xtrm-tools 0.7.17 → 0.7.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57)
  1. package/.xtrm/config/hooks.json +2 -0
  2. package/.xtrm/config/instructions/agents-top.md +2 -1
  3. package/.xtrm/registry.json +429 -712
  4. package/.xtrm/skills/default/creating-service-skills/scripts/bootstrap.py +82 -156
  5. package/.xtrm/skills/default/creating-service-skills/scripts/scaffolder.py +73 -121
  6. package/.xtrm/skills/default/hook-development/references/patterns.md +1 -1
  7. package/.xtrm/skills/default/last30days/scripts/test-v1-vs-v2.sh +2 -2
  8. package/.xtrm/skills/default/planning/SKILL.md +75 -29
  9. package/.xtrm/skills/default/releasing/SKILL.md +163 -57
  10. package/.xtrm/skills/default/security-pipeline/SKILL.md +192 -0
  11. package/.xtrm/skills/default/security-pipeline/scripts/security-bootstrap.sh +294 -0
  12. package/.xtrm/skills/default/security-pipeline/templates/.githooks/pre-push.template +39 -0
  13. package/.xtrm/skills/default/security-pipeline/templates/.github/workflows/gitleaks.yml +33 -0
  14. package/.xtrm/skills/default/security-pipeline/templates/.github/workflows/osv-scanner.yml +33 -0
  15. package/.xtrm/skills/default/security-pipeline/templates/.github/workflows/semgrep.yml +41 -0
  16. package/.xtrm/skills/default/security-pipeline/templates/.gitleaks.toml +44 -0
  17. package/.xtrm/skills/default/security-pipeline/templates/.pre-commit-config.yaml +67 -0
  18. package/.xtrm/skills/default/security-pipeline/templates/.semgrepignore +46 -0
  19. package/.xtrm/skills/default/security-pipeline/templates/scripts/security-scan.sh +57 -0
  20. package/.xtrm/skills/default/security-pipeline/templates/scripts/semgrep-diff.sh +68 -0
  21. package/.xtrm/skills/default/session-close-report/SKILL.md +167 -6
  22. package/.xtrm/skills/default/sync-docs/SKILL.md +1 -1
  23. package/.xtrm/skills/default/update-xt/SKILL.md +270 -4
  24. package/.xtrm/skills/default/updating-service-skills/scripts/drift_detector.py +22 -0
  25. package/.xtrm/skills/default/using-script-specialists/SKILL.md +7 -5
  26. package/.xtrm/skills/default/using-specialists/SKILL.md +13 -12
  27. package/.xtrm/skills/default/using-specialists-auto/SKILL.md +137 -0
  28. package/.xtrm/skills/default/using-specialists-v2/SKILL.md +14 -21
  29. package/.xtrm/skills/default/using-specialists-v3/SKILL.md +533 -21
  30. package/.xtrm/skills/default/vaultctl/SKILL.md +2 -2
  31. package/CHANGELOG.md +87 -3
  32. package/cli/dist/index.cjs +12429 -3769
  33. package/cli/dist/index.cjs.map +1 -1
  34. package/cli/package.json +9 -3
  35. package/package.json +27 -7
  36. package/packages/pi-extensions/package.json +1 -1
  37. package/.xtrm/skills/default/planning/evals/evals.json +0 -19
  38. package/.xtrm/skills/default/quality-gates/evals/evals.json +0 -181
  39. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/FINAL-EVAL-SUMMARY.md +0 -75
  40. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/edge-case-auto-fix-verification/with_skill/outputs/response.md +0 -59
  41. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/edge-case-mixed-language-project/with_skill/outputs/response.md +0 -60
  42. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/eval-summary.md +0 -105
  43. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/partial-install-python-only/with_skill/outputs/response.md +0 -93
  44. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/python-refactor-request/with_skill/outputs/response.md +0 -104
  45. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/quality-gate-error-fix/with_skill/outputs/response.md +0 -74
  46. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/should-not-trigger-general-chat/with_skill/outputs/response.md +0 -18
  47. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/should-not-trigger-math-question/with_skill/outputs/response.md +0 -18
  48. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/should-not-trigger-unrelated-coding/with_skill/outputs/response.md +0 -56
