@iamsaroj/replicax 0.0.1 → 0.0.3

package/README.md

@@ -1,62 +1,75 @@
 <div align="center">
 
-# ReplicaX
+<h1>ReplicaX</h1>
+
+<h3><em>Copy the setup, not the code.</em></h3>
+
+<p>
+  Extract a project's entire development environment — <strong>tooling, folder structure, and conventions</strong> —
+  into a portable profile, then recreate it anywhere in seconds.<br/>
+  None of your business code. None of your secrets. Just the setup.
+</p>
+
+[![npm](https://img.shields.io/badge/npm-%40iamsaroj%2Freplicax-CB3837?style=flat-square&logo=npm&logoColor=white)](https://www.npmjs.com/package/@iamsaroj/replicax)
+[![Node](https://img.shields.io/badge/Node-%E2%89%A5%2020-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org)
+![ESM](https://img.shields.io/badge/Module-ESM-F7DF1E?style=flat-square&logo=javascript&logoColor=black)
+[![License](https://img.shields.io/badge/License-MIT-3FB950?style=flat-square)](LICENSE)
+
+<sub>
+  <a href="#quick-start"><b>Quick start</b></a> &nbsp;•&nbsp;
+  <a href="#commands"><b>Commands</b></a> &nbsp;•&nbsp;
+  <a href="#what-gets-captured"><b>What gets captured</b></a> &nbsp;•&nbsp;
+  <a href="#security"><b>Security</b></a> &nbsp;•&nbsp;
+  <a href="#how-it-works"><b>How it works</b></a> &nbsp;•&nbsp;
+  <a href="#faq"><b>FAQ</b></a>
+</sub>
 
-### _Copy the setup, not the code._
+</div>
 
-Extract a project's development environment — tooling config, folder structure, and
-conventions — into a reusable profile, then recreate it in seconds anywhere.
+---
 
-![Node](https://img.shields.io/badge/node-%3E%3D20-43853d)
-![TypeScript](https://img.shields.io/badge/TypeScript-5.x-3178c6)
-![Module](https://img.shields.io/badge/module-ESM-f7df1e)
-![License](https://img.shields.io/badge/license-MIT-blue)
+> **ReplicaX captures the _setup_ of a project — the parts you copy‑paste between every new repo — and leaves
+the _implementation_ behind.**
 
-</div>
+Every new project starts the same way: copy `tsconfig.json`, port the ESLint and Prettier config, recreate the
+Dockerfiles, re‑add the CI workflow, rebuild `src/`'s folder layout. It's slow, error‑prone, and quietly drifts out of
+sync across a team.
 
----
+ReplicaX captures that ritual **once** and replays it **on demand** — locally, or straight from any GitHub repo.
 
-ReplicaX captures the **setup** of a project — the parts you copy-paste between every
-new repo — and leaves the **implementation** behind. New projects start with your
-exact tooling and folder layout, and **zero** of your business code, secrets, or
-build artifacts.
+> It is **not** a code generator, a project cloner, or a backup tool.
 
-It is **not** a code generator, a project cloner, or a backup tool.
+---
 
-## Why
+## Why ReplicaX
 
-Every new project repeats the same ritual: copy `tsconfig.json`, port the ESLint and
-Prettier setup, recreate the Docker files, re-add the CI workflow, rebuild `src/`'s
-folder layout. It's slow, error-prone, and drifts out of sync across a team.
+|                       | Without ReplicaX                           | With ReplicaX                   |
+|-----------------------|--------------------------------------------|---------------------------------|
+| **New project setup** | 30+ minutes of copy‑paste from an old repo | `replicax create my-app`        |
+| **What you copy**     | Whatever you remember to grab              | A complete, validated profile   |
+| **Secrets**           | One stray `.env` away from a leak          | Blocked unconditionally         |
+| **Team consistency**  | Drifts repo to repo                        | One shareable `.tar.gz` profile |
+| **Source code**       | Tangled up with the config                 | Never touched                   |
 
