bmad-module-skill-forge 1.0.0-rc.3 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +1 -1
- package/README.md +3 -3
- package/docs/_data/pinned.yaml +5 -2
- package/docs/{RELEASING.md → _internal/RELEASING.md} +87 -61
- package/docs/{STABILITY.md → _internal/STABILITY.md} +2 -2
- package/package.json +1 -6
- package/release-audits/v1.0.0-launch-audit.md +523 -2
- package/src/skf-audit-skill/steps-c/step-01-init.md +60 -0
- package/src/skf-audit-skill/steps-c/step-02-re-index.md +7 -1
- package/src/skf-audit-skill/steps-c/step-03-structural-diff.md +19 -1
- package/src/skf-audit-skill/steps-c/step-04-semantic-diff.md +10 -1
- package/src/skf-audit-skill/steps-c/step-05-severity-classify.md +8 -0
- package/src/skf-audit-skill/steps-c/step-06-report.md +8 -0
- package/src/skf-brief-skill/assets/skill-brief-schema.md +36 -18
- package/src/skf-drop-skill/steps-c/step-02-execute.md +1 -1
- package/src/skf-export-skill/assets/managed-section-format.md +1 -1
- package/src/skf-export-skill/steps-c/step-04-update-context.md +4 -4
- package/src/skf-rename-skill/steps-c/step-02-execute.md +1 -1
- package/src/skf-test-skill/steps-c/step-03-coverage-check.md +1 -1
- package/src/skf-update-skill/steps-c/step-02-detect-changes.md +123 -0
- package/tools/validate-docs-drift.js +42 -2
|
@@ -38,7 +38,7 @@ description: Pre-flight gate audit of every must-have launch-checklist item, wit
|
|
|
38
38
|
| H5 | `CHANGELOG.md` missing hand-curated `## [1.0.0]` entry | FIXED-IN-THIS-STORY | Inserted `## [1.0.0] - TBD` section with `v1-0-0-changelog-draft.md` body between lines 5 and 7, and added `(pre-v0.3.0 tag, never published)` parenthetical to the dangling `Revert "0.2.0"` line, per Story 5.1 AC 5 / AC 13 + Task 6 | [deferred-work.md → 2-2](../_bmad-output/implementation-artifacts/deferred-work.md) |
|
|
39
39
|
| H6 | `docs/STABILITY.md:6` DRAFT banner | FIXED-IN-THIS-STORY | Replaced DRAFT banner with `STABLE — locked at v1.0.0. Amendments follow the "Changes to This Contract" section below.` per Story 5.1 AC 14 + Task 7 | [`docs/STABILITY.md:6`](./STABILITY.md) |
|
|
40
40
|
| H7 | `0.10.1-alpha.0` CHANGELOG `closes [#11]` / `[#12]` pollution | NOT-APPLICABLE | The pollution lived in the immutable `v0.10.1-alpha.0` tarball and in the orphaned commit `2a57dcbd`; current `main`'s `CHANGELOG.md` does NOT contain those refs (`grep -c 'closes \[#1[12]\]' CHANGELOG.md` → `0`). Alpha tarball is historical / immutable; no repo edit | [Epic 3 retro](../_bmad-output/implementation-artifacts/epic-3-retro-2026-04-21.md) |
|
|
41
|
-
| H8 | `docs/RELEASING.md` missing `### Cutting v1.0.0-rc.1` hand-bump procedure | FIXED-IN-THIS-STORY | Authored new H3 section under `## Rollback Playbook` umbrella (last H3, after `### Baseline snapshots`) with the same five-element shape (Trigger / CLI / Outcome / Constraints / Verification) as Scenarios A–G, per Story 5.1 AC 15 + Task 8 | [`docs/RELEASING.md` § Cutting v1.0.0
|
|
41
|
+
| H8 | `docs/RELEASING.md` missing `### Cutting v1.0.0-rc.1` hand-bump procedure | FIXED-IN-THIS-STORY | Authored new H3 section under `## Rollback Playbook` umbrella (last H3, after `### Baseline snapshots`) with the same five-element shape (Trigger / CLI / Outcome / Constraints / Verification) as Scenarios A–G, per Story 5.1 AC 15 + Task 8 (section subsequently renamed to `### Cutting v1.0.0 under --tag latest` by Story 5.3 Commit 2 per AC 14) | [`docs/RELEASING.md` § Cutting v1.0.0 under --tag latest](./RELEASING.md) |
|
|
42
42
|
| H9 | `prevent_self_review: false` on `release` env + admin ruleset bypass | DEFERRED-POST-V1 | Solo-maintainer repo today; both flips happen together at second-maintainer onboarding. Standing flag with no fire date | [Epic 3 retro standing flag + `deferred-work.md` 1-2](../_bmad-output/implementation-artifacts/deferred-work.md) |
|
|
43
43
|
| H10 | `CONTRIBUTING.md` → `docs/` anchor validator coverage | DEFERRED-POST-V1 | Pre-existing tooling gap; not introduced by any Epic 1–4 story; captured as a CI-as-enforced-gate candidate for a dedicated post-v1.0.0 tooling story | [Epic 4 retro + `deferred-work.md`](../_bmad-output/implementation-artifacts/deferred-work.md) |
|
|
44
44
|
|
|
@@ -198,10 +198,531 @@ None — audit passes clean; Story 5.2 unblocked.
|
|
|
198
198
|
|
|
199
199
|
## Sign-off
|
|
200
200
|
|
|
201
|
-
|
|
201
|
+
Signed off by Armel (@armelhbobdad) at 2026-04-23 16:40Z (post-publish, after smoke test completion). v1.0.0-rc.3 survived smoke test clean; Story 5.3 unblocked. v1.0.0 launched 2026-04-23 18:56:39Z; Story 5.4 cross-platform verification in scope. v1.0.0 cross-platform install verification VERIFIED at 2026-04-23T20:23:53Z; Epic 5 cleared.
|
|
202
202
|
|
|
203
203
|
## Post-commit footer
|
|
204
204
|
|
|
205
205
|
- **Audit-completion commit SHA:** [`540fdda`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/540fdda419fc7e71bfdc571dab279b5de1b42578) — seven-file envelope (`docs(release): pre-v1.0.0 readiness audit (Story 5.1)`)
|
|
206
206
|
- **Back-fill commit SHA:** this commit (the one that made this footer sentence self-referential)
|
|
207
207
|
- **`git status --short` after commit:** clean working tree (verified per Story 5.1 AC 1 seven-file envelope)
|
|
208
|
+
|
|
209
|
+
## Story 5.2 RC Cut + Smoke Test
|
|
210
|
+
|
|
211
|
+
### Hand-bump commit
|
|
212
|
+
|
|
213
|
+
- **Commit 1 subject:** `chore(release): pre-RC bump to 1.0.0-rc.0 (Story 5.1 hand-off)`
|
|
214
|
+
- **PR:** [#197](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/197)
|
|
215
|
+
- **Merge commit on main:** [`689501c`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/689501c) (merge-commit pattern, matching PR #195/#196)
|
|
216
|
+
- **Hand-bump commit SHA under merge:** [`3fc1f00`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/3fc1f00)
|
|
217
|
+
- **Scope:** `package.json` + `package-lock.json` — single-line version flip `0.10.0 → 1.0.0-rc.0`. No other files touched per AC 1(a) / AC 16.
|
|
218
|
+
- **`npm run quality`:** all 13 subcommands green before opening PR.
|
|
219
|
+
- **PR checks:** all 7 required status checks passed (eslint 22s, markdownlint 21s, prettier 24s, python ubuntu 24s, python windows 1m22s, validate ubuntu 21s, validate windows 1m10s).
|
|
220
|
+
- **Remote `main` post-merge verification (AC 5 stronger precondition):** `gh api repos/.../contents/package.json` → `1.0.0-rc.0`.
|
|
221
|
+
|
|
222
|
+
### Workflow dispatch run
|
|
223
|
+
|
|
224
|
+
**Seven dispatch attempts** (numbered 1–7 below, of which the 7th passed) were required to land a passing RC end-to-end. Each failed attempt surfaced a distinct latent defect in the release pipeline — none of which had been exercised by the pre-v1.0.0 alpha cut (`v0.10.1-alpha.0`) because that cut dispatched from a feature branch and took the `Skip main push` pattern, bypassing the entire `main`-bound path. Story 5.2 was the first real E2E validation of the canonical path.
