bmad-module-skill-forge 1.0.0-rc.3 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -30,7 +30,7 @@
30
30
  "name": "skill-forge",
31
31
  "source": "./",
32
32
  "description": "Evidence-based agent skills compiler with progressive capability tiers (Quick/Forge/Forge+/Deep).",
33
- "version": "1.0.0-rc.3",
33
+ "version": "1.0.0",
34
34
  "author": {
35
35
  "name": "Armel"
36
36
  },
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "$schema": "https://json.schemastore.org/package.json",
3
3
  "name": "bmad-module-skill-forge",
4
- "version": "1.0.0-rc.3",
4
+ "version": "1.0.0",
5
5
  "description": "BMAD module — Turn code and docs into instructions AI agents can actually follow. Progressive capability tiers (Quick/Forge/Forge+/Deep).",
6
6
  "keywords": [
7
7
  "bmad",
@@ -198,10 +198,220 @@ None — audit passes clean; Story 5.2 unblocked.
198
198
 
199
199
  ## Sign-off
200
200
 
201
- TBD signed by Armel at Story 5.2 dispatch time.
201
+ Signed off by Armel (@armelhbobdad) at 2026-04-23 16:40Z (post-publish, after smoke test completion). v1.0.0-rc.3 survived smoke test clean; Story 5.3 unblocked.
202
202
 
203
203
  ## Post-commit footer
204
204
 
205
205
  - **Audit-completion commit SHA:** [`540fdda`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/540fdda419fc7e71bfdc571dab279b5de1b42578) — seven-file envelope (`docs(release): pre-v1.0.0 readiness audit (Story 5.1)`)
206
206
  - **Back-fill commit SHA:** this commit (the one that made this footer sentence self-referential)
207
207
  - **`git status --short` after commit:** clean working tree (verified per Story 5.1 AC 1 seven-file envelope)
208
+
209
+ ## Story 5.2 RC Cut + Smoke Test
210
+
211
+ ### Hand-bump commit
212
+
213
+ - **Commit 1 subject:** `chore(release): pre-RC bump to 1.0.0-rc.0 (Story 5.1 hand-off)`
214
+ - **PR:** [#197](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/197)
215
+ - **Merge commit on main:** [`689501c`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/689501c) (merge-commit pattern, matching PR #195/#196)
216
+ - **Hand-bump commit SHA under merge:** [`3fc1f00`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/3fc1f00)
217
+ - **Scope:** `package.json` + `package-lock.json` — single-line version flip `0.10.0 → 1.0.0-rc.0`. No other files touched per AC 1(a) / AC 16.
218
+ - **`npm run quality`:** all 13 subcommands green before opening PR.
219
+ - **PR checks:** all 7 required status checks passed (eslint 22s, markdownlint 21s, prettier 24s, python ubuntu 24s, python windows 1m22s, validate ubuntu 21s, validate windows 1m10s).
220
+ - **Remote `main` post-merge verification (AC 5 stronger precondition):** `gh api repos/.../contents/package.json` → `1.0.0-rc.0`.
221
+
222
+ ### Workflow dispatch run
223
+
224
+ **Seven dispatch attempts** (numbered 1–7 below, of which the 7th passed) were required to land a passing RC end-to-end. Each failed attempt surfaced a distinct latent defect in the release pipeline — none of which had been exercised by the pre-v1.0.0 alpha cut (`v0.10.1-alpha.0`) because that cut dispatched from a feature branch and took the `Skip main push` pattern, bypassing the entire `main`-bound path. Story 5.2 was the first real E2E validation of the canonical path.