  49. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/tdd-guard-blocking-confusion/with_skill/outputs/response.md +0 -67
  50. package/.xtrm/skills/default/quality-gates/workspace/iteration-1/typescript-feature-with-tests/with_skill/outputs/response.md +0 -97
  51. package/.xtrm/skills/default/sync-docs/evals/evals.json +0 -89
  52. package/.xtrm/skills/default/test-planning/evals/evals.json +0 -23
  53. package/.xtrm/skills/default/using-specialists/SKILL.safe.md +0 -1082
  54. package/.xtrm/skills/default/using-specialists/SKILL.ultra.md +0 -1082
  55. package/.xtrm/skills/default/using-specialists/evals/evals.json +0 -68
  56. package/.xtrm/skills/default/using-specialists-v3/evals/evals.json +0 -89
  57. package/packages/pi-extensions/.serena/project.yml +0 -130
@@ -21,13 +21,13 @@ No server, no embeddings, no container — fast local BM25 search with full CRUD
21
21
  ```toml
22
22
  [[sources]]
23
23
  id = "vault"
24
- root = "/home/dawid/second-mind"
24
+ root = "$HOME/second-mind"
25
25
  include_glob = "**/*.md"
26
26
  exclude_glob = ".worktrees/**"
27
27
 
28
28
  [[sources]]
29
29
  id = "transcripts"
30
- root = "/home/dawid/dev/transcriptoz/transcripts"
30
+ root = "$HOME/dev/transcriptoz/transcripts"
31
31
  include_glob = "**/*.analysis.md"
32
32
  ```
33
33
 
package/CHANGELOG.md CHANGED
@@ -7,6 +7,90 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ---
9
9
 
10
+ ## [Unreleased]
11
+
12
+ ## [0.7.19] - 2026-05-14
13
+
14
+ ### Fixed
15
+ - `xt init`'s Project Bootstrap phase no longer leaves Skills Runtime in an `incomplete: active` state on a fresh repo. Bare `gitnexus analyze` (invoked by xt init) unconditionally writes 6 skills to `<project>/.claude/skills/gitnexus/<name>/SKILL.md`, and because xtrm makes `.claude/skills` a symlink to `.xtrm/skills/active/`, those writes landed as a non-symlink directory at `.xtrm/skills/active/gitnexus/` — breaking the flat-active-view invariant and tripping `hasOnlyValidSymlinkEntries` → `activeReady=false`. After `gitnexus analyze` returns, `runGitNexusInitForProject` now removes that polluting subdir (idempotent, try/catch wrapped). No functionality loss — the same gitnexus skills are already vendored as flat `gitnexus-cli`, `gitnexus-debugging`, etc. under `.xtrm/skills/default/` and symlinked into `active/`. Fresh-repo smoke now reports `✓ All phases verified successfully.` (5/5 green). (xtrm-wbfd / PR #252)
16
+
17
+ ## [0.7.18] - 2026-05-14
18
+
19
+ ### Added
20
+ - Security baseline pipeline: new GitHub Actions workflows for `gitleaks`, `semgrep`, and `osv-scanner` triggered on push and PR; project-level `.githooks/pre-commit` + `.githooks/pre-push` security mirrors with `.local` extension hooks; `.pre-commit-config.yaml` framework integration; `.gitleaks.toml`, `.semgrepignore`, and `.github/dependabot.yml`. New helper scripts `scripts/osv-diff.sh`, `scripts/semgrep-diff.sh`, `scripts/security-scan.sh`. (xtrm-6m4y / PR #206)
21
+ - Vendor freshness manifest committed at `.xtrm/specialists-source.json` so CI's `Verify specialists vendor freshness` step has a reference snapshot (was previously generated only at `prepublishOnly` time, leaving main CI red on every push). (PR #206)
22
+ - `xt doctor`: report global xt-managed Pi package health in text and JSON via `piPackages`, including missing, outdated, and version-unknown states with remediation; doctor remains report-only and never installs packages. (xtrm-modr)
23
+ - `xt update`: check global xt-managed Pi package freshness during dry-run and JSON output, and refresh only missing/outdated managed packages when `--apply` is used. (xtrm-5nwu)
24
+ - `xt update --root <dir>`: surface partial-install repos in the output. Directories under `<root>` that contain a `.xtrm/` folder but no `.xtrm/registry.json` are now reported with status `incomplete` and a remediation hint (run `xt init` or `xt install`). Previously these were silently skipped. New `scanXtrmRepos` helper exposes the split (`managed`, `incomplete`) for programmatic callers; `findManagedRepos` kept as a backward-compatible thin wrapper. (xtrm-asqq)
