cortexhawk 3.2.0 → 3.3.1

package/install.sh

@@ -7,6 +7,16 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 if [ -f ".env" ]; then
     while IFS='=' read -r key value; do
         [[ -z "$key" || "$key" == \#* ]] && continue
+        # Validate key format: uppercase letters, digits, underscore only (POSIX env var names)
+        [[ "$key" =~ ^[A-Z_][A-Z0-9_]{0,63}$ ]] || continue
+        # Block dangerous variable names that could hijack script/shell behavior
+        case "$key" in
+            PATH|LD_PRELOAD|LD_LIBRARY_PATH|LD_AUDIT|LD_DEBUG|BASH_ENV|BASH_FUNC_*|\
+            SCRIPT_DIR|HOME|SHELL|IFS|CDPATH|ENV|PYTHONPATH|PYTHONSTARTUP|\
+            GIT_SSH|GIT_SSH_COMMAND|GIT_PROXY_COMMAND|GIT_EXEC_PATH|\
+            NPM_CONFIG_*|NODE_OPTIONS|RUBYLIB|RUBYOPT|PERL5LIB|PERL5OPT)
+                continue ;;
+        esac
         # Strip double quotes
         value="${value%\"}" && value="${value#\"}"
         # Strip single quotes
@@ -24,7 +34,7 @@ green() { printf "\033[32m%s\033[0m\n" "$1"; }
 yellow() { printf "\033[33m%s\033[0m\n" "$1"; }
 
 get_version() {
-    grep -m1 '## \[' "$SCRIPT_DIR/CHANGELOG.md" | sed 's/.*\[\([^]]*\)\].*/\1/'
+    grep -m1 '## \[[0-9]' "$SCRIPT_DIR/CHANGELOG.md" | sed 's/.*\[\([^]]*\)\].*/\1/'
 }
 
 # Portable sed -i (GNU vs BSD)
@@ -161,7 +171,26 @@ STATS_MODE=false
 PUBLISH_SKILL_PATH=""
 CHECK_UPDATE_MODE=false
 DEMO_MODE=false
+TRUST_SKILL=false
 MAX_SNAPSHOTS=10
+POST_MERGE_HOOK_MODE=false
+
+# === Component Registry ===
+# Single source of truth for all CortexHawk components.
+# Format: "name:executable"
+#   - executable = "yes" runs chmod +x *.sh after copy (hooks, scripts)
+#   - executable = "no" for markdown-only components (agents, commands, modes)
+#   - skills handled specially via copy_skills()/sync_skills_update() for profile filtering
+# Used by: copy_all_components(), sync_all_components(), count_component_files()
+COMPONENTS=(
+    "agents:no"
+    "commands:no"
+    "skills:no"
+    "hooks:yes"
+    "modes:no"
+    "mcp:no"
+    "scripts:yes"
+)
 
 while [ $# -gt 0 ]; do
     case "$1" in
@@ -300,6 +329,10 @@ while [ $# -gt 0 ]; do
             DEMO_MODE=true
             shift
             ;;
+        --trust)
+            TRUST_SKILL=true
+            shift
+            ;;
         --publish-skill)
             PUBLISH_SKILL_PATH="$2"
             if [ -z "$PUBLISH_SKILL_PATH" ]; then
@@ -352,6 +385,10 @@ while [ $# -gt 0 ]; do
             fi
             shift 2
             ;;
+        --post-merge-hook)
+            POST_MERGE_HOOK_MODE=true
+            shift
+            ;;
         --version|-v)
             echo "CortexHawk $(get_version)"
             exit 0
@@ -455,7 +492,7 @@ if [ -n "$PACK_NAME" ]; then
         exit 1
     fi
     _skills_csv=$(echo "$_row" | awk -F'|' '{print $3}' | sed 's/^ *//;s/ *$//')
-    _description=$(echo "$_row" | awk -F'|' '{print $4}' | sed 's/^ *//;s/ *$//')
+    _description=$(echo "$_row" | awk -F'|' '{print $4}' | sed 's/^ *//;s/ *$//' | sed 's/"/\\"/g')
     _tmp_profile=$(mktemp /tmp/cortexhawk-pack-XXXXXX.json)
     {
         echo '{'
@@ -505,11 +542,12 @@ detect_installed_clis() {
 copy_skills() {
     local target_dir="$1"
     local profile="$2"
+    local source_dir="${3:-$SCRIPT_DIR}"
     if [ -z "$profile" ]; then
-        cp -r "$SCRIPT_DIR/skills/"* "$target_dir/skills/" 2>/dev/null || true
+        cp -r "$source_dir/skills/"* "$target_dir/skills/" 2>/dev/null || true
     else
         grep '"[a-z]' "$PROFILE_FILE" | sed 's/.*"\([a-z][^"]*\)".*/\1/' | grep '/' | while read -r skill; do
-            local src="$SCRIPT_DIR/skills/$skill"
+            local src="$source_dir/skills/$skill"
             local dest="$target_dir/skills/$skill"
             if [ ! -d "$src" ]; then
                 yellow "  Warning: skill '$skill' not found in source — skipping"
@@ -574,6 +612,9 @@ convert_modes_to_skills() {
     done
 }
 
+# NOTE: profiles/*.json contain an "mcp" field listing recommended servers, but install.sh
+# currently installs all mcp/*.json regardless of profile. Per-profile MCP filtering is planned
+# for a future phase of #137 (install.sh modularization).
 # merge_mcp_json(output_file) — merges mcp/*.json into single JSON file
 merge_mcp_json() {
     local output_file="$1"
@@ -582,7 +623,7 @@ merge_mcp_json() {
         [ -f "$mcp_file" ] || continue
         local server_name command_val args_val entry
         server_name=$(basename "$mcp_file" .json)
-        command_val=$(grep '"command"' "$mcp_file" | sed 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+        command_val=$(grep '"command"' "$mcp_file" | sed 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/' | sed 's/"/\\"/g')
         args_val=$(grep '"args"' "$mcp_file" | sed 's/.*"args"[[:space:]]*:[[:space:]]*\(\[.*\]\).*/\1/')
         entry="    \"$server_name\": {\n      \"command\": \"$command_val\",\n      \"args\": $args_val\n    }"
         if [ -n "$entries" ]; then
@@ -658,14 +699,18 @@ $target_dir/" "$gitignore"
     if [ -d "$project_root/docs" ] && ! grep -qx "docs/" "$gitignore" 2>/dev/null; then
         echo ""
         echo "  docs/ contains agent outputs (brainstorms, plans, research)."
-        read -r -p "  Track docs/ in git? [Y/n]: " docs_choice
+        if [ -t 0 ]; then
+            read -r -p "  Track docs/ in git? [Y/n]: " docs_choice
+        else
+            docs_choice="Y"
+        fi
         case "$docs_choice" in
             [nN]*)
                 echo "docs/" >> "$gitignore"
                 green "  Added docs/ to .gitignore"
                 ;;
             *)
-                green "  docs/ will be tracked in git"
+                green "  docs/ will be tracked in git (default)"
                 ;;
         esac
     fi
@@ -876,6 +921,10 @@ cleanup_update() {
 }
 
 update_source_git() {
+    if ! git -C "$SCRIPT_DIR" rev-parse --git-dir >/dev/null 2>&1; then
+        echo "  CortexHawk installed via npm — run: npm update -g cortexhawk"
+        exit 0
+    fi
     local current_branch
     current_branch=$(git -C "$SCRIPT_DIR" rev-parse --abbrev-ref HEAD 2>/dev/null || echo "main")
     if [ "$current_branch" != "main" ]; then
@@ -888,7 +937,8 @@ update_source_git() {
 }
 
