sequant 1.5.6 → 1.6.1

package/README.md

@@ -121,7 +121,6 @@ npx sequant run 123 --quality-loop
 |---------|---------|
 | `/assess` | Issue triage and status assessment |
 | `/docs` | Generate feature documentation |
-| `/release` | Automated release workflow |
 | `/clean` | Repository cleanup |
 | `/security-review` | Deep security analysis |
 | `/reflect` | Workflow improvement analysis |

package/dist/src/commands/doctor.js

@@ -19,7 +19,7 @@ export async function doctorCommand() {
                 message: `Outdated: ${versionResult.currentVersion} → ${versionResult.latestVersion} available`,
             });
             // Show remediation steps
-            console.log(chalk.yellow(`  ⚠️  ${getVersionWarning(versionResult.currentVersion, versionResult.latestVersion)}`));
+            console.log(chalk.yellow(`  ⚠️  ${getVersionWarning(versionResult.currentVersion, versionResult.latestVersion, versionResult.isLocalInstall)}`));
             console.log("");
         }
         else {

package/dist/src/commands/run.js

@@ -742,7 +742,7 @@ export async function runCommand(issues, options) {
         try {
             const versionResult = await checkVersionCached();
             if (versionResult.isOutdated && versionResult.latestVersion) {
-                console.log(chalk.yellow(`  ⚠️  ${getVersionWarning(versionResult.currentVersion, versionResult.latestVersion)}`));
+                console.log(chalk.yellow(`  ⚠️  ${getVersionWarning(versionResult.currentVersion, versionResult.latestVersion, versionResult.isLocalInstall)}`));
                 console.log("");
             }
         }

package/dist/src/lib/version-check.d.ts

@@ -12,6 +12,7 @@ export interface VersionCheckResult {
     currentVersion: string;
     latestVersion: string | null;
     isOutdated: boolean;
+    isLocalInstall?: boolean;
     error?: string;
 }
 /**
@@ -26,6 +27,17 @@ export declare function getCachePath(): string;
  * Get the current version from package.json
  */
 export declare function getCurrentVersion(): string;
+/**
+ * Check if running from a local node_modules install (vs npx cache)
+ *
+ * Local installs are in: <project>/node_modules/sequant/
+ * npx installs are in: ~/.npm/_npx/<hash>/node_modules/sequant/
+ *
+ * This matters because:
+ * - Local installs should be updated with: npm update sequant
+ * - npx installs should be updated with: npx sequant@latest
+ */
+export declare function isLocalNodeModulesInstall(): boolean;
 /**
  * Read the version cache
  */
@@ -53,8 +65,11 @@ export declare function compareVersions(a: string, b: string): number;
 export declare function isOutdated(currentVersion: string, latestVersion: string): boolean;
 /**
  * Get the version warning message
+ *
+ * For local node_modules installs, recommends `npm update sequant`
+ * For npx usage, recommends `npx sequant@latest`
  */
-export declare function getVersionWarning(currentVersion: string, latestVersion: string): string;
+export declare function getVersionWarning(currentVersion: string, latestVersion: string, isLocal?: boolean): string;
 /**
  * Check version freshness (thorough - for doctor command)
  * Always fetches from npm registry

