revert: Release v2.4.0

.github/workflows/release.yml

@@ -29,7 +29,7 @@ jobs:
 
       - name: Generate release notes
         run: |
-          awk '/^## \[Unreleased\]/{skip=1; next} /^## \[/{skip=0; c++; if(c>1)exit; if(c==1)next} !skip && c>0' CHANGELOG.md | tail -c +2 > /tmp/release-notes.txt
+          awk '/^## \[/{c++; if(c>1)exit; if(c==1){next}} c>0' CHANGELOG.md | tail -c +2 > /tmp/release-notes.txt
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6

.golangci.yml

@@ -138,9 +138,31 @@ issues:
     - path: main\.go
       linters:
         - goconst
+    - path: cmd/delete\.go
+      linters:
+        - nlreturn
+    - path: cmd/harness\.go
+      linters:
+        - goconst
+        - nlreturn
     - path: cmd/version\.go
       linters:
         - goconst
+    - path: cmd/list\.go
+      linters:
+        - nlreturn
+    - path: cmd/util\.go
+      linters:
+        - nlreturn
+    - path: internal/errors/errors\.go
+      linters:
+        - nlreturn
+    - path: internal/ui/prompt\.go
+      linters:
+        - nlreturn
+    - path: internal/providers/registry\.go
+      linters:
+        - nlreturn
     - text: "exported (function|method|type|const)"
       linters:
         - stylecheck
@@ -163,6 +185,10 @@ issues:
       linters:
         - funlen
     # Context-aware functions with multiple cancellation checks
+    - text: "migrateConfigFile"
+      linters:
+        - funlen
+        - cyclop
     - text: "LoadConfig"
       linters:
         - funlen

.goreleaser.yaml

@@ -48,3 +48,9 @@ changelog:
   # Disable auto-generated changelog since CHANGELOG.md is maintained manually
   disable: true
 
+release:
+  footer: |
+
+    ---
+
+    Released by [GoReleaser](https://github.com/goreleaser/goreleaser).

AGENTS.md

@@ -1,65 +1,43 @@
 # Kairo Development
 
-## Architecture
+## WHAT
 
-Go CLI that wraps Claude/Qwen Code providers with X25519 encryption via age.
+Go CLI wrapper for Claude/Qwen Code API providers with X25519 encryption.
 
-**Stack:** Go 1.26+, Cobra, filippo.io/age, YAML, Go testing
+**Tech Stack:** Go 1.26+, Cobra, age (filippo.io/age), YAML, Go testing
 
-```text
-main.go              # Bootstrap
-cmd/                 # Cobra commands (root, setup, execution, update, version)
-internal/
-  config/            # YAML loading, caching, migration
-  crypto/            # X25519 key gen, age encrypt/decrypt
-  errors/            # Typed error hierarchy with context
-  providers/         # Provider registry and resolution
-  secrets/           # Encrypted secret storage
-  ui/                # ANSI-aware terminal output (build-tagged per OS)
-  validate/          # API key, URL, model, cross-provider validation
-  version/           # Build-time metadata
-  wrapper/           # Shell wrapper script generation
-tests/integration/   # End-to-end workflow tests
-docs/                # Architecture, guides, reference
-```
-
-See `internal/README.md` for package contracts and data flow.
-See `cmd/README.md` for command structure and CLIContext details.
+**Key Directories:**
 
-## Conventions
+- `cmd/` - CLI commands (Cobra) - see `cmd/root.go:1`
+- `internal/` - Business logic (config, crypto, providers, ui, errors, validate)
+- `docs/` - Architecture, guides, reference documentation
 
-- Internal packages (`internal/*`) have zero CLI dependencies. Keep them pure Go.
-- Injectable function variables for testability in `cmd/` — external calls (exec, HTTP, prompts) are assigned to package-level `var` funcs, overridden in tests. See `cmd/update.go` for the pattern.
-- Propagate `context.Context` through all I/O-bound call chains. Check cancellation between sequential operations (file writes, network calls).
-- Error wrapping uses the typed `internal/errors` package — `kairoerrors.WrapError(kind, msg, err)` with `.WithContext(key, val)` for diagnostics.
-- Build tags for platform-specific code (e.g., `//go:build !windows` in `internal/ui/`).
-- Coverage threshold: 70% enforced in CI.
+**Entry Points:**
 