 update_source_release() {
-    local tmp_dir="/tmp/cortexhawk-update-$$"
+    local tmp_dir
+    tmp_dir=$(mktemp -d /tmp/cortexhawk-update-XXXXXX)
     local repo_url
     repo_url=$(get_source_url)
     if [ -z "$repo_url" ] && [ -f "$TARGET/.cortexhawk-manifest" ]; then
@@ -899,13 +949,19 @@ update_source_release() {
         echo "Set CORTEXHAWK_REPO environment variable and retry"
         exit 1
     fi
-    mkdir -p "$tmp_dir"
     echo "  Downloading from $repo_url..."
-    if ! curl -sL "$repo_url/archive/refs/heads/main.tar.gz" | tar xz -C "$tmp_dir" --strip-components=1; then
+    local tarball="$tmp_dir/update.tar.gz"
+    if ! curl -sL "$repo_url/archive/refs/heads/main.tar.gz" -o "$tarball"; then
         echo "Error: failed to download latest release"
         rm -rf "$tmp_dir"
         exit 1
     fi
+    if ! tar xzf "$tarball" -C "$tmp_dir" --strip-components=1; then
+        echo "Error: failed to extract update archive"
+        rm -rf "$tmp_dir"
+        exit 1
+    fi
+    rm -f "$tarball"
     SCRIPT_DIR="$tmp_dir"
     UPDATE_CLEANUP_DIR="$tmp_dir"
 }
@@ -1097,431 +1153,46 @@ sync_skills_update() {
     fi
 }
 
