@imdeadpool/guardex 7.0.7 → 7.0.10

package/README.md

@@ -1,28 +1,23 @@
-# GuardeX — Guardian T-Rex for your repo
+# GitGuardex — Guardian T-Rex for your repo
 
 [![npm version](https://img.shields.io/npm/v/%40imdeadpool%2Fguardex?color=cb3837&logo=npm)](https://www.npmjs.com/package/@imdeadpool/guardex)
-[![CI](https://github.com/recodeee/guardex/actions/workflows/ci.yml/badge.svg)](https://github.com/recodeee/guardex/actions/workflows/ci.yml)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/recodeee/guardex/badge)](https://securityscorecards.dev/viewer/?uri=github.com/recodeee/guardex)
+[![CI](https://github.com/recodeee/gitguardex/actions/workflows/ci.yml/badge.svg)](https://github.com/recodeee/gitguardex/actions/workflows/ci.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/recodeee/gitguardex/badge)](https://securityscorecards.dev/viewer/?uri=github.com/recodeee/gitguardex)
 
-GuardeX is a safety layer for parallel Codex/agent work in git repos.
+**GitGuardex is a safety layer for parallel agent work in git repos.** If you're running more than one Codex or Claude agent on the same codebase, this is what keeps them from deleting each other's work.
 
 > [!WARNING]
-> Not affiliated with OpenAI or Codex. Not an official tool.
+> Not affiliated with OpenAI, Anthropic, or Codex. Not an official tool.
 
-## Frontend Repo
+---
 
-- Standalone frontend repository: https://github.com/Webu-PRO/guardex-frontend
-- This repository tracks/mirrors the frontend under `frontend/` as documented below.
+## The problem
 
-## The problem (what was going wrong)
+I was running ~30 Codex agents in parallel and hit a wall: they kept working on the same files at the same time — especially tests — and started overwriting or deleting each other's changes. More agents meant *less* forward progress, not more. Classic de-progressive loop.
 
-Multiple Codex agents worked on the same files at the same time.
-They started overwriting or deleting each other's changes.
-Progress became **de-progressive**: more activity, less real forward movement.
+GitGuardex exists to stop that loop. Every agent gets its own worktree, claims the files it's touching, and can't clobber files another agent has claimed. Your local branch stays clean; agents stay in their lanes.
 
-GuardeX exists to stop that loop.
-
-![Multi-agent dashboard example](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/dashboard-multi-agent.png)
+![Multi-agent dashboard example](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/dashboard-multi-agent.png)
 
 ```mermaid
 flowchart LR
@@ -38,15 +33,21 @@ flowchart LR
     I --> F
 ```
 
-## What GuardeX enforces
+---
+
+## What it does
+
+- **Isolated `agent/*` branch + worktree per task** — agents never share a working directory.
+- **Explicit file lock claiming** — an agent declares which files it's editing before it edits them.
+- **Deletion guard** — claimed files can't be removed by another agent.
+- **Protected-base safety** — `main`, `dev`, `master` are blocked by default; agents must go through PRs.
+- **Auto-merges agent configs into every worktree** — `oh-my-codex`, `oh-my-claude`, caveman mode, and OpenSpec all get applied automatically so every spawned agent starts tuned, not bare.
+- **Repair/doctor flow** — when drift happens (and it will), `gx doctor` gets you back to a clean state.
+- **Auto-finish** — when Codex exits a session, Guardex commits sandbox changes, syncs against the base, retries once if the base moved, and opens a PR.
 
-- isolated `agent/*` branch + worktree per task
-- explicit file lock claiming before edits
-- deletion guard for claimed files
-- protected-base branch safety (`main`, `dev`, `master` by default)
-- repair/doctor flow when drift appears
+---
 
-## Copy-paste: install + bootstrap
+## Quick start
 
 ```sh
 npm i -g @imdeadpool/guardex
@@ -54,292 +55,269 @@ cd /path/to/your/repo
 gx setup
 ```
 
-Alias support:
+That's it. Setup installs hooks, scripts, templates, and scaffolds OpenSpec/caveman/OMX wiring. Aliases: `gx` (preferred), `gitguardex` (full), `guardex` (legacy).
 
-- preferred: `gx`
-- full: `guardex`
+---
 
-## Copy-paste: daily workflow (per new user task)
+## Daily workflow
+
+Per new agent task:
 
 ```sh
 # 1) Start isolated branch/worktree
 bash scripts/agent-branch-start.sh "task-name" "agent-name"
 
-# 2) Claim ownership
-python3 scripts/agent-file-locks.py claim --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
+# 2) Claim the files you're going to touch
+python3 scripts/agent-file-locks.py claim \
+  --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
 
 # 3) Implement + verify
 npm test
 
-# 4) Finish (commit/push/PR/merge flow)
-bash scripts/agent-branch-finish.sh --branch "$(git rev-parse --abbrev-ref HEAD)" --base dev --via-pr --wait-for-merge
+# 4) Finish (commit + push + PR + merge)
+bash scripts/agent-branch-finish.sh \
+  --branch "$(git rev-parse --abbrev-ref HEAD)" \
+  --base dev --via-pr --wait-for-merge
 
-# 5) Optional cleanup after merge
+# 5) Optional: cleanup after merge
 gx cleanup --branch "$(git rev-parse --abbrev-ref HEAD)"
 ```
 
-If you use `scripts/codex-agent.sh`, the finish flow is auto-run after the Codex session exits.
-It auto-commits sandbox changes, retries once after syncing if the branch moved behind base during the run, then pushes/opens PR merge flow against `dev`.
+If you use `scripts/codex-agent.sh`, the finish flow runs automatically when the Codex session exits — it auto-commits, retries once after syncing if the base moved during the run, then pushes and opens the PR.
 
-If you run Codex in multiple existing agent worktrees directly (for example from VS Code Source Control), finalize all completed branches with:
+Running Codex across several existing worktrees (e.g. from VS Code Source Control)? Finalize everything ready at once:
 
 ```sh
 gx finish --all
 ```
 
-## Visual workflow
-
-### Setup status
-
-![gx setup behavior screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/setup-success.svg)
+---
 
-### Service logs/status
+## Visual reference
 
-![gx status logs screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/status-tools-logs.svg)
+| | |
+|---|---|
+| ![Setup status](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/setup-success.svg) | **`gx setup`** — bootstraps everything in one command |
+| ![Service logs](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/status-tools-logs.svg) | **`gx status`** — health check for tools, hooks, services |
+| ![Branch start](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-branch-start.svg) | **Branch/worktree start protocol** |
+| ![Lock guard](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-lock-guard.svg) | **Lock + delete-guard protocol** |
+| ![VS Code layout](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-source-control.svg) | **VS Code Source Control view** with agent + OpenSpec files |
 
-### Branch/worktree start protocol
+### How It Works In VS Code
 
-![gx branch start protocol screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-branch-start.svg)
+This is the real Source Control shape Guardex is aiming for: isolated agent branches, clear OpenSpec artifacts, and no pile-up on one shared checkout.
 
-### Lock + delete guard protocol
+![Exact VS Code Source Control workflow screenshot](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-vscode-source-control-exact.png)
 
-![gx lock and delete guard screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-lock-guard.svg)
+---
 
