags (e.g. "alpha") may also appear depending on prior releases.
226
+ ```
227
+
228
+ ### Scenario B — "Bad version live for hours/days, users may be installing it"
229
+
230
+ - **Trigger.** Defect discovered after `<bad>` has held `latest` long enough that download count is non-zero, or dependents may have already pinned.
231
+ - **CLI.**
232
+
233
+ ```bash
234
+ # Warn immediately — every install of <bad> now prints this string.
235
+ npm deprecate bmad-module-skill-forge@<bad> "Critical bug - use <next_version> instead"
236
+
237
+ # Cut the fix forward. release.yaml's dist-tag case-chain auto-updates `latest`
238
+ # for non-prerelease versions, so no manual `dist-tag add` is needed here.
239
+ gh workflow run release.yaml -f version_bump=patch
240
+ ```
241
+
242
+ - **Expected outcome.** `npm install bmad-module-skill-forge` starts emitting the deprecation warning; the new patch publishes cleanly; `latest` advances to `<next_version>`.
243
+ - **Constraints.** **Do NOT** `npm dist-tag add @<previous_good> latest` in this scenario. For post-v1.0.0 releases that is an NFR6 violation (it re-exposes a deprecated version as `latest`); for pre-v1.0.0 it fragments user expectation and hides the fix. Ship forward via patch bump.
244
+ - **Verification.**
245
+
246
+ ```bash
247
+ # Confirm the deprecation message landed on the registry (no install required —
248
+ # `npm install` would mutate the cwd's package.json/package-lock.json).
249
+ npm view bmad-module-skill-forge@<bad> deprecated
250
+ # expected: the exact deprecation string set above ("Critical bug - use <next_version> instead")
251
+ ```
252
+
253
+ NFR3 (rollback frequency <1/quarter post-v1.0.0) is evaluated against the frequency of Scenario B invocations — each trip through Scenario B is an NFR3 data point.
254
+
255
+ ### Scenario C — "Bad version within last 72h, zero downloads, zero dependents"
256
+
257
+ - **Trigger.** A narrow eligibility window per the [npm unpublish policy](https://docs.npmjs.com/policies/unpublish/): less than 72 hours since publish **AND** zero downloads **AND** zero dependent packages registered on npmjs.com. All three conditions must be true. Compute the 72-hour boundary from the `time.modified` field of `npm view bmad-module-skill-forge@<bad> --json`, NOT from the responder's local clock — npm's policy engine uses its server timestamp and a drift of even a few minutes at the boundary will 422 the unpublish.
258
+
259
+ > **Caveat on the "zero downloads" criterion.** npm's downloads API is documented as eventually consistent with up to 24–48h lag post-publish. A version can show "0 downloads" while having been installed by hundreds of CI runs in that window. When in doubt in the first 24–48 hours, treat C as Scenario B.
260
+
261
+ - **CLI.**
262
+
263
+ ```bash
264
+ npm unpublish bmad-module-skill-forge@<bad>
265
+ ```
266
+
267
+ - **Expected outcome.** The version disappears from `npm view`. **But** the version _number_ is permanently burned — npm rejects any future publish of that same version string forever.
268
+
269
+ > **Permanent-burn warning.** The version number is burned. After `npm unpublish bmad-module-skill-forge@0.10.1`, the next `release.yaml` dispatch with `version_bump: patch` on `0.10.0` will produce `0.10.2`, **not** `0.10.1` again. Attempting `npm version 0.10.1 --no-git-tag-version` would drive the workflow's `npm publish` toward an npm-burned version and return `403`. Treat the unpublish as a one-way jump in the version number line, not a true undo.
270
+
271
+ - **Constraints.** **This scenario does NOT apply to v1.0.0.** Per NFR6, v1.0.0 is never unpublished regardless of eligibility window — use Scenario B instead. Scenario C is a pre-v1.0.0-only path.
