shipwright-cli 3.0.0 → 3.1.0

package/scripts/lib/pipeline-stages.sh

@@ -1,8 +1,23 @@
-# pipeline-stages.sh — Stage implementations (intake, plan, build, test, review, pr, merge, deploy, validate, monitor) for sw-pipeline.sh
+# pipeline-stages.sh — Stage implementations (intake, plan, build, test, review, compound_quality, pr, merge, deploy, validate, monitor) for sw-pipeline.sh
 # Source from sw-pipeline.sh. Requires all pipeline globals and state/github/detection/quality modules.
 [[ -n "${_PIPELINE_STAGES_LOADED:-}" ]] && return 0
 _PIPELINE_STAGES_LOADED=1
 
+# ─── Safe git helpers ────────────────────────────────────────────────────────
+# BASE_BRANCH may not exist locally (e.g. --local mode with no remote).
+# These helpers return empty output instead of crashing under set -euo pipefail.
+_safe_base_log() {
+    local branch="${BASE_BRANCH:-main}"
+    git rev-parse --verify "$branch" >/dev/null 2>&1 || { echo ""; return 0; }
+    git log "$@" "${branch}..HEAD" 2>/dev/null || true
+}
+
+_safe_base_diff() {
+    local branch="${BASE_BRANCH:-main}"
+    git rev-parse --verify "$branch" >/dev/null 2>&1 || { git diff HEAD~5 "$@" 2>/dev/null || true; return 0; }
+    git diff "${branch}...HEAD" "$@" 2>/dev/null || true
+}
+
 show_stage_preview() {
     local stage_id="$1"
     echo ""
@@ -15,6 +30,7 @@ show_stage_preview() {
         test_first) echo -e "  Generate tests from requirements (TDD mode) before implementation" ;;
         test)     echo -e "  Run test suite and check coverage" ;;
         review)   echo -e "  AI code review on the diff, post findings" ;;
+        compound_quality) echo -e "  Adversarial review, negative tests, e2e, DoD audit" ;;
         pr)       echo -e "  Create GitHub PR with labels, reviewers, milestone" ;;
         merge)    echo -e "  Wait for CI checks, merge PR, optionally delete branch" ;;
         deploy)   echo -e "  Deploy to staging/production with rollback" ;;
@@ -300,10 +316,22 @@ Checklist of completion criteria.
     fi
 
     local _token_log="${ARTIFACTS_DIR}/.claude-tokens-plan.log"
-    claude --print --model "$plan_model" --max-turns 25 \
+    claude --print --model "$plan_model" --max-turns 25 --dangerously-skip-permissions \
         "$plan_prompt" < /dev/null > "$plan_file" 2>"$_token_log" || true
     parse_claude_tokens "$_token_log"
 
+    # Claude may write to disk via tools instead of stdout — rescue those files
+    local _plan_rescue
+    for _plan_rescue in "${PROJECT_ROOT}/PLAN.md" "${PROJECT_ROOT}/plan.md" \
+                         "${PROJECT_ROOT}/implementation-plan.md"; do
+        if [[ -s "$_plan_rescue" ]] && [[ $(wc -l < "$plan_file" 2>/dev/null | xargs) -lt 10 ]]; then
+            info "Plan written to ${_plan_rescue} via tools — adopting as plan artifact"
+            cat "$_plan_rescue" >> "$plan_file"
+            rm -f "$_plan_rescue"
+            break
+        fi
+    done
+
     if [[ ! -s "$plan_file" ]]; then
         error "Plan generation failed — empty output"
         return 1
@@ -708,10 +736,22 @@ Be concrete and specific. Reference actual file paths in the codebase. Consider
     fi
 
     local _token_log="${ARTIFACTS_DIR}/.claude-tokens-design.log"
-    claude --print --model "$design_model" --max-turns 25 \
+    claude --print --model "$design_model" --max-turns 25 --dangerously-skip-permissions \
         "$design_prompt" < /dev/null > "$design_file" 2>"$_token_log" || true
     parse_claude_tokens "$_token_log"
 