-### VS Code Source Control layout (agent + OpenSpec files)
+## Commands
 
-![VS Code Source Control layout with OpenSpec files](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-source-control.svg)
-
-## Copy-paste: common commands
+### Core
 
 ```sh
-# health check (default when run with no args)
-gx status
-gx status --strict        # exit non-zero on findings (v6 name: gx scan)
-
-# bootstrap, repair, verify — all in one
-gx setup
-gx setup --repair         # repair only (v6 name: gx fix)
-gx setup --install-only   # scaffold templates, skip global installs (v6 name: gx install)
+gx status                 # health check (default)
+gx status --strict        # exit non-zero on findings
+gx setup                  # full bootstrap
+gx setup --repair         # repair only
+gx setup --install-only   # scaffold templates, skip global installs
 gx doctor                 # repair + verify (auto-sandboxes on protected main)
+```
+
+### Targeting other repos
 
-# target another repo without switching your current checkout
+```sh
 gx setup --target /path/to/repo
 gx doctor --target /path/to/repo
-# optional VS Code workspace showing repo + agent worktrees
+
+# optional: VS Code workspace showing repo + agent worktrees
 gx setup --target /path/to/repo --parent-workspace-view
+```
+
+### Monorepo support
+
+Setup auto-installs into every nested git repo (e.g. `apps/*/.git`). Submodules and worktrees under `.omx/agent-worktrees/` are skipped.
 
-# monorepo with nested git repos (e.g. /mainfolder/.git + /mainfolder/apps/*/.git)
-# setup auto-installs into every nested repo; use --no-recursive to limit to the top-level
+```sh
 gx setup --target /mainfolder
 gx setup --target /mainfolder --no-recursive
+```
+
+### Protected branches
 
-# protected branch management
+```sh
 gx protect list
 gx protect add release staging
 gx protect remove release
+gx protect set main release hotfix
+gx protect reset
+```
+
+Defaults: `dev`, `main`, `master`. Stored in git config key `multiagent.protectedBranches`.
 
-# sync current agent branch with origin/<base>
+### Sync current agent branch
+
+```sh
 gx sync --check
 gx sync
+```
+
+### Background bots
 
-# background bots (review monitor + stale cleanup)
-gx agents start
+```sh
+gx agents start           # review monitor + stale cleanup
 gx agents stop
 gx agents status
 
-# per-agent-branch lifecycle
-gx finish --all           # commit + PR + merge every ready agent/* branch
-gx cleanup                # prune merged/stale branches and worktrees
-gx cleanup --watch --interval 60
-
-# AI-ready setup prompt (paste into Codex/Claude)
-gx prompt                 # full checklist        (v6 name: gx copy-prompt)
-gx prompt --exec          # commands only         (v6 name: gx copy-commands)
-gx prompt --snippet       # AGENTS.md managed block template
-
-# reports
-gx report scorecard --repo github.com/recodeee/guardex
+# tuning
+gx agents start --review-interval 30 --cleanup-interval 60 --idle-minutes 10
 ```
 
-### v6 → v7 command migration
-
-Five commands were consolidated into flags. Old names still work and print a one-line deprecation notice; they'll be removed in v8.
-
-| v6 command             | v7 replacement           |
-| ---------------------- | ------------------------ |
-| `gx init`              | `gx setup`               |
-| `gx install`           | `gx setup --install-only`|
-| `gx fix`               | `gx setup --repair`      |
-| `gx scan`              | `gx status --strict`     |
-| `gx copy-prompt`       | `gx prompt`              |
-| `gx copy-commands`     | `gx prompt --exec`       |
-| `gx print-agents-snippet` | `gx prompt --snippet` |
-| `gx review`            | `gx agents start` (runs review + cleanup) |
-
-### Continuous stale branch cleanup bot
-
-Use this to auto-prune idle `agent/*` worktrees created by Codex while keeping active worktrees untouched.
+### Lifecycle
 
 ```sh
-# watch cleanup loop every minute (default idle threshold is 10 minutes when --watch is enabled)
+gx finish --all           # commit + PR + merge every ready agent/* branch
+gx cleanup                # prune merged/stale branches and worktrees
 gx cleanup --watch --interval 60
-
-# one-shot cleanup for branches idle at least 10 minutes
 gx cleanup --idle-minutes 10
-
-# run a single watch cycle (helpful for cron/CI checks)
 gx cleanup --watch --once --interval 60
 ```
 
-### Repo Agent Supervisor (start both bots with one command)
+### Prompts for your agents
 
 ```sh
-# starts review bot + cleanup bot in background for the current repo
-gx agents start
-
-# optional tuning
-gx agents start --review-interval 30 --cleanup-interval 60 --idle-minutes 10
-
-# show whether both bots are running for this repo
-gx agents status
-
-# stop both bots and clear repo-local state
-gx agents stop
+gx prompt                 # full checklist (paste into Codex/Claude)
+gx prompt --exec          # commands only
+gx prompt --snippet       # AGENTS.md managed-block template
 ```
 
-## Important behavior defaults
+### Reports
 
-- No command defaults to `gx status`.
-- `gx init` is alias of `gx setup`.
-- Setup/doctor can install missing global OMX/OpenSpec/codex-auth with explicit Y/N confirmation.
-- `gx setup` checks GitHub CLI (`gh`) and prints install guidance if missing.
-- Optional parent-folder VS Code Source Control view: `gx setup --target /path/to/repo --parent-workspace-view` creates `../<repo>-branches.code-workspace`.
-- Monorepo-aware: when the target contains nested git repos (e.g. `apps/*/.git`), `gx setup` installs the workflow into every discovered repo. Git submodules (`.git` files) and guardex worktrees under `.omx/agent-worktrees/` are skipped. Opt out with `--no-recursive`; tune discovery with `--max-depth <n>`, `--skip-nested <dir>`, and `--include-submodules`.
-- Interactive self-update prompt defaults to **No** (`[y/N]`).
-- In initialized repos, `setup`/`install`/`fix` block protected-base writes unless explicitly overridden.
-- Direct commits/pushes to protected branches are blocked by default.
-- Exception: VS Code Source Control commits are allowed on protected branches that exist only locally (no upstream and no remote branch).
-- Optional repo override for manual VS Code protected-branch writes: `git config multiagent.allowVscodeProtectedBranchWrites true`.
-- Codex/agent sessions stay blocked on protected branches and must use `agent/*` branch + PR workflow.
-- On protected `main`, `gx doctor` auto-runs in a sandbox agent branch/worktree.
-- In-place agent branching is disabled; `scripts/agent-branch-start.sh` always creates a separate worktree to keep your visible local/base branch unchanged.
-- Fresh sandbox branches intentionally start without any git upstream; guardex records the protected base in `branch.<name>.guardexBase`, and the first `git push -u` publishes the real upstream branch.
-- `scripts/agent-branch-start.sh` hydrates `scripts/codex-agent.sh` into new sandbox worktrees when missing, so auto-finish launcher flow stays available.
+```sh
+gx report scorecard --repo github.com/recodeee/gitguardex
+```
 
-## Configure protected branches
+---
 
-Default protected branches:
+## v6 → v7 migration
 
-- `dev`
-- `main`
-- `master`
+Five commands were consolidated into flags. Old names still work and print a deprecation notice; they'll be removed in v8.
 
-```sh
-gx protect list
-gx protect set main release hotfix
-gx protect reset
-```
+| v6                          | v7                            |
+| --------------------------- | ----------------------------- |
+| `gx init`                   | `gx setup`                    |
+| `gx install`                | `gx setup --install-only`     |
+| `gx fix`                    | `gx setup --repair`           |
+| `gx scan`                   | `gx status --strict`          |
+| `gx copy-prompt`            | `gx prompt`                   |
+| `gx copy-commands`          | `gx prompt --exec`            |
+| `gx print-agents-snippet`   | `gx prompt --snippet`         |
+| `gx review`                 | `gx agents start`             |
 
-Stored in git config key:
+---
 
-```text
-multiagent.protectedBranches
-```
+## Default behavior
 
-## Companion dependency: GitHub CLI (`gh`)
+A few things worth knowing up front:
 
-GuardeX PR/merge automation depends on GitHub CLI (`gh`), including
-`agent-branch-finish.sh` PR flows and `codex-agent.sh` auto-finish behavior.
+- Running `gx` with no command opens the status/health view.
+- `gx init` is just an alias for `gx setup`.
+- Setup/doctor can install missing global OMX, OpenSpec, and codex-auth — but only with explicit Y/N confirmation.
+- Direct commits/pushes to protected branches are **blocked** by default. Agents must use the `agent/*` + PR flow.
+- **Exception:** VS Code Source Control commits are allowed on protected branches that exist only locally (no upstream, no remote branch).
+- On protected `main`, `gx doctor` auto-runs in a sandbox agent branch/worktree so it can't touch your real main.
+- In-place agent branching is disabled. `scripts/agent-branch-start.sh` always creates a separate worktree so your visible local/base branch never changes.
+- Fresh sandbox branches start with no git upstream. Guardex records the protected base in `branch.<name>.guardexBase`, and the first `git push -u` publishes the real upstream.
+- Interactive self-update prompt defaults to **No** (`[y/N]`).
 
-Install + verify:
+Optional override for manual VS Code protected-branch writes:
 
 ```sh
-# install guide: https://cli.github.com/
-gh --version
-gh auth status
+git config multiagent.allowVscodeProtectedBranchWrites true
 ```
 
-## Optional GitHub Apps: fork sync + PR review
+---
+
+## Companion tools
 
-### Pull app (Probot fork sync)
+GitGuardex is designed to work alongside these. All optional — but if you're running many agents, you probably want them.
 
