sinapse-ai 7.7.2 → 7.7.4

package/.sinapse-ai/infrastructure/templates/safe-collab/apply.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# apply.sh — Apply safe-collab template to a target project
+# Usage: bash apply.sh <target-dir> <owner-github> <collab-github> [user1-prefix] [user2-prefix]
+#
+# Example:
+#   bash apply.sh /path/to/my-project caioimori Matheus-soier caio soier
+
+set -e
+
+TARGET="${1:?Usage: bash apply.sh <target-dir> <owner-github> <collab-github> [user1] [user2]}"
+OWNER="${2:?Missing owner GitHub username}"
+COLLAB="${3:?Missing collaborator GitHub username}"
+USER1="${4:-dev1}"
+USER2="${5:-dev2}"
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+echo "=== Safe Collaboration Setup ==="
+echo "Target: $TARGET"
+echo "Owner: @$OWNER"
+echo "Collaborator: @$COLLAB"
+echo "Branch prefixes: $USER1/, $USER2/"
+echo ""
+
+# Create directories
+mkdir -p "$TARGET/.claude/rules"
+mkdir -p "$TARGET/.github"
+mkdir -p "$TARGET/docs/guides"
+
+# Copy and customize rule file
+sed -e "s/{{USER_1}}/$USER1/g" \
+    -e "s/{{USER_2}}/$USER2/g" \
+    -e "s/{{user1}}/$USER1/g" \
+    -e "s/{{user2}}/$USER2/g" \
+    "$SCRIPT_DIR/safe-collaboration-rule.md" > "$TARGET/.claude/rules/safe-collaboration.md"
+echo "[OK] .claude/rules/safe-collaboration.md"
+
+# Copy PR template
+cp "$SCRIPT_DIR/pull_request_template.md" "$TARGET/.github/PULL_REQUEST_TEMPLATE.md"
+echo "[OK] .github/PULL_REQUEST_TEMPLATE.md"
+
+# Copy and customize CODEOWNERS
+sed -e "s/{{PROJECT_NAME}}/$(basename "$TARGET")/g" \
+    -e "s/{{OWNER_GITHUB}}/$OWNER/g" \
+    -e "s/{{COLLAB_GITHUB}}/$COLLAB/g" \
+    "$SCRIPT_DIR/CODEOWNERS.template" > "$TARGET/.github/CODEOWNERS"
+echo "[OK] .github/CODEOWNERS"
+
+# Copy workflow guide
+cp "$SCRIPT_DIR/parallel-workflow-guide.md" "$TARGET/docs/guides/parallel-workflow.md"
+echo "[OK] docs/guides/parallel-workflow.md"
+
+# Add runtime patterns to .gitignore if not already present
+GITIGNORE="$TARGET/.gitignore"
+if [ -f "$GITIGNORE" ]; then
+  if ! grep -q '.sinapse-ai/.cache/' "$GITIGNORE" 2>/dev/null; then
+    echo "" >> "$GITIGNORE"
+    echo "# SINAPSE runtime artifacts" >> "$GITIGNORE"
+    echo ".sinapse-ai/.cache/" >> "$GITIGNORE"
+    echo ".sinapse-ai/.tmp/" >> "$GITIGNORE"
+    echo "[OK] .gitignore updated"
+  else
+    echo "[OK] .gitignore already has runtime patterns"
+  fi
+else
+  echo "[SKIP] No .gitignore found"
+fi
+
+echo ""
+echo "=== Files applied. Now configure GitHub: ==="
+echo ""
+echo "1. Settings > Rules > Rulesets > New ruleset (target: main)"
+echo "   - Block direct pushes"
+echo "   - Require 1 PR approval"
+echo "   - Block force pushes"
+echo "   - Block branch deletion"
+echo "   - Dismiss stale reviews"
+echo ""
+echo "2. Settings > Collaborators"
+echo "   - Add @$COLLAB with Write permission"
+echo ""
+echo "3. Settings > General"
+echo "   - Check 'Automatically delete head branches'"
+echo ""
+echo "Done. Safe collaboration is ready."

package/.sinapse-ai/infrastructure/templates/safe-collab/safe-collaboration-rule.md

@@ -33,6 +33,17 @@ Before ANY work begins, the agent MUST:
 