25
+ - `policies/beads.json`: wire `beads-compact-save.mjs` to `PreCompact` and `beads-compact-restore.mjs` to `SessionStart` so beads state survives Claude Code compaction; generated `.xtrm/config/hooks.json` carries a narrow wrapper-level `script` field for these entries only. (xtrm-4amc.5)
26
+ - `xtrm update --help` advertises the `init` alias so operators discover the unified entry point from either command. (xtrm-4amc.7)
27
+ - `xt status`: `--check` flag for non-interactive summary that never prompts. The inline sync prompt is also auto-skipped when stdin is not a TTY, so agents and CI can use `xt status` for a quick "is everything fine?" check without engaging the interactive multiselect. JSON output unchanged; interactive TTY behavior preserved. (xtrm-d3wx / PR #225)
28
+ - `prepublishOnly`: new `check:payload-hygiene` step runs `npm pack --dry-run` and fails the publish gate on (a) forbidden packed paths matching a denylist (`.xtrm/worktrees/`, `.pi/`, `.serena/`, `__pycache__/`, `*.log`, `*.db`, `*.sqlite*`, `workspace/`, `evals/`, `.specialists/jobs/`, `.specialists/db/`, `.beads/dolt/`, `.beads/backup/`, `.beads/issues.jsonl`) and (b) absolute-path leaks (`/home/*`, `/Users/*`, `file:///home/`, `file:///Users/`) in packed text content. Both checks always run and report independently. (xtrm-7xxz / PR #228, xtrm-zb9q / PR #230)
29
+ - **Release contract: cross-repo handshake with specialists.** New end-to-end gate chain that fails the npm publish if the vendored specialists payload drifts from upstream. (xtrm-9xg2 / PR #238, finalised in PR #239)
30
+ - `.github/workflows/specialists-validation.yml`: triggered by `repository_dispatch` (type=`specialists-asset-validation`) from specialists' release-gate workflow, or manually via `workflow_dispatch`. Checks out specialists at the dispatched SHA and runs `scripts/verify-asset-contract.mjs` against `.xtrm/skills/default/`. Hard-fails if `using-specialists-v3` or `update-specialists` (must-have specialists-owned skills) are missing from the mirror or their sha256 drifts. (xtrm-cvjg)
31
+ - `scripts/verify-asset-contract.mjs`: reads specialists' `dist/asset-contract.json` (sha256 manifest per shipped skill), filters by `docs/skills-ownership.json` owner=specialists, hashes each vendored file under `.xtrm/skills/default/<skill>/<basename>`, exits 1 on any drift. Skill name derived from `path.basename(path.dirname(entry.path))` — no `entry.skill` field exists.
32
+ - `.github/workflows/install-order-matrix.yml`: 4-leg matrix (`xt-only`, `sp-only`, `xt-then-sp`, `sp-then-xt`) over `mktemp -d` repos validates the canonical install order. Each leg asserts the documented prerequisite error wording when sp init runs before xt init, and that no symlinks ever appear under `.xtrm/`. Helper at `scripts/__tests__/install-order-asserts.sh`. Operator-triggered only (third-party install behaviour outside release-contract scope; see docs/release.md). (xtrm-nogp / PR #238, xtrm-g20x for scope)
33
+ - `.github/workflows/fresh-machine-smoke.yml`: end-to-end smoke that packs xtrm-tools + specialists via `npm pack`, installs both tarballs globally on a fresh ubuntu-latest runner, runs `xt init -y` + `xt doctor` + `xt update --apply` + `sp init/doctor/list` in a `mktemp -d` git repo. Reusable via `workflow_call` (used by `publish.yml`) and `workflow_dispatch` (operator). Assertions narrowed to release-contract invariants only: 3 must-have specialists skills land in the mirror, no symlink leaks, no `Source and destination must not be the same` regression. (xtrm-sn9t / PR #238, refined by xtrm-3qts / PR #243)
34
+ - `.github/workflows/pre-publish-readiness.yml`: operator dry-run of the entire publish chain (resolve_ref → fresh_machine_smoke → publish_dry_run) minus the actual `npm publish`. All 6 publish gates run including `verify-asset-contract.mjs` and `npm pack --dry-run`. Green = safe to tag. (xtrm-a8x4 / PR #239)
35
