@imdeadpool/guardex 5.0.0 → 5.0.2

package/templates/githooks/pre-commit

@@ -50,9 +50,31 @@ case "$codex_require_agent_branch" in
   *) should_require_codex_agent_branch=1 ;;
 esac
 
+is_codex_managed_only_commit_on_protected=0
+if [[ "$is_codex_session" == "1" && "$is_protected_branch" == "1" ]]; then
+  deleted_paths="$(git diff --cached --name-only --diff-filter=D)"
+  staged_paths="$(git diff --cached --name-only --diff-filter=ACMRTUXB)"
+  if [[ -z "$deleted_paths" && -n "$staged_paths" ]]; then
+    managed_only=1
+    while IFS= read -r staged_path; do
+      case "$staged_path" in
+        AGENTS.md|.gitignore) ;;
+        *) managed_only=0; break ;;
+      esac
+    done <<< "$staged_paths"
+    if [[ "$managed_only" == "1" ]]; then
+      is_codex_managed_only_commit_on_protected=1
+    fi
+  fi
+fi
+
 if [[ "$should_require_codex_agent_branch" == "1" && "${MUSAFETY_ALLOW_CODEX_ON_NON_AGENT:-0}" != "1" ]]; then
   if [[ "$is_codex_session" == "1" && "$branch" != agent/* ]]; then
     if [[ "$is_protected_branch" == "1" ]]; then
+      if [[ "$is_codex_managed_only_commit_on_protected" == "1" ]]; then
+        exit 0
+      fi
+
       cat >&2 <<'MSG'
 [guardex-preedit-guard] Codex edit/commit detected on a protected branch.
 GuardeX requires Codex work to run from an isolated agent/* branch.

package/templates/scripts/agent-branch-finish.sh

@@ -5,9 +5,26 @@ BASE_BRANCH=""
 BASE_BRANCH_EXPLICIT=0
 SOURCE_BRANCH=""
 PUSH_ENABLED=1
-DELETE_REMOTE_BRANCH=1
+DELETE_REMOTE_BRANCH=0
+DELETE_REMOTE_BRANCH_EXPLICIT=0
 MERGE_MODE="auto"
 GH_BIN="${MUSAFETY_GH_BIN:-gh}"
+CLEANUP_AFTER_MERGE_RAW="${MUSAFETY_FINISH_CLEANUP:-false}"
+
+normalize_bool() {
+  local raw="${1:-}"
+  local fallback="${2:-0}"
+  local lowered
+  lowered="$(printf '%s' "$raw" | tr '[:upper:]' '[:lower:]')"
+  case "$lowered" in
+    1|true|yes|on) printf '1' ;;
+    0|false|no|off) printf '0' ;;
+    '') printf '%s' "$fallback" ;;
+    *) printf '%s' "$fallback" ;;
+  esac
+}
+
+CLEANUP_AFTER_MERGE="$(normalize_bool "$CLEANUP_AFTER_MERGE_RAW" "0")"
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
@@ -26,6 +43,20 @@ while [[ $# -gt 0 ]]; do
       ;;
     --keep-remote-branch)
       DELETE_REMOTE_BRANCH=0
+      DELETE_REMOTE_BRANCH_EXPLICIT=1
+      shift
+      ;;
+    --delete-remote-branch)
+      DELETE_REMOTE_BRANCH=1
+      DELETE_REMOTE_BRANCH_EXPLICIT=1
+      shift
+      ;;
+    --cleanup)
+      CLEANUP_AFTER_MERGE=1
+      shift
+      ;;
+    --no-cleanup)
+      CLEANUP_AFTER_MERGE=0
       shift
       ;;
     --mode)
@@ -42,12 +73,16 @@ while [[ $# -gt 0 ]]; do
       ;;
     *)
       echo "[agent-branch-finish] Unknown argument: $1" >&2
-      echo "Usage: $0 [--base <branch>] [--branch <branch>] [--no-push] [--keep-remote-branch] [--mode auto|direct|pr|--via-pr|--direct-only]" >&2
+      echo "Usage: $0 [--base <branch>] [--branch <branch>] [--no-push] [--cleanup|--no-cleanup] [--keep-remote-branch|--delete-remote-branch] [--mode auto|direct|pr|--via-pr|--direct-only]" >&2
       exit 1
       ;;
   esac
 done
 
