voidforge-build 23.12.1 → 23.12.2

package/dist/.claude/commands/git.md

@@ -53,11 +53,12 @@ Update all version files:
 3. Update `VERSION.md`:
    - Change "**Current:** X.Y.Z" to the new version
    - Add a row to the Version History table with date and one-line summary
-4. Update `package.json` version field
+4. Update the version in **every** versioned `package.json`. For a single-package repo that is the root `package.json`. For a workspaces/monorepo it is each non-private workspace package — VoidForge has **two**: `packages/voidforge/package.json` and `packages/methodology/package.json` (the root is `"private": true` with no version). **Also bump any internal dep pin:** when one workspace package depends on a sibling, set the range to `^<new-version>` — for VoidForge, `voidforge-build`'s `voidforge-build-methodology` dependency, per ADR-062. A bump that updates one package but not its sibling or the pin ships an inconsistent release (and the Step 7 publish skips any package whose version doesn't match).
+5. **Re-sync tracked generated copies of release files.** If a source file changed this release has a tracked copy that is regenerated at publish, re-sync it so the in-repo copy doesn't go stale between releases. VoidForge: `packages/methodology/CLAUDE.md` is the root `CLAUDE.md` with the ADR-058 template block stripped — `sed '/<!-- REMOVE-FOR-NPM-PUBLISH/,/END-REMOVE-FOR-NPM-PUBLISH -->/d' CLAUDE.md > packages/methodology/CLAUDE.md`.
 
 ## Step 4 — Commit (Rogers)
 Stage and commit:
-1. Stage all modified version files: `VERSION.md`, `CHANGELOG.md`, `package.json`
+1. Stage all modified version files: `VERSION.md`, the active changelog (`CHANGELOG.md` or `PROJECT_VERSION.md`), **every** bumped `package.json` (all workspace packages, not just the root), and any generated copy re-synced in Step 3
 2. Stage any other files that are part of this release (from Step 0)
 3. Craft commit message in the format: `vX.Y.Z: One-line summary`
    - If elaboration needed, add a blank line then details
@@ -78,7 +79,8 @@ Confirm everything is consistent:
 1. Run `git log -1 --format="%H %s"` — verify the commit exists and message is correct
 2. Check version consistency:
    - `VERSION.md` current version matches
-   - `package.json` version matches
+   - **every** versioned `package.json` matches the new version (all workspace packages, not just the root), and any internal dep pin reads `^<new-version>` (ADR-062)
+   - any tracked generated copy re-synced in Step 3 reflects this release (VoidForge: `packages/methodology/CLAUDE.md` diff against the stripped root `CLAUDE.md` is empty)
    - The **active changelog** (PROJECT_VERSION.md if present, else CHANGELOG.md) has an entry for this version
    - Commit message starts with the correct version tag
    - `git tag --list vX.Y.Z` returns the tag (unless `--no-tag` was used)

package/dist/CHANGELOG.md

@@ -6,6 +6,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
 
 ---
 
+## [23.12.2] - 2026-06-09
+
+### `/git` monorepo release-discipline fix
+
+A review of `/git` after the v23.12.0/.1 releases found that its version-*bump* steps (3–5) still assumed a single `package.json` — even though its *publish* step (7) was already monorepo-aware. On this two-package monorepo that meant `/git` would have bumped only one (nonexistent root) `package.json` and missed both workspace packages and the ADR-062 dep pin — exactly the three things bumped by hand in v23.12.0 and v23.12.1. Same doc↔reality drift class as #320/#342.
+
+### Changed
+
+- **`.claude/commands/git.md` Step 3** — bump **every** versioned `package.json` (names both `packages/voidforge` and `packages/methodology`; notes the root is `"private"` with no version), **bump the internal dep pin** `voidforge-build-methodology` → `^<new-version>` (ADR-062), and **re-sync tracked generated copies** (`packages/methodology/CLAUDE.md` via the ADR-058 `sed` strip). Steps 4 (staging) and 5 (verify) updated to check all workspace packages + the pin + the generated copy.
+- **`docs/methods/RELEASE_MANAGER.md` `/git --npm` section** — added two troubleshooting rules learned this session:
+  - **`npm error E404` on publish = account/scope, not expiry.** npm returns 404 (not 403) on publish to hide package existence, so E404 means the credential lacks write access to *that package* — wrong-account token, unscoped/read-only granular token, or wrong registry. Check `npm owner ls <pkg>` and verify the token's account (`npm whoami --userconfig`) *before* rotating. In CI the local preflight doesn't run, so an E404 points at the `NPM_TOKEN` secret's account. (Cites the incident where a v23.12.x publish failed E404 four times on a token minted from a non-owner account.)
+  - **Sequential oldest-first publish** when catching up multiple unpublished versions, so the `latest` dist-tag lands on the newest semver rather than whichever CI run finished last.
+
+### Pipeline
+
+First release cut via the corrected `/git` procedure (dogfood) — both packages and the dep pin bumped together. Dep range `^23.12.1` → `^23.12.2` (ADR-062).
+
+---
+
 ## [23.12.1] - 2026-06-09
 
