@imdeadpool/guardex 7.0.18 → 7.0.19

package/templates/codex/skills/guardex-merge-skills-to-dev/SKILL.md

@@ -24,7 +24,7 @@ echo "$BASE_BRANCH"
 2. Start a dedicated integration sandbox from base:
 
 ```sh
-bash scripts/agent-branch-start.sh "merge-skill-files-to-${BASE_BRANCH}" "skill-merge" "$BASE_BRANCH"
+gx branch start "merge-skill-files-to-${BASE_BRANCH}" "skill-merge" "$BASE_BRANCH"
 ```
 
 3. Enter the sandbox worktree printed by the command above.
@@ -48,11 +48,11 @@ git diff --name-only
 ```sh
 git add .codex/skills templates/codex/skills
 git commit -m "Merge skill file updates into ${BASE_BRANCH}"
-bash scripts/agent-branch-finish.sh --branch "$(git rev-parse --abbrev-ref HEAD)" --base "$BASE_BRANCH" --via-pr --wait-for-merge --cleanup
+gx branch finish --branch "$(git rev-parse --abbrev-ref HEAD)" --base "$BASE_BRANCH" --via-pr --wait-for-merge --cleanup
 ```
 
 ## Notes
 
 - If a source branch has non-skill changes, this runbook keeps them out of the merge.
-- If merge conflicts occur, resolve only within the skill files, then rerun `agent-branch-finish.sh`.
+- If merge conflicts occur, resolve only within the skill files, then rerun `gx branch finish`.
 - Do not commit directly on `dev`/`main`; always merge through an agent branch/worktree.

package/templates/githooks/pre-commit

@@ -13,6 +13,8 @@ repo_root="$(git rev-parse --show-toplevel 2>/dev/null || true)"
 if [[ -z "$repo_root" ]]; then
   exit 0
 fi
+NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 guardex_env_helper="${repo_root}/scripts/guardex-env.sh"
 if [[ -f "$guardex_env_helper" ]]; then
   # shellcheck source=/dev/null
@@ -22,6 +24,23 @@ if declare -F guardex_repo_is_enabled >/dev/null 2>&1 && ! guardex_repo_is_enabl
   exit 0
 fi
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[agent-branch-guard] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 if [[ "${ALLOW_COMMIT_ON_PROTECTED_BRANCH:-0}" == "1" ]]; then
   exit 0
 fi
@@ -191,11 +210,11 @@ if [[ "$branch" == agent/* ]]; then
     while IFS= read -r staged_file; do
       [[ -z "$staged_file" ]] && continue
       [[ "$staged_file" == ".omx/state/agent-file-locks.json" ]] && continue
-      python3 scripts/agent-file-locks.py claim --branch "$branch" "$staged_file" >/dev/null 2>&1 || true
+      run_guardex_cli locks claim --branch "$branch" "$staged_file" >/dev/null 2>&1 || true
     done < <(git diff --cached --name-only --diff-filter=ACMRDTUXB)
   fi
 
-  if ! python3 scripts/agent-file-locks.py validate --branch "$branch" --staged; then
+  if ! run_guardex_cli locks validate --branch "$branch" --staged; then
     cat >&2 <<'MSG'
 [agent-branch-guard] Agent branch commits require file ownership locks.
 Claim files first:

package/templates/scripts/agent-branch-finish.sh

@@ -9,11 +9,30 @@ DELETE_REMOTE_BRANCH=0
 DELETE_REMOTE_BRANCH_EXPLICIT=0
 MERGE_MODE="auto"
 GH_BIN="${GUARDEX_GH_BIN:-gh}"
+NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 CLEANUP_AFTER_MERGE_RAW="${GUARDEX_FINISH_CLEANUP:-false}"
 WAIT_FOR_MERGE_RAW="${GUARDEX_FINISH_WAIT_FOR_MERGE:-false}"
 WAIT_TIMEOUT_SECONDS_RAW="${GUARDEX_FINISH_WAIT_TIMEOUT_SECONDS:-1800}"
 WAIT_POLL_SECONDS_RAW="${GUARDEX_FINISH_WAIT_POLL_SECONDS:-10}"
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[agent-branch-finish] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 normalize_bool() {
   local raw="${1:-}"
   local fallback="${2:-0}"
@@ -431,7 +450,7 @@ run_pr_flow() {
   if [[ -z "$pr_title" ]]; then
     pr_title="Merge ${SOURCE_BRANCH} into ${BASE_BRANCH}"
   fi
-  pr_body="Automated by scripts/agent-branch-finish.sh (PR flow)."
+  pr_body="Automated by gx branch finish (PR flow)."
 
