@imdeadpool/guardex 5.0.7 → 5.0.9

package/README.md

@@ -69,6 +69,13 @@ gx cleanup --branch "$(git rev-parse --abbrev-ref HEAD)"
 ```
 
 If you use `scripts/codex-agent.sh`, the finish flow is auto-run after the Codex session exits.
+It auto-commits sandbox changes, retries once after syncing if the branch moved behind base during the run, then pushes/opens PR merge flow against the current base branch.
+
+If you run Codex in multiple existing agent worktrees directly (for example from VS Code Source Control), finalize all completed branches with:
+
+```sh
+gx finish --all
+```
 
 ## Visual workflow
 
@@ -88,6 +95,10 @@ If you use `scripts/codex-agent.sh`, the finish flow is auto-run after the Codex
 
 ![gx lock and delete guard screenshot](https://raw.githubusercontent.com/recodeecom/multiagent-safety/main/docs/images/workflow-lock-guard.svg)
 
+### Real VS Code Source Control layout (exact screenshot)
+
+![Real VS Code Source Control layout](https://raw.githubusercontent.com/recodeecom/multiagent-safety/main/docs/images/workflow-vscode-source-control-exact.png)
+
 ## Copy-paste: common commands
 
 ```sh
@@ -97,6 +108,9 @@ gx status
 # setup and repair
 gx setup
 gx doctor
+# setup + repair another repo without switching your current repo checkout
+gx setup --target /path/to/repo
+gx doctor --target /path/to/repo
 
 # protected branch management
 gx protect list
@@ -108,7 +122,10 @@ gx sync --check
 gx sync
 
 # continuously monitor open PRs targeting current branch and dispatch codex-agent review/merge tasks
-bash scripts/review-bot-watch.sh --interval 30
+gx review --interval 30
+
+# auto-commit finished agent branches and open/merge PR flow in one pass
+gx finish --all
 
 # cleanup merged agent branches and hide clean stale agent worktrees
 gx cleanup
@@ -123,7 +140,7 @@ gx report scorecard --repo github.com/recodeecom/multiagent-safety
 Run this in your local shell to keep watching PRs targeting the current branch (or `--base <branch>`):
 
 ```sh
-bash scripts/review-bot-watch.sh --interval 30
+gx review --interval 30
 ```
 
 Useful flags:
@@ -143,10 +160,12 @@ Note: the monitor dispatches Codex through explicit `--task/--agent/--base` flag
 - `gx setup` checks GitHub CLI (`gh`) and prints install guidance if missing.
 - Interactive self-update prompt defaults to **No** (`[y/N]`).
 - In initialized repos, `setup`/`install`/`fix` block protected-base writes unless explicitly overridden.
-- Direct commits/pushes to protected branches are blocked by default (including VS Code Source Control).
+- Direct commits/pushes to protected branches are blocked by default.
+- Exception: VS Code Source Control commits are allowed on protected branches that exist only locally (no upstream and no remote branch).
 - Optional repo override for manual VS Code protected-branch writes: `git config multiagent.allowVscodeProtectedBranchWrites true`.
 - Codex/agent sessions stay blocked on protected branches and must use `agent/*` branch + PR workflow.
 - On protected `main`, `gx doctor` auto-runs in a sandbox agent branch/worktree.
+- In-place agent branching is disabled; `scripts/agent-branch-start.sh` always creates a separate worktree to keep your visible local/base branch unchanged.
 - `scripts/agent-branch-start.sh` hydrates `scripts/codex-agent.sh` into new sandbox worktrees when missing, so auto-finish launcher flow stays available.
 
 ## Configure protected branches
@@ -222,6 +241,19 @@ scripts/openspec/init-plan-workspace.sh
 
 If `package.json` exists, setup also adds `agent:*` helper scripts.
 
+## OpenSpec quick start after `gx setup`
+
+If you enabled global OpenSpec install during setup (`@fission-ai/openspec`), use the full guide here:
+
+- [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md)
+
+### OpenSpec in agent sub-branches
+
+- `scripts/codex-agent.sh` enforces an OpenSpec workspace before it launches Codex in each sandbox branch/worktree.
+- `scripts/agent-branch-start.sh` can also scaffold `openspec/plan/<agent-branch-slug>/` when you set `MUSAFETY_OPENSPEC_AUTO_INIT=true`.
+- Set `MUSAFETY_OPENSPEC_AUTO_INIT=false` (default for `agent-branch-start`) to skip branch-start auto-bootstrap.
+- Set `MUSAFETY_OPENSPEC_PLAN_SLUG=<kebab-case-slug>` to force a specific plan workspace name.
+
 ## Security and maintenance posture
 
 - CI matrix on Node 18/20/22 (`npm test`, `node --check`, `npm pack --dry-run`)
@@ -239,9 +271,23 @@ npm pack --dry-run
 
 ## Release notes
 
+### v5.0.9
+
+- Enforced OpenSpec workspace bootstrap for sandbox agent execution: `scripts/codex-agent.sh` now initializes `openspec/plan/<agent-branch-slug>/` before launching Codex, and `scripts/agent-branch-start.sh` supports `MUSAFETY_OPENSPEC_AUTO_INIT` plus `MUSAFETY_OPENSPEC_PLAN_SLUG`.
+- Tightened doctor auto-finish correctness: sandbox finish now waits for merge and exits non-zero if the PR closes without merge, so repair flows are not reported as complete when policy blocks merge.
+- Updated package version from `5.0.8` to `5.0.9` for the next npm publish.
+
+### v5.0.8
+
+- Fixed `bin/multiagent-safety.js` syntax regressions in the doctor sandbox flow (`Unexpected identifier` / `Unexpected end of input`) that were breaking CLI execution and CI tests.
+- Restored `scripts/codex-agent.sh` from `templates/scripts/codex-agent.sh` so critical runtime helper parity checks pass in clean CI clones.
+- Bumped package version from `5.0.7` to `5.0.8` for the next npm publish.
+
 ### v5.0.7
+### Unreleased (generated draft, not versioned yet)
 
-- Bumped package version from `5.0.6` to `5.0.7` to stay one patch ahead for the next npm publish.
+- Add the user-facing changes for the next release here before assigning a version number.
+- Keep this section focused on behavior changes (`Added`, `Changed`, `Fixed`) rather than version-bump-only notes.
 
 ### v5.0.6