|
|
225
|
+
|
|
226
|
+
| # | Run ID | Failed step | Root cause | Remediation |
|
|
227
|
+
|---|---|---|---|---|
|
|
228
|
+
| 1 | [24829166764](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24829166764) | `Push commit to main` | Branch protection ruleset `Default` rejected direct `github-actions[bot]` push (GH013). AC 17's claimed bot-bypass-via-PR was factually wrong. | Story 3.4 refactor: push via auto-merge PR ([issue #198](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/198)); merged as PRs #199 + #200. |
|
|
229
|
+
| 2 | [24838486851](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24838486851) | `Open bot PR` | Repo setting `can_approve_pull_request_reviews: false` blocked `gh pr create` under GITHUB_TOKEN. | Side-fix: `gh api -X PUT /actions/permissions/workflow -F can_approve_pull_request_reviews=true`. Should be codified as a Story 3.4 follow-up. |
|
|
230
|
+
| 3 | [24838762562](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24838762562) | `Wait for required status checks` | `gh pr checks --required --watch` does NOT see check-runs posted by `workflow_dispatch`-triggered runs (they land in a different check suite than the PR's pull_request suite). All 7 required contexts were green on the SHA but invisible to the PR rollup. | Story 3.5: replace `gh pr checks` with direct `/commits/:sha/check-runs` API polling ([issue #202](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/202)); merged as PR #203. |
|
|
231
|
+
| 4 | [24842070205](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24842070205) | `Wait for required status checks` (20-min timeout) | Story 3.5's `for CTX in $(jq -r '.[]')` unquoted command substitution word-split context names with spaces (`validate (ubuntu-latest)`, etc.) into separate tokens. | PR [#205](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/205): swap to `while IFS= read -r CTX; do ... done < <(...)`. |
|
|
232
|
+
| 5 | [24844278359](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24844278359) | `Wait for PR approval or admin-bypass merge` (30-min step timeout) | `gh pr view --json merged` is invalid — the valid field is `state` (returns `"OPEN"`/`"CLOSED"`/`"MERGED"`). The call exited 1, the guard treated it as transient and retried on every poll iteration until the enclosing `timeout-minutes: 30` on the step fired. Blocked both admin-bypass AND formal-approval paths. | PR [#207](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/207): swap `--json merged` → `--json state` + string comparison update in both Wait steps. |
|
|
233
|
+
| 6 | [24845860915](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24845860915) | `Create and push tag` | Transient GitHub git-backend 500 on `git fetch origin main` (`remote: Internal Server Error` + `fatal: unable to access ...: The requested URL returned error: 500`, raw log from the failed step). The tag-step's Story 3.4 P9 defensive guard correctly bailed rather than anchoring on stale `origin/main` tip. Not a code bug; the guard behaved as designed. | Dispatch again; 500 self-resolved on retry. |
|
|
234
|
+
| 7 (passing) | [24846332151](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24846332151) | — | Full end-to-end success. | — |
|
|
235
|
+
|
|
236
|
+
- **Passing run:** [24846332151](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24846332151)
|
|
237
|
+
- **Start:** `2026-04-23T16:21:33Z`
|
|
238
|
+
- **End:** `2026-04-23T16:27:30Z`
|
|
239
|
+
- **Duration:** 5m 4s
|
|
240
|
+
- **Conclusion:** `success`
|
|
241
|
+
- **Release commit subject:** `release: bump to v1.0.0-rc.3`
|
|
242
|
+
- **Release commit SHA:** [`78ac999`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/78ac999) (authored by `github-actions[bot]`)
|
|
243
|
+
- **Bot PR merged via:** [#209](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/209) (admin-bypass-merge by @armelhbobdad at `2026-04-23T16:27:20Z`)
|
|
244
|
+
- **Merge commit on main:** [`5fad470`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/5fad470)
|
|
245
|
+
|
|
246
|
+
### npm publish evidence
|
|
247
|
+
|
|
248
|
+
Excerpted fields from `npm view bmad-module-skill-forge@1.0.0-rc.3 --json` (full output is ~200 lines; the fields below are the ones the ACs gate on):
|
|
249
|
+
|
|
250
|
+
```json
|
|
251
|
+
{
|
|
252
|
+
"version": "1.0.0-rc.3",
|
|
253
|
+
"dist": {
|
|
254
|
+
"tarball": "https://registry.npmjs.org/bmad-module-skill-forge/-/bmad-module-skill-forge-1.0.0-rc.3.tgz",
|
|
255
|
+
"shasum": "85bcb22f65cb98debda06c9ec22062bdc85fea4f",
|
|
256
|
+
"attestations": {
|
|
257
|
+
"url": "https://registry.npmjs.org/-/npm/v1/attestations/bmad-module-skill-forge@1.0.0-rc.3",
|
|
258
|
+
"provenance": { "predicateType": "https://slsa.dev/provenance/v1" }
|
|
259
|
+
}
|
|
260
|
+
}
|
|
261
|
+
}
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
`npm view bmad-module-skill-forge dist-tags --json` before and after the cut:
|
|
265
|
+
|
|
266
|
+
```json
|
|
267
|
+
// Pre-publish baseline (recorded at Task 1 recon per AC 7 baseline requirement)
|
|
268
|
+
{ "latest": "0.10.0", "alpha": "0.10.1-alpha.0" }
|
|
269
|
+
|
|
270
|
+
// Post-publish (observed after run 24846332151 completed)
|
|
271
|
+
{ "latest": "0.10.0", "alpha": "0.10.1-alpha.0", "rc": "1.0.0-rc.3" }
|
|
272
|
+
```
|
|
273
|
+
|
|
274
|
+
`npm view bmad-module-skill-forge versions --json` (all published versions — confirms rc.1/rc.2 were never published to the registry):
|
|
275
|
+
|
|
276
|
+
```json
|
|
277
|
+
["0.2.0","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.9.0","0.10.0","0.10.1-alpha.0","1.0.0-rc.3"]
|
|
278
|
+
```
|
|
279
|
+
|
|
280
|
+
- **AC 6 provenance:** ✅ SLSA L2 attestation present (`provenance/v1`).
|
|
281
|
+
- **AC 7 dist-tag:** ✅ `rc: 1.0.0-rc.3` added; `latest: 0.10.0` preserved from baseline; `alpha: 0.10.1-alpha.0` preserved from baseline. Baseline-vs-post diff is additive only.
|
|
282
|
+
|
|
283
|
+
### GitHub Release v1.0.0-rc.3
|
|
284
|
+
|
|
285
|
+
```json
|
|
286
|
+
{
|
|
287
|
+
"tagName": "v1.0.0-rc.3",
|
|
288
|
+
"isPrerelease": true,
|
|
289
|
+
"createdAt": "2026-04-23T16:27:20Z",
|
|
290
|
+
"name": "Skill Forge (SKF) v1.0.0-rc.3",
|
|
291
|
+
"url": "https://github.com/armelhbobdad/bmad-module-skill-forge/releases/tag/v1.0.0-rc.3"
|
|
292
|
+
}
|
|
293
|
+
```
|
|
294
|
+
|
|
295
|
+
### Main-branch side-effects
|
|
296
|
+
|
|
297
|
+
- `git log main -1 --format='%H %s'` → `5fad470 Merge pull request #209 from armelhbobdad/release/bot/v1.0.0-rc.3-24846332151`
|
|
298
|
+
- `git log main --grep='bump to v1.0.0-rc.3' --oneline` → `78ac999 release: bump to v1.0.0-rc.3` (workflow-authored, one behind merge tip)
|
|
299
|
+
- `jq -r .version package.json` → `1.0.0-rc.3` ✅ (AC 8b)
|
|
300
|
+
- `jq -r '.plugins[0].version' .claude-plugin/marketplace.json` → `1.0.0-rc.3` ✅ (AC 8c — **first live proof of Story 5.1 H3 jq fix working end-to-end**)
|
|
301
|
+
- `grep -c '^## \[1.0.0-rc.3\]' CHANGELOG.md` → `1` ✅ (AC 8d)
|
|
302
|
+
- `grep -c '^## \[1.0.0\] - TBD' CHANGELOG.md` → `1` ✅ (AC 8e — placeholder survives)
|
|
303
|
+
- `head -5 CHANGELOG.md` → `# Changelog` + preamble + `## [Unreleased]` ✅ (AC 8f — Story 3.3 awk preamble-restore verified)
|
|
304
|
+
- `git tag -l 'v1.0.0-rc.3'` → `v1.0.0-rc.3` ✅ (AC 8g)
|
|
305
|
+
- `gh release view v1.0.0-rc.3` → `isPrerelease: true` ✅ (AC 8h)
|
|
306
|
+
|
|
307
|
+
**Topology note (AC 8 re-interpretation under Story 3.4 PR-auto-merge flow):** the pre-3.4 AC 8(a) wording ("main tip SHA advanced by exactly one commit") is outdated — under the new PR-auto-merge flow, main advances by TWO commits per release cut (merge commit + the release commit underneath). `git log main -1` returns the merge commit; the release commit is reachable via `git log main --grep='bump to v1.0.0-rc.3'`. Functionally equivalent; the verification grep in AC 1 still works unchanged.