+if [[ "$CLEANUP_AFTER_MERGE" -eq 1 && "$DELETE_REMOTE_BRANCH_EXPLICIT" -eq 0 ]]; then
+  DELETE_REMOTE_BRANCH=1
+fi
+
 case "$MERGE_MODE" in
   auto|direct|pr) ;;
   *)
@@ -347,43 +382,58 @@ if [[ -x "${repo_root}/scripts/agent-file-locks.py" ]]; then
   python3 "${repo_root}/scripts/agent-file-locks.py" release --branch "$SOURCE_BRANCH" >/dev/null 2>&1 || true
 fi
 
-if [[ "$source_worktree" == "$repo_root" ]]; then
-  if is_clean_worktree "$source_worktree"; then
-    git -C "$source_worktree" checkout "$BASE_BRANCH" >/dev/null 2>&1 || true
-    if [[ "$PUSH_ENABLED" -eq 1 ]] && git -C "$repo_root" show-ref --verify --quiet "refs/remotes/origin/${BASE_BRANCH}"; then
-      git -C "$source_worktree" pull --ff-only origin "$BASE_BRANCH" >/dev/null 2>&1 || true
+base_worktree="$(get_worktree_for_branch "$BASE_BRANCH")"
+if [[ -n "$base_worktree" ]] && is_clean_worktree "$base_worktree" && [[ "$PUSH_ENABLED" -eq 1 ]]; then
+  git -C "$base_worktree" pull --ff-only origin "$BASE_BRANCH" >/dev/null 2>&1 || true
+fi
+
+if [[ "$CLEANUP_AFTER_MERGE" -eq 1 ]]; then
+  if [[ "$source_worktree" == "$repo_root" ]]; then
+    if is_clean_worktree "$source_worktree"; then
+      git -C "$source_worktree" checkout "$BASE_BRANCH" >/dev/null 2>&1 || true
+      if [[ "$PUSH_ENABLED" -eq 1 ]] && git -C "$repo_root" show-ref --verify --quiet "refs/remotes/origin/${BASE_BRANCH}"; then
+        git -C "$source_worktree" pull --ff-only origin "$BASE_BRANCH" >/dev/null 2>&1 || true
+      fi
     fi
+  elif [[ "$source_worktree" == "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
+    git -C "$source_worktree" checkout --detach >/dev/null 2>&1 || true
   fi
-elif [[ "$source_worktree" == "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
-  git -C "$source_worktree" checkout --detach >/dev/null 2>&1 || true
-fi
 
-if [[ "$source_worktree" != "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
-  git -C "$repo_root" worktree remove "$source_worktree" --force >/dev/null 2>&1 || true
-fi
+  if [[ "$source_worktree" != "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
+    git -C "$repo_root" worktree remove "$source_worktree" --force >/dev/null 2>&1 || true
+  fi
 
-git -C "$repo_root" branch -d "$SOURCE_BRANCH"
+  git -C "$repo_root" branch -d "$SOURCE_BRANCH"
 
-if [[ "$PUSH_ENABLED" -eq 1 && "$DELETE_REMOTE_BRANCH" -eq 1 ]]; then
-  if git -C "$repo_root" ls-remote --exit-code --heads origin "$SOURCE_BRANCH" >/dev/null 2>&1; then
-    git -C "$repo_root" push origin --delete "$SOURCE_BRANCH"
+  if [[ "$PUSH_ENABLED" -eq 1 && "$DELETE_REMOTE_BRANCH" -eq 1 ]]; then
+    if git -C "$repo_root" ls-remote --exit-code --heads origin "$SOURCE_BRANCH" >/dev/null 2>&1; then
+      git -C "$repo_root" push origin --delete "$SOURCE_BRANCH"
+    fi
   fi
-fi
 
