cortexhawk 3.2.0 → 3.3.1

package/.cortexhawk-lint.yml.example

@@ -0,0 +1,21 @@
+# .cortexhawk-lint.yml — per-project lint-guard config (optional)
+# Copy to .cortexhawk-lint.yml to override defaults.
+# By default, all tools are auto-detected via their config files.
+# Set a tool to false to disable it even if its config file is present.
+
+formatters:
+  prettier: true      # .prettierrc* / prettier.config.* / package.json "prettier"
+  black: true         # pyproject.toml [tool.black]
+  gofmt: true         # active if .go files staged (no config file required)
+  rustfmt: true       # rustfmt.toml / .rustfmt.toml
+  stylelint: true     # .stylelintrc* / stylelint.config.*
+
+linters:
+  eslint: true        # .eslintrc* / eslint.config.*
+  flake8: true        # .flake8 / setup.cfg [flake8]
+  mypy: false         # pyproject.toml [tool.mypy] / mypy.ini — set to false to disable (can be slow)
+
+options:
+  run_on_push: false       # run on git push too (overrides LINT_ON_PUSH in git-workflow.conf)
+  fail_on_formatter: false # block commit if a formatter fails (default: non-blocking)
+  timeout: 30              # max seconds per tool (requires timeout/gtimeout in PATH)

package/.gitmessage

@@ -0,0 +1,10 @@
+
+# type(scope): subject
+#
+# Types: feat, fix, docs, style, refactor, test, chore, perf, security
+# Scope: optional module/component name
+# Subject: imperative mood, lowercase, no period, max 72 chars
+#
+# Body: explain WHY, not WHAT (the diff shows the what)
+#
+# Footer: BREAKING CHANGE: description | Closes #123 | Backlog #N

package/CHANGELOG.md

@@ -3,9 +3,54 @@
 All notable changes to CortexHawk are documented here.
 Format: [Keep a Changelog](https://keepachangelog.com/)
 
+## [3.3.1] - 2026-02-20
+
+### Added
+- Native git `post-merge` hook opt-in: `cortexhawk post-merge-hook` (or `install --post-merge-hook`) installs `.git/hooks/post-merge` that auto-runs cleanup after every `git merge`; also offered interactively during `cortexhawk install` (#150)
+- Gitflow strategy support in `post-merge-cleanup.sh`: dual-target merge detection (feat→develop, release/hotfix→main), conditional `release/*`/`hotfix/*` protection, resync `develop ← main` after release merges (#151)
+
+### Security
+- `codex-dispatcher.sh`: reject paths containing `../` before dispatch to hooks, preventing arbitrary file scanning via path traversal (#152)
+- MCP configs: pin all `npx -y` packages to exact versions — context7@2.1.1, sequential-thinking@2025.12.18, puppeteer@2025.5.12, github@2025.4.8; also fix puppeteer package name (`@modelcontextprotocol/server-puppeteer` replaces removed `@anthropic-ai/mcp-server-puppeteer`) (#153)
+
+### Changed
+- `post-merge-cleanup.sh` refactored to dispatch-by-strategy architecture: central `PROTECTED_BRANCHES` list + `is_protected()`, extracted helpers (`delete_branch`, `delete_merged_branches`, `resync_work_branch`, `prompt_new_feature_branch`), strategy dispatch via `strategy_*()` functions + `case` (#149)
+- `install.sh` modularized: extracted `install_claude()`, `do_update()`, `do_snapshot()`, `do_restore()`, `do_doctor()` into `scripts/` modules (4114 → 3168 lines, -23%); install.sh sources them before dispatch (#137)
+
+### Fixed
+- `post-merge-cleanup.sh`: `MAIN_BRANCH` was assigned `WORK_BRANCH` value (e.g. `dev`) for `dev-branch` and `gitflow` strategies — merged-branch detection, resync, and post-cleanup were all targeting the wrong branch; now always `MAIN_BRANCH="main"` (#148)
+- `post-merge-cleanup.sh`: script exited early when no merged branches, skipping resync for `dev-branch`/`gitflow`; resync now always runs after cleanup (#148)
+- `post-merge-cleanup.sh`: added `--dry-run` flag (preview actions without executing) and resync block `WORK_BRANCH ← MAIN_BRANCH` with `--ff-only` + interactive merge fallback (#148)
