npm - @iamsaroj/replicax - Versions diffs - 0.0.4 → 0.0.5 - Mend

@iamsaroj/replicax 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -5,23 +5,25 @@
 <h3><em>Copy the setup, not the code.</em></h3>
 <p>
-  Extract a project's entire development environment — <strong>tooling, folder structure, and conventions</strong> —
+  Extract a project's entire development environment - <strong>tooling, folder structure, and conventions</strong>
   into a portable profile, then recreate it anywhere in seconds.<br/>
   None of your business code. None of your secrets. Just the setup.
 </p>
 [![npm](https://img.shields.io/badge/npm-%40iamsaroj%2Freplicax-CB3837?style=flat-square&logo=npm&logoColor=white)](https://www.npmjs.com/package/@iamsaroj/replicax)
+[![CI](https://img.shields.io/github/actions/workflow/status/khanalsaroj/replicaX/ci.yml?branch=main&style=flat-square&label=CI&logo=github)](https://github.com/khanalsaroj/replicaX/actions/workflows/ci.yml)
+[![Release](https://img.shields.io/github/actions/workflow/status/khanalsaroj/replicaX/release.yml?branch=main&style=flat-square&label=release&logo=github)](https://github.com/khanalsaroj/replicaX/actions/workflows/release.yml)
 [![Node](https://img.shields.io/badge/Node-%E2%89%A5%2020-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org)
 ![ESM](https://img.shields.io/badge/Module-ESM-F7DF1E?style=flat-square&logo=javascript&logoColor=black)
 [![License](https://img.shields.io/badge/License-MIT-3FB950?style=flat-square)](LICENSE)
 <sub>
-  <a href="#quick-start"><b>Quick start</b></a> &nbsp;•&nbsp;
-  <a href="#commands"><b>Commands</b></a> &nbsp;•&nbsp;
-  <a href="#what-gets-captured"><b>What gets captured</b></a> &nbsp;•&nbsp;
-  <a href="#security"><b>Security</b></a> &nbsp;•&nbsp;
-  <a href="#how-it-works"><b>How it works</b></a> &nbsp;•&nbsp;
+  <a href="#quick-start"><b>Quick start</b></a> &nbsp;|&nbsp;
+  <a href="#commands"><b>Commands</b></a> &nbsp;|&nbsp;
+  <a href="#what-gets-captured"><b>What gets captured</b></a> &nbsp;|&nbsp;
+  <a href="#security"><b>Security</b></a> &nbsp;|&nbsp;
+  <a href="#how-it-works"><b>How it works</b></a> &nbsp;|&nbsp;
   <a href="#faq"><b>FAQ</b></a>
 </sub>
@@ -29,14 +31,14 @@
 ---
-> **ReplicaX captures the _setup_ of a project — the parts you copy‑paste between every new repo — and leaves
-the _implementation_ behind.**
+> **ReplicaX captures the _setup_ of a project - the parts you copy-paste between every new repo - and leaves
+> the _implementation_ behind.**
 Every new project starts the same way: copy `tsconfig.json`, port the ESLint and Prettier config, recreate the
-Dockerfiles, re‑add the CI workflow, rebuild `src/`'s folder layout. It's slow, error‑prone, and quietly drifts out of
+Dockerfiles, re-add the CI workflow, rebuild `src/`'s folder layout. It's slow, error-prone, and quietly drifts out of
 sync across a team.
-ReplicaX captures that ritual **once** and replays it **on demand** — locally, or straight from any GitHub repo.
+ReplicaX captures that ritual **once** and replays it **on demand** - locally, or straight from any GitHub repo.
 > It is **not** a code generator, a project cloner, or a backup tool.
