@imdeadpool/guardex 7.0.8 → 7.0.11

package/README.md

@@ -1,28 +1,28 @@
-# GuardeX — Guardian T-Rex for your repo
+# GitGuardex — Guardian T-Rex for your repo
 
 [![npm version](https://img.shields.io/npm/v/%40imdeadpool%2Fguardex?color=cb3837&logo=npm)](https://www.npmjs.com/package/@imdeadpool/guardex)
-[![CI](https://github.com/recodeee/guardex/actions/workflows/ci.yml/badge.svg)](https://github.com/recodeee/guardex/actions/workflows/ci.yml)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/recodeee/guardex/badge)](https://securityscorecards.dev/viewer/?uri=github.com/recodeee/guardex)
+[![CI](https://github.com/recodeee/gitguardex/actions/workflows/ci.yml/badge.svg)](https://github.com/recodeee/gitguardex/actions/workflows/ci.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/recodeee/gitguardex/badge)](https://securityscorecards.dev/viewer/?uri=github.com/recodeee/gitguardex)
 
-GuardeX is a safety layer for parallel Codex/agent work in git repos.
+**GitGuardex is a safety layer for parallel agent work in git repos.** If you're running more than one Codex or Claude agent on the same codebase, this is what keeps them from deleting each other's work.
 
 > [!WARNING]
-> Not affiliated with OpenAI or Codex. Not an official tool.
+> Not affiliated with OpenAI, Anthropic, or Codex. Not an official tool.
 
-## Frontend Repo
+> [!IMPORTANT]
+> GitGuardex is still being tested in real multi-agent repos. If something feels rough or broken, especially around cleanup, finish, merge, or recovery flows, sorry. We need to test those paths under real load first, and we'll patch issues as we find them.
 
-- Standalone frontend repository: https://github.com/Webu-PRO/guardex-frontend
-- This repository tracks/mirrors the frontend under `frontend/` as documented below.
+---
 
-## The problem (what was going wrong)
+## The problem
 
-Multiple Codex agents worked on the same files at the same time.
-They started overwriting or deleting each other's changes.
-Progress became **de-progressive**: more activity, less real forward movement.
+I was running ~30 Codex agents in parallel and hit a wall: they kept working on the same files at the same time — especially tests — and started overwriting or deleting each other's changes. More agents meant *less* forward progress, not more. Classic de-progressive loop.
 
-GuardeX exists to stop that loop.
+GitGuardex exists to stop that loop. Every agent gets its own worktree, claims the files it's touching, and can't clobber files another agent has claimed. Your local branch stays clean; agents stay in their lanes.
 
-![Multi-agent dashboard example](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/dashboard-multi-agent.png)
+![Multi-agent dashboard example](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/dashboard-multi-agent.png)
+
+Coming soon: [recodee.com](https://recodee.com) — live account health, usage, routing, and capacity in one place.
 
 ```mermaid
 flowchart LR
@@ -38,15 +38,21 @@ flowchart LR
     I --> F
 ```
 
-## What GuardeX enforces
+---
+
+## What it does
+
+- **Isolated `agent/*` branch + worktree per task** — agents never share a working directory.
+- **Explicit file lock claiming** — an agent declares which files it's editing before it edits them.
+- **Deletion guard** — claimed files can't be removed by another agent.
+- **Protected-base safety** — `main`, `dev`, `master` are blocked by default; agents must go through PRs.
+- **Auto-merges agent configs into every worktree** — `oh-my-codex`, `oh-my-claudecode`, caveman mode, and OpenSpec all get applied automatically so every spawned agent starts tuned, not bare.
+- **Repair/doctor flow** — when drift happens (and it will), `gx doctor` gets you back to a clean state.
+- **Auto-finish** — when Codex exits a session, Guardex commits sandbox changes, syncs against the base, retries once if the base moved, and opens a PR.
 
-- isolated `agent/*` branch + worktree per task
-- explicit file lock claiming before edits
-- deletion guard for claimed files
-- protected-base branch safety (`main`, `dev`, `master` by default)
-- repair/doctor flow when drift appears
+---
 
-## Copy-paste: install + bootstrap
+## Quick start
 
 ```sh
 npm i -g @imdeadpool/guardex
@@ -54,293 +60,351 @@ cd /path/to/your/repo
 gx setup
 ```
 
-Alias support:
+That's it. Setup installs hooks, scripts, templates, and scaffolds OpenSpec/caveman/OMX wiring. Aliases: `gx` (preferred), `gitguardex` (full), `guardex` (legacy).
+
+---
+
+## What `gx` shows first
+
+Before you branch, repair, or start agents, run plain `gx`. It gives you a one-screen status view for the CLI, global helpers, repo safety service, current repo path, and active branch.
 
-- preferred: `gx`
-- full: `guardex`
+![GitGuardex terminal status output](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-gx-terminal-status.svg)
 
-## Copy-paste: daily workflow (per new user task)
+Use `gx setup` the first time you wire GitGuardex into a repo. It bootstraps the managed hooks, scripts, templates, and optional workspace/OpenSpec wiring. If the repo drifts later, use `gx doctor` as the repair path: it reapplies the managed safety files, verifies the setup, and on protected `main` it auto-sandboxes the repair so your visible base branch stays clean.
+
+---
+
+## Daily workflow
+
+Per new agent task:
 
 ```sh
 # 1) Start isolated branch/worktree
 bash scripts/agent-branch-start.sh "task-name" "agent-name"
 
-# 2) Claim ownership
-python3 scripts/agent-file-locks.py claim --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
+# 2) Claim the files you're going to touch
+python3 scripts/agent-file-locks.py claim \
+  --branch "$(git rev-parse --abbrev-ref HEAD)" <file...>
 
 # 3) Implement + verify
 npm test
 
-# 4) Finish (commit/push/PR/merge flow)
-bash scripts/agent-branch-finish.sh --branch "$(git rev-parse --abbrev-ref HEAD)" --base dev --via-pr --wait-for-merge
+# 4) Finish (commit + push + PR + merge)
+bash scripts/agent-branch-finish.sh \
+  --branch "$(git rev-parse --abbrev-ref HEAD)" \
+  --base dev --via-pr --wait-for-merge
 
-# 5) Optional cleanup after merge
+# 5) Optional: cleanup after merge
 gx cleanup --branch "$(git rev-parse --abbrev-ref HEAD)"
 ```
 
-If you use `scripts/codex-agent.sh`, the finish flow is auto-run after the Codex session exits.
-It auto-commits sandbox changes, retries once after syncing if the branch moved behind base during the run, then pushes/opens PR merge flow against `dev`.
+If you use `scripts/codex-agent.sh`, the finish flow runs automatically when the Codex session exits — it auto-commits, retries once after syncing if the base moved during the run, then pushes and opens the PR.
 
