@imdeadpool/guardex 5.0.16 → 6.0.0

package/README.md

@@ -349,11 +349,11 @@ openspec update
 ### OpenSpec in agent sub-branches
 
 - `scripts/codex-agent.sh` enforces OpenSpec workspaces before it launches Codex in each sandbox branch/worktree.
-- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<agent-branch-slug>/` and `openspec/plan/<agent-branch-slug>/` when you set `MUSAFETY_OPENSPEC_AUTO_INIT=true`.
-- Set `MUSAFETY_OPENSPEC_AUTO_INIT=false` (default for `agent-branch-start`) to skip branch-start auto-bootstrap.
-- Set `MUSAFETY_OPENSPEC_PLAN_SLUG=<kebab-case-slug>` to force a specific plan workspace name.
-- Set `MUSAFETY_OPENSPEC_CHANGE_SLUG=<kebab-case-slug>` to force a specific change workspace name.
-- Set `MUSAFETY_OPENSPEC_CAPABILITY_SLUG=<kebab-case-slug>` to override the default capability folder used for `spec.md` scaffolding.
+- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<agent-branch-slug>/` and `openspec/plan/<agent-branch-slug>/` when you set `GUARDEX_OPENSPEC_AUTO_INIT=true`.
+- Set `GUARDEX_OPENSPEC_AUTO_INIT=false` (default for `agent-branch-start`) to skip branch-start auto-bootstrap.
+- Set `GUARDEX_OPENSPEC_PLAN_SLUG=<kebab-case-slug>` to force a specific plan workspace name.
+- Set `GUARDEX_OPENSPEC_CHANGE_SLUG=<kebab-case-slug>` to force a specific change workspace name.
+- Set `GUARDEX_OPENSPEC_CAPABILITY_SLUG=<kebab-case-slug>` to override the default capability folder used for `spec.md` scaffolding.
 
 ## Security and maintenance posture
 
@@ -372,9 +372,23 @@ npm pack --dry-run
 
 ## Release notes
 
+### v6.0.0
+
+- **Breaking** — removed the legacy `musafety` bin alias and all `MUSAFETY_*` environment variables. Callers must migrate to the `guardex` / `gx` bins and the `GUARDEX_*` env-var surface.
+- **Breaking** — bootstrap manifest filename changed from `musafety-bootstrap-manifest.json` to `guardex-bootstrap-manifest.json`; existing sandbox worktrees must be pruned + re-bootstrapped (or have their manifest manually renamed).
+- Rebranded all remaining `musafety` / `Musafety` / `MUSAFETY` codename tokens to `guardex` / `Guardex` / `GUARDEX` across scripts, templates, hooks, tests, and docs.
+- The descriptive phrase `multiagent-safety` (including `bin/multiagent-safety.js` and `templates/AGENTS.multiagent-safety.md`) is preserved intentionally — only the short codename changed.
+- Bumped package version from `5.0.17` to `6.0.0` for the next npm publish.
+
+### v5.0.17
+
+- Bumped package version from `5.0.16` to `5.0.17` for the next npm publish.
+
 ### v5.0.16
 
 - Fixed `gx doctor` runtime crash (`parseDoctorArgs is not defined`) by restoring the doctor argument parser for `--target` and `--strict`.
+- Fixed `gx doctor` command routing so the repair-first doctor flow remains the active command path (duplicate legacy doctor definition no longer overrides it).
+- Updated worktree change detection to run `git status --porcelain --untracked-files=normal --` for consistent normal untracked-file behavior.
 - Added regression coverage that asserts the doctor parser function exists in `bin/multiagent-safety.js`.
 - Bumped package version from `5.0.15` to `5.0.16`.
 
@@ -411,7 +425,7 @@ npm pack --dry-run
 
 ### v5.0.9
 
-- Enforced OpenSpec workspace bootstrap for sandbox agent execution: `scripts/codex-agent.sh` now initializes `openspec/plan/<agent-branch-slug>/` before launching Codex, and `scripts/agent-branch-start.sh` supports `MUSAFETY_OPENSPEC_AUTO_INIT` plus `MUSAFETY_OPENSPEC_PLAN_SLUG`.
+- Enforced OpenSpec workspace bootstrap for sandbox agent execution: `scripts/codex-agent.sh` now initializes `openspec/plan/<agent-branch-slug>/` before launching Codex, and `scripts/agent-branch-start.sh` supports `GUARDEX_OPENSPEC_AUTO_INIT` plus `GUARDEX_OPENSPEC_PLAN_SLUG`.
 - Tightened doctor auto-finish correctness: sandbox finish now waits for merge and exits non-zero if the PR closes without merge, so repair flows are not reported as complete when policy blocks merge.
 - Updated package version from `5.0.8` to `5.0.9` for the next npm publish.
 