+ - `docs/release.md`: operator + agent release playbook. Architecture diagram, per-gate enforcement table, operator procedure, gate-specific recovery, 12 hard rules for agents touching release plumbing, runtime prerequisites (`sp` requires Bun), install-order-matrix scope clarification. (xtrm-a8x4 / PR #239)
36
+ - `.pi/settings.json` `.skills` array: installer now seeds **two** entries in resolution order — `../.xtrm/skills/active` (project-local, wins) and `~/.xtrm/skills/default` (user-level fallback). Without the fallback, specialist configs that reference skills not vendored into a project failed to resolve in pi (`validateBeforeRun` warnings). User-added entries between the two managed ones are preserved on `xt update`; idempotent. (xtrm-4h6u / PR #247)
37
+ - `installFromRegistry` now snapshots `packageRoot/.xtrm/registry.json` → `userXtrmDir/registry.json` after the file-by-file copy loop. Freshly init'd repos show as managed in `xt update --root` immediately — no manual `cp` from xtrm-tools. Skipped in dry-run. (xtrm-ya2i / PR #246, supersedes xtrm-tools-adh)
38
+ - `using-specialists-auto` vendored as a new specialists-owned skill in `.xtrm/skills/default/`; added to both `docs/skills-ownership.json` and `docs/skills-ownership.release.json`. (xtrm-lhqy / PR #239)
39
+
40
+ ### Changed
41
+ - Pi runtime package assurance now uses the canonical xt-managed package inventory, including `npm:@jaggerxtrm/pi-extensions`, instead of a two-package allowlist. (xtrm-ppwi)
42
+ - Pi package freshness classification is centralized behind provider-injected helpers so commands can share deterministic missing/outdated/version-unknown behavior. (xtrm-basg)
43
+ - `scripts/gen-registry.mjs` no longer emits a `pi_extensions` asset for project scaffold; `packages/pi-extensions` is global-only install and is not copied into target projects' `.xtrm/`. Re-lands the fix from commit `452d961` lost during the 2026-05-09 integration restitch. (xtrm-xvjg)
44
+ - `session-close-report`: add paranoid cleanup, due-diligence, and CHANGELOG synchronization requirements so session handoffs include process cleanup, content audits, and consumer-facing changelog checks.
45
+ - `releasing`: update the release skill to drive releases end-to-end without relying on the deprecated `xt release` flow.
46
+ - `using-specialists-v3`: strengthen specialist orchestration guidance around runtime listing, file-layer discipline, security/code-sanity chains, monitoring, and worktree cleanup.
47
+ - `planning` skill: align Phase 4 with the `using-specialists-v3` 7-section bead contract (PROBLEM/SUCCESS/SCOPE/NON_GOALS/CONSTRAINTS/VALIDATION/OUTPUT). Affects every bead created by a planner specialist run going forward. (xtrm-bkgf)
48
+ - `transcriber` specialist migrated from `dashscope/qwen3.5-plus` to `nano-gpt/qwen/qwen3.5-397b-a17b-thinking` after dashscope provider was retired. Companion to specialists `unitAI-ght3j`.
49
+ - `prepublishOnly`'s `--specialists-ref` updated from the deleted `integration/2026-05-09-orchestrator` branch to `master` so the vendor step uses a live ref (vendor script's sibling-path fallback was masking the misconfiguration). (xtrm-m6yd)
50
+ - `package.json` `files`: add 3 negation entries (`!.xtrm/skills/default/**/evals/**`, `!.xtrm/skills/default/**/workspace/iteration-*/**`, `!packages/*/.serena/**`) so eval/workspace/.serena artifacts no longer ship in `npm pack`. `.npmignore` had identical patterns added first but turned out to be largely ignored when `files` is set; the negation form in `files` is the supported pattern in this repo. (xtrm-87b2 / PR #234, xtrm-0svb / PR #231)
51
+ - `scripts/gen-registry.mjs`: now reads `package.json` `files` negation entries and skips matching paths during registry generation, so `.xtrm/registry.json` stays in sync with the published pack contents. Closes the parity gap that surfaced when pack exclusions stopped matching the registry. (xtrm-y6sn / PR #234)
52