+    # Claude may write to disk via tools instead of stdout — rescue those files
+    local _design_rescue
+    for _design_rescue in "${PROJECT_ROOT}/design-adr.md" "${PROJECT_ROOT}/design.md" \
+                           "${PROJECT_ROOT}/ADR.md" "${PROJECT_ROOT}/DESIGN.md"; do
+        if [[ -s "$_design_rescue" ]] && [[ $(wc -l < "$design_file" 2>/dev/null | xargs) -lt 10 ]]; then
+            info "Design written to ${_design_rescue} via tools — adopting as design artifact"
+            cat "$_design_rescue" >> "$design_file"
+            rm -f "$_design_rescue"
+            break
+        fi
+    done
+
     if [[ ! -s "$design_file" ]]; then
         error "Design generation failed — empty output"
         return 1
@@ -739,7 +779,7 @@ Be concrete and specific. Reference actual file paths in the codebase. Consider
     files_to_modify=$(sed -n '/Files to modify/,/^-\|^#\|^$/p' "$design_file" 2>/dev/null | grep -E '^\s*-' | head -20 || true)
 
     if [[ -n "$files_to_create" || -n "$files_to_modify" ]]; then
-        info "Design scope: ${DIM}$(echo "$files_to_create $files_to_modify" | grep -c '^\s*-' || echo 0) file(s)${RESET}"
+        info "Design scope: ${DIM}$(echo "$files_to_create $files_to_modify" | grep -c '^\s*-' || true) file(s)${RESET}"
     fi
 
     # Post design to GitHub issue
@@ -1077,8 +1117,9 @@ ${prevention_text}"
         loop_args+=(--resume)
     fi
 
-    # Skip permissions in CI (no interactive terminal)
-    [[ "${CI_MODE:-false}" == "true" ]] && loop_args+=(--skip-permissions)
+    # Skip permissions — pipeline runs headlessly (claude -p) and has no terminal
+    # for interactive permission prompts. Without this flag, agents can't write files.
+    loop_args+=(--skip-permissions)
 
     info "Starting build loop: ${DIM}shipwright loop${RESET} (max ${max_iter} iterations, ${agents} agent(s))"
 
@@ -1131,13 +1172,13 @@ ${prevention_text}"
 
     # Count commits made during build
     local commit_count
-    commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    commit_count=$(_safe_base_log --oneline | wc -l | xargs)
     info "Build produced ${BOLD}$commit_count${RESET} commit(s)"
 
     # Commit quality evaluation when intelligence is enabled
     if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1 && [[ "${commit_count:-0}" -gt 0 ]]; then
         local commit_msgs
-        commit_msgs=$(git log --format="%s" "${BASE_BRANCH}..HEAD" 2>/dev/null | head -20)
+        commit_msgs=$(_safe_base_log --format="%s" | head -20)
         local quality_score
         quality_score=$(claude --print --output-format text -p "Rate the quality of these git commit messages on a scale of 0-100. Consider: focus (one thing per commit), clarity (describes the why), atomicity (small logical units). Reply with ONLY a number 0-100.
 
@@ -1276,8 +1317,7 @@ stage_review() {
     local diff_file="$ARTIFACTS_DIR/review-diff.patch"
     local review_file="$ARTIFACTS_DIR/review.md"
 
-    git diff "${BASE_BRANCH}...${GIT_BRANCH}" > "$diff_file" 2>/dev/null || \
-        git diff HEAD~5 > "$diff_file" 2>/dev/null || true
+    _safe_base_diff > "$diff_file" 2>/dev/null || true
 
     if [[ ! -s "$diff_file" ]]; then
         warn "No diff found — skipping review"
@@ -1290,13 +1330,13 @@ stage_review() {
     fi
 
     local diff_stats
-    diff_stats=$(git diff --stat "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null | tail -1 || echo "")
+    diff_stats=$(_safe_base_diff --stat | tail -1 || echo "")
     info "Running AI code review... ${DIM}($diff_stats)${RESET}"
 
     # Semantic risk scoring when intelligence is enabled
     if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local diff_files
-        diff_files=$(git diff --name-only "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null || true)
+        diff_files=$(_safe_base_diff --name-only || true)
         local risk_score="low"
         # Fast heuristic: flag high-risk file patterns
         if echo "$diff_files" | grep -qiE 'migration|schema|auth|crypto|security|password|token|secret|\.env'; then
@@ -1390,11 +1430,9 @@ $(cat "$dod_file")
 ## Diff to Review
 $(cat "$diff_file")"
 