|
|
308
|
+
|
|
309
|
+
### Clean-env smoke test transcripts
|
|
310
|
+
|
|
311
|
+
**`--version` transcript (AC 9b):** `npx --yes bmad-module-skill-forge@rc --version` in a fresh `/tmp/skf-rc3-smoke/` → printed `1.0.0-rc.3`, exit `0`. The npm `11.6.2` `Permission denied` issue that Story 5.1 Task 10 hit on `.tgz`-path did NOT recur on the registry-resolved `@rc` path — as expected per Story 5.2 Dev Notes (F).
|
|
312
|
+
|
|
313
|
+
**`install` transcript (AC 9d) — deviation from spec noted:** AC 9(d) specified piped-defaults via `printf 'skf-rc1-smoke\n\n\n\n\n' | npx ... install`, but the install TUI's `multiselect` IDE prompt (`required: true`) cannot be driven by piped stdin — the piped newlines get consumed by the first 3 text prompts (project name, skills folder, forge folder), and prompt 4 (multiselect) requires keystroke-level interaction (space + enter). Story 5.1 Task 10 also only smoke-tested `--version`, not the full install. **This is an AC 9 documentation defect, not an RC defect — tracked at [issue #211](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/211) for Story 5.4 / Epic 5 retrospective resolution.** To complete the install smoke test, Armel ran the install **interactively** in a real terminal, selecting Claude Code as the IDE; `echo "install exit: $?"` after completion printed `install exit: 0`. Install completed cleanly with Ferris agent set up and all expected artifacts present:
|
|
314
|
+
|
|
315
|
+
```
|
|
316
|
+
◇ Installation complete! ──────────────────────────────────╮
|
|
317
|
+
│ │
|
|
318
|
+
│ Get Started │
|
|
319
|
+
│ 1. Open this folder in Claude Code │
|
|
320
|
+
│ 2. Activate Ferris: /skf-forger │
|
|
321
|
+
│ 3. Ferris (your Skill Architect) will guide you through │
|
|
322
|
+
│ setting up and forging your first agent skill │
|
|
323
|
+
│ │
|
|
324
|
+
├───────────────────────────────────────────────────────────╯
|
|
325
|
+
│
|
|
326
|
+
└ ⚒ Agent: Ferris (Skill Architect & Integrity Guardian)
|
|
327
|
+
```
|
|
328
|
+
|
|
329
|
+
Artifact verification:
|
|
330
|
+
|
|
331
|
+
- `ls /tmp/skf-rc3-smoke/_bmad/skf/` (full listing):
|
|
332
|
+
- `config.yaml` (installer-generated)
|
|
333
|
+
- `knowledge/`, `shared/`, `module.yaml`, `module-help.csv` (module metadata)
|
|
334
|
+
- Skill dirs: `skf-analyze-source`, `skf-audit-skill`, `skf-brief-skill`, `skf-create-skill`, `skf-create-stack-skill`, `skf-drop-skill`, `skf-export-skill`, `skf-forger`, `skf-quick-skill`, `skf-refine-architecture`, `skf-rename-skill`, `skf-setup`, `skf-test-skill`, `skf-update-skill`, `skf-verify-stack`
|
|
335
|
+
- `[ -f /tmp/skf-rc3-smoke/_bmad/_config/skf-manifest.yaml ]` → present
|
|
336
|
+
- Zero `Installation failed.` in stderr
|
|
337
|
+
|
|
338
|
+
**Skill count note:** the tarball ships 15 `skf-*` directories (listed above); the `status` command's `Skills: 14` count excludes one of them (likely `skf-setup`, which is a one-shot initialization helper rather than an invocable skill). This 15-vs-14 drift is a status-counting semantics detail, not a shipping defect — recorded here for Story 5.4 / Epic 5 retrospective to codify which `skf-*` prefix entries the count should include.
|
|
339
|
+
|
|
340
|
+
**`status` transcript (AC 10):** `npx --yes bmad-module-skill-forge@rc status` exit `0`. All 6 STABILITY.md contract fields present in stdout:
|
|
341
|
+
|
|
342
|
+
```
|
|
343
|
+
Skill Forge — Status
|
|
344
|
+
v1.0.0-rc.3
|
|
345
|
+
|
|
346
|
+
Installation
|
|
347
|
+
Project: skf-rc3-smoke
|
|
348
|
+
SKF folder: _bmad/skf/
|
|
349
|
+
Agent: installed
|
|
350
|
+
Skills: 14
|
|
351
|
+
Installed: 4/23/2026
|
|
352
|
+
Manifest: present
|
|
353
|
+
|
|
354
|
+
IDEs
|
|
355
|
+
● Claude Code
|
|
356
|
+
|
|
357
|
+
Forge Tier
|
|
358
|
+
Not detected yet — run @Ferris SF
|
|
359
|
+
ast-grep: not detected
|
|
360
|
+
gh CLI: not detected
|
|
361
|
+
ccc: not detected
|
|
362
|
+
QMD: not detected
|
|
363
|
+
|
|
364
|
+
Output Folders
|
|
365
|
+
Skills: skills/ ✓
|
|
366
|
+
Forge data: forge-data/ ✓
|
|
367
|
+
|
|
368
|
+
Sidecar
|
|
369
|
+
State: initialized
|
|
370
|
+
Location: _bmad/_memory/forger-sidecar/
|
|
371
|
+
```
|
|
372
|
+
|
|
373
|
+
| STABILITY.md contract field | Observed | ✓ |
|
|
374
|
+
|---|---|---|
|
|
375
|
+
| installation-present | Installation section rendered | ✓ |
|
|
376
|
+
| installed version string | `v1.0.0-rc.3` | ✓ |
|
|
377
|
+
| forge-tier name | `Not detected yet` (plus ast-grep/gh/ccc/QMD tool rows) | ✓ |
|
|
378
|
+
| configured IDE list | `● Claude Code` | ✓ |
|
|
379
|
+
| workflow-skill count | `Skills: 14` | ✓ |
|
|
380
|
+
| sidecar state | `State: initialized` | ✓ |
|
|
381
|
+
| output-folder paths | `Skills: skills/ ✓` + `Forge data: forge-data/ ✓` | ✓ |
|
|
382
|
+
|
|
383
|
+
**`uninstall` transcript (AC 11):** `printf 'y\n' | npx --yes bmad-module-skill-forge@rc uninstall` — note that unlike `install`, uninstall's only prompt is a simple `Yes/No` confirm which IS satisfied by piped `y\n`. Exit `0`. Final message: `SKF uninstalled successfully.` Post-uninstall:
|
|
384
|
+
|
|
385
|
+
- `ls /tmp/skf-rc3-smoke/_bmad/skf/ 2>/dev/null | wc -l` → `0`
|
|
386
|
+
- `[ -f /tmp/skf-rc3-smoke/_bmad/_config/skf-manifest.yaml ]` → absent ✓
|
|
387
|
+
|
|
388
|
+
### NFR1 cycle-time record
|
|
389
|
+
|
|
390
|
+
- **Dispatch → success wall-clock:** 5m 4s (run 24846332151: `2026-04-23T16:21:33Z` → `16:27:30Z`).
|
|
391
|
+
- **NFR1 target:** 20 min (15 CI + 5 approval).
|
|
392
|
+
- **Status:** **Provisional PASS — 1/10 data points collected** against NFR1's rolling-over-10-releases target. The 5m 4s run is well under the 20-min envelope, but a single observation cannot confirm the rolling target; Stories 5.3 / 5.4 will add the next two data points.