+ - `.github/workflows/publish.yml`: restructured into a 3-job DAG. `resolve_ref` reads `.source.resolved_sha` (preferred) or `.source.ref` from `.xtrm/specialists-source.json` via jq; `fresh_machine_smoke` is invoked via `workflow_call` with that pinned ref; `publish` job depends on both via `needs:` and runs the 6 gates (`check:skills-ownership`, `check:specialists-vendor` with explicit step-level `SPECIALISTS_REPO_PATH` env, `check:layout-guards`, `check:payload-hygiene`, `check:registry-pack-parity`, `verify-asset-contract.mjs`) before `npm publish --provenance`. Drift between vendored mirror and shipped specialists tarball is now impossible to ship by construction. (xtrm-2yn4 / PR #238, xtrm-nmiv, xtrm-8uox / PR #242)
53
+ - `scripts/vendor-specialists-skills.mjs`: now captures the supplied `--specialists-ref <value>` and writes both `source.ref` and `source.resolved_sha` (git HEAD of the specialists checkout at vendor time) into `.xtrm/specialists-source.json`. `publish.yml` reads `.source.resolved_sha` via jq, so the live specialists tarball used by `fresh_machine_smoke` matches the vendored mirror by construction — no more "is master still at the SHA I vendored against?" race. (xtrm-lhqy / PR #239)
54
+ - `cli/src/core/machine-bootstrap.ts`: `checkDep` now extends `process.env.PATH` with `~/.local/bin`, `/usr/local/bin`, `/opt/homebrew/bin` once on module load, so `spawnSync` finds binaries that were just installed in the same process. Fixes `xt init -y` bailing before the Project Bootstrap phase on fresh ubuntu-latest runners with a cached PATH that didn't include the install destinations. (xtrm-5k0o / PR #239)
55
+ - `cli/src/core/pi-runtime.ts`: `updatePiSettings` exported for direct testability; emits both `../.xtrm/skills/active` and `~/.xtrm/skills/default` in `.skills`; preserves user-added entries between the two managed paths; idempotent across repeated `xt update` runs. (xtrm-4h6u / PR #247)
56
+ - `scripts/check-payload-hygiene.mjs`: new `ABSOLUTE_PATH_LEAK_ALLOWLIST` (`CHANGELOG.md` + the hygiene script itself) suppresses self-trips when those files legitimately document absolute-path patterns. Forbidden-path scanning still applies to those files. (xtrm-h67r / PR #244)
57
+ - Workflow `run:` scripts no longer interpolate `${{ ... }}` github-context expressions inline. All instances rewritten to step-level `env:` blocks consuming `"$VARNAME"` (double-quoted), unblocking semgrep `yaml.github-actions.security.run-shell-injection`. Applies to `specialists-validation.yml`, `publish.yml`, `pre-publish-readiness.yml`, `fresh-machine-smoke.yml`. (xtrm-6cl8 / PR #238)
58
+ - `docs/cat-b-distribution.md` + `docs/skills-ownership.md`: refreshed specialist-owned skill lists (added `using-specialists-v3` + `using-specialists-auto`), mention the new asset-contract verification gate, document the vendor-script auto-write of `source.ref` + `source.resolved_sha`. (xtrm-so64 / PR #245)
59
+ - `.xtrm/skills/default/update-xt/SKILL.md`: refreshed for this session's installer changes — two-path pi skills expectation (xtrm-4h6u), `xt init` auto-seeding `registry.json` (xtrm-ya2i), worktree-build caveat (`npm run build` blocked inside `.xtrm/worktrees/`), `pnpm-workspace.yaml` row in the worktree artifact inventory (xtrm-ombq), and a new section **"Migrating a dev-linked project to a real consumer install"** with the full recipe for projects that have manually symlinked `.xtrm/skills/default` to npm-linked xtrm-tools. (xtrm-bmiq / PR #248)
60
+
61
+ ### Fixed
62
+ - `xtrm-cli` workspace tarball startup no longer resolves package assets at import time, so temp-installed `xt` / `xtrm` `--version` and help commands work without a root `.xtrm/registry.json`; the workspace package is marked private while root `xtrm-tools` remains the canonical distributable. (xtrm-cplc)
63
+ - Pi runtime sync (`xtrm-n83y`) now installs `npm:pi-mcp-adapter` as a required managed Pi package, preventing Pi MCP startup blocks after `xt init` / `xt update` while still removing stale `~/.pi/agent/extensions/pi-mcp-adapter` extension overrides.