-do_update() {
-    # 1. Validate target
-    if [ "$TARGET_CLI" != "claude" ]; then
-        echo "Error: --update is currently supported for Claude Code only"
-        echo "For Kimi CLI, re-run: install.sh --target kimi"
-        exit 1
-    fi
-
-    if [ "$GLOBAL" = true ]; then
-        TARGET="$HOME/.claude"
-    else
-        TARGET="$(pwd)/.claude"
-    fi
-
-    if [ ! -d "$TARGET" ]; then
-        echo "Error: no CortexHawk installation found at $TARGET"
-        echo "Run install.sh without --update for a fresh install"
-        exit 1
-    fi
-
-    # 2. Read manifest
-    local manifest="$TARGET/.cortexhawk-manifest"
-    local current_version="unknown"
-    local current_profile="all"
-    local source_type
-    source_type=$(detect_source_type)
-
-    if [ -f "$manifest" ]; then
-        current_version=$(grep '"version"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-        current_profile=$(grep '"profile"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-        local manifest_source
-        manifest_source=$(grep '"source"' "$manifest" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
-        [ -n "$manifest_source" ] && source_type="$manifest_source"
-    else
-        echo "  No manifest found — treating as pre-update installation"
-    fi
-
-    # 3. Profile override
-    local update_profile="$current_profile"
-    if [ -n "$PROFILE" ]; then
-        update_profile="$PROFILE"
-    fi
-
-    if [ "$DRY_RUN" = true ]; then
-        echo "CortexHawk Dry Run (update)"
-        echo "============================"
-    else
-        echo "CortexHawk Update"
-        echo "==================="
-    fi
-    echo "  Current version: $current_version"
-    echo "  Profile: $update_profile"
-    echo "  Source: $source_type"
-    echo ""
-
-    # 3b. Auto-snapshot before update (skip in dry-run)
-    if [ "$DRY_RUN" != true ] && [ -f "$manifest" ]; then
-        echo "Creating pre-update snapshot..."
-        do_snapshot 2>/dev/null
-        PRE_UPDATE_SNAP=$(ls -t "$TARGET/.cortexhawk-snapshots"/*.json 2>/dev/null | head -1)
-        [ -n "$PRE_UPDATE_SNAP" ] && echo "  Saved: $(basename "$PRE_UPDATE_SNAP")"
-        echo ""
-    fi
-
-    # 4. Pull source (skip in dry-run — compare against current source)
-    if [ "$DRY_RUN" != true ]; then
-        if [ "$source_type" = "git" ]; then
-            echo "Updating CortexHawk source via git pull..."
-            update_source_git
+# === Generic Component Operations ===
+# These use the COMPONENTS array to avoid hardcoding directory lists.
+
+# copy_all_components(source_dir, target_dir, profile)
+copy_all_components() {
+    local src="$1" dst="$2" profile="$3"
+    for entry in "${COMPONENTS[@]}"; do
+        IFS=':' read -r name exec_flag <<< "$entry"
+        [ -d "$src/$name" ] || continue
+        mkdir -p "$dst/$name"
+        if [ "$name" = "skills" ] && [ -n "$profile" ]; then
+            copy_skills "$dst" "$profile" "$src"
         else
-            echo "Updating CortexHawk source via download..."
-            update_source_release
-        fi
-        echo "  Source updated successfully."
-    fi
-
-    # 5. Compare versions
-    local new_version
-    new_version=$(get_version)
-    echo "  New version: $new_version"
-    echo ""
-
-    if [ "$current_version" = "$new_version" ] && [ "$FORCE_MODE" != true ]; then
-        # Same version — check if files actually changed (checksum comparison)
-        local files_changed=0
-        if [ -f "$manifest" ]; then
-            while IFS= read -r line; do
-                local fpath fhash
-                fpath=$(echo "$line" | sed 's/.*"\([^"]*\)": "sha256:\([^"]*\)".*/\1/')
-                fhash=$(echo "$line" | sed 's/.*"sha256:\([^"]*\)".*/\1/')
-                [ -z "$fpath" ] || [ -z "$fhash" ] && continue
-                local source_file="$SCRIPT_DIR/$fpath"
-                [ -f "$source_file" ] || continue
-                local source_hash
-                source_hash=$(compute_checksum "$source_file")
-                if [ "$fhash" != "$source_hash" ]; then
-                    files_changed=$((files_changed + 1))
-                fi
-            done < <(grep '"sha256:' "$manifest")
-        fi
-
-        if [ "$files_changed" -eq 0 ] && [ "$DRY_RUN" != true ]; then
-            # Still apply install improvements even if no component files changed
-            local target_dir_name=".${TARGET_CLI:-claude}"
-            update_gitignore "$(dirname "$TARGET")" "$target_dir_name"
-            [ "$TARGET_CLI" = "codex" ] && update_gitignore "$(dirname "$TARGET")" ".agents"
-            if [ ! -f "$TARGET/git-workflow.conf" ]; then
-                GIT_BRANCHING="direct-main"
-                GIT_COMMIT_CONVENTION="conventional"
-                GIT_PR_PREFERENCE="on-demand"
-                GIT_AUTO_PUSH="after-commit"
-                GIT_WORK_BRANCH=""
-                source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$(dirname "$TARGET")" "$TARGET"
-            fi
-            echo "Already up to date ($new_version). No component files changed."
-            cleanup_update
-            exit 0
-        elif [ "$files_changed" -gt 0 ]; then
-            echo "  Same version ($new_version) but $files_changed file(s) changed in source."
-        fi
-    fi
-
-    if [ "$DRY_RUN" = true ]; then
-        echo "  Comparing source $new_version vs installed $current_version"
-    elif [ "$current_version" = "$new_version" ]; then
-        echo "  Syncing changed files ($new_version)..."
-    else
-        echo "  Updating $current_version -> $new_version"
-    fi
-    echo ""
-
-    # Set up profile file for skill filtering
-    if [ -n "$update_profile" ] && [ "$update_profile" != "all" ]; then
-        PROFILE_FILE="$SCRIPT_DIR/profiles/${update_profile}.json"
-        if [ ! -f "$PROFILE_FILE" ]; then
-            echo "  Warning: profile '$update_profile' not found in source — installing all skills"
-            update_profile="all"
-            PROFILE_FILE=""
+            cp -r "$src/$name/"* "$dst/$name/" 2>/dev/null || true
         fi
-    fi
-
-    # 6. Reset counters and sync components
-    SYNC_ADDED=0
-    SYNC_UPDATED=0
-    SYNC_UNCHANGED=0
-    SYNC_SKIPPED=0
-    SYNC_CONFLICTS=0
-
-    sync_component "agents"
-    sync_component "commands"
-    sync_skills_update "$update_profile"
-    sync_component "hooks"
-    sync_component "modes"
-    sync_component "mcp"
-
-    # 6b. Sync agent personas from project root
-    local project_root
-    project_root="$(dirname "$TARGET")"
-    if [ -d "$project_root/.cortexhawk-agents" ] && [ "$DRY_RUN" != true ]; then
-        cp -r "$project_root/.cortexhawk-agents/"*.md "$TARGET/agents/" 2>/dev/null || true
-        local pc
-        pc=$(find "$project_root/.cortexhawk-agents" -name "*.md" -type f 2>/dev/null | wc -l | tr -d ' ')
-        [ "$pc" -gt 0 ] && echo "  Synced $pc agent persona(s) from .cortexhawk-agents/"
-    fi
-
-    # 7. Detect removed upstream files
-    if [ -f "$manifest" ]; then
-        while IFS= read -r line; do
-            local file_relpath
-            file_relpath=$(echo "$line" | sed 's/.*"\([^"]*\)": "sha256:.*/\1/')
-            [ -z "$file_relpath" ] && continue
-            if [ ! -f "$SCRIPT_DIR/$file_relpath" ] && [ -f "$TARGET/$file_relpath" ]; then
-                echo "  Warning: $file_relpath was removed upstream (kept locally)"
-            fi
-        done < <(grep '"sha256:' "$manifest")
-    fi
-
-    if [ "$DRY_RUN" != true ]; then
-        # Make hooks executable
-        chmod +x "$TARGET/hooks/"*.sh 2>/dev/null || true
-
-        # 7b. Regenerate settings.json hooks + merge new permissions from compose.yml
-        if [ -f "$SCRIPT_DIR/hooks/compose.yml" ]; then
-            local hooks_json
-            hooks_json=$(generate_hooks_config "$SCRIPT_DIR/hooks/compose.yml" ".claude/hooks")
-            if [ -n "$hooks_json" ] && [ "$hooks_json" != "{}" ]; then
-                echo "$hooks_json" | python3 -c "
-import json, sys
-hooks = json.load(sys.stdin)
-current = {}
-try:
-    with open(sys.argv[1]) as f:
-        current = json.load(f)
-except:
-    pass
-current['hooks'] = hooks
-# Merge new permissions from source
-try:
-    with open(sys.argv[2]) as f:
-        src_perms = json.load(f).get('permissions', {})
-    cur_perms = current.get('permissions', {})
-    for key in ('allow', 'deny'):
-        src_list = src_perms.get(key, [])
-        cur_list = cur_perms.get(key, [])
-        added = [p for p in src_list if p not in cur_list]
-        if added:
-            cur_list.extend(added)
-        cur_perms[key] = cur_list
-    current['permissions'] = cur_perms
-except:
-    pass
-with open(sys.argv[1], 'w') as f:
-    json.dump(current, f, indent=2)
-    f.write('\n')
-" "$TARGET/settings.json" "$SCRIPT_DIR/settings.json"
-                echo "  Regenerated settings.json hooks from compose.yml"
-            fi
-        fi
-
-        # 8. Write new manifest
-        write_manifest "$TARGET" "$update_profile" "$TARGET_CLI" true
-
-        # 9. Run audit
-        run_audit "$(dirname "$TARGET")"
-
-        # 10. Apply install improvements (gitignore, git-workflow defaults)
-        local target_dir_name=".${TARGET_CLI:-claude}"
-        update_gitignore "$(dirname "$TARGET")" "$target_dir_name"
-        [ "$TARGET_CLI" = "codex" ] && update_gitignore "$(dirname "$TARGET")" ".agents"
-        setup_templates "$(dirname "$TARGET")"
-
-        if [ ! -f "$TARGET/git-workflow.conf" ]; then
-            GIT_BRANCHING="direct-main"
-            GIT_COMMIT_CONVENTION="conventional"
-            GIT_PR_PREFERENCE="on-demand"
-            GIT_AUTO_PUSH="after-commit"
-            GIT_WORK_BRANCH=""
-            source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$(dirname "$TARGET")" "$TARGET"
-        fi
-    fi
-
-    # 10. Print summary
-    echo ""
-    if [ "$DRY_RUN" = true ]; then
-        echo "Dry run summary:"
-        echo "  Would add:     $SYNC_ADDED"
-        echo "  Would update:  $SYNC_UPDATED"
-        echo "  Unchanged:     $SYNC_UNCHANGED"
-        echo "  Would skip:    $SYNC_SKIPPED"
-        echo "  Conflicts:     $SYNC_CONFLICTS"
-        echo ""
-        echo "No files were modified (dry run)."
-    else
-        echo "Update complete: $current_version -> $new_version"
-        echo "  Added:     $SYNC_ADDED"
-        echo "  Updated:   $SYNC_UPDATED"
-        echo "  Unchanged: $SYNC_UNCHANGED"
-        echo "  Skipped:   $SYNC_SKIPPED"
-        echo "  Conflicts: $SYNC_CONFLICTS"
-        if [ -n "${PRE_UPDATE_SNAP:-}" ]; then
-            echo "  Rollback: install.sh --restore $PRE_UPDATE_SNAP"
-        fi
-        echo ""
-        echo "  To activate: exit your CLI (ctrl+c) and relaunch in this directory."
-    fi
-
-    cleanup_update
+        [ "$exec_flag" = "yes" ] && chmod +x "$dst/$name/"*.sh 2>/dev/null || true
+    done
 }
 
-# --- rotate_snapshots() ---
-# Keeps only the N most recent snapshots, deletes the rest
-rotate_snapshots() {
-    local snap_dir="$1"
-    local snaps
-    snaps=$(find "$snap_dir" -maxdepth 1 -name '*.json' -type f 2>/dev/null)
-    [ -z "$snaps" ] && return 0
-    local count
-    count=$(echo "$snaps" | wc -l | tr -d ' ')
-    if [ "$count" -gt "$MAX_SNAPSHOTS" ]; then
-        local to_delete=$((count - MAX_SNAPSHOTS))
-        ls -1t "$snap_dir"/*.json | tail -n "$to_delete" | while read -r old_snap; do
-            rm -f "$old_snap"
-        done
-        echo "  Rotated: removed $to_delete old snapshot(s), keeping $MAX_SNAPSHOTS"
-    fi
+# sync_all_components(profile)
+sync_all_components() {
+    local profile="$1"
+    for entry in "${COMPONENTS[@]}"; do
+        IFS=':' read -r name exec_flag <<< "$entry"
+        if [ "$name" = "skills" ]; then
+            sync_skills_update "$profile"
+        else
+            sync_component "$name"
+        fi
+    done
 }
 