272
+ - **Verification.**
273
+
274
+ ```bash
275
+ npm view bmad-module-skill-forge@<bad> 2>&1
276
+ # expected: npm error 404 No match found for version <bad>
277
+ ```
278
+
279
+ ### Scenario D — "Tag exists but npm publish failed"
280
+
281
+ - **Trigger.** `release.yaml` pushed the `v*` tag (tag-creation step runs before the npm publish step) and then the publish step failed — OIDC 404, tarball validation error, network drop. `npm view bmad-module-skill-forge@<version>` returns 404; `git tag -l v<version>` shows the tag locally and on origin.
282
+ - **CLI.**
283
+
284
+ ```bash
285
+ # VERIFY FIRST that npm did NOT publish — a tag-delete after a successful
286
+ # publish would orphan the npm artifact. If this returns a manifest, STOP
287
+ # and go to Scenario E.
288
+ npm view bmad-module-skill-forge@<version> 2>&1
289
+
290
+ # Tag-only recovery: clear the tag locally and on origin, then re-dispatch.
291
+ git tag -d v<version>
292
+ git push --delete origin v<version>
293
+
294
+ # Re-dispatch with the same bump input — release.yaml will produce a fresh
295
+ # clean tag and successful publish.
296
+ gh workflow run release.yaml -f version_bump=<same-input-as-before>
297
+ ```
298
+
299
+ - **Expected outcome.** Tag cleared from origin; re-run produces a fresh clean tag plus a successful publish under the next version number.
300
+ - **Constraints.** Only safe if publish failed. If npm _did_ publish, use Scenario E — tag-deletion after a successful publish leaves the npm artifact without a matching git ref.
301
+ - **Do-NOT clause.** Never re-use the burned `<version>` number. `release.yaml` will produce the next version on redispatch (for example, re-running an `alpha` bump over `0.10.1-alpha.0` produces `0.10.1-alpha.1`, not `0.10.1-alpha.0` again). Forcing the original version back via `npm version <exact> --no-git-tag-version` is out of scope for rollback.
302
+ - **Story 3.2 load-bearing context.** The current `release.yaml` pushes the git tag **before** the npm publish step (see the `Create and push tag` job step vs. the `Publish to npm via OIDC trusted publishing` step). This ordering is pre-existing from Story 3.1 and tracked in `_bmad-output/implementation-artifacts/deferred-work.md` under `§ 3-1/3-2 code review "Create and push tag pushes the git tag BEFORE Publish to npm"` as a post-v1.0.0 hardening candidate. Until that lands, Scenario D's tag-delete path **is** the recovery.
303
+ - **Verification.**
304
+
305
+ ```bash
306
+ # Tag gone on origin.
307
+ gh api repos/armelhbobdad/bmad-module-skill-forge/git/refs/tags/v<version> 2>&1
308
+ # expected: 404 Not Found
309
+ ```
310
+
311
+ ### Scenario E — "npm publish succeeded but GitHub Release / tag push failed"
312
+
313
+ - **Trigger.** Publish succeeded (`npm view bmad-module-skill-forge@<version>` returns a manifest) but **one of**: tag-push to origin failed (network drop, branch-protection edge case); the `Create GitHub Release` softprops step failed (API rate limit, auth expiry); the `Push commit to main` step was (correctly) skipped but the release artifact diverged from `main`.
314
+ - **Premise inversion note.** In the research doc's scenario ordering, publish was assumed to happen before tag push — so publish failure was the likely branch. In the live `release.yaml` the ordering is reversed: the tag push runs **before** the npm publish. That means a publish-succeeded-but-tag-missing window is small, but real — the `Create GitHub Release` and `Push commit to main` steps still run after publish and either can fail independently. This scenario covers the post-publish-tag-or-release-missing recovery path.
315
+ - **CLI — tag recovery.**
316
+
317
+ ```bash
318
+ # Obtain the commit-sha the workflow used as its HEAD during the publish run
319
+ # (returns the SHA directly; do not grep the run log — the bump-commit echo
320
+ # line does not contain the SHA, only the post-commit confirmation does).
321
+ COMMIT_SHA=$(gh api \
322
+ repos/armelhbobdad/bmad-module-skill-forge/actions/runs/<run-id> \
323
+ --jq .head_sha)
324
+
325
+ # Recreate the annotated tag and push.