|
|
393
|
+
- **Caveat:** this measurement excludes the cumulative time of attempts 1–6 (all failures). Total story wall-clock from first dispatch attempt to successful publish was ~6 hours including dev-cycle time on Stories 3-4, 3-5, and PRs #205/#207. That cumulative cost is retrospective-relevant but does NOT represent steady-state NFR1 performance — it represents first-time E2E discovery overhead, which by definition cannot repeat.
|
|
394
|
+
|
|
395
|
+
### Decision: v1.0.0-rc.3 status
|
|
396
|
+
|
|
397
|
+
**PASS — cleared for Story 5.3 promotion to v1.0.0 under --tag latest with manual approval.**
|
|
398
|
+
|
|
399
|
+
Note to Story 5.3 dev-agent: the `## [1.0.0] - TBD` block at `CHANGELOG.md:396` was verified accurate against shipped rc.3 behavior (AC 15 — all bullets match: 1 agent Ferris, 14 workflows, 23 IDEs via `platform-codes.yaml`, tier names Quick/Forge/Forge+/Deep match the `Forge Tier` detection section). No CHANGELOG refinements flagged for Story 5.3. The only date-flip Story 5.3 must handle is `- TBD` → `- 2026-04-23` (or whatever date 5.3 dispatches).
|
|
400
|
+
|
|
401
|
+
**Derogation from original AC 1 RC-number envelope:** the originally-planned RC number was `rc.1`; actually-shipped is `rc.3`. Stories 5.1 and 5.2 both authored AC text referencing `rc.1` literal. Under Story 5.2's 7-attempt execution, `rc.1` and `rc.2` were both committed to main (via PR #206's bypass-merge and PR #208's auto-merge respectively) but never tagged or published because downstream defects blocked each. Both are cosmetic-only stale release commits on main — npm immutability does NOT apply (nothing was published under those names); dist-tags never pointed at them. Story 5.3 dispatches on top of `rc.3` → `1.0.0`. This derogation is recorded per AC 12's spirit (defect discovery protocol), though each failure was a pipeline defect rather than an RC-content defect.
|
|
402
|
+
|
|
403
|
+
**Negative-evidence for the rc.1/rc.2 "never tagged/never published" claim** (run 2026-04-23 post-publish):
|
|
404
|
+
|
|
405
|
+
```
|
|
406
|
+
$ git tag -l 'v1.0.0-rc.1' 'v1.0.0-rc.2' 'v1.0.0-rc.3'
|
|
407
|
+
v1.0.0-rc.3
|
|
408
|
+
# rc.1 and rc.2 absent — only rc.3 was tagged
|
|
409
|
+
|
|
410
|
+
$ npm view bmad-module-skill-forge versions --json | jq '. | map(select(startswith("1.0.0-rc")))'
|
|
411
|
+
["1.0.0-rc.3"]
|
|
412
|
+
# rc.1 and rc.2 absent — only rc.3 was published to the registry
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
**AC 12 title-convention note (D2 resolution):** AC 12 prescribes issue titles `v1.0.0-rc.N blocker: <one-line>` for failures of AC 6/7/8/9/10/11 (RC-content defects). Issues [#198](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/198) and [#202](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/202) were filed during Story 5.2 with `release.yaml`-prefixed titles instead, because each failure was a pipeline/workflow defect (failing step inside `release.yaml`), not an RC-content defect — none of the ACs 6–11 fired. The title-convention distinction: use `v1.0.0-rc.N blocker:` when the RC itself has a content defect (wrong version on npm, missing attestation, broken install, etc.); use `fix(release):` conventional-commit prefix when the release workflow has a defect. Codify this split at the Epic 5 retrospective.
|
|
416
|
+
|
|
417
|
+
**Lesson for Epic 5 retrospective:** The canonical release path from `main` dispatch had zero prior E2E validation before Story 5.2 attempted it. Stories 3-1 through 3-4 implicitly assumed the path worked; each defect surfaced by Story 5.2 was invisible because the alpha cut (`v0.10.1-alpha.0`) took the non-main-dispatch branch and skipped every affected step. Recommendation: future release-pipeline epics must include a **staging dispatch test** against a sandbox repo (or at minimum a full-workflow dry-run against the default branch) before declaring the pipeline ready. Catching 5+ defects via the first real v1.0.0 cut is demonstrably more expensive than discovering them in pre-launch testing.
|
|
418
|
+
|
|
419
|
+
## Story 5.3 v1.0.0 Final Cut
|
|
420
|
+
|
|
421
|
+
Story 5.3 promoted the passing `v1.0.0-rc.3` RC to `v1.0.0` under `--tag latest` via the canonical `release.yaml` workflow with two-gate maintainer approval. The dispatch succeeded on the first attempt (in contrast to Story 5.2's 7-attempt saga), validating that the pipeline defects surfaced during Story 5.2 (Stories 3-4, 3-5, and PRs #205 / #207) were fully resolved. The cut is the NFR6 immutability activation event: from `2026-04-23T18:56:39Z`, `v1.0.0` is forever-burned on npm under `--tag latest`; rollback from this instant is `npm deprecate` + ship-forward only.
|
|
422
|
+
|
|
423
|
+
### Workflow dispatch run
|
|
424
|
+
|
|
425
|
+
- **Run URL:** <https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24852899833>
|
|
426
|
+
- **Run id:** `24852899833`
|
|
427
|
+
- **Dispatch command:** `gh workflow run release.yaml -f version_bump=major --ref main`
|
|
428
|
+
- **Dispatch timestamp:** `2026-04-23T18:49:46Z` (per GitHub API `run_started_at` on run `24852899833`)
|
|
429
|
+
- **Release env gate approved at:** `2026-04-23T18:52:32Z` (set-up-job start; 2m 46s gate wait from dispatch)
|
|
430
|
+
- **Bot PR approval-or-admin-bypass merge at:** `2026-04-23T18:56:30Z` (admin-bypass-merge — the PR's `Wait for PR approval or admin-bypass merge` step cleared in 0s because the merge had already happened by the time that step evaluated; matches the rc.3 pattern where PR #209 was admin-bypass-merged)
|
|
431
|
+
- **Run completion:** `2026-04-23T18:56:48Z`
|
|
432
|
+
- **Final conclusion:** `success`
|
|
433
|
+
- **Step failures:** none. Of 31 declared job steps, 30 ran successfully and 1 (step 27 `Skip PR flow (non-main dispatch ref)`) was skipped by design: the step's `if: github.ref != 'refs/heads/main'` guard evaluated false (the ref IS main), so the non-main fallback path was correctly bypassed.
|
|
434
|
+
|
|
435
|
+
### Bot PR auto-merge evidence
|
|
436
|
+
|
|
437
|
+
- **Bot PR:** [#213 `release: bump to v1.0.0`](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/213)
|
|
438
|
+
- **Head branch:** `release/bot/v1.0.0-24852899833` (temp branch; auto-deleted post-merge per standard flow)
|
|
439
|
+
- **Head commit:** `62d56418836c90153401eae2d49500dbfa1c70d8` (the `release: bump to v1.0.0` commit)
|
|
440
|
+
- **Merge commit:** `393a5a2012e8914faa3f67e1af94bc3ca0c90062`
|
|
441
|
+
- **Merged at:** `2026-04-23T18:56:30Z`
|
|
442
|
+
- **Merge path:** admin-bypass-merge (maintainer clicked merge on the PR without formal review approval; both `reviewDecision == APPROVED` and `state == MERGED` are accepted by `release.yaml:481-569`). This matches the Story 5.2 rc.3 pattern and is the expected path per Story 3.4.
|
|
443
|
+
|
|
444
|
+
### npm publish evidence
|
|
445
|
+
|
|
446
|
+
**Pre-cut dist-tags snapshot (from Task 1 recon, `2026-04-23 ~18:48Z`):**
|
|
447
|
+
|
|
448
|
+
```json
|
|
449
|
+
{
|
|
450
|
+
"latest": "0.10.0",
|
|
451
|
+
"alpha": "0.10.1-alpha.0",
|
|
452
|
+
"rc": "1.0.0-rc.3"
|
|
453
|
+
}
|
|
454
|
+
```
|
|
455
|
+
|
|
456
|
+
**Post-cut dist-tags snapshot (from Task 3 verification, `2026-04-23 ~18:57Z`):**
|
|
457
|
+
|
|
458
|
+
```json
|
|
459
|
+
{
|
|
460
|
+
"latest": "1.0.0",
|
|
461
|
+
"alpha": "0.10.1-alpha.0",
|
|
462
|
+
"rc": "1.0.0-rc.3"
|
|
463
|
+
}
|
|
464
|
+
```
|
|
465
|
+
|
|
466
|
+
**Dist-tag deltas:** `latest` flipped `0.10.0` → `1.0.0` (the whole point of Story 5.3); `rc` UNCHANGED at `1.0.0-rc.3` (Story 5.3's `major`-from-rc cut does NOT bump the rc tag); `alpha` UNCHANGED at `0.10.1-alpha.0`.
