cortexhawk 3.2.0 → 3.3.1

package/scripts/update.sh

@@ -0,0 +1,280 @@
+#!/bin/bash
+# update.sh — CortexHawk update flow
+# Sourced by install.sh when --update is used
+# Uses shared functions: detect_source_type, get_version, do_snapshot, update_source_git,
+#   update_source_release, compute_checksum, sync_all_components, generate_hooks_config,
+#   write_manifest, run_audit, update_gitignore, setup_templates, cleanup_update
+
+do_update() {
+    # 1. Validate target
+    if [ "$TARGET_CLI" != "claude" ]; then
+        echo "Error: --update is currently supported for Claude Code only"
+        echo "For Kimi CLI, re-run: install.sh --target kimi"
+        exit 1
+    fi
+
+    if [ "$GLOBAL" = true ]; then
+        TARGET="$HOME/.claude"
+    else
+        TARGET="$(pwd)/.claude"
+    fi
+
+    if [ ! -d "$TARGET" ]; then
+        echo "Error: no CortexHawk installation found at $TARGET"
+        echo "Run install.sh without --update for a fresh install"
+        exit 1
+    fi
+
+    # 2. Read manifest
+    local manifest="$TARGET/.cortexhawk-manifest"
+    local current_version="unknown"
+    local current_profile="all"
+    local source_type
+    source_type=$(detect_source_type)
+
+    if [ -f "$manifest" ]; then
+        current_version=$(grep '"version"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
+        current_profile=$(grep '"profile"' "$manifest" | sed 's/.*: *"\([^"]*\)".*/\1/')
+        local manifest_source
+        manifest_source=$(grep '"source"' "$manifest" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/')
+        # Only trust manifest's "git" source if SCRIPT_DIR is actually a git repo
+        if [ -n "$manifest_source" ]; then
+            if [ "$manifest_source" = "git" ] && git -C "$SCRIPT_DIR" rev-parse --git-dir >/dev/null 2>&1; then
+                source_type="git"
+            elif [ "$manifest_source" != "git" ]; then
+                source_type="$manifest_source"
+            fi
+        fi
+    else
+        echo "  No manifest found — treating as pre-update installation"
+    fi
+
+    # 3. Profile override
+    local update_profile="$current_profile"
+    if [ -n "$PROFILE" ]; then
+        update_profile="$PROFILE"
+    fi
+
+    if [ "$DRY_RUN" = true ]; then
+        echo "CortexHawk Dry Run (update)"
+        echo "============================"
+    else
+        echo "CortexHawk Update"
+        echo "==================="
+    fi
+    echo "  Current version: $current_version"
+    echo "  Profile: $update_profile"
+    echo "  Source: $source_type"
+    echo ""
+
+    # 3b. Auto-snapshot before update (skip in dry-run)
+    if [ "$DRY_RUN" != true ] && [ -f "$manifest" ]; then
+        echo "Creating pre-update snapshot..."
+        do_snapshot || echo "  Warning: pre-update snapshot failed — continuing without rollback point"
+        PRE_UPDATE_SNAP=$(ls -t "$TARGET/.cortexhawk-snapshots"/*.json 2>/dev/null | head -1)
+        [ -n "$PRE_UPDATE_SNAP" ] && echo "  Saved: $(basename "$PRE_UPDATE_SNAP")"
+        echo ""
+    fi
+
+    # 4. Pull source (skip in dry-run — compare against current source)
+    if [ "$DRY_RUN" != true ]; then
+        if [ "$source_type" = "git" ]; then
+            echo "Updating CortexHawk source via git pull..."
+            update_source_git
+        else
+            echo "Updating CortexHawk source via download..."
+            update_source_release
+        fi
+        echo "  Source updated successfully."
