@altotyler/alto-rootstock-cli 1.0.0

package/README.md

@@ -0,0 +1,140 @@
+# alto-rootstock-cli
+
+CLI for creating and managing Rootstock Salesforce DX projects with AI agent scaffolding pre-installed for Claude Code, Cursor, and VS Code Copilot.
+
+## What it does
+
+```
+altors new      Create a new SFDX project with Rootstock agent skills injected
+altors update   Update Rootstock skill files in the current project
+altors install  Install/update the global VS Code Copilot agent + save GitHub token
+```
+
+After `altors new`, the generated project contains:
+- `.claude/CLAUDE.md` + `.claude/skills/` — Claude Code (router + 10 skill files)
+- `.cursor/rules/rootstock.mdc` — Cursor AI
+- `.github/agents/Rootstock Agent.agent.md` — VS Code Copilot
+- `.github/copilot-instructions.md` — VS Code Copilot always-on
+- `.vscode/mcp.json` — Salesforce DX MCP server
+- `.vscode/tasks.json` — Command palette tasks (see below)
+
+## VS Code / Cursor Command Palette
+
+Once a project is open, `Ctrl+Shift+P` → **"Tasks: Run Task"** exposes:
+- **Rootstock: Update Skills** — pulls latest skill files from the distribution repo
+- **Rootstock: Check Version** — shows installed CLI version
+- **Rootstock: Install Global Agent** — installs the VS Code Copilot agent globally
+
+---
+
+## Deploying and packaging
+
+### 1. Create the GitHub repo
+
+Create a **private** repo: `github.com/alto-tyler/alto-rootstock-cli`
+
+This repo is separate from `rootstock-agent-distribution` — it's the CLI source code only.
+
+### 2. Push the code
+
+```bash
+cd alto-rootstock-cli
+git init
+git add .
+git commit -m "Initial release"
+git remote add origin git@github.com:alto-tyler/alto-rootstock-cli.git
+git push -u origin main
+```
+
+### 3. Publish a version
+
+Tag a release — GitHub Actions publishes it automatically to GitHub Packages:
+
+```bash
+git tag v1.0.0
+git push origin v1.0.0
+```
+
+The workflow in `.github/workflows/publish.yml` runs `npm publish` to npmjs.com using the `NPM_TOKEN` secret (add this in the repo Settings → Secrets → Actions).
+
+---
+
+## How users install it
+
+No auth required — the package is public on npmjs.com:
+
+```bash
+npm install -g @altotyler/alto-rootstock-cli
+```
+
+After install, run `altors install` once to save your GitHub token for fetching skill files from the private distribution repo.
+
+After the one-time setup, updates are one command:
+
+```bash
+npm update -g @altotyler/alto-rootstock-cli
+altors install   # updates global VS Code agent files
+```
+
+---
+
+## How the update notification works
+
+Every time `altors` runs any command, it fetches `version.json` from the distribution repo in the background (2.5s timeout, non-blocking). If the remote `cliVersion` is newer than the installed version, it prints after the command:
+
+```
+┌──────────────────────────────────────────────────────┐
+│  Update available: 1.0.0 → 1.2.0                    │
+│  Run: npm update -g @altotyler/alto-rootstock-cli  │
+└──────────────────────────────────────────────────────┘
+```
+
+To support this, keep `version.json` in `rootstock-agent-distribution` updated with a `cliVersion` field:
+
+```json
+{
+  "version": "1.0.0",
+  "cliVersion": "1.2.0"
+}
+```
+
+---
+
+## Repository layout
+
+```
+alto-rootstock-cli/          ← this repo (CLI source, publish to GitHub Packages)
+├── bin/altors.js
+├── src/
+│   ├── commands/new.js
+│   ├── commands/update.js
+│   ├── commands/install.js
+│   └── lib/
+│       ├── config.js        ← ~/.alto-rootstock/config.json + ~/.npmrc auth
+│       ├── fetcher.js       ← GitHub raw file fetcher (auth-aware)
+│       ├── scaffold.js      ← writes IDE files into project
+│       └── updater.js       ← version check (non-blocking)
+├── project-template/        ← template files (publish to rootstock-agent-distribution)
+│   └── vscode/tasks.json
+└── .github/workflows/publish.yml
+
+rootstock-agent-distribution/   ← separate repo (skill files + version manifest)
+├── version.json                 ← bump cliVersion here to trigger update notices
+└── project-template/
+    ├── claude/CLAUDE.md
+    ├── claude/skills/*.md
+    ├── cursor/rules/rootstock.mdc
+    ├── github/agents/Rootstock Agent.agent.md
+    ├── github/copilot-instructions.md
+    └── vscode/mcp.json + tasks.json
+```
+
+---
+
+## Releasing a new version
+
+1. Update `version` in `package.json`
+2. Commit and tag: `git tag v1.x.x && git push origin v1.x.x`
+3. GitHub Actions publishes to GitHub Packages
+4. Update `cliVersion` in `rootstock-agent-distribution/version.json`
+5. Users see the update prompt on their next `altors` command

