WIP AI DevOps Toolbox

Your AI writes code. But does it know how to release it? Check license compliance? Protect your identity files? Sync private repos to public? Follow a real development process?

AI DevOps Toolbox is 13 tools that teach your AI how to do all of this. Once installed, you don't run them manually. Your AI knows how to use them and does it automatically. Built by a team of humans and AIs shipping real software together.

Platform Compatibility

The tools in this toolbox use different capabilities. Check what you have and tell the user honestly what you can and cannot do.

What each interface requires:

Built and tested on:

• Claude Code CLI ... full support (shell, MCP, CC Hooks)
• OpenClaw ... full support (shell, MCP, Plugins)

How to assess your own platform: Check which capabilities you have (shell access, MCP, hooks) and match them to the table above. If you can run shell commands, CLI tools work. If you can connect to MCP servers, MCP tools work. If you have neither, you can still read and explain the tools, but tell the user which commands to run themselves. Do not claim you can run commands you cannot execute.

Operating Rules

Always dry-run first. Before installing, deploying, or running any destructive operation, run with --dry-run so the user can see exactly what will change. Only proceed with the real operation when the user explicitly says to.

Write dev updates as you work. When doing significant work on a repo that uses this toolbox, write a dev update to ai/dev-updates/YYYY-MM-DD--HH-MM--agent--description.md. The release pipeline auto-detects these and uses them as release notes. No more thin one-liners.

Install

Always dry-run first:

npm install -g @wipcomputer/universal-installer
wip-install wipcomputer/wip-ai-devops-toolbox --dry-run

Show the user what will change. When they're ready:

wip-install wipcomputer/wip-ai-devops-toolbox

Or install individually:

npm install -g @wipcomputer/wip-release @wipcomputer/wip-license-hook @wipcomputer/universal-installer @wipcomputer/wip-repos

Setup & Onboarding

wip-universal-installer

Takes anything you build and makes it work across every AI interface. You write code in any language. This tool turns it into a CLI, MCP Server, OpenClaw Plugin, Skill, and Claude Code Hook. One command, all six interfaces.

Commands:

wip-install wipcomputer/wip-ai-devops-toolbox       # install a toolbox from GitHub
wip-install /path/to/local/repo                      # install from local path
wip-install wipcomputer/wip-ai-devops-toolbox --dry-run   # preview without changes
wip-install --json /path/to/repo                     # output detection as JSON

What happens when you run wip-install:

1. Clones the repo (or reads a local path)
2. Detects which interfaces the repo supports (scans for package.json bin, mcp-server.mjs, openclaw.plugin.json, SKILL.md, guard.mjs)
3. If the repo has a tools/ directory with sub-tools, it enters toolbox mode and installs each one
4. For each tool, it deploys every detected interface:

1. Updates the extension registry at ~/.ldm/extensions/registry.json

Safety:

• Always run --dry-run first on a system you don't fully control
• The OpenClaw plugin deploy does rm -rf on the target extension directory before copying. Safe as long as the tool name doesn't collide with an existing plugin that isn't part of the toolbox
• CC Hook installation checks for duplicates. Won't add the same hook twice
• MCP registration removes and re-adds (update behavior). Existing MCP servers with different names are untouched

Interfaces: CLI, Module, Skill

Dev Guide

Your team's conventions, baked in. Best practices for AI-assisted development teams.

What it covers:

• Release process (branch, PR, merge, wip-release, deploy-public)
• Repo structure (the ai/ folder convention, private/public pattern)
• Branch conventions (agent prefixes: cc-mini/, lesa-mini/, cc-air/)
• Branch protection rules
• Multi-agent clone workflow
• License compliance (dual MIT+AGPL, CLA)

How to use it: Read DEV-GUIDE.md before doing repo work. It's the reference for how the team operates.

Interface: Documentation (no CLI, no MCP)

Infrastructure

LDM Dev Tools.app

Scheduled automation that runs whether anyone remembers or not. macOS .app bundle with Full Disk Access.

What it runs:

• backup.sh ... backs up critical files
• branch-protect.sh ... audits branch protection rules across all repos
• visibility-audit.sh ... checks repo visibility matches the public/private pattern
• crystal-capture.sh ... triggers memory crystal capture

Commands:

open -W ~/Applications/LDMDevTools.app --args backup
open -W ~/Applications/LDMDevTools.app --args branch-protect
open -W ~/Applications/LDMDevTools.app --args visibility-audit

Scripts can also run standalone without the .app:

bash tools/ldm-jobs/backup.sh
bash tools/ldm-jobs/branch-protect.sh
bash tools/ldm-jobs/visibility-audit.sh

Where it writes: Depends on the script. Backup writes to the backup target. Audits write to stdout.