-ReplicaX captures that ritual once and replays it on demand.
+---
 
 ## Features
 
-- **One-command capture** — `init` scans the current project into a profile.
-- **One-command scaffold** — `create` reproduces it in a new directory.
-- **`.ts` _and_ `.js` configs** — copied byte-for-byte, never compiled or executed.
-- **Secret-safe by design** — `.env`, keys, and certs can never enter a profile; `.npmrc` auth tokens are stripped
-  automatically.
-- **No business code** — folders are recreated empty; source files are never copied.
-- **Stays in sync** — `sync --diff` shows what drifted; `validate` checks integrity via SHA-256.
-- **Portable & shareable** — `export`/`import` a profile as a single `.tar.gz`.
-- **`.replicaxignore`** — gitignore-style control over what gets exported.
-
-## Table of contents
-
-- [Installation](#installation)
-- [Quick start](#quick-start)
-- [Worked example](#worked-example)
-- [Commands](#commands)
-- [What gets captured](#what-gets-captured)
-- [Security](#security)
-- [replicaxignore](#replicaxignore)
-- [Profile format](#profile-format)
-- [How it works](#how-it-works)
-- [Development](#development)
-- [FAQ](#faq)
-- [License](#license)
+|                               |                                                                                                                  |
+|-------------------------------|------------------------------------------------------------------------------------------------------------------|
+| **One‑command capture**       | `init` scans the current project into a reusable profile.                                                        |
+| **Capture any GitHub repo**   | `extract owner/repo` profiles a remote repo — no clone, no `git` required.                                       |
+| **One‑command scaffold**      | `create` reproduces the setup in a fresh directory.                                                              |
+| **AI assistant skills**       | `init-skill` uses your own AI (Claude · Codex · Gemini) to author a ready‑to‑use skill for agentic coding tools. |
+| **`.ts` _and_ `.js` configs** | Copied byte‑for‑byte — never compiled, never executed.                                                           |
+| **Secret‑safe by design**     | `.env`, keys, and certs can never enter a profile; `.npmrc` tokens are stripped automatically.                   |
+| **No business code**          | Folders are recreated empty; source files are never read.                                                        |
+| **Stays in sync**             | `sync --diff` shows what drifted; `validate` verifies integrity via SHA‑256.                                     |
+| **Portable & shareable**      | `export` / `import` a whole profile as a single `.tar.gz`.                                                       |
+| **`.replicaxignore`**         | gitignore‑style control over exactly what gets captured.                                                         |
+
+---
 
 ## Installation
 
@@ -66,26 +79,81 @@ npm install -g @iamsaroj/replicax
 pnpm add -g @iamsaroj/replicax
 ```
 
-Requires **Node.js 20+**. ReplicaX is a standalone CLI with no external services.
+> **Requires Node.js 20+.** ReplicaX is a standalone CLI with zero external services.
+
+---
 
 ## Quick start
 
 ```bash
-# 1. In an existing, well-configured project:
+# 1 — In an existing, well-configured project
 cd my-project
 replicax init                  # → writes a profile to .replicax/
 