-    # Build claude args — add --dangerously-skip-permissions in CI
-    local review_args=(--print --model "$review_model" --max-turns 25)
-    if [[ "${CI_MODE:-false}" == "true" ]]; then
-        review_args+=(--dangerously-skip-permissions)
-    fi
+    # Skip permissions — pipeline runs headlessly (claude -p) and has no terminal
+    # for interactive permission prompts. Same rationale as build stage (line ~1083).
+    local review_args=(--print --model "$review_model" --max-turns 25 --dangerously-skip-permissions)
 
     claude "${review_args[@]}" "$review_prompt" < /dev/null > "$review_file" 2>"${ARTIFACTS_DIR}/.claude-tokens-review.log" || true
     parse_claude_tokens "${ARTIFACTS_DIR}/.claude-tokens-review.log"
@@ -1539,15 +1577,143 @@ ${review_summary}
     log_stage "review" "AI review complete ($total_issues issues: $critical_count critical, $bug_count bugs, $warning_count suggestions)"
 }
 
+# ─── Compound Quality (fallback) ────────────────────────────────────────────
+# Basic implementation: adversarial review, negative testing, e2e checks, DoD audit.
+# If pipeline-intelligence.sh was sourced first, its enhanced version takes priority.
+if ! type stage_compound_quality >/dev/null 2>&1; then
+stage_compound_quality() {
+    CURRENT_STAGE_ID="compound_quality"
+
+    # Read stage config from pipeline template
+    local cfg
+    cfg=$(jq -r '.stages[] | select(.id == "compound_quality") | .config // {}' "$PIPELINE_CONFIG" 2>/dev/null) || cfg="{}"
+
+    local do_adversarial do_negative do_e2e do_dod max_cycles blocking
+    do_adversarial=$(echo "$cfg" | jq -r '.adversarial // false')
+    do_negative=$(echo "$cfg" | jq -r '.negative // false')
+    do_e2e=$(echo "$cfg" | jq -r '.e2e // false')
+    do_dod=$(echo "$cfg" | jq -r '.dod_audit // false')
+    max_cycles=$(echo "$cfg" | jq -r '.max_cycles // 1')
+    blocking=$(echo "$cfg" | jq -r '.compound_quality_blocking // false')
+
+    local pass_count=0 fail_count=0 total=0
+    local compound_log="$ARTIFACTS_DIR/compound-quality.log"
+    : > "$compound_log"
+
+    # ── Adversarial review ──
+    if [[ "$do_adversarial" == "true" ]]; then
+        total=$((total + 1))
+        info "Running adversarial review..."
+        if [[ -x "$SCRIPT_DIR/sw-adversarial.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-adversarial.sh" --repo "${REPO_DIR:-.}" >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "Adversarial review passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "Adversarial review found issues"
+            fi
+        else
+            warn "sw-adversarial.sh not found, skipping"
+        fi
+    fi
+
+    # ── Negative / edge-case testing ──
+    if [[ "$do_negative" == "true" ]]; then
+        total=$((total + 1))
+        info "Running negative test pass..."
+        if [[ -n "${TEST_CMD:-}" ]]; then
+            if eval "$TEST_CMD" >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "Negative test pass passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "Negative test pass found failures"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "No test command configured, skipping negative tests"
+        fi
+    fi
+
+    # ── E2E checks ──
+    if [[ "$do_e2e" == "true" ]]; then
+        total=$((total + 1))
+        info "Running e2e checks..."
+        if [[ -x "$SCRIPT_DIR/sw-e2e-orchestrator.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-e2e-orchestrator.sh" run >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "E2E checks passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "E2E checks found issues"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "sw-e2e-orchestrator.sh not found, skipping e2e"
+        fi
+    fi
+
+    # ── Definition of Done audit ──
+    if [[ "$do_dod" == "true" ]]; then
+        total=$((total + 1))
+        info "Running definition-of-done audit..."
+        if [[ -x "$SCRIPT_DIR/sw-quality.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-quality.sh" validate >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "DoD audit passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "DoD audit found gaps"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "sw-quality.sh not found, skipping DoD audit"
+        fi
+    fi
+
+    # ── Summary ──
+    log_stage "compound_quality" "Compound quality: $pass_count/$total checks passed, $fail_count failed"
+
+    if [[ "$fail_count" -gt 0 && "$blocking" == "true" ]]; then
+        error "Compound quality gate failed: $fail_count of $total checks failed"
+        return 1
+    fi
+
+    return 0
+}
+fi  # end fallback stage_compound_quality
+
 stage_pr() {
     CURRENT_STAGE_ID="pr"
     local plan_file="$ARTIFACTS_DIR/plan.md"
     local test_log="$ARTIFACTS_DIR/test-results.log"
     local review_file="$ARTIFACTS_DIR/review.md"
 
