@imdeadpool/guardex 7.0.4 → 7.0.6

package/README.md

@@ -373,6 +373,15 @@ npm pack --dry-run
 
 ## Release notes
 
+### v7.0.6
+
+- **Fixed: self-updater lied about success.** `gx`'s update prompt runs `npm i -g @imdeadpool/guardex@latest` and previously trusted npm's exit code. When npm's resolution cache made it report "changed 1 package" without actually overwriting the files (a known quirk triggered when the user just bumped from N-1 → N in the same session, or with a warm metadata cache), the prompt kept re-firing on every subsequent `gx` invocation because the on-disk `package.json` was still stale. `gx` now re-reads the globally installed `package.json` after the `@latest` install returns, compares its `version` field to the advertised latest, and if they don't match runs a pinned retry `npm i -g @imdeadpool/guardex@<latest>` to force the cache past the obstructing entry. If the pinned retry also fails to advance the on-disk version, the user gets a clear hint (`npm root -g && npm cache verify`) instead of a silent loop.
+
+### v7.0.5
+
+- **Added: `oh-my-claude` to `gx status` global-toolchain check.** The Claude-side mirror of `oh-my-codex` is now reported alongside the existing services (`oh-my-codex`, `@fission-ai/openspec`, `@imdeadpool/codex-account-switcher`, `gh`). Users who have not yet installed it will see a clear "inactive" line instead of silent omission, matching the existing codex detection contract.
+- **Added: `.omc/` to the managed `.gitignore` block.** `gx setup` / `gx doctor` write a `.omc/` entry next to `.omx/` so Claude-specific runtime state (notepad, worktrees landing there in a follow-up) stays out of commits by default, parity with the existing `.omx/` treatment.
+
 ### v7.0.4
 
 - **Fixed: publish collision on npm.** Advanced the package metadata from `7.0.3` to `7.0.4` so `npm publish` no longer targets an already published version.

package/bin/multiagent-safety.js

@@ -13,6 +13,7 @@ const LEGACY_NAMES = ['guardex', 'multiagent-safety'];
 const OPENSPEC_PACKAGE = '@fission-ai/openspec';
 const GLOBAL_TOOLCHAIN_PACKAGES = [
   'oh-my-codex',
+  'oh-my-claude',
   OPENSPEC_PACKAGE,
   '@imdeadpool/codex-account-switcher',
 ];
@@ -122,6 +123,7 @@ const GITIGNORE_MARKER_START = '# multiagent-safety:START';
 const GITIGNORE_MARKER_END = '# multiagent-safety:END';
 const MANAGED_GITIGNORE_PATHS = [
   '.omx/',
+  '.omc/',
   'scripts/agent-branch-start.sh',
   'scripts/agent-branch-finish.sh',
   'scripts/codex-agent.sh',
@@ -3263,9 +3265,71 @@ function maybeSelfUpdateBeforeStatus() {
     return;
   }
 
+  // Verify the install actually advanced the on-disk version. npm sometimes
+  // reports "changed 1 package" with status 0 while leaving the old files
+  // in place (version resolution cache / dedupe quirks). If the installed
+  // version doesn't match check.latest, retry with the pinned version so
+  // npm bypasses whatever heuristic made it skip the upgrade.
+  const postInstallVersion = readInstalledGuardexVersion();
+  if (postInstallVersion != null && postInstallVersion !== check.latest) {
+    console.log(
+      `[${TOOL_NAME}] Installed version is still ${postInstallVersion} (expected ${check.latest}). ` +
+        `Retrying with pinned version ${check.latest}…`,
+    );
+    const pinnedResult = run(
+      NPM_BIN,
+      ['i', '-g', `${packageJson.name}@${check.latest}`],
+      { stdio: 'inherit' },
+    );
+    if (pinnedResult.status !== 0) {
+      console.log(
+        `[${TOOL_NAME}] ⚠️ Pinned retry failed. Run manually: ${NPM_BIN} i -g ${packageJson.name}@${check.latest}`,
+      );
+      return;
+    }
+    const pinnedVersion = readInstalledGuardexVersion();
+    if (pinnedVersion != null && pinnedVersion !== check.latest) {
+      console.log(
+        `[${TOOL_NAME}] ⚠️ On-disk version still ${pinnedVersion} after pinned retry. ` +
+          `Investigate: ${NPM_BIN} root -g && ${NPM_BIN} cache verify`,
+      );
+      return;
+    }
+  }
+
   console.log(`[${TOOL_NAME}] ✅ Updated to latest published version.`);
 }
 
+function readInstalledGuardexVersion() {
+  // Resolves the globally-installed package's on-disk version so we can
+  // verify npm actually wrote new bytes. Uses `npm root -g` to locate the
+  // global install root so we don't accidentally read the running source
+  // tree (which is the file the CLI was spawned from — that IS the global
+  // copy in the normal case, but a bump should be visible via a fresh read
+  // either way). Returns null if we can't determine it.
+  try {
+    const rootResult = run(NPM_BIN, ['root', '-g'], { timeout: 5000 });
+    if (rootResult.status !== 0) {
+      return null;
+    }
+    const globalRoot = String(rootResult.stdout || '').trim();
+    if (!globalRoot) {
+      return null;
+    }
+    const installedPkgPath = path.join(globalRoot, packageJson.name, 'package.json');
+    if (!fs.existsSync(installedPkgPath)) {
+      return null;
+    }
+    const parsed = JSON.parse(fs.readFileSync(installedPkgPath, 'utf8'));
+    if (parsed && typeof parsed.version === 'string') {
+      return parsed.version;
+    }
+  } catch (error) {
+    return null;
+  }
+  return null;
+}
+
 function checkForOpenSpecPackageUpdate() {
   if (envFlagEnabled('GUARDEX_SKIP_OPENSPEC_UPDATE_CHECK')) {
     return { checked: false, reason: 'disabled' };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@imdeadpool/guardex",
-  "version": "7.0.4",
+  "version": "7.0.6",
   "description": "GuardeX: the Guardian T-Rex for your repo, with hardened multi-agent git guardrails.",
   "license": "MIT",
   "preferGlobal": true,