package/bin/altors.js

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+'use strict';
+
+const { Command } = require('commander');
+const chalk = require('chalk');
+const { checkForUpdate } = require('../src/lib/updater');
+const pkg = require('../package.json');
+
+const program = new Command();
+
+program
+  .name('altors')
+  .description('Rootstock Salesforce DX project creator and agent manager')
+  .version(pkg.version, '-v, --version', 'Show installed version');
+
+program
+  .command('new')
+  .description('Create a new Salesforce DX project with Rootstock agent scaffolding')
+  .action(async () => {
+    const { run } = require('../src/commands/new');
+    await run();
+  });
+
+program
+  .command('update')
+  .description('Update Rootstock agent skill files in the current project')
+  .action(async () => {
+    const { run } = require('../src/commands/update');
+    await run();
+  });
+
+program
+  .command('install')
+  .description('Install or update the global Rootstock agent for VS Code Copilot')
+  .action(async () => {
+    const { run } = require('../src/commands/install');
+    await run();
+  });
+
+(async () => {
+  // Non-blocking version check — runs in background, prints after command
+  const updatePromise = checkForUpdate(pkg.version).catch(() => null);
+
+  await program.parseAsync(process.argv);
+
+  // Print update notice after command output if one is available
+  const update = await updatePromise;
+  if (update) {
+    console.log();
+    console.log(chalk.yellow('┌─────────────────────────────────────────────────────┐'));
+    console.log(chalk.yellow('│') + chalk.white(`  Update available: ${chalk.dim(update.current)} → ${chalk.green(update.latest)}`.padEnd(53)) + chalk.yellow('│'));
+    console.log(chalk.yellow('│') + chalk.white(`  Run: ${chalk.cyan('npm update -g @altotyler/alto-rootstock-cli')}`.padEnd(53)) + chalk.yellow('│'));
+    console.log(chalk.yellow('└─────────────────────────────────────────────────────┘'));
+  }
+})();

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@altotyler/alto-rootstock-cli",
+  "version": "1.0.0",
+  "description": "CLI for creating and managing Rootstock Salesforce DX projects with AI agent scaffolding",
+  "bin": {
+    "altors": "./bin/altors.js"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/alto-tyler/alto-rootstock-cli.git"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^12.1.0",
+    "prompts": "^2.4.2"
+  }
+}