package/bin/multiagent-safety.js

@@ -9,14 +9,14 @@ const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
 
 const TOOL_NAME = 'guardex';
 const SHORT_TOOL_NAME = 'gx';
-const LEGACY_NAMES = ['musafety', 'multiagent-safety'];
+const LEGACY_NAMES = ['guardex', 'multiagent-safety'];
 const OPENSPEC_PACKAGE = '@fission-ai/openspec';
 const GLOBAL_TOOLCHAIN_PACKAGES = [
   'oh-my-codex',
   OPENSPEC_PACKAGE,
   '@imdeadpool/codex-account-switcher',
 ];
-const GH_BIN = process.env.MUSAFETY_GH_BIN || 'gh';
+const GH_BIN = process.env.GUARDEX_GH_BIN || 'gh';
 const REQUIRED_SYSTEM_TOOLS = [
   {
     name: 'gh',
@@ -26,11 +26,11 @@ const REQUIRED_SYSTEM_TOOLS = [
   },
 ];
 const MAINTAINER_RELEASE_REPO = path.resolve(
-  process.env.MUSAFETY_RELEASE_REPO || '/tmp/multiagent-safety',
+  process.env.GUARDEX_RELEASE_REPO || '/tmp/multiagent-safety',
 );
-const NPM_BIN = process.env.MUSAFETY_NPM_BIN || 'npm';
-const OPENSPEC_BIN = process.env.MUSAFETY_OPENSPEC_BIN || 'openspec';
-const SCORECARD_BIN = process.env.MUSAFETY_SCORECARD_BIN || 'scorecard';
+const NPM_BIN = process.env.GUARDEX_NPM_BIN || 'npm';
+const OPENSPEC_BIN = process.env.GUARDEX_OPENSPEC_BIN || 'openspec';
+const SCORECARD_BIN = process.env.GUARDEX_SCORECARD_BIN || 'scorecard';
 const GIT_PROTECTED_BRANCHES_KEY = 'multiagent.protectedBranches';
 const GIT_BASE_BRANCH_KEY = 'multiagent.baseBranch';
 const GIT_SYNC_STRATEGY_KEY = 'multiagent.sync.strategy';
@@ -1405,7 +1405,7 @@ function finishDoctorSandboxBranch(blocked, metadata) {
       note: 'origin remote missing; skipped auto-finish',
     };
   }
-  const explicitGhBin = Boolean(String(process.env.MUSAFETY_GH_BIN || '').trim());
+  const explicitGhBin = Boolean(String(process.env.GUARDEX_GH_BIN || '').trim());
   if (!explicitGhBin && !originRemoteLooksLikeGithub(blocked.repoRoot)) {
     return {
       status: 'skipped',
@@ -1413,7 +1413,7 @@ function finishDoctorSandboxBranch(blocked, metadata) {
     };
   }
 
-  const ghBin = process.env.MUSAFETY_GH_BIN || 'gh';
+  const ghBin = process.env.GUARDEX_GH_BIN || 'gh';
   if (!isCommandAvailable(ghBin)) {
     return {
       status: 'skipped',
@@ -1429,7 +1429,7 @@ function finishDoctorSandboxBranch(blocked, metadata) {
     };
   }
 
-  const rawWaitTimeoutSeconds = Number.parseInt(process.env.MUSAFETY_FINISH_WAIT_TIMEOUT_SECONDS || '1800', 10);
+  const rawWaitTimeoutSeconds = Number.parseInt(process.env.GUARDEX_FINISH_WAIT_TIMEOUT_SECONDS || '1800', 10);
   const waitTimeoutSeconds =
     Number.isFinite(rawWaitTimeoutSeconds) && rawWaitTimeoutSeconds >= 30 ? rawWaitTimeoutSeconds : 1800;
   const finishTimeoutMs = Math.max(180_000, (waitTimeoutSeconds + 60) * 1000);
@@ -2117,7 +2117,14 @@ function mapWorktreePathsByBranch(repoRoot) {
 }
 
 function hasSignificantWorkingTreeChanges(worktreePath) {
-  const result = run('git', ['-C', worktreePath, 'status', '--porcelain']);
+  const result = run('git', [
+    '-C',
+    worktreePath,
+    'status',
+    '--porcelain',
+    '--untracked-files=normal',
+    '--',
+  ]);
   if (result.status !== 0) {
     return true;
   }
@@ -2163,15 +2170,15 @@ function autoFinishReadyAgentBranches(repoRoot, options = {}) {
     return summary;
   }
 
-  if (String(process.env.MUSAFETY_DOCTOR_SANDBOX || '') === '1') {
+  if (String(process.env.GUARDEX_DOCTOR_SANDBOX || '') === '1') {
     summary.enabled = false;
     summary.details.push('Skipped auto-finish sweep inside doctor sandbox pass.');
     return summary;
   }
 
-  if (String(process.env.MUSAFETY_SKIP_AUTO_FINISH_READY_BRANCHES || '') === '1') {
+  if (String(process.env.GUARDEX_SKIP_AUTO_FINISH_READY_BRANCHES || '') === '1') {
     summary.enabled = false;
-    summary.details.push('Skipped auto-finish sweep (MUSAFETY_SKIP_AUTO_FINISH_READY_BRANCHES=1).');
+    summary.details.push('Skipped auto-finish sweep (GUARDEX_SKIP_AUTO_FINISH_READY_BRANCHES=1).');
     return summary;
   }
 
