cortexhawk 3.3.0 → 3.3.1

package/CHANGELOG.md

@@ -3,7 +3,27 @@
 All notable changes to CortexHawk are documented here.
 Format: [Keep a Changelog](https://keepachangelog.com/)
 
-## [Unreleased]
+## [3.3.1] - 2026-02-20
+
+### Added
+- Native git `post-merge` hook opt-in: `cortexhawk post-merge-hook` (or `install --post-merge-hook`) installs `.git/hooks/post-merge` that auto-runs cleanup after every `git merge`; also offered interactively during `cortexhawk install` (#150)
+- Gitflow strategy support in `post-merge-cleanup.sh`: dual-target merge detection (feat→develop, release/hotfix→main), conditional `release/*`/`hotfix/*` protection, resync `develop ← main` after release merges (#151)
+
+### Security
+- `codex-dispatcher.sh`: reject paths containing `../` before dispatch to hooks, preventing arbitrary file scanning via path traversal (#152)
+- MCP configs: pin all `npx -y` packages to exact versions — context7@2.1.1, sequential-thinking@2025.12.18, puppeteer@2025.5.12, github@2025.4.8; also fix puppeteer package name (`@modelcontextprotocol/server-puppeteer` replaces removed `@anthropic-ai/mcp-server-puppeteer`) (#153)
+
+### Changed
+- `post-merge-cleanup.sh` refactored to dispatch-by-strategy architecture: central `PROTECTED_BRANCHES` list + `is_protected()`, extracted helpers (`delete_branch`, `delete_merged_branches`, `resync_work_branch`, `prompt_new_feature_branch`), strategy dispatch via `strategy_*()` functions + `case` (#149)
+- `install.sh` modularized: extracted `install_claude()`, `do_update()`, `do_snapshot()`, `do_restore()`, `do_doctor()` into `scripts/` modules (4114 → 3168 lines, -23%); install.sh sources them before dispatch (#137)
+
+### Fixed
+- `post-merge-cleanup.sh`: `MAIN_BRANCH` was assigned `WORK_BRANCH` value (e.g. `dev`) for `dev-branch` and `gitflow` strategies — merged-branch detection, resync, and post-cleanup were all targeting the wrong branch; now always `MAIN_BRANCH="main"` (#148)
+- `post-merge-cleanup.sh`: script exited early when no merged branches, skipping resync for `dev-branch`/`gitflow`; resync now always runs after cleanup (#148)
+- `post-merge-cleanup.sh`: added `--dry-run` flag (preview actions without executing) and resync block `WORK_BRANCH ← MAIN_BRANCH` with `--ff-only` + interactive merge fallback (#148)
+- `cortexhawk update` crash when installed via npm: manifest's `source: "git"` was overriding runtime detection, causing `git pull` to run on the npm global dir (not a git repo); now validates SCRIPT_DIR is a real git repo before trusting manifest source (#154)
+- `get_version()` in `cortexhawk` wrapper now skips `[Unreleased]` heading (fixes `self-update` version display)
+- `branch-guard`: work branch (dev) was incorrectly added to `PROTECTED_BRANCHES` for `dev-branch` strategy, blocking all regular `git push origin dev` operations
 
 ## [3.3.0] - 2026-02-19
 

package/commands/cleanup.md

@@ -34,3 +34,4 @@ Delete merged local branches and optionally delete remote branches.
 - Handle git errors without crashing (network, permissions, no remote)
 - If compose.yml missing, warn and skip hook enablement
 - If sed fails, report error but continue cleanup
+- For a native git hook (fires on all `git merge`, not just via Claude): `cortexhawk post-merge-hook`

package/cortexhawk

@@ -29,7 +29,7 @@ yellow() { printf "\033[33m%s\033[0m\n" "$1"; }
 red() { printf "\033[31m%s\033[0m\n" "$1"; }
 
 get_version() {
-    grep -m1 '## \[' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
+    grep -m1 '## \[[0-9]' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
 }
 
 # --- validate command ---
@@ -383,6 +383,7 @@ show_help() {
     echo "  enable-hook <name>    Enable a hook"
     echo "  disable-hook <name>   Disable a hook"
     echo "  test-hooks            Dry-run hooks with synthetic inputs"
+    echo "  post-merge-hook       Install native git post-merge hook (auto-cleanup)"
     echo ""
     echo "Other:"
     echo "  self-update           Update CortexHawk source (git pull)"
@@ -501,6 +502,11 @@ case "$cmd" in
         shift
         bash "$INSTALL_SH" --test-hooks "$@"
         ;;
+    post-merge-hook)
+        check_home
+        shift
+        bash "$INSTALL_SH" --post-merge-hook "$@"
+        ;;
     self-update)
         check_home
         if [ ! -d "$CORTEXHAWK_HOME/.git" ]; then

package/hooks/branch-guard.sh

@@ -28,8 +28,7 @@ if [[ -f "$CONF_FILE" ]]; then
   if [[ "$_BRANCHING" == "direct-main" ]]; then
     PROTECTED_BRANCHES=("master" "production" "release")
   elif [[ "$_BRANCHING" == "dev-branch" ]]; then
-    _WORK_BRANCH=$(grep '^WORK_BRANCH=' "$CONF_FILE" | cut -d= -f2)
-    [[ -n "$_WORK_BRANCH" ]] && PROTECTED_BRANCHES+=("$_WORK_BRANCH")
+    : # Work branch is the normal push target — only main stays protected
   fi
 fi
 

package/hooks/codex-dispatcher.sh

@@ -59,6 +59,9 @@ HOOKS_DIR="$(cd "$(dirname "$0")" && pwd)"
 while IFS= read -r file; do
     [ -z "$file" ] && continue
 
+    # Reject path traversal attempts
+    case "$file" in "."|".."|*../*|*/..*) continue ;; esac
+
     # Resolve to absolute path
     if [[ "$file" != /* ]]; then
         file="$CWD/$file"