@codyswann/lisa 2.158.0 → 2.158.2

package/package.json

@@ -84,7 +84,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/hooks/parity-safety-net.sh

@@ -61,14 +61,32 @@ fi
 
 # 2. Force-pushing a protected branch. `--force-with-lease` is the safe,
 #    non-clobbering alternative and is intentionally NOT blocked.
-if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_-])git[[:space:]]+push\b'; then
-  if printf '%s' "$command_str" | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
-    && ! printf '%s' "$command_str" | grep -Eiq -- '--force-with-lease'; then
-    if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
-      block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
-    fi
+#
+#    The force flag AND the protected-branch name must appear in the SAME
+#    `git push` statement. Checking them independently over the whole command is
+#    a false-positive magnet: an unrelated `-f` (a `[ -f file ]` test, `rm -f`,
+#    `grep -f`, `tail -f`) plus an unrelated protected name (`--base main`,
+#    `origin/main`, `git fetch origin main`) alongside any feature-branch
+#    `git push` would wrongly block. So split the command into statements
+#    (`;`, `&&`, `||`, `|`, newlines), keep only the `git push` segments, and
+#    inspect each in isolation — a real `git push --force origin main` still
+#    matches, while a feature-branch push next to `[ -f ]`/`--base main` passes.
+# Normalize bash line-continuations (backslash + newline → space) before
+# segmenting the command. Without this, "git push --force origin \<newline>main"
+# gets split by the grep into a segment that matches --force but not `main`,
+# letting a protected force-push slip past the guard.
+normalized_command_str="$(printf '%s' "$command_str" | sed ':a;N;$!ba;s/\\\n/ /g')"
+
+while IFS= read -r push_stmt; do
+  if printf '%s' "$push_stmt" \
+    | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
+    && ! printf '%s' "$push_stmt" | grep -Eiq -- '--force-with-lease' \
+    && printf '%s' "$push_stmt" \
+    | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
+    block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
   fi
-fi
+done < <(printf '%s' "$normalized_command_str" | tr '&|;' '\n' \
+  | grep -Ei '(^|[^[:alnum:]_-])git[[:space:]]+push\b')
 
 # 3. `git reset --hard` while the working tree has uncommitted changes — this
 #    silently discards them. Only blocks when the tree is actually dirty, so a

package/plugins/lisa-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "AWS CDK-specific Lisa plugin.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/hooks/parity-safety-net.sh

@@ -61,14 +61,32 @@ fi
 
 # 2. Force-pushing a protected branch. `--force-with-lease` is the safe,
 #    non-clobbering alternative and is intentionally NOT blocked.
-if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_-])git[[:space:]]+push\b'; then
-  if printf '%s' "$command_str" | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
-    && ! printf '%s' "$command_str" | grep -Eiq -- '--force-with-lease'; then
-    if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
-      block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
-    fi
+#
+#    The force flag AND the protected-branch name must appear in the SAME
+#    `git push` statement. Checking them independently over the whole command is
+#    a false-positive magnet: an unrelated `-f` (a `[ -f file ]` test, `rm -f`,
+#    `grep -f`, `tail -f`) plus an unrelated protected name (`--base main`,
+#    `origin/main`, `git fetch origin main`) alongside any feature-branch
+#    `git push` would wrongly block. So split the command into statements
+#    (`;`, `&&`, `||`, `|`, newlines), keep only the `git push` segments, and
+#    inspect each in isolation — a real `git push --force origin main` still
+#    matches, while a feature-branch push next to `[ -f ]`/`--base main` passes.
+# Normalize bash line-continuations (backslash + newline → space) before
+# segmenting the command. Without this, "git push --force origin \<newline>main"
+# gets split by the grep into a segment that matches --force but not `main`,
+# letting a protected force-push slip past the guard.
+normalized_command_str="$(printf '%s' "$command_str" | sed ':a;N;$!ba;s/\\\n/ /g')"
+
+while IFS= read -r push_stmt; do
+  if printf '%s' "$push_stmt" \
+    | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
+    && ! printf '%s' "$push_stmt" | grep -Eiq -- '--force-with-lease' \
+    && printf '%s' "$push_stmt" \
+    | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
+    block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
   fi
-fi
+done < <(printf '%s' "$normalized_command_str" | tr '&|;' '\n' \
+  | grep -Ei '(^|[^[:alnum:]_-])git[[:space:]]+push\b')
 
 # 3. `git reset --hard` while the working tree has uncommitted changes — this
 #    silently discards them. Only blocks when the tree is actually dirty, so a

package/plugins/lisa-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cursor/hooks/parity-safety-net.sh