-If you run Codex in multiple existing agent worktrees directly (for example from VS Code Source Control), finalize all completed branches with:
+Running Codex across several existing worktrees (e.g. from VS Code Source Control)? Finalize everything ready at once:
 
 ```sh
 gx finish --all
 ```
 
-## Visual workflow
-
-### Setup status
-
-![gx setup behavior screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/setup-success.svg)
-
-### Service logs/status
+---
 
-![gx status logs screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/status-tools-logs.svg)
+## Visual reference
 
-### Branch/worktree start protocol
+| | |
+|---|---|
+| ![Setup status](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/setup-success.svg) | **`gx setup`** — bootstraps everything in one command |
+| ![Service logs](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/status-tools-logs.svg) | **`gx status`** — health check for tools, hooks, services |
+| ![Branch start](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-branch-start.svg) | **Branch/worktree start protocol** |
+| ![Lock guard](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-lock-guard.svg) | **Lock + delete-guard protocol** |
+| ![VS Code layout](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-source-control.svg) | **VS Code Source Control view** with agent + OpenSpec files |
 
-![gx branch start protocol screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-branch-start.svg)
+### How It Works In VS Code
 
-### Lock + delete guard protocol
+This is the real Source Control shape Guardex is aiming for: isolated agent branches, clear OpenSpec artifacts, and no pile-up on one shared checkout.
 
-![gx lock and delete guard screenshot](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-lock-guard.svg)
+![Exact VS Code Source Control workflow screenshot](https://raw.githubusercontent.com/recodeee/gitguardex/main/docs/images/workflow-vscode-source-control-exact.png)
 
-### VS Code Source Control layout (agent + OpenSpec files)
+---
 
-![VS Code Source Control layout with OpenSpec files](https://raw.githubusercontent.com/recodeee/guardex/main/docs/images/workflow-source-control.svg)
+## Commands
 
-## Copy-paste: common commands
+### Core
 
 ```sh
-# health check (default when run with no args)
-gx status
-gx status --strict        # exit non-zero on findings (v6 name: gx scan)
-
-# bootstrap, repair, verify — all in one
-gx setup
-gx setup --repair         # repair only (v6 name: gx fix)
-gx setup --install-only   # scaffold templates, skip global installs (v6 name: gx install)
+gx status                 # health check (default)
+gx status --strict        # exit non-zero on findings
+gx setup                  # full bootstrap
+gx setup --repair         # repair only
+gx setup --install-only   # scaffold templates, skip global installs
 gx doctor                 # repair + verify (auto-sandboxes on protected main)
+```
 
-# target another repo without switching your current checkout
+### Targeting other repos
+
+```sh
 gx setup --target /path/to/repo
 gx doctor --target /path/to/repo
-# optional VS Code workspace showing repo + agent worktrees
+
+# optional: VS Code workspace showing repo + agent worktrees
 gx setup --target /path/to/repo --parent-workspace-view
+```
+
+### Monorepo support
+
+Setup auto-installs into every nested git repo (e.g. `apps/*/.git`). Submodules and worktrees under `.omx/agent-worktrees/` are skipped.
 
-# monorepo with nested git repos (e.g. /mainfolder/.git + /mainfolder/apps/*/.git)
-# setup auto-installs into every nested repo; use --no-recursive to limit to the top-level
+```sh
 gx setup --target /mainfolder
 gx setup --target /mainfolder --no-recursive
+```
 
-# protected branch management
+### Protected branches
+
+```sh
 gx protect list
 gx protect add release staging
 gx protect remove release
+gx protect set main release hotfix
+gx protect reset
+```
+
+Defaults: `dev`, `main`, `master`. Stored in git config key `multiagent.protectedBranches`.
 
-# sync current agent branch with origin/<base>
+### Sync current agent branch
+
+```sh
 gx sync --check
 gx sync
+```
 
-# background bots (review monitor + stale cleanup)
-gx agents start
+### Background bots
+
+```sh
+gx agents start           # review monitor + stale cleanup
 gx agents stop
 gx agents status
 
-# per-agent-branch lifecycle
+# tuning
+gx agents start --review-interval 30 --cleanup-interval 60 --idle-minutes 10
+```
+
+### Lifecycle
+
+```sh
 gx finish --all           # commit + PR + merge every ready agent/* branch
 gx cleanup                # prune merged/stale branches and worktrees
 gx cleanup --watch --interval 60
+gx cleanup --idle-minutes 10
+gx cleanup --watch --once --interval 60
+```
 
-# AI-ready setup prompt (paste into Codex/Claude)
-gx prompt                 # full checklist        (v6 name: gx copy-prompt)
-gx prompt --exec          # commands only         (v6 name: gx copy-commands)
-gx prompt --snippet       # AGENTS.md managed block template
+### Prompts for your agents
 
-# reports
-gx report scorecard --repo github.com/recodeee/guardex
+```sh
+gx prompt                 # full checklist (paste into Codex/Claude)
+gx prompt --exec          # commands only
+gx prompt --snippet       # AGENTS.md managed-block template
 ```
 
-### v6 → v7 command migration
+### Reports
 
-Five commands were consolidated into flags. Old names still work and print a one-line deprecation notice; they'll be removed in v8.
+```sh
+gx report scorecard --repo github.com/recodeee/gitguardex
+```
 
-| v6 command             | v7 replacement           |
-| ---------------------- | ------------------------ |
-| `gx init`              | `gx setup`               |
-| `gx install`           | `gx setup --install-only`|
-| `gx fix`               | `gx setup --repair`      |
-| `gx scan`              | `gx status --strict`     |
-| `gx copy-prompt`       | `gx prompt`              |
-| `gx copy-commands`     | `gx prompt --exec`       |
-| `gx print-agents-snippet` | `gx prompt --snippet` |
-| `gx review`            | `gx agents start` (runs review + cleanup) |
+---
 
-### Continuous stale branch cleanup bot
+## v6 → v7 migration
 
-Use this to auto-prune idle `agent/*` worktrees created by Codex while keeping active worktrees untouched.
+Five commands were consolidated into flags. Old names still work and print a deprecation notice; they'll be removed in v8.
 