-base_worktree="$(get_worktree_for_branch "$BASE_BRANCH")"
-if [[ -n "$base_worktree" ]] && is_clean_worktree "$base_worktree" && [[ "$PUSH_ENABLED" -eq 1 ]]; then
-  git -C "$base_worktree" pull --ff-only origin "$BASE_BRANCH" >/dev/null 2>&1 || true
-fi
+  if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
+    prune_args=(--base "$BASE_BRANCH" --delete-branches)
+    if [[ "$DELETE_REMOTE_BRANCH" -eq 1 ]]; then
+      prune_args+=(--delete-remote-branches)
+    fi
+    if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" "${prune_args[@]}"; then
+      echo "[agent-branch-finish] Warning: automatic worktree prune failed." >&2
+      echo "[agent-branch-finish] You can run manual cleanup: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches" >&2
+    fi
+  fi
 
-if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
-  if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" --base "$BASE_BRANCH"; then
-    echo "[agent-branch-finish] Warning: automatic worktree prune failed." >&2
-    echo "[agent-branch-finish] You can run manual cleanup: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH}" >&2
+  echo "[agent-branch-finish] Merged '${SOURCE_BRANCH}' into '${BASE_BRANCH}' via ${merge_status} flow and cleaned source branch/worktree."
+  if [[ "$source_worktree" == "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
+    echo "[agent-branch-finish] Current worktree '${source_worktree}' still exists because it is the active shell cwd." >&2
+    echo "[agent-branch-finish] Leave this directory, then run: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches" >&2
+  fi
+else
+  if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
+    if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" --base "$BASE_BRANCH"; then
+      echo "[agent-branch-finish] Warning: temporary worktree prune failed." >&2
+    fi
   fi
-fi
 
-echo "[agent-branch-finish] Merged '${SOURCE_BRANCH}' into '${BASE_BRANCH}' via ${merge_status} flow and removed branch."
-if [[ "$source_worktree" == "$current_worktree" && "$source_worktree" == "${repo_root}/.omx/agent-worktrees"/* ]]; then
-  echo "[agent-branch-finish] Current worktree '${source_worktree}' still exists because it is the active shell cwd." >&2
-  echo "[agent-branch-finish] Leave this directory, then run: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH}" >&2
+  echo "[agent-branch-finish] Merged '${SOURCE_BRANCH}' into '${BASE_BRANCH}' via ${merge_status} flow and kept source branch/worktree."
+  echo "[agent-branch-finish] Cleanup later with: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches --delete-remote-branches"
 fi

package/templates/scripts/agent-worktree-prune.sh

@@ -1,22 +1,48 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-BASE_BRANCH="dev"
+BASE_BRANCH="${MUSAFETY_BASE_BRANCH:-}"
+BASE_BRANCH_EXPLICIT=0
 DRY_RUN=0
+FORCE_DIRTY=0
+DELETE_BRANCHES=0
+DELETE_REMOTE_BRANCHES=0
+TARGET_BRANCH=""
+
+if [[ -n "$BASE_BRANCH" ]]; then
+  BASE_BRANCH_EXPLICIT=1
+fi
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --base)
-      BASE_BRANCH="${2:-dev}"
+      BASE_BRANCH="${2:-}"
+      BASE_BRANCH_EXPLICIT=1
       shift 2
       ;;
     --dry-run)
       DRY_RUN=1
       shift
       ;;
+    --force-dirty)
+      FORCE_DIRTY=1
+      shift
+      ;;
+    --delete-branches)
+      DELETE_BRANCHES=1
+      shift
+      ;;
+    --delete-remote-branches)
+      DELETE_REMOTE_BRANCHES=1
+      shift
+      ;;
+    --branch)
+      TARGET_BRANCH="${2:-}"
+      shift 2
+      ;;
     *)
       echo "[agent-worktree-prune] Unknown argument: $1" >&2
-      echo "Usage: $0 [--base <branch>] [--dry-run]" >&2
+      echo "Usage: $0 [--base <branch>] [--dry-run] [--force-dirty] [--delete-branches] [--delete-remote-branches] [--branch <agent/...>]" >&2
       exit 1
       ;;
   esac
@@ -31,6 +57,51 @@ repo_root="$(git rev-parse --show-toplevel)"
 current_pwd="$(pwd -P)"
 worktree_root="${repo_root}/.omx/agent-worktrees"
 
