chore(deps): update dependency github:d-kuro/gwq to v0.1.1

[renovate]

This PR contains the following updates:

Package	Update	Change
github:d-kuro/gwq	minor	0.0.19 → 0.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

d-kuro/gwq (github:d-kuro/gwq)

v0.1.1

Compare Source

Release v0.1.1

🎉 New Features

Template variables in setup_commands (#​110)

Each string in [[repository_settings]].setup_commands is now rendered with Go text/template before being executed via POSIX sh -c. Available variables:

Variable	Example
{{.Host}}	github.com (empty if no remote)
{{.Owner}}	d-kuro (empty if no remote)
{{.Repository}}	gwq (empty if no remote)
{{.Branch}}	feature/new-ui (raw, not filesystem-sanitized)
{{.Hash}}	a1b2c3d4 (empty if no remote)
{{.Path}}	absolute worktree path

{{.Path}} is new; the others are the same set that naming.template already recognized.

Because each entry is shelled out through sh -c, familiar shell features (~ expansion, &&, pipes, command substitution, quoting) now work without a wrapper:

[[repository_settings]]
repository = "~/src/myproject"
setup_commands = [
    # Write metadata about the worktree to a local file
    'printf "branch=%s\npath=%s\n" "{{.Branch}}" "{{.Path}}" > .worktree-info',
    # Create a per-worktree build directory (quote {{.Path}} in case it has spaces)
    'mkdir -p "{{.Path}}/build"',
    # Append a line to a history file so you can audit created worktrees
    'echo "{{.Branch}} -> {{.Path}}" >> ~/.gwq-history',
]

Commands that reference an unknown key (e.g. {{.Typo}}) are skipped with a [gwq] setup command template error: ... warning on stderr — they are never passed to the shell with a literal {{ ... }} in them. When the repository has no resolvable origin, {{.Branch}} and {{.Path}} still render and the remote-derived fields remain empty so commands depending only on those two variables keep working.

Closes #​106.

⚠️ Breaking Changes

1. setup_commands entries are no longer tokenized with strings.Fields and passed to exec.Command; each entry is now executed with sh -c. Configs that relied on whitespace-split argv semantics, unescaped shell metacharacters, or literal * (which would have been passed verbatim before) may behave differently and should be quoted as regular shell commands.
2. setup_commands strings pass through text/template. Commands that contain literal {{ or }} must escape them using Go template syntax ({{"{{"}}), otherwise the template will fail to parse and the command will be skipped.

📦 Upgrade Instructions

Homebrew:

brew upgrade d-kuro/tap/gwq

Go:

go install github.com/d-kuro/gwq/cmd/[email protected]

Full Changelog: d-kuro/gwq@v0.1.0...v0.1.1

v0.1.0

Compare Source

Release v0.1.0

🔒 Security Fixes

Gate local .gwq.toml behind a trust prompt (#​108)

Fixes a privilege escalation vector where any .gwq.toml in the current working directory was merged into global configuration on every subcommand. A hostile repository could ship a .gwq.toml with repository_settings.setup_commands and silently run arbitrary code on the next gwq add.

New behavior:

• Local .gwq.toml is untrusted until you explicitly accept it. The prompt appears the first time gwq sees a given (absolute path, SHA-256) pair and is persisted to ~/.config/gwq/trusted_configs.json (mode 0600, atomic rename, symlink-guarded), direnv-style.
• A content change to a previously-trusted .gwq.toml invalidates the decision and re-prompts.
• Control bytes (C0/C1, CR, DEL) in the displayed file contents are escaped to \xHH so a hostile config cannot forge the [y/N] prompt via ANSI sequences. Large files are truncated to 4 KiB.
• Prompt and warning output go to stderr so shell integration that uses stdout as a protocol (gwq cd, completion) is not corrupted.
• Non-regular files (directory, FIFO) and non-TTY sessions are skipped with a stderr warning instead of prompting — existing CI and scripted usage with no .gwq.toml is unaffected.

Behavior matrix:

situation	outcome
no .gwq.toml	no disk read, no prompt (lazy load)
.gwq.toml already trusted (same hash)	silent merge
new .gwq.toml in TTY	prompt with sanitized contents; y / yes merges and persists
file content changed since last accept	re-prompt
deny (n, Enter, EOF)	stderr warning, file skipped, command continues
non-TTY / CI	stderr warning, file skipped, no prompt
non-regular file	stderr warning, file skipped
trust store path is a symlink	gwq refuses to write; symlink target untouched

To revoke trust for a previously-accepted config, delete or edit ~/.config/gwq/trusted_configs.json. A dedicated gwq config trust/untrust subcommand is not included in this release.

⚠️ Breaking Changes

• A .gwq.toml in the current directory is no longer merged automatically. The first time gwq sees one in an interactive shell, you must confirm at a [y/N] prompt. Users who relied on implicit merge (including repository_settings.setup_commands) will need to accept the prompt once per file-content version.
• In non-TTY environments (CI, scripts, pipes), .gwq.toml is never merged and is skipped with a stderr warning. If you depended on local config in CI, move those settings to the global ~/.config/gwq/config.toml or wire up trust explicitly by editing ~/.config/gwq/trusted_configs.json.

📦 Upgrade Instructions

Homebrew:

brew upgrade d-kuro/tap/gwq

Go:

go install github.com/d-kuro/gwq/cmd/[email protected]

Full Changelog: d-kuro/gwq@v0.0.20...v0.1.0

v0.0.20

Compare Source

Release v0.0.20

🎉 New Features

Auto-cd on gwq add under shell integration (#​103)

When shell integration is enabled with cd.launch_shell = false, gwq add can now change the current shell's directory to the newly created worktree instead of spawning a nested sub-shell.

Two mechanisms:

1. --stay (-s) now does a true cd under shell integration. Previously it always spawned a nested shell, even when cd.launch_shell = false. Now it reuses the same __GWQ_CD_SHIM pipeline as gwq cd and cds the parent shell.
2. New cd.auto_cd_on_add config (default false) — when true under shell integration, any successful gwq add auto-cds into the new worktree without needing -s.

Configuration:

[cd]
launch_shell = false
auto_cd_on_add = true  # optional

Setup (same as gwq cd):

# bash (~/.bashrc)
source <(gwq completion bash)

# zsh (~/.zshrc)
source <(gwq completion zsh)

# fish (~/.config/fish/config.fish)
gwq completion fish | source

After reloading your shell, gwq add -s feature/x (or plain gwq add feature/x with auto_cd_on_add = true) lands you inside the new worktree with no nested shell.

Behavior details

• Outside shell integration (cd.launch_shell = true or wrapper not sourced), --stay still spawns a sub-shell as before.
• Under shell integration, gwq add routes success messages to stderr so stdout can carry the worktree path for the wrapper to consume. Non-shim stdout behavior is unchanged, so gwq add >log.txt still captures the success lines.
• PowerShell is completion-only (no shell integration).

🐛 Bug Fixes

• gwq add --expires <invalid> no longer creates a stray worktree. The duration is now parsed before the worktree is created, so invalid values fail fast.

📦 Upgrade Instructions

Homebrew:

brew upgrade d-kuro/tap/gwq

Go:

go install github.com/d-kuro/gwq/cmd/[email protected]

Full Changelog: d-kuro/gwq@v0.0.19...v0.0.20

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.