@@ -2194,14 +2201,14 @@ function autoFinishReadyAgentBranches(repoRoot, options = {}) {
     summary.details.push('Skipped auto-finish sweep (origin remote missing).');
     return summary;
   }
-  const explicitGhBin = Boolean(String(process.env.MUSAFETY_GH_BIN || '').trim());
+  const explicitGhBin = Boolean(String(process.env.GUARDEX_GH_BIN || '').trim());
   if (!explicitGhBin && !originRemoteLooksLikeGithub(repoRoot)) {
     summary.enabled = false;
     summary.details.push('Skipped auto-finish sweep (origin remote is not GitHub).');
     return summary;
   }
 
-  const ghBin = process.env.MUSAFETY_GH_BIN || 'gh';
+  const ghBin = process.env.GUARDEX_GH_BIN || 'gh';
   if (run(ghBin, ['--version']).status !== 0) {
     summary.enabled = false;
     summary.details.push(`Skipped auto-finish sweep (${ghBin} not available).`);
@@ -3144,12 +3151,12 @@ function parseNpmVersionOutput(stdout) {
   }
 }
 
-function checkForMusafetyUpdate() {
-  if (envFlagEnabled('MUSAFETY_SKIP_UPDATE_CHECK')) {
+function checkForGuardexUpdate() {
+  if (envFlagEnabled('GUARDEX_SKIP_UPDATE_CHECK')) {
     return { checked: false, reason: 'disabled' };
   }
 
-  const forceCheck = envFlagEnabled('MUSAFETY_FORCE_UPDATE_CHECK');
+  const forceCheck = envFlagEnabled('GUARDEX_FORCE_UPDATE_CHECK');
   if (!forceCheck && !isInteractiveTerminal()) {
     return { checked: false, reason: 'non-interactive' };
   }
@@ -3181,14 +3188,14 @@ function printUpdateAvailableBanner(current, latest) {
 }
 
 function maybeSelfUpdateBeforeStatus() {
-  const check = checkForMusafetyUpdate();
+  const check = checkForGuardexUpdate();
   if (!check.checked || !check.updateAvailable) {
     return;
   }
 
   printUpdateAvailableBanner(check.current, check.latest);
 
-  const autoApproval = parseAutoApproval('MUSAFETY_AUTO_UPDATE_APPROVAL');
+  const autoApproval = parseAutoApproval('GUARDEX_AUTO_UPDATE_APPROVAL');
   const interactive = isInteractiveTerminal();
 
   if (!interactive && autoApproval == null) {
@@ -3217,11 +3224,11 @@ function maybeSelfUpdateBeforeStatus() {
 }
 
 function checkForOpenSpecPackageUpdate() {
-  if (envFlagEnabled('MUSAFETY_SKIP_OPENSPEC_UPDATE_CHECK')) {
+  if (envFlagEnabled('GUARDEX_SKIP_OPENSPEC_UPDATE_CHECK')) {
     return { checked: false, reason: 'disabled' };
   }
 
-  const forceCheck = envFlagEnabled('MUSAFETY_FORCE_OPENSPEC_UPDATE_CHECK');
+  const forceCheck = envFlagEnabled('GUARDEX_FORCE_OPENSPEC_UPDATE_CHECK');
   if (!forceCheck && !isInteractiveTerminal()) {
     return { checked: false, reason: 'non-interactive' };
   }
@@ -3271,7 +3278,7 @@ function maybeOpenSpecUpdateBeforeStatus() {
 
   printOpenSpecUpdateAvailableBanner(check.current, check.latest);
 
-  const autoApproval = parseAutoApproval('MUSAFETY_AUTO_OPENSPEC_UPDATE_APPROVAL');
+  const autoApproval = parseAutoApproval('GUARDEX_AUTO_OPENSPEC_UPDATE_APPROVAL');
   const interactive = isInteractiveTerminal();
 
   if (!interactive && autoApproval == null) {
@@ -4659,7 +4666,7 @@ function initWorkspace(rawArgs) {
   }
 }
 
-function doctor(rawArgs) {
+function doctorAudit(rawArgs) {
   const options = parseDoctorArgs(rawArgs);
   const repoRoot = resolveRepoRoot(options.target);
   const failures = [];

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "@imdeadpool/guardex",
-  "version": "5.0.16",
+  "version": "6.0.0",
   "description": "GuardeX: the Guardian T-Rex for your repo, with hardened multi-agent git guardrails.",
   "license": "MIT",
   "preferGlobal": true,
   "bin": {
     "guardex": "bin/multiagent-safety.js",
     "gx": "bin/multiagent-safety.js",
-    "musafety": "bin/multiagent-safety.js",
     "multiagent-safety": "bin/multiagent-safety.js"
   },
   "scripts": {

package/templates/AGENTS.multiagent-safety.md

@@ -57,7 +57,7 @@ openspec/plan/<agent-branch-slug>/
 ```
 
 For manual `scripts/agent-branch-start.sh` usage, enable auto-bootstrap with
-`MUSAFETY_OPENSPEC_AUTO_INIT=true` or scaffold manually before implementation:
+`GUARDEX_OPENSPEC_AUTO_INIT=true` or scaffold manually before implementation:
 