-# 2. Anywhere the profile lives, scaffold a fresh project:
+# 2 — Anywhere the profile lives, scaffold a fresh project
 replicax create my-new-app     # → same setup, none of the code
 ```
 
-> Tip: try `replicax init --dry-run` first to preview exactly what would be captured.
+…and here's what `init` actually shows you:
+
+```console
+$ replicax init
+
+✔ Scanned 14 config file(s) and 9 director(ies)
+
+ℹ Captured setup
+  language       typescript
+  framework      react
+  packageManager npm
+  nodeVersion    20.x
+
+ℹ Tooling (14 files)
+  Build Tools                      1
+  CI/CD                            1
+  Docker                           2
+  Editor                           1
+  Formatting                       1
+  Git                              1
+  Git Hooks                        1
+  Language & Type Checking         3
+  Linting                          1
+  Testing                          1
+  package.json                     1
+
+ℹ Structure (9 directories)
+my-app/
+├── .github/
+│   └── workflows/
+├── .husky/
+├── public/
+└── src/
+    ├── components/
+    ├── hooks/
+    ├── pages/
+    └── services/
+
+✔ Profile "my-app" written to .replicax/
+  Create a project from it with: replicax create <project-name>
+```
+
+> 💡 **Tip:** run `replicax init --dry-run` first to preview exactly what would be captured — nothing is written.
 
-## Worked example
+---
 
-Starting from a typical Vite + React + TypeScript project:
+## Before & After
 
-```text
+Starting from a typical **Vite + React + TypeScript** project, `replicax init && replicax create my-new-app` produces a
+clean skeleton — same tooling, zero application code, zero secrets.
+
+<table>
+<tr>
+<th align="left">📁 Source project</th>
+<th align="left">✨ Generated by ReplicaX</th>
+</tr>
+<tr>
+<td valign="top">
+
+<pre>
 my-project/
 ├── vite.config.ts
 ├── tsconfig.json
@@ -96,46 +164,64 @@ my-project/
 ├── docker-compose.yml
 ├── .github/workflows/ci.yml
 ├── .husky/pre-commit
-├── .env                       # ← secret
-├── package.json               # ← incl. runtime deps
+├── .env                  ← secret
+├── package.json          ← runtime deps
 └── src/
-    ├── components/Button.tsx   # ← business code
+    ├── components/
+    │   └── Button.tsx     ← business code
     ├── hooks/
-    ├── services/UserService.ts # ← business code
+    ├── services/
+    │   └── UserService.ts ← business code
     └── pages/
-```
-
-```bash
-replicax init
-replicax create my-new-app --skip-install
-```
+</pre>
 
-ReplicaX produces:
+</td>
+<td valign="top">
 
-```text
+<pre>
 my-new-app/
-├── vite.config.ts             # copied verbatim
-├── tsconfig.json
-├── tsconfig.node.json
-├── .prettierrc
-├── eslint.config.js
-├── Dockerfile
-├── docker-compose.yml
+├── vite.config.ts        ✓ verbatim
+├── tsconfig.json         ✓
+├── tsconfig.node.json    ✓
+├── .prettierrc           ✓
+├── eslint.config.js      ✓
+├── Dockerfile            ✓
+├── docker-compose.yml    ✓
 ├── .github/workflows/ci.yml
-├── .husky/pre-commit
-├── package.json               # name renamed; scripts/devDeps kept, runtime deps dropped
+├── .husky/pre-commit     ✓
+├── package.json          ✓ curated
 └── src/
-    ├── components/             # recreated, but EMPTY
-    ├── hooks/
-    ├── services/               # recreated, but EMPTY
-    └── pages/
-```
+    ├── components/        ✓ EMPTY
+    │
+    ├── hooks/             ✓ EMPTY
+    ├── services/          ✓ EMPTY
+    │
+    └── pages/             ✓ EMPTY
+</pre>
+
+</td>
+</tr>
+</table>
+
+No `.env`. No `Button.tsx`. No `UserService.ts`. No `react` runtime dependency. **Only the setup.**
 
-No `.env`, no `Button.tsx`, no `UserService.ts`, no `react` runtime dependency — only
-the setup.
+---
 
 ## Commands
 
+| Command                                                                              | What it does                                       |
+|--------------------------------------------------------------------------------------|----------------------------------------------------|
+| [`replicax init`](#replicax-init)                                                    | Scan the current project → profile in `.replicax/` |
+| [`replicax extract <repo>`](#replicax-extract-repo)                                  | Profile a **remote GitHub repo** (no clone)        |
+| [`replicax create <name>`](#replicax-create-project-name)                            | Scaffold a new project from a profile              |
+| [`replicax sync`](#replicax-sync)                                                    | Update the profile from the current project        |
+| [`replicax inspect`](#replicax-inspect)                                              | Display captured config & structure                |
+| [`replicax validate`](#replicax-validate)                                            | Schema + integrity (SHA‑256) check — CI‑friendly   |
+| [`replicax export`](#replicax-export--import) / [`import`](#replicax-export--import) | Portable `.tar.gz` profile in/out                  |
+| [`replicax init-skill`](#replicax-init-skill)                                        | Author an AI‑assistant skill from your stack       |
+
+> Every write operation accepts `--dry-run` (preview, touch nothing) and `--verbose` (list every file).
+
 ### `replicax init`
 
 Scan the current project and write a profile to `.replicax/`.
@@ -146,10 +232,34 @@ replicax init --dry-run                    # preview, write nothing
 replicax init --verbose                    # list every detected file
 ```
 