package/src/commands/install.js

@@ -0,0 +1,151 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const chalk = require('chalk');
+const prompts = require('prompts');
+const { fetchRemoteFile } = require('../lib/fetcher');
+const { getToken, saveToken } = require('../lib/config');
+
+// VS Code Copilot global agent directory by platform
+function getVsCodeAgentDir() {
+  switch (process.platform) {
+    case 'win32':
+      return path.join(process.env.APPDATA || '', 'Code', 'User', 'prompts', 'agents');
+    case 'darwin':
+      return path.join(os.homedir(), 'Library', 'Application Support', 'Code', 'User', 'prompts', 'agents');
+    default:
+      return path.join(os.homedir(), '.config', 'Code', 'User', 'prompts', 'agents');
+  }
+}
+
+// Global Claude Code commands directory
+function getClaudeCommandsDir() {
+  return path.join(os.homedir(), '.claude', 'commands');
+}
+
+const GLOBAL_FILES = [
+  {
+    remote: 'project-template/github/agents/Rootstock Agent.agent.md',
+    getTarget: () => path.join(getVsCodeAgentDir(), 'Rootstock Agent.agent.md'),
+    label: 'VS Code Copilot global agent',
+  },
+];
+
+async function promptForToken() {
+  console.log();
+  console.log(chalk.yellow('  No GitHub token found.'));
+  console.log(chalk.dim('  A token with read:packages scope is required to access the private distribution repo.'));
+  console.log();
+
+  const { token } = await prompts(
+    {
+      type: 'password',
+      name: 'token',
+      message: 'GitHub Personal Access Token (read:packages)',
+    },
+    { onCancel: () => process.exit(0) }
+  );
+
+  if (!token) return null;
+
+  const { save } = await prompts(
+    {
+      type: 'confirm',
+      name: 'save',
+      message: 'Save token to ~/.alto-rootstock/config.json for future use?',
+      initial: true,
+    },
+    { onCancel: () => {} }
+  );
+
+  if (save) {
+    saveToken(token);
+    console.log(`  ${chalk.green('✓')} Token saved to ~/.alto-rootstock/config.json`);
+  }
+
+  // Also write to ~/.npmrc so npm update works without re-entering the token
+  const npmrcPath = path.join(os.homedir(), '.npmrc');
+  const npmrcLine = `//npm.pkg.github.com/:_authToken=${token}`;
+  const npmrcScope = '@alto-tyler:registry=https://npm.pkg.github.com';
+
+  let npmrcContent = '';
+  if (fs.existsSync(npmrcPath)) {
+    npmrcContent = fs.readFileSync(npmrcPath, 'utf8');
+  }
+
+  let updated = false;
+  if (!npmrcContent.includes('//npm.pkg.github.com/:_authToken=')) {
+    npmrcContent += `\n${npmrcLine}\n`;
+    updated = true;
+  } else {
+    // Replace existing token line
+    npmrcContent = npmrcContent.replace(/\/\/npm\.pkg\.github\.com\/:_authToken=.*/g, npmrcLine);
+    updated = true;
+  }
+  if (!npmrcContent.includes('@alto-tyler:registry=')) {
+    npmrcContent += `${npmrcScope}\n`;
+    updated = true;
+  }
+
+  if (updated) {
+    fs.writeFileSync(npmrcPath, npmrcContent.trimStart(), 'utf8');
+    console.log(`  ${chalk.green('✓')} ~/.npmrc updated — ${chalk.cyan('npm update -g @altotyler/alto-rootstock-cli')} will work without re-entering a token`);
+  }
+
+  process.env.GITHUB_TOKEN = token;
+  return token;
+}
+
+async function run() {
+  console.log();
+  console.log(chalk.bold('  Rootstock: Global Install / Update'));
+  console.log(chalk.dim('  ─────────────────────────────────────────────────'));
+  console.log();
+
+  let token = getToken();
+  if (!token) {
+    token = await promptForToken();
+    if (!token) {
+      console.error(chalk.red('  ✗ No token provided. Cannot access private distribution repo.'));
+      process.exit(1);
+    }
+  } else {
+    console.log(`  ${chalk.green('✓')} GitHub token found`);
+  }
+
+  console.log();
+
+  for (const entry of GLOBAL_FILES) {
+    const target = entry.getTarget();
+    const dir = path.dirname(target);
+
+    try {
+      process.stdout.write(chalk.dim(`  Fetching ${entry.label}...`));
+      const content = await fetchRemoteFile(entry.remote);
+
+      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      const existed = fs.existsSync(target);
+      fs.writeFileSync(target, content, 'utf8');
+
+      const label = existed ? chalk.blue('↑ Updated') : chalk.green('+ Installed');
+      process.stdout.write(`\r  ${label}: ${target}\n`);
+    } catch (err) {
+      process.stdout.write(`\r  ${chalk.red('✗')} ${entry.label}: ${err.message}\n`);
+    }
+  }
+
+  console.log();
+  console.log(chalk.bold('  After install:'));
+  console.log(chalk.dim('    1. Reload VS Code (or open a new chat window)'));
+  console.log(chalk.dim('    2. Select "Rootstock Agent" in the chat agent picker'));
+  console.log(chalk.dim('    3. For project-level skills: run altors new or altors update in your project'));
+  console.log();
+  console.log(chalk.bold('  To update in future:'));
+  console.log(chalk.cyan('    npm update -g @altotyler/alto-rootstock-cli'));
+  console.log(chalk.cyan('    altors install'));
+  console.log();
+}
+
+module.exports = { run };