@@ -46,7 +48,7 @@ ReplicaX captures that ritual **once** and replays it **on demand** — locally,
 |                       | Without ReplicaX                           | With ReplicaX                   |
 |-----------------------|--------------------------------------------|---------------------------------|
-| **New project setup** | 30+ minutes of copy‑paste from an old repo | `replicax create my-app`        |
+| **New project setup** | 30+ minutes of copy-paste from an old repo | `replicax create my-app`        |
 | **What you copy**     | Whatever you remember to grab              | A complete, validated profile   |
 | **Secrets**           | One stray `.env` away from a leak          | Blocked unconditionally         |
 | **Team consistency**  | Drifts repo to repo                        | One shareable `.tar.gz` profile |
@@ -58,16 +60,16 @@ ReplicaX captures that ritual **once** and replays it **on demand** — locally,
 |                               |                                                                                                                  |
 |-------------------------------|------------------------------------------------------------------------------------------------------------------|
-| **One‑command capture**       | `init` scans the current project into a reusable profile.                                                        |
-| **Capture any GitHub repo**   | `extract owner/repo` profiles a remote repo — no clone, no `git` required.                                       |
-| **One‑command scaffold**      | `create` reproduces the setup in a fresh directory.                                                              |
-| **AI assistant skills**       | `init-skill` uses your own AI (Claude · Codex · Gemini) to author a ready‑to‑use skill for agentic coding tools. |
-| **`.ts` _and_ `.js` configs** | Copied byte‑for‑byte — never compiled, never executed.                                                           |
-| **Secret‑safe by design**     | `.env`, keys, and certs can never enter a profile; `.npmrc` tokens are stripped automatically.                   |
+| **One-command capture**       | `init` scans the current project into a reusable profile.                                                        |
+| **Capture any GitHub repo**   | `extract owner/repo` profiles a remote repo - no clone, no `git` required.                                       |
+| **One-command scaffold**      | `create` reproduces the setup in a fresh directory.                                                              |
+| **AI assistant skills**       | `init-skill` uses your own AI (Claude / Codex / Gemini) to author a ready-to-use skill for agentic coding tools. |
+| **`.ts` _and_ `.js` configs** | Copied byte-for-byte - never compiled, never executed.                                                           |
+| **Secret-safe by design**     | `.env`, keys, and certs can never enter a profile; `.npmrc` tokens are stripped automatically.                   |
 | **No business code**          | Folders are recreated empty; source files are never read.                                                        |
-| **Stays in sync**             | `sync --diff` shows what drifted; `validate` verifies integrity via SHA‑256.                                     |
+| **Stays in sync**             | `sync --diff` shows what drifted; `validate` verifies integrity via SHA-256.                                     |
 | **Portable & shareable**      | `export` / `import` a whole profile as a single `.tar.gz`.                                                       |
-| **`.replicaxignore`**         | gitignore‑style control over exactly what gets captured.                                                         |
+| **`.replicaxignore`**         | gitignore-style control over exactly what gets captured.                                                         |
 ---
@@ -86,15 +88,15 @@ pnpm add -g @iamsaroj/replicax
 ## Quick start
 ```bash
-# 1 — In an existing, well-configured project
+# 1  In an existing, well-configured project
 cd my-project
-replicax init                  # → writes a profile to .replicax/
+replicax init                  # -> writes a profile to .replicax/
-# 2 — Anywhere the profile lives, scaffold a fresh project
-replicax create my-new-app     # → same setup, none of the code
+# 2  Anywhere the profile lives, scaffold a fresh project
+replicax create my-new-app     # -> same setup, none of the code
 ```
-…and here's what `init` actually shows you:
+...and here's what `init` actually shows you:
 ```console
 $ replicax init
@@ -136,14 +138,14 @@ my-app/
   Create a project from it with: replicax create <project-name>
 ```
-> 💡 **Tip:** run `replicax init --dry-run` first to preview exactly what would be captured — nothing is written.
+> 💡 **Tip:** run `replicax init --dry-run` first to preview exactly what would be captured - nothing is written.
 ---
 ## Before & After
 Starting from a typical **Vite + React + TypeScript** project, `replicax init && replicax create my-new-app` produces a
-clean skeleton — same tooling, zero application code, zero secrets.