-```sh
-# watch cleanup loop every minute (default idle threshold is 10 minutes when --watch is enabled)
-gx cleanup --watch --interval 60
-
-# one-shot cleanup for branches idle at least 10 minutes
-gx cleanup --idle-minutes 10
+| v6                          | v7                            |
+| --------------------------- | ----------------------------- |
+| `gx init`                   | `gx setup`                    |
+| `gx install`                | `gx setup --install-only`     |
+| `gx fix`                    | `gx setup --repair`           |
+| `gx scan`                   | `gx status --strict`          |
+| `gx copy-prompt`            | `gx prompt`                   |
+| `gx copy-commands`          | `gx prompt --exec`            |
+| `gx print-agents-snippet`   | `gx prompt --snippet`         |
+| `gx review`                 | `gx agents start`             |
 
-# run a single watch cycle (helpful for cron/CI checks)
-gx cleanup --watch --once --interval 60
-```
+---
 
-### Repo Agent Supervisor (start both bots with one command)
+## Default behavior
 
-```sh
-# starts review bot + cleanup bot in background for the current repo
-gx agents start
+A few things worth knowing up front:
 
-# optional tuning
-gx agents start --review-interval 30 --cleanup-interval 60 --idle-minutes 10
+- Running `gx` with no command opens the status/health view.
+- `gx init` is just an alias for `gx setup`.
+- Setup/doctor can install missing global companion CLIs (OMC runtime, OpenSpec, cavemem, codex-auth) — but only with explicit Y/N confirmation.
+- Direct commits/pushes to protected branches are **blocked** by default. Agents must use the `agent/*` + PR flow.
+- **Exception:** VS Code Source Control commits are allowed on protected branches that exist only locally (no upstream, no remote branch).
+- On protected `main`, `gx doctor` auto-runs in a sandbox agent branch/worktree so it can't touch your real main.
+- In-place agent branching is disabled. `scripts/agent-branch-start.sh` always creates a separate worktree so your visible local/base branch never changes.
+- Fresh sandbox branches start with no git upstream. Guardex records the protected base in `branch.<name>.guardexBase`, and the first `git push -u` publishes the real upstream.
+- Interactive self-update prompt defaults to **No** (`[y/N]`).
 
-# show whether both bots are running for this repo
-gx agents status
+Optional override for manual VS Code protected-branch writes:
 
-# stop both bots and clear repo-local state
-gx agents stop
+```sh
+git config multiagent.allowVscodeProtectedBranchWrites true
 ```
 
-## Important behavior defaults
+---
 
-- No command defaults to `gx status`.
-- `gx init` is alias of `gx setup`.
-- Setup/doctor can install missing global OMX/OpenSpec/codex-auth with explicit Y/N confirmation.
-- `gx setup` checks GitHub CLI (`gh`) and prints install guidance if missing.
-- Optional parent-folder VS Code Source Control view: `gx setup --target /path/to/repo --parent-workspace-view` creates `../<repo>-branches.code-workspace`.
-- Monorepo-aware: when the target contains nested git repos (e.g. `apps/*/.git`), `gx setup` installs the workflow into every discovered repo. Git submodules (`.git` files) and guardex worktrees under `.omx/agent-worktrees/` are skipped. Opt out with `--no-recursive`; tune discovery with `--max-depth <n>`, `--skip-nested <dir>`, and `--include-submodules`.
-- Interactive self-update prompt defaults to **No** (`[y/N]`).
-- In initialized repos, `setup`/`install`/`fix` block protected-base writes unless explicitly overridden.
-- Direct commits/pushes to protected branches are blocked by default.
-- Exception: VS Code Source Control commits are allowed on protected branches that exist only locally (no upstream and no remote branch).
-- Optional repo override for manual VS Code protected-branch writes: `git config multiagent.allowVscodeProtectedBranchWrites true`.
-- Codex/agent sessions stay blocked on protected branches and must use `agent/*` branch + PR workflow.
-- On protected `main`, `gx doctor` auto-runs in a sandbox agent branch/worktree.
-- In-place agent branching is disabled; `scripts/agent-branch-start.sh` always creates a separate worktree to keep your visible local/base branch unchanged.
-- Fresh sandbox branches intentionally start without any git upstream; guardex records the protected base in `branch.<name>.guardexBase`, and the first `git push -u` publishes the real upstream branch.
-- `scripts/agent-branch-start.sh` hydrates `scripts/codex-agent.sh` into new sandbox worktrees when missing, so auto-finish launcher flow stays available.
+## Companion tools
 
-## Configure protected branches
+GitGuardex is designed to work alongside these. All optional — but if you're running many agents, you probably want them. `gx status` reports the machine-detectable global helpers; plugin/skills-first add-ons like `caveman` and `cavekit` are documented below for manual setup.
 
-Default protected branches:
+```text
+● oh-my-codex: active
+● oh-my-claude-sisyphus: active
+● @fission-ai/openspec: active
+● cavemem: active
+● @imdeadpool/codex-account-switcher: active
+● gh: active
+```
+
+### oh-my-codex — Codex config + skills framework
 
-- `dev`
-- `main`
-- `master`
+Loads skills, slash commands, and session defaults into Codex. Guardex merges `oh-my-codex` into every agent worktree automatically, so every spawned agent starts with the same tuned config instead of vanilla Codex.
 
 ```sh
-gx protect list
-gx protect set main release hotfix
-gx protect reset
+npm i -g oh-my-codex
 ```
 
-Stored in git config key:
+Repo: <https://github.com/Yeachan-Heo/oh-my-codex>
 
-```text
-multiagent.protectedBranches
+### oh-my-claudecode — Claude Code equivalent
+
+Claude-side mirror of oh-my-codex. Same idea: skills, commands, and defaults loaded into every Claude Code session. Guardex merges it into worktrees alongside oh-my-codex so mixed Codex + Claude agent fleets behave consistently. For the npm CLI/runtime path, the published package name is `oh-my-claude-sisyphus`.
+
+```sh
+npm i -g oh-my-claude-sisyphus@latest
 ```
 
-## Companion dependency: GitHub CLI (`gh`)
+Repo: <https://github.com/Yeachan-Heo/oh-my-claudecode>
 
-GuardeX PR/merge automation depends on GitHub CLI (`gh`), including
-`agent-branch-finish.sh` PR flows and `codex-agent.sh` auto-finish behavior.
+### Caveman — output compression for long agent runs
 
-Install + verify:
+Ultra-compressed response mode for Claude/Codex-style agents. Useful when you want less output-token churn during long reviews, debug loops, or multi-agent sessions.
 
 ```sh
-# install guide: https://cli.github.com/
-gh --version
-gh auth status
+npx skills add JuliusBrussee/caveman
 ```
 
-## Optional GitHub Apps: fork sync + PR review
-
-### Pull app (Probot fork sync)
+Repo: <https://github.com/JuliusBrussee/caveman>
 
-GuardeX setup now installs a starter file at `.github/pull.yml.example`.
+### Cavemem — local persistent memory for agents
 
-To enable fork auto-sync:
+Cross-agent memory with local SQLite + MCP. Helpful when you want Codex or Claude sessions to retain compressed history across runs. `gx setup` can install the CLI; you still run the IDE wiring once per machine.
 
 ```sh
-cp .github/pull.yml.example .github/pull.yml
+npm install -g cavemem
+cavemem install --ide codex
+cavemem status
 ```
 
-Then edit `.github/pull.yml`:
+Repo: <https://github.com/JuliusBrussee/cavemem>
 
-- set `rules[].base` to your fork branch (`main`, `master`, or `dev`)
-- set `rules[].upstream` to `<upstream-owner>:<branch>`
+### Cavekit — spec-driven build loop
 
-Install the app: <https://github.com/apps/pull>  
-Validate config: `https://pull.git.ci/check/<owner>/<repo>`
+Spec-driven workflow layer for building from durable specs with explicit build/check commands. The current install path also brings in its `spec`, `build`, `check`, `caveman`, and `backprop` skills.
 