 Types: `feat`, `fix`, `refactor`, `docs`, `chore`, `test`
 
+**User Detection (priority order):**
+1. `git config user.name` -> lookup in mapping table (case-insensitive)
+2. `$USERNAME` (Windows) or `$USER` (Unix) -> lookup
+3. Fallback: `dev/`
+
+| git config / env contains | Branch prefix |
+|----------------------------|---------------|
+| {{user1}} (case-insensitive) | `{{user1}}/` |
+| {{user2}} (case-insensitive) | `{{user2}}/` |
+| (anything else)              | `dev/`        |
+
 ## Before Every Commit — Safety Checks
 
 1. `git status` — verify only expected files changed

package/.sinapse-ai/install-manifest.yaml

@@ -7,10 +7,10 @@
 # - SHA256 hashes for change detection
 # - File types for categorization
 #
-version: 7.7.2
-generated_at: "2026-04-02T01:18:27.515Z"
+version: 7.7.4
+generated_at: "2026-04-03T00:06:05.314Z"
 generator: scripts/generate-install-manifest.js
-file_count: 1112
+file_count: 1117
 files:
   - path: cli/commands/config/index.js
     hash: sha256:66f111eceef0f60fa0a8904add783b615d55b01d5fe36408623c3dd828e702f6
@@ -189,9 +189,9 @@ files:
     type: cli
     size: 5907
   - path: core-config.yaml
-    hash: sha256:1dfc00cfc993bacb17f683aacdf898b856744a33a76183adab2d1c1896be8b31
+    hash: sha256:fc24a8286b20ec2558c90186e99124b96d26b287ff107b747c2b68b1102e0cc8
     type: config
-    size: 10514
+    size: 10513
   - path: core/code-intel/code-intel-client.js
     hash: sha256:6c9a08a37775acf90397aa079a4ad2c5edcc47f2cfd592b26ae9f3d154d1deb8
     type: core
@@ -1237,9 +1237,9 @@ files:
     type: data
     size: 9586
   - path: data/entity-registry.yaml
-    hash: sha256:0a28211d3375c09475cbcbe0753a0add546e8243d0853a99e998fd9fe642dcac
+    hash: sha256:265b44f0e9c36e85375f05ba88dbf19ed9033244a6eea338f4b8e3a4e453dd12
     type: data
-    size: 512100
+    size: 514885
   - path: data/learned-patterns.yaml
     hash: sha256:24ac0b160615583a0ff783d3da8af80b7f94191575d6db2054ec8e10a3f945dc
     type: data
@@ -3052,14 +3052,18 @@ files:
     hash: sha256:47b3f9044ce9b92b8c486a75da82afc4cc6b49d5d97e722ef5a1938fbf49943a
     type: script
     size: 40744
+  - path: infrastructure/scripts/codex-parity/catalog.js
+    hash: sha256:cfef97860788a119c44cbb18b4249ad538814f99a03b2ca13e66dd74aa8b5242
+    type: script
+    size: 3527
   - path: infrastructure/scripts/codex-skills-sync/index.js
-    hash: sha256:cea7c65175ebf5f1f7d47d0dc536e5889e420e6c137a41acd522be8b69fe6327
+    hash: sha256:9eb2637a4f1f6edeabf358734b14e4c709bed37560f2e40aebf1ea3ef4572c3c
     type: script
-    size: 5268
+    size: 7494
   - path: infrastructure/scripts/codex-skills-sync/validate.js
-    hash: sha256:07c2d17438890bc5bd3f2cc208692ff65f6d1f394390066ff9869e03973c7e2b
+    hash: sha256:1a1301d2e3f558bedf3a1ab2c5c9ee2868a4c253068311d5014987917f367443
     type: script
-    size: 4577
+    size: 5626
   - path: infrastructure/scripts/collect-tool-usage.js
     hash: sha256:510b621078602273fb146eef57d115b08988ea43d03eb5d92192050c13e95efe
     type: script
@@ -3372,6 +3376,10 @@ files:
     hash: sha256:ceb0450fa12fa48f0255bb4565858eb1a97b28c30b98d36cb61d52d72e08b054
     type: script
     size: 22394
+  - path: infrastructure/scripts/sync-codex-local-first.js