+- `cortexhawk update` crash when installed via npm: manifest's `source: "git"` was overriding runtime detection, causing `git pull` to run on the npm global dir (not a git repo); now validates SCRIPT_DIR is a real git repo before trusting manifest source (#154)
+- `get_version()` in `cortexhawk` wrapper now skips `[Unreleased]` heading (fixes `self-update` version display)
+- `branch-guard`: work branch (dev) was incorrectly added to `PROTECTED_BRANCHES` for `dev-branch` strategy, blocking all regular `git push origin dev` operations
+
+## [3.3.0] - 2026-02-19
+
+### Added
+- `lint-guard` Phase 3 performance: linters run in parallel (`&` + `wait` + tmpdir error signaling); detection results cached in `.claude/lint-guard-cache` (1hr TTL, safe key=value); hook extracted to `scripts/lint-guard-runner.sh` to stay within 150-line limit (#142)
+- `lint-guard` advanced YAML options: `timeout` (per-tool kill with `timeout`/`gtimeout`, default 30s), `fail_on_formatter` (block commit on formatter failure, default false), `run_on_push` in yml (overrides git-workflow.conf) (#141)
+- `lint-guard` pre-commit delegation: if `.pre-commit-config.yaml` + `pre-commit` CLI are present, lint-guard delegates entirely to the framework — no duplication for projects already using pre-commit (#143)
+- `lint-guard` hook (PreToolUse): auto-detects formatters and linters on staged files before commit — formatters auto-fix + re-stage (prettier, black, gofmt, rustfmt, stylelint), linters check-only + block on errors (eslint, flake8, mypy); opt-out via `LINT_SKIP` in `git-workflow.conf` or `.cortexhawk-lint.yml` (#140)
+- `/review-pr` command: fetch, triage, and address PR review comments — batch mode by default (one commit + one batched review reply = one notification); `--sequential` flag for complex interdependent threads (#145)
+- MCP GitHub config: `mcp/github.json` (`@modelcontextprotocol/server-github`) — unlocks native GitHub API for `git-manager`, `/ship`, `pr-review-comments`, `/review-pr`; listed as recommended in fullstack + api profiles (#146)
+- `/cleanup` command: delete merged local/remote branches, optional post-merge hook for auto-cleanup after PR merges (#139)
+- Smart PR detection in `/ship`: reuses existing PR branch instead of creating duplicate branches when iterating with `/task` followed by review feedback (#138)
+
+### Fixed
+- `branch-guard` hook: `git push --delete` (remote branch deletion) was incorrectly blocked when on a protected branch — `/cleanup` remote cleanup now works correctly
+- `post-merge-cleanup.sh`: auto-detects missing TTY (`[ ! -t 0 ]`) and switches to auto mode — `/cleanup` called via Claude Bash tool or CI no longer hangs on `read` prompt
+- `.gitignore`: add `docs/.context/` and `docs/.metrics/` — auto-generated session artifacts (snapshots, analytics logs, agent context) are ephemeral and should not be committed
+- GitHub Actions (`claude.yml`, `claude-code-review.yml`): grant `pull-requests: write` + `issues: write` — Claude could read PRs but not post reviews or replies
+- **Security (MEDIUM)**: replace predictable PID/timestamp temp paths with `mktemp` (portable, no `.json` suffix) in `autodetect-profile.sh` and `interactive-init.sh`
+- **Security (MEDIUM)**: extend `.env` parser blocklist (`PYTHONPATH`, `GIT_SSH_COMMAND`, `NPM_CONFIG_*`, `NODE_OPTIONS`, `RUBYLIB`, `LD_AUDIT`, etc.) + add key format validation (`^[A-Z_][A-Z0-9_]{0,63}$`) to reject malformed variable names
+- **Security (LOW)**: atomic `cache_set` in `lint-guard-runner.sh` via `mktemp` unique tmp + `mv` — eliminates race condition on concurrent hook invocations
