release: v1.77.0 — release-dry-run + cc-version-drift + /goal SDLC-discipline gates

.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "sdlc-wizard",
       "source": ".",
       "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
-      "version": "1.76.0",
+      "version": "1.77.0",
       "author": {
         "name": "Stefan Ayala"
       },

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sdlc-wizard",
-  "version": "1.76.0",
+  "version": "1.77.0",
   "description": "SDLC enforcement for AI agents — TDD, planning, self-review, CI shepherd",
   "author": {
     "name": "Stefan Ayala",

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to the SDLC Wizard.
 
 > **Note:** This changelog is for humans to read. Don't manually apply these changes - just run the wizard ("Check for SDLC wizard updates") and it handles everything automatically.
 
+## [1.77.0] - 2026-05-24
+
+### Added
+
+- **`release-dry-run.yml` CI workflow** (A1, v1.75.1 post-mortem). Runs `npm publish --dry-run --tag dry-run --json` on every PR touching `release.yml`, `package.json`, or the shipped package surface (`cli/`, `hooks/`, `skills/`, `.claude-plugin/`, `CLAUDE_CODE_SDLC_WIZARD.md`, `CHANGELOG.md`). Catches MODULE_NOT_FOUND-class regressions, dropped shipped paths, Node/npm version drift — visible at PR-time instead of producing a half-published tag. Uses `permissions: contents: read` only (no `id-token: write` — npm CLI runs OIDC setup before the dry-run branch, so requesting that permission would attempt token mint on every PR). Rewrites `package.json` to `0.0.0-dry-run-<SHA>` in a temp checkout to avoid the "cannot publish over previously published versions" error. Path filter is `package.json.files`-aware and tested for drift. 25 quality tests in `tests/test-release-dry-run-workflow.sh`.
+- **`cc-version-drift.yml` cadence workflow** (closes #350). The fix for the gap that let native `/goal` (CC v2.1.139) slip past for 32 versions / 5 weeks. Pure GH-API detector — no LLM, no API spend. Mon 09:30 UTC cron (staggered from `weekly-update.yml` 09:00 and `weekly-api-update.yml` 10:00) + `workflow_dispatch`. Parses new `<!-- Claude Code Baseline: vX.Y.Z -->` anchor in `SDLC.md` (single-purpose; NOT `<!-- SDLC Wizard Version -->` which is the wizard's own pkg version), compares to `npm view @anthropic-ai/claude-code version`, opens a tracking issue when patch gap > 5 (major/minor jumps alert regardless of threshold). Idempotent via label `cc-version-drift` + machine-readable marker in issue body. Edits existing open issue instead of comment-spamming. Re-opens a closed issue only if delta WIDENED (respects "won't fix for now"). 22 workflow tests + 18 unit tests on the extracted `scripts/cc-drift-check.sh` (bash 3 compatible, strict SemVer validation, refuses prereleases and regressions).
+- **`/goal` SDLC-discipline gates in `/sdlc` skill** (PR-D). Two new load-bearing rules now that native `/goal` is universal across CC (v2.1.139+) and Codex CLI: **(1) Confidence gate — NEVER invoke `/goal` below HIGH 95%** (mirrors existing Confidence Check; below 95% the Haiku evaluator rubber-stamps "did the agent flail" as progress). **(2) DLC binding — the condition MUST name the active DLC** (`/sdlc`, `/gdlc`, `/ldlc`, etc.) so the evaluator anchors on "doing it right," not just "doing it." Example: `/goal "tests pass + clean tree following /sdlc, stop after 20 turns"`. `test_sdlc_skill_has_goal_wrapper` extended to grep both new keywords (9 quality elements total).
+- **`<!-- Claude Code Baseline: v2.1.150 -->` anchor in `SDLC.md`** — single-purpose machine-parseable source of truth for `cc-version-drift.yml`. Maintainer updates this anchor + the human-readable `Claude Code Recommended` row when bumping CC support. Test asserts both stay in sync.
+
+### Notes
+
+- **Trusted Publishing flow held.** Third release shipped via OIDC since the v1.75.0 migration; no token to rotate, expire, or 2FA-gate.
+- **Cross-model design reviews** at `.reviews/176-followup-prio-codex.md` (Codex gpt-5.5 xhigh). Caught: (a) naive `npm publish --dry-run` against already-published version fails today; (b) `id-token: write` on the dry-run workflow would attempt OIDC mint on every PR; (c) `weekly-update.yml` is the wrong host for #350 (cron is disabled + tests assert no `issues: write`); (d) "minor versions" is wrong terminology — `2.1.150 → 2.1.180` is a SemVer patch delta.
+- **Self-test landed in PR-B:** the new `release-dry-run.yml` workflow ran ON the PR that introduced it (paths filter included `release-dry-run.yml` itself) and SUCCEEDED — first proof that the dry-run mechanism works end-to-end against the temp-version-rewrite + `--tag dry-run` flow.
+
 ## [1.76.0] - 2026-05-24
 