-### CR-GPT code review app
+```sh
+npx skills add JuliusBrussee/cavekit
+```
 
-Install app: <https://github.com/apps/cr-gpt>
+Repo: <https://github.com/JuliusBrussee/cavekit>
 
-`gx setup` also installs `.github/workflows/cr.yml` (GitHub Actions review workflow).
+### OpenSpec — spec-driven workflows
 
-Then in your repo:
+Structured plan/change/apply/archive flow for agents. Prevents them from drifting off-task on long jobs. Full guide: [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md).
 
-1. `Settings -> Secrets and variables -> Actions`
-2. open `Variables`
-3. add `OPENAI_API_KEY`
+```sh
+npm i -g @fission-ai/openspec
+```
 
-After that, the app reviews new and updated pull requests automatically.
+Repo: <https://github.com/Fission-AI/OpenSpec>
 
-## Frontend mirror sync (`Webu-PRO/guardex-frontend`)
+### codex-auth — multi-account switcher
 
-This repo includes `.github/workflows/sync-frontend-mirror.yml`, which mirrors
-the `frontend/` subtree to a separate repository whenever `main` receives
-changes under `frontend/**`.
+For multi-identity Codex workflows. I built this because switching accounts manually for 30 agents was impossible. Auto-registers accounts to a dashboard on `codex login` so you can see every account and switch with one command.
 
-Default target:
+```sh
+npm i -g @imdeadpool/codex-account-switcher
 
-- repo: `Webu-PRO/guardex-frontend`
-- branch: `main`
+codex-auth save <name>
+codex-auth use <name>
+codex-auth list --details
+codex-auth current
+```
 
-Required setup (in this repository):
+Repo: [recodeecom/codex-account-switcher-cli](https://github.com/recodeecom/codex-account-switcher-cli)
 
-1. `Settings -> Secrets and variables -> Actions`
-2. Add repository secret `GUARDEX_FRONTEND_MIRROR_PAT`
-   - value must be a token with `contents:write` access to `Webu-PRO/guardex-frontend`
+### GitHub CLI (`gh`)
 
-Optional overrides (Actions Variables):
+Required for PR/merge automation. `agent-branch-finish.sh` and `codex-agent.sh` auto-finish both depend on it.
 
-- `GUARDEX_FRONTEND_MIRROR_REPO` (default `Webu-PRO/guardex-frontend`)
-- `GUARDEX_FRONTEND_MIRROR_BRANCH` (default `main`)
+```sh
+# https://cli.github.com/
+gh --version
+gh auth status
+```
 
-Manual run:
+### Pull app — fork auto-sync
+
+Guardex installs a starter config at `.github/pull.yml.example`.
 
 ```sh
-gh workflow run sync-frontend-mirror.yml
+cp .github/pull.yml.example .github/pull.yml
+# edit rules[].base and rules[].upstream
 ```
 
-## Companion dependency: `codex-auth` account switcher
+Install the app: <https://github.com/apps/pull>
+Validate: `https://pull.git.ci/check/<owner>/<repo>`
 
-For multi-identity Codex workflows, GuardeX pairs with
-[`codex-auth`](https://github.com/recodeecom/codex-account-switcher-cli).
+### CR-GPT — AI PR reviews
 
-Install:
+Install: <https://github.com/apps/cr-gpt>
 
-```sh
-npm i -g @imdeadpool/codex-account-switcher
+`gx setup` installs `.github/workflows/cr.yml`. Add `OPENAI_API_KEY` under `Settings → Secrets and variables → Actions → Secrets`. After that, new and updated PRs get reviewed automatically.
+
+---
+
+## OpenSpec integration
+
+If you installed OpenSpec during setup (`@fission-ai/openspec`), the full guide is at [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md).
+
+Default flow:
+
+```text
+/opsx:propose <change-name> → /opsx:apply → /opsx:archive
 ```
 
-Common commands:
+Expanded flow:
 
-```sh
-codex-auth save <name>
-codex-auth use <name>
-codex-auth list --details
-codex-auth current
+```text
+/opsx:new <change-name> → /opsx:ff or /opsx:continue → /opsx:apply → /opsx:verify → /opsx:archive
 ```
 
+### OpenSpec in agent sub-branches
+
+- `scripts/codex-agent.sh` enforces OpenSpec workspaces before launching Codex.
+- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<slug>/` and `openspec/plan/<slug>/` when `GUARDEX_OPENSPEC_AUTO_INIT=true`.
+
+Environment variables:
+
+| Var | Purpose |
+|---|---|
+| `GUARDEX_OPENSPEC_AUTO_INIT` | `true` to auto-bootstrap on branch start (default `false`) |
+| `GUARDEX_OPENSPEC_PLAN_SLUG` | force a specific plan workspace name |
+| `GUARDEX_OPENSPEC_CHANGE_SLUG` | force a specific change workspace name |
+| `GUARDEX_OPENSPEC_CAPABILITY_SLUG` | override capability folder for `spec.md` scaffolding |
+
+---
+
 ## Files installed by setup
 
 ```text
@@ -354,8 +418,8 @@ scripts/install-agent-git-hooks.sh
 scripts/openspec/init-plan-workspace.sh
 .githooks/pre-commit
 .githooks/pre-push
-.codex/skills/guardex/SKILL.md
-.claude/commands/guardex.md
+.codex/skills/gitguardex/SKILL.md
+.claude/commands/gitguardex.md
 .github/pull.yml.example
 .github/workflows/cr.yml
 .omx/state/agent-file-locks.json
@@ -363,44 +427,51 @@ scripts/openspec/init-plan-workspace.sh
 
 If `package.json` exists, setup also adds `agent:*` helper scripts.
 
-## OpenSpec quick start after `gx setup`
+---
 
-If you enabled global OpenSpec install during setup (`@fission-ai/openspec`), use the full guide here:
+## Frontend mirror
 
-- [`docs/openspec-getting-started.md`](./docs/openspec-getting-started.md)
+- Standalone frontend repo: <https://github.com/Webu-PRO/guardex-frontend>
+- This repo tracks the frontend under `frontend/` and auto-mirrors it via `.github/workflows/sync-frontend-mirror.yml` on changes to `main`.
 
-Default core flow:
+Setup (in this repo):
 
-```text
-/opsx:propose <change-name> -> /opsx:apply -> /opsx:archive
-```
+1. `Settings → Secrets and variables → Actions`
+2. Add secret `GUARDEX_FRONTEND_MIRROR_PAT` with `contents:write` on `Webu-PRO/guardex-frontend`
+
+Optional overrides (Actions Variables):
 
-Optional expanded flow:
+- `GUARDEX_FRONTEND_MIRROR_REPO` (default `Webu-PRO/guardex-frontend`)
+- `GUARDEX_FRONTEND_MIRROR_BRANCH` (default `main`)
+
+Manual run:
 