64
+ - `.beads/` is no longer committed as a self-referential symlink (introduced accidentally in PR #196); restored as a tracked directory with sensitive runtime files (`.beads-credential-key`, `interactions.jsonl`) properly gitignored, and `dolt.shared-server: true` added to `.beads/config.yaml` for parity with sibling projects. Fresh clones no longer fail with "too many levels of symbolic links". (xtrm-f3s2)
65
+ - `xtrm docs` (`list`, `verify`, `show`, `cross-check`): use `findProjectRoot()` instead of `findRepoRoot()` so the scanner respects the current project / fixture cwd rather than always traversing the xtrm-tools package source's `docs/`. (xtrm-4amc.1)
66
+ - `runProjectInit` throws an actionable `Compilation failed: ...` error when the source repo root cannot be resolved, instead of resolving to undefined and silently no-op'ing. (xtrm-4amc.7)
67
+ - `cli/src/utils/worktree-session.ts`: new `suppressBeadsWorktreeNoise` helper runs after the existing `.beads`-dir-to-symlink swap during worktree provisioning. Appends `.beads` to the per-worktree `<gitdir>/info/exclude` and runs `git update-index --skip-worktree` on tracked `.beads/*` files. Future `xt claude` / `xt pi` worktree checkpoint commits no longer carry 1.7k lines of phantom `.beads/` deletions, eliminating the manual commit-rewrite workaround for edit-capable specialists. (xtrm-nsca)
68
+ - `xt end`: new pre-push guard parses `git diff <upstream>..HEAD --raw -- .beads/` and aborts the push with an actionable error if any path under `.beads/` has destination mode `120000` (symlink). Defense-in-depth catches the case where prevention is bypassed (executors using `git add -A`, manual operator pushes, external scripts) so a `.beads` self-symlink can never be merged to a shipping branch. (xtrm-w1ip)
69
+ - `scripts/check-layout-guards.mjs` no longer flags itself as an offender. The script contains the staleActiveTiers strings by necessity to detect them in other files; added a self-reference to the `transientAllowlist`. Unblocks `npm run check:layout-guards` as a usable release gate. (xtrm-4kt0)
70
+ - Stale GitNexus "(N symbols, M relationships, K execution flows)" counter scrubbed from tracked `AGENTS.md` + `CLAUDE.md`; new `check:gitnexus-no-counter` build gate prevents the counter from being reintroduced by ad-hoc `gitnexus analyze` runs that bypass `--skip-agents-md --no-stats` (specialists supervisor already passes both since fd60db04). Wired into `prepublishOnly`. (xtrm-c6sf)
71
+ - `cli/src/utils/worktree-session.ts`: drop the `.beads` dir→symlink swap entirely. `launchWorktreeSession` now `rm -rf <worktree>/.beads` and marks the tracked `.beads/*` paths as `skip-worktree`. Modern bd 1.0.3 stores `core.hooksPath` as an absolute parent path at `bd init`, so the worktree inherits parent hooks via shared git config — no on-disk `.beads/` is needed, and bd resolves the DB via git common-dir. Removes a serious merge hazard: any branch carrying the worktree-local `.beads` symlink (mode 120000) wipes the parent's `.beads/` on squash-merge into main (real incident: projects/infra PR #39, 2026-05-12). Supersedes `xtrm-as7d` / `xtrm-nsca`. The `xt end` pre-push guard (xtrm-w1ip) stays in place as defense-in-depth for older clones and non-CLI push paths. (xtrm-cbjo)
72
+ - OSV dependency advisories cleared: removed unused `@artale/pi-procs`, removed bundled `tdd-guard` + `tdd-guard-vitest` dev deps (the Vitest TDD reporter is now opt-in via `tdd-guard-vitest` resolved-at-runtime), pinned Vite via the `cli/pnpm-lock.yaml` `overrides` block, declared `yaml` as a direct `cli/package.json` dependency (was previously hoisted from `tdd-guard`'s transitive tree — broke when tdd-guard was removed), refreshed lockfiles. OSV/audit/typecheck/tests all green post-changes. (xtrm-krk0 / PR #206)
73
+ - `scripts/scaffolder.py`: `ensure_legacy_symlink` no longer rejects every real caller. The previous confinement check required the legacy symlink's own location to live inside `pack_root`, but `scaffold_service_skill` deliberately places it at `<project>/.claude/skills/<service-id>` (sibling tree); every call raised `ValueError` after files + registry state were already written, leaving partial state. Dropped the misguided legacy-path check; the target-confinement check that prevents symlink escape via `..` or absolute paths is preserved. (xtrm-g41r / PR #220)
74
+ - `cli/src/utils/worktree-session.ts`: generalize `markBeadsSkipWorktree` → `markPathSkipWorktree(worktreePath, pathspec)` and invoke from `ensureWorktreeSpecialists` for `.specialists/default` + `.specialists/user`. Closes the parity gap with `xtrm-cbjo` — `.specialists/user/*` had the same dir→symlink merge-hazard shape (a chain branch capturing the swap would wipe parent specialist overrides on squash-merge). (xtrm-6jd2 / PR #221)