+    fi
+
+    # 5. Compare versions
+    local new_version
+    new_version=$(get_version)
+    echo "  New version: $new_version"
+    echo ""
+
+    if [ "$current_version" = "$new_version" ] && [ "$FORCE_MODE" != true ]; then
+        # Same version — check if files actually changed (checksum comparison)
+        local files_changed=0
+        if [ -f "$manifest" ]; then
+            while IFS= read -r line; do
+                local fpath fhash
+                fpath=$(echo "$line" | sed 's/.*"\([^"]*\)": "sha256:\([^"]*\)".*/\1/')
+                fhash=$(echo "$line" | sed 's/.*"sha256:\([^"]*\)".*/\1/')
+                [ -z "$fpath" ] || [ -z "$fhash" ] && continue
+                local source_file="$SCRIPT_DIR/$fpath"
+                [ -f "$source_file" ] || continue
+                local source_hash
+                source_hash=$(compute_checksum "$source_file")
+                if [ "$fhash" != "$source_hash" ]; then
+                    files_changed=$((files_changed + 1))
+                fi
+            done < <(grep '"sha256:' "$manifest")
+        fi
+
+        if [ "$files_changed" -eq 0 ] && [ "$DRY_RUN" != true ]; then
+            # Still apply install improvements even if no component files changed
+            local target_dir_name=".${TARGET_CLI:-claude}"
+            update_gitignore "$(dirname "$TARGET")" "$target_dir_name"
+            [ "$TARGET_CLI" = "codex" ] && update_gitignore "$(dirname "$TARGET")" ".agents"
+            if [ ! -f "$TARGET/git-workflow.conf" ]; then
+                GIT_BRANCHING="direct-main"
+                GIT_COMMIT_CONVENTION="conventional"
+                GIT_PR_PREFERENCE="on-demand"
+                GIT_AUTO_PUSH="after-commit"
+                GIT_WORK_BRANCH=""
+                source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$(dirname "$TARGET")" "$TARGET"
+            fi
+            echo "Already up to date ($new_version). No component files changed."
+            cleanup_update
+            exit 0
+        elif [ "$files_changed" -gt 0 ]; then
+            echo "  Same version ($new_version) but $files_changed file(s) changed in source."
+        fi
+    fi
+
+    if [ "$DRY_RUN" = true ]; then
+        echo "  Comparing source $new_version vs installed $current_version"
+    elif [ "$current_version" = "$new_version" ]; then
+        echo "  Syncing changed files ($new_version)..."
+    else
+        echo "  Updating $current_version -> $new_version"
+    fi
+    echo ""
+
+    # Set up profile file for skill filtering
+    if [ -n "$update_profile" ] && [ "$update_profile" != "all" ]; then
+        PROFILE_FILE="$SCRIPT_DIR/profiles/${update_profile}.json"
+        if [ ! -f "$PROFILE_FILE" ]; then
+            echo "  Warning: profile '$update_profile' not found in source — installing all skills"
+            update_profile="all"
+            PROFILE_FILE=""
+        fi
+    fi
+
+    # 6. Reset counters and sync components
+    SYNC_ADDED=0
+    SYNC_UPDATED=0
+    SYNC_UNCHANGED=0
+    SYNC_SKIPPED=0
+    SYNC_CONFLICTS=0
+
+    sync_all_components "$update_profile"
+
+    # 6b. Sync agent personas from project root
+    local project_root
+    project_root="$(dirname "$TARGET")"
+    if [ -d "$project_root/.cortexhawk-agents" ] && [ "$DRY_RUN" != true ]; then
+        cp -r "$project_root/.cortexhawk-agents/"*.md "$TARGET/agents/" 2>/dev/null || true
+        local pc
+        pc=$(find "$project_root/.cortexhawk-agents" -name "*.md" -type f 2>/dev/null | wc -l | tr -d ' ')
+        [ "$pc" -gt 0 ] && echo "  Synced $pc agent persona(s) from .cortexhawk-agents/"
+    fi
+
+    # 7. Detect removed upstream files
+    if [ -f "$manifest" ]; then
+        while IFS= read -r line; do
+            local file_relpath
+            file_relpath=$(echo "$line" | sed 's/.*"\([^"]*\)": "sha256:.*/\1/')
+            [ -z "$file_relpath" ] && continue
+            if [ ! -f "$SCRIPT_DIR/$file_relpath" ] && [ -f "$TARGET/$file_relpath" ]; then
+                echo "  Warning: $file_relpath was removed upstream (kept locally)"