+resolve_base_branch() {
+  local configured=""
+  local current=""
+
+  configured="$(git -C "$repo_root" config --get multiagent.baseBranch || true)"
+  if [[ -n "$configured" ]] && git -C "$repo_root" show-ref --verify --quiet "refs/heads/${configured}"; then
+    printf '%s' "$configured"
+    return 0
+  fi
+
+  current="$(git -C "$repo_root" rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
+  if [[ -n "$current" && "$current" != "HEAD" ]] && git -C "$repo_root" show-ref --verify --quiet "refs/heads/${current}"; then
+    printf '%s' "$current"
+    return 0
+  fi
+
+  for fallback in main dev; do
+    if git -C "$repo_root" show-ref --verify --quiet "refs/heads/${fallback}"; then
+      printf '%s' "$fallback"
+      return 0
+    fi
+  done
+
+  printf '%s' ""
+}
+
+if [[ "$BASE_BRANCH_EXPLICIT" -eq 1 && -z "$BASE_BRANCH" ]]; then
+  echo "[agent-worktree-prune] --base requires a non-empty branch name." >&2
+  exit 1
+fi
+
+if [[ -n "$TARGET_BRANCH" && "$TARGET_BRANCH" != agent/* ]]; then
+  echo "[agent-worktree-prune] --branch must reference an agent/* branch: ${TARGET_BRANCH}" >&2
+  exit 1
+fi
+
+if [[ "$BASE_BRANCH_EXPLICIT" -eq 0 ]]; then
+  BASE_BRANCH="$(resolve_base_branch)"
+fi
+
+if [[ -z "$BASE_BRANCH" ]]; then
+  echo "[agent-worktree-prune] Unable to infer base branch. Pass --base <branch>." >&2
+  exit 1
+fi
+
 if ! git -C "$repo_root" show-ref --verify --quiet "refs/heads/${BASE_BRANCH}"; then
   echo "[agent-worktree-prune] Base branch not found: ${BASE_BRANCH}" >&2
   exit 1
@@ -49,9 +120,17 @@ branch_has_worktree() {
   git -C "$repo_root" worktree list --porcelain | grep -q "^branch refs/heads/${branch}$"
 }
 
+is_clean_worktree() {
+  local wt="$1"
+  git -C "$wt" diff --quiet -- . ":(exclude).omx/state/agent-file-locks.json" \
+    && git -C "$wt" diff --cached --quiet -- . ":(exclude).omx/state/agent-file-locks.json" \
+    && [[ -z "$(git -C "$wt" ls-files --others --exclude-standard)" ]]
+}
+
 removed_worktrees=0
 removed_branches=0
 skipped_active=0
+skipped_dirty=0
 
 process_entry() {
   local wt="$1"
@@ -65,6 +144,10 @@ process_entry() {
     branch="${branch_ref#refs/heads/}"
   fi
 
+  if [[ -n "$TARGET_BRANCH" && "$branch" != "$TARGET_BRANCH" ]]; then
+    return
+  fi
+
   if [[ "$wt" == "$current_pwd" ]]; then
     skipped_active=$((skipped_active + 1))
     echo "[agent-worktree-prune] Skipping active cwd worktree: ${wt}"
@@ -79,7 +162,9 @@ process_entry() {
     remove_reason="missing-branch"
   elif [[ "$branch" == agent/* ]]; then
     if git -C "$repo_root" merge-base --is-ancestor "$branch" "$BASE_BRANCH"; then
-      remove_reason="merged-agent-branch"
+      if [[ "$DELETE_BRANCHES" -eq 1 ]]; then
+        remove_reason="merged-agent-branch"
+      fi
     fi
   elif [[ "$branch" == __agent_integrate_* || "$branch" == __source-probe-* ]]; then
     remove_reason="temporary-worktree"
@@ -89,6 +174,12 @@ process_entry() {
     return
   fi
 