+### `replicax extract <repo>`
+
+Capture a profile from a **remote GitHub repository** instead of the current directory — the same scan as `init`,
+pointed at a repo you don't even have checked out. The repo is downloaded as a tarball over the GitHub API (no `git`
+required) into a temp directory, scanned, then discarded; only the profile is kept.
+
+```bash
+replicax extract khanalsaroj/typegen-ui                     # owner/repo shorthand
+replicax extract https://github.com/khanalsaroj/typegen-ui  # or a full URL
+replicax extract owner/repo --ref develop                   # a branch, tag, or commit
+replicax extract owner/repo#v1.2.3                          # ref via #fragment / @tag too
+replicax extract owner/repo --name react-enterprise         # name the profile
+replicax extract owner/repo --out ./profiles/react          # write .replicax elsewhere
+replicax extract owner/repo --dry-run                       # preview, write nothing
+```
+
+Accepts `owner/repo`, a `github.com` URL (including `/tree/<branch>` links), an ssh remote, or a `#branch` / `@tag`
+suffix.
+
+> **Private repos & rate limits:** set `GITHUB_TOKEN` (or `GH_TOKEN`) in your environment — it's read from the
+> environment, used for the one request, and **never stored**. The same secret guard applies, so a remote repo's
+`.env` /
+> keys are never captured.
+
 ### `replicax create <project-name>`
 
-Create a new project from a profile. Existing files trigger an interactive
-overwrite/skip prompt (auto-skips when non-interactive).
+Create a new project from a profile. Existing files trigger an interactive overwrite/skip prompt (auto‑skips when
+non‑interactive).
 
 ```bash
 replicax create my-app
@@ -161,7 +271,7 @@ replicax create my-app --dry-run                        # preview the file plan
 
 ### `replicax sync`
 
-Re-scan and update the profile to match the current project.
+Re‑scan and update the profile to match the current project.
 
 ```bash
 replicax sync           # update, print a change summary
@@ -193,8 +303,7 @@ Tooling (14 file(s))
 
 ### `replicax validate`
 
-Check the profile's schema and integrity (SHA-256 checksums + path safety). Exits
-non-zero on failure — handy in CI.
+Check the profile's schema and integrity (SHA‑256 checksums + path safety). Exits non‑zero on failure — handy in CI.
 
 ```bash
 replicax validate
@@ -210,7 +319,39 @@ replicax import ./react-enterprise.tar.gz          # validates before adopting
 replicax import ./react-enterprise.tar.gz --force  # overwrite an existing profile
 ```
 
