cortexhawk 3.3.0 → 3.3.2

package/CHANGELOG.md

@@ -3,7 +3,27 @@
 All notable changes to CortexHawk are documented here.
 Format: [Keep a Changelog](https://keepachangelog.com/)
 
-## [Unreleased]
+## [3.3.1] - 2026-02-20
+
+### Added
+- Native git `post-merge` hook opt-in: `cortexhawk post-merge-hook` (or `install --post-merge-hook`) installs `.git/hooks/post-merge` that auto-runs cleanup after every `git merge`; also offered interactively during `cortexhawk install` (#150)
+- Gitflow strategy support in `post-merge-cleanup.sh`: dual-target merge detection (feat→develop, release/hotfix→main), conditional `release/*`/`hotfix/*` protection, resync `develop ← main` after release merges (#151)
+
+### Security
+- `codex-dispatcher.sh`: reject paths containing `../` before dispatch to hooks, preventing arbitrary file scanning via path traversal (#152)
+- MCP configs: pin all `npx -y` packages to exact versions — context7@2.1.1, sequential-thinking@2025.12.18, puppeteer@2025.5.12, github@2025.4.8; also fix puppeteer package name (`@modelcontextprotocol/server-puppeteer` replaces removed `@anthropic-ai/mcp-server-puppeteer`) (#153)
+
+### Changed
+- `post-merge-cleanup.sh` refactored to dispatch-by-strategy architecture: central `PROTECTED_BRANCHES` list + `is_protected()`, extracted helpers (`delete_branch`, `delete_merged_branches`, `resync_work_branch`, `prompt_new_feature_branch`), strategy dispatch via `strategy_*()` functions + `case` (#149)
+- `install.sh` modularized: extracted `install_claude()`, `do_update()`, `do_snapshot()`, `do_restore()`, `do_doctor()` into `scripts/` modules (4114 → 3168 lines, -23%); install.sh sources them before dispatch (#137)
+
+### Fixed
+- `post-merge-cleanup.sh`: `MAIN_BRANCH` was assigned `WORK_BRANCH` value (e.g. `dev`) for `dev-branch` and `gitflow` strategies — merged-branch detection, resync, and post-cleanup were all targeting the wrong branch; now always `MAIN_BRANCH="main"` (#148)
+- `post-merge-cleanup.sh`: script exited early when no merged branches, skipping resync for `dev-branch`/`gitflow`; resync now always runs after cleanup (#148)
+- `post-merge-cleanup.sh`: added `--dry-run` flag (preview actions without executing) and resync block `WORK_BRANCH ← MAIN_BRANCH` with `--ff-only` + interactive merge fallback (#148)
+- `cortexhawk update` crash when installed via npm: manifest's `source: "git"` was overriding runtime detection, causing `git pull` to run on the npm global dir (not a git repo); now validates SCRIPT_DIR is a real git repo before trusting manifest source (#154)
+- `get_version()` in `cortexhawk` wrapper now skips `[Unreleased]` heading (fixes `self-update` version display)
+- `branch-guard`: work branch (dev) was incorrectly added to `PROTECTED_BRANCHES` for `dev-branch` strategy, blocking all regular `git push origin dev` operations
 
 ## [3.3.0] - 2026-02-19
 

package/README.md

@@ -2,16 +2,28 @@
 
 [![GitHub stars](https://img.shields.io/github/stars/Spechawk94/CortexHawk?style=flat-square)](https://github.com/Spechawk94/CortexHawk/stargazers)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?style=flat-square)](LICENSE)
-[![Version](https://img.shields.io/badge/version-3.2.0-green.svg?style=flat-square)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-3.3.1-green.svg?style=flat-square)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/cortexhawk?style=flat-square&color=red)](https://www.npmjs.com/package/cortexhawk)
 [![Skills](https://img.shields.io/badge/skills-36%20built--in%20%7C%2087k%2B%20via%20SkillsMP-orange.svg?style=flat-square)](https://skillsmp.com)
-[![Components](https://img.shields.io/badge/20%20agents%20%7C%2033%20commands%20%7C%209%20hooks%20%7C%207%20modes-purple.svg?style=flat-square)](#whats-inside)
+[![Components](https://img.shields.io/badge/20%20agents%20%7C%2035%20commands%20%7C%2011%20hooks%20%7C%207%20modes-purple.svg?style=flat-square)](#whats-inside)
 
 An open-source, community-driven development toolkit for Claude Code.
 