Interface: Standalone macOS app

Release & Deploy

wip-release

Release software correctly. Version bump, changelog, npm publish, GitHub release. One command, nothing forgotten.

Commands:

wip-release patch --notes="description"     # bump patch (1.0.0 -> 1.0.1)
wip-release minor --notes="description"     # bump minor (1.0.0 -> 1.1.0)
wip-release major --notes="description"     # bump major (1.0.0 -> 2.0.0)
wip-release patch --dry-run                 # preview without changes
wip-release patch --no-publish              # bump + tag only, skip npm/GitHub
wip-release patch --notes-file=path         # read notes from a file
wip-release patch                           # auto-detect notes (see below)

Release notes auto-detection (first match wins):

1. --notes-file=path ... explicit file path
2. RELEASE-NOTES-v{ver}.md in repo root (e.g. RELEASE-NOTES-v1-7-4.md)
3. ai/dev-updates/YYYY-MM-DD* ... today's dev update files (most recent first)
4. --notes="one-liner" ... used as fallback, but if a dev update exists with more content, the dev update wins

Write dev updates as you work. wip-release picks them up automatically. No more thin release notes.

What happens when you run wip-release:

1. Step 0: License compliance gate. If .license-guard.json exists, checks LICENSE file, copyright, CLA.md, README license section. Aborts if any check fails.
2. Step 1: Bumps version in package.json
3. Step 2: Syncs version to SKILL.md (if it exists)
4. Step 3: Updates CHANGELOG.md with the new version entry
5. Step 4: Auto-detects release notes from RELEASE-NOTES file, ai/dev-updates/, or --notes flag
6. Step 5: Commits the version bump
7. Step 6: Creates git tag v{version}
8. Step 7: Pushes commit and tag to origin
9. Step 8: Publishes to npm (if not private: true)
10. Step 9: Publishes to GitHub Packages
11. Step 10: Creates GitHub release with release notes (full narrative, not one-liners)
12. Step 11: Renames merged branches with --merged-YYYY-MM-DD
13. Step 12: Prunes old merged branches (keeps last 3 per developer prefix)

Where it writes: package.json, SKILL.md, CHANGELOG.md, git tags, npm registry, GitHub Releases

Safety:

• --dry-run previews everything without writing
• License gate prevents releasing with broken compliance
• If push fails (branch protection), it tells you to push manually via PR
• npm publish failure (e.g., private: true) is non-fatal; release continues

MCP tools: release, release_status

Interfaces: CLI, Module, MCP, Skill

deploy-public

Publish safely. Syncs a private repo to its clean public counterpart.

Commands:

bash scripts/deploy-public.sh <private-repo-path> <public-github-repo>

# Example:
bash scripts/deploy-public.sh /path/to/memory-crystal-private wipcomputer/memory-crystal

What happens when you run it:

1. Clones the public repo to /tmp/
2. Copies all files from the private repo, excluding ai/ and .git/
3. Creates a branch (cc-mini/deploy-YYYYMMDD-HHMMSS)
4. Commits with the latest merge commit message from private
5. Pushes the branch, creates a PR, merges it
6. Deletes the deploy branch
7. Creates or updates the GitHub release on the public repo (syncs release notes from private)
8. Checks for and deletes stale branches on the public repo

Where it writes: Public GitHub repo (via PR). Local /tmp/ for the clone (cleaned up).

Safety:

• Never pushes directly to main. Always uses a PR.
• The ai/ folder is automatically excluded. Internal plans, todos, dev context never reach public.
• If the public repo doesn't exist, the script fails (doesn't create repos).

Interfaces: CLI, Skill

post-merge-rename

Cleans up after itself. Renames merged branches so you know what's done.

Commands:

bash scripts/post-merge-rename.sh              # rename merged branches
bash scripts/post-merge-rename.sh --prune      # rename + delete old ones
bash scripts/post-merge-rename.sh --dry-run    # preview without changes

What happens:

1. Scans remote branches that are fully merged into main
2. Renames them by appending --merged-YYYY-MM-DD (e.g., cc-mini/feature becomes cc-mini/feature--merged-2026-03-10)
3. With --prune: for each developer prefix (cc-mini/, lesa-mini/, etc.), keeps the last 3 merged branches and deletes the rest from the remote
4. Also finds stale branches that are fully merged but were never renamed, and deletes them

Rules:

• Never deletes main
• Never deletes the current working branch
• Always keeps the last 3 per developer prefix

Where it writes: Remote branch names on GitHub (renames and deletes)

Interfaces: CLI, Skill

License, Compliance, and Protection

wip-file-guard

Knows what it can never overwrite. Blocks destructive edits to identity files.