-GuardeX setup now installs a starter file at `.github/pull.yml.example`.
+### GitHub CLI (`gh`)
 
-To enable fork auto-sync:
+Required for PR/merge automation. `agent-branch-finish.sh` and `codex-agent.sh` auto-finish both depend on it.
 
 ```sh
-cp .github/pull.yml.example .github/pull.yml
+# https://cli.github.com/
+gh --version
+gh auth status
 ```
 
-Then edit `.github/pull.yml`:
+### codex-auth — multi-account switcher
 
-- set `rules[].base` to your fork branch (`main`, `master`, or `dev`)
-- set `rules[].upstream` to `<upstream-owner>:<branch>`
+For multi-identity Codex workflows. I built this because switching accounts manually for 30 agents was impossible.
 
-Install the app: <https://github.com/apps/pull>  
-Validate config: `https://pull.git.ci/check/<owner>/<repo>`
+```sh
+npm i -g @imdeadpool/codex-account-switcher
 
-### CR-GPT code review app
+codex-auth save <name>
+codex-auth use <name>
+codex-auth list --details
+codex-auth current
+```
 
-Install app: <https://github.com/apps/cr-gpt>
+Repo: [recodeecom/codex-account-switcher-cli](https://github.com/recodeecom/codex-account-switcher-cli)
 
-`gx setup` also installs `.github/workflows/cr.yml` (GitHub Actions review workflow).
+### Pull app — fork auto-sync
 
-Then in your repo:
+Guardex installs a starter config at `.github/pull.yml.example`.
 
-1. `Settings -> Secrets and variables -> Actions`
-2. open `Variables`
-3. add `OPENAI_API_KEY`
+```sh
+cp .github/pull.yml.example .github/pull.yml
+# edit rules[].base and rules[].upstream
+```
 
-After that, the app reviews new and updated pull requests automatically.
+Install the app: <https://github.com/apps/pull>
+Validate: `https://pull.git.ci/check/<owner>/<repo>`
 
-## Frontend mirror sync (`Webu-PRO/guardex-frontend`)
+### CR-GPT — AI PR reviews
 
-This repo includes `.github/workflows/sync-frontend-mirror.yml`, which mirrors
-the `frontend/` subtree to a separate repository whenever `main` receives
-changes under `frontend/**`.
+Install: <https://github.com/apps/cr-gpt>
 
-Default target:
+`gx setup` installs `.github/workflows/cr.yml`. Then add `OPENAI_API_KEY` under `Settings → Secrets and variables → Actions → Variables`. After that, new and updated PRs get reviewed automatically.
 
-- repo: `Webu-PRO/guardex-frontend`
-- branch: `main`
+---
 
-Required setup (in this repository):
+## OpenSpec integration
 
-1. `Settings -> Secrets and variables -> Actions`
-2. Add repository secret `GUARDEX_FRONTEND_MIRROR_PAT`
-   - value must be a token with `contents:write` access to `Webu-PRO/guardex-frontend`
+If you installed OpenSpec during setup (`@fission-ai/openspec`), the full guide is at [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md).
 
-Optional overrides (Actions Variables):
+Default flow:
 
-- `GUARDEX_FRONTEND_MIRROR_REPO` (default `Webu-PRO/guardex-frontend`)
-- `GUARDEX_FRONTEND_MIRROR_BRANCH` (default `main`)
+```text
+/opsx:propose <change-name> → /opsx:apply → /opsx:archive
+```
 
-Manual run:
+Expanded flow:
 
-```sh
-gh workflow run sync-frontend-mirror.yml
+```text
+/opsx:new <change-name> → /opsx:ff or /opsx:continue → /opsx:apply → /opsx:verify → /opsx:archive
 ```
 
-## Companion dependency: `codex-auth` account switcher
+### OpenSpec in agent sub-branches
 
-For multi-identity Codex workflows, GuardeX pairs with
-[`codex-auth`](https://github.com/recodeecom/codex-account-switcher-cli).
+- `scripts/codex-agent.sh` enforces OpenSpec workspaces before launching Codex.
+- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<slug>/` and `openspec/plan/<slug>/` when `GUARDEX_OPENSPEC_AUTO_INIT=true`.
 
-Install:
+Environment variables:
 
-```sh
-npm i -g @imdeadpool/codex-account-switcher
-```
+| Var | Purpose |
+|---|---|
+| `GUARDEX_OPENSPEC_AUTO_INIT` | `true` to auto-bootstrap on branch start (default `false`) |
+| `GUARDEX_OPENSPEC_PLAN_SLUG` | force a specific plan workspace name |
+| `GUARDEX_OPENSPEC_CHANGE_SLUG` | force a specific change workspace name |
+| `GUARDEX_OPENSPEC_CAPABILITY_SLUG` | override capability folder for `spec.md` scaffolding |
 
-Common commands:
-
-```sh
-codex-auth save <name>
-codex-auth use <name>
-codex-auth list --details
-codex-auth current
-```
+---
 
 ## Files installed by setup
 
@@ -354,8 +332,8 @@ scripts/install-agent-git-hooks.sh
 scripts/openspec/init-plan-workspace.sh
 .githooks/pre-commit
 .githooks/pre-push
-.codex/skills/guardex/SKILL.md
-.claude/commands/guardex.md
+.codex/skills/gitguardex/SKILL.md
+.claude/commands/gitguardex.md
 .github/pull.yml.example
 .github/workflows/cr.yml
 .omx/state/agent-file-locks.json
@@ -363,44 +341,51 @@ scripts/openspec/init-plan-workspace.sh
 
 If `package.json` exists, setup also adds `agent:*` helper scripts.
 
-## OpenSpec quick start after `gx setup`
+---
 
-If you enabled global OpenSpec install during setup (`@fission-ai/openspec`), use the full guide here:
+## Frontend mirror
 
-- [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md)
+- Standalone frontend repo: <https://github.com/Webu-PRO/guardex-frontend>
+- This repo tracks the frontend under `frontend/` and auto-mirrors it via `.github/workflows/sync-frontend-mirror.yml` on changes to `main`.
 
-Default core flow:
+Setup (in this repo):
 
-```text
-/opsx:propose <change-name> -> /opsx:apply -> /opsx:archive
-```
+1. `Settings → Secrets and variables → Actions`
+2. Add secret `GUARDEX_FRONTEND_MIRROR_PAT` with `contents:write` on `Webu-PRO/guardex-frontend`
+
+Optional overrides (Actions Variables):
 
-Optional expanded flow:
+- `GUARDEX_FRONTEND_MIRROR_REPO` (default `Webu-PRO/guardex-frontend`)
+- `GUARDEX_FRONTEND_MIRROR_BRANCH` (default `main`)
+
+Manual run:
 
 ```sh
-openspec config profile <profile-name>
-openspec update
+gh workflow run sync-frontend-mirror.yml
 ```
 
-```text
-/opsx:new <change-name> -> /opsx:ff or /opsx:continue -> /opsx:apply -> /opsx:verify -> /opsx:archive
-```
+---
 
-### OpenSpec in agent sub-branches
+## Known rough edges
+
+Being honest about where this still has issues:
+
+- **Usage limit mid-task.** When an agent hits its Codex/Claude usage limit partway through, the cleanup flow currently has to be handed to a different agent. It works, but the handoff is uglier than I'd like.
+- **Conflict-stuck probes.** Fixed in v7.0.2 — earlier versions could leak `__source-probe-*` worktrees when the sync-guard rebase hit conflicts. If you're on an older release, `gx cleanup` sweeps these.
+- **Windows.** Most of the hook surface assumes a POSIX shell. Use WSL or symlink-enabled git if you're on Windows.
 
-- `scripts/codex-agent.sh` enforces OpenSpec workspaces before it launches Codex in each sandbox branch/worktree.
-- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<agent-branch-slug>/` and `openspec/plan/<agent-branch-slug>/` when you set `GUARDEX_OPENSPEC_AUTO_INIT=true`.
-- Set `GUARDEX_OPENSPEC_AUTO_INIT=false` (default for `agent-branch-start`) to skip branch-start auto-bootstrap.
-- Set `GUARDEX_OPENSPEC_PLAN_SLUG=<kebab-case-slug>` to force a specific plan workspace name.
-- Set `GUARDEX_OPENSPEC_CHANGE_SLUG=<kebab-case-slug>` to force a specific change workspace name.
-- Set `GUARDEX_OPENSPEC_CAPABILITY_SLUG=<kebab-case-slug>` to override the default capability folder used for `spec.md` scaffolding.
+PRs and issues welcome.
 
-## Security and maintenance posture
+---
 
-- CI matrix on Node 18/20/22 (`npm test`, `node --check`, `npm pack --dry-run`)
-- trusted publishing with provenance in GitHub Actions
+## Security & maintenance
+
+- CI matrix on Node 18 / 20 / 22 (`npm test`, `node --check`, `npm pack --dry-run`)
+- Trusted publishing with provenance via GitHub Actions
 - OpenSSF Scorecard + Dependabot for Actions
-- disclosure policy in [`SECURITY.md`](./SECURITY.md)
+- Disclosure policy in [`SECURITY.md`](./SECURITY.md)
+
+---
 
 ## Local development
 
@@ -410,201 +395,133 @@ node --check bin/multiagent-safety.js
 npm pack --dry-run
 ```
 