+- **Security**: replace `eval` with `xargs -0` in `lint-guard-runner.sh` — prevents command injection via crafted filenames in staged file lists
+
 ## [3.2.0] - 2026-02-15
 
 ### Added
+- Component registry: `COMPONENTS` array + `copy_all_components`/`sync_all_components`/`count_component_files` — adding a new component is 1 line instead of modifying 5 functions
 - `/commit` command: lightweight conventional commit + push without review or PR — use `/ship` for full workflow, `/commit` for quick iterations
 - Install auto-detects existing PR/commit templates; generates CortexHawk defaults (`.github/PULL_REQUEST_TEMPLATE.md`, `.gitmessage`) if missing — agents (`git-manager`, `/ship`, `/commit`) read templates at runtime
 - `--version` / `-v` flag: displays CortexHawk version

package/CLAUDE.md

@@ -6,13 +6,13 @@ Open-source development toolkit for Claude Code — optimized agents, skills, co
 
 ```
 agents/       — 20 specialized AI agents
-commands/     — 33 slash commands
+commands/     — 35 slash commands
 scripts/      — Validation and post-install audit scripts
 skills/       — 36 domain-specific knowledge modules
-hooks/        — 9 lifecycle hooks
+hooks/        — 11 lifecycle hooks
 modes/        — 7 behavioral presets
 profiles/     — 3 install profiles (fullstack, api, data)
-mcp/          — Pre-configured MCP server configs
+mcp/          — Pre-configured MCP server configs (github, context7, sequential-thinking, puppeteer)
 docs/         — Agent outputs (brainstorms, plans, decisions, research, audits, conversations, chains)
 templates/    — Templates for contributing new components (agents, commands, skills, chain presets, personas)
 CONTRIBUTING.md — Contribution guidelines
@@ -49,7 +49,7 @@ Custom agents in `.cortexhawk-agents/` at project root. Each `.md` file uses `ex
 
 ## Commands
 
-`/plan` `/build` `/test` `/review` `/ship` `/commit` `/debug` `/scan` `/check` `/refactor` `/research` `/doc` `/bootstrap` `/tdd` `/optimize` `/migrate` `/monitor` `/api-gen` `/changelog` `/journal` `/brainstorm` `/simplify` `/deploy` `/export` `/backlog` `/pulse` `/map` `/learn` `/chain` `/task` `/ci` `/context` `/upgrade`
+`/plan` `/build` `/test` `/review` `/review-pr` `/ship` `/commit` `/cleanup` `/debug` `/scan` `/check` `/refactor` `/research` `/doc` `/bootstrap` `/tdd` `/optimize` `/migrate` `/monitor` `/api-gen` `/changelog` `/journal` `/brainstorm` `/simplify` `/deploy` `/export` `/backlog` `/pulse` `/map` `/learn` `/chain` `/task` `/ci` `/context` `/upgrade`
 
 ## Skills
 
@@ -80,6 +80,7 @@ Custom agents in `.cortexhawk-agents/` at project root. Each `.md` file uses `ex
 - `file-guard` (PreToolUse) — Blocks access to .env, secrets, keys
 - `branch-guard` (PreToolUse) — Prevents direct push to protected branches
 - `commit-guard` (PreToolUse) — Validates conventional commits, checks staged secrets
+- `lint-guard` (PreToolUse) — Auto-detects formatters/linters on staged files; auto-fix for prettier/black/gofmt/rustfmt/stylelint, check-only for eslint/flake8/mypy
 - `self-review` (PostToolUse) — Checks for TODO/FIXME, secrets, debug artifacts
 - `dependency-check` (PostToolUse) — Alerts when dependency files are modified
 - `test-reminder` (PostToolUse) — Reminds to update tests for modified source files
@@ -94,3 +95,10 @@ Custom agents in `.cortexhawk-agents/` at project root. Each `.md` file uses `ex
 - Checklists > paragraphs, code examples > prose
 - One responsibility per component
 - All agents follow: frontmatter → description → Process → Output Format → Rules
+
+## Git Workflow
+
+- **Branching**: dev-branch (working branch: dev)
+- **Commits**: conventional
+- **PR preference**: on-demand
+- **Auto-push**: after-commit

package/agents/git-manager.md

@@ -11,9 +11,10 @@ You are a release engineer managing version control workflows.