   "$GH_BIN" pr create \
     --base "$BASE_BRANCH" \
@@ -517,9 +536,7 @@ if [[ "$PUSH_ENABLED" -eq 1 ]]; then
   fi
 fi
 
-if [[ -x "${repo_root}/scripts/agent-file-locks.py" ]]; then
-  python3 "${repo_root}/scripts/agent-file-locks.py" release --branch "$SOURCE_BRANCH" >/dev/null 2>&1 || true
-fi
+run_guardex_cli locks release --branch "$SOURCE_BRANCH" >/dev/null 2>&1 || true
 
 base_worktree="$(get_worktree_for_branch "$BASE_BRANCH")"
 if [[ -n "$base_worktree" ]] && is_clean_worktree "$base_worktree" && [[ "$PUSH_ENABLED" -eq 1 ]]; then
@@ -555,29 +572,25 @@ if [[ "$CLEANUP_AFTER_MERGE" -eq 1 ]]; then
     fi
   fi
 
-  if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
-    prune_args=(--base "$BASE_BRANCH" --only-dirty-worktrees --delete-branches)
-    if [[ "$DELETE_REMOTE_BRANCH" -eq 1 ]]; then
-      prune_args+=(--delete-remote-branches)
-    fi
-    if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" "${prune_args[@]}"; then
-      echo "[agent-branch-finish] Warning: automatic worktree prune failed." >&2
-      echo "[agent-branch-finish] You can run manual cleanup: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches" >&2
-    fi
+  prune_args=(--base "$BASE_BRANCH" --only-dirty-worktrees --delete-branches)
+  if [[ "$DELETE_REMOTE_BRANCH" -eq 1 ]]; then
+    prune_args+=(--delete-remote-branches)
+  fi
+  if ! run_guardex_cli worktree prune "${prune_args[@]}"; then
+    echo "[agent-branch-finish] Warning: automatic worktree prune failed." >&2
+    echo "[agent-branch-finish] You can run manual cleanup: gx cleanup --base ${BASE_BRANCH}" >&2
   fi
 
   echo "[agent-branch-finish] Merged '${SOURCE_BRANCH}' into '${BASE_BRANCH}' via ${merge_status} flow and cleaned source branch/worktree."
   if [[ "$source_worktree" == "$current_worktree" && "$source_worktree" == "${agent_worktree_root}"/* ]]; then
     echo "[agent-branch-finish] Current worktree '${source_worktree}' still exists because it is the active shell cwd." >&2
-    echo "[agent-branch-finish] Leave this directory, then run: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches" >&2
+    echo "[agent-branch-finish] Leave this directory, then run: gx cleanup --base ${BASE_BRANCH}" >&2
   fi
 else
-  if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
-    if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" --base "$BASE_BRANCH"; then
-      echo "[agent-branch-finish] Warning: temporary worktree prune failed." >&2
-    fi
+  if ! run_guardex_cli worktree prune --base "$BASE_BRANCH"; then
+    echo "[agent-branch-finish] Warning: temporary worktree prune failed." >&2
   fi
 
   echo "[agent-branch-finish] Merged '${SOURCE_BRANCH}' into '${BASE_BRANCH}' via ${merge_status} flow and kept source branch/worktree."
-  echo "[agent-branch-finish] Cleanup later with: bash scripts/agent-worktree-prune.sh --base ${BASE_BRANCH} --delete-branches --delete-remote-branches"
+  echo "[agent-branch-finish] Cleanup later with: gx cleanup --base ${BASE_BRANCH}"
 fi

package/templates/scripts/agent-branch-merge.sh

@@ -6,18 +6,37 @@ BASE_BRANCH_EXPLICIT=0
 TARGET_BRANCH=""
 TASK_NAME=""
 AGENT_NAME="${GUARDEX_MERGE_AGENT_NAME:-codex}"
+NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 declare -a SOURCE_BRANCHES=()
 
 usage() {
   cat <<'EOF'
-Usage: scripts/agent-branch-merge.sh --branch <agent/...> [--branch <agent/...> ...] [--into <agent/...>] [--task <task>] [--agent <agent>] [--base <branch>]
+Usage: gx branch merge --branch <agent/...> [--branch <agent/...> ...] [--into <agent/...>] [--task <task>] [--agent <agent>] [--base <branch>]
 