+---
+
 ## Release notes
 
-### v7.0.7
+<details>
+<summary><strong>v7.x</strong></summary>
 
-- **Fixed: next publish target now advances past npm.** Bumped `@imdeadpool/guardex` from `7.0.6` to `7.0.7` so the next `npm publish` does not collide with the already-published registry version.
-- **Fixed: root package metadata drift in `package-lock.json`.** The lockfile root version had fallen behind the package manifest (`7.0.4` vs. `7.0.6`), which made release metadata inconsistent. The bump resynchronized `package.json` and `package-lock.json` on `7.0.7`.
+### v7.0.10
+- Primary user-facing long name is now **GitGuardex**. CLI/help presents `gitguardex` as the long-form command; `gx` stays the preferred short alias; `guardex` remains as legacy compatibility.
+- Installed Codex/Claude startup files now use `gitguardex` paths: `.codex/skills/gitguardex/SKILL.md` and `.claude/commands/gitguardex.md`.
+- Startup context shrunk further. Managed marker block + skill + command compressed from 4340 B → 1930 B across the three always-loaded template files.
+- Bumped `@imdeadpool/guardex` from `7.0.9` → `7.0.10`.
 
-### v7.0.6
+### v7.0.9
+- `gx doctor` and `gx setup` now refresh AGENTS with repo-toggle examples. Managed AGENTS block states Guardex is enabled by default and shows exact `.env` lines: `GUARDEX_ON=0` disables per repo, `GUARDEX_ON=1` re-enables.
+- Bumped to `7.0.9`.
 
-- **Fixed: self-updater lied about success.** `gx`'s update prompt runs `npm i -g @imdeadpool/guardex@latest` and previously trusted npm's exit code. When npm's resolution cache made it report "changed 1 package" without actually overwriting the files (a known quirk triggered when the user just bumped from N-1 → N in the same session, or with a warm metadata cache), the prompt kept re-firing on every subsequent `gx` invocation because the on-disk `package.json` was still stale. `gx` now re-reads the globally installed `package.json` after the `@latest` install returns, compares its `version` field to the advertised latest, and if they don't match runs a pinned retry `npm i -g @imdeadpool/guardex@<latest>` to force the cache past the obstructing entry. If the pinned retry also fails to advance the on-disk version, the user gets a clear hint (`npm root -g && npm cache verify`) instead of a silent loop.
+### v7.0.8
+- Added `REPO TOGGLE` section to `gx` status/help output. Operators see the repo-local switch immediately.
+- Bumped to `7.0.8`.
 
-### v7.0.5
+### v7.0.7
+- Advanced next publish target past npm. Bumped to `7.0.7`.
+- Fixed root package metadata drift in `package-lock.json` (root version had fallen behind manifest).
 
-- **Added: `oh-my-claude` to `gx status` global-toolchain check.** The Claude-side mirror of `oh-my-codex` is now reported alongside the existing services (`oh-my-codex`, `@fission-ai/openspec`, `@imdeadpool/codex-account-switcher`, `gh`). Users who have not yet installed it will see a clear "inactive" line instead of silent omission, matching the existing codex detection contract.
-- **Added: `.omc/` to the managed `.gitignore` block.** `gx setup` / `gx doctor` write a `.omc/` entry next to `.omx/` so Claude-specific runtime state (notepad, worktrees landing there in a follow-up) stays out of commits by default, parity with the existing `.omx/` treatment.
+### v7.0.6
+- **Fixed: self-updater lied about success.** `gx`'s update prompt runs `npm i -g @imdeadpool/guardex@latest` and previously trusted npm's exit code. When npm's resolution cache reported "changed 1 package" without actually overwriting files (known quirk, triggers when user just bumped N-1 → N in the same session, or with a warm metadata cache), the prompt kept re-firing on every subsequent `gx` invocation because the on-disk `package.json` was stale. `gx` now re-reads the globally installed `package.json` after `@latest` returns, compares its `version` to the advertised latest, and if they don't match runs a pinned retry `npm i -g @imdeadpool/guardex@<latest>` to force past the obstructing cache entry. If the pinned retry also fails, the user gets a clear hint (`npm root -g && npm cache verify`) instead of a silent loop.
 
-### v7.0.4
+### v7.0.5
+- Added `oh-my-claude` to `gx status` global-toolchain check. Claude-side mirror of `oh-my-codex` is reported alongside existing services (`oh-my-codex`, `@fission-ai/openspec`, `@imdeadpool/codex-account-switcher`, `gh`).
+- Added `.omc/` to the managed `.gitignore` block so Claude-specific runtime state (notepad, worktrees) stays out of commits, parity with `.omx/`.
 
-- **Fixed: publish collision on npm.** Advanced the package metadata from `7.0.3` to `7.0.4` so `npm publish` no longer targets an already published version.
-- **Changed: release-note sync for versioning rule.** Added this versioned entry in README in the same change as the package bump to keep publish metadata and release notes aligned.
+### v7.0.4
+- Fixed publish collision on npm. Bumped `7.0.3` → `7.0.4`.
 
 ### v7.0.3
-
-- **Branch/worktree naming refactor.** `agent-branch-start.sh` now produces `agent/<role>/<task>-<YYYY-MM-DD>-<HH-MM>` instead of `agent/<role+account-email>/<snapshot-slug>-<task>-<cksum6>`. Codex account names (e.g. `Zeus Edix Hu`) and 6-hex checksums no longer leak into branch or worktree paths.
-- **Role normalization.** `AGENT_NAME` is collapsed to `{claude, codex, <explicit>}` via (in order) the `GUARDEX_AGENT_TYPE` env override, a substring match against `claude`/`codex`, the `CLAUDECODE=1` sentinel, or a fallback to `codex`. Other roles (`integrator`, `executor`, etc.) pass through when set via `GUARDEX_AGENT_TYPE`.
-- **New `--print-name-only` flag** on `agent-branch-start.sh` for deterministic tests; honours `GUARDEX_BRANCH_TIMESTAMP` for reproducible output.
-- **`--tier` flag accepted silently** for CLAUDE.md compatibility (scaffold sizing not wired through yet).
-- Tests `install.test.js` covering the old snapshot-slug format were rewritten to assert the new role-datetime shape.
+- **Branch/worktree naming refactor.** `agent-branch-start.sh` now produces `agent/<role>/<task>-<YYYY-MM-DD>-<HH-MM>` instead of `agent/<role+account-email>/<snapshot-slug>-<task>-<cksum6>`. Account names and 6-hex checksums no longer leak into branch/worktree paths.
+- **Role normalization.** `AGENT_NAME` collapses to `{claude, codex, <explicit>}` via (in order) `GUARDEX_AGENT_TYPE` env override, substring match against `claude`/`codex`, `CLAUDECODE=1` sentinel, or fallback to `codex`. Other roles (`integrator`, `executor`, etc.) pass through when set via `GUARDEX_AGENT_TYPE`.
+- New `--print-name-only` flag for deterministic tests; honors `GUARDEX_BRANCH_TIMESTAMP` for reproducible output.
+- `--tier` flag accepted silently for CLAUDE.md compatibility (scaffold sizing not wired through yet).
 