package/dist/src/lib/version-check.js

@@ -54,6 +54,25 @@ export function getCurrentVersion() {
         return "0.0.0";
     }
 }
+/**
+ * Check if running from a local node_modules install (vs npx cache)
+ *
+ * Local installs are in: <project>/node_modules/sequant/
+ * npx installs are in: ~/.npm/_npx/<hash>/node_modules/sequant/
+ *
+ * This matters because:
+ * - Local installs should be updated with: npm update sequant
+ * - npx installs should be updated with: npx sequant@latest
+ */
+export function isLocalNodeModulesInstall() {
+    // Check if our path contains node_modules/sequant but NOT in .npm/_npx
+    const normalizedPath = __dirname.replace(/\\/g, "/");
+    // Running from local node_modules (not npx cache)
+    const inNodeModules = normalizedPath.includes("/node_modules/sequant");
+    const inNpxCache = normalizedPath.includes("/.npm/_npx/") ||
+        normalizedPath.includes("\\.npm\\_npx\\");
+    return inNodeModules && !inNpxCache;
+}
 /**
  * Read the version cache
  */
@@ -158,10 +177,19 @@ export function isOutdated(currentVersion, latestVersion) {
 }
 /**
  * Get the version warning message
+ *
+ * For local node_modules installs, recommends `npm update sequant`
+ * For npx usage, recommends `npx sequant@latest`
  */
-export function getVersionWarning(currentVersion, latestVersion) {
+export function getVersionWarning(currentVersion, latestVersion, isLocal) {
+    const isLocalInstall = isLocal ?? isLocalNodeModulesInstall();
+    if (isLocalInstall) {
+        return `sequant ${latestVersion} is available (you have ${currentVersion})
+   Run: npm update sequant
+   Note: You have sequant as a local dependency. npx uses your node_modules version.`;
+    }
     return `sequant ${latestVersion} is available (you have ${currentVersion})
-   Run: npx sequant@latest or npm update sequant`;
+   Run: npx sequant@latest`;
 }
 /**
  * Check version freshness (thorough - for doctor command)
@@ -169,12 +197,14 @@ export function getVersionWarning(currentVersion, latestVersion) {
  */
 export async function checkVersionThorough() {
     const currentVersion = getCurrentVersion();
+    const isLocal = isLocalNodeModulesInstall();
     const latestVersion = await fetchLatestVersion();
     if (!latestVersion) {
         return {
             currentVersion,
             latestVersion: null,
             isOutdated: false,
+            isLocalInstall: isLocal,
             error: "Could not fetch latest version",
         };
     }
@@ -184,6 +214,7 @@ export async function checkVersionThorough() {
         currentVersion,
         latestVersion,
         isOutdated: isOutdated(currentVersion, latestVersion),
+        isLocalInstall: isLocal,
     };
 }
 /**
@@ -192,6 +223,7 @@ export async function checkVersionThorough() {
  */
 export async function checkVersionCached() {
     const currentVersion = getCurrentVersion();
+    const isLocal = isLocalNodeModulesInstall();
     // Check cache first
     const cache = readCache();
     if (cache && isCacheFresh(cache)) {
@@ -199,6 +231,7 @@ export async function checkVersionCached() {
             currentVersion,
             latestVersion: cache.latestVersion,
             isOutdated: isOutdated(currentVersion, cache.latestVersion),
+            isLocalInstall: isLocal,
         };
     }
     // Fetch new version (with timeout)
@@ -210,12 +243,14 @@ export async function checkVersionCached() {
                 currentVersion,
                 latestVersion: cache.latestVersion,
                 isOutdated: isOutdated(currentVersion, cache.latestVersion),
+                isLocalInstall: isLocal,
             };
         }
         return {
             currentVersion,
             latestVersion: null,
             isOutdated: false,
+            isLocalInstall: isLocal,
         };
     }
     // Update cache
@@ -224,5 +259,6 @@ export async function checkVersionCached() {
         currentVersion,
         latestVersion,
         isOutdated: isOutdated(currentVersion, latestVersion),
+        isLocalInstall: isLocal,
     };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sequant",
-  "version": "1.5.6",
+  "version": "1.6.1",
   "description": "Quantize your development workflow - Sequential AI phases with quality gates",
   "type": "module",
   "bin": {

package/templates/hooks/pre-tool.sh

@@ -108,6 +108,50 @@ if echo "$TOOL_INPUT" | grep -qE 'git push.*(--force| -f($| ))'; then
     exit 2
 fi
 