-# --- do_snapshot() ---
-do_snapshot() {
-    if [ "$GLOBAL" = true ]; then
-        TARGET="$HOME/.claude"
-    else
-        TARGET="$(pwd)/.claude"
-    fi
-
-    local manifest="$TARGET/.cortexhawk-manifest"
-    if [ ! -f "$manifest" ]; then
-        echo "Error: no CortexHawk manifest found at $manifest"
-        echo "Run install.sh first to create an installation"
-        exit 1
-    fi
-
-    # Read manifest metadata
-    local version
-    version=$(grep '"version"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local profile
-    profile=$(grep '"profile"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local source_type
-    source_type=$(grep '"source"' "$manifest" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local source_url
-    source_url=$(grep '"source_url"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local source_path
-    source_path=$(grep '"source_path"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
-
-    # Read settings.json
-    local settings_json="null"
-    if [ -f "$TARGET/settings.json" ]; then
-        settings_json=$(cat "$TARGET/settings.json")
-    fi
-
-    # Read git-workflow.conf
-    local git_branching="" git_commit="" git_pr="" git_push=""
-    if [ -f "$TARGET/git-workflow.conf" ]; then
-        git_branching=$(grep '^BRANCHING=' "$TARGET/git-workflow.conf" | cut -d= -f2)
-        git_commit=$(grep '^COMMIT_CONVENTION=' "$TARGET/git-workflow.conf" | cut -d= -f2)
-        git_pr=$(grep '^PR_PREFERENCE=' "$TARGET/git-workflow.conf" | cut -d= -f2)
-        git_push=$(grep '^AUTO_PUSH=' "$TARGET/git-workflow.conf" | cut -d= -f2)
-    fi
-
-    # Read custom profile if applicable (use PROFILE_FILE from current run, never glob /tmp/)
-    local profile_def="null"
-    if [ -n "$PROFILE_FILE" ] && [ -f "$PROFILE_FILE" ]; then
-        profile_def=$(cat "$PROFILE_FILE")
-    fi
-
-    # Build files checksums from manifest
-    local files_json
-    files_json=$(sed -n '/"files"/,/^  }/p' "$manifest" | sed '1d;$d')
-
-    # Collect file contents (base64 encoded for binary safety)
-    local git_workflow_content="" claude_md_content=""
-    if [ -f "$TARGET/git-workflow.conf" ]; then
-        git_workflow_content=$(base64 < "$TARGET/git-workflow.conf" | tr -d '\n')
-    fi
-    if [ -f "$TARGET/../CLAUDE.md" ]; then
-        claude_md_content=$(base64 < "$TARGET/../CLAUDE.md" | tr -d '\n')
-    fi
-
-    # Generate snapshot
-    local now
-    now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-    local snap_name
-    snap_name=$(date -u +"%Y-%m-%d-%H%M%S")
-    local snap_dir="$TARGET/.cortexhawk-snapshots"
-    local snap_file="$snap_dir/${snap_name}.json"
-
-    mkdir -p "$snap_dir"
-
-    # Write snapshot JSON
-    printf '{\n' > "$snap_file"
-    printf '  "snapshot_version": "2",\n' >> "$snap_file"
-    printf '  "snapshot_date": "%s",\n' "$now" >> "$snap_file"
-    printf '  "cortexhawk_version": "%s",\n' "$version" >> "$snap_file"
-    printf '  "target": "claude",\n' >> "$snap_file"
-    printf '  "profile": "%s",\n' "$profile" >> "$snap_file"
-    printf '  "profile_definition": %s,\n' "$profile_def" >> "$snap_file"
-    printf '  "source": "%s",\n' "$source_type" >> "$snap_file"
-    printf '  "source_url": "%s",\n' "$source_url" >> "$snap_file"
-    printf '  "source_path": "%s",\n' "$source_path" >> "$snap_file"
-    printf '  "settings": %s,\n' "$settings_json" >> "$snap_file"
-    printf '  "git_workflow": {\n' >> "$snap_file"
-    printf '    "BRANCHING": "%s",\n' "$git_branching" >> "$snap_file"
-    printf '    "COMMIT_CONVENTION": "%s",\n' "$git_commit" >> "$snap_file"
-    printf '    "PR_PREFERENCE": "%s",\n' "$git_pr" >> "$snap_file"
-    printf '    "AUTO_PUSH": "%s"\n' "$git_push" >> "$snap_file"
-    printf '  },\n' >> "$snap_file"
-    printf '  "files": {\n' >> "$snap_file"
-    printf '%s\n' "$files_json" >> "$snap_file"
-    printf '  },\n' >> "$snap_file"
-    printf '  "file_contents": {\n' >> "$snap_file"
-    [ -n "$git_workflow_content" ] && printf '    "git-workflow.conf": "%s",\n' "$git_workflow_content" >> "$snap_file"
-    [ -n "$claude_md_content" ] && printf '    "CLAUDE.md": "%s",\n' "$claude_md_content" >> "$snap_file"
-    # Remove trailing comma from last entry
-    sed_inplace '$ s/,$//' "$snap_file"
-    printf '  }\n' >> "$snap_file"
-    printf '}\n' >> "$snap_file"
-
-    echo "CortexHawk Snapshot"
-    echo "====================="
-    echo "  Version:  $version"
-    echo "  Profile:  $profile"
-    echo "  Target:   $TARGET"
-    echo "  Saved to: $snap_file"
-
-    # Create portable archive if requested
-    if [ "$PORTABLE_MODE" = true ]; then
-        local archive_name="${snap_name}.tar.gz"
-        local archive_path="$snap_dir/$archive_name"
-        local tmp_dir
-        tmp_dir=$(mktemp -d)
-
-        # Copy snapshot and files to temp structure
-        cp "$snap_file" "$tmp_dir/snapshot.json"
-        mkdir -p "$tmp_dir/files"
-        cp -r "$TARGET/agents" "$tmp_dir/files/" 2>/dev/null || true
-        cp -r "$TARGET/commands" "$tmp_dir/files/" 2>/dev/null || true
-        cp -r "$TARGET/skills" "$tmp_dir/files/" 2>/dev/null || true
-        cp -r "$TARGET/hooks" "$tmp_dir/files/" 2>/dev/null || true
-        cp -r "$TARGET/modes" "$tmp_dir/files/" 2>/dev/null || true
-        cp -r "$TARGET/mcp" "$tmp_dir/files/" 2>/dev/null || true
-        cp "$TARGET/settings.json" "$tmp_dir/files/" 2>/dev/null || true
-        cp "$TARGET/git-workflow.conf" "$tmp_dir/files/" 2>/dev/null || true
-
-        # Create archive
-        tar -czf "$archive_path" -C "$tmp_dir" .
-        rm -rf "$tmp_dir"
-
-        echo "  Archive:  $archive_path"
-        echo ""
-        echo "Restore with: install.sh --restore $archive_path"
-    else
-        rotate_snapshots "$snap_dir"
-        echo ""
-        echo "Restore with: install.sh --restore $snap_file"
-    fi
+# count_component_files(source_dir)
+count_component_files() {
+    local src="$1"
+    for entry in "${COMPONENTS[@]}"; do
+        IFS=':' read -r name _ <<< "$entry"
+        local c; c=$(find "$src/$name" -type f 2>/dev/null | wc -l | tr -d ' ')
+        printf "  %-12s %s files\n" "$name/" "$c"
+    done
 }
 