75
+ - `cli/src/commands/end.ts`: `findBeadsSymlinkIntroductions` pre-push guard now also flags mode-120000 introductions under `.specialists/*`, not just `.beads/*`. Error message and recovery hint generalized to cover both prefixes. (xtrm-6jd2 / PR #221)
76
+ - `cli/test/extensions/beads.test.ts` + `cli/test/extensions/custom-footer-parity.test.ts`: added `vi.mock` for `@mariozechner/pi-coding-agent` and `@mariozechner/pi-tui` above the extension import so vitest doesn't fail the entire test file at module-load time. Those packages are Pi-provided runtime peers not in cli's `package.json`; CI's `npm install` never pulled them in. (xtrm-qdsx / PR #220)
77
+ - `cli/test/init-cli.test.ts`: bump per-test timeout to 60s for `xt init --yes bypasses confirmation and completes quickly`. The assertion is "no interactive prompt", not "fast"; wall-clock reaches ~28s on slow CI runners because `spawnSync` waits for the child after its internal 15s SIGTERM. (xtrm-qdsx / PR #220)
78
+ - `xt doctor`: resolve the project root via `findProjectRoot()` when `--cwd` is omitted, instead of using `process.cwd()` literally. Previously, running `xt doctor` from anywhere except the project root crashed with `ENOENT: no such file or directory, open '/.xtrm/registry.json'`. Explicit `--cwd <path>` still overrides; running outside any xtrm project now throws a clear `Not inside an xtrm project: …` error. (xtrm-sxug / PR #224)
79
+ - Pi runtime detection: `xt update` and `xt doctor` no longer report globally-installed xt-managed Pi packages as `state: missing, installedVersion: null`. The freshness path now falls back to the global npm root (resolved via `npm root -g`) when the agent-local `$PI_AGENT_DIR/npm/node_modules/<pkg>` path is absent, then chooses the agent-local path when both exist. Regression tests assert agent-local-wins and globally-installed scoped packages never report missing. (xtrm-ntf8 / PR #226)
80
+ - `cli/src/core/pi-runtime.ts`: 4 inline `// nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal` annotations for `path.join(agentDir, ..., npmPackageName, ...)` call sites. `npmPackageName` is sourced from the xt-managed allowlist constants (`XT_MANAGED_PI_PACKAGES`), not user input, so the semgrep finding is a false positive. Unblocks pre-push push of `xtrm-ntf8`. (xtrm-1hwe / PR #226)
81
+ - `cli/src/core/claude-runtime-sync.ts`: harden `resolveHooksForProjectRuntime` against single-object wrapper shape. The function previously assumed `wrappers` is always an array and called `wrappers.map(...)` directly; some upstream test was leaving `hooks.json` in `{event: { hooks: [...] }}` shape instead of `{event: [{ hooks: [...] }]}`, causing `install-integration.test.ts` to flake in full-suite runs. Now normalises with `Array.isArray(wrappers) ? wrappers : [wrappers as HookWrapper]`. Behavior on canonical array shape unchanged. (xtrm-0kgm / PR #227)
82
+ - `.gitignore` / `.pi/npm`: the host-specific `.pi/npm` self-referential symlink no longer gets re-committed by every executor that touches `.pi/`. Root cause: `.gitignore` had `.pi/npm/` (trailing slash matches **directory only**), but `.pi/npm` was a symlink — git treats symlinks as regular files, so the pattern silently never matched. Now lists both `.pi/npm` (symlink/file form) and `.pi/npm/` (directory form). `git rm --cached .pi/npm` removes the existing tracked entry. (xtrm-5kn1 / PR #235)
83
+ - Pi runtime: `resolveGlobalNpmRootDir()` is no longer shelled out per-package inside the freshness loop. `assureXtManagedPiPackages` and `getXtManagedPiPackageDoctorReport` now hoist the call to once-per-invocation, dropping the per-command `npm root -g` subprocess count from 8 to 1 (visible on machines where npm startup is slow). (xtrm-w6ey / PR #236)
84
+ - Multiple skill / runtime files cleaned of absolute-path leaks surfaced by the new `check:payload-hygiene` gate: `CHANGELOG.md` (`/home/<user>/.claude/hooks/...` → `~/.claude/hooks/...`), `hook-development/references/patterns.md` + `update-xt/SKILL.md` + `vaultctl/SKILL.md` (`/home/<user>/` → portable tokens), and `last30days/scripts/test-v1-vs-v2.sh` (`/Users/<user>/last30days-skill` → `$HOME/last30days-skill`, `/Users/<user>/.local/bin/claude` → `${CLAUDE_BIN:-$(command -v claude)}`; the latter is a net portability improvement since the original hardcoded paths only worked on the upstream author's machine). (xtrm-ykv4 / PR #233)