 Examples:
-  bash scripts/agent-branch-merge.sh --branch agent/codex/ui-a --branch agent/codex/ui-b
-  bash scripts/agent-branch-merge.sh --into agent/codex/owner-lane --branch agent/codex/helper-a --branch agent/codex/helper-b
+  gx branch merge --branch agent/codex/ui-a --branch agent/codex/ui-b
+  gx branch merge --into agent/codex/owner-lane --branch agent/codex/helper-a --branch agent/codex/helper-b
 EOF
 }
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[agent-branch-merge] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 sanitize_slug() {
   local raw="$1"
   local fallback="${2:-merge-agent-branches}"
@@ -262,7 +281,7 @@ if [[ -z "$TARGET_BRANCH" ]]; then
   start_output=""
   if ! start_output="$(
     cd "$repo_root"
-    env GUARDEX_OPENSPEC_AUTO_INIT=1 bash "scripts/agent-branch-start.sh" "$TASK_NAME" "$AGENT_NAME" "$BASE_BRANCH" 2>&1
+    GUARDEX_OPENSPEC_AUTO_INIT=1 run_guardex_cli branch start "$TASK_NAME" "$AGENT_NAME" "$BASE_BRANCH" 2>&1
   )"; then
     printf '%s\n' "$start_output" >&2
     exit 1
@@ -418,4 +437,4 @@ echo "[agent-branch-merge] Merge sequence complete for '${TARGET_BRANCH}'."
 if [[ "$target_created" -eq 1 ]]; then
   echo "[agent-branch-merge] Review and verify in '${target_worktree}', then finish the integration branch when ready."
 fi
-echo "[agent-branch-merge] Next step: bash scripts/agent-branch-finish.sh --branch \"${TARGET_BRANCH}\" --base \"${BASE_BRANCH}\" --via-pr --wait-for-merge --cleanup"
+echo "[agent-branch-merge] Next step: gx branch finish --branch \"${TARGET_BRANCH}\" --base \"${BASE_BRANCH}\" --via-pr --wait-for-merge --cleanup"

package/templates/scripts/agent-branch-start.sh

@@ -7,6 +7,8 @@ BASE_BRANCH=""
 BASE_BRANCH_EXPLICIT=0
 WORKTREE_ROOT_REL=""
 WORKTREE_ROOT_EXPLICIT=0
+NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 OPENSPEC_AUTO_INIT_RAW="${GUARDEX_OPENSPEC_AUTO_INIT:-false}"
 OPENSPEC_PLAN_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_PLAN_SLUG:-}"
 OPENSPEC_CHANGE_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CHANGE_SLUG:-}"
@@ -15,6 +17,23 @@ OPENSPEC_MASTERPLAN_LABEL_RAW="${GUARDEX_OPENSPEC_MASTERPLAN_LABEL-masterplan}"
 PRINT_NAME_ONLY=0
 POSITIONAL_ARGS=()
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[agent-branch-start] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --task)
@@ -385,26 +404,14 @@ initialize_openspec_plan_workspace() {
   local worktree="$2"
   local plan_slug="$3"
 
-  hydrate_local_helper_in_worktree "$repo" "$worktree" "scripts/openspec/init-plan-workspace.sh"
-
   if [[ "$OPENSPEC_AUTO_INIT" -ne 1 ]]; then
     return 0
   fi
 