225
+
226
+ | # | Run ID | Failed step | Root cause | Remediation |
227
+ |---|---|---|---|---|
228
+ | 1 | [24829166764](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24829166764) | `Push commit to main` | Branch protection ruleset `Default` rejected direct `github-actions[bot]` push (GH013). AC 17's claimed bot-bypass-via-PR was factually wrong. | Story 3.4 refactor: push via auto-merge PR ([issue #198](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/198)); merged as PRs #199 + #200. |
229
+ | 2 | [24838486851](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24838486851) | `Open bot PR` | Repo setting `can_approve_pull_request_reviews: false` blocked `gh pr create` under GITHUB_TOKEN. | Side-fix: `gh api -X PUT /actions/permissions/workflow -F can_approve_pull_request_reviews=true`. Should be codified as a Story 3.4 follow-up. |
230
+ | 3 | [24838762562](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24838762562) | `Wait for required status checks` | `gh pr checks --required --watch` does NOT see check-runs posted by `workflow_dispatch`-triggered runs (they land in a different check suite than the PR's pull_request suite). All 7 required contexts were green on the SHA but invisible to the PR rollup. | Story 3.5: replace `gh pr checks` with direct `/commits/:sha/check-runs` API polling ([issue #202](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/202)); merged as PR #203. |
231
+ | 4 | [24842070205](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24842070205) | `Wait for required status checks` (20-min timeout) | Story 3.5's `for CTX in $(jq -r '.[]')` unquoted command substitution word-split context names with spaces (`validate (ubuntu-latest)`, etc.) into separate tokens. | PR [#205](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/205): swap to `while IFS= read -r CTX; do ... done < <(...)`. |
232
+ | 5 | [24844278359](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24844278359) | `Wait for PR approval or admin-bypass merge` (30-min step timeout) | `gh pr view --json merged` is invalid — the valid field is `state` (returns `"OPEN"`/`"CLOSED"`/`"MERGED"`). The call exited 1, the guard treated it as transient and retried on every poll iteration until the enclosing `timeout-minutes: 30` on the step fired. Blocked both admin-bypass AND formal-approval paths. | PR [#207](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/207): swap `--json merged` → `--json state` + string comparison update in both Wait steps. |
233
+ | 6 | [24845860915](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24845860915) | `Create and push tag` | Transient GitHub git-backend 500 on `git fetch origin main` (`remote: Internal Server Error` + `fatal: unable to access ...: The requested URL returned error: 500`, raw log from the failed step). The tag-step's Story 3.4 P9 defensive guard correctly bailed rather than anchoring on stale `origin/main` tip. Not a code bug; the guard behaved as designed. | Dispatch again; 500 self-resolved on retry. |
234
+ | 7 (passing) | [24846332151](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24846332151) | — | Full end-to-end success. | — |
235
+
236
+ - **Passing run:** [24846332151](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24846332151)
237
+ - **Start:** `2026-04-23T16:21:33Z`
238
+ - **End:** `2026-04-23T16:27:30Z`
239
+ - **Duration:** 5m 4s
240
+ - **Conclusion:** `success`
241
+ - **Release commit subject:** `release: bump to v1.0.0-rc.3`
242
+ - **Release commit SHA:** [`78ac999`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/78ac999) (authored by `github-actions[bot]`)
243
+ - **Bot PR merged via:** [#209](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/209) (admin-bypass-merge by @armelhbobdad at `2026-04-23T16:27:20Z`)
244
+ - **Merge commit on main:** [`5fad470`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/5fad470)
245
+
246
+ ### npm publish evidence
247
+
248
+ Excerpted fields from `npm view bmad-module-skill-forge@1.0.0-rc.3 --json` (full output is ~200 lines; the fields below are the ones the ACs gate on):
249
+
250
+ ```json
251
+ {
252
+ "version": "1.0.0-rc.3",
253
+ "dist": {
254
+ "tarball": "https://registry.npmjs.org/bmad-module-skill-forge/-/bmad-module-skill-forge-1.0.0-rc.3.tgz",
255
+ "shasum": "85bcb22f65cb98debda06c9ec22062bdc85fea4f",
256
+ "attestations": {
257
+ "url": "https://registry.npmjs.org/-/npm/v1/attestations/bmad-module-skill-forge@1.0.0-rc.3",
258
+ "provenance": { "predicateType": "https://slsa.dev/provenance/v1" }
259
+ }
260
+ }
261
+ }
262
+ ```
263
+
264
+ `npm view bmad-module-skill-forge dist-tags --json` before and after the cut:
265
+
266
+ ```json
267
+ // Pre-publish baseline (recorded at Task 1 recon per AC 7 baseline requirement)
268
+ { "latest": "0.10.0", "alpha": "0.10.1-alpha.0" }
269
+
270
+ // Post-publish (observed after run 24846332151 completed)
271
+ { "latest": "0.10.0", "alpha": "0.10.1-alpha.0", "rc": "1.0.0-rc.3" }
272
+ ```
273
+
274
+ `npm view bmad-module-skill-forge versions --json` (all published versions — confirms rc.1/rc.2 were never published to the registry):
275
+
276
+ ```json
277
+ ["0.2.0","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.9.0","0.10.0","0.10.1-alpha.0","1.0.0-rc.3"]
278
+ ```
279
+
280
+ - **AC 6 provenance:** ✅ SLSA L2 attestation present (`provenance/v1`).