 ```bash
 bash scripts/openspec/init-change-workspace.sh "<change-slug>" "<capability-slug>"

package/templates/githooks/post-merge

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-if [[ "${MUSAFETY_DISABLE_POST_MERGE_CLEANUP:-0}" == "1" ]]; then
+if [[ "${GUARDEX_DISABLE_POST_MERGE_CLEANUP:-0}" == "1" ]]; then
   exit 0
 fi
 
@@ -15,7 +15,7 @@ if [[ -z "$branch" || "$branch" == "HEAD" ]]; then
   exit 0
 fi
 
-base_branch="${MUSAFETY_BASE_BRANCH:-$(git -C "$repo_root" config --get multiagent.baseBranch || true)}"
+base_branch="${GUARDEX_BASE_BRANCH:-$(git -C "$repo_root" config --get multiagent.baseBranch || true)}"
 if [[ -z "$base_branch" ]]; then
   base_branch="dev"
 fi
@@ -29,7 +29,7 @@ if [[ ! -f "$cli_path" ]]; then
   exit 0
 fi
 
-node_bin="${MUSAFETY_NODE_BIN:-node}"
+node_bin="${GUARDEX_NODE_BIN:-node}"
 if ! command -v "$node_bin" >/dev/null 2>&1; then
   exit 0
 fi

package/templates/githooks/pre-commit

@@ -28,7 +28,7 @@ if [[ -n "${VSCODE_GIT_IPC_HANDLE:-}" || -n "${VSCODE_GIT_ASKPASS_NODE:-}" || -n
   is_vscode_git_context=1
 fi
 
-allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}"
+allow_vscode_protected_raw="${GUARDEX_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}"
 if [[ -z "$allow_vscode_protected_raw" ]]; then
   allow_vscode_protected_raw="false"
 fi
@@ -41,7 +41,7 @@ case "$allow_vscode_protected" in
   *) allow_vscode_protected_branch_writes=0 ;;
 esac
 
-protected_branches_raw="${MUSAFETY_PROTECTED_BRANCHES:-$(git config --get multiagent.protectedBranches || true)}"
+protected_branches_raw="${GUARDEX_PROTECTED_BRANCHES:-$(git config --get multiagent.protectedBranches || true)}"
 if [[ -z "$protected_branches_raw" ]]; then
   protected_branches_raw="dev main master"
 fi
@@ -55,7 +55,7 @@ for protected_branch in $protected_branches_raw; do
   fi
 done
 
-codex_require_agent_branch_raw="${MUSAFETY_CODEX_REQUIRE_AGENT_BRANCH:-$(git config --get multiagent.codexRequireAgentBranch || true)}"
+codex_require_agent_branch_raw="${GUARDEX_CODEX_REQUIRE_AGENT_BRANCH:-$(git config --get multiagent.codexRequireAgentBranch || true)}"
 if [[ -z "$codex_require_agent_branch_raw" ]]; then
   codex_require_agent_branch_raw="true"
 fi
@@ -86,7 +86,7 @@ if [[ "$is_codex_session" == "1" && "$is_protected_branch" == "1" ]]; then
   fi
 fi
 
-if [[ "$should_require_codex_agent_branch" == "1" && "${MUSAFETY_ALLOW_CODEX_ON_NON_AGENT:-0}" != "1" ]]; then
+if [[ "$should_require_codex_agent_branch" == "1" && "${GUARDEX_ALLOW_CODEX_ON_NON_AGENT:-0}" != "1" ]]; then
   if [[ "$is_codex_session" == "1" && "$branch" != agent/* ]]; then
     if [[ "$is_protected_branch" == "1" ]]; then
       if [[ "$is_codex_managed_only_commit_on_protected" == "1" ]]; then
@@ -103,7 +103,7 @@ Or manually:
 Then commit from the created agent/* branch.
 
 Temporary bypass (not recommended):
-  MUSAFETY_ALLOW_CODEX_ON_NON_AGENT=1 git commit ...
+  GUARDEX_ALLOW_CODEX_ON_NON_AGENT=1 git commit ...
 MSG
       exit 1
     fi
@@ -115,7 +115,7 @@ Use isolated branch/worktree first:
 Then commit from the created agent/* branch.
 
 Temporary bypass (not recommended):
-  MUSAFETY_ALLOW_CODEX_ON_NON_AGENT=1 git commit ...
+  GUARDEX_ALLOW_CODEX_ON_NON_AGENT=1 git commit ...
 Disable this rule for a repo (not recommended):
   git config multiagent.codexRequireAgentBranch false
 MSG
@@ -169,7 +169,7 @@ MSG
 fi
 
 if [[ "$branch" == agent/* ]]; then
-  if [[ "${MUSAFETY_AUTOCLAIM_STAGED_LOCKS:-1}" == "1" ]]; then
+  if [[ "${GUARDEX_AUTOCLAIM_STAGED_LOCKS:-1}" == "1" ]]; then
     while IFS= read -r staged_file; do
       [[ -z "$staged_file" ]] && continue
       [[ "$staged_file" == ".omx/state/agent-file-locks.json" ]] && continue

package/templates/githooks/pre-push

@@ -10,7 +10,7 @@ if [[ -n "${VSCODE_GIT_IPC_HANDLE:-}" || -n "${VSCODE_GIT_ASKPASS_NODE:-}" || -n
   is_vscode_git_context=1
 fi
 
-allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}"
+allow_vscode_protected_raw="${GUARDEX_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}"
 if [[ -z "$allow_vscode_protected_raw" ]]; then
   allow_vscode_protected_raw="false"
 fi
@@ -28,7 +28,7 @@ if [[ -n "${CODEX_THREAD_ID:-}" || -n "${OMX_SESSION_ID:-}" || "${CODEX_CI:-0}"
   is_codex_session=1
 fi
 
-protected_branches_raw="${MUSAFETY_PROTECTED_BRANCHES:-$(git config --get multiagent.protectedBranches || true)}"
+protected_branches_raw="${GUARDEX_PROTECTED_BRANCHES:-$(git config --get multiagent.protectedBranches || true)}"
 if [[ -z "$protected_branches_raw" ]]; then
   protected_branches_raw="dev main master"
 fi

package/templates/scripts/agent-branch-finish.sh

@@ -8,11 +8,11 @@ PUSH_ENABLED=1
 DELETE_REMOTE_BRANCH=0
 DELETE_REMOTE_BRANCH_EXPLICIT=0
 MERGE_MODE="auto"
-GH_BIN="${MUSAFETY_GH_BIN:-gh}"
-CLEANUP_AFTER_MERGE_RAW="${MUSAFETY_FINISH_CLEANUP:-false}"
-WAIT_FOR_MERGE_RAW="${MUSAFETY_FINISH_WAIT_FOR_MERGE:-false}"
-WAIT_TIMEOUT_SECONDS_RAW="${MUSAFETY_FINISH_WAIT_TIMEOUT_SECONDS:-1800}"
-WAIT_POLL_SECONDS_RAW="${MUSAFETY_FINISH_WAIT_POLL_SECONDS:-10}"
+GH_BIN="${GUARDEX_GH_BIN:-gh}"
+CLEANUP_AFTER_MERGE_RAW="${GUARDEX_FINISH_CLEANUP:-false}"
+WAIT_FOR_MERGE_RAW="${GUARDEX_FINISH_WAIT_FOR_MERGE:-false}"
+WAIT_TIMEOUT_SECONDS_RAW="${GUARDEX_FINISH_WAIT_TIMEOUT_SECONDS:-1800}"
+WAIT_POLL_SECONDS_RAW="${GUARDEX_FINISH_WAIT_POLL_SECONDS:-10}"
 
 normalize_bool() {
   local raw="${1:-}"

package/templates/scripts/agent-branch-start.sh

@@ -6,10 +6,10 @@ AGENT_NAME="agent"
 BASE_BRANCH=""
 BASE_BRANCH_EXPLICIT=0
 WORKTREE_ROOT_REL=".omx/agent-worktrees"
-OPENSPEC_AUTO_INIT_RAW="${MUSAFETY_OPENSPEC_AUTO_INIT:-false}"
-OPENSPEC_PLAN_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_PLAN_SLUG:-}"
-OPENSPEC_CHANGE_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_CHANGE_SLUG:-}"
-OPENSPEC_CAPABILITY_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_CAPABILITY_SLUG:-}"
+OPENSPEC_AUTO_INIT_RAW="${GUARDEX_OPENSPEC_AUTO_INIT:-false}"
+OPENSPEC_PLAN_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_PLAN_SLUG:-}"
+OPENSPEC_CHANGE_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CHANGE_SLUG:-}"
+OPENSPEC_CAPABILITY_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CAPABILITY_SLUG:-}"
 POSITIONAL_ARGS=()
 
 while [[ $# -gt 0 ]]; do
@@ -86,6 +86,68 @@ sanitize_slug() {
   printf '%s' "$slug"
 }
 
