@imdeadpool/guardex 7.0.3 → 7.0.4

package/README.md

@@ -373,6 +373,11 @@ npm pack --dry-run
 
 ## Release notes
 
+### v7.0.4
+
+- **Fixed: publish collision on npm.** Advanced the package metadata from `7.0.3` to `7.0.4` so `npm publish` no longer targets an already published version.
+- **Changed: release-note sync for versioning rule.** Added this versioned entry in README in the same change as the package bump to keep publish metadata and release notes aligned.
+
 ### v7.0.3
 
 - **Branch/worktree naming refactor.** `agent-branch-start.sh` now produces `agent/<role>/<task>-<YYYY-MM-DD>-<HH-MM>` instead of `agent/<role+account-email>/<snapshot-slug>-<task>-<cksum6>`. Codex account names (e.g. `Zeus Edix Hu`) and 6-hex checksums no longer leak into branch or worktree paths.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@imdeadpool/guardex",
-  "version": "7.0.3",
+  "version": "7.0.4",
   "description": "GuardeX: the Guardian T-Rex for your repo, with hardened multi-agent git guardrails.",
   "license": "MIT",
   "preferGlobal": true,

package/templates/githooks/pre-commit

@@ -23,6 +23,14 @@ if [[ -n "${CODEX_THREAD_ID:-}" || -n "${OMX_SESSION_ID:-}" || "${CODEX_CI:-0}"
   is_codex_session=1
 fi
 
+# Superset of is_codex_session that also covers Claude Code sessions so the
+# protected-branch gate below only triggers for automated agents — humans stay
+# free to commit directly on main/dev/master.
+is_agent_session=$is_codex_session
+if [[ -n "${CLAUDECODE:-}" || -n "${CLAUDE_CODE_SESSION_ID:-}" ]]; then
+  is_agent_session=1
+fi
+
 is_vscode_git_context=0
 if [[ -n "${VSCODE_GIT_IPC_HANDLE:-}" || -n "${VSCODE_GIT_ASKPASS_NODE:-}" || -n "${VSCODE_IPC_HOOK_CLI:-}" ]]; then
   is_vscode_git_context=1
@@ -124,10 +132,10 @@ MSG
 fi
 
 if [[ "$is_protected_branch" == "1" ]]; then
-  if [[ "$is_codex_session" != "1" && "$is_vscode_git_context" == "1" ]]; then
-    if [[ "$allow_vscode_protected_branch_writes" == "1" ]]; then
-      exit 0
-    fi
+  # Humans may commit directly on protected branches; only agent sessions
+  # (Codex / Claude Code / OMX) are blocked.
+  if [[ "$is_agent_session" != "1" ]]; then
+    exit 0
   fi
 
   if [[ "$is_unborn_branch" == "1" && "$is_codex_session" != "1" ]]; then
@@ -146,16 +154,13 @@ Use an agent branch first:
 After finishing work:
   bash scripts/agent-branch-finish.sh
 
-Optional repo opt-in for VS Code protected-branch commits:
-  git config multiagent.allowVscodeProtectedBranchWrites true
-
 Temporary bypass (not recommended):
   ALLOW_COMMIT_ON_PROTECTED_BRANCH=1 git commit ...
 MSG
   exit 1
 fi
 
-if [[ "$is_agent_context" == "1" && "$branch" != agent/* ]]; then
+if [[ "$is_agent_session" == "1" && "$branch" != agent/* ]]; then
   cat >&2 <<'MSG'
 [agent-branch-guard] Agent commits must run on dedicated agent/* branches.
 Start an agent branch first:

package/templates/githooks/pre-push

@@ -28,6 +28,13 @@ if [[ -n "${CODEX_THREAD_ID:-}" || -n "${OMX_SESSION_ID:-}" || "${CODEX_CI:-0}"
   is_codex_session=1
 fi
 
+# Superset covering Claude Code so only agents are blocked from pushing to
+# protected refs; humans push directly from their primary checkout.
+is_agent_session=$is_codex_session
+if [[ -n "${CLAUDECODE:-}" || -n "${CLAUDE_CODE_SESSION_ID:-}" ]]; then
+  is_agent_session=1
+fi
+
 protected_branches_raw="${GUARDEX_PROTECTED_BRANCHES:-$(git config --get multiagent.protectedBranches || true)}"
 if [[ -z "$protected_branches_raw" ]]; then
   protected_branches_raw="dev main master"
@@ -69,6 +76,11 @@ if [[ "${#blocked_refs[@]}" -gt 0 ]]; then
     exit 1
   fi
 
+  # Humans may push directly to protected branches; only agent sessions are blocked.
+  if [[ "$is_agent_session" != "1" ]]; then
+    exit 0
+  fi
+
   if [[ "$is_vscode_git_context" == "1" && "$allow_vscode_protected_branch_writes" == "1" ]]; then
     exit 0
   fi