-## Constraints
+- `main.go:1` - Application bootstrap
+- `cmd/root.go:1` - Root command and CLI setup
+- `internal/README.md` - Package contracts, data flow
 
-- Keep `migrateConfigFile` and similar context-aware functions decomposed below cyclop=10. The linter catches this, but the pattern is: extract substeps into named helpers (`statOldConfig`, `readAndValidateConfig`, `finalizeMigration`).
-- `nlreturn` + `whitespace` linters coexist — do not place blank lines at the start of blocks (whitespace rejects) but do place blank lines before returns in the main function flow (nlreturn requires). Short error-guard returns inside `if` blocks are exempt from nlreturn's blank-line rule.
-- Functions with `CheckContext` calls between sequential I/O steps naturally grow complex. Prefer extracting substeps into helpers early.
-- Update checks hit the GitHub Releases API (`api.github.com`) — unauthenticated, 60 req/hr/IP limit. Do not add additional unauthenticated GitHub API calls.
-
-## Commands
+## HOW
 
 ```bash
-just build           # Binary to dist/
-just test            # All tests with -race
-just test-coverage   # Coverage report
-just lint            # gofmt, go vet, golangci-lint
-just pre-release     # Format, lint, pre-commit hooks, test
-just release         # Create release (GITHUB_TOKEN required)
+just build          # Binary to dist/
+just test           # All tests with race detector
+just test-coverage  # Coverage report
+just lint           # gofmt, go vet, golangci-lint
+just pre-release    # Format, lint, pre-commit hooks, test
+just release        # Create release (requires GITHUB_TOKEN)
 ```
 
-CI runs: `golangci-lint run ./...`, `go test -race -coverprofile=coverage.out ./...`, `go mod tidy` check.
+## Docs
+
+Read these if relevant to your task:
 
-Pre-commit hooks (`.pre-commit-config.yaml`): golangci-lint, go test, go mod tidy check.
+- `docs/architecture/README.md` - System design
+- `docs/guides/development-guide.md` - Adding commands, CI workflows
 
-## Patterns
+## Notes
 
-- **Adding a new provider:** See `docs/guides/development-guide.md` for the full workflow.
-- **Architecture decisions:** See `docs/architecture/adr/` for ADRs (X25519 choice, Cobra selection, age library).
-- **Wrapper scripts:** See `docs/architecture/wrapper-scripts.md` for harness execution details.
-- **CI workflows:** See `.github/workflows/ci.yml` (lint, test, cross-platform build), `release.yml`, `vulnerability-scan.yml`.
+- Internal packages have no CLI dependencies - keep them pure
+- Use `just --list` to see all available commands
+- Run `just pre-release` before committing

CHANGELOG.md

@@ -5,24 +5,6 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
-
-### Added
-- `--no-update-check` flag on `kairo version` to skip GitHub API calls
-
-### Changed
-- CLI commands now propagate the Cobra command context to child operations and TUI interactions instead of using `context.Background()`, enabling proper cancellation on Ctrl+C
-- Config loading in `delete` and `list` commands now uses the config cache for consistency
-- Root command decomposed into `runRoot`, `loadRootConfig`, and `dispatchExecution` for maintainability
-- Removed `DecryptSecrets` (string return) in favor of `DecryptSecretsBytes` with `ClearMemory` to allow secure memory clearing of decrypted key material
-
-### Fixed
-- Temp auth directory no longer leaks on error paths — cleanup now runs before `os.Exit`
-- Hyphens in custom provider names no longer produce invalid environment variable names (e.g., `MY-PROVIDER_API_KEY` → `MY_PROVIDER_API_KEY`)
-- `mustParseCIDR` no longer panics on invalid CIDR constants — uses `log.Fatalf` with a clear message
-- HTTP client in update command now has TLS handshake and response header timeouts for better protection against slow/misbehaving servers
-- ANSI color codes are now stripped on Windows terminals that don't support them
-
 ## [2.3.7] - 2026-04-25
 
 ### Added