+sanitize_optional_slug() {
+  local raw="$1"
+  local fallback="${2:-snapshot}"
+  if [[ -z "$raw" ]]; then
+    printf ''
+    return 0
+  fi
+  sanitize_slug "$raw" "$fallback"
+}
+
+normalize_positive_int() {
+  local raw="$1"
+  local fallback="$2"
+  if [[ "$raw" =~ ^[0-9]+$ ]] && [[ "$raw" -gt 0 ]]; then
+    printf '%s' "$raw"
+    return 0
+  fi
+  printf '%s' "$fallback"
+}
+
+shorten_slug() {
+  local slug="$1"
+  local raw_max="$2"
+  local max_len
+  max_len="$(normalize_positive_int "$raw_max" "32")"
+  if [[ "${#slug}" -le "$max_len" ]]; then
+    printf '%s' "$slug"
+    return 0
+  fi
+  local shortened="${slug:0:max_len}"
+  shortened="$(printf '%s' "$shortened" | sed -E 's/-+$//')"
+  if [[ -z "$shortened" ]]; then
+    shortened="${slug:0:max_len}"
+  fi
+  printf '%s' "$shortened"
+}
+
+checksum_slug_suffix() {
+  local raw="$1"
+  local checksum
+  checksum="$(printf '%s' "$raw" | cksum | awk '{print $1}')"
+  printf '%s' "${checksum:0:6}"
+}
+
+compose_branch_descriptor() {
+  local snapshot_slug="$1"
+  local task_slug="$2"
+  local snapshot_max task_max task_part snapshot_part checksum_input checksum_part
+  snapshot_max="$(normalize_positive_int "${GUARDEX_BRANCH_SNAPSHOT_SLUG_MAX:-18}" "18")"
+  task_max="$(normalize_positive_int "${GUARDEX_BRANCH_TASK_SLUG_MAX:-36}" "36")"
+  task_part="$(shorten_slug "$task_slug" "$task_max")"
+  if [[ -n "$snapshot_slug" ]]; then
+    snapshot_part="$(shorten_slug "$snapshot_slug" "$snapshot_max")"
+    checksum_input="${snapshot_slug}--${task_slug}"
+    checksum_part="$(checksum_slug_suffix "$checksum_input")"
+    printf '%s-%s-%s' "$snapshot_part" "$task_part" "$checksum_part"
+    return 0
+  fi
+  checksum_part="$(checksum_slug_suffix "$task_slug")"
+  printf '%s-%s' "$task_part" "$checksum_part"
+}
+
 normalize_bool() {
   local raw="${1:-}"
   local fallback="${2:-0}"
@@ -131,13 +193,13 @@ resolve_openspec_capability_slug() {
 }
 
 resolve_active_codex_snapshot_name() {
-  local override="${MUSAFETY_CODEX_AUTH_SNAPSHOT:-}"
+  local override="${GUARDEX_CODEX_AUTH_SNAPSHOT:-}"
   if [[ -n "$override" ]]; then
     printf '%s' "$override"
     return 0
   fi
 
-  local codex_auth_bin="${MUSAFETY_CODEX_AUTH_BIN:-codex-auth}"
+  local codex_auth_bin="${GUARDEX_CODEX_AUTH_BIN:-codex-auth}"
   if ! command -v "$codex_auth_bin" >/dev/null 2>&1; then
     return 0
   fi
@@ -165,7 +227,7 @@ has_local_changes() {
 resolve_protected_branches() {
   local root="$1"
   local raw
-  raw="${MUSAFETY_PROTECTED_BRANCHES:-$(git -C "$root" config --get multiagent.protectedBranches || true)}"
+  raw="${GUARDEX_PROTECTED_BRANCHES:-$(git -C "$root" config --get multiagent.protectedBranches || true)}"
   if [[ -z "$raw" ]]; then
     raw="dev main master"
   fi
@@ -350,15 +412,13 @@ else
 fi
 
 task_slug="$(sanitize_slug "$TASK_NAME" "task")"
-agent_slug="$(sanitize_slug "$AGENT_NAME" "agent")"
+agent_slug_raw="$(sanitize_slug "$AGENT_NAME" "agent")"
+agent_slug="$(shorten_slug "$agent_slug_raw" "${GUARDEX_BRANCH_AGENT_SLUG_MAX:-24}")"
 snapshot_name="$(resolve_active_codex_snapshot_name)"
-snapshot_slug="$(sanitize_slug "$snapshot_name" "")"
+snapshot_slug="$(sanitize_optional_slug "$snapshot_name" "snapshot")"
+branch_descriptor="$(compose_branch_descriptor "$snapshot_slug" "$task_slug")"
 timestamp="$(date +%Y%m%d-%H%M%S)"
-if [[ -n "$snapshot_slug" ]]; then
-  branch_name_base="agent/${agent_slug}/${snapshot_slug}-${task_slug}"
-else
-  branch_name_base="agent/${agent_slug}/${task_slug}"
-fi
+branch_name_base="agent/${agent_slug}/${branch_descriptor}"
 
 branch_name="$branch_name_base"
 branch_suffix=2
@@ -386,7 +446,7 @@ current_branch="$(git -C "$repo_root" rev-parse --abbrev-ref HEAD 2>/dev/null ||
 protected_branches_raw="$(resolve_protected_branches "$repo_root")"
 if [[ -n "$current_branch" && "$current_branch" != "HEAD" ]] && is_protected_branch_name "$current_branch" "$protected_branches_raw"; then
   if has_local_changes "$repo_root"; then
-    auto_transfer_message="musafety-auto-transfer-${timestamp}-${agent_slug}-${task_slug}"
+    auto_transfer_message="guardex-auto-transfer-${timestamp}-${agent_slug}-${task_slug}"
     if git -C "$repo_root" stash push --include-untracked --message "$auto_transfer_message" >/dev/null 2>&1; then
       auto_transfer_stash_ref="$(
         git -C "$repo_root" stash list \
@@ -401,7 +461,7 @@ if [[ -n "$current_branch" && "$current_branch" != "HEAD" ]] && is_protected_bra
 fi
 
 git -C "$repo_root" worktree add -b "$branch_name" "$worktree_path" "$start_ref"
-git -C "$repo_root" config "branch.${branch_name}.musafetyBase" "$BASE_BRANCH" >/dev/null 2>&1 || true
+git -C "$repo_root" config "branch.${branch_name}.guardexBase" "$BASE_BRANCH" >/dev/null 2>&1 || true
 