 
 0. **Context** — Read `docs/.context/_shared.md` and `docs/.context/git-manager.md`
 1. **Assess** — Review current branch state, staged changes, and recent history
+1.5. **Detect PR** — Run `gh pr view --json state,url 2>/dev/null`, parse output; if PR exists with state=OPEN, note branch has active PR (skip creation later); if gh fails or no PR, proceed normally
 2. **Stage** — Select files for commit, verify no secrets or debug artifacts
 3. **Commit** — Generate conventional commit message matching change scope
-4. **Push** — Push to remote, create PR with description and checklist
+4. **Push** — Push to remote, create PR with description and checklist (skip if active PR detected in step 1.5)
 5. **Manage** — Handle branching, tagging, merging, and release prep
 
 ## Commit Convention
@@ -63,5 +64,8 @@ Description: imperative mood, lowercase, no period, max 72 chars
 - Always verify no secrets in staged files before commit
 - Read `## Git Workflow` in CLAUDE.md for project preferences (branching, commits, PRs, auto-push)
 - Respect configured branching strategy, PR preference, and auto-push behavior
-- If no Git Workflow section, default to: feature branches, conventional commits, on-demand PR, auto-push
+- If no Git Workflow section and no `.claude/config/git-workflow.conf`, default to: feature branches, conventional commits, on-demand PR, auto-push
+- Before creating a feature branch, check if current branch has open PR — if yes, reuse branch and push to update PR; if no or state!=OPEN, create new branch
+- PR detection edge cases: gh CLI not installed (skip detection, proceed with branch creation), detached HEAD (skip detection, create new branch), gh fails (silent fail with warning, continue with branch creation), no remote configured (warn and stop)
+- Silent fail on PR detection errors — log warning to user, continue with normal branch creation flow
 - Update `docs/.context/git-manager.md` with patterns, decisions, and key files discovered

package/commands/backlog.md

@@ -12,7 +12,7 @@ Activate the **project-manager** agent in backlog mode.
 3. Score: impact (H/M/L), effort (H/M/L), feasibility (H/M/L)
 4. Update `docs/backlog.md` — add new items, re-prioritize existing ones
 5. Mark items already implemented as done
-6. Run `bash scripts/refresh-context.sh` to update shared context
+6. Run `bash .claude/scripts/refresh-context.sh` to update shared context
 
 Backlog format in `docs/backlog.md`:
 

package/commands/cleanup.md

@@ -0,0 +1,37 @@
+---
+name: cleanup
+description: Delete merged branches and optionally enable auto-cleanup hook
+---
+
+# /cleanup
+
+Delete merged local branches and optionally delete remote branches.
+
+## Process
+
+1. Check if `.claude/.cleanup-configured` exists — if not, prompt for hook opt-in
+2. If marker missing, ask: "Enable auto-cleanup hook after merging PRs? [y/N]"
+3. If user chooses yes:
+   - Uncomment post-merge composition in `.claude/hooks/compose.yml` via sed
+   - Create marker: `echo 'enabled' > .claude/.cleanup-configured`
+   - Notify: "Auto-cleanup hook enabled. Runs automatically after git merge."