+    # ── Skip PR in local/no-github mode ──
+    if [[ "${NO_GITHUB:-false}" == "true" || "${SHIPWRIGHT_LOCAL:-}" == "1" || "${LOCAL_MODE:-false}" == "true" ]]; then
+        info "Skipping PR stage — running in local/no-github mode"
+        # Save a PR draft locally for reference
+        local branch_name
+        branch_name=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
+        local commit_count
+        commit_count=$(_safe_base_log --oneline | wc -l | xargs)
+        {
+            echo "# PR Draft (local mode)"
+            echo ""
+            echo "**Branch:** ${branch_name}"
+            echo "**Commits:** ${commit_count:-0}"
+            echo "**Goal:** ${GOAL:-N/A}"
+            echo ""
+            echo "## Changes"
+            _safe_base_diff --stat || true
+        } > ".claude/pr-draft.md" 2>/dev/null || true
+        emit_event "pr.skipped" "issue=${ISSUE_NUMBER:-0}" "reason=local_mode"
+        return 0
+    fi
+
     # ── PR Hygiene Checks (informational) ──
     local hygiene_commit_count
-    hygiene_commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    hygiene_commit_count=$(_safe_base_log --oneline | wc -l | xargs)
     hygiene_commit_count="${hygiene_commit_count:-0}"
 
     if [[ "$hygiene_commit_count" -gt 20 ]]; then
@@ -1556,7 +1722,7 @@ stage_pr() {
 
     # Check for WIP/fixup/squash commits (expanded patterns)
     local wip_commits
-    wip_commits=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | grep -ciE '^[0-9a-f]+ (WIP|fixup!|squash!|TODO|HACK|TEMP|BROKEN|wip[:-]|temp[:-]|broken[:-]|do not merge)' || true)
+    wip_commits=$(_safe_base_log --oneline | grep -ciE '^[0-9a-f]+ (WIP|fixup!|squash!|TODO|HACK|TEMP|BROKEN|wip[:-]|temp[:-]|broken[:-]|do not merge)' || true)
     wip_commits="${wip_commits:-0}"
     if [[ "$wip_commits" -gt 0 ]]; then
         warn "Branch has ${wip_commits} WIP/fixup/squash/temp commit(s) — consider cleaning up"
@@ -1564,7 +1730,7 @@ stage_pr() {
 
     # ── PR Quality Gate: reject PRs with no real code changes ──
     local real_files
-    real_files=$(git diff --name-only "${BASE_BRANCH}...HEAD" 2>/dev/null | grep -v '^\.claude/' | grep -v '^\.github/' || true)
+    real_files=$(_safe_base_diff --name-only | grep -v '^\.claude/' | grep -v '^\.github/' || true)
     if [[ -z "$real_files" ]]; then
         error "No real code changes detected — only pipeline artifacts (.claude/ logs)."
         error "The build agent did not produce meaningful changes. Skipping PR creation."
@@ -1614,7 +1780,7 @@ stage_pr() {
         if [[ "$sim_enabled" == "true" ]]; then
             info "Running developer simulation review..."
             local diff_for_sim
-            diff_for_sim=$(git diff "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+            diff_for_sim=$(_safe_base_diff || true)
             if [[ -n "$diff_for_sim" ]]; then
                 local sim_result
                 sim_result=$(simulation_review "$diff_for_sim" "${GOAL:-}" 2>/dev/null || echo "")
@@ -1644,7 +1810,7 @@ stage_pr() {
         if [[ "$arch_enabled" == "true" ]]; then
             info "Validating architecture..."
             local diff_for_arch
-            diff_for_arch=$(git diff "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+            diff_for_arch=$(_safe_base_diff || true)
             if [[ -n "$diff_for_arch" ]]; then
                 local arch_result
                 arch_result=$(architecture_validate_changes "$diff_for_arch" "" 2>/dev/null || echo "")
@@ -1668,10 +1834,10 @@ stage_pr() {
 
