javi-forge 1.6.0 → 1.6.1

package/templates/github/deploy-docker-zero-downtime.yml

@@ -0,0 +1,140 @@
+# ===========================================
+# Zero-Downtime Docker Deploy (docker rollout)
+# ===========================================
+# Copy to: .github/workflows/deploy.yml
+#
+# Requires:
+#   - SSH access to the deploy target (secrets.DEPLOY_HOST, secrets.DEPLOY_USER, secrets.DEPLOY_KEY)
+#   - docker-rollout installed on the target: https://github.com/Wowu/docker-rollout
+#   - A docker-compose.yml on the target with healthcheck-enabled services
+#
+# Flow:
+#   1. Build & push image to registry
+#   2. SSH into deploy target
+#   3. Pull new image
+#   4. `docker rollout <service>` — spins up new container, waits for healthcheck, drains old
+# ===========================================
+
+name: Deploy (Zero-Downtime)
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '.gitignore'
+  workflow_dispatch:
+    inputs:
+      service:
+        description: 'Service to deploy (from docker-compose.yml)'
+        required: true
+        default: '__SERVICE_NAME__'
+      skip_build:
+        description: 'Skip image build (deploy existing latest)'
+        default: false
+        type: boolean
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: deploy-${{ github.ref }}
+  cancel-in-progress: false  # Never cancel in-progress deploys
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+  DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+
+jobs:
+  build-and-push:
+    if: ${{ github.event.inputs.skip_build != 'true' }}
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.meta.outputs.tags }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=raw,value=latest
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  deploy:
+    needs: [build-and-push]
+    if: always() && (needs.build-and-push.result == 'success' || github.event.inputs.skip_build == 'true')
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Deploy via SSH + docker rollout
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ env.DEPLOY_HOST }}
+          username: ${{ env.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_KEY }}
+          script: |
+            set -euo pipefail
+
+            cd ${{ secrets.DEPLOY_DIR || '~/app' }}
+
+            # Pull latest images
+            docker compose pull
+
+            # Zero-downtime rollout for the target service
+            SERVICE="${{ github.event.inputs.service || '__SERVICE_NAME__' }}"
+            echo "::group::Rolling out ${SERVICE}"
+            docker rollout "${SERVICE}"
+            echo "::endgroup::"
+
+            # Cleanup dangling images
+            docker image prune -f
+
+      - name: Verify deployment
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ env.DEPLOY_HOST }}
+          username: ${{ env.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_KEY }}
+          script: |
+            set -euo pipefail
+            cd ${{ secrets.DEPLOY_DIR || '~/app' }}
+            SERVICE="${{ github.event.inputs.service || '__SERVICE_NAME__' }}"
+
+            # Wait for healthcheck (max 60s)
+            TIMEOUT=60
+            ELAPSED=0
+            while [ $ELAPSED -lt $TIMEOUT ]; do
+              HEALTH=$(docker compose ps "${SERVICE}" --format json | jq -r '.[0].Health // "none"' 2>/dev/null || echo "unknown")
+              if [ "$HEALTH" = "healthy" ]; then
+                echo "✅ ${SERVICE} is healthy"
+                exit 0
+              fi
+              sleep 5
+              ELAPSED=$((ELAPSED + 5))
+              echo "⏳ Waiting for healthcheck... (${ELAPSED}s/${TIMEOUT}s)"
+            done
+
+            echo "❌ ${SERVICE} did not become healthy within ${TIMEOUT}s"
+            docker compose logs --tail=50 "${SERVICE}"
+            exit 1

package/templates/github/repoforge-graph.yml

@@ -0,0 +1,45 @@
+# ===========================================
+# RepoForge Call Graph — keep graph fresh on every push
+# ===========================================
+# Copy to: .github/workflows/repoforge-graph.yml
+# ===========================================
+
+name: RepoForge Graph
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '.gitignore'
+  pull_request:
+    branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '.gitignore'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: repoforge-graph-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  graph:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install repoforge
+        run: npm install -g repoforge
+
+      - name: Generate call graph
+        run: repoforge graph --type calls --output .repoforge/call-graph.json
+
+      - name: Upload graph artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: call-graph
+          path: .repoforge/call-graph.json
+          retention-days: 30