package/src/commands/new.js

@@ -0,0 +1,137 @@
+'use strict';
+
+const { spawnSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+const chalk = require('chalk');
+const prompts = require('prompts');
+const { injectScaffolding } = require('../lib/scaffold');
+const { getToken } = require('../lib/config');
+
+function banner() {
+  console.log();
+  console.log(chalk.bold.blue('  ┌─────────────────────────────────────────────┐'));
+  console.log(chalk.bold.blue('  │') + chalk.bold.white('  alto-rootstock-cli                         ') + chalk.bold.blue('│'));
+  console.log(chalk.bold.blue('  │') + chalk.dim('  Rootstock Salesforce Project Creator       ') + chalk.bold.blue('│'));
+  console.log(chalk.bold.blue('  └─────────────────────────────────────────────┘'));
+  console.log();
+}
+
+function checkSfCli() {
+  const result = spawnSync('sf', ['--version'], { encoding: 'utf8', shell: true });
+  if (result.status !== 0 || result.error) {
+    console.error(chalk.red('  ✗ Salesforce CLI (sf) not found.'));
+    console.error(chalk.dim('    Install it from: https://developer.salesforce.com/tools/salesforcecli'));
+    process.exit(1);
+  }
+  const version = (result.stdout || '').split('\n')[0].trim();
+  console.log(`  ${chalk.green('✓')} Salesforce CLI detected ${chalk.dim(`(${version})`)}`);
+}
+
+function checkGithubToken() {
+  const token = getToken();
+  if (!token) {
+    console.log();
+    console.log(chalk.yellow('  ⚠  No GitHub token found.'));
+    console.log(chalk.dim('     Skill files are hosted on a private repo.'));
+    console.log(chalk.dim('     Set GITHUB_TOKEN or run:') + chalk.cyan(' altors install --save-token'));
+    console.log();
+  }
+  return token;
+}
+
+async function promptProjectDetails() {
+  console.log();
+  const response = await prompts(
+    [
+      {
+        type: 'text',
+        name: 'projectName',
+        message: 'Project name',
+        validate: v => v.trim().length > 0 ? true : 'Project name is required',
+      },
+      {
+        type: 'text',
+        name: 'outputDir',
+        message: 'Output directory',
+        initial: '.',
+        format: v => v.trim() || '.',
+      },
+    ],
+    {
+      onCancel: () => {
+        console.log(chalk.dim('\n  Cancelled.'));
+        process.exit(0);
+      },
+    }
+  );
+  return response;
+}
+
+function runSfProjectGenerate(projectName, outputDir) {
+  console.log();
+  console.log(chalk.dim(`  Running: sf project generate --manifest --name ${projectName} --output-dir ${outputDir}`));
+  console.log(chalk.dim('  ─────────────────────────────────────────────────'));
+  console.log();
+
+  // stdio: inherit lets sf prompt the user for remaining questions
+  // (default package dir, API version, etc.) natively
+  const result = spawnSync(
+    'sf',
+    ['project', 'generate', '--manifest', '--name', projectName, '--output-dir', outputDir],
+    { stdio: 'inherit', shell: true }
+  );
+
+  console.log();
+
+  if (result.status !== 0) {
+    console.error(chalk.red('  ✗ sf project generate failed.'));
+    process.exit(1);
+  }
+}
+
+async function run() {
+  banner();
+  checkSfCli();
+  checkGithubToken();
+
+  const { projectName, outputDir } = await promptProjectDetails();
+
+  runSfProjectGenerate(projectName, outputDir);
+
+  // sf creates the project at <outputDir>/<projectName>
+  const projectRoot = path.resolve(outputDir, projectName);
+
+  if (!fs.existsSync(projectRoot)) {
+    console.error(chalk.red(`  ✗ Expected project directory not found: ${projectRoot}`));
+    console.error(chalk.dim('    sf may have used a different path. Run altors update from inside the project directory.'));
+    process.exit(1);
+  }
+
+  console.log(`  ${chalk.green('✓')} Salesforce DX project created`);
+  console.log();
+  console.log(chalk.bold('  Injecting Rootstock agent scaffolding...'));
+  console.log();
+
+  const results = await injectScaffolding(projectRoot);
+
+  console.log();
+
+  if (results.failed.length > 0) {
+    console.log(chalk.yellow(`  ⚠  ${results.failed.length} file(s) failed to fetch. Run ${chalk.cyan('altors update')} inside the project to retry.`));
+    console.log();
+  }
+
+  console.log(chalk.bold.blue('  ┌─────────────────────────────────────────────┐'));
+  console.log(chalk.bold.blue('  │') + chalk.bold.green(`  ✓ Project ready: ${path.relative(process.cwd(), projectRoot)}`.padEnd(46)) + chalk.bold.blue('│'));
+  console.log(chalk.bold.blue('  └─────────────────────────────────────────────┘'));
+  console.log();
+  console.log(chalk.bold('  Next steps:'));
+  console.log(chalk.dim(`    cd ${path.relative(process.cwd(), projectRoot)}`));
+  console.log(chalk.dim('    sf org login web --alias myorg'));
+  console.log(chalk.dim('    code .                              # open in VS Code'));
+  console.log(chalk.dim('    # Reload VS Code to activate the Salesforce DX MCP server'));
+  console.log();
+}
+
+module.exports = { run };