     # Pre-PR diff gate — verify meaningful code changes exist (not just bookkeeping)
     local real_changes
-    real_changes=$(git diff --name-only "origin/${BASE_BRANCH:-main}...HEAD" \
+    real_changes=$(_safe_base_diff --name-only \
         -- . ':!.claude/loop-state.md' ':!.claude/pipeline-state.md' \
         ':!.claude/pipeline-artifacts/*' ':!**/progress.md' \
-        ':!**/error-summary.json' 2>/dev/null | wc -l | xargs || echo "0")
+        ':!**/error-summary.json' | wc -l | xargs || echo "0")
     if [[ "${real_changes:-0}" -eq 0 ]]; then
         error "No meaningful code changes detected — only bookkeeping files modified"
         error "Refusing to create PR with zero real changes"
@@ -1726,10 +1892,10 @@ stage_pr() {
     [[ -n "${GITHUB_ISSUE:-}" ]] && closes_line="Closes ${GITHUB_ISSUE}"
 
     local diff_stats
-    diff_stats=$(git diff --stat "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null | tail -1 || echo "")
+    diff_stats=$(_safe_base_diff --stat | tail -1 || echo "")
 
     local commit_count
-    commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    commit_count=$(_safe_base_log --oneline | wc -l | xargs)
 
     local total_dur=""
     if [[ -n "$PIPELINE_START_EPOCH" ]]; then
@@ -1774,7 +1940,7 @@ EOF
     risk_tier="low"
     if [[ -f "$REPO_DIR/config/policy.json" ]]; then
         local changed_files
-        changed_files=$(git diff --name-only "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+        changed_files=$(_safe_base_diff --name-only || true)
         if [[ -n "$changed_files" ]]; then
             local policy_file="$REPO_DIR/config/policy.json"
             check_tier_match() {
@@ -1906,7 +2072,7 @@ EOF
             codeowners_json=$(gh_codeowners "$REPO_OWNER" "$REPO_NAME" 2>/dev/null || echo "[]")
             if [[ "$codeowners_json" != "[]" && -n "$codeowners_json" ]]; then
                 local changed_files
-                changed_files=$(git diff --name-only "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+                changed_files=$(_safe_base_diff --name-only || true)
                 if [[ -n "$changed_files" ]]; then
                     local co_reviewers
                     co_reviewers=$(echo "$codeowners_json" | jq -r '.[].owners[]' 2>/dev/null | sort -u | head -3 || true)
@@ -1980,13 +2146,14 @@ stage_merge() {
         local merge_diff_file="${ARTIFACTS_DIR}/review-diff.patch"
         local merge_review_file="${ARTIFACTS_DIR}/review.md"
         if [[ ! -s "$merge_diff_file" ]]; then
-            git diff "${BASE_BRANCH}...${GIT_BRANCH}" > "$merge_diff_file" 2>/dev/null || \
-                git diff HEAD~5 > "$merge_diff_file" 2>/dev/null || true
+            _safe_base_diff > "$merge_diff_file" 2>/dev/null || true
         fi
         if [[ -s "$merge_diff_file" ]]; then
             local _merge_critical _merge_sec _merge_blocking _merge_reject
-            _merge_critical=$(grep -ciE '\*\*\[?Critical\]?\*\*' "$merge_review_file" 2>/dev/null || echo "0")
-            _merge_sec=$(grep -ciE '\*\*\[?Security\]?\*\*' "$merge_review_file" 2>/dev/null || echo "0")
+            _merge_critical=$(grep -ciE '\*\*\[?Critical\]?\*\*' "$merge_review_file" 2>/dev/null || true)
+            _merge_critical="${_merge_critical:-0}"
+            _merge_sec=$(grep -ciE '\*\*\[?Security\]?\*\*' "$merge_review_file" 2>/dev/null || true)
+            _merge_sec="${_merge_sec:-0}"
             _merge_blocking=$((${_merge_critical:-0} + ${_merge_sec:-0}))
             [[ "$_merge_blocking" -gt 0 ]] && _merge_reject="Review found ${_merge_blocking} critical/security issue(s)"
             if ! bash "$SCRIPT_DIR/sw-oversight.sh" gate --diff "$merge_diff_file" --description "${GOAL:-Pipeline merge}" --reject-if "${_merge_reject:-}" >/dev/null 2>&1; then

package/scripts/lib/pipeline-state.sh

@@ -176,6 +176,13 @@ mark_stage_complete() {
     write_state
 
     record_stage_effectiveness "$stage_id" "complete"
+
+    # Record stage completion in SQLite pipeline_stages table
+    if type record_stage >/dev/null 2>&1; then
+        local _stage_secs
+        _stage_secs=$(get_stage_timing_seconds "$stage_id")
+        record_stage "${SHIPWRIGHT_PIPELINE_ID:-}" "$stage_id" "complete" "${_stage_secs:-0}" "" 2>/dev/null || true
+    fi
     # Update memory baselines and predictive baselines for stage durations
     if [[ "$stage_id" == "test" || "$stage_id" == "build" ]]; then
         local secs
@@ -354,6 +361,13 @@ mark_stage_failed() {
     log_stage "$stage_id" "failed (${timing})"
     write_state
 