-> `--dry-run` is available on every write operation and never touches disk.
+### `replicax init-skill`
+
+Generate an AI‑assistant **skill** from the current project — a ready‑to‑use bundle (an entry `SKILL.md` plus optional
+`references/`) that teaches an assistant the tech stack, the install/build/test/lint commands, the tooling, and the
+folder layout, written where your assistant looks for skills.
+
+It uses **whatever AI you already have configured**. ReplicaX prefers a locally installed CLI (reusing its login) and
+falls back to a provider API key from your environment — it never stores credentials:
+
+| Provider | CLI (preferred) | API key (fallback)                  | API model default  |
+|----------|-----------------|-------------------------------------|--------------------|
+| `claude` | `claude -p`     | `ANTHROPIC_API_KEY`                 | `claude-opus-4-8`  |
+| `openai` | `codex exec`    | `OPENAI_API_KEY`                    | `gpt-5.5`          |
+| `gemini` | `gemini`        | `GEMINI_API_KEY` / `GOOGLE_API_KEY` | `gemini-3.5-flash` |
+
+```bash
+replicax init-skill --target claude                            # auto-detect provider, author the skill
+replicax init-skill --target codex --provider gemini           # force a specific provider
+replicax init-skill --target claude --model claude-sonnet-4-6  # override the API model
+replicax init-skill --target claude --no-ai                    # skip AI; use the built-in template
+replicax init-skill --target claude --dry-run                  # preview (no AI call, nothing written)
+replicax init-skill --target claude --force                    # overwrite existing skill files
+```
+
+**Targets** (`--target`, required) control the on‑disk _format/location_: `claude` → `.claude/skills/<name>/SKILL.md`,
+`codex` → `.codex/skills/<name>/SKILL.md`, `antigravity` → `.agents/skills/<name>.md`. The **provider** (auto‑detected,
+or forced with `--provider`) is the AI that _authors_ it — the two are independent.
+
+> **Privacy:** only the project's _setup_ is sent to the provider — the same safe surface ReplicaX captures (config
+> files, structure, `package.json` scripts/deps). Source code and secrets are never sent. With `--no-ai` (or no provider
+> configured), ReplicaX falls back to a deterministic, fully offline template.
+
+---
 
 ## What gets captured
 
@@ -222,35 +363,40 @@ replicax import ./react-enterprise.tar.gz --force  # overwrite an existing profi
 | Docker, CI/CD (Actions, GitLab, CircleCI, Jenkins)  | `node_modules/`, `dist/`, `build/`, `coverage/`, `.next/`, …   |
 | `.editorconfig`, Husky hooks                        | IDE folders (`.vscode/`, `.idea/`, `.vs/`, `.fleet/`, `.zed/`) |
 | Test configs (Vitest/Jest/Playwright/Cypress)       | Anything matched by `.replicaxignore`                          |
-| Monorepo files, commitlint/lint-staged/release/knip |                                                                |
+| Monorepo files, commitlint/lint‑staged/release/knip |                                                                |
 | Folder hierarchy (directories only)                 | Folder _contents_                                              |
 
-**`package.json`** is curated, not copied: only `scripts`, `devDependencies`,
-`engines`, `type`, `packageManager`, and config blocks like `lint-staged` are kept.
-Runtime `dependencies` are deliberately dropped, and the new project's name is
-stamped in on `create`.
+**`package.json` is curated, not copied.** Only `scripts`, `devDependencies`, `engines`, `type`, `packageManager`, and
+config blocks like `lint-staged` are kept. Runtime `dependencies` are deliberately dropped (that's your application),
+and the new project's name is stamped in on `create`.
+
+Both `.ts` and `.js` config variants work because ReplicaX copies them **verbatim** — it never needs to compile or
+execute a config to capture it.
 