 CortexHawk provides a modular collection of optimized agents, skills, commands, hooks, and behavioral modes that transform Claude Code into a full-stack development team. Every prompt has been written for maximum efficiency — less token bloat, sharper instructions, better agent coordination.
 
-### What's New in v3.2
+### What's New in v3.3
+
+- **Gitflow strategy** — full gitflow support in `/cleanup`: dual-target merge detection (feat→develop, release/hotfix→main), conditional branch protection, auto-resync `develop ← main`
+- **`/cleanup` command** — unified post-merge cleanup with 4 strategies (direct-main, feature-branches, dev-branch, gitflow), `--dry-run` preview, native `post-merge` hook opt-in
+- **`/review-pr` command** — fetch, triage, and fix PR review comments in batch (one commit, one notification)
+- **`lint-guard` hook** — auto-detects formatters/linters on staged files; auto-fix for prettier/black/gofmt/rustfmt, check-only for eslint/flake8/mypy; parallel execution, pre-commit delegation
+- **`install.sh` modularized** — extracted 5 modules into `scripts/` (4114 → 3168 lines, -23%)
+- **MCP configs hardened** — all packages pinned to exact versions, puppeteer package name fixed
+- **Security fixes** — path traversal guards in codex-dispatcher and restore, python3 availability guards
+- **10+ bug fixes** — see [CHANGELOG.md](CHANGELOG.md) for full details
+
+<details>
+<summary>v3.2 changes</summary>
 
 - **`/commit` command** — lightweight conventional commit + push without review or PR (use `/ship` for full workflow)
 - **`--version` flag** — standard CLI version display
@@ -21,6 +33,8 @@ CortexHawk provides a modular collection of optimized agents, skills, commands,
 - **`--init` wizard** — "Auto-detect" target option, improved multi-target support
 - **15+ bug fixes** — see [CHANGELOG.md](CHANGELOG.md) for full details
 
+</details>
+
 <details>
 <summary>v3.1 changes</summary>
 
@@ -116,7 +130,7 @@ Specialized AI agents that coordinate together instead of working in silos.
 | `fullstack-developer` | Full-stack orchestration front+back |
 | `teacher` | Teaches concepts with 3 pedagogical levels (guided, mentor, professor) |
 
-### Commands (33)
+### Commands (35)
 
 Slash commands for common workflows.
 
@@ -126,8 +140,10 @@ Slash commands for common workflows.
 | `/build` | Implement code from plan or description |
 | `/test` | Generate and run tests |
 | `/review` | Multi-agent code review |
+| `/review-pr` | Fetch, triage, and fix PR review comments in batch |
 | `/ship` | Commit + PR pipeline |
 | `/commit` | Lightweight commit + push (no review, no PR) |
+| `/cleanup` | Post-merge branch cleanup (auto-detects strategy) |
 | `/debug` | Debug and fix issues |
 | `/scan` | Full security audit |
 | `/check` | Pre-commit quality gate (lint + test + scan + review → GO/NO-GO) |
@@ -270,7 +286,7 @@ Create custom agents that inherit from base agents with rule/style overrides:
 
 Personas use `extends:` frontmatter and are auto-copied to `.claude/agents/` on install/update.
 
-### Hooks (9)
+### Hooks (11)
 
 Automatic lifecycle hooks that run during Claude Code sessions.
 
@@ -279,12 +295,14 @@ Automatic lifecycle hooks that run during Claude Code sessions.
 | `file-guard` | PreToolUse | Blocks access to .env, secrets, credentials |
 | `branch-guard` | PreToolUse | Prevents direct push to protected branches |
 | `commit-guard` | PreToolUse | Validates conventional commits, checks staged secrets |
+| `lint-guard` | PreToolUse | Auto-detects formatters/linters on staged files; auto-fix or check-only |
 | `self-review` | PostToolUse | Checks for TODO/FIXME, secrets, debug artifacts |
 | `dependency-check` | PostToolUse | Alerts when dependency files are modified |
 | `test-reminder` | PostToolUse | Reminds to update tests for modified source files |
 | `agent-analytics` | PostToolUse | Tracks agent invocations, tokens, timestamps to `docs/.metrics/` |
 | `session-telemetry` | SessionEnd | Generates session summary (agents, tokens, duration, files) |
 | `session-start` | SessionStart | Project context injection, daily stats display |
+| `post-merge` | git post-merge | Auto-runs cleanup after `git merge` (opt-in native git hook) |
 