|
|
467
|
+
|
|
468
|
+
**`npm view bmad-module-skill-forge@1.0.0 --json | jq '.dist'` (verbatim):**
|
|
469
|
+
|
|
470
|
+
```json
|
|
471
|
+
{
|
|
472
|
+
"integrity": "sha512-6tQOBCuf05SMRs/1MNWm6+f7OYOGh6tz62AbTvMG3bjspqMQa6Ln9y5paQtQRh4eWyuPvTlPaKqV6Vug8IIOeA==",
|
|
473
|
+
"shasum": "a582acf226016bb075dc5235a721da9d16104b35",
|
|
474
|
+
"tarball": "https://registry.npmjs.org/bmad-module-skill-forge/-/bmad-module-skill-forge-1.0.0.tgz",
|
|
475
|
+
"fileCount": 227,
|
|
476
|
+
"unpackedSize": 1697974,
|
|
477
|
+
"attestations": {
|
|
478
|
+
"url": "https://registry.npmjs.org/-/npm/v1/attestations/bmad-module-skill-forge@1.0.0",
|
|
479
|
+
"provenance": {
|
|
480
|
+
"predicateType": "https://slsa.dev/provenance/v1"
|
|
481
|
+
}
|
|
482
|
+
},
|
|
483
|
+
"signatures": [
|
|
484
|
+
{
|
|
485
|
+
"keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
|
|
486
|
+
"sig": "MEUCIHcz/PIyH7DaVNN872V0uwQXmO29h6WmeXgGRxP0RFR7AiEA2zX6/x2aXiDN4V7irzXiWKNYG+uqFiQwBRGdt0DGFvg="
|
|
487
|
+
}
|
|
488
|
+
]
|
|
489
|
+
}
|
|
490
|
+
```
|
|
491
|
+
|
|
492
|
+
**Provenance attestation URL:** <https://registry.npmjs.org/-/npm/v1/attestations/bmad-module-skill-forge@1.0.0>
|
|
493
|
+
|
|
494
|
+
**Versions list (after publish):**
|
|
495
|
+
|
|
496
|
+
```
|
|
497
|
+
$ npm view bmad-module-skill-forge versions --json | jq '. | map(select(startswith("1.0.0")))'
|
|
498
|
+
[
|
|
499
|
+
"1.0.0-rc.3",
|
|
500
|
+
"1.0.0"
|
|
501
|
+
]
|
|
502
|
+
```
|
|
503
|
+
|
|
504
|
+
**AC 6 NFR4 provenance-coverage status:** PASS — SLSA L2 attestation present for `1.0.0` (`predicateType: https://slsa.dev/provenance/v1`; the SLSA Build L2 level follows from npm's trusted-publishing design, which signs provenance statements via GitHub Actions OIDC with tamper-evident build metadata — see <https://docs.npmjs.com/generating-provenance-statements>).
|
|
505
|
+
|
|
506
|
+
### GitHub Release v1.0.0
|
|
507
|
+
|
|
508
|
+
**`gh release view v1.0.0 --json tagName,isPrerelease,name,createdAt,url`:**
|
|
509
|
+
|
|
510
|
+
```json
|
|
511
|
+
{
|
|
512
|
+
"createdAt": "2026-04-23T18:56:33Z",
|
|
513
|
+
"isPrerelease": false,
|
|
514
|
+
"name": "Skill Forge (SKF) v1.0.0",
|
|
515
|
+
"tagName": "v1.0.0",
|
|
516
|
+
"url": "https://github.com/armelhbobdad/bmad-module-skill-forge/releases/tag/v1.0.0"
|
|
517
|
+
}
|
|
518
|
+
```
|
|
519
|
+
|
|
520
|
+
- `isPrerelease: false` ✓ — load-bearing for NFR6 threshold; `release.yaml:697-704` computes `prerelease` as `contains(version, 'alpha|beta|rc')` and `1.0.0` contains none of those substrings.
|
|
521
|
+
- Release URL: <https://github.com/armelhbobdad/bmad-module-skill-forge/releases/tag/v1.0.0>
|
|
522
|
+
- Release body: auto-generated by `release.yaml § Generate release notes` from the conventional-commits between `v1.0.0-rc.3` and `v1.0.0` (expected empty — the commit range contains only `docs(release):` and `chore(release):` entries, neither of which emits `### Features` or `### Bug Fixes` under conventional-changelog; the reconciled CHANGELOG carries the hand-curated v1.0.0 prose separately). **Post-sign-off amplification (Story 5.3 code-review patch 2a, 2026-04-23):** the Release body was subsequently replaced via `gh release edit v1.0.0 --notes-file …` with the verbatim hand-curated CHANGELOG § [1.0.0] prose (First Major Release / Initial Release / Highlights / Workflows / Confidence Tiers / IDE Support / Links) plus a 6-line footer linking to the CHANGELOG entry and the `v1.0.0-rc.3...v1.0.0` compare view. Post-amplification body length: 3844 bytes (up from 473). This edit does not alter npm, the tag, or provenance; it only changes the public Release-page prose for discoverability.
|
|
523
|
+
|
|
524
|
+
### Main-branch side-effects
|
|
525
|
+
|
|
526
|
+
**`main` branch advance (AC 8a):**
|
|
527
|
+
|
|
528
|
+
```
|
|
529
|
+
$ git log main -2 --format='%H %an %s'
|
|
530
|
+
393a5a2012e8914faa3f67e1af94bc3ca0c90062 github-actions[bot] Merge pull request #213 from armelhbobdad/release/bot/v1.0.0-24852899833
|
|
531
|
+
62d56418836c90153401eae2d49500dbfa1c70d8 github-actions[bot] release: bump to v1.0.0
|
|
532
|
+
```
|
|
533
|
+
|
|
534
|
+
- Merge commit: `393a5a2` (parents: `3e60788` pre-Story-5.3 main tip + `62d56418` bot release commit)
|
|
535
|
+
- Release commit: `62d56418` (parent: `3e60788`)
|
|
536
|
+
- Topology matches rc.3 precedent: PR merge commit on top, workflow-authored release commit underneath.
|
|
537
|
+
|
|
538
|
+
**Version-file bumps (AC 8b, 8c):**
|
|
539
|
+
|
|
540
|
+
```
|
|
541
|
+
$ jq -r .version package.json
|
|
542
|
+
1.0.0
|
|
543
|
+
|
|
544
|
+
$ jq -r '.plugins[0].version' .claude-plugin/marketplace.json
|
|
545
|
+
1.0.0
|
|
546
|
+
```
|
|
547
|
+
|
|
548
|
+
AC 8c: 2nd live end-to-end proof of the Story 5.1 H3 jq-based marketplace-sync step (1st was rc.3).
|
|
549
|
+
|
|
550
|
+
**CHANGELOG post-workflow topology (AC 8d, 8e, 8f):**
|
|
551
|
+
|
|
552
|
+
```
|
|
553
|
+
$ grep -cE '^## \[1\.0\.0\]' CHANGELOG.md # 2 (auto-gen + stale TBD; reconciled in Commit 2)
|
|
554
|
+
$ grep -c '^## \[1.0.0-rc.3\]' CHANGELOG.md # 1 (rc.3 block survived)
|
|
555
|
+
$ head -5 CHANGELOG.md # # Changelog + preamble + ## [Unreleased]
|
|
556
|
+
```
|
|
557
|
+
|
|
558
|
+
**Zero-conventional-commit edge case:** the auto-generated `## [1.0.0]` block had an EMPTY body (no `### Features` / `### Bug Fixes` sub-sections) because the commit range `v1.0.0-rc.3..v1.0.0` contained only `docs(release):` and `chore(release):` entries. This is the expected behavior per deferred-work 3-3; AC 10 reconciliation preserves the auto-gen header (compare URL + date) and injects the hand-curated prose. The `awk`-based preamble-restore from Story 3.3 worked correctly despite the empty block.