+    hash: sha256:ad5245ead7243a39cd5116f44fcf1234ad54b016e365dfefa017764a76f4f3eb
+    type: script
+    size: 4089
   - path: infrastructure/scripts/template-engine.js
     hash: sha256:de1bc8ce51eeabf6f6ec558d35107fbc4843ac76e3361044ba9f47bb6af4f058
     type: script
@@ -3420,22 +3428,30 @@ files:
     hash: sha256:4447fbf8cffdf20b34fad71eb4caf5aec0726f2b8f27cd49cd1bd59d69cdc009
     type: script
     size: 2838
+  - path: infrastructure/scripts/validate-codex-command-registry.js
+    hash: sha256:a37a4c5fc8a4c3a7ce7ba240aeea16abc0a75871751f66eeb84991604ff066bf
+    type: script
+    size: 7266
   - path: infrastructure/scripts/validate-codex-integration.js
-    hash: sha256:01065d27f1c9e002b3985f1b5090cf123369fcf528012c2ec8c4a02df9b3645e
+    hash: sha256:c553cc493ddbfecf41b865f8a1075df56b6500c3b2b315bae8b7e7bcec4db85a
     type: script
-    size: 4127
+    size: 4742
+  - path: infrastructure/scripts/validate-codex-sync.js
+    hash: sha256:f7f2963f995df0dc1fc0a4662146318aa4dba2699c8dbfc4fa748b3201b1db56
+    type: script
+    size: 4427
   - path: infrastructure/scripts/validate-output-pattern.js
     hash: sha256:91111d656e8d7b38a20a1bda753e663b74318f75cdab2025c7e0b84c775fc83d
     type: script
     size: 6692
   - path: infrastructure/scripts/validate-parity.js
-    hash: sha256:5cbd1c4458fb3e485872635e2210b3d3406c22381185039ef112db8912887201
+    hash: sha256:284c7715cc65b76579284024bbe5176b9230340d841dbfe79559c8f5844109cb
     type: script
-    size: 12121
+    size: 12266
   - path: infrastructure/scripts/validate-paths.js
-    hash: sha256:f657c32be91ed63e0b82d5b134b143d03174622eba60fb4b556adc570b8c7f5a
+    hash: sha256:942f6de9e621b7331f61dc915db5d24b987b67d1ae3377882330f7013dd214e9
     type: script
-    size: 3779
+    size: 3671
   - path: infrastructure/scripts/validate-user-profile.js
     hash: sha256:0f78a5aebd85b4b0d2a5b0f2d81ccbbbe0f2d25ed1cfcafeb129734852217683
     type: script
@@ -3508,6 +3524,10 @@ files:
     hash: sha256:4c9b70cacde88097d53f9d4d6e2319f65cabf6a076047195cdcf949d9e949512
     type: template
     size: 5567
+  - path: infrastructure/templates/safe-collab/apply.sh
+    hash: sha256:1f9d39834ff301e3ee1adf1779fc3dd9e22bd12c9a603f8ff11d430c1328ed82
+    type: template
+    size: 2738
   - path: infrastructure/templates/safe-collab/CODEOWNERS.template
     hash: sha256:988d5f6e373df03913d84c11cc42af42917f702920059ef296b2b236be7387e8
     type: template
@@ -3521,13 +3541,13 @@ files:
     type: template
     size: 338
   - path: infrastructure/templates/safe-collab/README.md
-    hash: sha256:7738672d855290ba8f039bf1b136650db75a948e57fc307136837cd121c4df42
+    hash: sha256:0b4f3d0ce9b7111d812917312ae504df976245d902eecfa501f73e7aa0719813
     type: template
-    size: 1024
+    size: 2179
   - path: infrastructure/templates/safe-collab/safe-collaboration-rule.md
-    hash: sha256:e68e7df44bcb54d1f9ae1d3b121027819b8a0a2ba7e6a20e0fd181c86301af5e
+    hash: sha256:9631681340fddc314080f9182b76ccfbb1ee3441d92ce181067e76cace960a5e
     type: template
-    size: 2449
+    size: 2871
   - path: infrastructure/templates/sinapse-sync.yaml.template
     hash: sha256:36ada7873fcbd5bab225b528c7be39035a12fc156135cc82c73d75782d7c53a2
     type: template