+    # Record stage failure in SQLite pipeline_stages table
+    if type record_stage >/dev/null 2>&1; then
+        local _stage_secs
+        _stage_secs=$(get_stage_timing_seconds "$stage_id")
+        record_stage "${SHIPWRIGHT_PIPELINE_ID:-}" "$stage_id" "failed" "${_stage_secs:-0}" "" 2>/dev/null || true
+    fi
+
     # Update GitHub progress + comment failure
     if [[ -n "$ISSUE_NUMBER" ]]; then
         local body

package/scripts/postinstall.mjs

@@ -11,8 +11,11 @@ import {
   readFileSync,
   writeFileSync,
   appendFileSync,
+  chmodSync,
+  readdirSync,
 } from "fs";
-import { join } from "path";
+import { join, basename } from "path";
+import { execSync } from "child_process";
 
 const HOME = process.env.HOME || process.env.USERPROFILE;
 const PKG_DIR = join(import.meta.dirname, "..");
@@ -130,6 +133,77 @@ try {
     success("Migrated legacy config (originals preserved)");
   }
 
+  // Set executable bits on all scripts (npm strips them on some platforms)
+  const scriptsDir = join(PKG_DIR, "scripts");
+  if (existsSync(scriptsDir)) {
+    let madeExecutable = 0;
+    for (const file of readdirSync(scriptsDir)) {
+      const fp = join(scriptsDir, file);
+      try {
+        chmodSync(fp, 0o755);
+        madeExecutable++;
+      } catch (_) {
+        // skip non-files
+      }
+    }
+    const libDir = join(scriptsDir, "lib");
+    if (existsSync(libDir)) {
+      for (const file of readdirSync(libDir)) {
+        try {
+          chmodSync(join(libDir, file), 0o755);
+          madeExecutable++;
+        } catch (_) {}
+      }
+    }
+    success(`Set executable bits on ${madeExecutable} scripts`);
+  }
+
+  // Install shell completions for the user's current shell
+  const completionsDir = join(PKG_DIR, "completions");
+  if (existsSync(completionsDir)) {
+    const shell = basename(process.env.SHELL || "/bin/bash");
+    try {
+      if (shell === "bash") {
+        const dest =
+          process.env.BASH_COMPLETION_USER_DIR ||
+          join(
+            process.env.XDG_DATA_HOME || join(HOME, ".local", "share"),
+            "bash-completion",
+            "completions",
+          );
+        ensureDir(dest);
+        cpSync(
+          join(completionsDir, "shipwright.bash"),
+          join(dest, "shipwright"),
+        );
+        cpSync(join(completionsDir, "shipwright.bash"), join(dest, "sw"));
+        success(`Installed bash completions to ${dest}`);
+      } else if (shell === "zsh") {
+        const dest = join(HOME, ".zfunc");
+        ensureDir(dest);
+        cpSync(join(completionsDir, "_shipwright"), join(dest, "_shipwright"));
+        cpSync(join(completionsDir, "_shipwright"), join(dest, "_sw"));
+        success(`Installed zsh completions to ${dest}`);
+      } else if (shell === "fish") {
+        const dest = join(
+          process.env.XDG_CONFIG_HOME || join(HOME, ".config"),
+          "fish",
+          "completions",
+        );
+        ensureDir(dest);
+        cpSync(
+          join(completionsDir, "shipwright.fish"),
+          join(dest, "shipwright.fish"),
+        );
+        cpSync(join(completionsDir, "shipwright.fish"), join(dest, "sw.fish"));
+        success(`Installed fish completions to ${dest}`);
+      }
+    } catch (e) {
+      warn(`Could not auto-install completions: ${e.message}`);
+      info(`Run: shipwright init  (or: bash scripts/install-completions.sh)`);
+    }
+  }
+
   // Print success banner
   console.log();
   console.log(`${GREEN}${BOLD}Shipwright CLI installed!${RESET} Next steps:`);