 ```sh
-openspec config profile <profile-name>
-openspec update
+gh workflow run sync-frontend-mirror.yml
 ```
 
-```text
-/opsx:new <change-name> -> /opsx:ff or /opsx:continue -> /opsx:apply -> /opsx:verify -> /opsx:archive
-```
+---
 
-### OpenSpec in agent sub-branches
+## Known rough edges
+
+Being honest about where this still has issues:
+
+- **Usage limit mid-task.** When an agent hits its Codex/Claude usage limit partway through, the cleanup flow currently has to be handed to a different agent. It works, but the handoff is uglier than I'd like.
+- **Conflict-stuck probes.** Fixed in v7.0.2 — earlier versions could leak `__source-probe-*` worktrees when the sync-guard rebase hit conflicts. If you're on an older release, `gx cleanup` sweeps these.
+- **Windows.** Most of the hook surface assumes a POSIX shell. Use WSL or symlink-enabled git if you're on Windows.
 
-- `scripts/codex-agent.sh` enforces OpenSpec workspaces before it launches Codex in each sandbox branch/worktree.
-- `scripts/agent-branch-start.sh` can scaffold both `openspec/changes/<agent-branch-slug>/` and `openspec/plan/<agent-branch-slug>/` when you set `GUARDEX_OPENSPEC_AUTO_INIT=true`.
-- Set `GUARDEX_OPENSPEC_AUTO_INIT=false` (default for `agent-branch-start`) to skip branch-start auto-bootstrap.
-- Set `GUARDEX_OPENSPEC_PLAN_SLUG=<kebab-case-slug>` to force a specific plan workspace name.
-- Set `GUARDEX_OPENSPEC_CHANGE_SLUG=<kebab-case-slug>` to force a specific change workspace name.
-- Set `GUARDEX_OPENSPEC_CAPABILITY_SLUG=<kebab-case-slug>` to override the default capability folder used for `spec.md` scaffolding.
+PRs and issues welcome.
 
-## Security and maintenance posture
+---
 
-- CI matrix on Node 18/20/22 (`npm test`, `node --check`, `npm pack --dry-run`)
-- trusted publishing with provenance in GitHub Actions
+## Security & maintenance
+
+- CI matrix on Node 18 / 20 / 22 (`npm test`, `node --check`, `npm pack --dry-run`)
+- Trusted publishing with provenance via GitHub Actions
 - OpenSSF Scorecard + Dependabot for Actions
-- disclosure policy in [`SECURITY.md`](./SECURITY.md)
+- Disclosure policy in [`SECURITY.md`](./SECURITY.md)
+
+---
 
 ## Local development
 
@@ -410,206 +481,138 @@ node --check bin/multiagent-safety.js
 npm pack --dry-run
 ```
 
+---
+
 ## Release notes
 
-### v7.0.8
+<details>
+<summary><strong>v7.x</strong></summary>
 
-- **Added: repo toggle guidance in `gx` status/help output.** The command summary now shows a dedicated `REPO TOGGLE` section so operators can see the repo-local switch immediately: `GUARDEX_ON=0` disables Guardex for a repo and `GUARDEX_ON=1` turns it back on.
-- **Changed: package metadata advanced to the next publishable release.** Bumped `@imdeadpool/guardex` from `7.0.7` to `7.0.8` so the current `main` branch state can be published without colliding with the existing release number.
+### v7.0.11
+- Fixed the npm release workflow trigger so publishes run from `release.published` or explicit manual dispatch, instead of double-firing on both the tag push and the release event.
+- This keeps the GitHub `npm` environment from collecting duplicate cancelled deploy cards for the same version and leaves one canonical release deployment to monitor.
+- Bumped `@imdeadpool/guardex` from `7.0.10` → `7.0.11` so the next release can publish cleanly after `7.0.10` was already taken on npm.
 
-### v7.0.7
+### v7.0.10
+- Primary user-facing long name is now **GitGuardex**. CLI/help presents `gitguardex` as the long-form command; `gx` stays the preferred short alias; `guardex` remains as legacy compatibility.
+- Installed Codex/Claude startup files now use `gitguardex` paths: `.codex/skills/gitguardex/SKILL.md` and `.claude/commands/gitguardex.md`.
+- Startup context shrunk further. Managed marker block + skill + command compressed from 4340 B → 1930 B across the three always-loaded template files.
+- Bumped `@imdeadpool/guardex` from `7.0.9` → `7.0.10`.
 
-- **Fixed: next publish target now advances past npm.** Bumped `@imdeadpool/guardex` from `7.0.6` to `7.0.7` so the next `npm publish` does not collide with the already-published registry version.
-- **Fixed: root package metadata drift in `package-lock.json`.** The lockfile root version had fallen behind the package manifest (`7.0.4` vs. `7.0.6`), which made release metadata inconsistent. The bump resynchronized `package.json` and `package-lock.json` on `7.0.7`.
+### v7.0.9
+- `gx doctor` and `gx setup` now refresh AGENTS with repo-toggle examples. Managed AGENTS block states Guardex is enabled by default and shows exact `.env` lines: `GUARDEX_ON=0` disables per repo, `GUARDEX_ON=1` re-enables.
+- Bumped to `7.0.9`.
 
-### v7.0.6
+### v7.0.8
+- Added `REPO TOGGLE` section to `gx` status/help output. Operators see the repo-local switch immediately.
+- Bumped to `7.0.8`.
+
+### v7.0.7
+- Advanced next publish target past npm. Bumped to `7.0.7`.
+- Fixed root package metadata drift in `package-lock.json` (root version had fallen behind manifest).
 