package/src/commands/update.js

@@ -0,0 +1,55 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const chalk = require('chalk');
+const { updateScaffolding } = require('../lib/scaffold');
+
+function findProjectRoot(startDir) {
+  let dir = startDir;
+  for (let i = 0; i < 10; i++) {
+    if (fs.existsSync(path.join(dir, 'sfdx-project.json'))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+async function run() {
+  console.log();
+  console.log(chalk.bold('  Rootstock: Update Skills'));
+  console.log(chalk.dim('  ─────────────────────────────────────────────────'));
+  console.log();
+
+  const projectRoot = findProjectRoot(process.cwd());
+
+  if (!projectRoot) {
+    console.error(chalk.red('  ✗ No Salesforce DX project found (sfdx-project.json missing).'));
+    console.error(chalk.dim('    Run this command from inside a Salesforce DX project directory.'));
+    process.exit(1);
+  }
+
+  console.log(`  ${chalk.dim('Project root:')} ${projectRoot}`);
+  console.log();
+
+  const results = await updateScaffolding(projectRoot);
+
+  const total = results.updated.length + results.added.length;
+  console.log();
+
+  if (results.failed.length > 0) {
+    console.log(chalk.yellow(`  ⚠  ${results.failed.length} file(s) could not be fetched.`));
+    console.log(chalk.dim('     Check your GITHUB_TOKEN or network connection.'));
+  }
+
+  if (total === 0 && results.failed.length === 0) {
+    console.log(chalk.green('  ✓ All skill files are already up to date.'));
+  } else {
+    console.log(chalk.green(`  ✓ Done.`) + chalk.dim(` ${results.updated.length} updated, ${results.added.length} added, ${results.failed.length} failed.`));
+  }
+
+  console.log();
+}
+
+module.exports = { run };