-  local openspec_script="${worktree}/scripts/openspec/init-plan-workspace.sh"
-  if [[ ! -f "$openspec_script" ]]; then
-    echo "[agent-branch-start] OpenSpec init script is missing in sandbox worktree." >&2
-    echo "[agent-branch-start] Run 'gx setup --target \"$repo\"' to repair templates, then retry." >&2
-    return 1
-  fi
-  if [[ ! -x "$openspec_script" ]]; then
-    chmod +x "$openspec_script" 2>/dev/null || true
-  fi
-
   local init_output=""
   if ! init_output="$(
     cd "$worktree"
-    bash "scripts/openspec/init-plan-workspace.sh" "$plan_slug" 2>&1
+    run_guardex_cli internal run-shell planInit "$plan_slug" 2>&1
   )"; then
     printf '%s\n' "$init_output" >&2
     echo "[agent-branch-start] OpenSpec workspace initialization failed for plan '${plan_slug}'." >&2
@@ -423,26 +430,14 @@ initialize_openspec_change_workspace() {
   local change_slug="$3"
   local capability_slug="$4"
 
-  hydrate_local_helper_in_worktree "$repo" "$worktree" "scripts/openspec/init-change-workspace.sh"
-
   if [[ "$OPENSPEC_AUTO_INIT" -ne 1 ]]; then
     return 0
   fi
 
-  local openspec_script="${worktree}/scripts/openspec/init-change-workspace.sh"
-  if [[ ! -f "$openspec_script" ]]; then
-    echo "[agent-branch-start] OpenSpec change init script is missing in sandbox worktree." >&2
-    echo "[agent-branch-start] Run 'gx setup --target \"$repo\"' to repair templates, then retry." >&2
-    return 1
-  fi
-  if [[ ! -x "$openspec_script" ]]; then
-    chmod +x "$openspec_script" 2>/dev/null || true
-  fi
-
   local init_output=""
   if ! init_output="$(
     cd "$worktree"
-    bash "scripts/openspec/init-change-workspace.sh" "$change_slug" "$capability_slug" 2>&1
+    run_guardex_cli internal run-shell changeInit "$change_slug" "$capability_slug" 2>&1
   )"; then
     printf '%s\n' "$init_output" >&2
     echo "[agent-branch-start] OpenSpec workspace initialization failed for change '${change_slug}'." >&2
@@ -592,7 +587,6 @@ if [[ -n "$auto_transfer_stash_ref" ]]; then
   fi
 fi
 
-hydrate_local_helper_in_worktree "$repo_root" "$worktree_path" "scripts/codex-agent.sh"
 hydrate_dependency_dir_symlink_in_worktree "$repo_root" "$worktree_path" "node_modules"
 hydrate_dependency_dir_symlink_in_worktree "$repo_root" "$worktree_path" "apps/frontend/node_modules"
 hydrate_dependency_dir_symlink_in_worktree "$repo_root" "$worktree_path" "apps/backend/node_modules"
@@ -609,6 +603,6 @@ echo "[agent-branch-start] OpenSpec change: openspec/changes/${openspec_change_s
 echo "[agent-branch-start] OpenSpec plan: openspec/plan/${openspec_plan_slug}"
 echo "[agent-branch-start] Next steps:"
 echo "  cd \"${worktree_path}\""
-echo "  python3 scripts/agent-file-locks.py claim --branch \"${branch_name}\" <file...>"
+echo "  gx locks claim --branch \"${branch_name}\" <file...>"
 echo "  # implement + commit"
-echo "  bash scripts/agent-branch-finish.sh --branch \"${branch_name}\" --base ${BASE_BRANCH} --via-pr --wait-for-merge"
+echo "  gx branch finish --branch \"${branch_name}\" --base ${BASE_BRANCH} --via-pr --wait-for-merge"

package/templates/scripts/agent-file-locks.py

@@ -2,11 +2,11 @@
 """Per-file lock registry for concurrent agent branches.
 