|
|
559
|
+
|
|
560
|
+
**Tag anchor verification (AC 9):**
|
|
561
|
+
|
|
562
|
+
```
|
|
563
|
+
$ git tag -l 'v1.0.0'
|
|
564
|
+
v1.0.0
|
|
565
|
+
|
|
566
|
+
$ git rev-parse 'v1.0.0^{}' # dereference annotated tag to commit
|
|
567
|
+
393a5a2012e8914faa3f67e1af94bc3ca0c90062
|
|
568
|
+
|
|
569
|
+
$ git log main -1 --format='%H'
|
|
570
|
+
393a5a2012e8914faa3f67e1af94bc3ca0c90062
|
|
571
|
+
|
|
572
|
+
=> MATCH ✓ (tag anchors on PR merge commit per Story 3.4 P9 defensive guard)
|
|
573
|
+
|
|
574
|
+
$ git log v1.0.0 -1 --format='%s'
|
|
575
|
+
Merge pull request #213 from armelhbobdad/release/bot/v1.0.0-24852899833
|
|
576
|
+
```
|
|
577
|
+
|
|
578
|
+
**Note:** `v1.0.0` is an **annotated tag object** (tag SHA `4579b954ee6512a1c39ef4e3f06ecdb60e67358f`), not a lightweight tag. `git rev-parse v1.0.0` returns the tag object SHA, not the commit SHA — use `^{}` to dereference. This is consistent with the rc.3 tag shape from Story 5.2.
|
|
579
|
+
|
|
580
|
+
### CHANGELOG reconciliation
|
|
581
|
+
|
|
582
|
+
**Pre-reconciliation state (post-workflow):** two `## [1.0.0]` H2 blocks — (A) auto-generated at line 7 with compare URL `compare/v1.0.0-rc.3...v1.0.0` and empty body, (B) hand-curated `## [1.0.0] - TBD` placeholder at line 397 (originally staged by Story 5.1).
|
|
583
|
+
|
|
584
|
+
**Post-reconciliation state:** single `## [1.0.0]` block at line 7 with preserved auto-gen header (compare URL + date `2026-04-23`) and hand-curated body (First Major Release → Initial Release → Highlights → Workflows → Confidence Tiers → IDE Support → Links); stale TBD placeholder deleted.
|
|
585
|
+
|
|
586
|
+
**Post-edit verification (AC 10 iii):**
|
|
587
|
+
|
|
588
|
+
```
|
|
589
|
+
$ grep -cE '^## \[1\.0\.0\]' CHANGELOG.md # 1 (exactly one reconciled block)
|
|
590
|
+
$ grep -c '^## \[1\.0\.0\] - TBD' CHANGELOG.md # 0 (stale placeholder gone)
|
|
591
|
+
$ grep -cE '^## \[1\.0\.0\]\(https' CHANGELOG.md # 1 (compare-URL header preserved)
|
|
592
|
+
$ grep -c '^## \[1.0.0-rc.3\]' CHANGELOG.md # 1 (rc.3 block untouched)
|
|
593
|
+
$ grep -c '^## \[0.10.0\]' CHANGELOG.md # 1 (older history intact)
|
|
594
|
+
```
|
|
595
|
+
|
|
596
|
+
**Diff excerpt (block A insertion, head):**
|
|
597
|
+
|
|
598
|
+
```diff
|
|
599
|
+
## [1.0.0](https://github.com/armelhbobdad/bmad-module-skill-forge/compare/v1.0.0-rc.3...v1.0.0) (2026-04-23)
|
|
600
|
+
+
|
|
601
|
+
+### First Major Release
|
|
602
|
+
+
|
|
603
|
+
+First major release of Skill Forge (SKF). Introduces the `INCONCLUSIVE` test verdict, atomic stack-skill writes, a shared feasibility schema across VS/RA/SS, and formalizes Linux/macOS-only support. Sets the stable contract for subsequent 1.x releases.
|
|
604
|
+
+
|
|
605
|
+
+### Initial Release
|
|
606
|
+
+
|
|
607
|
+
+Skill Forge (SKF) — an agent skill compiler that transforms code repositories, documentation, and developer discourse into [agentskills.io](https://agentskills.io)-compliant agent skills with AST-backed provenance.
|
|
608
|
+
+[... hand-curated body continues with Highlights / Workflows / Confidence Tiers / IDE Support / Links ...]
|
|
609
|
+
## [1.0.0-rc.3](https://github.com/armelhbobdad/bmad-module-skill-forge/compare/v0.10.0...v1.0.0-rc.3) (2026-04-23)
|
|
610
|
+
```
|
|
611
|
+
|
|
612
|
+
**Diff excerpt (block B deletion, tail — the bracketed placeholder line inside the code fence below is narrative, not a literal diff line; run `git diff c0b2b67^..c0b2b67 -- CHANGELOG.md` for the verbatim body):**
|
|
613
|
+
|
|
614
|
+
```diff
|
|
615
|
+
-## [1.0.0] - TBD
|
|
616
|
+
-
|
|
617
|
+
-<!--
|
|
618
|
+
-Hand-curated v1.0.0 release notes. Source: _bmad-output/planning-artifacts/v1-0-0-changelog-draft.md.
|
|
619
|
+
-Date placeholder "TBD" — replaced with actual publish date at Story 5.3's v1.0.0 final cut (see
|
|
620
|
+
-docs/RELEASING.md § Cutting v1.0.0-rc.1 for the reconciliation procedure).
|
|
621
|
+
--->
|
|
622
|
+
-
|
|
623
|
+
-### First Major Release
|
|
624
|
+
-[... full hand-curated body deleted from here (moved up into reconciled block A) ...]
|
|
625
|
+
-- npm: <https://www.npmjs.com/package/bmad-module-skill-forge>
|
|
626
|
+
-
|
|
627
|
+
## [0.10.0](https://github.com/armelhbobdad/bmad-module-skill-forge/compare/v0.9.0...v0.10.0) (2026-04-06)
|
|
628
|
+
```
|
|
629
|
+
|
|
630
|
+
**Net CHANGELOG delta:** 710 lines → 703 lines (−7 lines from removing the TBD placeholder's HTML comment + header markers; the body itself was relocated, not deleted).
|
|
631
|
+
|
|
632
|
+
### NFR1 cycle-time record
|
|
633
|
+
|
|
634
|
+
- **Dispatch → success wall-clock:** **7m 2s** (run `24852899833`: `2026-04-23T18:49:46Z` → `2026-04-23T18:56:48Z`)
|
|
635
|
+
- **Env-gate approval sub-budget:** 2m 46s (`2026-04-23T18:49:46Z` dispatch → `2026-04-23T18:52:32Z` set-up-job start)
|
|
636
|
+
- **Workflow automation sub-budget:** 4m 16s (`2026-04-23T18:52:32Z` → `2026-04-23T18:56:48Z`)
|
|
637
|
+
- **NFR1 target:** 20 min (15 CI + 5 approval)
|
|
638
|
+
- **Status:** within envelope; 13 min of headroom against the 20-min target.
|
|
639
|
+
- **Rolling-10-release window:** 2 / 10 data points collected — `[Story 5.2 rc.3: 5m 4s, Story 5.3 v1.0.0: 7m 2s]`. Both well under NFR1's 20-min target. Stories 5.4 onward continue filling the window.
|
|
640
|
+
- **Story 5.2 retrospective comparison:** Story 5.3 dispatched successfully on the first attempt (7m 2s wall-clock). Story 5.2 took 7 attempts and ~6 hours of cumulative dev-cycle time to discover and fix 5 pipeline defects (Stories 3-4, 3-5, PRs #205 / #207). Story 5.3's first-attempt success is evidence that those fixes landed correctly; the pipeline is now E2E-proven for main-dispatched cuts.
