Improve notification system and fix release workflow

## Notification System Improvements
- Use terminal-notifier first for better macOS notification reliability
- Add DND bypass flags for critical work-life balance notifications
- Implement priority-based notification handling with extended timeouts
- Fallback to osascript if terminal-notifier unavailable

## Release Workflow Fix
- Generate GitHub App installation token for homebrew-tap authentication
- Use installation-id for precise repository targeting
- Resolves 403 permissions error when updating Homebrew formula

## Configuration Updates
- Enable notifications in user config with break and end-of-day reminders
- Configure sound alerts and session completion notifications

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: v1truv1us

.github/workflows/release.yml

@@ -40,6 +40,14 @@ jobs:
          environment: production
          version: ${{ github.ref_name }}
 
+    - name: Generate Homebrew App Token
+      id: homebrew-app-token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.HOMEBREW_APP_ID }}
+        private-key: ${{ secrets.HOMEBREW_APP_PRIVATE_KEY }}
+        installation-id: ${{ secrets.HOMEBREW_APP_INSTALLATION_ID }}
+
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v5
       with:
@@ -48,7 +56,7 @@ jobs:
         args: release --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        HOMEBREW_TAP_PAT: ${{ secrets.GITHUB_TOKEN }}
+        HOMEBREW_TAP_PAT: ${{ steps.homebrew-app-token.outputs.token }}
         RUNE_SEGMENT_WRITE_KEY: ${{ secrets.RUNE_SEGMENT_WRITE_KEY }}
         RUNE_SENTRY_DSN: ${{ secrets.RUNE_SENTRY_DSN }}
     - name: Finalize Sentry Release

.github/workflows/security.yml

@@ -0,0 +1,156 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run security scans daily at 2 AM UTC
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.24'
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run Gosec Security Scanner
+        uses: securecodewarrior/github-action-gosec@master
+        with:
+          args: '-fmt sarif -out gosec-results.sarif ./...'
+        continue-on-error: true
+
+      - name: Upload Gosec results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: gosec-results.sarif
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
+
+      - name: Install Nancy (dependency vulnerability scanner)
+        run: go install github.com/sonatypecommunity/nancy@latest
+
+      - name: Run Nancy dependency scan
+        run: |
+          go list -json -deps ./... | nancy sleuth --loud
+
+      - name: Run Semgrep SAST
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/secrets
+            p/golang
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        continue-on-error: true
+
+      - name: Secret scanning with TruffleHog
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: main
+          head: HEAD
+          extra_args: --debug --only-verified
+
+      - name: Build binary for security analysis
+        run: |
+          make build
+          
+      - name: Check binary for embedded secrets
+        run: |
+          echo "Checking binary for potential secrets..."
+          if strings ./bin/rune | grep -E "(password|secret|key|token)" | grep -v -E "(segmentWriteKey|sentryDSN|RUNE_)" ; then
+            echo "❌ Potential secrets found in binary"
+            exit 1
+          else
+            echo "✅ No obvious secrets found in binary"
+          fi
+
+      - name: Run security tests
+        run: |
+          go test -v ./... -tags=security
+
+      - name: Generate SBOM (Software Bill of Materials)
+        uses: anchore/sbom-action@v0
+        with:
+          path: ./
+          format: spdx-json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: ./sbom.spdx.json
+
+  dependency-review:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: moderate
+          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

CLAUDE.md

@@ -0,0 +1,96 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Rune is a developer-first CLI productivity platform written in Go that automates daily work rituals, enforces healthy work-life boundaries, and integrates seamlessly with existing developer workflows. It's built using Cobra for CLI functionality, Viper for configuration management, and includes telemetry via Segment and Sentry.
+
+## Architecture
+
+### Core Components
+
+- **Commands** (`internal/commands/`): CLI command implementations using Cobra framework
+  - Root command with global configuration and telemetry initialization
+  - Subcommands: start, stop, pause, resume, status, report, ritual, config, init, update
+- **Configuration** (`internal/config/`): YAML-based configuration management using Viper
+- **Tracking** (`internal/tracking/`): Time tracking, session management, and project detection
+- **Rituals** (`internal/rituals/`): Automation engine for executing custom commands/workflows
+- **Telemetry** (`internal/telemetry/`): Analytics and error reporting integration
+- **Notifications** (`internal/notifications/`): System notification handling
+- **DND** (`internal/dnd/`): Do Not Disturb functionality for focus management
+
+### Key Technologies
+
+- **Go 1.23+** with toolchain 1.24.5
+- **Cobra** for CLI framework
+- **Viper** for configuration management
+- **BBolt** for local database storage
+- **Sentry** for error tracking
+- **Segment** for analytics
+
+### Entry Point
+
+- Main entry: `cmd/rune/main.go` → `internal/commands/Execute()`
+- Commands are defined in `internal/commands/` with each command in its own file
+
+## Development Commands
+
+### Building
+- `make build` - Build the binary
+- `make dev` - Build with race detection for development
+- `make build-telemetry` - Build with telemetry support (embeds API keys)
+
+### Testing
+- `make test` - Run all tests
+- `make test-coverage` - Run tests with coverage report
+- `make test-coverage-detailed` - Detailed coverage with 70% threshold
+- `make test-watch` - Run tests in watch mode (requires `entr`)
+
+### Code Quality
+- `make lint` - Run golangci-lint
+- `make fmt` - Format code with go fmt and gofmt
+- `make vet` - Run go vet
+- `make pre-commit` - Run fmt, vet, lint, and test
+
+### Security
+- `make security` - Basic vulnerability check with govulncheck
+- `make security-all` - Comprehensive security checks (deps, vulns, static analysis, secrets)
+- `make security-build` - Check built binary for embedded secrets
+
+### Running
+- `make run` - Run the application (use `ARGS="..."` for arguments)
+- `./bin/rune` - Run built binary directly
+
+## Configuration
+
+Rune uses YAML configuration at `~/.rune/config.yaml` with the following structure:
+- **settings**: work hours, break intervals, idle thresholds
+- **projects**: project detection rules (git repos, directories)
+- **rituals**: start/stop automation commands (global and per-project)
+- **integrations**: git, slack, calendar, telemetry settings
+
+## Testing Approach
+
+- Unit tests alongside source files (`*_test.go`)
+- Integration tests in telemetry package
+- Benchmark tests for performance-critical components
+- Coverage reporting with HTML output
+- Test utilities in `internal/commands/utils.go`
+
+## Telemetry Integration
+
+Rune includes optional telemetry for usage analytics and error reporting:
+- **Segment** for usage analytics (embedded key: starts with `ZkEZXHRWH96y8EviNkbYJUByqGR9QI4G`)
+- **Sentry** for error tracking (DSN: `https://3b20acb23bbbc5958448bb41900cdca2@sentry.fergify.work/10`)
+- Telemetry can be disabled via `RUNE_TELEMETRY_DISABLED=true`
+- Debug mode: `RUNE_DEBUG=true`
+
+## Important Files
+
+- `Makefile` - Comprehensive build and development commands
+- `go.mod` - Go module dependencies
+- `internal/commands/root.go` - Main CLI setup and initialization
+- `internal/config/config.go` - Configuration structure and loading
+- `internal/tracking/session.go` - Core time tracking logic
+- `internal/rituals/engine.go` - Automation execution engine

