Improve CLI release and org switching

.claude/settings.local.json → .claude/settings.json

@@ -29,9 +29,7 @@
       "Bash(pgrep:*)",
       "Bash(timeout:*)",
       "Bash(gtimeout:*)",
-      "Bash(source:*)",
       "Bash(unalias:*)",
-      "Bash(open:*)",
       "Bash(git add:*)",
       "Bash(git commit:*)",
       "Bash(git status:*)",
@@ -40,7 +38,6 @@
       "Bash(git fetch:*)",
       "Bash(git pull:*)",
       "Bash(git checkout:*)",
-      "Bash(git rm:*)",
       "Bash(git tag:*)",
       "Bash(git stash:*)",
       "Bash(git worktree:*)",
@@ -69,22 +66,9 @@
       "Bash(npm run test:*)",
       "Bash(npm run dev:*)",
       "Bash(npm test)",
-      "Bash(npx:*)",
       "Bash(claude --version)",
-      "Bash(claude mcp:*)",
       "Bash(./scripts/test-db.sh:*)",
       "WebSearch",
-      "WebFetch(domain:docs.anthropic.com)",
-      "WebFetch(domain:github.com)",
-      "WebFetch(domain:supabase.com)",
-      "WebFetch(domain:goo.gle)",
-      "WebFetch(domain:docs.developers.webflow.com)",
-      "WebFetch(domain:developers.webflow.com)",
-      "WebFetch(domain:loops.so)",
-      "WebFetch(domain:knock.app)",
-      "WebFetch(domain:www.emailtooltester.com)",
-      "WebFetch(domain:www.implicator.ai)",
-      "WebFetch(domain:codingforseo.com)",
       "Edit",
       "Write",
       "MultiEdit",
@@ -99,7 +83,6 @@
       "mcp__supabase__get_logs",
       "mcp__supabase__list_projects",
       "mcp__supabase__list_tables",
-      "mcp__supabase__execute_sql",
       "mcp__plugin_serena_serena__initial_instructions",
       "mcp__plugin_serena_serena__list_dir",
       "mcp__plugin_serena_serena__get_symbols_overview",
@@ -119,9 +102,20 @@
       "Bash(bash scripts/pr-status-check.sh)",
       "Bash(bash scripts/pr-comment-reply.sh:*)",
       "Bash(bash scripts/pr-comment-reply.sh)",
-      "Bash(npm audit:*)"
+      "Bash(npm audit:*)",
+      "Bash(git show:*)",
+      "Bash(npx prettier --write:*)",
+      "Bash(npx eslint --fix:*)"
     ],
-    "deny": []
+    "deny": [
+      "Bash(git push --force:*)",
+      "Bash(git reset --hard:*)",
+      "Bash(rm -rf:*)",
+      "Bash(npm publish:*)"
+    ]
+  },
+  "env": {
+    "PATH": "/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
   },
   "enableAllProjectMcpServers": false
 }

.github/workflows/auto-release.yml

@@ -70,80 +70,19 @@ jobs:
 
             core.setOutput('should_skip', shouldSkip ? 'true' : 'false');
 