 Hook pipelines are configured in `hooks/compose.yml`. Manage individual hooks:
 
@@ -327,9 +345,9 @@ Each target adapts components to the CLI's native format:
 | Component | Claude Code | Kimi CLI | Codex CLI |
 |---|---|---|---|
 | Agents (20) | `.claude/agents/*.md` | Skills (`/skill:agent-*`) + `AGENTS.md` | `AGENTS.md` |
-| Commands (33) | `.claude/commands/*.md` → `/plan` | Skills (`/skill:cmd-*`) | Skills (`$cmd-*`) |
+| Commands (35) | `.claude/commands/*.md` → `/plan` | Skills (`/skill:cmd-*`) | Skills (`$cmd-*`) |
 | Skills (36) | `.claude/skills/` | `.kimi/skills/` (auto-discovered) | `.agents/skills/` |
-| Hooks (9) | `settings.json` (automatic) | Skills (`/skill:hook-*`, manual) | Dispatcher (partial) |
+| Hooks (11) | `settings.json` (automatic) | Skills (`/skill:hook-*`, manual) | Dispatcher (partial) |
 | Modes (7) | `.claude/modes/` (native) | Skills (`/skill:modes/*`) | Skills (`$mode-*`) |
 | MCP | `settings.json` | Optional (`MCP-SETUP.md`) | `config.toml` |
 

package/commands/cleanup.md

@@ -34,3 +34,4 @@ Delete merged local branches and optionally delete remote branches.
 - Handle git errors without crashing (network, permissions, no remote)
 - If compose.yml missing, warn and skip hook enablement
 - If sed fails, report error but continue cleanup
+- For a native git hook (fires on all `git merge`, not just via Claude): `cortexhawk post-merge-hook`

package/cortexhawk

@@ -29,7 +29,7 @@ yellow() { printf "\033[33m%s\033[0m\n" "$1"; }
 red() { printf "\033[31m%s\033[0m\n" "$1"; }
 
 get_version() {
-    grep -m1 '## \[' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
+    grep -m1 '## \[[0-9]' "$CORTEXHAWK_HOME/CHANGELOG.md" 2>/dev/null | sed 's/.*\[\([^]]*\)\].*/\1/' || echo "unknown"
 }
 
 # --- validate command ---
@@ -383,6 +383,7 @@ show_help() {
     echo "  enable-hook <name>    Enable a hook"
     echo "  disable-hook <name>   Disable a hook"
     echo "  test-hooks            Dry-run hooks with synthetic inputs"
+    echo "  post-merge-hook       Install native git post-merge hook (auto-cleanup)"
     echo ""
     echo "Other:"
     echo "  self-update           Update CortexHawk source (git pull)"
@@ -501,6 +502,11 @@ case "$cmd" in
         shift
         bash "$INSTALL_SH" --test-hooks "$@"
         ;;
+    post-merge-hook)
+        check_home
+        shift
+        bash "$INSTALL_SH" --post-merge-hook "$@"
+        ;;
     self-update)
         check_home
         if [ ! -d "$CORTEXHAWK_HOME/.git" ]; then

package/hooks/branch-guard.sh

@@ -28,8 +28,7 @@ if [[ -f "$CONF_FILE" ]]; then
   if [[ "$_BRANCHING" == "direct-main" ]]; then
     PROTECTED_BRANCHES=("master" "production" "release")
   elif [[ "$_BRANCHING" == "dev-branch" ]]; then
-    _WORK_BRANCH=$(grep '^WORK_BRANCH=' "$CONF_FILE" | cut -d= -f2)
-    [[ -n "$_WORK_BRANCH" ]] && PROTECTED_BRANCHES+=("$_WORK_BRANCH")
+    : # Work branch is the normal push target — only main stays protected
   fi
 fi
 

package/hooks/codex-dispatcher.sh

@@ -59,6 +59,9 @@ HOOKS_DIR="$(cd "$(dirname "$0")" && pwd)"
 while IFS= read -r file; do
     [ -z "$file" ] && continue
 
+    # Reject path traversal attempts
+    case "$file" in "."|".."|*../*|*/..*) continue ;; esac
+
     # Resolve to absolute path
     if [[ "$file" != /* ]]; then
         file="$CWD/$file"