package/.sinapse-ai/project-config.yaml

@@ -70,7 +70,7 @@ github_integration:
         "style/": "style"
         "build/": "build"
       default_type: "feat"
-    auto_assign_reviewers: false
+    auto_assign_reviewers: true
     draft_by_default: false
   semantic_release:
     enabled: true

package/bin/utils/collab-start.js

@@ -0,0 +1,267 @@
+'use strict';
+
+const { execFileSync, execSync } = require('child_process');
+const path = require('path');
+
+function execGit(command) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  }).trim();
+}
+
+function safeExec(command) {
+  try {
+    return execGit(command);
+  } catch {
+    return '';
+  }
+}
+
+function parseArgs(argv) {
+  const parsed = {
+    adoptCurrent: false,
+    check: false,
+    type: 'feat',
+    owner: null,
+    storyId: null,
+    slug: null,
+  };
+
+  for (const arg of argv) {
+    if (arg === '--adopt-current') {
+      parsed.adoptCurrent = true;
+      continue;
+    }
+    if (arg === '--check') {
+      parsed.check = true;
+      continue;
+    }
+    if (arg.startsWith('--type=')) {
+      parsed.type = arg.split('=')[1] || parsed.type;
+      continue;
+    }
+    if (arg.startsWith('--owner=')) {
+      parsed.owner = arg.split('=')[1] || null;
+      continue;
+    }
+    if (!parsed.storyId) {
+      parsed.storyId = arg;
+      continue;
+    }
+    if (!parsed.slug) {
+      parsed.slug = arg;
+    }
+  }
+
+  return parsed;
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function getStatusLines() {
+  const output = safeExec('git status --porcelain');
+  return output ? output.split('\n').filter(Boolean) : [];
+}
+
+function sanitizeSegment(value) {
+  return String(value || '')
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .replace(/-{2,}/g, '-');
+}
+
+function detectOwnerPrefix(explicitOwner) {
+  if (explicitOwner) {
+    return sanitizeSegment(explicitOwner) || 'dev';
+  }
+
+  const rawSignals = [
+    safeExec('git config user.name'),
+    safeExec('git config user.email'),
+    process.env.USERNAME || '',
+    process.env.USER || '',
+  ]
+    .join(' ')
+    .toLowerCase();
+
+  if (/(caio|imori)/.test(rawSignals)) {
+    return 'caio';
+  }
+
+  if (/(matheus|soier|sawyer)/.test(rawSignals)) {
+    return 'soier';
+  }
+
+  return 'dev';
+}
+
+function buildWorkItemSlug(storyId, slug) {
+  const sanitizedStory = sanitizeSegment(storyId);
+  const sanitizedSlug = sanitizeSegment(slug || storyId);
+  if (!sanitizedSlug) {
+    return sanitizedStory;
+  }
+  if (!sanitizedStory) {
+    return sanitizedSlug;
+  }
+  return sanitizedSlug.startsWith(`${sanitizedStory}-`) || sanitizedSlug === sanitizedStory
+    ? sanitizedSlug
+    : `${sanitizedStory}-${sanitizedSlug}`;
+}
+
+function buildBranchName({ owner, type, storyId, slug }) {
+  return `${owner}/${sanitizeSegment(type) || 'feat'}/${buildWorkItemSlug(storyId, slug)}`;
+}
+
+function buildWorktreePath(worktreeKey) {
+  return path.join(process.cwd(), '.sinapse', 'worktrees', worktreeKey);
+}
+
+function ensureReadyDefaultBranch(defaultBranch) {
+  const branchName = getCurrentBranch();
+  const statusLines = getStatusLines();
+
+  if (branchName !== defaultBranch) {
+    throw new Error(
+      `Run collab:start from a clean '${defaultBranch}' checkout. Current branch: '${branchName}'.`,
+    );
+  }
+
+  if (statusLines.length > 0) {
+    throw new Error(