 Usage examples:
-  python3 scripts/agent-file-locks.py claim --branch agent/a path/to/file1 path/to/file2
-  python3 scripts/agent-file-locks.py claim --branch agent/a --allow-delete path/to/obsolete-file
-  python3 scripts/agent-file-locks.py allow-delete --branch agent/a path/to/obsolete-file
-  python3 scripts/agent-file-locks.py validate --branch agent/a --staged
-  python3 scripts/agent-file-locks.py release --branch agent/a
+  gx locks claim --branch agent/a path/to/file1 path/to/file2
+  gx locks claim --branch agent/a --allow-delete path/to/obsolete-file
+  gx locks allow-delete --branch agent/a path/to/obsolete-file
+  gx locks validate --branch agent/a --staged
+  gx locks release --branch agent/a
 """
 
 from __future__ import annotations
@@ -27,9 +27,9 @@ CRITICAL_GUARDRAIL_PATHS = {
     'AGENTS.md',
     '.githooks/pre-commit',
     '.githooks/pre-push',
-    'scripts/agent-branch-start.sh',
-    'scripts/agent-branch-finish.sh',
-    'scripts/agent-file-locks.py',
+    '.githooks/post-merge',
+    '.githooks/post-checkout',
+    'scripts/guardex-env.sh',
 }
 ALLOW_GUARDRAIL_DELETE_ENV = 'AGENT_ALLOW_GUARDRAIL_DELETE'
 
@@ -326,11 +326,11 @@ def cmd_validate(args: argparse.Namespace, repo_root: Path) -> int:
             print(f'    - {file_path}', file=sys.stderr)
         print('    Approve explicit deletions with one of:', file=sys.stderr)
         print(
-            f'      python3 scripts/agent-file-locks.py claim --branch "{args.branch}" --allow-delete <file...>',
+            f'      gx locks claim --branch "{args.branch}" --allow-delete <file...>',
             file=sys.stderr,
         )
         print(
-            f'      python3 scripts/agent-file-locks.py allow-delete --branch "{args.branch}" <file...>',
+            f'      gx locks allow-delete --branch "{args.branch}" <file...>',
             file=sys.stderr,
         )
     if guardrail_delete_blocked:
@@ -343,7 +343,7 @@ def cmd_validate(args: argparse.Namespace, repo_root: Path) -> int:
         )
 
     print('\nClaim files with:', file=sys.stderr)
-    print(f'  python3 scripts/agent-file-locks.py claim --branch "{args.branch}" <file...>', file=sys.stderr)
+    print(f'  gx locks claim --branch "{args.branch}" <file...>', file=sys.stderr)
     return 1
 
 

package/templates/scripts/codex-agent.sh

@@ -7,6 +7,7 @@ BASE_BRANCH="${GUARDEX_BASE_BRANCH:-}"
 BASE_BRANCH_EXPLICIT=0
 CODEX_BIN="${GUARDEX_CODEX_BIN:-codex}"
 NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 AUTO_FINISH_RAW="${GUARDEX_CODEX_AUTO_FINISH:-true}"
 AUTO_REVIEW_ON_CONFLICT_RAW="${GUARDEX_CODEX_AUTO_REVIEW_ON_CONFLICT:-true}"
 AUTO_CLEANUP_RAW="${GUARDEX_CODEX_AUTO_CLEANUP:-true}"
@@ -17,6 +18,23 @@ OPENSPEC_CHANGE_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CHANGE_SLUG:-}"
 OPENSPEC_CAPABILITY_SLUG_OVERRIDE="${GUARDEX_OPENSPEC_CAPABILITY_SLUG:-}"
 OPENSPEC_MASTERPLAN_LABEL_RAW="${GUARDEX_OPENSPEC_MASTERPLAN_LABEL-masterplan}"
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[codex-agent] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 normalize_bool() {
   local raw="${1:-}"
   local fallback="${2:-0}"
@@ -375,11 +393,6 @@ start_sandbox_fallback() {
   printf '[agent-branch-start] Worktree: %s\n' "$worktree_path"
 }
 
-if [[ ! -x "${repo_root}/scripts/agent-branch-start.sh" ]]; then
-  echo "[codex-agent] Missing scripts/agent-branch-start.sh. Run: gx setup" >&2
-  exit 1
-fi
-
 start_args=("$TASK_NAME" "$AGENT_NAME")
 if [[ "$BASE_BRANCH_EXPLICIT" -eq 1 ]]; then
   start_args+=("$BASE_BRANCH")
@@ -392,7 +405,7 @@ set +e
 start_output="$(
   GUARDEX_OPENSPEC_AUTO_INIT="$OPENSPEC_AUTO_INIT" \
   GUARDEX_OPENSPEC_MASTERPLAN_LABEL="$OPENSPEC_MASTERPLAN_LABEL_RAW" \
-  bash "${repo_root}/scripts/agent-branch-start.sh" "${start_args[@]}" 2>&1
+  run_guardex_cli branch start "${start_args[@]}" 2>&1
 )"
 start_status=$?
 set -e
@@ -529,7 +542,7 @@ print_takeover_prompt() {
     change_artifact="openspec/changes/${change_slug}/"
   fi
 
