fix: v5.2.8 — auto-untrack Kit artifacts on init/update

[emredursun]

Summary

Closes a persistent class of failures where Kit files end up tracked in user repos despite being gitignored. Addresses the exact issue reported against deelmarkt on 2026-04-11 where .cursor/commands/*.md, .claude/, and dev/null/ got committed to branch claude/mystifying-cohen.

Root cause

An agent or contributor runs git add -A before Kit's gitignore is configured → bridge files and .agent/ get committed → gitignore later added → gitignore has no effect on already-tracked files → Kit files pollute the user's tracked tree forever.

Previous Kit versions detected this and printed a warning asking the user to run git rm -r --cached manually. v5.2.8 closes the loop by doing it automatically.

Changes

• New untrackKitArtifacts(projectRoot) in lib/io.js — removes known Kit paths from the git index while keeping working-tree files
• New KIT_TRACKED_ARTIFACTS frozen constant — single source of truth for artifact paths, including dev/null/ for the Windows literal-path bug
• kit init Step 4 — replaces two passive "warn if tracked" branches with a single auto-untrack call
• kit update Step 4 — new step between gitignore add and worktree regeneration
• 10 new tests in tests/unit/untrack-artifacts.test.js

Why include dev/null/?

On Windows, running git config core.hooksPath dev/null (without the leading slash — easy typo when trying to disable hooks) and then git lfs install creates a literal dev/null/ directory containing the 4 LFS hook files. These are never Kit files but they're always bogus. Including them in the auto-untrack list means Kit now cleans up this Windows-specific artifact wherever it's found.

Test plan

• 1028 tests passing (54 files)
• 10 new tests cover: not-a-git-repo, no-op, .cursor/commands/, .agent/, dev/null/, full-sweep, non-Kit-file preservation, idempotency, absolute-path guard, frozen constant
• After merge: publish 5.2.8 to npm
• After publish: run npx @devran-ai/kit@5.2.8 init --force on deelmarkt main repo + every affected worktree to finalize cleanup

Related

• Reported against deelmarkt PR (file tree screenshot showed .claude/, .cursor/commands/, dev/null/ tracked)
• Complements v5.2.7's gitignore pipeline by handling the "already tracked" case

[gemini-code-assist]

Code Review

This pull request updates the Devran AI Kit to version 5.2.8, introducing a mechanism to automatically untrack Kit-generated artifacts that may have been accidentally committed to a user's git repository. The changes include a new untrackKitArtifacts function in lib/io.js, integration into kit init and kit update, and comprehensive unit tests. Feedback indicates that the untracking logic is currently too broad and could inadvertently remove user-created files or break "shared" mode configurations. It is recommended to refine the list of targeted artifacts and verify that files are explicitly ignored by git before attempting to untrack them.

[gemini-code-assist]

The applyUpdate function calls untrackKitArtifacts (and addToGitignore previously) without checking if the project is in "shared" mode. For users who have intentionally opted into tracking the .agent/ directory (using kit init --shared), running kit update will now force these files into .gitignore and subsequently untrack them from the git index. This breaks the shared workflow during framework upgrades. The updater should detect if the project is in shared mode (e.g., by checking if .agent/ is currently tracked and not ignored) before attempting to modify the gitignore or untrack artifacts.

[emredursun]

Addressed in 4c40231. lib/updater.js now wraps Steps 1–4 (narrow → cleanup → addToGitignore → untrack) in an isSharedMode(targetRoot) check. The helper (new lib/io.js:isSharedMode) returns true when .agent/ is currently tracked AND not gitignored (requires git check-ignore --no-index so tracked paths aren't silently skipped). In shared mode the entire gitignore pipeline is a no-op and report.sharedMode is set instead. Verified end-to-end by the new CLI Updater — Shared Mode test in tests/unit/updater.test.js, which sets up a real git repo with .agent/ tracked + absent from .gitignore, runs applyUpdate, and asserts .gitignore is untouched and .agent/ files stay in the index.

[gemini-code-assist]

Untracking entire directories such as .cursor/rules/, .github/prompts/, and .opencode/ is overly aggressive. These are standard directories used by their respective IDEs and may contain user-created configurations or prompts that are not managed by Kit. Automatically untracking the entire directory will remove these user files from the git index, forcing users to manually re-add them after every Kit update. It is safer to only untrack the specific files that Kit generates (e.g., .cursor/rules/kit-governance.mdc, .opencode/opencode.json) or to verify that the path is actually ignored by git before untracking.