 if git -C "$repo_root" show-ref --verify --quiet "refs/remotes/origin/${BASE_BRANCH}"; then
   git -C "$worktree_path" branch --set-upstream-to="origin/${BASE_BRANCH}" "$branch_name" >/dev/null 2>&1 || true

package/templates/scripts/agent-worktree-prune.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-BASE_BRANCH="${MUSAFETY_BASE_BRANCH:-}"
+BASE_BRANCH="${GUARDEX_BASE_BRANCH:-}"
 BASE_BRANCH_EXPLICIT=0
 DRY_RUN=0
 FORCE_DIRTY=0
@@ -10,7 +10,7 @@ DELETE_REMOTE_BRANCHES=0
 ONLY_DIRTY_WORKTREES=0
 TARGET_BRANCH=""
 IDLE_MINUTES=0
-NOW_EPOCH_RAW="${MUSAFETY_PRUNE_NOW_EPOCH:-}"
+NOW_EPOCH_RAW="${GUARDEX_PRUNE_NOW_EPOCH:-}"
 IDLE_SECONDS=0
 NOW_EPOCH=0
 
@@ -117,7 +117,7 @@ if [[ ! "$IDLE_MINUTES" =~ ^[0-9]+$ ]]; then
 fi
 
 if [[ -n "$NOW_EPOCH_RAW" && ! "$NOW_EPOCH_RAW" =~ ^[0-9]+$ ]]; then
-  echo "[agent-worktree-prune] MUSAFETY_PRUNE_NOW_EPOCH must be a unix timestamp integer." >&2
+  echo "[agent-worktree-prune] GUARDEX_PRUNE_NOW_EPOCH must be a unix timestamp integer." >&2
   exit 1
 fi
 

package/templates/scripts/codex-agent.sh

@@ -1,19 +1,19 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-TASK_NAME="${MUSAFETY_TASK_NAME:-task}"
-AGENT_NAME="${MUSAFETY_AGENT_NAME:-agent}"
-BASE_BRANCH="${MUSAFETY_BASE_BRANCH:-}"
+TASK_NAME="${GUARDEX_TASK_NAME:-task}"
+AGENT_NAME="${GUARDEX_AGENT_NAME:-agent}"
+BASE_BRANCH="${GUARDEX_BASE_BRANCH:-}"
 BASE_BRANCH_EXPLICIT=0
-CODEX_BIN="${MUSAFETY_CODEX_BIN:-codex}"
-AUTO_FINISH_RAW="${MUSAFETY_CODEX_AUTO_FINISH:-true}"
-AUTO_REVIEW_ON_CONFLICT_RAW="${MUSAFETY_CODEX_AUTO_REVIEW_ON_CONFLICT:-true}"
-AUTO_CLEANUP_RAW="${MUSAFETY_CODEX_AUTO_CLEANUP:-true}"
-AUTO_WAIT_FOR_MERGE_RAW="${MUSAFETY_CODEX_WAIT_FOR_MERGE:-true}"
-OPENSPEC_AUTO_INIT_RAW="${MUSAFETY_OPENSPEC_AUTO_INIT:-true}"
-OPENSPEC_PLAN_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_PLAN_SLUG:-}"
-OPENSPEC_CHANGE_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_CHANGE_SLUG:-}"
-OPENSPEC_CAPABILITY_SLUG_OVERRIDE="${MUSAFETY_OPENSPEC_CAPABILITY_SLUG:-}"
+CODEX_BIN="${GUARDEX_CODEX_BIN:-codex}"
+AUTO_FINISH_RAW="${GUARDEX_CODEX_AUTO_FINISH:-true}"
+AUTO_REVIEW_ON_CONFLICT_RAW="${GUARDEX_CODEX_AUTO_REVIEW_ON_CONFLICT:-true}"
+AUTO_CLEANUP_RAW="${GUARDEX_CODEX_AUTO_CLEANUP:-true}"
+AUTO_WAIT_FOR_MERGE_RAW="${GUARDEX_CODEX_WAIT_FOR_MERGE:-true}"
+OPENSPEC_AUTO_INIT_RAW="${GUARDEX_OPENSPEC_AUTO_INIT:-true}"
+OPENSPEC_PLAN_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_PLAN_SLUG:-}"
+OPENSPEC_CHANGE_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CHANGE_SLUG:-}"
+OPENSPEC_CAPABILITY_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CAPABILITY_SLUG:-}"
 
 normalize_bool() {
   local raw="${1:-}"
@@ -275,7 +275,7 @@ start_sandbox_fallback() {
   fi
 