+clean skeleton - same tooling, zero application code, zero secrets.
 <table>
 <tr>
@@ -164,14 +166,14 @@ my-project/
 ├── docker-compose.yml
 ├── .github/workflows/ci.yml
 ├── .husky/pre-commit
-├── .env                  ← secret
-├── package.json          ← runtime deps
+├── .env                  <- secret
+├── package.json          <- runtime deps
 └── src/
     ├── components/
-    │   └── Button.tsx     ← business code
+    │   └── Button.tsx     <- business code
     ├── hooks/
     ├── services/
-    │   └── UserService.ts ← business code
+    │   └── UserService.ts <- business code
     └── pages/
 </pre>
@@ -211,16 +213,16 @@ No `.env`. No `Button.tsx`. No `UserService.ts`. No `react` runtime dependency.
 | Command                                                                              | What it does                                       |
 |--------------------------------------------------------------------------------------|----------------------------------------------------|
-| [`replicax init`](#replicax-init)                                                    | Scan the current project → profile in `.replicax/` |
+| [`replicax init`](#replicax-init)                                                    | Scan the current project -> profile in `.replicax/` |
 | [`replicax extract <repo>`](#replicax-extract-repo)                                  | Profile a **remote GitHub repo** (no clone)        |
 | [`replicax create <name>`](#replicax-create-project-name)                            | Scaffold a new project from a profile              |
 | [`replicax sync`](#replicax-sync)                                                    | Update the profile from the current project        |
 | [`replicax inspect`](#replicax-inspect)                                              | Display captured config & structure                |
-| [`replicax validate`](#replicax-validate)                                            | Schema + integrity (SHA‑256) check — CI‑friendly   |
+| [`replicax validate`](#replicax-validate)                                            | Schema + integrity (SHA-256) check  CI-friendly   |
 | [`replicax export`](#replicax-export--import) / [`import`](#replicax-export--import) | Portable `.tar.gz` profile in/out                  |
-| [`replicax init-skill`](#replicax-init-skill)                                        | Author an AI‑assistant skill from your stack       |
+| [`replicax init-skill`](#replicax-init-skill)                                        | Author an AI-assistant skill from your stack       |
 | [`replicax doctor`](#replicax-doctor)                                                | Check which dev tools are installed locally        |
-| [`replicax compare <a> <b>`](#replicax-compare-source-target)                        | Diff two profiles/projects: tooling, config, …     |
+| [`replicax compare <a> <b>`](#replicax-compare-source-target)                        | Diff two profiles/projects: tooling, config, ...     |
 | [`replicax audit`](#replicax-audit)                                                  | Score a setup vs best practices + recommendations  |
 > Every write operation accepts `--dry-run` (preview, touch nothing) and `--verbose` (list every file).
@@ -237,7 +239,7 @@ replicax init --verbose                    # list every detected file
 ### `replicax extract <repo>`
-Capture a profile from a **remote GitHub repository** instead of the current directory — the same scan as `init`,
+Capture a profile from a **remote GitHub repository** instead of the current directory - the same scan as `init`,
 pointed at a repo you don't even have checked out. The repo is downloaded as a tarball over the GitHub API (no `git`
 required) into a temp directory, scanned, then discarded; only the profile is kept.
@@ -254,27 +256,36 @@ replicax extract owner/repo --dry-run                       # preview, write not
 Accepts `owner/repo`, a `github.com` URL (including `/tree/<branch>` links), an ssh remote, or a `#branch` / `@tag`
 suffix.
-> **Private repos & rate limits:** set `GITHUB_TOKEN` (or `GH_TOKEN`) in your environment — it's read from the
+> **Private repos & rate limits:** set `GITHUB_TOKEN` (or `GH_TOKEN`) in your environment - it's read from the
 > environment, used for the one request, and **never stored**. The same secret guard applies, so a remote repo's
 `.env` /
 > keys are never captured.