281
+ - **AC 7 dist-tag:** ✅ `rc: 1.0.0-rc.3` added; `latest: 0.10.0` preserved from baseline; `alpha: 0.10.1-alpha.0` preserved from baseline. Baseline-vs-post diff is additive only.
282
+
283
+ ### GitHub Release v1.0.0-rc.3
284
+
285
+ ```json
286
+ {
287
+ "tagName": "v1.0.0-rc.3",
288
+ "isPrerelease": true,
289
+ "createdAt": "2026-04-23T16:27:20Z",
290
+ "name": "Skill Forge (SKF) v1.0.0-rc.3",
291
+ "url": "https://github.com/armelhbobdad/bmad-module-skill-forge/releases/tag/v1.0.0-rc.3"
292
+ }
293
+ ```
294
+
295
+ ### Main-branch side-effects
296
+
297
+ - `git log main -1 --format='%H %s'` → `5fad470 Merge pull request #209 from armelhbobdad/release/bot/v1.0.0-rc.3-24846332151`
298
+ - `git log main --grep='bump to v1.0.0-rc.3' --oneline` → `78ac999 release: bump to v1.0.0-rc.3` (workflow-authored, one behind merge tip)
299
+ - `jq -r .version package.json` → `1.0.0-rc.3` ✅ (AC 8b)
300
+ - `jq -r '.plugins[0].version' .claude-plugin/marketplace.json` → `1.0.0-rc.3` ✅ (AC 8c — **first live proof of Story 5.1 H3 jq fix working end-to-end**)
301
+ - `grep -c '^## \[1.0.0-rc.3\]' CHANGELOG.md` → `1` ✅ (AC 8d)
302
+ - `grep -c '^## \[1.0.0\] - TBD' CHANGELOG.md` → `1` ✅ (AC 8e — placeholder survives)
303
+ - `head -5 CHANGELOG.md` → `# Changelog` + preamble + `## [Unreleased]` ✅ (AC 8f — Story 3.3 awk preamble-restore verified)
304
+ - `git tag -l 'v1.0.0-rc.3'` → `v1.0.0-rc.3` ✅ (AC 8g)
305
+ - `gh release view v1.0.0-rc.3` → `isPrerelease: true` ✅ (AC 8h)
306
+
307
+ **Topology note (AC 8 re-interpretation under Story 3.4 PR-auto-merge flow):** the pre-3.4 AC 8(a) wording ("main tip SHA advanced by exactly one commit") is outdated — under the new PR-auto-merge flow, main advances by TWO commits per release cut (merge commit + the release commit underneath). `git log main -1` returns the merge commit; the release commit is reachable via `git log main --grep='bump to v1.0.0-rc.3'`. Functionally equivalent; the verification grep in AC 1 still works unchanged.
308
+
309
+ ### Clean-env smoke test transcripts
310
+
311
+ **`--version` transcript (AC 9b):** `npx --yes bmad-module-skill-forge@rc --version` in a fresh `/tmp/skf-rc3-smoke/` → printed `1.0.0-rc.3`, exit `0`. The npm `11.6.2` `Permission denied` issue that Story 5.1 Task 10 hit on `.tgz`-path did NOT recur on the registry-resolved `@rc` path — as expected per Story 5.2 Dev Notes (F).