package/scripts/signals/example-collector.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# ╔═══════════════════════════════════════════════════════════════════════════╗
+# ║  Example External Signal Collector for Shipwright Decision Engine        ║
+# ║  Place custom collectors in scripts/signals/ — they're auto-discovered  ║
+# ╚═══════════════════════════════════════════════════════════════════════════╝
+#
+# Output: one JSON candidate per line (JSONL).
+# Required fields: id, signal, category, title, description, risk_score,
+#                  confidence, dedup_key
+# Optional fields: evidence (object)
+#
+# The decision engine collects output from all scripts/signals/*.sh files,
+# validates each line as JSON, and includes valid candidates in the scoring
+# pipeline.
+#
+# Categories (determines autonomy tier):
+#   auto:    deps_patch, deps_minor, security_patch, test_coverage,
+#            doc_sync, dead_code
+#   propose: refactor_hotspot, architecture_drift, performance_regression,
+#            deps_major, security_critical, recurring_failure, dora_regression
+#   draft:   new_feature, breaking_change, business_logic, api_change,
+#            data_model_change
+#
+# Example: detect a custom condition and emit a candidate
+#
+
+set -euo pipefail
+
+# Example: check if a TODO count exceeds a threshold
+TODO_COUNT=$(grep -r "TODO" --include="*.ts" --include="*.js" --include="*.sh" . 2>/dev/null | wc -l | tr -d ' ' || echo "0")
+
+if [[ "${TODO_COUNT:-0}" -gt 50 ]]; then
+    cat <<EOF
+{"id":"custom-todo-cleanup","signal":"custom","category":"dead_code","title":"Clean up ${TODO_COUNT} TODOs","description":"Codebase has ${TODO_COUNT} TODO comments — consider a cleanup sprint","evidence":{"todo_count":${TODO_COUNT}},"risk_score":15,"confidence":"0.70","dedup_key":"custom:todo:cleanup"}
+EOF
+fi

package/scripts/sw

@@ -5,7 +5,7 @@
 # ╚═══════════════════════════════════════════════════════════════════════════╝
 set -euo pipefail
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 
 # Resolve symlinks (required for npm global install where bin/ symlinks to node_modules/)
 SOURCE="${BASH_SOURCE[0]}"
@@ -193,7 +193,8 @@ route_quality() {
         security-audit|audit) exec "$SCRIPT_DIR/sw-security-audit.sh" "$@" ;;
         testgen)          exec "$SCRIPT_DIR/sw-testgen.sh" "$@" ;;
         hygiene)          exec "$SCRIPT_DIR/sw-hygiene.sh" "$@" ;;
-        help|*) echo "Usage: shipwright quality {code-review|security-audit|testgen|hygiene}"; exit 1 ;;
+        validate|gate)    exec "$SCRIPT_DIR/sw-quality.sh" "$@" ;;
+        help|*) echo "Usage: shipwright quality {code-review|security-audit|testgen|hygiene|validate}"; exit 1 ;;
     esac
 }
 
@@ -530,14 +531,17 @@ main() {
         evidence|ev)
             exec "$SCRIPT_DIR/sw-evidence.sh" "$@"
             ;;
+        decide)
+            exec "$SCRIPT_DIR/sw-decide.sh" "$@"
+            ;;
         otel)
             exec "$SCRIPT_DIR/sw-otel.sh" "$@"
             ;;
         triage)
             exec "$SCRIPT_DIR/sw-triage.sh" "$@"
             ;;
-        quality)
-            exec "$SCRIPT_DIR/sw-quality.sh" "$@"
+        pipeline-composer|composer)
+            exec "$SCRIPT_DIR/sw-pipeline-composer.sh" "$@"
             ;;
         oversight)
             exec "$SCRIPT_DIR/sw-oversight.sh" "$@"

package/scripts/sw-activity.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────

package/scripts/sw-adaptive.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # ─── Cross-platform compatibility ──────────────────────────────────────────

package/scripts/sw-adversarial.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 

package/scripts/sw-architecture-enforcer.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 

package/scripts/sw-auth.sh

@@ -6,7 +6,7 @@
 set -euo pipefail
 trap 'echo "ERROR: $BASH_SOURCE:$LINENO exited with status $?" >&2' ERR
 
-VERSION="3.0.0"
+VERSION="3.1.0"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"