+            fi
+        done < <(grep '"sha256:' "$manifest")
+    fi
+
+    if [ "$DRY_RUN" != true ]; then
+        # Make executable components executable
+        for entry in "${COMPONENTS[@]}"; do
+            IFS=':' read -r name exec_flag <<< "$entry"
+            [ "$exec_flag" = "yes" ] && chmod +x "$TARGET/$name/"*.sh 2>/dev/null || true
+        done
+
+        # 7b. Regenerate settings.json hooks + merge new permissions from compose.yml
+        if [ -f "$SCRIPT_DIR/hooks/compose.yml" ]; then
+            local hooks_json
+            hooks_json=$(generate_hooks_config "$SCRIPT_DIR/hooks/compose.yml" ".claude/hooks")
+            if [ -n "$hooks_json" ] && [ "$hooks_json" != "{}" ] && command -v python3 >/dev/null 2>&1; then
+                echo "$hooks_json" | python3 -c "
+import json, sys
+hooks = json.load(sys.stdin)
+current = {}
+try:
+    with open(sys.argv[1]) as f:
+        current = json.load(f)
+except:
+    pass
+current['hooks'] = hooks
+# Merge new permissions from source
+try:
+    with open(sys.argv[2]) as f:
+        src_perms = json.load(f).get('permissions', {})
+    cur_perms = current.get('permissions', {})
+    for key in ('allow', 'deny'):
+        src_list = src_perms.get(key, [])
+        cur_list = cur_perms.get(key, [])
+        added = [p for p in src_list if p not in cur_list]
+        if added:
+            cur_list.extend(added)
+        cur_perms[key] = cur_list
+    current['permissions'] = cur_perms
+except:
+    pass
+with open(sys.argv[1], 'w') as f:
+    json.dump(current, f, indent=2)
+    f.write('\n')
+" "$TARGET/settings.json" "$SCRIPT_DIR/settings.json"
+                echo "  Regenerated settings.json hooks from compose.yml"
+            fi
+        fi
+
+        # 8. Write new manifest
+        write_manifest "$TARGET" "$update_profile" "$TARGET_CLI" true
+
+        # 9. Run audit
+        run_audit "$(dirname "$TARGET")"
+
+        # 10. Apply install improvements (gitignore, git-workflow defaults)
+        local target_dir_name=".${TARGET_CLI:-claude}"
+        update_gitignore "$(dirname "$TARGET")" "$target_dir_name"
+        [ "$TARGET_CLI" = "codex" ] && update_gitignore "$(dirname "$TARGET")" ".agents"
+        setup_templates "$(dirname "$TARGET")"
+
+        if [ ! -f "$TARGET/git-workflow.conf" ]; then
+            GIT_BRANCHING="direct-main"
+            GIT_COMMIT_CONVENTION="conventional"
+            GIT_PR_PREFERENCE="on-demand"
+            GIT_AUTO_PUSH="after-commit"
+            GIT_WORK_BRANCH=""
+            source "$SCRIPT_DIR/scripts/git-workflow-init.sh" "$(dirname "$TARGET")" "$TARGET"
+        fi
+    fi
+
+    # 10. Print summary
+    echo ""
+    if [ "$DRY_RUN" = true ]; then
+        echo "Dry run summary:"
+        echo "  Would add:     $SYNC_ADDED"
+        echo "  Would update:  $SYNC_UPDATED"
+        echo "  Unchanged:     $SYNC_UNCHANGED"
+        echo "  Would skip:    $SYNC_SKIPPED"
+        echo "  Conflicts:     $SYNC_CONFLICTS"
+        echo ""
+        echo "No files were modified (dry run)."
+    else
+        echo "Update complete: $current_version -> $new_version"
+        echo "  Added:     $SYNC_ADDED"
+        echo "  Updated:   $SYNC_UPDATED"
+        echo "  Unchanged: $SYNC_UNCHANGED"
+        echo "  Skipped:   $SYNC_SKIPPED"
+        echo "  Conflicts: $SYNC_CONFLICTS"
+        if [ -n "${PRE_UPDATE_SNAP:-}" ]; then
+            echo "  Rollback: install.sh --restore $PRE_UPDATE_SNAP"
+        fi
+        echo ""
+        echo "  To activate: exit your CLI (ctrl+c) and relaunch in this directory."
+    fi
+
+    cleanup_update
+}

package/settings.json

@@ -14,7 +14,18 @@
       "Write(*)",
       "Edit(*)"
     ],
-    "deny": []
+    "deny": [
+      "Write(/etc/*)",
+      "Write(~/.bashrc)",
+      "Write(~/.zshrc)",
+      "Write(~/.profile)",
+      "Write(~/.ssh/*)",
+      "Edit(/etc/*)",
+      "Edit(~/.bashrc)",
+      "Edit(~/.zshrc)",
+      "Edit(~/.profile)",
+      "Edit(~/.ssh/*)"
+    ]
   },
   "hooks": {
     "SessionStart": [