312
+
313
+ **`install` transcript (AC 9d) — deviation from spec noted:** AC 9(d) specified piped-defaults via `printf 'skf-rc1-smoke\n\n\n\n\n' | npx ... install`, but the install TUI's `multiselect` IDE prompt (`required: true`) cannot be driven by piped stdin — the piped newlines get consumed by the first 3 text prompts (project name, skills folder, forge folder), and prompt 4 (multiselect) requires keystroke-level interaction (space + enter). Story 5.1 Task 10 also only smoke-tested `--version`, not the full install. **This is an AC 9 documentation defect, not an RC defect — tracked at [issue #211](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/211) for Story 5.4 / Epic 5 retrospective resolution.** To complete the install smoke test, Armel ran the install **interactively** in a real terminal, selecting Claude Code as the IDE; `echo "install exit: $?"` after completion printed `install exit: 0`. Install completed cleanly with Ferris agent set up and all expected artifacts present:
314
+
315
+ ```
316
+ ◇ Installation complete! ──────────────────────────────────╮
317
+ │ │
318
+ │ Get Started │
319
+ │ 1. Open this folder in Claude Code │
320
+ │ 2. Activate Ferris: /skf-forger │
321
+ │ 3. Ferris (your Skill Architect) will guide you through │
322
+ │ setting up and forging your first agent skill │
323
+ │ │
324
+ ├───────────────────────────────────────────────────────────╯
325
+
326
+ └ ⚒ Agent: Ferris (Skill Architect & Integrity Guardian)
327
+ ```
328
+
329
+ Artifact verification:
330
+
331
+ - `ls /tmp/skf-rc3-smoke/_bmad/skf/` (full listing):
332
+ - `config.yaml` (installer-generated)
333
+ - `knowledge/`, `shared/`, `module.yaml`, `module-help.csv` (module metadata)
334
+ - Skill dirs: `skf-analyze-source`, `skf-audit-skill`, `skf-brief-skill`, `skf-create-skill`, `skf-create-stack-skill`, `skf-drop-skill`, `skf-export-skill`, `skf-forger`, `skf-quick-skill`, `skf-refine-architecture`, `skf-rename-skill`, `skf-setup`, `skf-test-skill`, `skf-update-skill`, `skf-verify-stack`
335
+ - `[ -f /tmp/skf-rc3-smoke/_bmad/_config/skf-manifest.yaml ]` → present
336
+ - Zero `Installation failed.` in stderr
337
+
338
+ **Skill count note:** the tarball ships 15 `skf-*` directories (listed above); the `status` command's `Skills: 14` count excludes one of them (likely `skf-setup`, which is a one-shot initialization helper rather than an invocable skill). This 15-vs-14 drift is a status-counting semantics detail, not a shipping defect — recorded here for Story 5.4 / Epic 5 retrospective to codify which `skf-*` prefix entries the count should include.
339
+
340
+ **`status` transcript (AC 10):** `npx --yes bmad-module-skill-forge@rc status` exit `0`. All 6 STABILITY.md contract fields present in stdout:
341
+
342
+ ```
343
+ Skill Forge — Status
344
+ v1.0.0-rc.3
345
+
346
+ Installation
347
+ Project: skf-rc3-smoke
348
+ SKF folder: _bmad/skf/
349
+ Agent: installed
350
+ Skills: 14
351
+ Installed: 4/23/2026
352
+ Manifest: present
353
+
354
+ IDEs
355
+ ● Claude Code
356
+
357
+ Forge Tier
358
+ Not detected yet — run @Ferris SF
359
+ ast-grep: not detected
360
+ gh CLI: not detected
361
+ ccc: not detected
362
+ QMD: not detected
363
+
364
+ Output Folders
365
+ Skills: skills/ ✓
366
+ Forge data: forge-data/ ✓
367
+
368
+ Sidecar
369
+ State: initialized
370
+ Location: _bmad/_memory/forger-sidecar/
371
+ ```
372
+
373
+ | STABILITY.md contract field | Observed | ✓ |
374
+ |---|---|---|
375
+ | installation-present | Installation section rendered | ✓ |
376
+ | installed version string | `v1.0.0-rc.3` | ✓ |
377
+ | forge-tier name | `Not detected yet` (plus ast-grep/gh/ccc/QMD tool rows) | ✓ |
378
+ | configured IDE list | `● Claude Code` | ✓ |
379
+ | workflow-skill count | `Skills: 14` | ✓ |
380
+ | sidecar state | `State: initialized` | ✓ |
381
+ | output-folder paths | `Skills: skills/ ✓` + `Forge data: forge-data/ ✓` | ✓ |
382
+
383
+ **`uninstall` transcript (AC 11):** `printf 'y\n' | npx --yes bmad-module-skill-forge@rc uninstall` — note that unlike `install`, uninstall's only prompt is a simple `Yes/No` confirm which IS satisfied by piped `y\n`. Exit `0`. Final message: `SKF uninstalled successfully.` Post-uninstall:
384
+
385
+ - `ls /tmp/skf-rc3-smoke/_bmad/skf/ 2>/dev/null | wc -l` → `0`
386
+ - `[ -f /tmp/skf-rc3-smoke/_bmad/_config/skf-manifest.yaml ]` → absent ✓
387
+
388
+ ### NFR1 cycle-time record
389
+
390
+ - **Dispatch → success wall-clock:** 5m 4s (run 24846332151: `2026-04-23T16:21:33Z` → `16:27:30Z`).
