docs(privacy+roadmap): v0.13.1 — six-tier reality sweep

Doc-only release. PRIVACY.md opened with 'four backend tiers' since v0.2.0;
v0.12.0 added 'managed' (OpenCode Zen) and v0.13.0 added 'subscription'
(GitHub Copilot Pro+) but the tier walkthroughs hadn't caught up.

PRIVACY.md:
- Overview table 4 -> 6 rows (managed + subscription)
- New '## managed' walkthrough (OPENCODE_ZEN_API_KEY, gpt-5.5 default,
  free-tier model example, privacy positioning)
- New '## subscription' walkthrough (OAuth not env-var, critical shape
  difference, /connect flow, Pro+ ToS notes)
- Z.AI GLM walkthrough added to proprietary section (provider shipped
  v0.11.0 but missed the walkthrough)

ROADMAP.md:
- v0.10.1+ candidates list (open queue since v0.10.0) closed out
- v0.10.1 -> v0.13.1 sprint declared shipped — 5 of 6 highest-signal
  May-17 research patterns landed across 13 releases
- New 'feature-complete relative to May-2026 community signals' framing
- New 'v0.13.2+ post-sprint backlog' section for speculative items
  with no community-research backing

No code changes. 407 tests / 12 suites unchanged.

Author: BaseInfinity

CHANGELOG.md

@@ -2,6 +2,60 @@
 
 All notable changes to opencode-sdlc-wizard.
 
+## [0.13.1] - 2026-05-18
+
+### Changed — PRIVACY.md tier walkthroughs updated for the six-tier reality
+
+Doc-only sweep. `PRIVACY.md` opened with "four backend tiers" since
+v0.2.0; v0.12.0 added `managed` (OpenCode Zen) and v0.13.0 added
+`subscription` (GitHub Copilot Pro+), but the tier walkthroughs hadn't
+caught up. v0.13.1 closes the doc drift.
+
+- **PRIVACY.md overview table** bumped from 4 rows to 6 (managed +
+  subscription added with privacy-positioning notes).
+- **New `## managed — OpenCode-routed PAYG (Zen)` section** — full
+  walkthrough with `OPENCODE_ZEN_API_KEY` setup, default model
+  (`gpt-5.5`), free-tier model example (`deepseek-v4-flash-free`),
+  privacy positioning (between hosted_oss and proprietary).
+- **New `## subscription — OAuth-managed sub bridge (Copilot Pro+)`
+  section** — full walkthrough including:
+  - Critical shape difference: auth is OAuth, not env-var/JSON-key
+  - Configure scaffolds model pin only; `opencode /connect` flow
+    completes OAuth
+  - Privacy positioning (Pro+ ToS specifically excludes training on
+    prompts; verify at the plan page)
+- **Z.AI GLM Coding Plan walkthrough** added to proprietary section
+  (was added as provider in v0.11.0 but missed in the walkthrough doc).
+
+### ROADMAP.md — v0.10.1 → v0.13.1 sprint declared shipped
+
+The v0.10.1+ candidates list (last updated in v0.10.0's ROADMAP entry)
+described an open queue. The reality: 5 of 6 highest-signal community
+patterns from May-17 research were shipped across v0.10.1–v0.13.1.
+ROADMAP now reflects this — wizard is **feature-complete relative to
+May-2026 community signals**.
+
+ROADMAP audit:
+- ✅ Per-agent permission sandboxing (v0.10.1 + v0.10.5)
+- ✅ Planner / docs / test-writer flags (v0.10.2 + v0.10.5)
+- ✅ Copilot Pro+ as first-class provider (v0.13.0)
+- ✅ Z.AI GLM (v0.11.0)
+- ✅ OpenCode Zen managed tier (v0.12.0)
+- ✅ Default-model freshness (v0.10.2 + v0.10.3)
+- ✅ small_model / per-agent temps / security agent (v0.10.4 / v0.11.1 / v0.11.2)
+
+Remaining v0.13.2+ backlog items have no community-research backing —
+moved to a "post-sprint backlog" section flagged as speculative until
+dogfood feedback or a fresh research pass surfaces signal.
+
+### Tests
+
+- No code changes; `407 tests across 12 suites` unchanged from v0.13.0.
+
+### Compat
+
+- Pure doc patch. Every flag, provider, tier, default-model unchanged.
+
 ## [0.13.0] - 2026-05-18
 