 # --- do_snapshots_list() ---
@@ -1873,370 +1544,6 @@ do_export_team() {
     echo "Share this file with your team. Install with: install.sh --team"
 }
 
-# --- do_restore() ---
-do_restore() {
-    local snap_file="$1"
-    local archive_tmp=""
-    local portable_files=""
-
-    if [ -z "$snap_file" ] || [ ! -f "$snap_file" ]; then
-        echo "Error: snapshot file not found: $snap_file"
-        exit 1
-    fi
-
-    # Handle portable archive (.tar.gz)
-    if [[ "$snap_file" == *.tar.gz ]]; then
-        archive_tmp=$(mktemp -d)
-        tar -xzf "$snap_file" -C "$archive_tmp"
-        snap_file="$archive_tmp/snapshot.json"
-        portable_files="$archive_tmp/files"
-        if [ ! -f "$snap_file" ]; then
-            echo "Error: invalid archive — snapshot.json not found"
-            rm -rf "$archive_tmp"
-            exit 1
-        fi
-        echo "Extracting portable archive..."
-    fi
-
-    # Extract metadata from snapshot
-    local snap_version
-    snap_version=$(grep '"cortexhawk_version"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local snap_profile
-    snap_profile=$(grep '"profile"' "$snap_file" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local snap_source
-    snap_source=$(grep '"source"' "$snap_file" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local snap_source_url
-    snap_source_url=$(grep '"source_url"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    local snap_source_path
-    snap_source_path=$(grep '"source_path"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-
-    echo "CortexHawk Restore"
-    echo "====================="
-    echo "  Snapshot version: $snap_version"
-    echo "  Profile: $snap_profile"
-    echo "  Source: $snap_source"
-    echo ""
-
-    # Determine CortexHawk source
-    local restore_source="$SCRIPT_DIR"
-    if [ "$snap_source" = "git" ] && [ -n "$snap_source_path" ] && [ -d "$snap_source_path" ]; then
-        restore_source="$snap_source_path"
-    fi
-    if [ ! -d "$restore_source/agents" ]; then
-        echo "Error: CortexHawk source not found at $restore_source"
-        echo "Ensure the CortexHawk repo is available or set CORTEXHAWK_REPO"
-        exit 1
-    fi
-
-    # Warn if source version differs from snapshot
-    local current_version
-    current_version=$(get_version)
-    if [ "$snap_version" != "$current_version" ]; then
-        echo "  Warning: snapshot is v$snap_version but source is v$current_version"
-        echo "  Some file checksums may not match"
-        echo ""
-    fi
-
-    # Set profile for reinstall
-    if [ -n "$snap_profile" ] && [ "$snap_profile" != "all" ]; then
-        PROFILE="$snap_profile"
-        PROFILE_FILE="$restore_source/profiles/${snap_profile}.json"
-        if [ ! -f "$PROFILE_FILE" ]; then
-            echo "  Warning: profile '$snap_profile' not found — installing all skills"
-            PROFILE=""
-            PROFILE_FILE=""
-        fi
-    fi
-
-    # Determine target
-    if [ "$GLOBAL" = true ]; then
-        TARGET="$HOME/.claude"
-    else
-        TARGET="$(pwd)/.claude"
-    fi
-
-    # Save the original SCRIPT_DIR, use snapshot source
-    local orig_script_dir="$SCRIPT_DIR"
-    SCRIPT_DIR="$restore_source"
-
-    # Reinstall using the standard flow
-    echo "Reinstalling CortexHawk components..."
-    mkdir -p "$TARGET"/{agents,commands,skills,hooks,modes,mcp}
-
-    # Use portable archive files if available, otherwise use source repo
-    if [ -n "$portable_files" ] && [ -d "$portable_files" ]; then
-        echo "  Using files from portable archive..."
-        cp -r "$portable_files/agents/"* "$TARGET/agents/" 2>/dev/null || true
-        cp -r "$portable_files/commands/"* "$TARGET/commands/" 2>/dev/null || true
-        cp -r "$portable_files/skills/"* "$TARGET/skills/" 2>/dev/null || true
-        cp -r "$portable_files/hooks/"* "$TARGET/hooks/" 2>/dev/null || true
-        cp -r "$portable_files/modes/"* "$TARGET/modes/" 2>/dev/null || true
-        cp -r "$portable_files/mcp/"* "$TARGET/mcp/" 2>/dev/null || true
-    else
-        cp -r "$SCRIPT_DIR/agents/"* "$TARGET/agents/" 2>/dev/null || true
-        cp -r "$SCRIPT_DIR/commands/"* "$TARGET/commands/" 2>/dev/null || true
-        copy_skills "$TARGET" "$PROFILE"
-        cp -r "$SCRIPT_DIR/hooks/"* "$TARGET/hooks/" 2>/dev/null || true
-        cp -r "$SCRIPT_DIR/modes/"* "$TARGET/modes/" 2>/dev/null || true
-        cp -r "$SCRIPT_DIR/mcp/"* "$TARGET/mcp/" 2>/dev/null || true
-    fi
-    chmod +x "$TARGET/hooks/"*.sh 2>/dev/null || true
-
-    # Restore settings.json from snapshot
-    if command -v python3 >/dev/null 2>&1; then
-        python3 -c "
-import json, sys
-with open(sys.argv[1]) as f:
-    snap = json.load(f)
-settings = snap.get('settings')
-if settings is not None:
-    with open(sys.argv[2], 'w') as f:
-        json.dump(settings, f, indent=2)
-        f.write('\n')
-    print('  Restored settings.json')
-" "$snap_file" "$TARGET/settings.json"
-    else
-        echo "  Warning: python3 not found — settings.json not restored from snapshot"
-    fi
-
-    # Restore git-workflow.conf from snapshot
-    local branching commit_conv pr_pref auto_push
-    branching=$(grep '"BRANCHING"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    commit_conv=$(grep '"COMMIT_CONVENTION"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    pr_pref=$(grep '"PR_PREFERENCE"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-    auto_push=$(grep '"AUTO_PUSH"' "$snap_file" | sed 's/.*: *"\([^"]*\)".*/\1/')
-
-    if [ -n "$branching" ] || [ -n "$commit_conv" ] || [ -n "$pr_pref" ] || [ -n "$auto_push" ]; then
-        {
-            echo "BRANCHING=$branching"
-            echo "COMMIT_CONVENTION=$commit_conv"
-            echo "PR_PREFERENCE=$pr_pref"
-            echo "AUTO_PUSH=$auto_push"
-        } > "$TARGET/git-workflow.conf"
-        echo "  Restored git-workflow.conf (from git_workflow keys)"
-    fi
-
-    # Restore file_contents (snapshot v2) — overwrites git-workflow.conf if present
-    if grep -q '"file_contents"' "$snap_file" && command -v python3 >/dev/null 2>&1; then
-        python3 -c "
-import json, base64, sys, os
-snap_file, target_dir = sys.argv[1], sys.argv[2]
-with open(snap_file) as f:
-    snap = json.load(f)
-contents = snap.get('file_contents', {})
-for filename, b64data in contents.items():
-    try:
-        data = base64.b64decode(b64data).decode('utf-8')
-        if filename == 'CLAUDE.md':
-            target_path = os.path.dirname(target_dir) + '/CLAUDE.md'
-        else:
-            target_path = target_dir + '/' + filename
-        os.makedirs(os.path.dirname(target_path), exist_ok=True)
-        with open(target_path, 'w') as f:
-            f.write(data)
-        print(f'  Restored {filename} (from file_contents)')
-    except Exception as e:
-        print(f'  Warning: could not restore {filename}: {e}', file=sys.stderr)
-" "$snap_file" "$TARGET"
-    fi
-
-    # Write new manifest
-    write_manifest "$TARGET" "$PROFILE" "claude" false
-
-    # Verify checksums against snapshot
-    local verified=0 mismatched=0 missing=0