-Both `.ts` and `.js` config variants are supported because ReplicaX copies them
-**verbatim** — it never needs to compile or execute a config to capture it.
+---
 
 ## Security
 
-ReplicaX treats secret exclusion as a hard guarantee, not a best effort:
+ReplicaX treats secret exclusion as a **hard guarantee, not a best effort.**
 
-- **Secrets are never captured.** `.env`, `.env.*`, `*.pem`, `*.key`, `*.crt`,
-  SSH keys, and friends are blocked unconditionally — this cannot be overridden by
-  configuration.
-- **`.npmrc` is sanitized.** It's a legitimate setup file, but auth tokens
-  (`_authToken`, `_password`, …) are stripped out before it enters a profile.
-- **No path escapes.** Every path read from a profile is validated against traversal
-  (`..`) and absolute paths before anything is written, so a malicious profile can't
-  write outside its target directory.
+> 🛡️ **Secrets are never captured.** `.env`, `.env.*`, `*.pem`, `*.key`, `*.crt`, SSH keys, and friends are blocked *
+*unconditionally** — this cannot be overridden by configuration.
 
-## `.replicaxignore`
+> 🧼 **`.npmrc` is sanitized.** It's a legitimate setup file, but auth tokens (`_authToken`, `_password`, …) are stripped
+> out before it enters a profile.
 
-Control what gets exported with gitignore syntax. `init` can scaffold a starter for
-you. Ignored files are excluded from the profile — but their parent directories are
-still captured for structure.
+> 🚧 **No path escapes.** Every path read from a profile (or from an AI response) is validated against traversal (`..`)
+> and absolute paths before anything is written, so a malicious profile can never write outside its target directory.
+`validate` re‑checks this.
+
+The same guarantees apply to `extract` — a remote repo's secrets are filtered exactly as a local project's are.
+
+---
+
+## Configuration — `.replicaxignore`
+
+Control what gets exported with **gitignore syntax**. `init` can scaffold a starter for you. Ignored files are excluded
+from the profile — but their parent directories are still captured for structure.
 
 ```gitignore
 # Business logic (folders kept, contents dropped)
@@ -262,6 +408,8 @@ src/**/*.ts
 *.log
 ```
 
+---
+
 ## Profile format
 
 A profile is five JSON files under `.replicax/`:
@@ -275,120 +423,119 @@ A profile is five JSON files under `.replicax/`:
 └── checksum.json    # SHA-256 integrity hashes
 ```
 
-All five are schema-validated (zod) on load; `validate` additionally re-checks
-checksums and rejects unsafe paths.
+All five are schema‑validated (zod) on load; `validate` additionally re‑checks checksums and rejects unsafe paths.
+
+---
 
 ## How it works
 
-```text
-              ┌─────────┐      ┌──────────────────┐      ┌──────────────┐
-  init/sync   │ Scanner │ ───▶ │ Profile Generator│ ───▶ │ .replicax/   │
-              └─────────┘      └──────────────────┘      └──────────────┘
-                  │                                            │
-       ignore engine + secret guard                   load + zod validate
-                                                             │
-              ┌──────────────────┐                           ▼
-  create      │ Project Generator│ ◀───────────────────  ProfileBundle
-              └──────────────────┘
-                  │
-       conflict resolver (overwrite/skip)
+```mermaid
+flowchart LR
+    A["📁 Local project"] -- "init / sync" --> S["🔎 Scanner"]
+    G["🌐 GitHub repo"] -- "extract" --> S
+    S --> F{"Ignore engine<br/>+ secret guard"}
+    F -- "safe setup only" --> P["🧬 Profile Generator"]
+    P --> D[("📦 .replicax/<br/>5 JSON files")]
+    D -- "load + zod validate" --> B["ProfileBundle"]
+    B -- "create" --> PG["🏗️ Project Generator"]
+    PG --> N["✨ New project<br/>setup, no code"]
+
+    style F fill:#1f2937,stroke:#f59e0b,color:#fff
+    style D fill:#0f172a,stroke:#38bdf8,color:#fff
 ```
 