326
+ git tag -a v<version> "$COMMIT_SHA" -m "Release v<version>"
327
+ git push origin v<version>
328
+ ```
329
+
330
+ - **CLI — GitHub Release recovery.** The workflow's `Generate release notes`
331
+ step writes to `release_notes.md` inside the runner; that file is **not**
332
+ uploaded as an artifact, so it does not exist outside the run. Either scrape
333
+ the body from the run log first, or use `--generate-notes` to let GitHub
334
+ regenerate from commit subjects.
335
+
336
+ ```bash
337
+ # Option A: scrape the notes body from the run log into a local file.
338
+ gh run view <run-id> --log \
339
+ | sed -n '/^## Generate release notes/,/^##[^#]/p' \
340
+ > release_notes.md
341
+ gh release create v<version> \
342
+ --notes-file release_notes.md \
343
+ --title "Skill Forge (SKF) v<version>"
344
+
345
+ # Option B: let GitHub regenerate from commit subjects (loses the curated
346
+ # changelog body but always works).
347
+ gh release create v<version> \
348
+ --generate-notes \
349
+ --title "Skill Forge (SKF) v<version>"
350
+ ```
351
+
352
+ - **Expected outcome.** Tag landed on origin pointing at the correct commit; GitHub Release page reflects the published npm artifact; npm + GitHub + git state are now consistent.
353
+ - **Constraints.** **npm state is immutable.** Do NOT try to "clean up" the npm artifact so the release can be re-run from scratch. The npm artifact plus the orphaned post-recovery git state **is** the canonical record — NFR5 (audit-trail completeness) is satisfied by the successful npm publish plus the recovered tag and GitHub Release, not by a clean rerun.
354
+ - **Orphaned-commit caveat (Story 3.2 context).** If the run was dispatched from a feature branch and `Push commit to main` was correctly skipped, the `release: bump to v<version>` commit lives only in the workflow run log until the recovered tag above anchors it. This is NFR12-compliant and expected pre-v1.0.0 behavior; the tag is the authoritative pointer. This is exactly the pattern observed in the Story 3.2 alpha cut (`bmad-module-skill-forge@0.10.1-alpha.0`, run `24714953668`, tag `v0.10.1-alpha.0`, orphaned commit `2a57dcbd`).
355
+ - **Verification.**
356
+
357
+ ```bash
358
+ # Tag resolves.
359
+ gh api repos/armelhbobdad/bmad-module-skill-forge/git/refs/tags/v<version>
360
+
361
+ # GitHub Release exists.
362
+ gh release view v<version>
363
+
364
+ # npm + GitHub provenance still match.
365
+ npm view bmad-module-skill-forge@<version> --json | jq '.dist.attestations'
366
+ ```
367
+
368
+ ### Scenario F — "Suspected OIDC compromise / unauthorized publish"
369
+
370
+ - **Trigger (any of).**
371
+ - `npm view bmad-module-skill-forge time` shows a publish with a timestamp no maintainer triggered.
372
+ - `npm audit signatures` on a published tarball reports attestation verification failure.
373
+ - A GitHub Actions run shows reviewer approval that was not given.
374
+ - npm support notifies of suspected compromise.
375
+ - **Immediate CLI (within minutes of detection).** Revoke the OIDC trust surface before doing anything else:
376
+ - Visit `https://www.npmjs.com/package/bmad-module-skill-forge` → **Settings** tab → **Trusted Publisher** section → **Delete** the registration.
377
+ - This blocks _all_ future OIDC publishes until re-registered, stopping any further unauthorized use of the OIDC path mid-incident.
378
+ - **Audit CLI.**
379
+
380
+ ```bash
381
+ # Full publish timeline.
382
+ npm view bmad-module-skill-forge time
383
+
384
+ # Per-version provenance shape (script-friendly).