-    while IFS= read -r line; do
-        local file_relpath
-        file_relpath=$(echo "$line" | sed 's/.*"\([^"]*\)": "sha256:\([^"]*\)".*/\1/')
-        local expected_checksum
-        expected_checksum=$(echo "$line" | sed 's/.*"sha256:\([^"]*\)".*/\1/')
-        [ -z "$file_relpath" ] || [ -z "$expected_checksum" ] && continue
-
-        local target_file="$TARGET/$file_relpath"
-        if [ ! -f "$target_file" ]; then
-            missing=$((missing + 1))
-        else
-            local actual_checksum
-            actual_checksum=$(compute_checksum "$target_file")
-            if [ "$actual_checksum" = "$expected_checksum" ]; then
-                verified=$((verified + 1))
-            else
-                mismatched=$((mismatched + 1))
-            fi
-        fi
-    done < <(grep '"sha256:' "$snap_file")
-
-    SCRIPT_DIR="$orig_script_dir"
-
-    echo ""
-    echo "Restore complete"
-    echo "  Verified:   $verified files match snapshot checksums"
-    [ "$mismatched" -gt 0 ] && echo "  Mismatched: $mismatched files differ (source version may differ from snapshot)"
-    [ "$missing" -gt 0 ] && echo "  Missing:    $missing files not found in source"
-    echo ""
-    echo "  To activate: exit your CLI (ctrl+c) and relaunch in this directory."
-
-    # Cleanup temp dir from portable archive
-    [ -n "$archive_tmp" ] && rm -rf "$archive_tmp"
-}
-
-# --- do_doctor() ---
-# Diagnose installation health
-do_doctor() {
-    if [ "$GLOBAL" = true ]; then
-        TARGET="$HOME/.claude"
-    else
-        TARGET="$(pwd)/.claude"
-    fi
-
-    local ok=0 warn=0 err=0
-    _doc_ok()   { echo "  [OK]   $1"; ok=$((ok+1)); }
-    _doc_warn() { echo "  [WARN] $1"; warn=$((warn+1)); }
-    _doc_err()  { echo "  [ERR]  $1"; err=$((err+1)); }
-
-    # Header
-    local version="" profile="" target_cli_name=""
-    if [ -f "$TARGET/.cortexhawk-manifest" ]; then
-        version=$(grep -o '"version": "[^"]*"' "$TARGET/.cortexhawk-manifest" | head -1 | cut -d'"' -f4)
-        profile=$(grep -o '"profile": "[^"]*"' "$TARGET/.cortexhawk-manifest" | head -1 | cut -d'"' -f4)
-        target_cli_name=$(grep -o '"target": "[^"]*"' "$TARGET/.cortexhawk-manifest" | head -1 | cut -d'"' -f4)
-    fi
-    echo "CortexHawk Doctor"
-    echo "==================="
-    echo "  Installation: $TARGET"
-    echo "  Version:      ${version:-unknown}"
-    echo "  Profile:      ${profile:-unknown}"
-    echo "  Target:       ${target_cli_name:-claude}"
-    echo ""
-    echo "Checks:"
-
-    # 1. Manifest
-    if [ -f "$TARGET/.cortexhawk-manifest" ]; then
-        _doc_ok "Manifest present"
-    else
-        _doc_err "Manifest missing — run install.sh to create an installation"
-    fi
-
-    # 2. settings.json valid JSON
-    if [ -f "$TARGET/settings.json" ]; then
-        if python3 -c "import json,sys; json.load(open(sys.argv[1]))" "$TARGET/settings.json" 2>/dev/null; then
-            _doc_ok "settings.json valid JSON"
-        else
-            _doc_err "settings.json invalid JSON"
-        fi
-    else
-        _doc_warn "settings.json not found"
-    fi
-
-    # 3. Component counts (compare installed vs source)
-    for comp in agents commands modes; do
-        local installed=0 source_count=0
-        installed=$(find "$TARGET/$comp" -name "*.md" -type f 2>/dev/null | wc -l)
-        source_count=$(find "$SCRIPT_DIR/$comp" -name "*.md" -type f 2>/dev/null | wc -l)
-        if [ "$installed" -eq "$source_count" ] 2>/dev/null; then
-            _doc_ok "$installed/$source_count $comp installed"
-        elif [ "$installed" -gt 0 ] 2>/dev/null; then
-            _doc_warn "$installed/$source_count $comp installed"
-        else
-            _doc_err "0/$source_count $comp installed"
-        fi
-    done
-
-    # 4. Skills (profile-dependent, just count what's there)
-    local skills_installed=0 skills_source=0
-    skills_installed=$(find "$TARGET/skills" -name "*.md" -type f 2>/dev/null | wc -l)
-    skills_source=$(find "$SCRIPT_DIR/skills" -name "*.md" -type f 2>/dev/null | wc -l)
-    if [ "$skills_installed" -gt 0 ] 2>/dev/null; then
-        _doc_ok "$skills_installed/$skills_source skills installed (profile: ${profile:-all})"
-    else
-        _doc_err "No skills installed"
-    fi
-
-    # 5. Hooks executable
-    local hooks_ok=0 hooks_total=0
-    for hook in "$TARGET/hooks/"*.sh; do
-        [ -f "$hook" ] || continue
-        hooks_total=$((hooks_total+1))
-        if [ -x "$hook" ]; then
-            hooks_ok=$((hooks_ok+1))
-        else
-            _doc_warn "Hook not executable: $(basename "$hook")"
-        fi
-    done
-    if [ "$hooks_total" -gt 0 ]; then
-        if [ "$hooks_ok" -eq "$hooks_total" ]; then
-            _doc_ok "$hooks_ok/$hooks_total hooks executable"
-        fi
-    else
-        _doc_warn "No hooks found"
-    fi
-
-    # 6. compose.yml vs settings.json coherence
-    if [ -f "$TARGET/../hooks/compose.yml" ] || [ -f "$SCRIPT_DIR/hooks/compose.yml" ]; then
-        _doc_ok "compose.yml present"
-    fi
-
-    # 7. MCP configs
-    if [ -d "$TARGET/mcp" ] && [ "$(find "$TARGET/mcp" -type f 2>/dev/null | wc -l)" -gt 0 ]; then
-        _doc_ok "MCP configs present"
-    elif [ -d "$TARGET/mcp" ]; then
-        _doc_warn "MCP directory exists but empty"
-    fi
-
-    # 8. docs/ workspace
-    local project_root
-    project_root="$(dirname "$TARGET")"
-    if [ -d "$project_root/docs" ]; then
-        _doc_ok "docs/ workspace exists"
-    else
-        _doc_warn "docs/ workspace missing"
-    fi
-
-    # 9. Broken symlinks in docs/plans/
-    local broken=0
-    if [ -d "$project_root/docs/plans" ]; then
-        while IFS= read -r link; do
-            [ -z "$link" ] && continue
-            _doc_warn "Broken symlink: $link"
-            broken=$((broken+1))
-        done < <(find "$project_root/docs/plans" -type l ! -exec test -e {} \; -print 2>/dev/null)
-        [ "$broken" -eq 0 ] && _doc_ok "No broken symlinks in docs/plans/"
-    fi
-
-    # 10. git-workflow.conf
-    if [ -f "$TARGET/git-workflow.conf" ]; then
-        _doc_ok "git-workflow.conf present"
-    else
-        _doc_warn "git-workflow.conf not found (run --init to configure)"
-    fi
-
-    # 11. CLAUDE.md at project root
-    if [ -f "$project_root/CLAUDE.md" ]; then
-        _doc_ok "CLAUDE.md present at project root"
-    else
-        _doc_warn "CLAUDE.md not found at project root"
-    fi
-
-    # 12. Version match source vs manifest
-    if [ -n "$version" ]; then
-        local source_version
-        source_version=$(get_version)
-        if [ "$version" = "$source_version" ]; then
-            _doc_ok "Version match: source $source_version = manifest $version"
-        else
-            _doc_warn "Version mismatch: source $source_version != manifest $version (run --update)"
-        fi
-    fi
-
-    # Summary
-    echo ""
-    echo "Summary: $ok OK, $warn WARN, $err ERR"
-
-    # Exit code: 1 if any errors
-    [ "$err" -gt 0 ] && exit 1
-    return 0
-}
-
 # --- do_uninstall() ---
 # Remove CortexHawk installation cleanly
 do_uninstall() {
@@ -2707,10 +2014,17 @@ do_add_skill() {
         exit 1
     fi
 