|
|
641
|
+
|
|
642
|
+
### NFR6 v1.0.0 immutability activation
|
|
643
|
+
|
|
644
|
+
**v1.0.0 is live on npm under --tag latest as of 2026-04-23T18:56:39Z. NFR6 immutability policy is now in force: this version SHALL NEVER be unpublished or republished; rollback uses npm deprecate + ship forward per docs/RELEASING.md § Scenario A/B.**
|
|
645
|
+
|
|
646
|
+
This timestamp is the `Publish to npm via OIDC trusted publishing` step's completion time (step 29 of run `24852899833`; `2026-04-23T18:56:34Z` → `2026-04-23T18:56:39Z` in the GitHub Actions step timeline). From this instant, the version-number `1.0.0` on npm is an irreversible forensic fact: any future defect surfaced against `1.0.0` is resolved via `npm deprecate bmad-module-skill-forge@1.0.0 "<reason>"` and shipping `1.0.1` forward with the fix, NEVER via `npm unpublish` (regardless of eligibility-window rules — NFR6 forbids reclaim). This record is the auditable boundary between "pre-NFR6 state" and "NFR6-active state."
|
|
647
|
+
|
|
648
|
+
### Decision: v1.0.0 launch status
|
|
649
|
+
|
|
650
|
+
**LAUNCHED — v1.0.0 is live on npm under --tag latest with SLSA L2 provenance. Story 5.4 cross-platform verification cleared to begin (NFR9: within 1h of publish).**
|
|
651
|
+
|
|
652
|
+
The `## Sign-off` section (above) is updated with the dual-sentence form:
|
|
653
|
+
|
|
654
|
+
> Signed off by Armel (@armelhbobdad) at 2026-04-23 16:40Z (post-publish, after smoke test completion). v1.0.0-rc.3 survived smoke test clean; Story 5.3 unblocked. v1.0.0 launched 2026-04-23 18:56:39Z; Story 5.4 cross-platform verification in scope.
|
|
655
|
+
|
|
656
|
+
Story 5.4 opens with `v1.0.0 is live on npm` as its precondition; NFR9 requires cross-platform install verification (Linux + Windows via the `quality.yaml` matrix + macOS manual spot-check) within 60 minutes of the `2026-04-23T18:56:39Z` publish timestamp. Story 5.4 dispatches are in scope starting immediately after Story 5.3's Commit 2 (this audit append) lands on `main`.
|
|
657
|
+
|
|
658
|
+
## Story 5.4 Post-Publish Verification
|
|
659
|
+
|
|
660
|
+
### Workflow dispatch run
|
|
661
|
+
|
|
662
|
+
- **Workflow:** `.github/workflows/install-smoke.yaml` (authored in Story 5.4 Commit 1, PR [#219](https://github.com/armelhbobdad/bmad-module-skill-forge/pull/219), merged at `2026-04-23T20:22:07Z`, merge commit [`075dbcb`](https://github.com/armelhbobdad/bmad-module-skill-forge/commit/075dbcb2fd8100036822aa172712db07867b5e73))
|
|
663
|
+
- **Dispatch command:** `gh workflow run install-smoke.yaml -f version=latest --ref main`
|
|
664
|
+
- **Run ID:** `24856988815`
|
|
665
|
+
- **Run URL:** <https://github.com/armelhbobdad/bmad-module-skill-forge/actions/runs/24856988815>
|
|
666
|
+
- **Dispatch timestamp:** `2026-04-23T20:23:07Z`
|
|
667
|
+
- **Completion timestamp:** `2026-04-23T20:23:53Z`
|
|
668
|
+
- **Final conclusion:** `success` (all three matrix legs `success`)
|
|
669
|
+
- **Total wall-clock:** 46 seconds
|
|
670
|
+
|
|
671
|
+
### Matrix results
|
|
672
|
+
|
|
673
|
+
| Runner | Job status | `--version` stdout | Exit code | Wall-clock | Runner image version |
|
|
674
|
+
|--------|-----------|---------------------|-----------|------------|----------------------|
|
|
675
|
+
| `ubuntu-latest` | `success` | `stdout: 1.0.0` | 0 | ~5s (start `20:23:13Z` → end `20:23:18Z`) | `Runner Image 20260213.493`, `Runner Image Provisioner 20260413.86.1` |
|
|
676
|
+
| `windows-latest` | `success` | `stdout: 1.0.0` | 0 | ~40s (start `20:23:12Z` → end `20:23:52Z`) | `Runner Image 20260213.493`, `Runner Image Provisioner 20260413.84.1` |
|
|
677
|
+
| `macos-latest` | `success` | `stdout: 1.0.0` | 0 | ~8s (start `20:23:13Z` → end `20:23:21Z`) | `Runner Image 20260422.526`, `Runner Image Provisioner 20260421.0007.1` |
|
|
678
|
+
|
|
679
|
+
All three legs printed `1.0.0` verbatim (matching `package.json.version` for v1.0.0), exited 0, and completed well inside the 60-second-typical target from Story 5.4 AC 4. Windows was the slowest at 40s (expected — npx warm-up + longer shebang resolution on Windows); ubuntu-latest fastest at 5s.
|
|
680
|
+
|
|
681
|
+
### NFR9 elapsed-time record
|
|
682
|
+
|
|
683
|
+
- **Publish timestamp (Story 5.3 activating NFR6):** `2026-04-23T18:56:39Z`
|
|
684
|
+
- **NFR9 60-minute target deadline:** `2026-04-23T19:56:39Z`
|
|
685
|
+
- **Smoke-workflow dispatch timestamp:** `2026-04-23T20:23:07Z`
|
|
686
|
+
- **Smoke-workflow completion timestamp:** `2026-04-23T20:23:53Z`
|
|
687
|
+
- **Wall-clock delta from publish to completion:** `01:27` (1 hour 27 minutes 14 seconds)
|
|
688
|
+
- **NFR9 status classification:** `missed-target-non-blocking`
|
|
689
|
+
|
|
690
|
+
**Disposition rationale.** The 60-minute NFR9 target closed at `2026-04-23T19:56:39Z`; verification completed 27 minutes past the target. All three matrix legs passed with no surfaced regressions, so no live cross-platform defect existed during the unobserved window — the policy's safety goal (catching a platform regression fast while blast radius is small) was achieved in practice, just later than the 1-hour target. Per Story 5.4 AC 2, this disposition is non-blocking for Epic 5 closure. The first NFR9 data point goes into the Epic 5 retrospective, which will weigh whether the 1-hour target needs (i) softening to a 24-hour bucket for solo-maintainer operability, (ii) automation via tag-push auto-trigger to push verification toward near-real-time, or (iii) maintainer on-call commitments for future launches.
|
|
691
|
+
|
|
692
|
+
### Marketplace.json post-publish invariant
|
|
693
|
+
|
|
694
|
+
Re-verified post-smoke (Story 5.4 Task 4) — all four invariants hold, zero drift from Story 5.3 final state:
|
|
695
|
+
|
|
696
|
+
```
|
|
697
|
+
$ gh api repos/armelhbobdad/bmad-module-skill-forge/contents/package.json \
|
|
698
|
+
--jq '.content' | base64 -d | jq -r .version
|
|
699
|
+
1.0.0
|
|
700
|
+
|
|
701
|
+
$ gh api repos/armelhbobdad/bmad-module-skill-forge/contents/.claude-plugin/marketplace.json \
|
|
702
|
+
--jq '.content' | base64 -d | jq -r '.plugins[0].version'
|
|
703
|
+
1.0.0
|
|
704
|
+
|
|
705
|
+
$ npm view bmad-module-skill-forge@latest version
|
|
706
|
+
1.0.0
|
|
707
|
+
|
|
708
|
+
$ npm view bmad-module-skill-forge dist-tags --json
|
|
709
|
+
{
|
|
710
|
+
"latest": "1.0.0",
|
|
711
|
+
"alpha": "0.10.1-alpha.0",
|
|
712
|
+
"rc": "1.0.0-rc.3"
|
|
713
|
+
}
|
|
714
|
+
```
|
|
715
|
+
|
|
716
|
+
### Any observations or defects surfaced
|
|
717
|
+
|
|
718
|
+
None — all three matrix legs clean. No stderr noise, no deprecation warnings, no platform-specific anomalies. The published v1.0.0 tarball resolves and executes cleanly on `ubuntu-latest`, `windows-latest`, and `macos-latest` under Node 22, through the `tools/skf-npx-wrapper.js` bin entrypoint and commander dispatch.