-      - name: Check changelog for release marker
+      - name: Check changelog and calculate version
         id: check
         run: |
-          # Check if CHANGELOG.md has [Unreleased:*] and non-empty content under it
-          if grep -q "^## \[Unreleased" CHANGELOG.md; then
-            # Extract the release type from changelog
-            CHANGELOG_HEADER=$(grep "^## \[Unreleased" CHANGELOG.md | head -1)
-
-            if echo "$CHANGELOG_HEADER" | grep -qi "\[Unreleased:major\]"; then
-              RELEASE_TYPE="major"
-            elif echo "$CHANGELOG_HEADER" | grep -qi "\[Unreleased:minor\]"; then
-              RELEASE_TYPE="minor"
-            else
-              # Default to patch for [Unreleased] or [Unreleased:patch]
-              RELEASE_TYPE="patch"
-            fi
-
-            # Extract content between [Unreleased] and next version header
-            UNRELEASED_CONTENT=$(awk '/^## \[Unreleased/ {flag=1; next} /^## \[[0-9]/ {flag=0} flag' CHANGELOG.md)
-
-            # Only create release when there is actual content (non-blank)
-            if [ -z "$(echo "$UNRELEASED_CONTENT" | grep -v '^[[:space:]]*$')" ]; then
-              echo "should_release=false" >> $GITHUB_OUTPUT
-              echo "Unreleased section is empty - skipping release"
-            else
-              echo "should_release=true" >> $GITHUB_OUTPUT
-              echo "release_type=$RELEASE_TYPE" >> $GITHUB_OUTPUT
-              echo "Detected release type: $RELEASE_TYPE"
-            fi
-          else
-            echo "should_release=false" >> $GITHUB_OUTPUT
-            echo "No [Unreleased] section found - skipping release"
-          fi
-
-      - name: Determine version bump
-        if:
-          steps.check.outputs.should_release == 'true' &&
-          steps.skip.outputs.should_skip != 'true'
-        id: bump
-        run: |
-          # Get current version (strip 'v' prefix and any suffix)
-          CURRENT_TAG=$(git tag -l 'v[0-9]*' --sort=-version:refname | head -1)
-          CURRENT_TAG=${CURRENT_TAG:-v0.6.4}
-          CURRENT_VERSION=${CURRENT_TAG#v}
-          CURRENT_VERSION=${CURRENT_VERSION%%-*}
-
-          # Parse version components
-          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
-
-          # Determine bump type from changelog
-          RELEASE_TYPE="${{ steps.check.outputs.release_type }}"
-
-          if [ "$RELEASE_TYPE" = "major" ]; then
-            MAJOR=$((MAJOR + 1))
-            MINOR=0
-            PATCH=0
-          elif [ "$RELEASE_TYPE" = "minor" ]; then
-            MINOR=$((MINOR + 1))
-            PATCH=0
-          else
-            # Default: patch bump
-            PATCH=$((PATCH + 1))
-          fi
-
-          NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}"
-          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "Next version: $NEW_VERSION"
+          # Use shared script for changelog parsing and version calculation
+          bash scripts/changelog-version.sh
 
       - name: Update changelog
         if:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
+        env:
+          NEW_VERSION: ${{ steps.check.outputs.next_version }}
         run: |
-          NEW_VERSION="${{ steps.bump.outputs.new_version }}"
           VERSION_NO_V="${NEW_VERSION#v}"
           TODAY=$(date +%Y-%m-%d)
 
@@ -175,7 +114,7 @@ jobs:
           PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
           if [ -z "$PREV_TAG" ]; then
             echo "cli_changed=true" >> $GITHUB_OUTPUT
-          elif git diff --name-only "$PREV_TAG"..HEAD -- cmd/hover/ | grep -q .; then
+          elif git diff --name-only "$PREV_TAG"..HEAD -- cmd/hover/ npm/ | grep -q .; then
             echo "cli_changed=true" >> $GITHUB_OUTPUT
             echo "CLI code changed since $PREV_TAG"
           else
@@ -187,11 +126,13 @@ jobs:
         if:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
+        env:
+          NEW_VERSION: ${{ steps.check.outputs.next_version }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a "${{ steps.bump.outputs.new_version }}" -m "Release ${{ steps.bump.outputs.new_version }}"
-          git push origin "${{ steps.bump.outputs.new_version }}"
+          git tag -a "$NEW_VERSION" -m "Release $NEW_VERSION"
+          git push origin "$NEW_VERSION"
 
       - name: Create and push CLI tag
         if:
@@ -200,7 +141,7 @@ jobs:
           steps.cli.outputs.cli_changed == 'true'
         run: |
           # Independent CLI version — find latest cli-v* tag and bump patch
-          LATEST_CLI_TAG=$(git tag -l 'cli-v*' --sort=-version:refname | head -1)
+          LATEST_CLI_TAG=$(git tag -l 'cli-v[0-9]*.[0-9]*.[0-9]*' --sort=-version:refname | head -1)
           if [ -z "$LATEST_CLI_TAG" ]; then
             CLI_VERSION="cli-v0.1.0"
           else
@@ -217,17 +158,18 @@ jobs:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
         id: changelog
+        env:
+          NEW_VERSION: ${{ steps.check.outputs.next_version }}
         run: |
-          VERSION_NO_V="${{ steps.bump.outputs.new_version }}"
-          VERSION_NO_V="${VERSION_NO_V#v}"
+          VERSION_NO_V="${NEW_VERSION#v}"
 
