worclaude 2.4.11 → 2.4.13

package/CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to worclaude are documented in this file. Format loosely fol
 
 ## [Unreleased]
 
+## [2.4.12] — 2026-04-20
+
+Internal fix release — first post-v2.4.11 `upstream-check` run on `main` (workflow run 24693290867) failed with `error_max_turns / num_turns: 16` at the Claude cross-reference step. Not a parser issue: the v2.4.11 format-drift fix still works; Claude simply couldn't fit the workload into 15 turns. The prompt requires ~9 `Read` calls (feed inputs + `.claude/commands/upstream-check.md` + cross-reference against agents/commands/hooks templates, `src/data/agents.js`, `src/data/agent-registry.js`, `docs/spec/BACKLOG-v2.1.md`, `CLAUDE.md`) before the final response — each Read burns a turn, so 15 was tight by luck, not by design.
+
+### Fixed
+
+- `.github/workflows/upstream-check.yml` — `--max-turns` bumped from 15 to 25 in the `claude_args` string. Gives comfortable headroom for reads + reasoning + response without being excessive. If the cross-reference list grows further, revisit.
+
 ## [2.4.11] — 2026-04-20
 
 Internal fix release — the `upstream-check` workflow parser has been unable to classify any item correctly since the `anthropics/claude-code-action` SHA was pinned to v1.0.101. The action writes `$RUNNER_TEMP/claude-execution-output.json` as a pretty-printed JSON array (`JSON.stringify(messages, null, 2)`), not the newline-delimited JSONL our parser assumed. Every per-line `JSON.parse` failed on fragments like `[` and `{`, so `extractAssistantText` always returned `null` and the parser fell through to the raw-content fallback — which never matched the `SKIP_ISSUE` / `# Title: ` contract, producing a parse-error fallback issue on every run with new items. Misdiagnosed as prompt/contract drift (issue #89); the 2.4.10 fallback-size fix delivered the diagnostic (issue #91) that revealed the real cause.

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+sefaertunc@gmail.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