-- **Scanner** detects config files (via a glob catalogue), the folder hierarchy, and
-  project metadata (package manager, framework, language).
-- **Ignore engine** layers default ignores + `.replicaxignore`, with a separate,
-  non-overridable **secret guard**.
+- **Scanner** detects config files (via a glob catalogue), the folder hierarchy, and project metadata (package manager,
+  framework, language).
+- **Ignore engine** layers default ignores + `.replicaxignore`, with a separate, **non‑overridable secret guard**.
 - **Profile generator** assembles the bundle and computes checksums.
-- **Project generator** reproduces the setup, adapting names/paths, with a
-  **conflict resolver** for existing files.
+- **Project generator** reproduces the setup, adapting names/paths, with a **conflict resolver** for existing files.
+
+---
 
 ## Development
 
 ```bash
 npm install
 npm run build         # tsup → dist/index.js (single ESM file, with shebang)
-npm run typecheck     # tsc --noEmit
-npm test              # vitest (32 tests, real temp-dir fixtures)
+npm run typecheck     # tsc --noEmit (covers src AND tests)
+npm test              # vitest (real temp-dir fixtures, no mocks)
 npm run format        # prettier --write .
 npm run dev           # tsup --watch
 ```
 
-> **Lockfile:** `package-lock.json` is maintained with **npm 10** (the version CI's
-> Node 20/22 ship with). If you're on npm 11+, regenerate it with `npx npm@10 install`
-> when changing dependencies — npm 11 resolves a different tree and will desync `npm ci`.
-
-Imports use a `@/*` → `src/*` alias resolved by tsc, tsup/esbuild, and the
-`vite-tsconfig-paths` vitest plugin. The build bundles to one file, so the alias
-never reaches the published output.
-
-**Stack:** TypeScript 5 · Node 20+ · ESM · commander · fast-glob · fs-extra ·
-ignore · zod · tar · picocolors · ora · @inquirer/prompts · cli-table3 · vitest ·
-tsup · prettier.
-
-> **Audit note:** `npm audit` flags `esbuild` (a build-time transitive of `tsup`).
-> The advisory concerns esbuild's dev server, which ReplicaX never runs, and
-> esbuild is not part of the published runtime (`dist/`). Fixing it requires a
-> breaking tsup downgrade, so the toolchain is left intact.
+```bash
+# Run a single test file, or by name:
+npx vitest run tests/scanner.test.ts
+npx vitest run -t "sanitizes a captured .npmrc"
+```
 
-## Releasing
+<details>
+<summary><b>Toolchain notes &amp; gotchas</b></summary>
 
-Publishing is **fully automated** by [`.github/workflows/release.yml`](.github/workflows/release.yml):
-bump the version, push to `main`, and the workflow tags the commit, runs the full
-CI gate (format, types, tests, build, CLI smoke test), publishes to npm with
-[provenance](https://docs.npmjs.com/generating-provenance-statements), and opens a
-GitHub Release with generated notes. You never create the tag by hand.
+<br/>
 
-**One-time setup:**
+**Lockfile.** `package-lock.json` is maintained with **npm 10** (what CI's Node 20/22 ship with). On npm 11+, regenerate
+with `npx npm@10 install` when changing dependencies — npm 11 resolves a different tree and will desync `npm ci`.
 
-1. Create a **classic Automation token** on npm (Access Tokens → Generate New
-   Token → Classic Token → **Automation**). If your account has 2FA enabled for
-   writes, this is the token type that can publish from CI — it bypasses the
-   interactive 2FA prompt. (A granular or classic _Publish_ token still requires
-   an OTP and will fail in CI with a `403`.)
-2. Add it to the repo as a secret named `NPM_TOKEN`
-   (Settings → Secrets and variables → Actions). Scoping it to a `npm`
-   environment is optional but recommended for required-reviewer protection.
+**Path alias.** Imports use a `@/*` → `src/*` alias resolved by tsc, tsup/esbuild, and the `vite-tsconfig-paths` vitest
+plugin. The build bundles to one file, so the alias never reaches the published output.
 