package/templates/gitlab/deploy-docker-zero-downtime.yml

@@ -0,0 +1,57 @@
+# ===========================================
+# Zero-Downtime Docker Deploy (docker rollout)
+# ===========================================
+# Merge into: .gitlab-ci.yml
+#
+# Requires:
+#   - CI/CD variables: DEPLOY_HOST, DEPLOY_USER, DEPLOY_KEY, DEPLOY_DIR
+#   - docker-rollout installed on target: https://github.com/Wowu/docker-rollout
+#   - A docker-compose.yml on the target with healthcheck-enabled services
+# ===========================================
+
+stages:
+  - build
+  - deploy
+
+variables:
+  SERVICE_NAME: "__SERVICE_NAME__"
+
+build-image:
+  stage: build
+  image: docker:latest
+  services:
+    - docker:dind
+  before_script:
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+  script:
+    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" -t "$CI_REGISTRY_IMAGE:latest" .
+    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
+    - docker push "$CI_REGISTRY_IMAGE:latest"
+  only:
+    - main
+
+deploy-zero-downtime:
+  stage: deploy
+  image: alpine:latest
+  needs: ["build-image"]
+  before_script:
+    - apk add --no-cache openssh-client
+    - eval "$(ssh-agent -s)"
+    - echo "$DEPLOY_KEY" | ssh-add -
+    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
+    - ssh-keyscan "$DEPLOY_HOST" >> ~/.ssh/known_hosts
+  script:
+    - |
+      ssh "$DEPLOY_USER@$DEPLOY_HOST" << 'ENDSSH'
+        set -euo pipefail
+        cd ${DEPLOY_DIR:-~/app}
+        docker compose pull
+        docker rollout "${SERVICE_NAME}"
+        docker image prune -f
+        echo "Deploy complete"
+      ENDSSH
+  environment:
+    name: production
+  only:
+    - main
+  when: manual

package/templates/local-ai/.env.example

@@ -0,0 +1,17 @@
+# Local AI Stack — Environment Variables
+# Copy to .env in your project: cp .env.example .env
+
+# ── Ollama ──────────────────────────────────────────────────────────────────
+OLLAMA_PORT=11434
+
+# ── Open WebUI ──────────────────────────────────────────────────────────────
+WEBUI_PORT=3000
+WEBUI_AUTH=false
+
+# ── n8n ─────────────────────────────────────────────────────────────────────
+N8N_PORT=5678
+
+# ── Supabase (Postgres) ────────────────────────────────────────────────────
+SUPABASE_DB_PORT=5432
+SUPABASE_DB_PASSWORD=postgres
+SUPABASE_DB_NAME=app

package/templates/local-ai/docker-compose.yml

@@ -0,0 +1,95 @@
+# Local AI Development Stack
+# Generated by javi-forge — https://github.com/JNZader/javi-forge
+#
+# Usage:
+#   docker compose up -d              # Start Ollama (core)
+#   docker compose --profile ui up -d # Start Ollama + Open WebUI
+#   docker compose --profile auto up -d # Start Ollama + n8n + Open WebUI
+#   docker compose --profile full up -d # Start everything
+#
+# Pull a model after starting:
+#   docker exec ollama ollama pull llama3.2
+#   docker exec ollama ollama pull codellama
+
+services:
+  # ── Core: Ollama (local LLM inference) ────────────────────────────────────
+  ollama:
+    image: ollama/ollama:latest
+    container_name: ollama
+    restart: unless-stopped
+    ports:
+      - "${OLLAMA_PORT:-11434}:11434"
+    volumes:
+      - ollama_data:/root/.ollama
+    environment:
+      - OLLAMA_HOST=0.0.0.0
+    # Uncomment for NVIDIA GPU support:
+    # deploy:
+    #   resources:
+    #     reservations:
+    #       devices:
+    #         - driver: nvidia
+    #           count: all
+    #           capabilities: [gpu]
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:11434/api/tags || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+  # ── Optional: Open WebUI (chat interface) ─────────────────────────────────
+  open-webui:
+    image: ghcr.io/open-webui/open-webui:main
+    container_name: open-webui
+    profiles: ["ui", "auto", "full"]
+    restart: unless-stopped
+    ports:
+      - "${WEBUI_PORT:-3000}:8080"
+    volumes:
+      - open_webui_data:/app/backend/data
+    environment:
+      - OLLAMA_BASE_URL=http://ollama:11434
+      - WEBUI_AUTH=${WEBUI_AUTH:-false}
+    depends_on:
+      ollama:
+        condition: service_healthy
+
+  # ── Optional: n8n (workflow automation) ───────────────────────────────────
+  n8n:
+    image: n8nio/n8n:latest
+    container_name: n8n
+    profiles: ["auto", "full"]
+    restart: unless-stopped
+    ports:
+      - "${N8N_PORT:-5678}:5678"
+    volumes:
+      - n8n_data:/home/node/.n8n
+    environment:
+      - N8N_SECURE_COOKIE=false
+      - OLLAMA_HOST=http://ollama:11434
+
+  # ── Optional: Supabase (Postgres + Auth + Realtime) ───────────────────────
+  supabase-db:
+    image: supabase/postgres:15.6.1.145
+    container_name: supabase-db
+    profiles: ["full"]
+    restart: unless-stopped
+    ports:
+      - "${SUPABASE_DB_PORT:-5432}:5432"
+    volumes:
+      - supabase_db_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${SUPABASE_DB_PASSWORD:-postgres}
+      POSTGRES_DB: ${SUPABASE_DB_NAME:-app}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  ollama_data:
+  open_webui_data:
+  n8n_data:
+  supabase_db_data:

package/templates/security-hooks/claude-settings-security.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://raw.githubusercontent.com/anthropics/claude-code/main/settings-schema.json",
+  "_comment": "Runtime security hooks (kiteguard-style) — scaffolded by javi-forge",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hook": "COMMAND=\"$CLAUDE_TOOL_INPUT\"\nBLOCKED_PATTERNS=(\n  'rm -rf /'\n  'rm -rf ~'\n  'chmod 777'\n  'curl.*|.*sh'\n  'wget.*|.*sh'\n  'eval.*\\$'\n  'base64.*-d.*|.*sh'\n  ':(){:|:&};:'\n)\nfor pattern in \"${BLOCKED_PATTERNS[@]}\"; do\n  if echo \"$COMMAND\" | grep -qE \"$pattern\"; then\n    echo \"BLOCKED: Dangerous command pattern detected: $pattern\"\n    exit 2\n  fi\ndone\nexit 0",
+        "description": "Block dangerous shell commands (rm -rf /, chmod 777, pipe-to-sh, fork bombs)"
+      },
+      {
+        "matcher": "Bash",
+        "hook": "COMMAND=\"$CLAUDE_TOOL_INPUT\"\nSENSITIVE_PATHS=(\n  '.env'\n  '.env.local'\n  '.env.production'\n  'credentials'\n  'secrets'\n  '.ssh'\n  '.gnupg'\n  '.aws/credentials'\n)\nfor path in \"${SENSITIVE_PATHS[@]}\"; do\n  if echo \"$COMMAND\" | grep -qE \"(cat|less|head|tail|bat|read).*$path\"; then\n    echo \"BLOCKED: Attempt to read sensitive file: $path\"\n    exit 2\n  fi\ndone\nexit 0",
+        "description": "Prevent reading sensitive files (.env, credentials, SSH keys)"
+      },
+      {
+        "matcher": "Write|Edit",
+        "hook": "INPUT=\"$CLAUDE_TOOL_INPUT\"\nPROTECTED_FILES=(\n  '.env'\n  '.env.production'\n  'credentials.json'\n  'serviceAccountKey.json'\n  '.ssh/'\n  '.gnupg/'\n)\nfor pf in \"${PROTECTED_FILES[@]}\"; do\n  if echo \"$INPUT\" | grep -q \"$pf\"; then\n    echo \"BLOCKED: Cannot modify protected file: $pf\"\n    exit 2\n  fi\ndone\nexit 0",
+        "description": "Prevent writing to credential and secret files"
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Bash",
+        "hook": "OUTPUT=\"$CLAUDE_TOOL_OUTPUT\"\nLEAK_PATTERNS=(\n  'AKIA[0-9A-Z]{16}'\n  'ghp_[A-Za-z0-9]{36}'\n  'sk_live_[0-9a-zA-Z]{24,}'\n  'xox[baprs]-[0-9a-zA-Z-]+'\n  '-----BEGIN.*PRIVATE KEY-----'\n)\nfor pattern in \"${LEAK_PATTERNS[@]}\"; do\n  if echo \"$OUTPUT\" | grep -qE \"$pattern\"; then\n    echo \"WARNING: Command output may contain secrets. Review carefully.\"\n    exit 0\n  fi\ndone\nexit 0",
+        "description": "Warn if command output contains potential secrets"
+      }
+    ]
+  }
+}