 ### v7.0.2
-
-- **Fix: `__source-probe-*` worktree leak on conflict exit.** `agent-branch-finish.sh` was registering its `cleanup()` trap *after* the sync-guard rebase block, so when that rebase hit conflicts and the script exited, the throwaway probe worktree was never removed. `gx doctor` sweeps against stalled branches accumulated one new probe per run.
-- The cleanup trap is now installed immediately after probe creation, and aborts any in-progress `rebase`/`merge` before `worktree remove --force` so conflict-stuck probes are cleaned up reliably.
+- **Fix: `__source-probe-*` worktree leak on conflict exit.** `agent-branch-finish.sh` was registering its `cleanup()` trap *after* the sync-guard rebase block, so when rebase hit conflicts and the script exited, the throwaway probe worktree was never removed. `gx doctor` sweeps accumulated one new probe per run.
+- Cleanup trap is now installed immediately after probe creation, and aborts any in-progress `rebase`/`merge` before `worktree remove --force`.
 
 ### v7.0.1
-
 - Maintenance release.
 
 ### v7.0.0
-
-- **Breaking (soft).** Consolidated 17 commands into 12 visible commands with flag-based subcommands. Five removed names (`init`, `install`, `fix`, `scan`, `copy-prompt`, `copy-commands`, `print-agents-snippet`, `review`) still work but print a one-line deprecation notice on stderr and will be removed in v8. See the migration table in "Copy-paste: common commands" above.
-- **Token-usage improvements.** Trimmed the auto-installed agent templates that live inside every consumer repo and get loaded into every Claude/Codex session:
+- **Breaking (soft).** Consolidated 17 commands into 12 visible commands with flag-based subcommands. Removed names still work but print a deprecation notice; will be removed in v8.
+- **Token-usage improvements.** Trimmed auto-installed agent templates that live in every consumer repo and get loaded into every session:
   - `templates/AGENTS.multiagent-safety.md`: 6990 B → 1615 B (−77%)
   - `templates/codex/skills/guardex/SKILL.md`: 2732 B → 1086 B (−60%)
   - `templates/claude/commands/guardex.md`: 472 B → 357 B (−24%)
   - Total: 10194 B → 3058 B per consumer repo (−70%, ~1.5k fewer tokens per agent session).
+- New `gx prompt` command replaces three prompt-emitting commands.
+- New flag surface on `gx setup`: `--install-only`, `--repair`.
+- New `gx status --strict` mirrors old `gx scan`.
 
-  The `AI_SETUP_PROMPT` and `AI_SETUP_COMMANDS` constants used by `gx prompt` are now compact checklists, so piping `gx prompt` into a model context is cheaper too.
-- **New `gx prompt` command** replaces three prompt-emitting commands: `gx prompt` (full checklist), `gx prompt --exec` (commands only), `gx prompt --snippet` (AGENTS.md managed-block template).
-- **New flag surface on `gx setup`**: `--install-only` (templates/hooks/locks only), `--repair` (fix drift), plus the existing `--target`, `--parent-workspace-view`, `--dry-run`, etc.
-- **New `gx status --strict`** mirrors the old `gx scan` behavior (exit non-zero on findings).
-- Updated internal `REQUIRED_PACKAGE_SCRIPTS` for consumer `package.json` so `agent:safety:scan` and `agent:safety:fix` helper scripts now invoke the new v7 surface (`gx status --strict`, `gx setup --repair`).
+</details>
 
-### v6.0.1
+<details>
+<summary><strong>v6.x</strong></summary>
 
-- Preserve existing repo-owned `AGENTS.md` marker content during `gx setup` / `gx doctor` by default; only rewrite marker blocks when `--force` is explicitly used.
-- Preserve existing `agent:*` package scripts during setup/doctor repairs by default so repo-local command customizations are not silently replaced.
-- Forward `--force` through sandboxed doctor execution so intentional canonical template/script rewrites still work end-to-end.
-- Added regression tests for both preservation behaviors (`setup` + `doctor`).
-- Bumped package version from `6.0.0` to `6.0.1` for the next npm publish.
+### v6.0.1
+- Preserve existing repo-owned `AGENTS.md` marker content during `gx setup` / `gx doctor` by default; only rewrite marker blocks when `--force` is explicit.
+- Preserve existing `agent:*` package scripts during setup/doctor repairs by default.
+- Forward `--force` through sandboxed doctor execution.
+- Added regression tests for both preservation behaviors.
 
 ### v6.0.0
+- **Breaking** — removed legacy `musafety` bin alias and all `MUSAFETY_*` environment variables. Callers must migrate to `guardex` / `gx` and `GUARDEX_*`.
+- **Breaking** — bootstrap manifest filename changed from `musafety-bootstrap-manifest.json` to `guardex-bootstrap-manifest.json`; existing sandbox worktrees must be pruned + re-bootstrapped.
+- Rebranded `musafety` → `guardex` across scripts, templates, hooks, tests, docs.
+- The descriptive phrase `multiagent-safety` (including `bin/multiagent-safety.js`) is preserved — only the short codename changed.
 
-- **Breaking** — removed the legacy `musafety` bin alias and all `MUSAFETY_*` environment variables. Callers must migrate to the `guardex` / `gx` bins and the `GUARDEX_*` env-var surface.
-- **Breaking** — bootstrap manifest filename changed from `musafety-bootstrap-manifest.json` to `guardex-bootstrap-manifest.json`; existing sandbox worktrees must be pruned + re-bootstrapped (or have their manifest manually renamed).
-- Rebranded all remaining `musafety` / `Musafety` / `MUSAFETY` codename tokens to `guardex` / `Guardex` / `GUARDEX` across scripts, templates, hooks, tests, and docs.
-- The descriptive phrase `multiagent-safety` (including `bin/multiagent-safety.js` and `templates/AGENTS.multiagent-safety.md`) is preserved intentionally — only the short codename changed.
-- Bumped package version from `5.0.17` to `6.0.0` for the next npm publish.
-
-### v5.0.17
-
-- Bumped package version from `5.0.16` to `5.0.17` for the next npm publish.
-
-### v5.0.16
-
-- Fixed `gx doctor` runtime crash (`parseDoctorArgs is not defined`) by restoring the doctor argument parser for `--target` and `--strict`.
-- Fixed `gx doctor` command routing so the repair-first doctor flow remains the active command path (duplicate legacy doctor definition no longer overrides it).
-- Updated worktree change detection to run `git status --porcelain --untracked-files=normal --` for consistent normal untracked-file behavior.
-- Added regression coverage that asserts the doctor parser function exists in `bin/multiagent-safety.js`.
-- Bumped package version from `5.0.15` to `5.0.16`.
-
-### v5.0.15
-
-- Added `gx setup --parent-workspace-view` to generate a parent-folder VS Code workspace (`../<repo>-branches.code-workspace`) that shows both the base repo and `.omx/agent-worktrees` in Source Control.
-- Added dry-run-safe parent workspace operations (`would-create` / `would-update`) and setup output that prints the created workspace path.
-- Added regression coverage for parent workspace generation and dry-run behavior.
-- Bumped package version from `5.0.14` to `5.0.15`.
-
-### v5.0.14
-
-- Changed release metadata for the next npm publish by bumping package version from `5.0.13` to `5.0.14`.
-- Kept Guardex release notes synchronized with the published package version.
-
-### v5.0.13
-
-- Bumped package version from `5.0.12` to `5.0.13` for the next npm publish.
-
-### v5.0.12
-
-- Bumped package version from `5.0.11` to `5.0.12` for the next npm publish.
-- Updated repository metadata and README links to the renamed GitHub repository (`recodeee/guardex`).
-
-### v5.0.11
-
-- Updated the managed AGENTS contract wording to use `GX` naming and added an explicit OMX completion policy requiring commit + push + PR creation/update at task completion.
-- Ensured `gx install` explicitly configures the managed `AGENTS.md` policy block and added regression coverage for this install-path behavior.
-- Bumped package version from `5.0.10` to `5.0.11` for the next npm publish.
-
-### v5.0.10
+</details>
 
-- Bumped package version from `5.0.9` to `5.0.10` for the next npm publish.
+<details>
+<summary><strong>v5.x</strong></summary>
 