-**Cut a release** — bump and push, that's it:
+**Stack.** TypeScript 5 · Node 20+ · ESM · commander · fast‑glob · fs‑extra · ignore · zod · tar · picocolors · ora ·
+@inquirer/prompts · cli‑table3 · vitest · tsup · prettier.
 
-```bash
-npm version patch --no-git-tag-version   # minor / major too; bumps package.json + lock
-git commit -am "Release v0.1.0"
-git push                                 # → workflow tags v0.1.0 and publishes
-```
+**Audit note.** `npm audit` flags `esbuild` (a build‑time transitive of `tsup`). The advisory concerns esbuild's dev
+server, which ReplicaX never runs, and esbuild is not part of the published runtime (`dist/`). Fixing it requires a
+breaking tsup downgrade, so the toolchain is left intact.
 
-The release gate is "is this version already on npm?", so:
+</details>
 
-- A normal push with no version change is a **no-op**.
-- Re-running never double-publishes (npm already has the version → skipped).
-- The git tag (`vX.Y.Z`) is created **after** a successful publish, so a failed
-  publish stays retryable.
-- Prerelease versions (e.g. `0.2.0-beta.1`) publish under a matching dist-tag
-  (`beta`) instead of `latest`.
-
-> Don't push tags manually — let the workflow own tagging. Every push and PR is
-> also checked by [`.github/workflows/ci.yml`](.github/workflows/ci.yml) across Node 20 and 22.
+---
 
 ## FAQ
 
-**Does it copy my source code?** No. Only configuration files and the empty folder
-hierarchy. Application code is never read into a profile.
-
-**What about `.ts` config files like `vite.config.ts`?** Fully supported — they're
-copied as text, so both `.ts` and `.js` variants work without any compile step.
-
-**Can a profile leak a secret?** No. Secret exclusion is unconditional and `.npmrc`
-tokens are stripped; `validate` will fail if a secret ever appears in a profile.
-
-**Why are runtime `dependencies` dropped from `package.json`?** They're part of your
-application, not your setup. `devDependencies`, `scripts`, and `engines` are kept.
+<details>
+<summary><b>Does it copy my source code?</b></summary>
+<br/>
+No. Only configuration files and the empty folder hierarchy. Application code is never read into a profile.
+</details>
+
+<details>
+<summary><b>What about <code>.ts</code> config files like <code>vite.config.ts</code>?</b></summary>
+<br/>
+Fully supported — they're copied as text, so both <code>.ts</code> and <code>.js</code> variants work without any compile step.
+</details>
+
+<details>
+<summary><b>Can a profile leak a secret?</b></summary>
+<br/>
+No. Secret exclusion is unconditional and <code>.npmrc</code> tokens are stripped; <code>validate</code> will fail if a secret ever appears in a profile.
+</details>
+
+<details>
+<summary><b>Why are runtime <code>dependencies</code> dropped from <code>package.json</code>?</b></summary>
+<br/>
+They're part of your application, not your setup. <code>devDependencies</code>, <code>scripts</code>, and <code>engines</code> are kept.
+</details>
+
+<details>
+<summary><b>Does <code>extract</code> need <code>git</code> installed?</b></summary>
+<br/>
+No. It downloads the repo as a tarball over the GitHub API using Node's built-in <code>fetch</code> — no <code>git</code> binary, no full clone.
+</details>
+
+<details>
+<summary><b>Is it cross-platform?</b></summary>
+<br/>
+Yes — Windows (native + WSL), macOS, and Linux.
+</details>
 
-**Is it cross-platform?** Yes — Windows (native + WSL), macOS, and Linux.
+---
 
 ## License
 
-MIT — see [LICENSE](LICENSE).
-
----
+**MIT** — see [LICENSE](LICENSE).
 
-<div align="center"><sub><i>ReplicaX — copy the setup, not the code.</i></sub></div>
+<div align="center">
+<br/>
+<sub><i>ReplicaX — copy the setup, not the code.</i></sub>
+</div>