package/templates/security-hooks/commit-msg-signing

@@ -0,0 +1,29 @@
+#!/bin/bash
+# =============================================================================
+# SECURITY LAYER 6: Commit Message Signing Reminder (commit-msg)
+# =============================================================================
+# Reminds developers to sign commits if signing is configured but the
+# current commit is not signed. Non-blocking — just a nudge.
+#
+# This complements layer 4 (pre-push signing) with an earlier reminder.
+# =============================================================================
+
+set -e
+
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo "SECURITY [6/6]: Commit signing reminder..."
+
+GPG_SIGN=$(git config --get commit.gpgsign 2>/dev/null || echo "false")
+
+if [ "$GPG_SIGN" = "true" ]; then
+    echo -e "${GREEN}  Commit signing is enabled. Good.${NC}"
+else
+    echo -e "${YELLOW}  Tip: Enable commit signing for supply-chain security.${NC}"
+    echo -e "${CYAN}  git config commit.gpgsign true${NC}"
+fi
+
+exit 0

package/templates/security-hooks/pre-commit-permissions

@@ -0,0 +1,74 @@
+#!/bin/bash
+# =============================================================================
+# SECURITY LAYER 3: Permission Boundaries (pre-commit)
+# =============================================================================
+# Validates that staged files don't introduce overly permissive file modes,
+# executable flags on non-script files, or world-writable permissions.
+#
+# To skip:  git commit --no-verify (NOT recommended)
+# =============================================================================
+
+set -e
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo "SECURITY [3/6]: Permission boundary check..."
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+    echo -e "${GREEN}  No staged files to check.${NC}"
+    exit 0
+fi
+
+ISSUES=0
+
+# Check for world-writable files (o+w)
+for file in $STAGED_FILES; do
+    if [ -f "$file" ]; then
+        PERMS=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null || echo "")
+        if [ -n "$PERMS" ]; then
+            # Check if last digit (other permissions) has write (2, 3, 6, 7)
+            OTHERS=${PERMS: -1}
+            if [[ "$OTHERS" =~ [2367] ]]; then
+                echo -e "${RED}  World-writable: $file (mode $PERMS)${NC}"
+                ISSUES=$((ISSUES + 1))
+            fi
+        fi
+    fi
+done
+
+# Check for executable flag on non-script files
+SCRIPT_EXTENSIONS='\.sh$|\.bash$|\.zsh$|\.py$|\.rb$|\.pl$'
+for file in $STAGED_FILES; do
+    if [ -f "$file" ] && [ -x "$file" ]; then
+        # Allow scripts and hooks (no extension = likely a hook)
+        BASENAME=$(basename "$file")
+        if echo "$file" | grep -qE "$SCRIPT_EXTENSIONS"; then
+            continue
+        fi
+        # Allow files in hooks/ directories
+        if echo "$file" | grep -q '/hooks/'; then
+            continue
+        fi
+        # Allow if it has a shebang
+        if head -1 "$file" 2>/dev/null | grep -q '^#!'; then
+            continue
+        fi
+        echo -e "${YELLOW}  Unexpected executable: $file${NC}"
+        ISSUES=$((ISSUES + 1))
+    fi
+done
+
+if [ "$ISSUES" -gt 0 ]; then
+    echo -e ""
+    echo -e "${RED}COMMIT BLOCKED: $ISSUES permission issue(s) found.${NC}"
+    echo -e "${YELLOW}  Fix file permissions before committing.${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}  Permissions OK.${NC}"
+exit 0