+      `Working tree is dirty on '${defaultBranch}'. Commit or stash your changes before opening a new worktree.`,
+    );
+  }
+}
+
+function ensureOnDefaultBranch(defaultBranch) {
+  const branchName = getCurrentBranch();
+  if (branchName !== defaultBranch) {
+    throw new Error(
+      `Run this command from '${defaultBranch}'. Current branch: '${branchName}'.`,
+    );
+  }
+}
+
+function ensureUpToDate(defaultBranch) {
+  execFileSync('git', ['fetch', 'origin'], {
+    stdio: ['ignore', 'ignore', 'pipe'],
+  });
+
+  const localSha = safeExec(`git rev-parse ${defaultBranch}`);
+  const remoteSha = safeExec(`git rev-parse origin/${defaultBranch}`);
+
+  if (localSha && remoteSha && localSha !== remoteSha) {
+    execFileSync('git', ['pull', '--ff-only', 'origin', defaultBranch], {
+      stdio: 'inherit',
+    });
+  }
+}
+
+function createWorktree({ branchName, defaultBranch, worktreePath }) {
+  execFileSync('git', ['worktree', 'add', worktreePath, '-b', branchName, defaultBranch], {
+    stdio: 'inherit',
+  });
+}
+
+function adoptCurrentWorkspace(branchName) {
+  execFileSync('git', ['checkout', '-b', branchName], {
+    stdio: 'inherit',
+  });
+}
+
+function runCheck() {
+  const defaultBranch = resolveDefaultBranch();
+  const currentBranch = getCurrentBranch();
+  const statusLines = getStatusLines();
+  const owner = detectOwnerPrefix(null);
+
+  console.log(`Default branch: ${defaultBranch}`);
+  console.log(`Current branch: ${currentBranch}`);
+  console.log(`Detected maintainer prefix: ${owner}`);
+  console.log(`Working tree clean: ${statusLines.length === 0 ? 'yes' : 'no'}`);
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.check) {
+    runCheck();
+    return;
+  }
+
+  if (!args.storyId) {
+    console.error(
+      'Usage: npm run collab:start -- <story-id> <slug> [--type=feat] [--owner=caio] [--adopt-current]',
+    );
+    process.exit(1);
+  }
+
+  const defaultBranch = resolveDefaultBranch();
+  const owner = detectOwnerPrefix(args.owner);
+  const branchName = buildBranchName({
+    owner,
+    type: args.type,
+    storyId: args.storyId,
+    slug: args.slug,
+  });
+  const worktreeKey = sanitizeSegment(branchName.replace(/\//g, '-'));
+  const worktreePath = buildWorktreePath(worktreeKey);
+
+  try {
+    if (args.adoptCurrent) {
+      ensureOnDefaultBranch(defaultBranch);
+      adoptCurrentWorkspace(branchName);
+    } else {
+      ensureReadyDefaultBranch(defaultBranch);
+      ensureUpToDate(defaultBranch);
+      createWorktree({ branchName, defaultBranch, worktreePath });
+    }
+  } catch (error) {
+    console.error('');
+    console.error(`collab:start failed: ${error.message}`);
+    console.error('');
+    process.exit(1);
+  }
+
+  console.log('');
+  if (args.adoptCurrent) {
+    console.log('Current workspace adopted into a safe maintainer branch.');
+    console.log(`Branch: ${branchName}`);
+    console.log('');
+    console.log('Continue working in the current directory, now outside main.');
+  } else {
+    console.log('Safe maintainer workspace created.');
+    console.log(`Branch:   ${branchName}`);
+    console.log(`Worktree: ${worktreePath}`);
+    console.log('');
+    console.log(`Next step: cd "${worktreePath}"`);
+  }
+  console.log('');
+}
+
+module.exports = {
+  buildBranchName,
+  buildWorkItemSlug,
+  detectOwnerPrefix,
+  parseArgs,
+  resolveDefaultBranch,
+  sanitizeSegment,
+};
+
+if (require.main === module) {
+  main();
+}