-### v5.0.9
-
-- Enforced OpenSpec workspace bootstrap for sandbox agent execution: `scripts/codex-agent.sh` now initializes `openspec/plan/<agent-branch-slug>/` before launching Codex, and `scripts/agent-branch-start.sh` supports `GUARDEX_OPENSPEC_AUTO_INIT` plus `GUARDEX_OPENSPEC_PLAN_SLUG`.
-- Tightened doctor auto-finish correctness: sandbox finish now waits for merge and exits non-zero if the PR closes without merge, so repair flows are not reported as complete when policy blocks merge.
-- Updated package version from `5.0.8` to `5.0.9` for the next npm publish.
-
-### v5.0.8
-
-- Fixed `bin/multiagent-safety.js` syntax regressions in the doctor sandbox flow (`Unexpected identifier` / `Unexpected end of input`) that were breaking CLI execution and CI tests.
-- Restored `scripts/codex-agent.sh` from `templates/scripts/codex-agent.sh` so critical runtime helper parity checks pass in clean CI clones.
-- Bumped package version from `5.0.7` to `5.0.8` for the next npm publish.
-
-### v5.0.7
-### Unreleased (generated draft, not versioned yet)
-
-- Add the user-facing changes for the next release here before assigning a version number.
-- Keep this section focused on behavior changes (`Added`, `Changed`, `Fixed`) rather than version-bump-only notes.
+### v5.0.17 – v5.0.10
+Version bumps for npm publish continuity plus incremental fixes: doctor arg-parser restored (5.0.16), parent-workspace view added (5.0.15), OMX completion policy wording (5.0.11), OpenSpec sandbox bootstrap enforced (5.0.9), bin syntax regressions fixed (5.0.8).
 
 ### v5.0.6
-
-- `gx cleanup` and auto-finish cleanup now prune clean agent worktrees by default, so VS Code Source Control focuses on your local branch plus worktrees with active changes.
-- Added `gx cleanup --keep-clean-worktrees` to opt out and keep clean worktrees visible.
-- Bumped package version from `5.0.5` to `5.0.6` for the next npm publish.
-
-### v5.0.5
-
-- Bumped package version from `5.0.4` to `5.0.5` so npm publish can proceed with the next patch release.
-
-### v5.0.4
-
-- Bumped package version from `5.0.3` to `5.0.4` to stay one patch ahead of the current npm published version.
-
-### v5.0.3
-
-- Bumped package version from `5.0.2` to `5.0.3` for the next npm publish.
+- `gx cleanup` and auto-finish cleanup now prune clean agent worktrees by default. VS Code Source Control focuses on your local branch + worktrees with active changes.
+- Added `gx cleanup --keep-clean-worktrees` to opt out.
 
 ### v5.0.2
-
-- Auto-closes Codex sandbox branches through PR workflow and keeps merged branch/worktree sandboxes for explicit cleanup via `gx cleanup`.
+- Auto-closes Codex sandbox branches through PR workflow; keeps merged branch/worktree sandboxes for explicit cleanup via `gx cleanup`.
 - Runs `gx doctor` repairs from a sandbox when `main` is protected.
 - Allows tightly guarded Codex-only commits for `AGENTS.md` / `.gitignore` on protected branches.
-- Advanced package version to keep npm publishing unblocked.
 
 ### v5.0.0
-
-- Rebranded the CLI to **GuardeX** with `gx`-first command UX.
-- Published under scoped package name `@imdeadpool/guardex` to avoid npm name collisions.
-- Enforced a repeatable per-message agent branch lifecycle in setup/init flows.
+- Rebranded CLI to **GuardeX** with `gx`-first command UX.
+- Published under scoped package name `@imdeadpool/guardex`.
+- Enforced repeatable per-message agent branch lifecycle in setup/init flows.
 - Added codex-auth-aware sandbox branch naming support.
 
-### v0.4.6
+</details>
 
-- Added repository metadata (`repository`, `bugs`, `homepage`, `funding`) in package manifest.
-- Added CI workflow for Node 18/20/22 with packaging and syntax verification.
-- Added npm provenance-oriented release workflow, OpenSSF Scorecard workflow, and Dependabot for Actions.
+<details>
+<summary><strong>v0.4.x</strong></summary>
+
+### v0.4.6
+- Added repository metadata (`repository`, `bugs`, `homepage`, `funding`).
+- Added CI workflow for Node 18/20/22.
+- Added npm provenance release workflow, OpenSSF Scorecard, Dependabot for Actions.
 - Added explicit `SECURITY.md` and `CONTRIBUTING.md`.
 
 ### v0.4.5
-
 - Added optional pre-commit behind-threshold sync gate (`multiagent.sync.requireBeforeCommit`, `multiagent.sync.maxBehindCommits`).
-- Added `gx sync` workflow (`--check`, sync strategies, report mode).
-- `agent-branch-finish.sh` now blocks finishing when source branch is behind `origin/<base>` (config-aware).
+- Added `gx sync` workflow (`--check`, strategies, report mode).
+- `agent-branch-finish.sh` blocks finishing when source is behind `origin/<base>`.
 
 ### v0.4.4
-
 - Added `scripts/agent-worktree-prune.sh` to templates/install.
-- `agent-branch-finish.sh` now auto-runs prune after merge (best effort).
-- Added npm helper script: `agent:cleanup`.
+- `agent-branch-finish.sh` auto-runs prune after merge.
+- Added npm helper: `agent:cleanup`.
 
 ### v0.4.2
-
-- Setup now detects existing global OMX/OpenSpec installs first.
-- If tools are already present, setup skips global install automatically.
-- Interactive approval is strict `[y/n]` (waits for explicit answer).
-- Added setup screenshot to README.
-- Added workflow screenshots (branch start, lock/delete guard, source-control view).
+- Setup detects existing global OMX/OpenSpec installs first; skips global install if tools are present.
+- Interactive approval is strict `[y/n]`.
+- Added setup + workflow screenshots.
 
 ### v0.4.0
+- Added setup-time Y/N approval for optional global install of `oh-my-codex` and `@fission-ai/openspec`.
+- Added setup flags: `--yes-global-install`, `--no-global-install`.
 
-- Added setup-time Y/N approval prompt for optional global install of:
-  - `oh-my-codex`
-  - `@fission-ai/openspec`
-- Added setup flags for automation:
-  - `--yes-global-install`
-  - `--no-global-install`
-- Added official repo links for OMX and OpenSpec.
+</details>

package/SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Supported Versions
 
-Only the latest published `guardex` version is supported for security fixes.
+Only the latest published GitGuardex CLI build is supported for security fixes.
 
 ## Reporting a Vulnerability
 

package/bin/multiagent-safety.js

@@ -7,7 +7,7 @@ const cp = require('node:child_process');
 const packageJsonPath = path.resolve(__dirname, '..', 'package.json');
 const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
 
-const TOOL_NAME = 'guardex';
+const TOOL_NAME = 'gitguardex';
 const SHORT_TOOL_NAME = 'gx';
 const LEGACY_NAMES = ['guardex', 'multiagent-safety'];
 const OPENSPEC_PACKAGE = '@fission-ai/openspec';
@@ -58,9 +58,9 @@ const TEMPLATE_FILES = [
   'githooks/pre-push',
   'githooks/post-merge',
   'githooks/post-checkout',
-  'codex/skills/guardex/SKILL.md',
+  'codex/skills/gitguardex/SKILL.md',
   'codex/skills/guardex-merge-skills-to-dev/SKILL.md',
-  'claude/commands/guardex.md',
+  'claude/commands/gitguardex.md',
   'github/pull.yml.example',
   'github/workflows/cr.yml',
 ];
@@ -143,9 +143,9 @@ const MANAGED_GITIGNORE_PATHS = [
   '.githooks/post-merge',
   '.githooks/post-checkout',
   'oh-my-codex/',
-  '.codex/skills/guardex/SKILL.md',
+  '.codex/skills/gitguardex/SKILL.md',
   '.codex/skills/guardex-merge-skills-to-dev/SKILL.md',
-  '.claude/commands/guardex.md',
+  '.claude/commands/gitguardex.md',
   LOCK_FILE_RELATIVE,
 ];
 const OMX_SCAFFOLD_DIRECTORIES = [
@@ -196,7 +196,7 @@ const SUGGESTIBLE_COMMANDS = [
   'release',
 ];
 const CLI_COMMAND_DESCRIPTIONS = [
-  ['status', 'Show GuardeX CLI + service health without modifying files'],
+  ['status', 'Show GitGuardex CLI + service health without modifying files'],
   ['setup', 'Install, repair, and verify guardrails (flags: --repair, --install-only, --target)'],
   ['doctor', 'Repair drift + verify (auto-sandboxes on protected main)'],
   ['protect', 'Manage protected branches (list/add/remove/set/reset)'],
@@ -223,24 +223,20 @@ const AGENT_BOT_DESCRIPTIONS = [
   ['agents', 'Start/stop review + cleanup bots for this repo'],
 ];
 