+4. If user chooses no:
+   - Create marker: `echo 'manual' > .claude/.cleanup-configured`
+5. Run cleanup script: `.claude/scripts/post-merge-cleanup.sh` (interactive mode)
+6. Script detects branching strategy from `.claude/git-workflow.conf` or `CLAUDE.md`
+7. Lists merged branches (excluding main/master/dev/develop/current)
+8. Prompts before deleting each local branch
+9. Prompts before deleting each remote branch (default: no)
+10. If on main branch: pulls latest changes
+11. If `BRANCHING=feature-branches`: optionally creates new feature branch
+
+## Rules
+
+- First-run hook prompt only shows once (marker file persists preference)
+- Remote deletion requires explicit confirmation (default: no)
+- Never delete main/master/dev/develop or current branch
+- Handle missing config files gracefully (fallback to defaults)
+- Handle git errors without crashing (network, permissions, no remote)
+- If compose.yml missing, warn and skip hook enablement
+- If sed fails, report error but continue cleanup
+- For a native git hook (fires on all `git merge`, not just via Claude): `cortexhawk post-merge-hook`

package/commands/review-pr.md

@@ -0,0 +1,31 @@
+---
+name: review-pr
+description: Fetch, triage, and address PR review comments in batch — one commit, one notification.
+---
+
+# /review-pr
+
+Activate the **reviewer** agent using the `pr-review-comments` skill. Target PR: current branch.
+
+1. **Auth** — Check MCP GitHub (`mcp__github__list_pull_requests`); fall back to `gh pr view` if unavailable
+2. **Fetch** — Get all open inline threads, review submissions, and conversation comments
+3. **Triage** — Group by author: Copilot / human reviewers / bots; skip resolved and outdated
+4. **Present** — Show numbered threads with `file:line`, author, summary, and proposed fix
+5. **Confirm** — Ask which to address (`1, 3, 5` or `all`) before touching any file
+6. **Fix** (batch, default) — Apply all selected fixes in one pass
+7. **Commit** — `fix: address PR review comments` (single commit)
+8. **Push** — Push to remote
+9. **Reply** — `mcp__github__create_pull_request_review` (batch) or `gh pr comment` — one reply per thread, referencing the commit sha
+
+## Flags
+
+- `--sequential` — fix → commit → reply per thread; use when comments are complex or interdependent
+
+## Rules
+
+- Always present threads and wait for user selection before fixing
+- Batch mode: one commit + one review submission = one notification to reviewers
+- Sequential mode: one commit per thread, reply immediately after each fix
+- Never fix resolved or outdated threads unless explicitly requested
+- If no open threads, report and stop
+- If auth fails, prompt `gh auth login` or check `GITHUB_PERSONAL_ACCESS_TOKEN`

package/commands/ship.md

@@ -8,6 +8,7 @@ description: Commit, create PR, and prepare for deployment.
 Activate the **git-manager** agent, then the **reviewer** agent. Ship: `$ARGUMENTS`
 
 0. Read `## Git Workflow` from CLAUDE.md if present — respect PR preference and auto-push settings
+0.5. Check if current branch has open PR — run `gh pr view --json state,url 2>/dev/null`; if PR exists and state=OPEN, skip branch creation (update existing PR); if gh unavailable or no PR found, proceed with normal flow
 1. Stage changes and generate conventional commit message
 2. Run quick review pass — reviewer runs Pass 1 (Correctness) and Pass 2 (Security) only, reporting Critical findings exclusively
 3. If review passes, commit and push

package/commands/task.md

@@ -16,7 +16,7 @@ Activate the **project-manager** agent as orchestrator. Execute backlog item `$A
 6. Update `CHANGELOG.md` with a one-line entry under the current version's `### Added` section