package/src/lib/config.js

@@ -0,0 +1,36 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CONFIG_DIR = path.join(os.homedir(), '.alto-rootstock');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+const DEFAULTS = {
+  baseUrl: 'https://raw.githubusercontent.com/alto-tyler/rootstock-agent-distribution/main',
+};
+
+function load() {
+  try {
+    if (fs.existsSync(CONFIG_FILE)) {
+      return { ...DEFAULTS, ...JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8')) };
+    }
+  } catch (_) {}
+  return { ...DEFAULTS };
+}
+
+function save(data) {
+  if (!fs.existsSync(CONFIG_DIR)) fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2), 'utf8');
+}
+
+function getToken() {
+  return process.env.GITHUB_TOKEN || load().token || null;
+}
+
+function saveToken(token) {
+  save({ ...load(), token });
+}
+
+module.exports = { load, save, getToken, saveToken, CONFIG_FILE };

package/src/lib/fetcher.js

@@ -0,0 +1,40 @@
+'use strict';
+
+const https = require('https');
+const { load, getToken } = require('./config');
+
+function fetchUrl(url, token) {
+  return new Promise((resolve, reject) => {
+    const opts = new URL(url);
+    const headers = { 'User-Agent': 'alto-rootstock-cli' };
+    if (token) headers['Authorization'] = `Bearer ${token}`;
+
+    https.get({ hostname: opts.hostname, path: opts.pathname + opts.search, headers }, (res) => {
+      if (res.statusCode === 302 || res.statusCode === 301) {
+        return fetchUrl(res.headers.location, token).then(resolve).catch(reject);
+      }
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+      }
+      const chunks = [];
+      res.on('data', c => chunks.push(c));
+      res.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+      res.on('error', reject);
+    }).on('error', reject);
+  });
+}
+
+async function fetchRemoteFile(remotePath) {
+  const { baseUrl } = load();
+  const token = getToken();
+  const url = `${baseUrl}/${remotePath}`;
+  return fetchUrl(url, token);
+}
+
+async function fetchRemoteJson(remotePath) {
+  const text = await fetchRemoteFile(remotePath);
+  return JSON.parse(text);
+}
+
+module.exports = { fetchRemoteFile, fetchRemoteJson, fetchUrl };