 ### Follow-on triage — #354/#355 (8 fixes) + chronic CI-check fix

package/dist/VERSION.md

@@ -1,6 +1,6 @@
 # Version
 
-**Current:** 23.12.1
+**Current:** 23.12.2
 
 ## Versioning Scheme
 
@@ -14,6 +14,7 @@ This project uses [Semantic Versioning](https://semver.org/):
 
 | Version | Date | Summary |
 |---------|------|---------|
+| 23.12.2 | 2026-06-09 | `/git` monorepo release-discipline fix. The `/git` command's version-bump steps (3–5) assumed a single `package.json` and would have under-bumped this monorepo — missing the second workspace package and the ADR-062 dep pin (both bumped by hand in v23.12.0/.1). `git.md` Step 3 now bumps **every** versioned `package.json` + the `voidforge-build-methodology` dep pin + re-syncs the tracked `packages/methodology/CLAUDE.md` generated copy; Steps 4/5 staging+verify updated to match. `RELEASE_MANAGER.md` gains two troubleshooting rules paid for this session: **E404-on-publish = wrong npm account/scope, not expiry** (check `npm owner ls` first; in CI it's the `NPM_TOKEN` secret's account — cites the four-failed-runs incident where a rotated token was from a non-owner account) and **sequential oldest-first multi-version publish** so `latest` lands on the newest semver. First release cut via the corrected procedure (dogfood). Dep range `^23.12.1` → `^23.12.2`. |
 | 23.12.1 | 2026-06-09 | Follow-on field-report pass — `/debrief --inbox` triaged #354/#355 (filed during the v23.12.0 run) against the post-v23.12.0 tree and applied 8 fixes across 15 files. #354: port the vote-based REFUTE lens from /gauntlet into `/engage` + `/sentinel` (they used the old "second agent disagrees → drop" model), name find→cluster→3-lens-verify as the default review shape in `SUB_AGENTS.md`, **enforcement-keyed severity rubric** (a server-enforced client affordance leak is UX P2/P3, not a P0 breach — `SECURITY_AUDITOR.md`/`PRODUCT_DESIGN_FRONTEND.md`/`/ux`/`/sentinel`), "isolation-green ≠ deploy-green" (`BUILD_PROTOCOL.md`/`/deploy`/`QA_ENGINEER.md`), boot-time DDL-ownership class (`DEVOPS_ENGINEER.md`/`database-migration.ts`). #355: **contrast findings must cite literal source hex for fg+bg with file:line + re-grep the pairing before Critical** (token NAMES ≠ VALUES — defends against the false site-wide Critical; `PRODUCT_DESIGN_FRONTEND.md`/`GAUNTLET.md`/Samwise), **glob-derived fan-out work-lists + mandatory post-fan-out residual sweep** (`CAMPAIGN.md`/`SUB_AGENTS.md`/herald), focused single-lens roster cap + surface-partition (herald/`/ux`/`GAUNTLET.md`), per-wave staging deploy = status checkpoint inlined in CAMPAIGN action prose (verify pass overturned a false already-fixed). #355 F5 confirmed already-shipped (derived-counts doctrine). Also: **fixed the chronically-red `validate-branches.yml` slash-command CI check** (its grep mis-read `/docs/*` Docs-Reference rows as commands — the #352 "gate that doesn't gate" class) and registered `/audit-docs` in the CLAUDE.md Slash Commands table. Dep range `^23.12.0` → `^23.12.1`. |
 | 23.12.0 | 2026-06-09 | The v23.12 methodology pass — `/debrief --inbox` triaged all 12 open field reports (#342–#353) and applied every accepted fix in one session via two-phase workflow orchestration (triage → apply), with an adversarial verify pass on every file. 58 fixes across 32 files + 5 new files. 7 clusters: **verify-the-FIX** (the adversarial pass must vet the proposed fix, not just the finding — SUB_AGENTS.md, GAUNTLET.md, /engage; #348/#349/#350, M5 mint-fence incident); **production-config gate** (sandbox-green ≠ ship-ready — GAUNTLET.md prod-boot + sandbox-blind-spot round, CAMPAIGN.md Victory Checklist; #350); **Spring Cleaning consumer-vs-clone** (FORGE_KEEPER.md destructive-risk branch so app projects don't lose tsconfig/lockfiles; #343 F10); **Surfer roster sizing** (silver-surfer-herald.md scope_bias/scope_density/~18-cap + basename normalization; #343/#344/#345/#346); **creative/UX grounding** (world-scan + de-AI + token-scoped theming — ux.md, PRODUCT_DESIGN_FRONTEND.md, galadriel; #347/#351); **deploy/DevOps foot-guns** (DEVOPS_ENGINEER.md +13: eval-env, Node-MDWE, CF-Flexible, served-vs-built, compose-topology, docker-cleanup; #344/#349/#352/#353); **doc-currency** (CAMPAIGN/ASSEMBLER pre-SEAL refresh + new /audit-docs & DOC_AUDIT.md; #342). 3 new patterns (design-tokens.ts, nginx-vhost.conf, error-message-categorization.tsx; 48 → 51) + new /audit-docs command + DOC_AUDIT.md + scripts/regen-claude-md.sh. CLAUDE.md Personality +2 (anti-picker #343, authorized-autonomy #344), gate-timing #348, roster normalization #345. Dep range `^23.11.4` → `^23.12.0` (ADR-062). #349 F-4 and #352 #3 were already shipped (verified); #345 DEAL-004 + #353 RC-001/002/callout out of scope (Claude Code core / Workflow tool). |
 | 23.11.4 | 2026-05-12 | Wong promotion cluster + #260 closeout. /debrief --inbox re-triage of all 9 open field-report issues produced 3 ready-now promotion clusters (3+ data points across different reports each). BUILD_PROTOCOL.md Principle #11 "Derived counts discipline" (from #336 F6, #334 F6, #332 hidden #5 — three projects independently drifted the same class). New pattern `docs/patterns/autonomous-ops-triage-policy.md` codifying the 4-bucket model + SessionStart hook visibility rule (from #337 F3, #336 F7, #334 F5 — two operators independently reinvented). CAMPAIGN.md Planning Mode Step 4 "Scope-adversary check for bug classes" (from #332, #338 #2 — voidforge-marketing-site missed `/patterns` because the bug class scope was narrowed). Also closes #260 remaining items: PRODUCT_DESIGN_FRONTEND.md Operating Rule #12 "Tutorial-context checklist for slash commands" + QA_ENGINEER.md Operating Rule #13 "Tutorial smoke test for slash commands." Dep range `^23.11.3` → `^23.11.4` per ADR-062 discipline. Pattern count 47 → 48. 11 field reports remain open for v23.12 methodology pass. |