Makefile

@@ -126,6 +126,65 @@ build-telemetry:
 # Pre-commit checks (run before committing)
 pre-commit: fmt vet lint test
 
+# Security targets
+security-deps:
+	@echo "Checking dependencies for vulnerabilities..."
+	go install github.com/sonatypecommunity/nancy@latest
+	go list -json -deps ./... | nancy sleuth --loud
+
+security-vulns:
+	@echo "Checking for known vulnerabilities..."
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+	govulncheck ./...
+
+security-static:
+	@echo "Running static security analysis..."
+	go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest
+	gosec ./...
+
+security-secrets:
+	@echo "Scanning for secrets..."
+	@if command -v trufflehog >/dev/null 2>&1; then \
+		trufflehog filesystem . --exclude-paths .trufflehogignore; \
+	else \
+		echo "TruffleHog not installed, skipping secret scan"; \
+	fi
+
+security-build:
+	@echo "Checking binary for embedded secrets..."
+	@if [ -f "./bin/rune" ]; then \
+		if strings ./bin/rune | grep -E "(password|secret|key|token)" | grep -v -E "(segmentWriteKey|sentryDSN|RUNE_)" ; then \
+			echo "❌ Potential secrets found in binary"; \
+			exit 1; \
+		else \
+			echo "✅ No obvious secrets found in binary"; \
+		fi \
+	else \
+		echo "Binary not found, run 'make build' first"; \
+		exit 1; \
+	fi
+
+security-all: security-deps security-vulns security-static security-secrets
+	@echo "✅ All security checks completed"
+
+# Enhanced coverage with thresholds
+test-coverage-detailed:
+	@echo "Running tests with detailed coverage..."
+	go test -v -race -coverprofile=coverage.out -covermode=atomic ./...
+	go tool cover -html=coverage.out -o coverage.html
+	@COVERAGE=$$(go tool cover -func=coverage.out | grep total | awk '{print $$3}' | sed 's/%//'); \
+	echo "Total coverage: $$COVERAGE%"; \
+	if [ $$(echo "$$COVERAGE < 70" | bc -l) -eq 1 ]; then \
+		echo "❌ Coverage $$COVERAGE% is below 70% threshold"; \
+		exit 1; \
+	else \
+		echo "✅ Coverage $$COVERAGE% meets threshold"; \
+	fi
+
+# Enhanced pre-commit with security
+pre-commit-security: fmt vet lint test security-static security-vulns
+	@echo "✅ Pre-commit security checks passed"
+
 # Help
 help:
 	@echo "Available targets:"
@@ -134,6 +193,7 @@ help:
 	@echo "  dev          - Build for development with race detection"
 	@echo "  test         - Run tests"
 	@echo "  test-coverage- Run tests with coverage report"
+	@echo "  test-coverage-detailed - Run tests with detailed coverage and thresholds"
 	@echo "  test-watch   - Run tests in watch mode"
 	@echo "  lint         - Run linter"
 	@echo "  fmt          - Format code"
@@ -146,6 +206,13 @@ help:
 	@echo "  run          - Run the application (use ARGS=... for arguments)"
 	@echo "  completions  - Generate shell completions"
 	@echo "  security     - Check for security vulnerabilities"
+	@echo "  security-deps - Check dependencies for vulnerabilities"
+	@echo "  security-vulns - Check for known vulnerabilities"
+	@echo "  security-static - Run static security analysis"
+	@echo "  security-secrets - Scan for secrets"
+	@echo "  security-build - Check binary for embedded secrets"
+	@echo "  security-all - Run all security checks"
 	@echo "  test-telemetry - Test telemetry integration"
 	@echo "  pre-commit   - Run pre-commit checks"
+	@echo "  pre-commit-security - Run pre-commit checks with security"
 	@echo "  help         - Show this help"