+# --- Hard Reset Protection (Issue #85, enhanced) ---
+# Block git reset --hard when there is local work that would be lost:
+# - Unpushed commits on main/master
+# - Uncommitted changes (staged or unstaged)
+# - Unfinished merge in progress
+if echo "$TOOL_INPUT" | grep -qE 'git reset.*(--hard|origin)'; then
+    CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+    BLOCK_REASONS=""
+    
+    # Check 1: Unpushed commits (only on main/master)
+    if [[ "$CURRENT_BRANCH" == "main" || "$CURRENT_BRANCH" == "master" ]]; then
+        UNPUSHED=$(git log origin/$CURRENT_BRANCH..HEAD --oneline 2>/dev/null | wc -l | tr -d ' ')
+        if [[ "$UNPUSHED" -gt 0 ]]; then
+            BLOCK_REASONS="${BLOCK_REASONS}  - $UNPUSHED unpushed commit(s) on $CURRENT_BRANCH\n"
+        fi
+    fi
+    
+    # Check 2: Uncommitted changes (staged or unstaged)
+    UNCOMMITTED=$(git status --porcelain 2>/dev/null | wc -l | tr -d ' ')
+    if [[ "$UNCOMMITTED" -gt 0 ]]; then
+        BLOCK_REASONS="${BLOCK_REASONS}  - $UNCOMMITTED uncommitted file(s)\n"
+    fi
+    
+    # Check 3: Unfinished merge
+    GIT_DIR=$(git rev-parse --git-dir 2>/dev/null || echo ".git")
+    if [[ -f "$GIT_DIR/MERGE_HEAD" ]]; then
+        BLOCK_REASONS="${BLOCK_REASONS}  - Unfinished merge in progress\n"
+    fi
+    
+    # Block if any reasons found
+    if [[ -n "$BLOCK_REASONS" ]]; then
+        {
+            echo "HOOK_BLOCKED: git reset --hard would lose local work:"
+            echo -e "$BLOCK_REASONS"
+            echo "  Resolve with:"
+            echo "    git push origin $CURRENT_BRANCH  # push commits"
+            echo "    git stash                        # save changes"
+            echo "    git merge --abort                # cancel merge"
+            echo "  Or run directly in terminal (outside Claude Code) to bypass"
+        } | tee -a /tmp/claude-hook.log >&2
+        exit 2
+    fi
+fi
+
 # CI/CD triggers (automation shouldn't trigger more automation)
 if echo "$TOOL_INPUT" | grep -qE 'gh workflow run'; then
     echo "HOOK_BLOCKED: Workflow trigger" | tee -a /tmp/claude-hook.log >&2
@@ -273,22 +317,33 @@ if [[ "$TOOL_NAME" == "Bash" ]] && echo "$TOOL_INPUT" | grep -qE 'git commit'; t
     fi
 fi
 
-# === WORKTREE PATH ENFORCEMENT FOR PARALLEL AGENTS ===
-# When a parallel marker exists with a worktree path, block edits outside that worktree
+# === WORKTREE PATH ENFORCEMENT ===
+# Enforces that file operations stay within the designated worktree
+# Sources for worktree path (in priority order):
+#   1. SEQUANT_WORKTREE env var - set by `sequant run` for isolated issue execution
+#   2. Parallel marker file - for parallel agent execution
 # This prevents agents from accidentally editing the main repo instead of the worktree
-# Marker file format: First line contains the expected worktree path
 if [[ "$TOOL_NAME" == "Edit" || "$TOOL_NAME" == "Write" ]]; then
     EXPECTED_WORKTREE=""
-    for marker in "${PARALLEL_MARKER_PREFIX}"*.marker; do
-        if [[ -f "$marker" ]]; then
-            # Read expected worktree path from marker file (first line)
-            EXPECTED_WORKTREE=$(head -1 "$marker" 2>/dev/null || true)
-            break
-        fi
-    done
+
+    # Priority 1: Check SEQUANT_WORKTREE environment variable (set by sequant run)
+    if [[ -n "${SEQUANT_WORKTREE:-}" ]]; then
+        EXPECTED_WORKTREE="$SEQUANT_WORKTREE"
+    fi
+
+    # Priority 2: Fall back to parallel marker file
+    if [[ -z "$EXPECTED_WORKTREE" ]]; then
+        for marker in "${PARALLEL_MARKER_PREFIX}"*.marker; do
+            if [[ -f "$marker" ]]; then
+                # Read expected worktree path from marker file (first line)
+                EXPECTED_WORKTREE=$(head -1 "$marker" 2>/dev/null || true)
+                break
+            fi
+        done
+    fi
 