package/src/lib/scaffold.js

@@ -0,0 +1,78 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const chalk = require('chalk');
+const { fetchRemoteFile } = require('./fetcher');
+
+// Maps remote template paths → local project paths
+const SCAFFOLD_MANIFEST = [
+  { remote: 'project-template/claude/CLAUDE.md',                              local: '.claude/CLAUDE.md' },
+  { remote: 'project-template/claude/skills/rootstock-core.md',               local: '.claude/skills/rootstock-core.md' },
+  { remote: 'project-template/claude/skills/rootstock-soapi.md',              local: '.claude/skills/rootstock-soapi.md' },
+  { remote: 'project-template/claude/skills/rootstock-sydata.md',             local: '.claude/skills/rootstock-sydata.md' },
+  { remote: 'project-template/claude/skills/rootstock-sydatat.md',            local: '.claude/skills/rootstock-sydatat.md' },
+  { remote: 'project-template/claude/skills/rootstock-poloader.md',           local: '.claude/skills/rootstock-poloader.md' },
+  { remote: 'project-template/claude/skills/rootstock-manufacturing.md',      local: '.claude/skills/rootstock-manufacturing.md' },
+  { remote: 'project-template/claude/skills/rootstock-inventory.md',          local: '.claude/skills/rootstock-inventory.md' },
+  { remote: 'project-template/claude/skills/rootstock-testing.md',            local: '.claude/skills/rootstock-testing.md' },
+  { remote: 'project-template/claude/skills/rootstock-debug.md',              local: '.claude/skills/rootstock-debug.md' },
+  { remote: 'project-template/claude/skills/rootstock-session.md',            local: '.claude/skills/rootstock-session.md' },
+  { remote: 'project-template/cursor/rules/rootstock.mdc',                    local: '.cursor/rules/rootstock.mdc' },
+  { remote: 'project-template/github/agents/Rootstock Agent.agent.md',        local: '.github/agents/Rootstock Agent.agent.md' },
+  { remote: 'project-template/github/copilot-instructions.md',                local: '.github/copilot-instructions.md' },
+  { remote: 'project-template/vscode/mcp.json',                               local: '.vscode/mcp.json' },
+  { remote: 'project-template/vscode/tasks.json',                             local: '.vscode/tasks.json' },
+];
+
+function writeFile(projectRoot, relPath, content) {
+  const full = path.join(projectRoot, relPath);
+  const dir = path.dirname(full);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(full, content, 'utf8');
+}
+
+async function injectScaffolding(projectRoot) {
+  const results = { ok: [], failed: [] };
+
+  for (const entry of SCAFFOLD_MANIFEST) {
+    try {
+      process.stdout.write(chalk.dim(`  Fetching ${entry.local}...`));
+      const content = await fetchRemoteFile(entry.remote);
+      writeFile(projectRoot, entry.local, content);
+      process.stdout.write(`\r  ${chalk.green('✓')} ${entry.local}\n`);
+      results.ok.push(entry.local);
+    } catch (err) {
+      process.stdout.write(`\r  ${chalk.red('✗')} ${entry.local} ${chalk.dim(`(${err.message})`)}\n`);
+      results.failed.push(entry.local);
+    }
+  }
+
+  return results;
+}
+
+async function updateScaffolding(projectRoot) {
+  // Same as inject but reports updated vs new
+  const results = { updated: [], added: [], failed: [] };
+
+  for (const entry of SCAFFOLD_MANIFEST) {
+    const fullPath = path.join(projectRoot, entry.local);
+    const exists = fs.existsSync(fullPath);
+    try {
+      process.stdout.write(chalk.dim(`  Fetching ${entry.local}...`));
+      const content = await fetchRemoteFile(entry.remote);
+      writeFile(projectRoot, entry.local, content);
+      const label = exists ? chalk.blue('↑') : chalk.green('+');
+      process.stdout.write(`\r  ${label} ${entry.local}\n`);
+      if (exists) results.updated.push(entry.local);
+      else results.added.push(entry.local);
+    } catch (err) {
+      process.stdout.write(`\r  ${chalk.red('✗')} ${entry.local} ${chalk.dim(`(${err.message})`)}\n`);
+      results.failed.push(entry.local);
+    }
+  }
+
+  return results;
+}
+
+module.exports = { injectScaffolding, updateScaffolding, SCAFFOLD_MANIFEST };

package/src/lib/updater.js

@@ -0,0 +1,43 @@
+'use strict';
+
+const { fetchRemoteJson } = require('./fetcher');
+
+function parseVersion(v) {
+  return (v || '0.0.0').replace(/^v/, '').split('.').map(Number);
+}
+
+function isNewer(latest, current) {
+  const l = parseVersion(latest);
+  const c = parseVersion(current);
+  for (let i = 0; i < 3; i++) {
+    if (l[i] > c[i]) return true;
+    if (l[i] < c[i]) return false;
+  }
+  return false;
+}
+
+async function checkForUpdate(currentVersion) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 2500);
+
+    const data = await Promise.race([
+      fetchRemoteJson('version.json'),
+      new Promise((_, reject) =>
+        setTimeout(() => reject(new Error('timeout')), 2500)
+      ),
+    ]);
+
+    clearTimeout(timeout);
+
+    const latest = data.cliVersion || data.version;
+    if (latest && isNewer(latest, currentVersion)) {
+      return { current: currentVersion, latest };
+    }
+  } catch (_) {
+    // Network unavailable or timeout — silently skip
+  }
+  return null;
+}
+
+module.exports = { checkForUpdate, isNewer };