@@ -61,14 +61,32 @@ fi
 
 # 2. Force-pushing a protected branch. `--force-with-lease` is the safe,
 #    non-clobbering alternative and is intentionally NOT blocked.
-if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_-])git[[:space:]]+push\b'; then
-  if printf '%s' "$command_str" | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
-    && ! printf '%s' "$command_str" | grep -Eiq -- '--force-with-lease'; then
-    if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
-      block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
-    fi
+#
+#    The force flag AND the protected-branch name must appear in the SAME
+#    `git push` statement. Checking them independently over the whole command is
+#    a false-positive magnet: an unrelated `-f` (a `[ -f file ]` test, `rm -f`,
+#    `grep -f`, `tail -f`) plus an unrelated protected name (`--base main`,
+#    `origin/main`, `git fetch origin main`) alongside any feature-branch
+#    `git push` would wrongly block. So split the command into statements
+#    (`;`, `&&`, `||`, `|`, newlines), keep only the `git push` segments, and
+#    inspect each in isolation — a real `git push --force origin main` still
+#    matches, while a feature-branch push next to `[ -f ]`/`--base main` passes.
+# Normalize bash line-continuations (backslash + newline → space) before
+# segmenting the command. Without this, "git push --force origin \<newline>main"
+# gets split by the grep into a segment that matches --force but not `main`,
+# letting a protected force-push slip past the guard.
+normalized_command_str="$(printf '%s' "$command_str" | sed ':a;N;$!ba;s/\\\n/ /g')"
+
+while IFS= read -r push_stmt; do
+  if printf '%s' "$push_stmt" \
+    | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
+    && ! printf '%s' "$push_stmt" | grep -Eiq -- '--force-with-lease' \
+    && printf '%s' "$push_stmt" \
+    | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
+    block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
   fi
-fi
+done < <(printf '%s' "$normalized_command_str" | tr '&|;' '\n' \
+  | grep -Ei '(^|[^[:alnum:]_-])git[[:space:]]+push\b')
 
 # 3. `git reset --hard` while the working tree has uncommitted changes — this
 #    silently discards them. Only blocks when the tree is actually dirty, so a

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Expo and React Native-specific skills, agents, rules, and MCP servers.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Harper/Fabric-specific Lisa rules for TypeScript component apps.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "NestJS-specific skills and migration write-protection hooks.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Ruby on Rails-specific skills and hooks for RuboCop and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "TypeScript-specific hooks for formatting, linting, and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "Distributable LLM Wiki kernel — ingest, query, lint, and maintain a git-native markdown knowledge base across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.158.0",
+  "version": "2.158.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/hooks/parity-safety-net.sh

@@ -61,14 +61,32 @@ fi
 
 # 2. Force-pushing a protected branch. `--force-with-lease` is the safe,
 #    non-clobbering alternative and is intentionally NOT blocked.
-if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_-])git[[:space:]]+push\b'; then
-  if printf '%s' "$command_str" | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
-    && ! printf '%s' "$command_str" | grep -Eiq -- '--force-with-lease'; then
-    if printf '%s' "$command_str" | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
-      block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
-    fi
+#
+#    The force flag AND the protected-branch name must appear in the SAME
+#    `git push` statement. Checking them independently over the whole command is
+#    a false-positive magnet: an unrelated `-f` (a `[ -f file ]` test, `rm -f`,
+#    `grep -f`, `tail -f`) plus an unrelated protected name (`--base main`,
+#    `origin/main`, `git fetch origin main`) alongside any feature-branch
+#    `git push` would wrongly block. So split the command into statements
+#    (`;`, `&&`, `||`, `|`, newlines), keep only the `git push` segments, and
+#    inspect each in isolation — a real `git push --force origin main` still
+#    matches, while a feature-branch push next to `[ -f ]`/`--base main` passes.
+# Normalize bash line-continuations (backslash + newline → space) before
+# segmenting the command. Without this, "git push --force origin \<newline>main"
+# gets split by the grep into a segment that matches --force but not `main`,
+# letting a protected force-push slip past the guard.
+normalized_command_str="$(printf '%s' "$command_str" | sed ':a;N;$!ba;s/\\\n/ /g')"
+
+while IFS= read -r push_stmt; do
+  if printf '%s' "$push_stmt" \
+    | grep -Eiq '(--force([[:space:]]|=|$)|[[:space:]]-f([[:space:]]|$))' \
+    && ! printf '%s' "$push_stmt" | grep -Eiq -- '--force-with-lease' \
+    && printf '%s' "$push_stmt" \
+    | grep -Eiq '(^|[^[:alnum:]_/-])(main|master|production|prod|release)([^[:alnum:]_/-]|$)'; then
+    block "force-pushing a protected branch (use --force-with-lease, or push a feature branch)"
   fi
-fi
+done < <(printf '%s' "$normalized_command_str" | tr '&|;' '\n' \
+  | grep -Ei '(^|[^[:alnum:]_-])git[[:space:]]+push\b')
 
 # 3. `git reset --hard` while the working tree has uncommitted changes — this
 #    silently discards them. Only blocks when the tree is actually dirty, so a