 ### Added — `subscription` tier with GitHub Copilot Pro+

PRIVACY.md

@@ -1,6 +1,6 @@
 # Privacy Tiers — Choosing a Backend
 
-OpenCode SDLC Wizard supports four backend tiers. Tiers are ordered by where
+OpenCode SDLC Wizard supports six backend tiers. Tiers are ordered by where
 your prompts and code can travel. The wizard's recommendation defaults to the
 strongest privacy guarantee available, not the strongest model ceiling.
 
@@ -9,7 +9,9 @@ strongest privacy guarantee available, not the strongest model ceiling.
 | **`private_local`** | Stays on your machine. No outbound traffic. | Privileged data, attorney-client work, air-gapped environments, source you cannot send to a third party |
 | **`enterprise`** | Stays in your tenant. Vendor processes under contract; zero-retention configurable. | Regulated companies with an Azure/Bedrock/internal-gateway agreement that meets compliance |
 | **`hosted_oss`** | Sent to a third-party host of open-weight models. Logging policy is the host's. | Cost-sensitive work where the model weights are open but you'd rather pay-per-token than self-host |
-| **`proprietary`** | Sent to Anthropic / OpenAI. Vendor's standard ToS applies. | Maximum capability ceiling when privacy isn't the binding constraint |
+| **`managed`** | Sent to OpenCode's hosted routing service (OpenCode Zen). PAYG, vendor-managed model selection. Free tier available. | Lowest-friction "just give me a working setup" option; new-user entry per official OpenCode docs |
+| **`proprietary`** | Sent to Anthropic / OpenAI / Google / Z.AI. Vendor's standard ToS applies. | Maximum capability ceiling when privacy isn't the binding constraint |
+| **`subscription`** | Sent via vendor-managed OAuth (GitHub Copilot Pro+). Auth lives in OpenCode's user state, not `opencode.json`. | Flat-fee bridge to Opus 4.7 + GPT-5.3-Codex post-Anthropic-OAuth-ban; $39/mo all-you-can-eat |
 
 ## How to pick
 
@@ -138,6 +140,35 @@ bash .opencode/scripts/configure-backend.sh \
 The host's logging policy applies. If that's not acceptable for your data,
 move to `private_local` or `enterprise`.
 
+## `managed` — OpenCode-routed PAYG (Zen)
+
+OpenCode's own hosted routing service. PAYG with auto-reload, 40+ models
+including a free tier (Big Pickle, DeepSeek V4 Flash Free, MiniMax M2.5
+Free, Nemotron 3 Super Free). Lowest-friction "just give me something
+that works" option per OpenCode's own docs — the recommended new-user
+entry point.
+
+| Provider | Default model | Notes |
+|----------|---------------|-------|
+| OpenCode Zen (`opencode` / `zen` / `opencode_zen`) | `gpt-5.5` | 40+ models, $5 auto-reload trigger, free-tier models available |
+
+```bash
+export OPENCODE_ZEN_API_KEY="..."   # get a key at opencode.ai/zen
+bash .opencode/scripts/configure-backend.sh \
+     --tier managed --provider opencode \
+     --model "gpt-5.5"
+
+# Or use a free-tier model for $0 work:
+bash .opencode/scripts/configure-backend.sh \
+     --tier managed --provider opencode \
+     --model "deepseek-v4-flash-free"
+```
+
+**Privacy positioning.** Sits between `hosted_oss` and `proprietary`:
+prompts go through OpenCode's infra (you don't control the upstream
+routing decisions), but you're not directly bound to a specific vendor
+contract. Less private than DIY hosted, less locked-in than vendor.
+
 ## `proprietary` — max capability, vendor-bound
 