385
+ npm view bmad-module-skill-forge@<suspect> --json \
386
+ | jq '.dist.attestations'
387
+ # expected shape:
388
+ # {
389
+ # "url": "https://registry.npmjs.org/-/npm/v1/attestations/bmad-module-skill-forge@<suspect>",
390
+ # "provenance": { "predicateType": "https://slsa.dev/provenance/v1" }
391
+ # }
392
+
393
+ # Human-friendly signature-chain check. `npm audit signatures` operates on
394
+ # the cwd's installed dependency tree — running it in an empty dir returns
395
+ # "0 packages have verified attestations", which is a false-clean signal
396
+ # mid-incident. Wrap the install in a throwaway dir, ignore lifecycle
397
+ # scripts (the suspect tarball may be hostile), then audit.
398
+ mkdir -p /tmp/skf-incident-verify && cd /tmp/skf-incident-verify
399
+ npm init -y >/dev/null
400
+ npm install --ignore-scripts bmad-module-skill-forge@<suspect>
401
+ npm audit signatures
402
+ # expected: "X packages have verified attestations" with attestation count >= 1
403
+ ```
404
+
405
+ If `dist.attestations` is missing or the `url` field points somewhere unexpected, the publish bypassed the OIDC path.
406
+
407
+ - **Coordination CLI.** If a malicious version was actually published, contact `support@npmjs.com` with the version string, the attestation URL, and the Trusted Publisher registration timestamp; request a manual takedown. npm support can unpublish outside the 72-hour window for security-compromise cases.
408
+ - **Lockdown CLI.**
409
+
410
+ ```bash
411
+ # Confirm no unexpected secrets were added to the repo.
412
+ gh api repos/armelhbobdad/bmad-module-skill-forge/actions/secrets
413
+
414
+ # Confirm the write-access list is unchanged.
415
+ gh api repos/armelhbobdad/bmad-module-skill-forge/collaborators
416
+
417
+ # Review all workflows for any pull_request trigger type that could run
418
+ # attacker-controlled code with repo secrets (e.g. `types: [opened]`
419
+ # without a trusted-author gate).
420
+ grep -rn "pull_request:" .github/workflows/
421
+ ```
422
+
423
+ - **Post-incident reactivation.** After audit completes and root cause is identified and patched, re-register the Trusted Publisher via the npm UI with the four fields matching the table in `## npm Trusted Publisher` above (`organization=armelhbobdad`, `repository=bmad-module-skill-forge`, `workflow filename=release.yaml`, `environment=release`). Re-verify via an alpha cut (dispatch `release.yaml` from a temporarily-allowed feature branch per the `## Release Environment § Temporarily allowing a feature branch` procedure) before any stable release.
424
+ - **Pre-v1.0.0 context.** Trusted Publisher was pre-registered on 2026-04-20 (Story 1.3). A compromise discovered pre-v1.0.0 is recoverable via delete-and-re-register with no downstream-consumer blast radius (no stable release users yet). Post-v1.0.0, the incident has downstream blast radius and the `support@npmjs.com` coordination path is load-bearing.
425
+ - **Do-NOT clause — `NPM_TOKEN` rotation is not OIDC incident response.** Do NOT rotate `NPM_TOKEN` as a first response. The token is not on the OIDC path; rotating it does nothing to stop an OIDC compromise.
426
+ - If `NPM_TOKEN` itself is _also_ suspected compromised, revoke via `https://www.npmjs.com` → **Access Tokens** and remove from the repo: `gh secret delete NPM_TOKEN --repo armelhbobdad/bmad-module-skill-forge`. This is separate from the OIDC incident response above.
427
+ - `NPM_TOKEN` still exists at repo scope until Story 6.3 (post-v1.0.0). A compromised `NPM_TOKEN` is a **separate incident class** from OIDC compromise. During the window where OIDC is revoked _and_ `NPM_TOKEN` is also compromised, there is no valid publish path — the repo enters lockdown until Trusted Publisher is re-registered. Document the flip in the incident post-mortem; do not publish via any stale path.