-const AI_SETUP_PROMPT = `GuardeX (gx) setup checklist for Codex/Claude in this repo.
-
-1) Install:         npm i -g @imdeadpool/guardex && gh --version
-2) Bootstrap:       gx setup         # installs hooks/templates + verifies; prompts Y/N for global OMX/OpenSpec/codex-auth
-3) If degraded:     gx doctor        # repair + re-verify
-4) Per task:        bash scripts/codex-agent.sh "<task>" "<agent>"
-                    # or manual:
-                    #   bash scripts/agent-branch-start.sh "<task>" "<agent>"
-                    #   python3 scripts/agent-file-locks.py claim --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
-                    #   bash scripts/agent-branch-finish.sh --branch "$(git rev-parse --abbrev-ref HEAD)" --via-pr --wait-for-merge
-5) Finalize all:    gx finish --all
-6) Cleanup:         gx cleanup
-7) OpenSpec:        /opsx:propose -> /opsx:apply -> /opsx:archive   (see docs/openspec-getting-started.md)
-8) Protect:         gx protect add release staging                  (optional)
-9) Sync:            gx sync --check && gx sync                      (optional; rebase onto base)
-10) Fork sync:      cp .github/pull.yml.example .github/pull.yml    (optional; install https://github.com/apps/pull)
-11) PR review bot:  install https://github.com/apps/cr-gpt + set OPENAI_API_KEY in Actions variables (uses .github/workflows/cr.yml)
-12) GitHub repo:    enable Settings -> PRs -> Automatically delete head branches
+const AI_SETUP_PROMPT = `GitGuardex (gx) setup checklist for Codex/Claude in this repo.
+
+1) Install:    npm i -g @imdeadpool/guardex && gh --version
+2) Bootstrap:  gx setup
+3) Repair:     gx doctor
+4) Task loop:  bash scripts/codex-agent.sh "<task>" "<agent>"
+               or branch-start -> claim -> branch-finish
+5) Finish:     gx finish --all
+6) Cleanup:    gx cleanup
+7) OpenSpec:   /opsx:propose -> /opsx:apply -> /opsx:archive
+8) Optional:   gx protect add release staging
+9) Optional:   gx sync --check && gx sync
+10) Review bot: install https://github.com/apps/cr-gpt + set OPENAI_API_KEY
+11) Fork sync:  cp .github/pull.yml.example .github/pull.yml
 `;
 
 const AI_SETUP_COMMANDS = `npm i -g @imdeadpool/guardex
@@ -251,7 +247,7 @@ bash scripts/codex-agent.sh "<task>" "<agent>"
 gx finish --all
 gx cleanup
 gx protect add release staging
-gx sync
+gx sync --check && gx sync
 `;
 
 const SCORECARD_RISK_BY_CHECK = {
@@ -320,10 +316,17 @@ function agentBotCatalogLines(indent = '  ') {
   );
 }
 
+function repoToggleLines(indent = '  ') {
+  return [
+    `${indent}Set repo-root .env: ${GUARDEX_REPO_TOGGLE_ENV}=0 disables Guardex, ${GUARDEX_REPO_TOGGLE_ENV}=1 enables it again`,
+  ];
+}
+
 function printToolLogsSummary() {
   const usageLine = `    $ ${SHORT_TOOL_NAME} <command> [options]`;
   const commandDetails = commandCatalogLines('    ');
   const agentBotDetails = agentBotCatalogLines('    ');
+  const repoToggleDetails = repoToggleLines('    ');
 
   if (!supportsAnsiColors()) {
     console.log(`${TOOL_NAME}-tools logs:`);
@@ -337,6 +340,10 @@ function printToolLogsSummary() {
     for (const line of agentBotDetails) {
       console.log(line);
     }
+    console.log('  REPO TOGGLE');
+    for (const line of repoToggleDetails) {
+      console.log(line);
+    }
     return;
   }
 
@@ -344,6 +351,7 @@ function printToolLogsSummary() {
   const usageHeader = colorize('USAGE', '1');
   const commandsHeader = colorize('COMMANDS', '1');
   const agentBotHeader = colorize('AGENT BOT', '1');
+  const repoToggleHeader = colorize('REPO TOGGLE', '1');
   const pipe = colorize('│', '90');
   const tee = colorize('├', '90');
   const corner = colorize('└', '90');
@@ -367,6 +375,14 @@ function printToolLogsSummary() {
     }
     console.log(`  ${pipe}${line.slice(2)}`);
   }
+  console.log(`  ${tee}─ ${repoToggleHeader}`);
+  for (const line of repoToggleDetails) {
+    if (!line) {
+      console.log(`  ${pipe}`);
+      continue;
+    }
+    console.log(`  ${pipe}${line.slice(2)}`);
+  }
   console.log(`  ${corner}─ ${colorize(`Try '${TOOL_NAME} doctor' for one-step repair + verification.`, '2')}`);
 }
 
@@ -387,6 +403,9 @@ ${commandCatalogLines().join('\n')}
 AGENT BOT
 ${agentBotCatalogLines().join('\n')}
 
+REPO TOGGLE
+${repoToggleLines().join('\n')}
+
 NOTES
   - No command = ${SHORT_TOOL_NAME} status. ${SHORT_TOOL_NAME} init is an alias of ${SHORT_TOOL_NAME} setup.
   - Global installs need Y/N approval; GitHub CLI (gh) is required for PR automation.
@@ -785,7 +804,7 @@ function ensureAgentsSnippet(repoRoot, dryRun, options = {}) {
     if (!dryRun) {
       fs.writeFileSync(agentsPath, next, 'utf8');
     }
-    return { status: 'updated', file: 'AGENTS.md', note: 'refreshed guardex-managed block' };
+    return { status: 'updated', file: 'AGENTS.md', note: 'refreshed gitguardex-managed block' };
   }
 
   if (existing.includes(AGENTS_MARKER_START)) {
@@ -816,7 +835,7 @@ function ensureManagedGitignore(repoRoot, dryRun) {
     if (!dryRun) {
       fs.writeFileSync(gitignorePath, `${managedBlock}\n`, 'utf8');
     }
-    return { status: 'created', file: '.gitignore', note: 'added guardex-managed entries' };
+    return { status: 'created', file: '.gitignore', note: 'added gitguardex-managed entries' };
   }
 
   const existing = fs.readFileSync(gitignorePath, 'utf8');
@@ -828,14 +847,14 @@ function ensureManagedGitignore(repoRoot, dryRun) {
     if (!dryRun) {
       fs.writeFileSync(gitignorePath, next, 'utf8');
     }
-    return { status: 'updated', file: '.gitignore', note: 'refreshed guardex-managed entries' };
+    return { status: 'updated', file: '.gitignore', note: 'refreshed gitguardex-managed entries' };
   }
 
   const separator = existing.endsWith('\n') ? '\n' : '\n\n';
   if (!dryRun) {
     fs.writeFileSync(gitignorePath, `${existing}${separator}${managedBlock}\n`, 'utf8');
   }
-  return { status: 'updated', file: '.gitignore', note: 'appended guardex-managed entries' };
+  return { status: 'updated', file: '.gitignore', note: 'appended gitguardex-managed entries' };
 }
 
 function configureHooks(repoRoot, dryRun) {

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@imdeadpool/guardex",
-  "version": "7.0.7",
-  "description": "GuardeX: the Guardian T-Rex for your repo, with hardened multi-agent git guardrails.",
+  "version": "7.0.10",
+  "description": "GitGuardex: hardened multi-agent git guardrails for parallel agent work.",
   "license": "MIT",
   "preferGlobal": true,
   "bin": {
+    "gitguardex": "bin/multiagent-safety.js",
     "guardex": "bin/multiagent-safety.js",
     "gx": "bin/multiagent-safety.js",
     "multiagent-safety": "bin/multiagent-safety.js"
@@ -43,6 +44,7 @@
     "CONTRIBUTING.md"
   ],
   "keywords": [
+    "gitguardex",
     "guardex",
     "multi-agent",
     "git-hooks",
@@ -53,10 +55,10 @@
   "author": "recodeecom",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/recodeee/guardex.git"
+    "url": "git+https://github.com/recodeee/gitguardex.git"
   },
   "bugs": {
-    "url": "https://github.com/recodeee/guardex/issues"
+    "url": "https://github.com/recodeee/gitguardex/issues"
   },
   "homepage": "https://guardextutorial.com",
   "funding": "https://github.com/sponsors/recodeecom",

package/templates/AGENTS.multiagent-safety.md

@@ -1,21 +1,21 @@
 <!-- multiagent-safety:START -->
 ## Multi-Agent Safety Contract
 
-**Repo toggle.** Guardex is enabled by default. If the repo root `.env` sets `GUARDEX_ON=0`, `false`, `no`, or `off`, treat this entire Guardex contract as disabled for the repo and do not require Guardex worktrees, lock claims, completion flow, or OpenSpec workflow until `GUARDEX_ON` is re-enabled.
+**Repo toggle.** `GUARDEX_ON=0|false|no|off` disables this contract. `GUARDEX_ON=1|true|yes|on` re-enables it.
 