+  if [[ "$FORCE_DIRTY" -ne 1 ]] && ! is_clean_worktree "$wt"; then
+    skipped_dirty=$((skipped_dirty + 1))
+    echo "[agent-worktree-prune] Skipping dirty worktree (${remove_reason}): ${wt}"
+    return
+  fi
+
   echo "[agent-worktree-prune] Removing worktree (${remove_reason}): ${wt}"
   run_cmd git -C "$repo_root" worktree remove "$wt" --force
   removed_worktrees=$((removed_worktrees + 1))
@@ -98,10 +189,16 @@ process_entry() {
   fi
 
   if git -C "$repo_root" show-ref --verify --quiet "refs/heads/${branch}" && ! branch_has_worktree "$branch"; then
-    if [[ "$branch" == agent/* ]]; then
+    if [[ "$branch" == agent/* && "$DELETE_BRANCHES" -eq 1 ]]; then
       if run_cmd git -C "$repo_root" branch -d "$branch" >/dev/null 2>&1; then
         removed_branches=$((removed_branches + 1))
         echo "[agent-worktree-prune] Deleted merged branch: ${branch}"
+        if [[ "$DELETE_REMOTE_BRANCHES" -eq 1 ]]; then
+          if git -C "$repo_root" ls-remote --exit-code --heads origin "$branch" >/dev/null 2>&1; then
+            run_cmd git -C "$repo_root" push origin --delete "$branch" >/dev/null 2>&1 || true
+            echo "[agent-worktree-prune] Deleted merged remote branch: ${branch}"
+          fi
+        fi
       fi
     elif [[ "$branch" == __agent_integrate_* || "$branch" == __source-probe-* ]]; then
       run_cmd git -C "$repo_root" branch -D "$branch" >/dev/null 2>&1 || true
@@ -134,22 +231,36 @@ done < <(git -C "$repo_root" worktree list --porcelain)
 
 process_entry "$current_wt" "$current_branch_ref"
 
-while IFS= read -r branch; do
-  [[ -z "$branch" ]] && continue
-  if branch_has_worktree "$branch"; then
-    continue
-  fi
-  if git -C "$repo_root" merge-base --is-ancestor "$branch" "$BASE_BRANCH"; then
-    if run_cmd git -C "$repo_root" branch -d "$branch" >/dev/null 2>&1; then
-      removed_branches=$((removed_branches + 1))
-      echo "[agent-worktree-prune] Deleted stale merged branch: ${branch}"
+if [[ "$DELETE_BRANCHES" -eq 1 ]]; then
+  while IFS= read -r branch; do
+    [[ -z "$branch" ]] && continue
+    if [[ -n "$TARGET_BRANCH" && "$branch" != "$TARGET_BRANCH" ]]; then
+      continue
     fi
-  fi
-done < <(git -C "$repo_root" for-each-ref --format='%(refname:short)' refs/heads/agent)
+    if branch_has_worktree "$branch"; then
+      continue
+    fi
+    if git -C "$repo_root" merge-base --is-ancestor "$branch" "$BASE_BRANCH"; then
+      if run_cmd git -C "$repo_root" branch -d "$branch" >/dev/null 2>&1; then
+        removed_branches=$((removed_branches + 1))
+        echo "[agent-worktree-prune] Deleted stale merged branch: ${branch}"
+        if [[ "$DELETE_REMOTE_BRANCHES" -eq 1 ]]; then
+          if git -C "$repo_root" ls-remote --exit-code --heads origin "$branch" >/dev/null 2>&1; then
+            run_cmd git -C "$repo_root" push origin --delete "$branch" >/dev/null 2>&1 || true
+            echo "[agent-worktree-prune] Deleted stale merged remote branch: ${branch}"
+          fi
+        fi
+      fi
+    fi
+  done < <(git -C "$repo_root" for-each-ref --format='%(refname:short)' refs/heads/agent)
+fi
 
 run_cmd git -C "$repo_root" worktree prune
 
-echo "[agent-worktree-prune] Summary: removed_worktrees=${removed_worktrees}, removed_branches=${removed_branches}, skipped_active=${skipped_active}"
+echo "[agent-worktree-prune] Summary: base=${BASE_BRANCH}, removed_worktrees=${removed_worktrees}, removed_branches=${removed_branches}, skipped_active=${skipped_active}, skipped_dirty=${skipped_dirty}"
 if [[ "$skipped_active" -gt 0 ]]; then
   echo "[agent-worktree-prune] Tip: leave active agent worktree directories, then run this command again for full cleanup." >&2
 fi
+if [[ "$skipped_dirty" -gt 0 ]]; then
+  echo "[agent-worktree-prune] Tip: dirty worktrees were preserved. Clean/finish them first, or pass --force-dirty to remove anyway." >&2
+fi