-    # Security warning if scripts present
+    # Security gate: block skills with executable scripts unless --trust is used
     if find "$tmp_dir/repo" -name "*.sh" -o -name "*.py" 2>/dev/null | grep -q .; then
-        echo "  Warning: this skill contains executable scripts"
-        echo "  Review them before use: $skill_dir/scripts/"
+        if [ "${TRUST_SKILL:-false}" = true ]; then
+            yellow "  Warning: this skill contains executable scripts — installing with --trust"
+        else
+            echo "  ERROR: This skill contains executable scripts (.sh/.py)."
+            echo "  Re-run with --trust to install: install.sh --add-skill $ADD_SKILL_URL --trust"
+            echo "  Review the source first: $ADD_SKILL_URL"
+            rm -rf "$tmp_dir"
+            exit 1
+        fi
     fi
 
     # Create community directory if needed
@@ -2831,7 +2145,8 @@ do_team_install() {
 
     # Generate temporary profile JSON from skills list
     if [ -n "$TEAM_SKILLS" ]; then
-        local tmp_profile="/tmp/cortexhawk-team-$$.json"
+        local tmp_profile
+        tmp_profile=$(mktemp /tmp/cortexhawk-team-XXXXXX.json)
         printf '{\n  "name": "team",\n  "skills": [\n' > "$tmp_profile"
         local first=true
         while IFS= read -r skill; do
@@ -2907,172 +2222,37 @@ do_team_install() {
     echo "Team install complete."
 }
 
-# --- install_claude() ---
-install_claude() {
-    if [ "$GLOBAL" = true ]; then
-        TARGET="$HOME/.claude"
-    else
-        TARGET="$(pwd)/.claude"
-    fi
-
-    if [ "$DRY_RUN" = true ]; then
-        echo "CortexHawk Dry Run (install)"
-        echo "=============================="
-        echo "  Target:  $TARGET"
-        echo "  Profile: ${PROFILE:-all}"
-        echo ""
-        echo "Would install:"
-        for comp in agents commands hooks modes mcp; do
-            local c; c=$(find "$SCRIPT_DIR/$comp" -type f 2>/dev/null | wc -l | tr -d ' ')
-            printf "  %-12s %s files\n" "$comp/" "$c"
-        done
-        local sc; sc=$(find "$SCRIPT_DIR/skills" -type f 2>/dev/null | wc -l | tr -d ' ')
-        printf "  %-12s %s files\n" "skills/" "$sc"
-        echo "  settings.json"
-        [ ! -f "$(pwd)/CLAUDE.md" ] && echo "  CLAUDE.md"
-        echo ""
-        echo "No files were modified (dry run)."
-        return
+# --- install_git_post_merge_hook(project_root) ---
+# Installs .git/hooks/post-merge to auto-run cleanup after git merge (opt-in)
+install_git_post_merge_hook() {
+    local project_root="${1:-$(pwd)}"
+    local git_dir="$project_root/.git"
+    if [ ! -d "$git_dir" ]; then
+        yellow "  Warning: no .git directory found — skipping post-merge hook"
+        return 0
     fi
-
-    echo "Installing for Claude Code to project: $TARGET"
-
-    mkdir -p "$TARGET"/{agents,commands,skills,hooks,modes,mcp}
-
-    cp -r "$SCRIPT_DIR/agents/"* "$TARGET/agents/" 2>/dev/null || true
-    # Copy agent personas from project root if present
-    local project_root
-    project_root="$(dirname "$TARGET")"
-    if [ -d "$project_root/.cortexhawk-agents" ]; then
-        cp -r "$project_root/.cortexhawk-agents/"*.md "$TARGET/agents/" 2>/dev/null || true
-        local persona_count
-        persona_count=$(find "$project_root/.cortexhawk-agents" -name "*.md" -type f 2>/dev/null | wc -l | tr -d ' ')
-        [ "$persona_count" -gt 0 ] && echo "  Loaded $persona_count agent persona(s) from .cortexhawk-agents/"
-    fi
-    cp -r "$SCRIPT_DIR/commands/"* "$TARGET/commands/" 2>/dev/null || true
-    copy_skills "$TARGET" "$PROFILE"
-    cp -r "$SCRIPT_DIR/hooks/"* "$TARGET/hooks/" 2>/dev/null || true
-    cp -r "$SCRIPT_DIR/modes/"* "$TARGET/modes/" 2>/dev/null || true
-    cp -r "$SCRIPT_DIR/mcp/"* "$TARGET/mcp/" 2>/dev/null || true
-
-    local hooks_json
-    hooks_json=$(generate_hooks_config "$SCRIPT_DIR/hooks/compose.yml" ".claude/hooks")
-    if [ ! -f "$TARGET/settings.json" ]; then
-        # Fresh install: generate settings.json from scratch
-        if [ -n "$hooks_json" ] && [ "$hooks_json" != "{}" ]; then
-            echo "$hooks_json" | python3 -c "
-import json, sys
-hooks = json.load(sys.stdin)
-with open(sys.argv[1]) as f:
-    permissions = json.load(f).get('permissions', {})
-with open(sys.argv[2], 'w') as f:
-    json.dump({'permissions': permissions, 'hooks': hooks}, f, indent=2)
-    f.write('\n')
-" "$SCRIPT_DIR/settings.json" "$TARGET/settings.json"
-            echo "  Generated settings.json from hooks/compose.yml"
+    mkdir -p "$git_dir/hooks"
+    local hook_path="$git_dir/hooks/post-merge"
+    if [ -f "$hook_path" ]; then
+        if grep -q "CortexHawk" "$hook_path" 2>/dev/null; then
+            echo "  post-merge hook: already installed"
         else
-            cp "$SCRIPT_DIR/settings.json" "$TARGET/settings.json"
-        fi
-    else
-        # Merge: preserve user customizations, add new hooks + permissions
-        python3 -c "
-import json, sys, shutil, os
-
-raw = sys.stdin.read().strip()
-hooks = json.loads(raw) if raw else {}
-
-# Load current settings (tolerate corrupted JSON)
-try:
-    with open(sys.argv[1]) as f:
-        current = json.load(f)
-except Exception:
-    backup = sys.argv[1] + '.bak'
-    if os.path.isfile(sys.argv[1]):
-        shutil.copy2(sys.argv[1], backup)
-        print(f'  Warning: settings.json corrupted — backed up to {os.path.basename(backup)}', file=sys.stderr)
-    current = {}
-
-try:
-    with open(sys.argv[2]) as f:
-        source = json.load(f)
-except Exception:
-    source = {}
-
-changes = []
-
-# Merge hooks (regenerate from compose.yml)
-if hooks and hooks != {}:
-    current['hooks'] = hooks
-    changes.append('hooks regenerated')
-
-# Merge permissions (union: keep user additions + add new from source)
-src_perms = source.get('permissions', {})
-cur_perms = current.get('permissions', {})
-for key in ('allow', 'deny'):
-    src_list = src_perms.get(key, [])
-    cur_list = cur_perms.get(key, [])
-    added = [p for p in src_list if p not in cur_list]
-    if added:
-        cur_list.extend(added)
-        changes.append(f'{len(added)} new {key} permission(s)')
-    cur_perms[key] = cur_list
-current['permissions'] = cur_perms
-
-with open(sys.argv[1], 'w') as f:
-    json.dump(current, f, indent=2)
-    f.write('\n')
-
-if changes:
-    print('  Merged settings.json: ' + ', '.join(changes))
-else:
-    print('  settings.json up to date — no merge needed')
-" "$TARGET/settings.json" "$SCRIPT_DIR/settings.json" <<< "${hooks_json:-}"
-    fi
-
-    PROJECT_ROOT="$(dirname "$TARGET")"
-    if [ ! -f "$PROJECT_ROOT/CLAUDE.md" ]; then
-        cp "$SCRIPT_DIR/CLAUDE.md" "$PROJECT_ROOT/CLAUDE.md"
-    else
-        echo "CLAUDE.md already exists — skipping"
-    fi
-
-    # Git workflow config (interactive in --init, defaults otherwise)
-    if [ "$GLOBAL" = false ]; then
-        if [ "$INIT_MODE" = true ]; then
-            source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$PROJECT_ROOT" "$TARGET"
-        elif [ ! -f "$TARGET/git-workflow.conf" ]; then
-            # Apply sensible defaults without asking
-            GIT_BRANCHING="direct-main"
-            GIT_COMMIT_CONVENTION="conventional"
-            GIT_PR_PREFERENCE="on-demand"
-            GIT_AUTO_PUSH="after-commit"
-            GIT_WORK_BRANCH=""
-            source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$PROJECT_ROOT" "$TARGET"
+            yellow "  post-merge hook: skipped (custom hook exists at .git/hooks/post-merge)"
         fi
+        return 0
     fi
-
-    chmod +x "$TARGET/hooks/"*.sh 2>/dev/null || true
-
-    # Write manifest for future updates
-    write_manifest "$TARGET" "$PROFILE" "claude" false
-
-    # Create docs/ workspace for agent outputs (local only)
-    if [ "$GLOBAL" = false ]; then
-        create_docs_workspace "$(dirname "$TARGET")"
-    fi
-
-    run_audit "$(dirname "$TARGET")"
-    update_gitignore "$(dirname "$TARGET")" ".claude"
-    setup_templates "$(dirname "$TARGET")"
-
-    echo ""
-    echo "CortexHawk installed successfully for Claude Code!"
-    echo ""
-    echo "  33 commands | 20 agents | 36 skills | 9 hooks | 7 modes"
-    echo ""
-    do_quickstart
-    echo ""
-    echo "  To activate: exit Claude Code (ctrl+c) and relaunch 'claude' in this directory."
+    # Write hook — calls cleanup script in auto mode, never blocks the merge
+    cat > "$hook_path" <<'GITHOOK'
+#!/bin/bash
+# post-merge — CortexHawk auto-cleanup after git merge
+# Installed by CortexHawk. Remove this file to disable.
+if [ -f ".claude/scripts/post-merge-cleanup.sh" ]; then
+    bash ".claude/scripts/post-merge-cleanup.sh" --auto 2>/dev/null || true
+fi
+exit 0
+GITHOOK
+    chmod +x "$hook_path"
+    green "  → native git post-merge hook installed (.git/hooks/post-merge)"
 }
 