 7. If chain completes without critical blockers, execute `/ship`
 8. Mark item as `done` in backlog
-9. Run `bash scripts/refresh-context.sh` to update shared context
+9. Run `bash .claude/scripts/refresh-context.sh` to update shared context
 
 ## Save Rules
 

package/cortexhawk

@@ -29,7 +29,7 @@ yellow() { printf "\033[33m%s\033[0m\n" "$1"; }
 red() { printf "\033[31m%s\033[0m\n" "$1"; }
 
 get_version() {
-    grep -m1 '## \[' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
+    grep -m1 '## \[[0-9]' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
 }
 
 # --- validate command ---
@@ -120,8 +120,8 @@ do_validate() {
 
                 # settings.json
                 if [ -f "$target_dir/settings.json" ]; then
-                    if python3 -c "import json; json.load(open('$target_dir/settings.json'))" 2>/dev/null || \
-                       node -e "JSON.parse(require('fs').readFileSync('$target_dir/settings.json'))" 2>/dev/null; then
+                    if python3 -c "import json,sys; json.load(open(sys.argv[1]))" "$target_dir/settings.json" 2>/dev/null || \
+                       node -e "JSON.parse(require('fs').readFileSync(process.argv[1]))" "$target_dir/settings.json" 2>/dev/null; then
                         check "settings.json valid JSON" "ok"
                     else
                         check "settings.json invalid JSON" "fail"
@@ -383,6 +383,7 @@ show_help() {
     echo "  enable-hook <name>    Enable a hook"
     echo "  disable-hook <name>   Disable a hook"
     echo "  test-hooks            Dry-run hooks with synthetic inputs"
+    echo "  post-merge-hook       Install native git post-merge hook (auto-cleanup)"
     echo ""
     echo "Other:"
     echo "  self-update           Update CortexHawk source (git pull)"
@@ -501,6 +502,11 @@ case "$cmd" in
         shift
         bash "$INSTALL_SH" --test-hooks "$@"
         ;;
+    post-merge-hook)
+        check_home
+        shift
+        bash "$INSTALL_SH" --post-merge-hook "$@"
+        ;;
     self-update)
         check_home
         if [ ! -d "$CORTEXHAWK_HOME/.git" ]; then

package/hooks/branch-guard.sh

@@ -21,17 +21,24 @@ fi
 
 PROTECTED_BRANCHES=("main" "master" "production" "release")
 
-# Load git workflow config — allow direct-main push if configured
+# Load git workflow config — adjust protected branches based on branching strategy
 CONF_FILE="$(git rev-parse --show-toplevel 2>/dev/null)/.claude/git-workflow.conf"
 if [[ -f "$CONF_FILE" ]]; then
   _BRANCHING=$(grep '^BRANCHING=' "$CONF_FILE" | cut -d= -f2)
   if [[ "$_BRANCHING" == "direct-main" ]]; then
     PROTECTED_BRANCHES=("master" "production" "release")
+  elif [[ "$_BRANCHING" == "dev-branch" ]]; then
+    : # Work branch is the normal push target — only main stays protected
   fi
 fi
 
 # Check for git push to protected branches
 if echo "$CMD" | grep -qE 'git\s+push'; then
+  # Allow --delete operations (deleting remote branches, not pushing code)
+  if echo "$CMD" | grep -qE 'git\s+push\s+.*--delete|git\s+push\s+.*-d\s'; then
+    exit 0
+  fi
+
   CURRENT_BRANCH=$(git branch --show-current 2>/dev/null)
 
   for branch in "${PROTECTED_BRANCHES[@]}"; do

package/hooks/codex-dispatcher.sh

@@ -59,6 +59,9 @@ HOOKS_DIR="$(cd "$(dirname "$0")" && pwd)"
 while IFS= read -r file; do
     [ -z "$file" ] && continue
 
+    # Reject path traversal attempts
+    case "$file" in "."|".."|*../*|*/..*) continue ;; esac
+
     # Resolve to absolute path
     if [[ "$file" != /* ]]; then
         file="$CWD/$file"

package/hooks/compose.yml

@@ -45,3 +45,9 @@ compositions:
     matcher: "*"
     hooks:
       - session-telemetry
+
+  # post-merge:
+  #   event: GitHook
+  #   matcher: "post-merge"
+  #   hooks:
+  #     - post-merge

package/hooks/file-guard.sh

@@ -9,12 +9,16 @@ BLOCKED_PATTERNS=(
   "*.key"
   "id_rsa"
   "id_ed25519"
+  "id_ecdsa"
   "*.p12"
   "*.pfx"
   "*.keystore"
+  "*.jks"
   "credentials.json"
   "credentials.yml"
   "credentials.yaml"
+  "*secret*"
+  "service-account*.json"
 )
 
 # Basename patterns that are .env.* but NOT .env.example/.env.sample/.env.template

package/hooks/hooks.json

@@ -36,6 +36,12 @@
       "script": "hooks/commit-guard.sh",
       "description": "Validates commit format and checks for staged secrets"
     },
+    {
+      "name": "lint-guard",
+      "type": "PreToolUse",
+      "script": "hooks/lint-guard.sh",
+      "description": "Auto-detect and run formatters/linters on staged files before commit"
+    },
     {
       "name": "test-reminder",
       "type": "PostToolUse",

package/hooks/lint-guard.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# lint-guard — Auto-detect formatters/linters and run before git commit/push
+# Hook type: PreToolUse (Bash)
+# Delegates heavy work to scripts/lint-guard-runner.sh
+
+# --- 1. PARSE COMMAND ---
+if [ -n "$CORTEXHAWK_COMMAND" ]; then
+  CMD="$CORTEXHAWK_COMMAND"
+else
+  INPUT=$(cat)
+  if command -v jq &>/dev/null; then
+    CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+  fi
+  [ -z "$CMD" ] && CMD=$(printf '%s' "$INPUT" \
+    | grep -o '"command" *: *"[^"]*"' | head -1 | sed 's/.*: *"//;s/"$//')
+fi
+[ -z "$CMD" ] && exit 0
+echo "$CMD" | grep -qE 'git\s+(commit|push)' || exit 0
+
+# --- 2. PUSH CHECK — yml takes priority over git-workflow.conf ---
+if echo "$CMD" | grep -qE 'git\s+push'; then
+  _ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
+  _YML_PUSH=$(grep -E "^\s+run_on_push:" "$_ROOT/.cortexhawk-lint.yml" 2>/dev/null \
+    | sed 's/.*: *//' | tr -d ' \r')
+  if [ "$_YML_PUSH" = "true" ]; then
+    :
+  elif [ "$_YML_PUSH" = "false" ]; then
+    exit 0
+  else
+    LINT_ON_PUSH=$(grep '^LINT_ON_PUSH=' "$_ROOT/.claude/git-workflow.conf" 2>/dev/null | cut -d= -f2)
+    [ "$LINT_ON_PUSH" != "true" ] && exit 0
+  fi
+fi
+
+# --- 3. DELEGATE ---
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
+[ -z "$REPO_ROOT" ] && exit 0
+
+if command -v pre-commit &>/dev/null && [ -f "$REPO_ROOT/.pre-commit-config.yaml" ]; then
+  echo "lint-guard: pre-commit detected — delegating to pre-commit framework"
+  pre-commit run
+  exit $?
+fi
+
+bash "$REPO_ROOT/.claude/scripts/lint-guard-runner.sh"
+exit $?

package/hooks/post-merge.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# post-merge — Auto-cleanup merged branches after PR merge
+# Hook type: GitHook
+# Disabled by default — enable via /cleanup first run
+
+# Call cleanup script in auto mode (silent, no prompts, skip remote deletion)
+if [ -f ".claude/scripts/post-merge-cleanup.sh" ]; then
+    bash ".claude/scripts/post-merge-cleanup.sh" --auto 2>/dev/null || true
+fi
+
+# Exit silently — don't block merge operation on script failures
+exit 0

package/hooks/session-start.sh

@@ -132,4 +132,4 @@ if [ -d "$SKILL_DIR" ]; then
 fi
 
 echo ""
-echo "Commands: /plan /build /test /review /ship /debug /scan /check /refactor /research /doc /bootstrap /tdd /optimize /migrate /monitor /api-gen /changelog /journal /brainstorm /simplify /deploy /export /backlog /pulse /map /learn /chain /task /ci /context"
+echo "Commands: /plan /build /test /review /ship /commit /cleanup /debug /scan /check /refactor /research /doc /bootstrap /tdd /optimize /migrate /monitor /api-gen /changelog /journal /brainstorm /simplify /deploy /export /backlog /pulse /map /learn /chain /task /ci /context /upgrade"