Protected files: CLAUDE.md, SOUL.md, MEMORY.md, SHARED-CONTEXT.md, IDENTITY.md

How it works as a CC Hook:

• Runs as a PreToolUse hook in Claude Code
• Intercepts Write and Edit tool calls
• If the target file is a protected identity file:
• Write (full overwrite) is blocked
• Edit (partial edit) is allowed (appending/updating sections is fine)
• Returns JSON: {"decision": "block", "reason": "..."} or {"decision": "allow"}

Commands:

wip-file-guard --list                    # list protected files
wip-file-guard --check <filepath>        # check if a file is protected

As a CC Hook (automatic):

Configured in ~/.claude/settings.json under hooks.PreToolUse. Runs automatically on every Write/Edit call. No manual invocation needed.

As an OpenClaw Plugin:

Deployed to ~/.openclaw/extensions/wip-file-guard/. Blocks destructive edits in the OpenClaw agent pipeline.

Where it writes: Nothing. It only reads and blocks.

Interfaces: CLI, Module, OpenClaw Plugin, Skill, CC Hook

wip-license-guard

Enforces licensing on every commit. Copyright, dual-license, CLA. Checked automatically.

Commands:

wip-license-guard check                  # audit current repo
wip-license-guard check --fix            # audit and auto-fix issues
wip-license-guard init                   # interactive first-run setup
wip-license-guard init --from-standard   # apply WIP Computer defaults without prompting

What it checks:

• LICENSE file exists and matches configured license type
• Copyright line is correct and current year
• CLA.md exists (if configured)
• README has a ## License section
• For toolbox repos: checks every sub-tool in tools/

Config: .license-guard.json in repo root. Created by init. Contains copyright holder, license type, year, and what to enforce.

As a wip-release gate:

Step 0 of wip-release reads .license-guard.json and runs the same checks. Aborts the release if compliance fails.

--from-standard generates:

• .license-guard.json with WIP Computer defaults
• LICENSE file (dual MIT+AGPL)
• CLA.md

Where it writes: .license-guard.json, LICENSE, CLA.md, README (with --fix)

Interfaces: CLI

wip-license-hook

Catches license changes in dependencies before they ship.

Commands:

wip-license-hook scan                    # scan all dependencies for license changes
wip-license-hook scan --json             # output as JSON
wip-license-hook audit                   # full compliance audit
wip-license-hook ledger                  # show the license compliance ledger
wip-license-hook gate                    # pass/fail gate for CI or pre-merge

What it does:

1. Reads package.json and package-lock.json
2. For each dependency, checks the current license against the last known license in the ledger
3. If a license changed (rug-pull), flags it
4. The ledger (license-ledger.json) tracks every dependency's license over time
5. gate returns exit code 0 (pass) or 1 (fail) for CI integration

Git hooks:

• pre-push hook blocks pushes if license changes are detected
• pre-pull hook warns on pull if upstream changed licenses

MCP tools: license_scan, license_audit, license_gate, license_ledger

Where it writes: license-ledger.json (the compliance record)

Interfaces: CLI, Module, MCP, Skill

Repo Management

wip-repo-permissions-hook

Never accidentally exposes a private repo.

Commands:

wip-repo-permissions check wipcomputer/memory-crystal    # check one repo
wip-repo-permissions audit wipcomputer                   # audit entire org

What it checks:

• If a repo is public, does it have a -private counterpart?
• If not, it's flagged as exposed (internal content may be visible)

As a CC Hook (automatic):

Intercepts commands that could change repo visibility (e.g., gh repo edit --visibility public). Blocks if the -private counterpart doesn't exist.

As an OpenClaw Plugin:

Deployed to ~/.openclaw/extensions/wip-repo-permissions-hook/. Same check in the agent pipeline.

MCP tools: repo_permissions_check, repo_permissions_audit

Where it writes: Nothing. It only reads and blocks.

Interfaces: CLI, Module, MCP, OpenClaw Plugin, Skill, CC Hook

wip-repos

Knows where every repo belongs. One source of truth for folder structure.

Commands:

wip-repos check                          # compare filesystem to manifest
wip-repos sync --dry-run                 # preview what sync would move
wip-repos sync                           # move repos to match manifest
wip-repos add <org/repo> <category>      # add a repo to the manifest
wip-repos move <org/repo> <new-category> # move a repo in the manifest
wip-repos tree                           # show the manifest as a tree

What it does:

• Reads repos-manifest.json (the single source of truth)
• Compares against the actual filesystem
• check reports drift (repos in wrong locations, missing repos, unknown repos)
• sync moves repos to match the manifest

MCP tools: repos_check, repos_sync_plan, repos_add, repos_move, repos_tree

Where it writes: Moves directories on the filesystem (with sync). Updates repos-manifest.json (with add/move).