package/templates/security-hooks/pre-commit-secrets

@@ -0,0 +1,74 @@
+#!/bin/bash
+# =============================================================================
+# SECURITY LAYER 1: Secret Scanning (pre-commit)
+# =============================================================================
+# Scans staged files for hardcoded secrets, API keys, and credentials.
+# Runs on every commit to prevent accidental secret leaks.
+#
+# Requires: git
+# To skip:  git commit --no-verify (NOT recommended)
+# =============================================================================
+
+set -e
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo "SECURITY [1/6]: Secret scanning..."
+
+# Patterns that indicate hardcoded secrets
+SECRET_PATTERNS=(
+    # AWS
+    'AKIA[0-9A-Z]{16}'
+    # Generic API keys (long hex/base64 strings assigned to key-like vars)
+    '(?i)(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*["\x27][A-Za-z0-9+/=_-]{20,}["\x27]'
+    # Private keys
+    '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
+    # GitHub tokens
+    'gh[pousr]_[A-Za-z0-9_]{36,}'
+    # Generic password assignments
+    '(?i)(password|passwd|pwd)\s*[:=]\s*["\x27][^\s"'\'']{8,}["\x27]'
+    # Slack tokens
+    'xox[baprs]-[0-9a-zA-Z-]+'
+    # Stripe keys
+    'sk_live_[0-9a-zA-Z]{24,}'
+    'rk_live_[0-9a-zA-Z]{24,}'
+    # SendGrid
+    'SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}'
+)
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+    echo -e "${GREEN}  No staged files to scan.${NC}"
+    exit 0
+fi
+
+FOUND=0
+for pattern in "${SECRET_PATTERNS[@]}"; do
+    # Use grep -P for perl-compatible regex, fall back to -E
+    MATCHES=$(echo "$STAGED_FILES" | xargs git diff --cached -- | grep -nP "$pattern" 2>/dev/null || true)
+    if [ -n "$MATCHES" ]; then
+        if [ "$FOUND" -eq 0 ]; then
+            echo -e "${RED}  Potential secrets detected in staged changes:${NC}"
+        fi
+        echo -e "${YELLOW}  Pattern: $pattern${NC}"
+        echo "$MATCHES" | head -5 | while read -r line; do
+            echo -e "${RED}    $line${NC}"
+        done
+        FOUND=$((FOUND + 1))
+    fi
+done
+
+if [ "$FOUND" -gt 0 ]; then
+    echo -e ""
+    echo -e "${RED}COMMIT BLOCKED: $FOUND secret pattern(s) detected.${NC}"
+    echo -e "${YELLOW}  Remove secrets and use environment variables instead.${NC}"
+    echo -e "${YELLOW}  If this is a false positive, add to .secret-scan-ignore${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}  No secrets found.${NC}"
+exit 0

package/templates/security-hooks/pre-push-branch-protection

@@ -0,0 +1,62 @@
+#!/bin/bash
+# =============================================================================
+# SECURITY LAYER 5: Branch Protection (pre-push)
+# =============================================================================
+# Prevents direct pushes to protected branches (main, master, release/*).
+# Forces use of pull requests for protected branches.
+#
+# To skip:  git push --no-verify (NOT recommended)
+# =============================================================================
+
+set -e
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo "SECURITY [5/6]: Branch protection check..."
+
+# Protected branch patterns
+PROTECTED_BRANCHES=(
+    "main"
+    "master"
+    "release/*"
+    "production"
+    "staging"
+)
+
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+
+if [ -z "$CURRENT_BRANCH" ]; then
+    echo -e "${YELLOW}  Could not determine current branch. Skipping.${NC}"
+    exit 0
+fi
+
+for pattern in "${PROTECTED_BRANCHES[@]}"; do
+    # Support glob patterns
+    if [[ "$CURRENT_BRANCH" == $pattern ]]; then
+        # Check if we're on CI (allow CI pushes)
+        if [ -n "$CI" ] || [ -n "$GITHUB_ACTIONS" ] || [ -n "$GITLAB_CI" ]; then
+            echo -e "${GREEN}  CI environment detected. Allowing push to $CURRENT_BRANCH.${NC}"
+            exit 0
+        fi
+
+        echo -e ""
+        echo -e "${RED}PUSH BLOCKED: Direct push to protected branch '$CURRENT_BRANCH'.${NC}"
+        echo -e ""
+        echo -e "${YELLOW}  Protected branches require pull requests:${NC}"
+        for b in "${PROTECTED_BRANCHES[@]}"; do
+            echo -e "${YELLOW}    - $b${NC}"
+        done
+        echo -e ""
+        echo -e "${YELLOW}  Create a feature branch and open a PR instead:${NC}"
+        echo -e "${GREEN}    git checkout -b feat/my-feature${NC}"
+        echo -e "${GREEN}    git push -u origin feat/my-feature${NC}"
+        echo -e "${GREEN}    gh pr create${NC}"
+        exit 1
+    fi
+done
+
+echo -e "${GREEN}  Branch '$CURRENT_BRANCH' is not protected. OK.${NC}"
+exit 0