 ### `replicax create <project-name>`
-Create a new project from a profile. Existing files trigger an interactive overwrite/skip prompt (auto‑skips when
-non‑interactive).
+Create a new project from a profile. Existing files trigger an interactive overwrite/skip prompt (auto-skips when
+non-interactive).
 ```bash
 replicax create my-app
 replicax create my-app --profile ./shared/.replicax   # use a profile elsewhere
-replicax create my-app --skip-install                  # don't run the package manager
+replicax create my-app --skip-install                  # never run the package manager
+replicax create my-app --install                       # install even for untrusted profiles
 replicax create my-app --force                         # overwrite conflicts, no prompt
 replicax create my-app --dry-run                        # preview the file plan
 ```
+> **Dependency install is a trust boundary.** Running the package manager executes
+> any `preinstall`/`postinstall` lifecycle scripts declared by the captured
+> `devDependencies`. Profiles you made locally (`init`/`sync`) install by default.
+> Profiles from **`extract` (remote)** or **`import` (an archive someone sent you)**
+> are marked untrusted: `create` prints the package manager and the exact
+> dependency list, then **stops** without installing. Review it, then run the
+> install yourself or re-run with `--install`.
 ### `replicax sync`
-Re‑scan and update the profile to match the current project.
+Re-scan and update the profile to match the current project.
 ```bash
 replicax sync           # update, print a change summary
@@ -300,13 +311,13 @@ Tooling (14 file(s))
 │ Language & Type Checking       │ tsconfig.json            │ json    │ 226 B    │
 │ Build Tools                    │ vite.config.ts           │ ts      │ 98 B     │
 │ Formatting                     │ .prettierrc              │ other   │ 63 B     │
-│ …                              │ …                        │ …       │ …        │
+│ ...                              │ ...                        │ ...       │ ...        │
 └────────────────────────────────┴──────────────────────────┴─────────┴──────────┘
 ```
 ### `replicax validate`
-Check the profile's schema and integrity (SHA‑256 checksums + path safety). Exits non‑zero on failure — handy in CI.
+Check the profile's schema and integrity (SHA-256 checksums + path safety). Exits non-zero on failure - handy in CI.
 ```bash
 replicax validate
@@ -324,12 +335,12 @@ replicax import ./react-enterprise.tar.gz --force  # overwrite an existing profi
 ### `replicax init-skill`
-Generate an AI‑assistant **skill** from the current project — a ready‑to‑use bundle (an entry `SKILL.md` plus optional
+Generate an AI-assistant **skill** from the current project - a ready-to-use bundle (an entry `SKILL.md` plus optional
 `references/`) that teaches an assistant the tech stack, the install/build/test/lint commands, the tooling, and the
 folder layout, written where your assistant looks for skills.
 It uses **whatever AI you already have configured**. ReplicaX prefers a locally installed CLI (reusing its login) and
-falls back to a provider API key from your environment — it never stores credentials:
+falls back to a provider API key from your environment - it never stores credentials:
 | Provider | CLI (preferred) | API key (fallback)                  | API model default  |
 |----------|-----------------|-------------------------------------|--------------------|
@@ -346,22 +357,22 @@ replicax init-skill --target claude --dry-run                  # preview (no AI
 replicax init-skill --target claude --force                    # overwrite existing skill files
 ```
-**Targets** (`--target`, required) control the on‑disk _format/location_: `claude` → `.claude/skills/<name>/SKILL.md`,
-`codex` → `.codex/skills/<name>/SKILL.md`, `antigravity` → `.agents/skills/<name>.md`. The **provider** (auto‑detected,
-or forced with `--provider`) is the AI that _authors_ it — the two are independent.
+**Targets** (`--target`, required) control the on-disk _format/location_: `claude` -> `.claude/skills/<name>/SKILL.md`,
+`codex` -> `.codex/skills/<name>/SKILL.md`, `antigravity` -> `.agents/skills/<name>.md`. The **provider** (auto-detected,
+or forced with `--provider`) is the AI that _authors_ it - the two are independent.