package/CONTRIBUTING.md

@@ -0,0 +1,132 @@
+# Contributing to Worclaude
+
+Thanks for your interest in contributing to Worclaude! Whether it's a bug report, feature idea, or pull request, your input helps make this tool better for everyone.
+
+## Branching Strategy
+
+```
+feature-branch ──PR──▶ develop ──PR──▶ main (release)
+                           │
+                           └── gh-pages (docs, auto-deployed)
+```
+
+| Branch     | Purpose             | Who can push             | Who can PR to it                     |
+| ---------- | ------------------- | ------------------------ | ------------------------------------ |
+| `develop`  | Active development  | Maintainer               | Contributors (from feature branches) |
+| `main`     | Production releases | Maintainer               | Maintainer only (from `develop`)     |
+| `gh-pages` | Documentation site  | Maintainer (auto-deploy) | Nobody                               |
+
+**Contributors only interact with `develop`.** Fork the repo, create a feature branch from `develop`, and open a PR back to `develop`. You cannot push or open PRs against `main` — they will be closed.
+
+## Development Setup
+
+```bash
+git clone https://github.com/sefaertunc/Worclaude.git
+cd Worclaude
+git checkout develop
+npm install
+npm test
+npm run lint
+```
+
+Run the CLI locally during development:
+
+```bash
+node src/index.js init
+node src/index.js status
+```
+
+## Using the Worclaude Workflow
+
+If you have [Claude Code](https://claude.com/claude-code), this project includes a 6-stage workflow pipeline to guide contributions:
+
+`/start` → `/review-plan` → implement → `/review-changes` → `/verify` → `/commit-push-pr`
+
+Run these as slash commands in Claude Code for a guided experience.
+
+## Pull Request Guidelines
+
+1. Fork the repo and create a branch from `develop`
+2. Make your changes in focused, logical commits
+3. Write or update tests for any new functionality
+4. Run the full test suite: `npm test`
+5. Run the linter: `npm run lint`
+6. Run the formatter: `npm run format`
+7. Open a PR **targeting `develop`** with a clear description of the change
+
+**Never open PRs against `main`** — they will be closed. Only the maintainer merges `develop` into `main` for releases.
+
+Keep PRs focused on a single concern. If you're fixing a bug and adding a feature, split them into separate PRs.
+
+### What CI Checks
+
+Every PR is validated by CI before merge:
+
+- **Tests** — full test suite across Node 18, 20, and 22
+- **ESLint** — code quality and style rules
+- **Prettier** — formatting consistency check
+- **Branch** — must be up-to-date with `develop`
+
+## Release Process (maintainer only)
+
+Releases are cut from `main` and published automatically by GitHub Actions with
+npm provenance (SLSA attestations).
+
+1. Open a PR from `develop` to `main` containing the version bump (handled by `/sync`).
+2. After merge, create a GitHub Release against `main` with tag `vX.Y.Z`.
+3. The `.github/workflows/release.yml` workflow runs `npm publish --provenance`.
+4. Verify the "Provenance" badge on `https://www.npmjs.com/package/worclaude`.
+
+Do not run `npm publish` from a local machine — manual publishes omit provenance
+and weaken the Snyk security score.
+
+## Reporting Bugs
+
+Open an issue on [GitHub Issues](https://github.com/sefaertunc/Worclaude/issues) with:
+
+- A clear, descriptive title
+- Steps to reproduce the problem
+- Expected behavior vs actual behavior
+- Your Node.js version and OS
+- Any relevant error output
+
+## Suggesting Features
+
+Open an issue on [GitHub Issues](https://github.com/sefaertunc/Worclaude/issues) with the **enhancement** label. Describe the use case and how you envision the feature working.
+
+## Code Style
+
+This project uses ESLint and Prettier for consistent formatting. Before submitting:
+
+```bash
+npm run format    # Auto-format with Prettier
+npm run lint      # Check for lint errors
+```
+
+All code must pass both checks. The CI pipeline enforces this automatically.
+
+## Testing
+
+We use [Vitest](https://vitest.dev/) for testing. All tests must pass before a PR can be merged:
+
+```bash
+npm test          # Run the full test suite
+```
+
+When adding new features, include tests that cover:
+
+- The expected happy path
+- Edge cases and error conditions
+- Integration with existing commands (init, upgrade, status)
+
+Test all three scenarios (fresh project, existing project, upgrade) if your change touches merge logic or file generation.
+
+## Template Format Requirements
+
+- **Skills** must be in directory format: `templates/skills/universal/skill-name.md` is the source, scaffolded as `.claude/skills/skill-name/SKILL.md` in user projects. Flat `.md` files in `.claude/skills/` are silently ignored by Claude Code.
+- **Agents** must have both `name` and `description` in YAML frontmatter. Without `description`, agents are invisible to Claude Code's `/agents` and routing system.
+- **Commands** are flat `.md` files in `templates/commands/` and scaffolded as `.claude/commands/command-name.md`. This is the legacy format and is supported.
+
+## Questions?
+
+Open a discussion on GitHub or mention it in your issue/PR. We're happy to help.

package/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.4.x   | :white_check_mark: |
+| < 2.4   | :x:                |
+
+## Reporting a Vulnerability
+
+Please report security issues privately via
+[GitHub Security Advisories](https://github.com/sefaertunc/Worclaude/security/advisories/new).
+This is the preferred channel — it lets us coordinate a fix before disclosure.
+
+As a fallback, you may email **sefaertunc@gmail.com**.
+
+Please do **not** open a public issue for security vulnerabilities.
+
+You can expect an initial response within 48 hours.
+If the vulnerability is accepted, a fix will be prioritized and released as a patch version.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "worclaude",
-  "version": "2.4.11",
+  "version": "2.4.13",
   "description": "The Workflow Layer for Claude Code — scaffold agents, commands, skills, hooks, and memory into any project",
   "type": "module",
   "bin": {
@@ -12,6 +12,9 @@
     "templates/",
     "README.md",
     "CHANGELOG.md",
+    "CONTRIBUTING.md",
+    "CODE_OF_CONDUCT.md",
+    "SECURITY.md",
     "LICENSE"
   ],
   "repository": {
@@ -22,6 +25,7 @@
   "bugs": {
     "url": "https://github.com/sefaertunc/Worclaude/issues"
   },
+  "funding": "https://github.com/sponsors/sefaertunc",
   "author": "Sefa Ertunç",
   "engines": {
     "node": ">=18.0.0"
@@ -37,6 +41,10 @@
     "docs:preview": "vitepress preview docs",
     "prepublishOnly": "npm test && npm run lint"
   },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "keywords": [
     "claude",
     "claude-code",