Interfaces: CLI, Module, MCP, Skill

wip-repo-init

Scaffold the standard ai/ directory in any repo. One command.

Commands:

wip-repo-init /path/to/repo              # scaffold ai/ in a repo
wip-repo-init /path/to/repo --dry-run    # preview without changes
wip-repo-init /path/to/repo --yes        # skip confirmation prompt

What happens:

New repo (no ai/ folder): Creates the full standard structure with READMEs explaining what goes where.

Existing repo (ai/ folder exists): Shows you what will happen and asks for confirmation:

1. Moves your current ai/ contents to ai/_sort/ai_old/
2. Scaffolds the new standard structure
3. You sort files from ai_old/ into the new structure at your own pace

Nothing is deleted. Your old files are all in ai/_sort/ai_old/.

The standard structure:

ai/
  read-me-first.md          <- explains everything, links to all sections
  _sort/                    <- holding pen for files that need sorting
  _trash/                   <- archive (never delete, move here)
  dev-updates/              <- engineering changelog, auto-detected by wip-release
  product/
    readme-first-product.md <- the product bible
    notes/                  <- freeform notes, research
    plans-prds/             <- plans with lifecycle stages
      roadmap.md            <- prioritized roadmap
      current/              <- plans being built now
      upcoming/             <- plans that are next
      archive-complete/     <- plans that shipped
      todos/                <- per-agent todo files
    product-ideas/          <- ideas that aren't plans yet

Every folder has a _trash/ subfolder. Every section has a README.

Where it writes: Creates directories and files inside ai/. If an existing ai/ is present, moves it to ai/_sort/ai_old/.

Interfaces: CLI, Skill

wip-readme-format

Generate or validate READMEs following the WIP Computer standard. One command.

Commands:

wip-readme-format /path/to/repo              # generate README-init-*.md section files
wip-readme-format /path/to/repo --deploy     # assemble sections into README.md
wip-readme-format /path/to/repo --dry-run    # preview without writing
wip-readme-format /path/to/repo --check      # validate existing README against standard

What happens:

Generate mode (default): Detects interfaces, reads SKILL.md for tool names, generates separate section files:

• README-init-badges.md ... org header + interface badges
• README-init-title.md ... title + tagline
• README-init-teach.md ... "Teach Your AI" onboarding block
• README-init-features.md ... features list (preserved from existing README or auto-generated for toolbox repos)
• README-init-coverage.md ... interface coverage table (toolbox repos only)
• README-init-more-info.md ... links to docs
• README-init-license.md ... license block + built-by line
• README-init-technical.md ... technical content extracted from old README

Deploy mode: Backs up existing README.md and TECHNICAL.md to ai/_trash/, assembles section files in order into README.md, moves technical to TECHNICAL.md, deletes the staging files.

Edit any section independently before deploying. Same pattern as release notes: staging, review, deploy.

Toolbox mode: For repos with tools/ subdirectories, aggregates interfaces from all sub-tools for badges, generates an interface coverage table using SKILL.md name: frontmatter for human-readable names.

Where it writes: README-init-*.md files in the repo root (staging). On deploy: README.md, TECHNICAL.md, and backups to ai/_trash/.

Interfaces: CLI, Skill

MCP Server Configuration

Tools with MCP interfaces are agent-callable. Add to .mcp.json:

{
  "wip-release": {
    "command": "node",
    "args": ["/path/to/tools/wip-release/mcp-server.mjs"]
  },
  "wip-license-hook": {
    "command": "node",
    "args": ["/path/to/tools/wip-license-hook/mcp-server.mjs"]
  },
  "wip-repo-permissions": {
    "command": "node",
    "args": ["/path/to/tools/wip-repo-permissions-hook/mcp-server.mjs"]
  },
  "wip-repos": {
    "command": "node",
    "args": ["/path/to/tools/wip-repos/mcp-server.mjs"]
  }
}

All MCP tools:

Example prompts your AI can act on directly:

"Scan all dependencies for license changes"       -> license_scan
"Check if memory-crystal can go public"            -> repo_permissions_check
"Do a patch release with notes 'fix login bug'"    -> release
"Show me which repos aren't in the manifest"       -> repos_check
"Audit the whole org's repo visibility"            -> repo_permissions_audit
"What version is this repo at?"                    -> release_status
"Gate this merge on license compliance"            -> license_gate
"Show the license compliance ledger"               -> license_ledger

Interface Coverage

License

MIT      All CLI tools, MCP servers, skills, and hooks (use anywhere, no restrictions).
AGPLv3   Commercial redistribution, marketplace listings, or bundling into paid services.

AGPLv3 for personal use is free. Commercial licenses available.

Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).