package/dist/docs/methods/RELEASE_MANAGER.md

@@ -164,6 +164,10 @@ When the user passes `--npm` to `/git`, run npm publish after the commit + tag +
 - On `EPUBLISHCONFLICT` (version exists), stop. The user must bump and re-run; do not attempt to dist-tag around it.
 - Scoped/private packages are skipped silently unless the user explicitly names them.
 
+**Troubleshooting `npm error E404` on publish (account/scope, NOT expiry).** When `npm publish` returns `404 Not Found - PUT https://registry.npmjs.org/<pkg> — '<pkg>@x.y.z' is not in this registry`, the package is **not** the problem — npm returns **404 instead of 403 on publish to avoid leaking package existence**, so E404 almost always means the credential lacks write access to *that package*: (a) the token belongs to an account that is not a maintainer (`npm owner ls <pkg>` shows who is), (b) a **granular** token wasn't scoped to the package or is read-only, or (c) wrong registry. Do NOT assume the token merely expired and rotate to another wrong-account token. Verify the token's account first: `printf '//registry.npmjs.org/:_authToken=%s\n' "$TOK" > /tmp/npmrc && npm whoami --userconfig /tmp/npmrc` — it must print a maintainer from `npm owner ls`. In CI (tag-push publish), the local `npm whoami` preflight does **not** run, so an E404 there points at the `NPM_TOKEN` secret's account/scope, not a local login. (Field incident: a v23.12.x publish failed E404 four times because the rotated token was minted from a non-owner npm account before the owner account was identified via `npm owner ls`.)
+
+**`latest` dist-tag ordering on a multi-version publish.** When two versioned tags are both unpublished (e.g. a failed earlier release plus the current one), publish them **sequentially, oldest first** — let `vX.Y.Z` finish before pushing/publishing `vX.Y.(Z+1)` — so `latest` lands on the newest semver. Pushing multiple tags at once races CI and `latest` can settle on whichever finished last; verify with `npm view <name> dist-tags` and repoint with `npm dist-tag add <name>@<newest> latest` if needed.
+
 ## Per-Commit CHANGELOG Discipline
 
 CHANGELOG drift accumulates silently when entries are deferred to session boundaries. By the time someone notices, the test count trajectory is wrong and the per-mission delta is unrecoverable from the diff alone.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "voidforge-build",
-  "version": "23.12.1",
+  "version": "23.12.2",
   "description": "From nothing, everything. A methodology framework for building with Claude Code.",
   "type": "module",
   "engines": {
@@ -45,7 +45,7 @@
     "@aws-sdk/client-rds": "^3.700.0",
     "@aws-sdk/client-s3": "^3.700.0",
     "@aws-sdk/client-sts": "^3.700.0",
-    "voidforge-build-methodology": "^23.12.1",
+    "voidforge-build-methodology": "^23.12.2",
     "node-pty": "^1.2.0-beta.12",
     "ws": "^8.19.0"
   },