chore(deps): update dependency github:d-kuro/gwq to v0.1.0 #927

Open
renovate[bot] wants to merge 1 commit into main from renovate/github-d-kuro-gwq-0.x

@renovate renovate Bot commented May 2, 2026

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| github:d-kuro/gwq | minor | 0.0.19 → 0.1.0 | v0.1.1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

d-kuro/gwq (github:d-kuro/gwq)

v0.1.0

Release v0.1.0

🔒 Security Fixes

Gate local .gwq.toml behind a trust prompt (#108)

Fixes a privilege escalation vector where any .gwq.toml in the current working directory was merged into global configuration on every subcommand. A hostile repository could ship a .gwq.toml with repository_settings.setup_commands and silently run arbitrary code on the next gwq add.

New behavior:

  • Local .gwq.toml is untrusted until you explicitly accept it. The prompt appears the first time gwq sees a given (absolute path, SHA-256) pair and is persisted to ~/.config/gwq/trusted_configs.json (mode 0600, atomic rename, symlink-guarded), direnv-style.
  • A content change to a previously-trusted .gwq.toml invalidates the decision and re-prompts.
  • Control bytes (C0/C1, CR, DEL) in the displayed file contents are escaped to \xHH so a hostile config cannot forge the [y/N] prompt via ANSI sequences. Large files are truncated to 4 KiB.
  • Prompt and warning output go to stderr so shell integration that uses stdout as a protocol (gwq cd, completion) is not corrupted.
  • Non-regular files (directory, FIFO) and non-TTY sessions are skipped with a stderr warning instead of prompting — existing CI and scripted usage with no .gwq.toml is unaffected.

Behavior matrix:

| situation | outcome |
|---|---|
| no .gwq.toml | no disk read, no prompt (lazy load) |
| .gwq.toml already trusted (same hash) | silent merge |
| new .gwq.toml in TTY | prompt with sanitized contents; y / yes merges and persists |
| file content changed since last accept | re-prompt |
| deny (n, Enter, EOF) | stderr warning, file skipped, command continues |
| non-TTY / CI | stderr warning, file skipped, no prompt |
| non-regular file | stderr warning, file skipped |
| trust store path is a symlink | gwq refuses to write; symlink target untouched |

To revoke trust for a previously-accepted config, delete or edit ~/.config/gwq/trusted_configs.json. A dedicated gwq config trust/untrust subcommand is not included in this release.

⚠️ Breaking Changes

  • A .gwq.toml in the current directory is no longer merged automatically. The first time gwq sees one in an interactive shell, you must confirm at a [y/N] prompt. Users who relied on implicit merge (including repository_settings.setup_commands) will need to accept the prompt once per file-content version.
  • In non-TTY environments (CI, scripts, pipes), .gwq.toml is never merged and is skipped with a stderr warning. If you depended on local config in CI, move those settings to the global ~/.config/gwq/config.toml or wire up trust explicitly by editing ~/.config/gwq/trusted_configs.json.

📦 Upgrade Instructions

Homebrew:

brew upgrade d-kuro/tap/gwq

Go:

go install github.com/d-kuro/gwq/cmd/gwq@v0.1.0

Full Changelog: d-kuro/gwq@v0.0.20...v0.1.0

v0.0.20

Release v0.0.20

🎉 New Features

Auto-cd on gwq add under shell integration (#103)

When shell integration is enabled with cd.launch_shell = false, gwq add can now change the current shell's directory to the newly created worktree instead of spawning a nested sub-shell.

Two mechanisms:

  1. --stay (-s) now does a true cd under shell integration. Previously it always spawned a nested shell, even when cd.launch_shell = false. Now it reuses the same __GWQ_CD_SHIM pipeline as gwq cd and cds the parent shell.
  2. New cd.auto_cd_on_add config (default false) — when true under shell integration, any successful gwq add auto-cds into the new worktree without needing -s.

Configuration:

[cd]
launch_shell = false
auto_cd_on_add = true  # optional

Setup (same as gwq cd):

# bash (~/.bashrc)
source <(gwq completion bash)

# zsh (~/.zshrc)
source <(gwq completion zsh)

# fish (~/.config/fish/config.fish)
gwq completion fish | source

After reloading your shell, gwq add -s feature/x (or plain gwq add feature/x with auto_cd_on_add = true) lands you inside the new worktree with no nested shell.

Behavior details
  • Outside shell integration (cd.launch_shell = true or wrapper not sourced), --stay still spawns a sub-shell as before.
  • Under shell integration, gwq add routes success messages to stderr so stdout can carry the worktree path for the wrapper to consume. Non-shim stdout behavior is unchanged, so gwq add >log.txt still captures the success lines.
  • PowerShell is completion-only (no shell integration).

🐛 Bug Fixes

  • gwq add --expires <invalid> no longer creates a stray worktree. The duration is now parsed before the worktree is created, so invalid values fail fast.

📦 Upgrade Instructions

Homebrew:

brew upgrade d-kuro/tap/gwq

Go:

go install github.com/d-kuro/gwq/cmd/gwq@v0.0.20

Full Changelog: d-kuro/gwq@v0.0.19...v0.0.20


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
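
The trust rule from the v0.1.0 release notes above, sketched in Go as an added example (not gwq's own code): a decision is keyed on the absolute path plus the SHA-256 of the content, and the store is written through a 0600 temp file and rename after refusing a symlinked path. The `Store` type, its JSON layout and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Store (assumed layout): absolute config path -> SHA-256 of accepted content.
type Store map[string]string

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Trusted is true only for the exact bytes accepted earlier at this path.
func (s Store) Trusted(absPath string, content []byte) bool {
	return s[absPath] == digest(content)
}

// Save refuses a symlinked path, then writes a 0600 temp file and renames it.
func (s Store) Save(storePath string) error {
	if fi, err := os.Lstat(storePath); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return errors.New("trust store path is a symlink; refusing to write")
	}
	data, err := json.MarshalIndent(s, "", "  ")
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(storePath), ".trusted-*.tmp") // created 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	_, werr := tmp.Write(data)
	if cerr := tmp.Close(); werr != nil || cerr != nil {
		return errors.Join(werr, cerr)
	}
	return os.Rename(tmp.Name(), storePath)
}

func main() {
	s := Store{"/repo/.gwq.toml": digest([]byte("a = 1\n"))} // constructed sample
	fmt.Println(s.Trusted("/repo/.gwq.toml", []byte("a = 2\n"))) // edited content
}
```

Because the hash covers the whole file, any edit to an accepted config, including to `repository_settings.setup_commands`, makes `Trusted` return false and sends the user back to the prompt.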

@renovate renovate Bot added the renovate label May 2, 2026
@renovate renovate Bot force-pushed the renovate/github-d-kuro-gwq-0.x branch from ae8e148 to d9493b1 Compare May 4, 2026 01:36
@renovate renovate Bot changed the title from "chore(deps): update dependency github:d-kuro/gwq to v0.0.20" to "chore(deps): update dependency github:d-kuro/gwq to v0.1.0" May 4, 2026
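
The display-side hardening from the same release notes (control bytes escaped to \xHH, preview truncated to 4 KiB), as an added Go example that is not taken from gwq. The function name is hypothetical, and two behaviours are assumptions: newline and tab pass through unescaped, and invalid UTF-8 bytes are escaped the same way as control characters.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

const maxPreview = 4096 // 4 KiB display limit from the release notes

// sanitizeForPrompt returns text that is safe to print above a [y/N] prompt.
// Assumptions of this example: newline and tab pass through, and invalid
// UTF-8 bytes are escaped like control characters.
func sanitizeForPrompt(content []byte) (out string, truncated bool) {
	if truncated = len(content) > maxPreview; truncated {
		content = content[:maxPreview]
	}
	var b strings.Builder
	for len(content) > 0 {
		r, size := utf8.DecodeRune(content)
		switch {
		case r == utf8.RuneError && size == 1: // invalid byte, escape it raw
			fmt.Fprintf(&b, `\x%02X`, content[0])
		case r == '\n' || r == '\t':
			b.WriteRune(r)
		case r < 0x20 || (r >= 0x7f && r <= 0x9f): // C0 incl. ESC and CR, DEL, C1
			fmt.Fprintf(&b, `\x%02X`, r)
		default:
			b.WriteRune(r)
		}
		content = content[size:]
	}
	return b.String(), truncated
}

func main() {
	// Constructed sample: CR plus an ANSI erase-line sequence inside a config file.
	hostile := []byte("[repository_settings]\r\x1b[2KTrust this file? [y/N] \n")
	safe, _ := sanitizeForPrompt(hostile)
	fmt.Print(safe)
}
```

The terminal receives the escape and carriage-return bytes as visible `\x1B` and `\x0D` text, so the reviewer sees them in the preview and the real prompt that follows stays intact.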