-- **Fixed: self-updater lied about success.** `gx`'s update prompt runs `npm i -g @imdeadpool/guardex@latest` and previously trusted npm's exit code. When npm's resolution cache made it report "changed 1 package" without actually overwriting the files (a known quirk triggered when the user just bumped from N-1 → N in the same session, or with a warm metadata cache), the prompt kept re-firing on every subsequent `gx` invocation because the on-disk `package.json` was still stale. `gx` now re-reads the globally installed `package.json` after the `@latest` install returns, compares its `version` field to the advertised latest, and if they don't match runs a pinned retry `npm i -g @imdeadpool/guardex@<latest>` to force the cache past the obstructing entry. If the pinned retry also fails to advance the on-disk version, the user gets a clear hint (`npm root -g && npm cache verify`) instead of a silent loop.
+### v7.0.6
+- **Fixed: self-updater lied about success.** `gx`'s update prompt runs `npm i -g @imdeadpool/guardex@latest` and previously trusted npm's exit code. When npm's resolution cache reported "changed 1 package" without actually overwriting files (known quirk, triggers when user just bumped N-1 → N in the same session, or with a warm metadata cache), the prompt kept re-firing on every subsequent `gx` invocation because the on-disk `package.json` was stale. `gx` now re-reads the globally installed `package.json` after `@latest` returns, compares its `version` to the advertised latest, and if they don't match runs a pinned retry `npm i -g @imdeadpool/guardex@<latest>` to force past the obstructing cache entry. If the pinned retry also fails, the user gets a clear hint (`npm root -g && npm cache verify`) instead of a silent loop.
 
 ### v7.0.5
-
-- **Added: `oh-my-claude` to `gx status` global-toolchain check.** The Claude-side mirror of `oh-my-codex` is now reported alongside the existing services (`oh-my-codex`, `@fission-ai/openspec`, `@imdeadpool/codex-account-switcher`, `gh`). Users who have not yet installed it will see a clear "inactive" line instead of silent omission, matching the existing codex detection contract.
-- **Added: `.omc/` to the managed `.gitignore` block.** `gx setup` / `gx doctor` write a `.omc/` entry next to `.omx/` so Claude-specific runtime state (notepad, worktrees landing there in a follow-up) stays out of commits by default, parity with the existing `.omx/` treatment.
+- Added `oh-my-claude` to `gx status` global-toolchain check. Claude-side mirror of `oh-my-codex` is reported alongside existing services (`oh-my-codex`, `@fission-ai/openspec`, `@imdeadpool/codex-account-switcher`, `gh`).
+- Added `.omc/` to the managed `.gitignore` block so Claude-specific runtime state (notepad, worktrees) stays out of commits, parity with `.omx/`.
 
 ### v7.0.4
-
-- **Fixed: publish collision on npm.** Advanced the package metadata from `7.0.3` to `7.0.4` so `npm publish` no longer targets an already published version.
-- **Changed: release-note sync for versioning rule.** Added this versioned entry in README in the same change as the package bump to keep publish metadata and release notes aligned.
+- Fixed publish collision on npm. Bumped `7.0.3` → `7.0.4`.
 
 ### v7.0.3
-
-- **Branch/worktree naming refactor.** `agent-branch-start.sh` now produces `agent/<role>/<task>-<YYYY-MM-DD>-<HH-MM>` instead of `agent/<role+account-email>/<snapshot-slug>-<task>-<cksum6>`. Codex account names (e.g. `Zeus Edix Hu`) and 6-hex checksums no longer leak into branch or worktree paths.
-- **Role normalization.** `AGENT_NAME` is collapsed to `{claude, codex, <explicit>}` via (in order) the `GUARDEX_AGENT_TYPE` env override, a substring match against `claude`/`codex`, the `CLAUDECODE=1` sentinel, or a fallback to `codex`. Other roles (`integrator`, `executor`, etc.) pass through when set via `GUARDEX_AGENT_TYPE`.
-- **New `--print-name-only` flag** on `agent-branch-start.sh` for deterministic tests; honours `GUARDEX_BRANCH_TIMESTAMP` for reproducible output.
-- **`--tier` flag accepted silently** for CLAUDE.md compatibility (scaffold sizing not wired through yet).
-- Tests `install.test.js` covering the old snapshot-slug format were rewritten to assert the new role-datetime shape.
+- **Branch/worktree naming refactor.** `agent-branch-start.sh` now produces `agent/<role>/<task>-<YYYY-MM-DD>-<HH-MM>` instead of `agent/<role+account-email>/<snapshot-slug>-<task>-<cksum6>`. Account names and 6-hex checksums no longer leak into branch/worktree paths.
+- **Role normalization.** `AGENT_NAME` collapses to `{claude, codex, <explicit>}` via (in order) `GUARDEX_AGENT_TYPE` env override, substring match against `claude`/`codex`, `CLAUDECODE=1` sentinel, or fallback to `codex`. Other roles (`integrator`, `executor`, etc.) pass through when set via `GUARDEX_AGENT_TYPE`.
+- New `--print-name-only` flag for deterministic tests; honors `GUARDEX_BRANCH_TIMESTAMP` for reproducible output.
+- `--tier` flag accepted silently for CLAUDE.md compatibility (scaffold sizing not wired through yet).
 
 ### v7.0.2
-
-- **Fix: `__source-probe-*` worktree leak on conflict exit.** `agent-branch-finish.sh` was registering its `cleanup()` trap *after* the sync-guard rebase block, so when that rebase hit conflicts and the script exited, the throwaway probe worktree was never removed. `gx doctor` sweeps against stalled branches accumulated one new probe per run.
-- The cleanup trap is now installed immediately after probe creation, and aborts any in-progress `rebase`/`merge` before `worktree remove --force` so conflict-stuck probes are cleaned up reliably.
+- **Fix: `__source-probe-*` worktree leak on conflict exit.** `agent-branch-finish.sh` was registering its `cleanup()` trap *after* the sync-guard rebase block, so when rebase hit conflicts and the script exited, the throwaway probe worktree was never removed. `gx doctor` sweeps accumulated one new probe per run.
+- Cleanup trap is now installed immediately after probe creation, and aborts any in-progress `rebase`/`merge` before `worktree remove --force`.
 