 # --- install_kimi() ---
@@ -3330,7 +2510,8 @@ do_test_hooks() {
     echo ""
 
     local ok=0 fail=0
-    local tmpfile="/tmp/.cortexhawk-hooktest-$$"
+    local tmpfile
+    tmpfile=$(mktemp /tmp/.cortexhawk-hooktest-XXXXXX)
     echo "test file content" > "$tmpfile"
 
     for hook in "$hooks_dir"/*.sh; do
@@ -3668,9 +2849,11 @@ do_publish_skill() {
     # Create GitHub repo
     echo ""
     echo "  Creating repository..."
+    local repo_exists=false
     if gh repo view "$gh_user/$repo_name" &>/dev/null; then
         echo "  Repository already exists: $gh_user/$repo_name"
         echo "  Pushing latest files..."
+        repo_exists=true
     else
         gh repo create "$repo_name" --public --description "CortexHawk skill: $skill_desc" --clone=false
     fi
@@ -3694,7 +2877,11 @@ do_publish_skill() {
     git commit --quiet -m "feat: publish $skill_name skill"
     git branch -M main
     git remote add origin "https://github.com/$gh_user/$repo_name.git"
-    git push -u origin main --force --quiet 2>/dev/null
+    if [ "$repo_exists" = true ]; then
+        git push -u origin main --quiet 2>/dev/null
+    else
+        git push -u origin main --force --quiet 2>/dev/null
+    fi
     cd - >/dev/null
 
     # Cleanup
@@ -3729,7 +2916,8 @@ do_publish_skill() {
 
 # --- do_demo() ---
 do_demo() {
-    local demo_dir="/tmp/cortexhawk-demo-$$"
+    local demo_dir
+    demo_dir=$(mktemp -d /tmp/cortexhawk-demo-XXXXXX)
     mkdir -p "$demo_dir"
 
     echo ""
@@ -3851,6 +3039,13 @@ UTILSJS
     echo ""
 }
 
+# --- Source extracted modules ---
+source "$SCRIPT_DIR/scripts/install-claude.sh"
+source "$SCRIPT_DIR/scripts/update.sh"
+source "$SCRIPT_DIR/scripts/snapshot.sh"
+source "$SCRIPT_DIR/scripts/restore.sh"
+source "$SCRIPT_DIR/scripts/doctor.sh"
+
 # --- Dispatcher ---
 if [ "$DEMO_MODE" = true ]; then
     do_demo
@@ -3892,6 +3087,8 @@ elif [ -n "$ENABLE_HOOK" ]; then
     do_toggle_hook "$ENABLE_HOOK" "enable"
 elif [ -n "$DISABLE_HOOK" ]; then
     do_toggle_hook "$DISABLE_HOOK" "disable"
+elif [ "$POST_MERGE_HOOK_MODE" = true ]; then
+    install_git_post_merge_hook "$(pwd)"
 elif [ -n "$SEARCH_KEYWORD" ]; then
     do_search_skills "$SEARCH_KEYWORD"
 elif [ -n "$ADD_SKILL_URL" ]; then