428
+
429
+ ### Scenario G — "release.yaml disabled, reverted, or missing from main"
430
+
431
+ - **Trigger.** `release.yaml` is the single-rooted release workflow (Story 3.3 Patch A neutralized the legacy `publish.yaml` `v*` tag trigger). If `release.yaml` is reverted, renamed, moved, or disabled at the repo-settings level (`gh workflow disable release.yaml`) and someone tries to cut a release, **no workflow fires**. Silent no-op until a maintainer checks `npm view` or the Actions UI.
432
+ - **Detection.** After any PR that touches `.github/workflows/*` — and before any release attempt — run:
433
+
434
+ ```bash
435
+ gh api repos/armelhbobdad/bmad-module-skill-forge/actions/workflows \
436
+ --jq '.workflows[] | select(.name=="Release") | {name, state, path}'
437
+ # expected: {"name":"Release","state":"active","path":".github/workflows/release.yaml"}
438
+ ```
439
+
440
+ If `state` is not `active` (the GitHub Actions API reports `disabled_manually` when disabled via the UI or `gh workflow disable`), or no matching workflow is returned at all (file renamed, moved, or deleted), Scenario G applies.
441
+
442
+ - **Recovery CLI.**
443
+
444
+ ```bash
445
+ # Case 1: workflow is disabled but the file is present.
446
+ gh workflow enable release.yaml
447
+
448
+ # Case 2: the file is missing or reverted.
449
+ # Revert the offending PR via the normal branch-protection review path.
450
+ # Do NOT hand-edit main — branch protection blocks direct push anyway.
451
+ gh pr view <offending-pr-number>
452
+ # `gh pr revert` opens a NEW revert PR; it does not merge anything itself.
453
+ # Capture the URL it prints, then approve + merge that revert PR through
454
+ # the standard review path before retrying the release.
455
+ gh pr revert <offending-pr-number>
456
+ # After approval (manual review step required by branch protection):
457
+ gh pr merge <revert-pr-number> --squash
458
+ ```
459
+
460
+ - **Expected outcome.** `release.yaml` is back on `main` with `state: "active"`; next dispatch fires normally.
461
+ - **Prevention.** Single-root invariants to spot-check after any workflow-dir PR. The globs below cover both `.yaml` and `.yml` extensions (the repo currently has at least one `.yml` workflow):
462
+
463
+ ```bash
464
+ # Any workflow with id-token: write should be a known release/provenance workflow.
465
+ grep -l 'id-token: write' .github/workflows/*.{yaml,yml} 2>/dev/null
466
+ # expected set:
467
+ # - docs.yaml (GitHub Pages — orthogonal to release)
468
+ # - publish.yaml (DEPRECATED — kept until Story 6.1 deletes it; workflow_dispatch-only,
469
+ # surviving as the Scenario G emergency hatch)
470
+ # - release.yaml (canonical)
471
+
472
+ # No `v*` push trigger should exist in any workflow — release.yaml is workflow_dispatch-only,
473
+ # and publish.yaml had its push:tags:v* trigger neutralized in Story 3.3 Patch A.
474
+ # Scan the 3 lines following each `push:` block for a v* tag pattern.
475
+ grep -A3 -E '^\s*push:' .github/workflows/*.{yaml,yml} 2>/dev/null \
476
+ | grep -E "['\"]v\*['\"]"
477
+ # expected: zero matches.
478
+ ```
479
+
480
+ - **Escalation path — emergency hatch.** If Scenario G is detected mid-incident when a release is urgently needed, the legacy `.github/workflows/publish.yaml` retains `workflow_dispatch:` as an emergency hatch (NPM_TOKEN still at repo scope until Story 6.3). Invoke via:
481
+
482
+ ```bash
483
+ gh workflow run publish.yaml
484
+ ```
485
+
486
+ Read the next two paragraphs **before** dispatching:
487
+ - **Auth vs. provenance — they are independent.** `publish.yaml` authenticates to npm with `NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }}` (token-based; NOT OIDC trusted publishing — that path is `release.yaml`-only). However, the workflow also has `id-token: write` permission and calls `npm publish --provenance`, so npm WILL attach a SLSA-L2 provenance attestation derived from the GitHub Actions OIDC token. Provenance is independent of the auth-to-npm path. The trade-off is auth lineage (token vs. trusted-publisher OIDC), not attestation presence.