-**Isolation.** Every task runs on a dedicated `agent/*` branch + worktree. Start with `scripts/agent-branch-start.sh "<task>" "<agent-name>"`. Treat the base branch (`main`/`dev`) as read-only while an agent branch is active. Never `git checkout <branch>` on a primary working tree (including nested repos); use `git worktree add` instead. The `.githooks/post-checkout` hook auto-reverts primary-branch switches during agent sessions — bypass only with `GUARDEX_ALLOW_PRIMARY_BRANCH_SWITCH=1`.
+**Isolation.** One task = one `agent/*` branch + worktree. Start `scripts/agent-branch-start.sh "<task>" "<agent>"`. Base branches stay read-only. No `git checkout` on primary worktrees; use `git worktree add`. `.githooks/post-checkout` auto-reverts primary-branch switches unless `GUARDEX_ALLOW_PRIMARY_BRANCH_SWITCH=1`.
 
-**Ownership.** Before editing, claim files: `scripts/agent-file-locks.py claim --branch "<agent-branch>" <file...>`. Before deleting, confirm the path is in your claim. Don't edit outside your scope unless reassigned.
+**Ownership.** Claim before edits: `scripts/agent-file-locks.py claim --branch "<agent-branch>" <file...>`. Delete only claimed paths.
 
-**Handoff gate.** Post a one-line handoff note (plan/change, owned scope, intended action) before editing. Re-read the latest handoffs before replacing others' code.
+**Handoff.** Post a one-line note before edits. Re-read latest handoffs before replacing nearby work.
 
-**Completion.** Finish with `scripts/agent-branch-finish.sh --branch "<agent-branch>" --via-pr --wait-for-merge --cleanup` (or `gx finish --all`). Task is only complete when: commit pushed, PR URL recorded, state = `MERGED`, sandbox worktree pruned. If anything blocks, append a `BLOCKED:` note and stop — don't half-finish.
+**Completion.** Finish with `scripts/agent-branch-finish.sh --branch "<agent-branch>" --via-pr --wait-for-merge --cleanup` or `gx finish --all`. Done = commit pushed, PR URL recorded, state=`MERGED`, sandbox pruned. If blocked, append `BLOCKED:` and stop.
 
-**Parallel safety.** Assume other agents edit nearby. Never revert unrelated changes. Report conflicts in the handoff.
+**Parallel safety.** Never revert unrelated edits. Report conflicts.
 
-**Reporting.** Every completion handoff includes: files changed, behavior touched, verification commands + results, risks/follow-ups.
+**Reporting.** Completion handoff includes files changed, behavior touched, verification commands/results, and risks/follow-ups.
 
-**OpenSpec (when change-driven).** Keep `openspec/changes/<slug>/tasks.md` checkboxes current during work, not batched at the end. Task scaffolds and manual task edits must include an explicit final completion/cleanup section that ends with PR merge + sandbox cleanup (`gx finish --via-pr --wait-for-merge --cleanup` or `scripts/agent-branch-finish.sh ... --cleanup`) and records PR URL + final `MERGED` evidence. Verify specs with `openspec validate --specs` before archive. Don't archive unverified.
+**OpenSpec.** Keep `openspec/changes/<slug>/tasks.md` current. End task scaffolds with PR merge + sandbox cleanup evidence. Run `openspec validate --specs` before archive.
 
 **Version bumps.** If a change bumps a published version, the same PR updates release notes/changelog.
 <!-- multiagent-safety:END -->

package/templates/claude/commands/gitguardex.md

@@ -0,0 +1,5 @@
+# /gitguardex
+
+Run repo repair flow: `gx status` -> `gx doctor` -> `gx status --strict`.
+
+Report `Repo is guarded` or `Repo is not guarded` with blockers.

package/templates/codex/skills/gitguardex/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: gitguardex
+description: "Repo guardrail check and repair."
+---
+
+Use when repo safety may be broken.
+
+`gx status` -> `gx doctor` -> `gx status --strict`
+
+Bootstrap: `gx setup`
+Ops: `bash scripts/codex-agent.sh "<task>" "<agent>"`, `gx finish --all`, `gx cleanup`

package/templates/scripts/openspec/init-change-workspace.sh

@@ -89,5 +89,5 @@ The system SHALL enforce ${CAPABILITY_SLUG} behavior as defined by this change.
 SPECEOF
 fi
 
-echo "[guardex] OpenSpec change workspace ready: ${CHANGE_DIR}"
-echo "[guardex] OpenSpec change spec scaffold: ${SPEC_DIR}/spec.md"
+echo "[gitguardex] OpenSpec change workspace ready: ${CHANGE_DIR}"
+echo "[gitguardex] OpenSpec change spec scaffold: ${SPEC_DIR}/spec.md"

package/templates/scripts/openspec/init-plan-workspace.sh

@@ -114,5 +114,5 @@ Role workspace for \`${role}\`.
 "
 done
 
-echo "[guardex] OpenSpec plan workspace ready: ${PLAN_DIR}"
-echo "[guardex] Roles: ${ROLES[*]}"
+echo "[gitguardex] OpenSpec plan workspace ready: ${PLAN_DIR}"
+echo "[gitguardex] Roles: ${ROLES[*]}"

package/templates/claude/commands/guardex.md

@@ -1,12 +0,0 @@
-# /guardex
-
-Run a GuardeX check-and-repair for the current repo.
-
-## Steps
-
-1. `gx status` — if green, stop.
-2. If degraded, `gx doctor`.
-3. If still degraded, `gx status --strict` and summarize each finding with a fix.
-4. Report verdict: `Repo is guarded` or `Repo is not guarded` (list blockers).
-
-Keep output short, include the exact commands you ran.

package/templates/codex/skills/guardex/SKILL.md

@@ -1,43 +0,0 @@
----
-name: guardex
-description: "Check, repair, or bootstrap multi-agent safety guardrails in this repository."
----
-
-# GuardeX (Codex skill)
-
-Use when branch safety, lock ownership, or guardrail setup may be broken.
-
-## Fast path
-
-1. `gx status` — one-glance health check.
-2. If degraded, `gx doctor` — repair + verify in one pass.
-3. If issues remain, `gx status --strict` and address each finding.
-
-## Bootstrap (missing guardrails)
-
-```sh
-gx setup      # install + repair + verify
-gx status     # confirm green
-```
-
-In a monorepo with nested git repos (top-level `.git` plus `apps/*/.git`), `gx setup` auto-installs into every discovered repo. Submodules and guardex-managed worktrees are skipped. Pass `--no-recursive` to limit to the top-level only.
-
-## Notes
-
-- Isolation: `scripts/codex-agent.sh "<task>" "<agent>"` is the one-command sandbox start/finish loop.
-- Completion: auto-finish keeps the branch until explicit `gx cleanup`.
-- Never bypass protected-branch safeguards.
-
-## Bulk finish
-
-```sh
-gx finish --all                # commit + PR + merge all ready agent/* branches
-gx cleanup                     # prune merged/stale branches and worktrees
-```
-
-If a branch fails with stale rebase/worktree state:
-
-```sh
-git -C "<worktree>" rebase --abort || true
-gx finish --branch "<agent-branch>" --cleanup
-```