-  finish_cmd="bash scripts/agent-branch-finish.sh --branch \"${branch}\" --base ${base_branch} --via-pr --wait-for-merge --cleanup"
+  finish_cmd="gx branch finish --branch \"${branch}\" --base ${base_branch} --via-pr --wait-for-merge --cleanup"
 
   echo "[codex-agent] Takeover sandbox: ${wt}"
   echo "[codex-agent] Takeover prompt: Continue \`${change_slug}\` on branch \`${branch}\`. Work inside \`${wt}\`, review \`${change_artifact}\`, continue from the current state instead of creating a new sandbox, and when the work is done run \`${finish_cmd}\`."
@@ -585,24 +598,12 @@ ensure_openspec_plan_workspace() {
     return 0
   fi
 
-  hydrate_local_helper_in_worktree "$wt" "scripts/openspec/init-plan-workspace.sh"
-
-  local openspec_script="${wt}/scripts/openspec/init-plan-workspace.sh"
-  if [[ ! -f "$openspec_script" ]]; then
-    echo "[codex-agent] Missing OpenSpec init script in sandbox: ${openspec_script}" >&2
-    echo "[codex-agent] Run 'gx setup --target ${repo_root}' and retry." >&2
-    return 1
-  fi
-  if [[ ! -x "$openspec_script" ]]; then
-    chmod +x "$openspec_script" 2>/dev/null || true
-  fi
-
   local plan_slug
   plan_slug="$(resolve_openspec_plan_slug "$branch")"
   local init_output=""
   if ! init_output="$(
     cd "$wt"
-    bash "scripts/openspec/init-plan-workspace.sh" "$plan_slug" 2>&1
+    run_guardex_cli internal run-shell planInit "$plan_slug" 2>&1
   )"; then
     printf '%s\n' "$init_output" >&2
     echo "[codex-agent] OpenSpec workspace initialization failed for plan '${plan_slug}'." >&2
@@ -622,24 +623,12 @@ ensure_openspec_change_workspace() {
     return 0
   fi
 
-  hydrate_local_helper_in_worktree "$wt" "scripts/openspec/init-change-workspace.sh"
-
-  local openspec_script="${wt}/scripts/openspec/init-change-workspace.sh"
-  if [[ ! -f "$openspec_script" ]]; then
-    echo "[codex-agent] Missing OpenSpec change init script in sandbox: ${openspec_script}" >&2
-    echo "[codex-agent] Run 'gx setup --target ${repo_root}' and retry." >&2
-    return 1
-  fi
-  if [[ ! -x "$openspec_script" ]]; then
-    chmod +x "$openspec_script" 2>/dev/null || true
-  fi
-
   local change_slug capability_slug init_output=""
   change_slug="$(resolve_openspec_change_slug "$branch")"
   capability_slug="$(resolve_openspec_capability_slug)"
   if ! init_output="$(
     cd "$wt"
-    bash "scripts/openspec/init-change-workspace.sh" "$change_slug" "$capability_slug" 2>&1
+    run_guardex_cli internal run-shell changeInit "$change_slug" "$capability_slug" 2>&1
   )"; then
     printf '%s\n' "$init_output" >&2
     echo "[codex-agent] OpenSpec workspace initialization failed for change '${change_slug}'." >&2
@@ -668,11 +657,6 @@ worktree_has_changes() {
 claim_changed_files() {
   local wt="$1"
   local branch="$2"
-  local lock_script="${repo_root}/scripts/agent-file-locks.py"
-
-  if [[ ! -x "$lock_script" ]]; then
-    return 0
-  fi
 
   local changed_raw deleted_raw
   changed_raw="$({
@@ -683,7 +667,7 @@ claim_changed_files() {
 
