[AAASM-2774] 🔧 (sonar): Wire projectVersion off 0.0.0 + cover in release skills

.claude/skills/release-runbook/SKILL.md

@@ -228,6 +228,14 @@ state machine:
 - Downloading + staging the `aasm-*.tar.gz` binaries.
 - The post-publish `v<version>` git tag + GitHub Release.
 - The Docusaurus docs-version snapshot PR (`version-docs` job).
+- The SonarCloud `sonar.projectVersion`. `quality-report.yml` overrides the
+  `sonar-project.properties` value with `-Dsonar.projectVersion=<package.json
+  version>` at scan time, so the quality gate auto-advances once the five
+  `package.json` files are bumped — no manual `sonar.projectVersion` bump is
+  required on the release path (AAASM-2774). Keep the static fallback in
+  `sonar-project.properties` roughly in step with `package.json` so the gate
+  never falls back to `0.0.0` ("Not computed") if the scan ever runs without the
+  CI override.
 
 ## Detailed references
 

.claude/skills/sdk-only-release/SKILL.md

@@ -160,6 +160,12 @@ Three operator-side rules govern every dispatch:
   `repository_dispatch`); refresh docs separately if needed.
 - dist-tag promotion is a separate operator step from an authenticated
   terminal: `npm dist-tag add @agent-assembly/sdk@<X> alpha`.
+- The SonarCloud `sonar.projectVersion` needs **no** manual bump for an SDK-only
+  release. `quality-report.yml` derives it from `package.json` at scan time
+  (`-Dsonar.projectVersion=<version>`), so once `<npm_version>` is committed to
+  `package.json` the quality gate tracks it automatically (AAASM-2774). Keep the
+  static fallback in `sonar-project.properties` roughly in step so the gate never
+  reverts to `0.0.0` ("Not computed").
 
 ## Do NOT manually run
 

.github/workflows/quality-report.yml

@@ -60,8 +60,17 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
 
+      - name: Resolve package version for Sonar
+        id: sonar_version
+        run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
+
       - name: SonarQube Scan
         if: ${{ env.SONAR_TOKEN != '' }}
         uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
         env:
           SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+        with:
+          # Override sonar-project.properties' static fallback so the quality
+          # gate version always tracks package.json and auto-advances per release.
+          args: >
+            -Dsonar.projectVersion=${{ steps.sonar_version.outputs.version }}

sonar-project.properties

@@ -3,7 +3,11 @@ sonar.projectKey=ai-agent-assembly_node-sdk
 sonar.organization=ai-agent-assembly
 
 sonar.projectName=node-sdk
-sonar.projectVersion=0.0.0
+# Static fallback only. The CI scan (.github/workflows/quality-report.yml)
+# overrides this with -Dsonar.projectVersion=<package.json version> so the
+# SonarCloud quality gate auto-advances each release. Keep this off 0.0.0 (which
+# stalls the gate at "Not computed") and roughly in step with package.json.
+sonar.projectVersion=0.0.1-rc.1
 
 sonar.projectBaseDir=./
 sonar.sources=src/