488
+ - **State divergence — `publish.yaml` does NOT bump version, push the `v*` tag, update `CHANGELOG.md`, or create a GitHub Release.** It only runs `npm publish` against whatever `package.json` is at HEAD of the dispatched ref. Every emergency-hatch use therefore leaves npm + git state diverged and requires a Scenario E-style reconciliation afterward: bump `package.json` manually on `main` (so the next release does not collide), then recreate the tag and GitHub Release per Scenario E.
489
+
490
+ Document every emergency-hatch use in an incident post-mortem, and re-enable `release.yaml` before the next release. This fallback disappears when Story 6.1 deletes `publish.yaml`.
491
+
492
+ - **Constraints.** Branch protection on `main` blocks direct pushes — recovery goes through a PR in every case. Do not attempt to sidestep branch protection to "fix" `release.yaml` faster; the cost of a bad release (NFR5 audit-trail breakage, NFR10 commit-trail breakage) far exceeds the cost of a normal-review PR.
493
+
494
+ ### Cross-reference matrix
495
+
496
+ | Scenario | Trigger class | Primary CLI verb | NFR linkage |
497
+ | -------- | ------------------------------- | -------------------------------- | ----------------- |
498
+ | A | Fresh bad latest | `dist-tag` + `deprecate` | NFR3 |
499
+ | B | Stale bad latest | `deprecate` + ship forward | NFR3, NFR6 |
500
+ | C | Eligible unpublish | `unpublish` | (pre-v1.0.0 only) |
501
+ | D | Tag orphan (publish failed) | `tag -d` + `push --delete` | NFR12 |
502
+ | E | Post-publish state drift | `tag -a` + `gh release create` | NFR5 |
503
+ | F | OIDC compromise | revoke Trusted Publisher + audit | NFR7 |
504
+ | G | `release.yaml` disabled/missing | `workflow enable` / `pr revert` | NFR5, NFR10 |
505
+
506
+ ### Baseline snapshots
507
+
508
+ The ruleset-restore snippet at the top of this document (`## Branch Protection on main § Restore from a saved baseline`) uses `gh api --method PUT .../rulesets/<id>`. That call returns `404` if the `Default` ruleset has been deleted, not merely edited. Keeping a recent `baseline-ruleset-Default-YYYYMMDD.json` on disk lets the PUT-then-POST fallback below recover from either case.
509
+
510
+ **One-time capture pattern** — run after any maintainer-initiated change to the ruleset or to the `release` environment, **not on a schedule**:
511
+
512
+ ```bash
513
+ # Capture the current Default ruleset as a disaster-recovery baseline.
514
+ # Uses name-based lookup so the snippet survives ruleset re-creation (IDs change, names don't).
515
+ RULESET_ID=$(gh api repos/armelhbobdad/bmad-module-skill-forge/rulesets \
516
+ --jq '.[] | select(.name=="Default") | .id')
517
+ gh api "repos/armelhbobdad/bmad-module-skill-forge/rulesets/$RULESET_ID" \
518
+ > "_bmad-output/planning-artifacts/baseline-ruleset-Default-$(date +%Y%m%d).json"
519
+
520
+ # Capture the release environment + its branch policy list (two separate resources).
521
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release \
522
+ > "_bmad-output/planning-artifacts/baseline-env-release-$(date +%Y%m%d).json"
523
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies \
524
+ > "_bmad-output/planning-artifacts/baseline-env-release-branch-policies-$(date +%Y%m%d).json"
525
+ ```
526
+
527
+ Baselines live in `_bmad-output/planning-artifacts/` (already git-tracked, not shipped with the npm package). The filename date stamp makes the freshness of the baseline obvious at a glance.
528
+
529
+ **Ruleset-deletion recovery path — PUT-then-POST.** The canonical restore flow is:
530
+
531
+ 1. Try `PUT` first. If the ruleset exists but drifted, this reconciles it in place.