           # Extract content for this version from updated CHANGELOG.md
           # Get content between this version header and the next version header
           # Use awk to stop before the next version header (more reliable than sed)
           CHANGELOG_CONTENT=$(awk "/^## \[$VERSION_NO_V\]/ {flag=1; next} /^## \[/ {flag=0} flag" CHANGELOG.md)
 
           # Save to file to preserve newlines
-          echo "$CHANGELOG_CONTENT" > /tmp/changelog_extract.md
+          echo "$CHANGELOG_CONTENT" > "$RUNNER_TEMP/changelog_extract.md"
 
           echo "Extracted changelog content for $VERSION_NO_V"
 
@@ -236,10 +178,14 @@ jobs:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
         uses: actions/github-script@v8
+        env:
+          NEW_VERSION: ${{ steps.check.outputs.next_version }}
+          RUNNER_TEMP: ${{ runner.temp }}
         with:
           script: |
             const fs = require('fs');
-            const newVersion = '${{ steps.bump.outputs.new_version }}';
+            const newVersion = process.env.NEW_VERSION;
+            const runnerTemp = process.env.RUNNER_TEMP;
             const prNumber = context.payload.pull_request && context.payload.pull_request.number;
             const prTitle = context.payload.pull_request && context.payload.pull_request.title;
             const commitSha = context.sha;
@@ -248,7 +194,7 @@ jobs:
             // Read changelog content
             let changelogContent = '';
             try {
-              changelogContent = fs.readFileSync('/tmp/changelog_extract.md', 'utf8').trim();
+              changelogContent = fs.readFileSync(`${runnerTemp}/changelog_extract.md`, 'utf8').trim();
             } catch (err) {
               console.log('Could not read changelog extract:', err);
               changelogContent = `Automated release from PR #${prNumber}: ${prTitle}`;

.github/workflows/changelog-check.yml

@@ -6,6 +6,7 @@ on:
       - main
     paths-ignore:
       - "**.md"
+      - "!CHANGELOG.md"
       - "docs/**"
       - "LICENSE"
       - ".gitignore"
@@ -31,8 +32,10 @@ jobs:
 
       - name: Check for changelog updates
         id: check
+        env:
+          COMPARE_REF: origin/main
         run: |
-          # Check if CHANGELOG.md has content under [Unreleased]
+          # Fail with helpful message if [Unreleased] section is missing
           if ! grep -q "^## \[Unreleased" CHANGELOG.md; then
             echo "❌ ERROR: No [Unreleased] section found in CHANGELOG.md"
             echo ""
@@ -43,57 +46,35 @@ jobs:
             exit 1
           fi
 
-          # Extract content between [Unreleased] and next version header
-          UNRELEASED_CONTENT=$(sed -n '/^## \[Unreleased/,/^## \[0-9/p' CHANGELOG.md | sed '$d' | tail -n +2)
+          # Use shared script for changelog parsing and version calculation
+          bash scripts/changelog-version.sh
 
-          # Check if there's actual content (not just whitespace)
-          if [ -z "$(echo "$UNRELEASED_CONTENT" | grep -v '^[[:space:]]*$')" ]; then
-            echo "⚠️  [Unreleased] section is empty - release will have blank changelog"
-          else
+          # Report status
+          if grep -q 'should_release=true' "$GITHUB_OUTPUT"; then
             echo "✅ Changelog has been updated with changes"
-          fi
-
-          # Determine release type from changelog header
-          CHANGELOG_HEADER=$(grep "^## \[Unreleased" CHANGELOG.md | head -1)
-
-          if echo "$CHANGELOG_HEADER" | grep -qi "\[Unreleased:major\]"; then
-            RELEASE_TYPE="major"
-          elif echo "$CHANGELOG_HEADER" | grep -qi "\[Unreleased:minor\]"; then
-            RELEASE_TYPE="minor"
-          else
-            RELEASE_TYPE="patch"
-          fi
-
-          echo "release_type=$RELEASE_TYPE" >> $GITHUB_OUTPUT
-
-          # Calculate next version
-          CURRENT_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.6.4")
-          CURRENT_VERSION=${CURRENT_TAG#v}
-          CURRENT_VERSION=${CURRENT_VERSION%%-*}
-
-          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
-
-          if [ "$RELEASE_TYPE" = "major" ]; then
-            MAJOR=$((MAJOR + 1))
-            MINOR=0
-            PATCH=0
-          elif [ "$RELEASE_TYPE" = "minor" ]; then
-            MINOR=$((MINOR + 1))
-            PATCH=0
           else
-            PATCH=$((PATCH + 1))
+            echo "⚠️  [Unreleased] section is empty — release will have blank changelog"
           fi
 