   git -C "$repo_root" worktree add -b "$branch_name" "$worktree_path" "$start_ref" >/dev/null
-  git -C "$repo_root" config "branch.${branch_name}.musafetyBase" "$base_branch" >/dev/null 2>&1 || true
+  git -C "$repo_root" config "branch.${branch_name}.guardexBase" "$base_branch" >/dev/null 2>&1 || true
   if git -C "$repo_root" show-ref --verify --quiet "refs/remotes/origin/${base_branch}"; then
     git -C "$worktree_path" branch --set-upstream-to="origin/${base_branch}" "$branch_name" >/dev/null 2>&1 || true
   fi
@@ -298,7 +298,7 @@ initial_repo_branch="$(git -C "$repo_root" rev-parse --abbrev-ref HEAD 2>/dev/nu
 start_output=""
 start_status=0
 set +e
-start_output="$(MUSAFETY_OPENSPEC_AUTO_INIT=0 bash "${repo_root}/scripts/agent-branch-start.sh" "${start_args[@]}" 2>&1)"
+start_output="$(GUARDEX_OPENSPEC_AUTO_INIT=0 bash "${repo_root}/scripts/agent-branch-start.sh" "${start_args[@]}" 2>&1)"
 start_status=$?
 set -e
 
@@ -548,7 +548,7 @@ auto_commit_worktree_changes() {
   fi
 
   local default_message="Auto-finish: ${TASK_NAME}"
-  local commit_message="${MUSAFETY_CODEX_AUTO_COMMIT_MESSAGE:-$default_message}"
+  local commit_message="${GUARDEX_CODEX_AUTO_COMMIT_MESSAGE:-$default_message}"
   local commit_output=""
 
   if commit_output="$(git -C "$wt" commit -m "$commit_message" 2>&1)"; then
@@ -662,8 +662,8 @@ run_finish_flow() {
   fi
 
   if has_origin_remote; then
-    if ! command -v "${MUSAFETY_GH_BIN:-gh}" >/dev/null 2>&1 && ! command -v gh >/dev/null 2>&1; then
-      echo "[codex-agent] Auto-finish requires GitHub CLI for PR flow; command not found: ${MUSAFETY_GH_BIN:-gh}" >&2
+    if ! command -v "${GUARDEX_GH_BIN:-gh}" >/dev/null 2>&1 && ! command -v gh >/dev/null 2>&1; then
+      echo "[codex-agent] Auto-finish requires GitHub CLI for PR flow; command not found: ${GUARDEX_GH_BIN:-gh}" >&2
       return 2
     fi
     finish_args+=(--via-pr)

package/templates/scripts/review-bot-watch.sh

@@ -1,14 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-INTERVAL_SECONDS="${MUSAFETY_REVIEW_BOT_INTERVAL_SECONDS:-30}"
-AGENT_NAME="${MUSAFETY_REVIEW_BOT_AGENT_NAME:-guardex-review-bot}"
-TASK_PREFIX="${MUSAFETY_REVIEW_BOT_TASK_PREFIX:-review-merge}"
-STATE_FILE="${MUSAFETY_REVIEW_BOT_STATE_FILE:-}"
-BASE_BRANCH="${MUSAFETY_REVIEW_BOT_BASE_BRANCH:-}"
-ONLY_PR="${MUSAFETY_REVIEW_BOT_ONLY_PR:-}"
-RETRY_FAILED_RAW="${MUSAFETY_REVIEW_BOT_RETRY_FAILED:-false}"
-INCLUDE_DRAFT_RAW="${MUSAFETY_REVIEW_BOT_INCLUDE_DRAFT:-false}"
+INTERVAL_SECONDS="${GUARDEX_REVIEW_BOT_INTERVAL_SECONDS:-30}"
+AGENT_NAME="${GUARDEX_REVIEW_BOT_AGENT_NAME:-guardex-review-bot}"
+TASK_PREFIX="${GUARDEX_REVIEW_BOT_TASK_PREFIX:-review-merge}"
+STATE_FILE="${GUARDEX_REVIEW_BOT_STATE_FILE:-}"
+BASE_BRANCH="${GUARDEX_REVIEW_BOT_BASE_BRANCH:-}"
+ONLY_PR="${GUARDEX_REVIEW_BOT_ONLY_PR:-}"
+RETRY_FAILED_RAW="${GUARDEX_REVIEW_BOT_RETRY_FAILED:-false}"
+INCLUDE_DRAFT_RAW="${GUARDEX_REVIEW_BOT_INCLUDE_DRAFT:-false}"
 
 usage() {
   cat <<'USAGE'
@@ -30,7 +30,7 @@ Options:
   -h, --help                 Show this help
 
 Environment overrides:
-  MUSAFETY_REVIEW_BOT_PROMPT_APPEND  Additional instructions appended to each Codex prompt
+  GUARDEX_REVIEW_BOT_PROMPT_APPEND  Additional instructions appended to each Codex prompt
 USAGE
 }
 
@@ -213,8 +213,8 @@ Strict task:
 5) Do not touch unrelated PRs.
 PROMPT
 
-  if [[ -n "${MUSAFETY_REVIEW_BOT_PROMPT_APPEND:-}" ]]; then
-    printf '\n%s\n' "${MUSAFETY_REVIEW_BOT_PROMPT_APPEND}"
+  if [[ -n "${GUARDEX_REVIEW_BOT_PROMPT_APPEND:-}" ]]; then
+    printf '\n%s\n' "${GUARDEX_REVIEW_BOT_PROMPT_APPEND}"
   fi
 }