532
+
533
+ ```bash
534
+ RULESET_ID=$(gh api repos/armelhbobdad/bmad-module-skill-forge/rulesets \
535
+ --jq '.[] | select(.name=="Default") | .id')
536
+ # Pick the most recent baseline file (the YYYYMMDD suffix is a real date
537
+ # written by the capture command above; the glob avoids hard-coding it).
538
+ BASELINE=$(ls -t _bmad-output/planning-artifacts/baseline-ruleset-Default-*.json \
539
+ | head -1)
540
+ jq '{name, target, enforcement, conditions, rules, bypass_actors}' "$BASELINE" \
541
+ > /tmp/restore.json
542
+ gh api --method PUT \
543
+ "repos/armelhbobdad/bmad-module-skill-forge/rulesets/$RULESET_ID" \
544
+ --input /tmp/restore.json
545
+ ```
546
+
547
+ 2. If the `PUT` returns `404` (ruleset was deleted, not edited), recreate via `POST`:
548
+
549
+ ```bash
550
+ gh api --method POST \
551
+ repos/armelhbobdad/bmad-module-skill-forge/rulesets \
552
+ --input /tmp/restore.json
553
+ ```
554
+
555
+ The `POST` body needs the same `name`, `target`, `enforcement`, `conditions`, `rules`, and `bypass_actors` fields as the PUT — all captured by the baseline snapshot above. Try `PUT` first; on `404`, `POST` recreates with identical semantics. The ruleset gets a new id on re-creation (IDs are not stable across delete+create cycles); update any hard-coded id references in this document on the next planned edit pass.
556
+
557
+ For the `release` environment, a deletion+restore similarly uses the two-call pattern already documented at `## Release Environment § Restore / re-apply` — feed the environment-level baseline JSON to the `PUT .../environments/release` call, then re-POST each entry from the branch-policies baseline to `.../environments/release/deployment-branch-policies`.
558
+
559
+ ### Cutting v1.0.0-rc.1
560
+
561
+ - **Trigger.** Story 5.1 audit ([`release-audits/v1.0.0-launch-audit.md`](https://github.com/armelhbobdad/bmad-module-skill-forge/blob/main/release-audits/v1.0.0-launch-audit.md)) signed off and all blockers cleared; Story 5.2 ready to cut the first release-candidate. `package.json` still on a `0.x` line (at audit time: `0.10.0`). Running `release.yaml` with `version_bump: rc` on `0.10.0` would produce `0.10.1-rc.0` — NOT `1.0.0-rc.0` — because `npm version prerelease --preid=rc` advances the patch segment of the current version. The one-time hand-bump below lifts `package.json` onto the `1.0.0` line so the next workflow dispatch advances that line cleanly.
562
+ - **CLI.**
563
+
564
+ ```bash
565
+ # Hand-bump main onto the 1.0.0 line. Do not tag; release.yaml owns tags.
566
+ git checkout main && git pull
567
+ npm version 1.0.0-rc.0 --no-git-tag-version
568
+ # Leave .claude-plugin/marketplace.json alone — release.yaml's jq-based
569
+ # sync step rewrites .plugins[0].version atomically at RC cut time. A
570
+ # double-bump here would race against that step.
571
+ # Include package-lock.json — npm version bumps both files; committing
572
+ # only package.json leaves the lockfile out-of-sync and breaks `npm ci`.
573
+ git add package.json package-lock.json
574
+ git commit -m "chore(release): pre-RC bump to 1.0.0-rc.0 (Story 5.1 hand-off)"
575
+ # Push via the normal PR path (branch protection blocks direct push to main).
576
+ # Merge the PR to main after review.
577
+
578
+ # Dispatch the canonical release workflow. `version_bump: rc` runs
579
+ # `npm version prerelease --preid=rc` on 1.0.0-rc.0 → 1.0.0-rc.1.
