test: improve test coverage from 37.6% to 40.0%

.github/workflows/release.yml

@@ -30,3 +30,49 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+
+  update-homebrew-tap:
+    needs: goreleaser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version
+        id: version
+        run: echo "version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+
+      - name: Get source tarball SHA256
+        id: sha
+        run: |
+          SHA=$(curl -sL "https://github.com/${{ github.repository }}/archive/refs/tags/${{ steps.version.outputs.version }}.tar.gz" | sha256sum | cut -d' ' -f1)
+          echo "sha256=$SHA" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout Homebrew tap
+        uses: actions/checkout@v4
+        with:
+          repository: marcus/homebrew-tap
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          path: homebrew-tap
+
+      - name: Update formula
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          SHA="${{ steps.sha.outputs.sha256 }}"
+          FORMULA="homebrew-tap/Formula/nightshift.rb"
+
+          # Update URL (version in tag)
+          sed -i "s|archive/refs/tags/v[0-9]*\.[0-9]*\.[0-9]*\.tar\.gz|archive/refs/tags/${VERSION}.tar.gz|" "$FORMULA"
+
+          # Update SHA256
+          sed -i "s|sha256 \"[a-f0-9]*\"|sha256 \"${SHA}\"|" "$FORMULA"
+
+          echo "Updated $FORMULA to ${VERSION} (sha256: ${SHA})"
+          cat "$FORMULA"
+
+      - name: Commit and push
+        run: |
+          cd homebrew-tap
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add Formula/nightshift.rb
+          git diff --cached --quiet && echo "No changes" && exit 0
+          git commit -m "nightshift: bump to ${{ steps.version.outputs.version }}"
+          git push

CHANGELOG.md

@@ -4,6 +4,30 @@ All notable changes to nightshift are documented in this file.
 
 ## [v0.3.1] - 2026-02-08
 
+### Security
+
+#### Breaking Changes (Opt-In Required for Old Behavior)
+- **Default behavior change:** `dangerously_skip_permissions` and `dangerously_bypass_approvals_and_sandbox` now default to `false` (secure)
+  - In v0.3.0, these defaulted to `true`, which skipped security prompts
+  - Users upgrading from v0.3.0 **who run unattended** (daemon, cron, CI) must explicitly set these flags to `true` in config, or use `--yes` flag
+  - Users running **interactively** will now see security prompts (recommended)
+  - See [Migration Guide](docs/MIGRATION-v0.3.0-to-v0.3.1.md) for details
+- **Database directory permissions:** changed from `0755` to `0700`
+  - Existing databases continue to work (no action required)
+  - New databases now restrict access to owner only (security improvement)
+
+#### Non-Breaking Improvements
+- Shell path escaping improved in setup wizard
+- Better security defaults for new installations
+
+### Backward Compatibility
+- All v0.3.0 configuration files load correctly in v0.3.1
+- Configuration defaults (except dangerous flags) remain unchanged
+- Existing databases work without migration
+- Environment variable overrides still work
+- CLI interface stable for scripts and automation
+- Full backward compatibility testing added
+
 ### Improvements
 - Homebrew formula now builds from source (avoids macOS Gatekeeper warnings)