 Anthropic Claude, OpenAI GPT, or Google AI Studio (Gemini). Use when
@@ -159,6 +190,47 @@ bash .opencode/scripts/configure-backend.sh \
      --model gemini-3.1-pro
 ```
 
+Plus Z.AI GLM Coding Plan (post-Anthropic-OAuth-ban migration target):
+
+```bash
+export ZAI_API_KEY="..."
+bash .opencode/scripts/configure-backend.sh \
+     --tier proprietary --provider zai \
+     --model glm-4.6
+```
+
+## `subscription` — OAuth-managed sub bridge (Copilot Pro+)
+
+The only subscription path that bridges Claude Opus 4.7 + GPT-5.3-Codex
+into OpenCode as of May 2026. Anthropic killed third-party OAuth in
+Jan/Feb 2026 (OpenCode removed the OAuth code March 2026); GitHub
+Copilot Pro+ ($39/mo) is now the lone whitelisted bridge.
+
+Critical shape difference from every other tier: **auth is OAuth, not
+an API key**. No env var goes into `opencode.json`; the wizard scaffolds
+the model pin and OpenCode's native `github-copilot` adapter handles the
+device-flow OAuth on first use.
+
+| Provider | Default model | Notes |
+|----------|---------------|-------|
+| GitHub Copilot (`github-copilot` / `copilot` / `gh-copilot`) | `claude-opus-4-7` | $39/mo for Pro+ unlocks Opus + GPT-5.3-Codex; auth via `/connect` in OpenCode |
+
+```bash
+# Scaffold the pin (no env var needed — wizard writes the model field):
+bash .opencode/scripts/configure-backend.sh \
+     --tier subscription --provider copilot \
+     --model claude-opus-4-7
+
+# Complete OAuth (one-time per machine):
+opencode    # → /connect → search "GitHub Copilot" → enter the code
+            #   at github.com/login/device
+```
+
+**Privacy positioning.** Prompts go to GitHub/Microsoft/OpenAI/Anthropic
+via Copilot's routing under the Pro+ contract. Their terms apply; Copilot
+specifically does not train on Pro+ prompts per their docs (verify at the
+plan page — pricing and ToS change frequently).
+
 ## What the wizard itself sends
 
 Nothing automatic. The plugin shim, hooks, and skills run locally in the

ROADMAP.md

@@ -153,24 +153,49 @@ model than build work. v0.10.0 makes the split a one-flag-pair operation.
 Planner / docs / test-writer agent routing deferred to v0.10.1+ — `pick`
 gains `--planner-*` / `--docs-*` flags as each pattern is validated.
 
-## v0.10.1+ candidates (unprioritized)
-
-- **Per-agent `permission` sandboxing**: 9/15 surveyed configs use
-  `agent.<name>.permission.write` to scope what each agent can touch
-  (test-writer can only write `**/*.test.ts`, docs only `**/*.md`).
-  Maps directly onto our SDLC steps; pick could emit a starter block.
-- **Planner / docs / test-writer flags on `pick`**: extend Mixed-Mode
-  beyond coder + reviewer once each pattern has community validation.
+## v0.10.1 → v0.13.1 — community-signal sprint — shipped 2026-05-17 / 2026-05-18
+
+Once `pick` existed, the May-17 community-patterns research surfaced a
+clear queue: 5/6 of the highest-signal community patterns ranked above
+50% adoption in surveyed `opencode.json` files. The v0.10.1–v0.13.1
+arc shipped every one of them. Wizard is now **feature-complete relative
+to May-2026 community signals**.
+
+- ✅ v0.10.1 — `--sandbox-test-writer` + `--sandbox-docs` (path-scoped permission blocks)
+- ✅ v0.10.2 — `--planner-*` (Mixed-Mode for the plan agent; community's #1 most-overridden agent at 57%)
+- ✅ v0.10.2 — default-model bumps: openai → `gpt-5.3-codex`, google → `gemini-3.1-pro`