     if [[ -n "$EXPECTED_WORKTREE" ]]; then
-        # AC-1 (Issue #550): Check worktree directory exists before path validation
+        # AC-4 (Issue #31): Check worktree directory exists before path validation
         # Prevents Write tool from creating non-existent worktree directories
         if [[ ! -d "$EXPECTED_WORKTREE" ]]; then
             echo "HOOK_BLOCKED: Worktree does not exist: $EXPECTED_WORKTREE" | tee -a /tmp/claude-hook.log >&2
@@ -304,12 +359,23 @@ if [[ "$TOOL_NAME" == "Edit" || "$TOOL_NAME" == "Write" ]]; then
         fi
 
         if [[ -n "$FILE_PATH" ]]; then
+            # Resolve to absolute path for consistent comparison
+            REAL_FILE_PATH=$(realpath "$FILE_PATH" 2>/dev/null || echo "$FILE_PATH")
+            REAL_WORKTREE=$(realpath "$EXPECTED_WORKTREE" 2>/dev/null || echo "$EXPECTED_WORKTREE")
+
             # Check if file path is within the expected worktree
-            if ! echo "$FILE_PATH" | grep -qF "$EXPECTED_WORKTREE"; then
+            if [[ "$REAL_FILE_PATH" != "$REAL_WORKTREE"* ]]; then
                 echo "$(date +%H:%M:%S) WORKTREE_BLOCKED: Edit outside expected worktree" >> "$QUALITY_LOG"
                 echo "  Expected: $EXPECTED_WORKTREE" >> "$QUALITY_LOG"
                 echo "  Got: $FILE_PATH" >> "$QUALITY_LOG"
-                echo "HOOK_BLOCKED: Edit must be in worktree: $EXPECTED_WORKTREE (got: $FILE_PATH)" | tee -a /tmp/claude-hook.log >&2
+                {
+                    echo "HOOK_BLOCKED: File operation must be within worktree"
+                    echo "  Worktree: $EXPECTED_WORKTREE"
+                    echo "  File: $FILE_PATH"
+                    if [[ -n "${SEQUANT_ISSUE:-}" ]]; then
+                        echo "  Issue: #$SEQUANT_ISSUE"
+                    fi
+                } | tee -a /tmp/claude-hook.log >&2
                 exit 2
             fi
         fi
@@ -357,6 +423,31 @@ if [[ "${CLAUDE_HOOKS_FILE_LOCKING:-true}" == "true" ]]; then
     fi
 fi
 
+# === PRE-MERGE WORKTREE CLEANUP ===
+# Auto-remove worktree before `gh pr merge` to prevent --delete-branch failure
+# The worktree locks the branch, causing merge to partially fail
+if [[ "$TOOL_NAME" == "Bash" ]] && echo "$TOOL_INPUT" | grep -qE 'gh pr merge'; then
+    # Extract PR number from command
+    PR_NUM=$(echo "$TOOL_INPUT" | grep -oE 'gh pr merge [0-9]+' | grep -oE '[0-9]+')
+
+    if [[ -n "$PR_NUM" ]]; then
+        # Get the branch name for this PR
+        BRANCH_NAME=$(gh pr view "$PR_NUM" --json headRefName --jq '.headRefName' 2>/dev/null || true)
+
+        if [[ -n "$BRANCH_NAME" ]]; then
+            # Check if a worktree exists for this branch
+            # Note: worktree line is 2 lines before branch line in porcelain output
+            WORKTREE_PATH=$(git worktree list --porcelain 2>/dev/null | grep -B2 "branch refs/heads/$BRANCH_NAME" | grep "^worktree " | sed 's/^worktree //' || true)
+
+            if [[ -n "$WORKTREE_PATH" && -d "$WORKTREE_PATH" ]]; then
+                # Remove the worktree before merge proceeds
+                git worktree remove "$WORKTREE_PATH" --force 2>/dev/null || true
+                echo "PRE-MERGE: Removed worktree $WORKTREE_PATH for branch $BRANCH_NAME" >> /tmp/claude-hook.log
+            fi
+        fi
+    fi
+fi
+
 # === ALLOW EVERYTHING ELSE ===
 # Slash commands need: git, npm, file edits, gh pr/issue, MCP tools
 exit 0