 ### Added

CLAUDE_CODE_SDLC_WIZARD.md

@@ -2981,7 +2981,7 @@ If deployment fails or post-deploy verification catches issues:
 
 **SDLC.md:**
 ```markdown
-<!-- SDLC Wizard Version: 1.76.0 -->
+<!-- SDLC Wizard Version: 1.77.0 -->
 <!-- Setup Date: [DATE] -->
 <!-- Completed Steps: step-0.1, step-0.2, step-0.4, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Git Workflow: [PRs or Solo] -->

SDLC.md

@@ -1,4 +1,4 @@
-<!-- SDLC Wizard Version: 1.76.0 -->
+<!-- SDLC Wizard Version: 1.77.0 -->
 <!-- Setup Date: 2026-01-24 -->
 <!-- Completed Steps: step-0.1, step-0.2, step-1, step-2, step-3, step-4, step-5, step-6, step-7, step-8, step-9 -->
 <!-- Claude Code Baseline: v2.1.150 -->
@@ -10,7 +10,7 @@
 
 | Property | Value |
 |----------|-------|
-| Wizard Version | 1.76.0 |
+| Wizard Version | 1.77.0 |
 | Last Updated | 2026-05-24 |
 | Claude Code Minimum | v2.1.111+ (required for Opus 4.7 / `opus[1m]`); v2.1.105+ for `PreCompact` hook |
 | Claude Code Recommended | v2.1.150+ (latest at 2026-05-24) — unlocks native `/goal` (v2.1.139), `/code-review --comment` (v2.1.147), per-category `/usage` (v2.1.149), `$CLAUDE_EFFORT` env var for hooks (v2.1.133) |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-sdlc-wizard",
-  "version": "1.76.0",
+  "version": "1.77.0",
   "description": "SDLC enforcement for Claude Code — hooks, skills, and wizard setup in one command",
   "bin": {
     "sdlc-wizard": "cli/bin/sdlc-wizard.js"

skills/update/SKILL.md

@@ -93,14 +93,15 @@ Parse CHANGELOG entries between the user's installed version and latest. Present
 
 ```
 Installed: 1.42.0
-Latest:    1.76.0
+Latest:    1.77.0
 
 What changed:
+- [1.77.0] release-dry-run.yml + cc-version-drift.yml (#350) + /goal SDLC gates (95% + DLC binding).
 - [1.76.0] /goal /sdlc wrapper (#347) + CC v2.1.150 feature adoption + ROADMAP demand-signal gate (4 excise, 4 kill).
 - [1.75.1] release-workflow fix — Node 22 → 24 (ships npm 11.x), dropped flaky `npm install -g` self-upgrade (hit MODULE_NOT_FOUND on v1.75.0 publish). Explicit npm-version guard.
 - [1.75.0] npm Trusted Publishing — `release.yml` swapped from `NPM_TOKEN` to OIDC. No more token rotation. Requires one-time publisher config on the npm package page.
 - [1.74.0] v1.43 salvage: #338 precedence preamble; #235ab `/insights`; codex `< /dev/null` stdin-hang fix; test env-isolation.
-- [1.73.0] precompact stale REBASE_HEAD fix — no longer HOLDs `/compact` without active `rebase-{merge,apply}/` dirs. 15 stale tracked artifacts deleted (-460 LOC).
+- [1.73.0] precompact stale REBASE_HEAD fix + 15 stale artifact deletes (-460 LOC).
 - [1.72.0] #323 closed — customization-aware `check` recommendation + new `--preserve-customized` flag. `init --force --preserve-customized` skips CUSTOMIZED files (action `PRESERVE`), still OVERWRITEs MATCH and CREATEs MISSING. Default `init --force` unchanged. 10 tests.
 - [1.71.0–1.69.0] token-bloat sweep #236 — BASELINE + TDD CHECK fire once per `session_id` (-12K, -0.5-1.5K); sdlc-skill Cross-Model Review trimmed.
 - [1.68.0–1.65.0] roadmap hygiene — five paperwork closes: #97 Anthropic Policy NO-GO + AAR-paper validating parallel; #99 AutoGPT NO-GO; #95 Nous NO-GO; #243 token-history liveness verified; #210 Node-24 false-green; #235 Thoughtworks AI Evals NO-GO. **6/6 external-product audits NO-GO** (continues #76, #77). Research write-ups in `.reviews/research-*.md`.