   if [[ -n "$changed_raw" ]]; then
     mapfile -t changed_files < <(printf '%s\n' "$changed_raw")
-    python3 "$lock_script" claim --branch "$branch" "${changed_files[@]}" >/dev/null 2>&1 || true
+    run_guardex_cli locks claim --branch "$branch" "${changed_files[@]}" >/dev/null 2>&1 || true
   fi
 
   deleted_raw="$({
@@ -693,7 +677,7 @@ claim_changed_files() {
 
   if [[ -n "$deleted_raw" ]]; then
     mapfile -t deleted_files < <(printf '%s\n' "$deleted_raw")
-    python3 "$lock_script" allow-delete --branch "$branch" "${deleted_files[@]}" >/dev/null 2>&1 || true
+    run_guardex_cli locks allow-delete --branch "$branch" "${deleted_files[@]}" >/dev/null 2>&1 || true
   fi
 }
 
@@ -842,7 +826,7 @@ run_finish_flow() {
     return 2
   fi
 
-  if finish_output="$(bash "${repo_root}/scripts/agent-branch-finish.sh" "${finish_args[@]}" 2>&1)"; then
+  if finish_output="$(run_guardex_cli branch finish "${finish_args[@]}" 2>&1)"; then
     printf '%s\n' "$finish_output"
     return 0
   fi
@@ -865,7 +849,7 @@ run_finish_flow() {
       fi
     )
 
-    if finish_output="$(bash "${repo_root}/scripts/agent-branch-finish.sh" "${finish_args[@]}" 2>&1)"; then
+    if finish_output="$(run_guardex_cli branch finish "${finish_args[@]}" 2>&1)"; then
       printf '%s\n' "$finish_output"
       return 0
     fi
@@ -954,18 +938,16 @@ if [[ "$AUTO_FINISH" -eq 1 && -n "$worktree_branch" && "$worktree_branch" != "HE
   fi
 fi
 
-if [[ -x "${repo_root}/scripts/agent-worktree-prune.sh" ]]; then
-  echo "[codex-agent] Session ended (exit=${codex_exit}). Running worktree cleanup..."
-  prune_args=()
-  if [[ "$BASE_BRANCH_EXPLICIT" -eq 1 ]]; then
-    prune_args+=(--base "$BASE_BRANCH")
-  fi
-  if [[ "$AUTO_CLEANUP" -eq 1 && "$auto_finish_completed" -eq 1 ]]; then
-    prune_args+=(--only-dirty-worktrees --delete-branches --delete-remote-branches)
-  fi
-  if ! bash "${repo_root}/scripts/agent-worktree-prune.sh" "${prune_args[@]}"; then
-    echo "[codex-agent] Warning: automatic worktree cleanup failed." >&2
-  fi
+echo "[codex-agent] Session ended (exit=${codex_exit}). Running worktree cleanup..."
+prune_args=()
+if [[ "$BASE_BRANCH_EXPLICIT" -eq 1 ]]; then
+  prune_args+=(--base "$BASE_BRANCH")
+fi
+if [[ "$AUTO_CLEANUP" -eq 1 && "$auto_finish_completed" -eq 1 ]]; then
+  prune_args+=(--only-dirty-worktrees --delete-branches --delete-remote-branches)
+fi
+if ! run_guardex_cli worktree prune "${prune_args[@]}"; then
+  echo "[codex-agent] Warning: automatic worktree cleanup failed." >&2
 fi
 
 if [[ ! -d "$worktree_path" ]]; then
@@ -978,7 +960,7 @@ else
       echo "[codex-agent] Branch kept intentionally. Cleanup on demand: gx cleanup --branch \"${worktree_branch}\""
     else
       print_takeover_prompt "$worktree_path" "$worktree_branch"
-      echo "[codex-agent] If finished, merge with: bash scripts/agent-branch-finish.sh --branch \"${worktree_branch}\" --base dev --via-pr --wait-for-merge"
+      echo "[codex-agent] If finished, merge with: gx branch finish --branch \"${worktree_branch}\" --base dev --via-pr --wait-for-merge"
       echo "[codex-agent] Cleanup on demand: gx cleanup --branch \"${worktree_branch}\""
     fi
   fi