 ### v7.0.1
-
 - Maintenance release.
 
 ### v7.0.0
-
-- **Breaking (soft).** Consolidated 17 commands into 12 visible commands with flag-based subcommands. Five removed names (`init`, `install`, `fix`, `scan`, `copy-prompt`, `copy-commands`, `print-agents-snippet`, `review`) still work but print a one-line deprecation notice on stderr and will be removed in v8. See the migration table in "Copy-paste: common commands" above.
-- **Token-usage improvements.** Trimmed the auto-installed agent templates that live inside every consumer repo and get loaded into every Claude/Codex session:
+- **Breaking (soft).** Consolidated 17 commands into 12 visible commands with flag-based subcommands. Removed names still work but print a deprecation notice; will be removed in v8.
+- **Token-usage improvements.** Trimmed auto-installed agent templates that live in every consumer repo and get loaded into every session:
   - `templates/AGENTS.multiagent-safety.md`: 6990 B → 1615 B (−77%)
   - `templates/codex/skills/guardex/SKILL.md`: 2732 B → 1086 B (−60%)
   - `templates/claude/commands/guardex.md`: 472 B → 357 B (−24%)
   - Total: 10194 B → 3058 B per consumer repo (−70%, ~1.5k fewer tokens per agent session).
+- New `gx prompt` command replaces three prompt-emitting commands.
+- New flag surface on `gx setup`: `--install-only`, `--repair`.
+- New `gx status --strict` mirrors old `gx scan`.
 
-  The `AI_SETUP_PROMPT` and `AI_SETUP_COMMANDS` constants used by `gx prompt` are now compact checklists, so piping `gx prompt` into a model context is cheaper too.
-- **New `gx prompt` command** replaces three prompt-emitting commands: `gx prompt` (full checklist), `gx prompt --exec` (commands only), `gx prompt --snippet` (AGENTS.md managed-block template).
-- **New flag surface on `gx setup`**: `--install-only` (templates/hooks/locks only), `--repair` (fix drift), plus the existing `--target`, `--parent-workspace-view`, `--dry-run`, etc.
-- **New `gx status --strict`** mirrors the old `gx scan` behavior (exit non-zero on findings).
-- Updated internal `REQUIRED_PACKAGE_SCRIPTS` for consumer `package.json` so `agent:safety:scan` and `agent:safety:fix` helper scripts now invoke the new v7 surface (`gx status --strict`, `gx setup --repair`).
+</details>
 
-### v6.0.1
+<details>
+<summary><strong>v6.x</strong></summary>
 
-- Preserve existing repo-owned `AGENTS.md` marker content during `gx setup` / `gx doctor` by default; only rewrite marker blocks when `--force` is explicitly used.
-- Preserve existing `agent:*` package scripts during setup/doctor repairs by default so repo-local command customizations are not silently replaced.
-- Forward `--force` through sandboxed doctor execution so intentional canonical template/script rewrites still work end-to-end.
-- Added regression tests for both preservation behaviors (`setup` + `doctor`).
-- Bumped package version from `6.0.0` to `6.0.1` for the next npm publish.
+### v6.0.1
+- Preserve existing repo-owned `AGENTS.md` marker content during `gx setup` / `gx doctor` by default; only rewrite marker blocks when `--force` is explicit.
+- Preserve existing `agent:*` package scripts during setup/doctor repairs by default.
+- Forward `--force` through sandboxed doctor execution.
+- Added regression tests for both preservation behaviors.
 
 ### v6.0.0
+- **Breaking** — removed legacy `musafety` bin alias and all `MUSAFETY_*` environment variables. Callers must migrate to `guardex` / `gx` and `GUARDEX_*`.
+- **Breaking** — bootstrap manifest filename changed from `musafety-bootstrap-manifest.json` to `guardex-bootstrap-manifest.json`; existing sandbox worktrees must be pruned + re-bootstrapped.
+- Rebranded `musafety` → `guardex` across scripts, templates, hooks, tests, docs.
+- The descriptive phrase `multiagent-safety` (including `bin/multiagent-safety.js`) is preserved — only the short codename changed.
 
-- **Breaking** — removed the legacy `musafety` bin alias and all `MUSAFETY_*` environment variables. Callers must migrate to the `guardex` / `gx` bins and the `GUARDEX_*` env-var surface.
-- **Breaking** — bootstrap manifest filename changed from `musafety-bootstrap-manifest.json` to `guardex-bootstrap-manifest.json`; existing sandbox worktrees must be pruned + re-bootstrapped (or have their manifest manually renamed).
-- Rebranded all remaining `musafety` / `Musafety` / `MUSAFETY` codename tokens to `guardex` / `Guardex` / `GUARDEX` across scripts, templates, hooks, tests, and docs.
-- The descriptive phrase `multiagent-safety` (including `bin/multiagent-safety.js` and `templates/AGENTS.multiagent-safety.md`) is preserved intentionally — only the short codename changed.
-- Bumped package version from `5.0.17` to `6.0.0` for the next npm publish.
-
-### v5.0.17
-
-- Bumped package version from `5.0.16` to `5.0.17` for the next npm publish.
-
-### v5.0.16
-
-- Fixed `gx doctor` runtime crash (`parseDoctorArgs is not defined`) by restoring the doctor argument parser for `--target` and `--strict`.
-- Fixed `gx doctor` command routing so the repair-first doctor flow remains the active command path (duplicate legacy doctor definition no longer overrides it).
-- Updated worktree change detection to run `git status --porcelain --untracked-files=normal --` for consistent normal untracked-file behavior.
-- Added regression coverage that asserts the doctor parser function exists in `bin/multiagent-safety.js`.
-- Bumped package version from `5.0.15` to `5.0.16`.
-
-### v5.0.15
-
-- Added `gx setup --parent-workspace-view` to generate a parent-folder VS Code workspace (`../<repo>-branches.code-workspace`) that shows both the base repo and `.omx/agent-worktrees` in Source Control.
-- Added dry-run-safe parent workspace operations (`would-create` / `would-update`) and setup output that prints the created workspace path.
-- Added regression coverage for parent workspace generation and dry-run behavior.
-- Bumped package version from `5.0.14` to `5.0.15`.
-
-### v5.0.14
-
-- Changed release metadata for the next npm publish by bumping package version from `5.0.13` to `5.0.14`.
-- Kept Guardex release notes synchronized with the published package version.
-
-### v5.0.13
-
-- Bumped package version from `5.0.12` to `5.0.13` for the next npm publish.
-
-### v5.0.12
-
-- Bumped package version from `5.0.11` to `5.0.12` for the next npm publish.
-- Updated repository metadata and README links to the renamed GitHub repository (`recodeee/guardex`).
-
-### v5.0.11
+</details>
 
-- Updated the managed AGENTS contract wording to use `GX` naming and added an explicit OMX completion policy requiring commit + push + PR creation/update at task completion.
-- Ensured `gx install` explicitly configures the managed `AGENTS.md` policy block and added regression coverage for this install-path behavior.
-- Bumped package version from `5.0.10` to `5.0.11` for the next npm publish.
+<details>
+<summary><strong>v5.x</strong></summary>
 