85
+ - `cli/src/commands/init.ts upsertManagedBlock`: regex switched from lazy `*?` to greedy `*` so duplicate-content + trailing-orphan-end-marker tails left behind by older versions get swept into the replacement. Previously only the first `start..end` pair was replaced, leaving a duplicate `# XTRM Agent Workflow` block + free-floating end marker in tracked AGENTS.md files. Visible in this repo until this PR — `AGENTS.md` cleaned in the same change (378 → 273 lines, single managed block). 6 regression tests in `cli/src/tests/upsert-managed-block.test.ts`. (xtrm-ya67 / PR #249)
86
+ - `skills/updating-service-skills/scripts/drift_detector.py`: pyright now reports 0 errors / 0 warnings via `typing.cast(str, project_root)` after the resolution dance plus `type:ignore[import-not-found]` on the dynamic `from bootstrap import ...` line. Unblocks pre-commit hooks in downstream projects where the script is vendored. (xtrm-2oho / PR #246)
87
+ - `.gitignore`: add `pnpm-workspace.yaml` (root + `cli/`). Specialist tooling occasionally shells out to pnpm in this npm-workspaces repo, generating a stray workspace file that executor checkpoint commits would silently stage into chain branches. (xtrm-ombq / PR #246)
88
+ - Workflow scripts now use `xt init -y` (the canonical non-interactive bootstrap) instead of the non-existent `xt install` subcommand. Earlier smoke runs failed with `error: too many arguments. Expected 0 arguments but got 1.` (xtrm-eb6y / PR #238)
89
+ - `install-order-matrix.yml` leg step: capture per-command exit codes and `trap dump_logs ERR` to print every `/tmp/{xt,sp}-*.{stdout,stderr,log}` on failure. Without this, the leg failed silently with no diagnostic when xt init bailed. Added `git init` + an empty bootstrap commit before `xt init -y` so the Project Bootstrap phase can run. (xtrm-dr1k / PR #238)
90
+ - `fresh-machine-smoke.yml`: scope narrowed to release-contract invariants only. `xt init`/`sp init` exit codes are captured and reported as `::warning::` (upstream package quirks like `@beads/bd` postinstall binary download or `oh-pi` exposing `oh-pi` instead of `pi` are outside the release contract). Validate step asserts: 3 must-have specialists skills in `.xtrm/skills/default/`, no symlinks under `.xtrm/`, no "Source and destination must not be the same" regression. (xtrm-3qts / PR #243, xtrm-gqiw / PR #240)
91
+ - `fresh-machine-smoke.yml` + `install-order-matrix.yml` now install Bun via `oven-sh/setup-bun@v2`. Specialists' `sp` binary uses `#!/usr/bin/env bun` (engines.bun ≥ 1.0.0). Without Bun on the runner, every `sp init/doctor/list` failed with `/usr/bin/env: 'bun': No such file or directory`. (xtrm-ss0j / PR #241)
92
+ - CHANGELOG.md: literal `/home/dawid/` + `/Users/mvanhorn/` placeholders inside an entry describing past leak fixes replaced with `/home/<user>/` / `/Users/<user>/` so the payload-hygiene gate doesn't trip on its own meta-documentation. (xtrm-h67r / PR #244)
93
+
10
94
  ## [0.7.17] - 2026-05-05
11
95
 
12
96
  ### Added
@@ -131,7 +215,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
131
215
 
132
216
  ---
133
217
 
134
- ## [Unreleased]
218
+ ## [Legacy Unreleased]
135
219
 
136
220
  ### Added
137
221
  - **Optional skill packs installed (commit `0e711e76`)**: added domain bundles under `.xtrm/skills/optional/` — `research-methods` (`brainstorming`, `academic-researcher`, `deep-research`, `fact-checker`), `code-quality` (`systematic-debugging`, `verification-before-completion`, `code-review-excellence`, `multi-reviewer-patterns`), `security-ops` (`security-auditor`), `data-engineering` (`data-analyst`), `architecture-design` (`architecture-patterns`, `subagent-driven-development`, `prompt-engineering-patterns`).
@@ -646,7 +730,7 @@ ln -s ~/.claude/skills/prompt-improving ~/.claude/skills/p
646
730
  - Can be disabled without restart
647
731
  - **UserPromptSubmit hook registration** in `settings.json`
648
732
  - Timeout: 1s
649
- - Command: `/home/dawid/.claude/hooks/skill-suggestion.sh`
733
+ - Command: `~/.claude/hooks/skill-suggestion.sh`
650
734
 
651
735
  #### Skill Features
652
736
  - **AskUserQuestion dialogs** in `ccs-delegation` skill for interactive delegation choice
@@ -711,4 +795,4 @@ ln -s ~/.claude/skills/prompt-improving ~/.claude/skills/p
711
795
  - **Skill `p`**: 118 lines, 52KB references (9 files)
712
796
  - **Skill `ccs-delegation`**: 486 lines, 103KB references (6 files)
713
797
  - **Total overhead**: 155KB token cost per skill activation
714
- - **Load time**: 5-8 seconds per skill invocation
798
+ - **Load time**: 5-8 seconds per skill invocation