package/templates/scripts/review-bot-watch.sh

@@ -9,10 +9,12 @@ BASE_BRANCH="${GUARDEX_REVIEW_BOT_BASE_BRANCH:-}"
 ONLY_PR="${GUARDEX_REVIEW_BOT_ONLY_PR:-}"
 RETRY_FAILED_RAW="${GUARDEX_REVIEW_BOT_RETRY_FAILED:-false}"
 INCLUDE_DRAFT_RAW="${GUARDEX_REVIEW_BOT_INCLUDE_DRAFT:-false}"
+NODE_BIN="${GUARDEX_NODE_BIN:-node}"
+CLI_ENTRY="${GUARDEX_CLI_ENTRY:-}"
 
 usage() {
   cat <<'USAGE'
-Usage: bash scripts/review-bot-watch.sh [options]
+Usage: gx review [options]
 
 Continuously monitor GitHub pull requests targeting a base branch and dispatch
 one Codex-agent task per newly opened/updated PR.
@@ -34,6 +36,23 @@ Environment overrides:
 USAGE
 }
 
+run_guardex_cli() {
+  if [[ -n "$CLI_ENTRY" ]]; then
+    "$NODE_BIN" "$CLI_ENTRY" "$@"
+    return $?
+  fi
+  if command -v gx >/dev/null 2>&1; then
+    gx "$@"
+    return $?
+  fi
+  if command -v gitguardex >/dev/null 2>&1; then
+    gitguardex "$@"
+    return $?
+  fi
+  echo "[review-bot-watch] Guardex CLI entrypoint unavailable; rerun via gx." >&2
+  return 127
+}
+
 normalize_bool() {
   local raw="${1:-}"
   local fallback="${2:-0}"
@@ -134,16 +153,20 @@ if ! command -v codex >/dev/null 2>&1; then
   exit 127
 fi
 
-if [[ ! -x "$repo_root/scripts/codex-agent.sh" ]]; then
-  echo "[review-bot-watch] Missing scripts/codex-agent.sh. Run: gx setup" >&2
-  exit 1
-fi
-
 if ! gh auth status >/dev/null 2>&1; then
   echo "[review-bot-watch] gh is not authenticated. Run: gh auth login" >&2
   exit 1
 fi
 
+run_codex_agent() {
+  local local_script="$repo_root/scripts/codex-agent.sh"
+  if [[ -x "$local_script" ]]; then
+    bash "$local_script" "$@"
+    return $?
+  fi
+  run_guardex_cli internal run-shell codexAgent --target "$repo_root" "$@"
+}
+
 sanitize_slug() {
   local raw="$1"
   local fallback="$2"
@@ -262,7 +285,7 @@ process_one_pr() {
 
   echo "[review-bot-watch] Dispatching Codex agent for PR #${pr} (${head_branch})"
   set +e
-  bash "$repo_root/scripts/codex-agent.sh" \
+  run_codex_agent \
     --task "$task_name" \
     --agent "$AGENT_NAME" \
     --base "$BASE_BRANCH" \

package/templates/vscode/guardex-active-agents/README.md

@@ -6,9 +6,10 @@ What it does:
 
 - Adds an `Active Agents` view to the Source Control container.
 - Renders one repo node per live Guardex workspace with grouped `ACTIVE AGENTS` and `CHANGES` sections.
-- Shows one row per live Guardex sandbox session inside the repo's `ACTIVE AGENTS` section.
+- Splits live sessions inside `ACTIVE AGENTS` into `WORKING NOW` and `THINKING` groups so active edit lanes stand out immediately.
+- Shows one row per live Guardex sandbox session inside those activity groups.
 - Shows repo-root git changes in a sibling `CHANGES` section when the guarded repo itself is dirty.
-- Derives `thinking` versus `working` from the live sandbox worktree and shows changed-file counts for active edits.
+- Derives `thinking` versus `working` from the live sandbox worktree, surfaces working counts in the repo/header summary, and shows changed-file counts for active edits.
 - Uses VS Code's native animated `loading~spin` icon for the running-state affordance.
 - Reads repo-local presence files from `.omx/state/active-sessions/`.