-### v5.0.10
-
-- Bumped package version from `5.0.9` to `5.0.10` for the next npm publish.
-
-### v5.0.9
-
-- Enforced OpenSpec workspace bootstrap for sandbox agent execution: `scripts/codex-agent.sh` now initializes `openspec/plan/<agent-branch-slug>/` before launching Codex, and `scripts/agent-branch-start.sh` supports `GUARDEX_OPENSPEC_AUTO_INIT` plus `GUARDEX_OPENSPEC_PLAN_SLUG`.
-- Tightened doctor auto-finish correctness: sandbox finish now waits for merge and exits non-zero if the PR closes without merge, so repair flows are not reported as complete when policy blocks merge.
-- Updated package version from `5.0.8` to `5.0.9` for the next npm publish.
-
-### v5.0.8
-
-- Fixed `bin/multiagent-safety.js` syntax regressions in the doctor sandbox flow (`Unexpected identifier` / `Unexpected end of input`) that were breaking CLI execution and CI tests.
-- Restored `scripts/codex-agent.sh` from `templates/scripts/codex-agent.sh` so critical runtime helper parity checks pass in clean CI clones.
-- Bumped package version from `5.0.7` to `5.0.8` for the next npm publish.
-
-### v5.0.7
-### Unreleased (generated draft, not versioned yet)
-
-- Add the user-facing changes for the next release here before assigning a version number.
-- Keep this section focused on behavior changes (`Added`, `Changed`, `Fixed`) rather than version-bump-only notes.
+### v5.0.17 – v5.0.10
+Version bumps for npm publish continuity plus incremental fixes: doctor arg-parser restored (5.0.16), parent-workspace view added (5.0.15), OMX completion policy wording (5.0.11), OpenSpec sandbox bootstrap enforced (5.0.9), bin syntax regressions fixed (5.0.8).
 
 ### v5.0.6
-
-- `gx cleanup` and auto-finish cleanup now prune clean agent worktrees by default, so VS Code Source Control focuses on your local branch plus worktrees with active changes.
-- Added `gx cleanup --keep-clean-worktrees` to opt out and keep clean worktrees visible.
-- Bumped package version from `5.0.5` to `5.0.6` for the next npm publish.
-
-### v5.0.5
-
-- Bumped package version from `5.0.4` to `5.0.5` so npm publish can proceed with the next patch release.
-
-### v5.0.4
-
-- Bumped package version from `5.0.3` to `5.0.4` to stay one patch ahead of the current npm published version.
-
-### v5.0.3
-
-- Bumped package version from `5.0.2` to `5.0.3` for the next npm publish.
+- `gx cleanup` and auto-finish cleanup now prune clean agent worktrees by default. VS Code Source Control focuses on your local branch + worktrees with active changes.
+- Added `gx cleanup --keep-clean-worktrees` to opt out.
 
 ### v5.0.2
-
-- Auto-closes Codex sandbox branches through PR workflow and keeps merged branch/worktree sandboxes for explicit cleanup via `gx cleanup`.
+- Auto-closes Codex sandbox branches through PR workflow; keeps merged branch/worktree sandboxes for explicit cleanup via `gx cleanup`.
 - Runs `gx doctor` repairs from a sandbox when `main` is protected.
 - Allows tightly guarded Codex-only commits for `AGENTS.md` / `.gitignore` on protected branches.
-- Advanced package version to keep npm publishing unblocked.
 
 ### v5.0.0
-
-- Rebranded the CLI to **GuardeX** with `gx`-first command UX.
-- Published under scoped package name `@imdeadpool/guardex` to avoid npm name collisions.
-- Enforced a repeatable per-message agent branch lifecycle in setup/init flows.
+- Rebranded CLI to **GuardeX** with `gx`-first command UX.
+- Published under scoped package name `@imdeadpool/guardex`.
+- Enforced repeatable per-message agent branch lifecycle in setup/init flows.
 - Added codex-auth-aware sandbox branch naming support.
 
-### v0.4.6
+</details>
 
-- Added repository metadata (`repository`, `bugs`, `homepage`, `funding`) in package manifest.
-- Added CI workflow for Node 18/20/22 with packaging and syntax verification.
-- Added npm provenance-oriented release workflow, OpenSSF Scorecard workflow, and Dependabot for Actions.
+<details>
+<summary><strong>v0.4.x</strong></summary>
+
+### v0.4.6
+- Added repository metadata (`repository`, `bugs`, `homepage`, `funding`).
+- Added CI workflow for Node 18/20/22.
+- Added npm provenance release workflow, OpenSSF Scorecard, Dependabot for Actions.
 - Added explicit `SECURITY.md` and `CONTRIBUTING.md`.
 
 ### v0.4.5
-
 - Added optional pre-commit behind-threshold sync gate (`multiagent.sync.requireBeforeCommit`, `multiagent.sync.maxBehindCommits`).
-- Added `gx sync` workflow (`--check`, sync strategies, report mode).
-- `agent-branch-finish.sh` now blocks finishing when source branch is behind `origin/<base>` (config-aware).
+- Added `gx sync` workflow (`--check`, strategies, report mode).
+- `agent-branch-finish.sh` blocks finishing when source is behind `origin/<base>`.
 
 ### v0.4.4
-
 - Added `scripts/agent-worktree-prune.sh` to templates/install.
-- `agent-branch-finish.sh` now auto-runs prune after merge (best effort).
-- Added npm helper script: `agent:cleanup`.
+- `agent-branch-finish.sh` auto-runs prune after merge.
+- Added npm helper: `agent:cleanup`.
 
 ### v0.4.2
-
-- Setup now detects existing global OMX/OpenSpec installs first.
-- If tools are already present, setup skips global install automatically.
-- Interactive approval is strict `[y/n]` (waits for explicit answer).
-- Added setup screenshot to README.
-- Added workflow screenshots (branch start, lock/delete guard, source-control view).
+- Setup detects existing global OMX/OpenSpec installs first; skips global install if tools are present.
+- Interactive approval is strict `[y/n]`.
+- Added setup + workflow screenshots.
 
 ### v0.4.0
+- Added setup-time Y/N approval for optional global install of `oh-my-codex` and `@fission-ai/openspec`.
+- Added setup flags: `--yes-global-install`, `--no-global-install`.
 
-- Added setup-time Y/N approval prompt for optional global install of:
-  - `oh-my-codex`
-  - `@fission-ai/openspec`
-- Added setup flags for automation:
-  - `--yes-global-install`
-  - `--no-global-install`
-- Added official repo links for OMX and OpenSpec.
+</details>