580
+ gh workflow run release.yaml -f version_bump=rc
581
+ ```
582
+
583
+ - **Expected outcome.** `main` tip at `1.0.0-rc.1`; `npm view bmad-module-skill-forge@rc version` returns `1.0.0-rc.1`; a GitHub Release `v1.0.0-rc.1` exists with `prerelease: true` and the auto-generated body; `CHANGELOG.md` now carries an auto-generated `## [1.0.0-rc.1]` entry prepended ABOVE the hand-curated `## [1.0.0] - TBD` placeholder (Story 5.1 staged that placeholder; Story 5.3 reconciles the date at the v1.0.0 final cut); `.claude-plugin/marketplace.json`'s `.plugins[0].version` reflects `1.0.0-rc.1`.
584
+ - **Constraints.**
585
+ - Execute ONLY after `v1.0.0-launch-audit.md § Sign-off` is populated with a date.
586
+ - The pre-RC bump commit subject MUST be `chore(release): pre-RC bump to 1.0.0-rc.0 (Story 5.1 hand-off)` — use the `chore(release):` prefix (not bare `release:`) or the commit-msg hook rejects it for non-conventional form.
587
+ - Do NOT bump `.claude-plugin/marketplace.json` in the hand-bump commit. `release.yaml`'s jq-based marketplace sync handles it atomically at RC cut time; a double-bump here would race the workflow.
588
+ - The RC cut is the FIRST time the jq-based marketplace.json update path runs in anger. A failure there (jq syntax error, missing `jq` on runner — unlikely on `ubuntu-latest` but treat as a real risk) would halt the cut mid-step, possibly leaving a half-updated `CHANGELOG.md` on `main` with no `marketplace.json` follow-through. Recovery: `git revert` the pre-RC bump PR + retry after fixing the workflow.
589
+ - If the workflow dispatch emits `1.0.1-rc.0` instead of `1.0.0-rc.1`, the hand-bump commit never landed on `main` OR `npm version prerelease --preid=rc` behavior diverged from the documented semantics. Abort the RC cut and investigate before retry.
590
+ - **Verification.**
591
+
592
+ ```bash
593
+ # Confirm the rc dist-tag advanced.
594
+ npm view bmad-module-skill-forge@rc version
595
+ # expected: 1.0.0-rc.1
596
+
597
+ npm view bmad-module-skill-forge dist-tags --json | jq -r .rc
598
+ # expected: 1.0.0-rc.1
599
+
600
+ # Confirm SLSA L2 provenance is attached (NFR4 reconfirm).
601
+ npm view bmad-module-skill-forge@1.0.0-rc.1 --json | jq '.dist.attestations'
602
+ # expected: non-null object containing a provenance url
603
+
604
+ # Confirm the GitHub Release exists and is marked prerelease.
605
+ gh release view v1.0.0-rc.1 --json tagName,isPrerelease
606
+ # expected: {"tagName":"v1.0.0-rc.1","isPrerelease":true}
607
+
608
+ # Confirm the CHANGELOG carries both the auto-generated rc entry and the
609
+ # hand-curated v1.0.0 placeholder (Story 5.3 reconciles the placeholder).
610
+ grep -c '^## \[1.0.0-rc.1\]' CHANGELOG.md # expected: 1
611
+ grep -c '^## \[1.0.0\] - TBD' CHANGELOG.md # expected: 1
612
+ ```
613
+
614
+ #### Story 3.4 refactor note — PR-auto-merge flow
615
+
616
+ After Story 3.4 (GitHub issue [#198](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/198), [PR #199](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/199)), `release.yaml` no longer pushes the `release: bump to vX.Y.Z` commit directly to `main`. Instead, a main-dispatched cut pushes the release commit to a temp branch `release/bot/vX.Y.Z-<run_id>`, opens a bot PR against `main`, force-triggers `quality.yaml` against the temp branch via `workflow_dispatch` (so the 7 required status checks run and gate the merge), then auto-merges once checks pass and a maintainer approves. Approval is required at **two** gates — the `release` environment gate at job start, and the PR review-decision gate before auto-merge. Non-main dispatches (feature-branch alpha cuts) skip the PR dance and keep the legacy tag-only behavior. Story 5.2's dev agent on resume will refresh the § Cutting v1.0.0-rc.1 prose above to describe the refactored flow directly.