391
+ - **NFR1 target:** 20 min (15 CI + 5 approval).
392
+ - **Status:** **Provisional PASS — 1/10 data points collected** against NFR1's rolling-over-10-releases target. The 5m 4s run is well under the 20-min envelope, but a single observation cannot confirm the rolling target; Stories 5.3 / 5.4 will add the next two data points.
393
+ - **Caveat:** this measurement excludes the cumulative time of attempts 1–6 (all failures). Total story wall-clock from first dispatch attempt to successful publish was ~6 hours including dev-cycle time on Stories 3-4, 3-5, and PRs #205/#207. That cumulative cost is retrospective-relevant but does NOT represent steady-state NFR1 performance — it represents first-time E2E discovery overhead, which by definition cannot repeat.
394
+
395
+ ### Decision: v1.0.0-rc.3 status
396
+
397
+ **PASS — cleared for Story 5.3 promotion to v1.0.0 under --tag latest with manual approval.**
398
+
399
+ Note to Story 5.3 dev-agent: the `## [1.0.0] - TBD` block at `CHANGELOG.md:396` was verified accurate against shipped rc.3 behavior (AC 15 — all bullets match: 1 agent Ferris, 14 workflows, 23 IDEs via `platform-codes.yaml`, tier names Quick/Forge/Forge+/Deep match the `Forge Tier` detection section). No CHANGELOG refinements flagged for Story 5.3. The only date-flip Story 5.3 must handle is `- TBD` → `- 2026-04-23` (or whatever date 5.3 dispatches).
400
+
401
+ **Derogation from original AC 1 RC-number envelope:** the originally-planned RC number was `rc.1`; actually-shipped is `rc.3`. Stories 5.1 and 5.2 both authored AC text referencing `rc.1` literal. Under Story 5.2's 7-attempt execution, `rc.1` and `rc.2` were both committed to main (via PR #206's bypass-merge and PR #208's auto-merge respectively) but never tagged or published because downstream defects blocked each. Both are cosmetic-only stale release commits on main — npm immutability does NOT apply (nothing was published under those names); dist-tags never pointed at them. Story 5.3 dispatches on top of `rc.3` → `1.0.0`. This derogation is recorded per AC 12's spirit (defect discovery protocol), though each failure was a pipeline defect rather than an RC-content defect.
402
+
403
+ **Negative-evidence for the rc.1/rc.2 "never tagged/never published" claim** (run 2026-04-23 post-publish):
404
+
405
+ ```
406
+ $ git tag -l 'v1.0.0-rc.1' 'v1.0.0-rc.2' 'v1.0.0-rc.3'
407
+ v1.0.0-rc.3
408
+ # rc.1 and rc.2 absent — only rc.3 was tagged
409
+
410
+ $ npm view bmad-module-skill-forge versions --json | jq '. | map(select(startswith("1.0.0-rc")))'
411
+ ["1.0.0-rc.3"]
412
+ # rc.1 and rc.2 absent — only rc.3 was published to the registry
413
+ ```
414
+
415
+ **AC 12 title-convention note (D2 resolution):** AC 12 prescribes issue titles `v1.0.0-rc.N blocker: <one-line>` for failures of AC 6/7/8/9/10/11 (RC-content defects). Issues [#198](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/198) and [#202](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/202) were filed during Story 5.2 with `release.yaml`-prefixed titles instead, because each failure was a pipeline/workflow defect (failing step inside `release.yaml`), not an RC-content defect — none of the ACs 6–11 fired. The title-convention distinction: use `v1.0.0-rc.N blocker:` when the RC itself has a content defect (wrong version on npm, missing attestation, broken install, etc.); use `fix(release):` conventional-commit prefix when the release workflow has a defect. Codify this split at the Epic 5 retrospective.
416
+
417
+ **Lesson for Epic 5 retrospective:** The canonical release path from `main` dispatch had zero prior E2E validation before Story 5.2 attempted it. Stories 3-1 through 3-4 implicitly assumed the path worked; each defect surfaced by Story 5.2 was invisible because the alpha cut (`v0.10.1-alpha.0`) took the non-main-dispatch branch and skipped every affected step. Recommendation: future release-pipeline epics must include a **staging dispatch test** against a sandbox repo (or at minimum a full-workflow dry-run against the default branch) before declaring the pipeline ready. Catching 5+ defects via the first real v1.0.0 cut is demonstrably more expensive than discovering them in pre-launch testing.