|
|
719
|
+
|
|
720
|
+
### Decision: v1.0.0 cross-platform verification status
|
|
721
|
+
|
|
722
|
+
**VERIFIED — v1.0.0 install clean on ubuntu-latest + windows-latest + macos-latest via npm dist-tag @latest. NFR9 missed-target-non-blocking. Epic 5 cleared for close; Epic 6 cleanup unblocked.**
|
|
723
|
+
|
|
724
|
+
The `## Sign-off` block at the top of this audit is updated to the four-sentence form per Story 5.4 AC 8:
|
|
725
|
+
|
|
726
|
+
> Signed off by Armel (@armelhbobdad) at 2026-04-23 16:40Z (post-publish, after smoke test completion). v1.0.0-rc.3 survived smoke test clean; Story 5.3 unblocked. v1.0.0 launched 2026-04-23 18:56:39Z; Story 5.4 cross-platform verification in scope. v1.0.0 cross-platform install verification VERIFIED at 2026-04-23T20:23:53Z; Epic 5 cleared.
|
|
727
|
+
|
|
728
|
+
Story 5.4 closes with Epic 5 at `done`. Epic 6 cleanup stories (6-1 delete legacy `publish.yaml` + `manual-release.yaml`; 6-2 remove `release:*` scripts from `package.json`; 6-3 remove `NPM_TOKEN` secret) are now unblocked. The `install-smoke.yaml` workflow remains as a permanent reusable artifact — every future release (v1.0.1, v1.1.0, v2.0.0, ...) can redispatch it with the new version tag to produce the same cross-platform evidence.
|
|
@@ -104,12 +104,72 @@ If `{legacy_stack_provenance}` is true: log a note that this stack uses v1 prove
|
|
|
104
104
|
**If provenance map loaded:**
|
|
105
105
|
- Use `source_root` from provenance map as source code path
|
|
106
106
|
- Verify source path still exists and is accessible
|
|
107
|
+
- Extract `baseline_commit` = `provenance-map.source_commit` (fall back to `metadata.source_commit` if absent from the provenance map)
|
|
108
|
+
- Extract `baseline_ref` = `metadata.source_ref` (may be a tag, branch, `HEAD`, or `"local"`)
|
|
107
109
|
|
|
108
110
|
**If degraded mode:**
|
|
109
111
|
- Ask user: "Please provide the path to the current source code."
|
|
112
|
+
- `baseline_commit` and `baseline_ref` are unavailable — §5b will short-circuit
|
|
110
113
|
|
|
111
114
|
**Validate:** Confirm source directory exists and contains expected files.
|
|
112
115
|
|
|
116
|
+
### 5b. Detect Upstream Drift
|
|
117
|
+
|
|
118
|
+
Upstream drift detection is the primary use case of this workflow. If the local clone is still pinned to the baseline commit while upstream has shipped newer tags, auditing against the unchanged tree will misleadingly report CLEAN even after a major release.
|
|
119
|
+
|
|
120
|
+
**Skip this section** if any of the following hold:
|
|
121
|
+
- `baseline_ref` is `"local"`, `null`, or unset (non-git source)
|
|
122
|
+
- `{source_root}` is not a git worktree (`git -C {source_root} rev-parse --git-dir` fails)
|
|
123
|
+
- `baseline_commit` is unavailable
|
|
124
|
+
- Degraded mode is active (no provenance map)
|
|
125
|
+
|
|
126
|
+
When skipping, log the reason, then set the audit-ref context variables to baseline values so step-06 renders a coherent Provenance row: `audit_ref = baseline_ref or "(unknown)"`, `audit_ref_source = "baseline"` (or `"unavailable"` if both `baseline_ref` and `baseline_commit` are unset), `audit_commit = baseline_commit or "(unknown)"`, `latest_tag = null`, `remote_head = null`. Continue to §6.
|
|
127
|
+
|
|
128
|
+
**Otherwise:**
|
|
129
|
+
|
|
130
|
+
1. **Fetch upstream refs** (read-only, no working-tree mutation):
|
|
131
|
+
|
|
132
|
+
```bash
|
|
133
|
+
git -C {source_root} fetch --tags --quiet origin
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
If fetch fails (no network, no remote, detached clone), log the reason, record `upstream_fetch: "failed:{reason}"` in context, set `audit_ref = baseline_ref`, `audit_ref_source = "baseline"`, `audit_commit = baseline_commit`, `latest_tag = null`, `remote_head = null`, and continue to §6 without gating.
|
|
137
|
+
|
|
138
|
+
2. **Find latest remote ref:**
|
|
139
|
+
- Remote default-branch HEAD: `git -C {source_root} rev-parse origin/HEAD` (fall back to `origin/main` or `origin/master` if the symbolic ref is unavailable) — record as `remote_head`.
|
|
140
|
+
- Newest semver tag: `git -C {source_root} for-each-ref --sort=-v:refname --format='%(refname:short)' 'refs/tags/v*' | head -1` — record as `latest_tag`.
|
|
141
|
+
|
|
142
|
+
3. **Compare to baseline:**
|
|
143
|
+
- If `baseline_commit` equals the commit that `remote_head` resolves to AND (`latest_tag` is empty OR semver-equals `baseline_ref` OR is older than `baseline_ref`), upstream has not moved. Set `audit_ref = baseline_ref`, `audit_ref_source = "baseline"`, `audit_commit = baseline_commit`. Continue to §6.
|
|
144
|
+
- Otherwise upstream has moved — proceed to the gate.
|
|
145
|
+
|
|
146
|
+
4. **User gate — Upstream drift detected:**
|
|
147
|
+
|
|
148
|
+
"**Upstream has moved since this skill was created.**
|
|
149
|
+
|
|
150
|
+
| | Baseline | Upstream |
|
|
151
|
+
|---|---|---|
|
|
152
|
+
| Ref | `{baseline_ref}` | `{latest_tag}` (newest tag) / `{remote_head}` (default HEAD) |
|
|
153
|
+
| Commit | `{baseline_commit_short}` | `{latest_tag_commit_short}` / `{remote_head_short}` |
|
|
154
|
+
|
|
155
|
+
Auditing against the baseline clone will report little-to-no structural drift even if the upstream API has changed. Options:
|
|
156
|
+
|
|
157
|
+
- **[C] Checkout-and-audit-against-latest** — checkout `{latest_tag}` (or `{remote_head}` if no newer tag) in `{source_root}` and audit against that. Re-extraction will reflect the current upstream surface.
|
|
158
|
+
- **[S] Stay-on-baseline** — keep `{source_root}` at `{baseline_ref}` and audit structural drift against the unchanged tree. The report will note `audit_ref = baseline`.
|
|
159
|
+
- **[X] Abort** — halt the workflow without producing a report.
|
|
160
|
+
|
|
161
|
+
**Select:** [C] / [S] / [X]"
|
|
162
|
+
|
|
163
|
+
**Gate handling:**
|
|
164
|
+
- **[C]:** Acquire an exclusive lock on `{source_root}/.skf-workspace.lock` (`flock -x` or `fcntl.flock(LOCK_EX)`) before mutating the working tree — matches the concurrency discipline in `src/skf-create-skill/references/source-resolution-protocols.md` and avoids racing with a concurrent create-skill / test-skill run against the same workspace clone. If `flock` is unavailable, emit a warning and proceed. Then `git -C {source_root} checkout {chosen_ref}` (prefer `latest_tag` when present, else `remote_head`). Set `audit_ref = {chosen_ref}`, `audit_ref_source = "checkout-latest"`, `audit_commit = git rev-parse HEAD`. Hold the lock through step-02 re-extraction and release only after the extraction snapshot is complete.
|
|
165
|
+
- **[S]:** Keep baseline. Set `audit_ref = baseline_ref`, `audit_ref_source = "baseline"`, `audit_commit = baseline_commit`.
|
|
166
|
+
- **[X]:** HALT workflow — do not create drift report.
|
|
167
|
+
- **Other input:** help user, redisplay gate.
|
|
168
|
+
|
|
169
|
+
**Headless default** (when `{headless_mode}`): auto-select **[S]** and emit a loud log line: `"headless: upstream drift detected ({baseline_ref} → {latest_tag or remote_head}); staying on baseline. Re-run interactively to audit against latest."` Do not check out in headless mode — silent ref changes under automation would mutate the user's working tree without consent.
|
|
170
|
+
|
|
171
|
+
5. **Record for report:** store `audit_ref`, `audit_ref_source`, `audit_commit`, `latest_tag`, `remote_head`, and `baseline_commit` in context. Step-06 surfaces them in the Provenance section so readers can tell which comparison actually ran.
|
|
172
|
+
|
|
113
173
|
### 6. Create Drift Report
|
|
114
174
|
|
|
115
175
|
Create `{outputFile}` from `{templateFile}`:
|