package/bin/utils/git-branch-guard.js

@@ -0,0 +1,76 @@
+'use strict';
+
+const { execSync } = require('child_process');
+
+function execGit(command, options = {}) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+    ...options,
+  }).trim();
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function getStagedFiles() {
+  try {
+    const output = execGit('git diff --cached --name-only');
+    return output ? output.split('\n').filter(Boolean) : [];
+  } catch {
+    return [];
+  }
+}
+
+function shouldBlockCommit({ branchName, defaultBranch, stagedFiles }) {
+  const protectedBranches = new Set([defaultBranch, 'master']);
+  return Boolean(stagedFiles.length) && (protectedBranches.has(branchName) || branchName === 'HEAD');
+}
+
+function main() {
+  const defaultBranch = resolveDefaultBranch();
+  const branchName = getCurrentBranch();
+  const stagedFiles = getStagedFiles();
+
+  if (!shouldBlockCommit({ branchName, defaultBranch, stagedFiles })) {
+    process.exit(0);
+  }
+
+  console.error('');
+  console.error('Git Branch Guard: commit blocked.');
+  console.error('');
+  if (branchName === 'HEAD') {
+    console.error('You are in detached HEAD state. Create an isolated branch or worktree first.');
+  } else {
+    console.error(`Commits are blocked on the protected branch '${branchName}'.`);
+  }
+  console.error('');
+  console.error('Start a safe maintainer workspace first:');
+  console.error('  npm run collab:start -- <story-id> <slug>');
+  console.error('');
+  console.error('Example:');
+  console.error('  npm run collab:start -- 7.7.4 codex-collab-hardening');
+  console.error('');
+  process.exit(1);
+}
+
+module.exports = {
+  getCurrentBranch,
+  getStagedFiles,
+  resolveDefaultBranch,
+  shouldBlockCommit,
+};
+
+if (require.main === module) {
+  main();
+}

package/bin/utils/pre-push-safety.js

@@ -0,0 +1,110 @@
+'use strict';
+
+const { execFileSync, execSync, spawnSync } = require('child_process');
+const fs = require('fs');
+
+function execGit(command) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  }).trim();
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function parsePushRefs(stdinBuffer) {
+  const payload = stdinBuffer.toString('utf8').trim();
+  if (!payload) {
+    return [];
+  }
+
+  return payload
+    .split('\n')
+    .filter(Boolean)
+    .map((line) => {
+      const [localRef, localSha, remoteRef, remoteSha] = line.trim().split(/\s+/);
+      return { localRef, localSha, remoteRef, remoteSha };
+    });
+}
+
+function isProtectedPushTarget(remoteRef, defaultBranch) {
+  return remoteRef === `refs/heads/${defaultBranch}` || remoteRef === 'refs/heads/master';
+}
+
+function branchContainsRemoteDefault(defaultBranch) {
+  const result = spawnSync('git', ['merge-base', '--is-ancestor', `origin/${defaultBranch}`, 'HEAD'], {
+    stdio: 'ignore',
+  });
+  return result.status === 0;
+}
+
+function fetchRemoteDefault(defaultBranch) {
+  execFileSync('git', ['fetch', 'origin', defaultBranch, '--quiet'], {
+    stdio: ['ignore', 'ignore', 'pipe'],
+  });
+}
+
+function main() {
+  const defaultBranch = resolveDefaultBranch();
+  const branchName = getCurrentBranch();
+  const refs = parsePushRefs(fs.readFileSync(0));
+
+  if (branchName === defaultBranch || branchName === 'master') {
+    console.error('');
+    console.error(`Pre-push Safety: push blocked on protected branch '${branchName}'.`);
+    console.error('Open a feature branch or worktree first.');
+    console.error('');
+    process.exit(1);
+  }
+
+  if (refs.some((ref) => isProtectedPushTarget(ref.remoteRef, defaultBranch))) {
+    console.error('');
+    console.error(`Pre-push Safety: direct push to '${defaultBranch}' is blocked.`);
+    console.error('Open a pull request instead.');
+    console.error('');
+    process.exit(1);
+  }
+
+  try {
+    fetchRemoteDefault(defaultBranch);
+  } catch {
+    console.error('');
+    console.error(`Pre-push Safety: could not fetch origin/${defaultBranch}.`);
+    console.error('Sync with the remote before pushing.');
+    console.error('');
+    process.exit(1);
+  }
+
+  if (!branchContainsRemoteDefault(defaultBranch)) {
+    console.error('');
+    console.error(`Pre-push Safety: your branch is missing commits from origin/${defaultBranch}.`);
+    console.error(`Merge or rebase origin/${defaultBranch} before pushing.`);
+    console.error('');
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+module.exports = {
+  branchContainsRemoteDefault,
+  getCurrentBranch,
+  isProtectedPushTarget,
+  parsePushRefs,
+  resolveDefaultBranch,
+};
+
+if (require.main === module) {
+  main();
+}