-          NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}"
-          echo "next_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "Next version will be: $NEW_VERSION"
-
       - name: Comment on PR with version info
         uses: actions/github-script@v8
+        env:
+          RELEASE_TYPE: ${{ steps.check.outputs.release_type }}
+          CURRENT_VERSION: ${{ steps.check.outputs.current_version }}
+          NEXT_VERSION: ${{ steps.check.outputs.next_version }}
+          CLI_CHANGED: ${{ steps.check.outputs.cli_changed }}
+          CLI_CURRENT: ${{ steps.check.outputs.cli_current }}
+          CLI_NEXT: ${{ steps.check.outputs.cli_next }}
+          CHANGELOG_CONTENT: ${{ steps.check.outputs.changelog_content }}
         with:
           script: |
-            const releaseType = '${{ steps.check.outputs.release_type }}';
-            const nextVersion = '${{ steps.check.outputs.next_version }}';
+            const releaseType = process.env.RELEASE_TYPE;
+            const currentVersion = process.env.CURRENT_VERSION;
+            const nextVersion = process.env.NEXT_VERSION;
+            const cliChanged = process.env.CLI_CHANGED === 'true';
+            const cliCurrent = process.env.CLI_CURRENT;
+            const cliNext = process.env.CLI_NEXT;
+            const changelogContent = (process.env.CHANGELOG_CONTENT || '').trim();
 
             const isThrottleError = (error) => {
               const status = error?.status;
@@ -119,22 +100,18 @@ jobs:
               }
             };
 
-            const body = `## 🏷️ Release Preview
-
-            When this PR is merged, it will automatically create:
-
-            - **Version:** \`${nextVersion}\` (${releaseType} release)
-            - **Tag:** \`${nextVersion}\`
-            - **GitHub Release:** Pre-release with changelog content
-
-            The changelog will be updated and committed automatically.
-
-            ---
-
-            💡 **Tip:** Update the changelog heading to control release type:
-            - \`## [Unreleased]\` or \`## [Unreleased:patch]\` → patch release (default)
-            - \`## [Unreleased:minor]\` → minor release
-            - \`## [Unreleased:major]\` → major release`;
+            const lines = [
+              `# Release Versions`,
+              ``,
+              `**App** ${releaseType}: \`${currentVersion}\` → \`${nextVersion}\``,
+            ];
+            if (cliChanged) {
+              lines.push(`**CLI** patch: \`${cliCurrent}\` → \`${cliNext}\``);
+            }
+            if (changelogContent) {
+              lines.push(``, `# Changelog`, ``, changelogContent);
+            }
+            const body = lines.join('\n');
 
             try {
               // Find existing comment
@@ -146,7 +123,7 @@ jobs:
 
               const botComment = comments.find(comment =>
                 comment.user.type === 'Bot' &&
-                comment.body.includes('🏷️ Release Preview')
+                (comment.body.includes('Release Versions') || comment.body.includes('Release Preview'))
               );
 
               if (botComment) {

.github/workflows/cleanup-orphaned-apps.yml

@@ -20,7 +20,7 @@ jobs:
           FLY_API_TOKEN: op://Good Native/hover-fly/FLY_API_TOKEN
 
       - name: Setup Fly.io CLI
-        uses: superfly/flyctl-actions/setup-flyctl@master
+        uses: superfly/flyctl-actions/setup-flyctl@63da3ecc5e2793b98a3f2519b3d75d4f4c11cec2 # pinned
 
       - name: Find and destroy orphaned preview apps
         env:

.github/workflows/fly-deploy.yml

@@ -38,5 +38,5 @@ jobs:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           FLY_API_TOKEN: op://Good Native/hover-fly/FLY_API_TOKEN
 
-      - uses: superfly/flyctl-actions/setup-flyctl@master
+      - uses: superfly/flyctl-actions/setup-flyctl@63da3ecc5e2793b98a3f2519b3d75d4f4c11cec2 # pinned
       - run: flyctl deploy --remote-only