+- ✅ v0.10.3 — default-model bumps: deepseek → `deepseek-v4-flash`, groq → `gpt-oss-120b`
+- ✅ v0.10.4 — `--small-*` for top-level `small_model` (35–40% community adoption)
+- ✅ v0.10.5 — `--sandbox-plan` (categorical tool denial via `agent.plan.tools.{write,edit,patch}=false`)
+- ✅ v0.10.6 — cost-ladder.md recalibration (model IDs + Z.AI quarterly pricing)
+- ✅ v0.11.0 — Z.AI GLM Coding Plan as proprietary provider (post-Anthropic-OAuth-ban migration target)
+- ✅ v0.11.1 — `--coder-temp` / `--planner-temp` / `--reviewer-temp` per-agent temperatures
+- ✅ v0.11.2 — full security agent: `--security-*` triplet + `--security-temp` + `--sandbox-security`
+- ✅ v0.12.0 — new `managed` tier; OpenCode Zen (`opencode` provider; 40+ models incl. free tier)
+- ✅ v0.13.0 — new `subscription` tier; GitHub Copilot Pro+ (first OAuth-based provider, no env-var)
+- ✅ v0.13.1 — PRIVACY.md tier walkthroughs updated for the six-tier reality
+
+**Wizard surface as of v0.13.1:**
+
+- **6 tiers**: `private_local`, `enterprise`, `hosted_oss`, `managed`, `proprietary`, `subscription`
+- **17 providers** with canonical default-model entries
+- **5 first-class agents**: coder/build, small_model, planner (plan), reviewer (review), security
+- **3 sandbox shapes**: path-scoped permission.write (test-writer, docs), categorical tools-denial (plan, security)
+- **407 tests across 12 suites**
+- **15 tagged releases this sprint** (v0.8.4 → v0.13.1)
+
+## v0.13.2+ candidates (post-sprint backlog, no community-research backing)
+
+These are speculative — they have no direct community-signal evidence
+behind them. Either dogfood feedback or a fresh research pass should
+drive what's next.
+
 - **Auto-nudge integration**: `instructions-loaded-check.sh` hook
   delegates to `check-updates.sh` instead of duplicating the version-
-  check logic. Net: one source of truth, fewer drift opportunities.
-- **Copilot Pro+ as first-class provider**: per May-2026 research,
-  Copilot Pro+ ($39/mo) is now the only subscription path to Opus 4.7
-  + GPT-5.x-Codex inside OpenCode (Anthropic killed Claude Pro OAuth
-  in Feb 2026). Add `subscription` tier + Copilot config block.
-- **NIM 1M-context emphasis in cost-ladder**: per research, NVIDIA NIM
-  free tier has 1M-token context on DeepSeek V4 with RPM-only limits —
-  bigger than Cerebras's 8K-64K free cap. Underused in current docs.
+  check logic. DRY refactor; drift prevention only.
+- **NIM 1M-context emphasis in cost-ladder**: per May-2026 research,
+  NVIDIA NIM free tier has 1M-token context on DeepSeek V4 with
+  RPM-only limits — bigger than Cerebras's 8K-64K free cap. Doc patch.
 - **OPENCODE_SDLC_WIZARD.md master doc**: equivalent of parent's
   4506-line CLAUDE_CODE_SDLC_WIZARD.md. Heavier lift; defer until
   consumer feedback says it's needed.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sdlc-wizard",
-  "version": "0.13.0",
+  "version": "0.13.1",
   "description": "SDLC enforcement for OpenCode CLI — privacy-first, any-backend portability with a four-tier backend picker plus an OSS-tier cross-model-review skill so the full SDLC loop can run with zero Anthropic+OpenAI lock-in. Ships JSON Schemas for review artifacts so any consumer (cross-model-review, ditto, CI) can validate. Install with `npx opencode-sdlc-wizard init`. Sibling of agentic-sdlc-wizard and codex-sdlc-wizard.",
   "bin": {
     "opencode-sdlc-wizard": "cli/bin/opencode-sdlc-wizard.js"