Suggested change

	'.windsurf/workflows/',
	'.github/prompts/',
	// IDE config files
	'.cursor/rules/kit-governance.mdc',
	'.cursor/rules/',
	'.opencode/opencode.json',
	'.opencode/',
	'.codex/',
	'.windsurf/workflows/',
	// IDE config files
	'.cursor/rules/kit-governance.mdc',
	'.opencode/opencode.json',
	'.codex/config.toml',

[emredursun]

Addressed in 4c40231. KIT_TRACKED_ARTIFACTS now lists only the specific Kit-written paths for IDE configs — .cursor/rules/kit-governance.mdc, .opencode/opencode.json, .codex/instructions.md — instead of the parent directories. Removed: .cursor/rules/, .opencode/, .codex/. Directory-level entries are retained only for dirs Kit fully owns (.agent/, .claude/commands/, .cursor/commands/, .opencode/commands/, .windsurf/workflows/, .github/prompts/) where every file is a regenerated bridge. New regression test leaves user-authored files under .cursor/rules/ alone (specific-path gate) verifies a user's my-custom-rule.mdc survives while kit-governance.mdc is untracked.

[gemini-code-assist]

To prevent accidental untracking of intentionally tracked files (such as in shared mode or user-customized IDE configs), untrackKitArtifacts should verify that an artifact is actually ignored by git before attempting to remove it from the index. This ensures that Kit only cleans up files that the user (or Kit) has already marked as local-only via .gitignore.

Suggested change

	for (const artifact of KIT_TRACKED_ARTIFACTS) {
	// Ask git which files at this path are tracked (if any)
	for (const artifact of KIT_TRACKED_ARTIFACTS) {
	// Skip if not ignored (intentional tracking/shared mode)
	try {
	execSync(`git check-ignore --quiet -- "${artifact}"`, {
	cwd: projectRoot, stdio: ['ignore', 'pipe', 'ignore'],
	});
	} catch {
	skipped.push(artifact);
	continue;
	}
	// Ask git which files at this path are tracked (if any)

[emredursun]

Addressed in 4c40231. untrackKitArtifacts now runs git check-ignore --no-index -q -- <path> as the first gate for every artifact. If the path is not ignored, it goes into skipped[] and nothing is touched. The --no-index flag is load-bearing: without it git's default behavior is to skip any path already present in the index and return exit 1 regardless of .gitignore contents, which would have broken the untrack loop entirely (no tracked path would ever look "ignored"). Also switched the whole function from shell execSync to execFileSync with argument arrays and -- pathspec terminators while I was in there, so the artifact list has no injection surface even if it grows in the future. New test skips artifacts that are NOT listed in .gitignore (check-ignore gate) covers the shared-mode-like scenario where .agent/ is tracked without being gitignored.

[emredursun]

Gemini review — all 3 comments addressed in 4c40231

Severity	Comment	Fix
HIGH	applyUpdate breaks kit init --shared workflow	New isSharedMode(projectRoot) helper in lib/io.js; lib/updater.js short-circuits Steps 1–4 (narrow → cleanup → add → untrack) when .agent/ is tracked but not gitignored. report.sharedMode surfaces the decision.
MED	Directory-level untrack of .cursor/rules/, .opencode/, .codex/ too aggressive	KIT_TRACKED_ARTIFACTS now lists only specific Kit-written paths: .cursor/rules/kit-governance.mdc, .opencode/opencode.json, .codex/instructions.md. Directory entries retained only where Kit fully owns every file (.agent/, .*/commands/, .windsurf/workflows/, .github/prompts/).
MED	Must verify gitignore status before untracking	untrackKitArtifacts now runs git check-ignore --no-index -q -- <path> as the first gate per artifact. --no-index is load-bearing — default behavior is to skip tracked paths regardless of .gitignore.

Extra hardening (unrelated to Gemini but landed together):

• untrackKitArtifacts + isSharedMode use execFileSync with argument arrays and -- pathspec terminators. Zero shell interpolation, zero injection surface even for future artifact list changes.

Tests: 1028 → 1037 (+9)

• untrackKitArtifacts: check-ignore gate skips non-ignored paths, specific-path gate leaves user .cursor/rules/*.mdc alone, trimmed KIT_TRACKED_ARTIFACTS export invariants
• isSharedMode: non-git, untracked, bug scenario (tracked+ignored → false), shared mode (tracked+not-ignored → true), non-absolute path
• Updater: end-to-end shared-mode short-circuit — real git repo with .agent/ tracked and absent from .gitignore, verifies .gitignore is untouched and .agent/ stays in the index after applyUpdate

Full suite: 1037/1037 passing locally.