 > **Bring your own template.** If the project root has a `SKILL.md`, `init-skill` hands it to the AI as the **base** to
-> refine — the model preserves your headings, structure, and instructions and fills them in from the detected setup,
+> refine - the model preserves your headings, structure, and instructions and fills them in from the detected setup,
 > instead of starting from scratch.
-> **Privacy:** only the project's _setup_ is sent to the provider — the same safe surface ReplicaX captures (config
+> **Privacy:** only the project's _setup_ is sent to the provider - the same safe surface ReplicaX captures (config
 > files, structure, `package.json` scripts/deps). Source code and secrets are never sent. With `--no-ai` (or no provider
 > configured), ReplicaX falls back to a deterministic, fully offline template.
 ### `replicax doctor`
-Report which developer tools are installed locally — runtimes, package managers, Docker, and editors — with versions.
-Cross‑platform and read‑only; a missing tool is a finding, not an error.
+Report which developer tools are installed locally - runtimes, package managers, Docker, and editors - with versions.
+Cross-platform and read-only; a missing tool is a finding, not an error.
 ```bash
 replicax doctor
@@ -383,7 +394,7 @@ Developer environment
 ### `replicax compare <source> <target>`
-Diff two profiles — or two project directories — across tooling, configuration files, `package.json`, structure, and
+Diff two profiles - or two project directories - across tooling, configuration files, `package.json`, structure, and
 metadata. Each argument may be a `.replicax` profile, a directory containing one, or a plain project folder (scanned on
 the fly), so you can compare anything against anything.
@@ -400,12 +411,12 @@ Removed:
   - Jest (Tooling)
 Changed:
   ~ eslint.config.js (Configuration files)
-  ~ language: javascript → typescript (Metadata)
+  ~ language: javascript -> typescript (Metadata)
 ```
 ### `replicax audit`
-Score a project's setup against best‑practice rules — linting, formatting, testing, git hooks, CI/CD, containerization —
+Score a project's setup against best-practice rules - linting, formatting, testing, git hooks, CI/CD, containerization
 and get concrete recommendations for what's missing. Scans the current directory by default, or evaluates a stored
 profile with `--profile`.
@@ -433,7 +444,7 @@ Recommendations:
 ```
 > `compare` and `audit` build on the detection engine: every scan now reports the **detected stack** (React, TypeScript,
-> Docker, GitHub Actions, …) with a confidence score, persisted in the profile and viewable via `inspect --section
+> Docker, GitHub Actions, ...) with a confidence score, persisted in the profile and viewable via `inspect --section
 > detections`.
 ---
@@ -445,10 +456,10 @@ Recommendations:
 | TS/JS configs, ESLint, Prettier                     | Application source (components, services, controllers)         |
 | Vite / Webpack / Rollup / esbuild                   | Runtime `dependencies` in `package.json`                       |
 | Tailwind / PostCSS                                  | `.env*`, `*.pem`, `*.key`, certificates                        |
-| Docker, CI/CD (Actions, GitLab, CircleCI, Jenkins)  | `node_modules/`, `dist/`, `build/`, `coverage/`, `.next/`, …   |
+| Docker, CI/CD (Actions, GitLab, CircleCI, Jenkins)  | `node_modules/`, `dist/`, `build/`, `coverage/`, `.next/`, ...   |
 | `.editorconfig`, Husky hooks                        | IDE folders (`.vscode/`, `.idea/`, `.vs/`, `.fleet/`, `.zed/`) |
 | Test configs (Vitest/Jest/Playwright/Cypress)       | Anything matched by `.replicaxignore`                          |
-| Monorepo files, commitlint/lint‑staged/release/knip |                                                                |
+| Monorepo files, commitlint/lint-staged/release/knip |                                                                |
 | JVM build (Maven/Gradle) + Spring `application.*`   | Compiled output (`target/`, `*.class`), the gradle wrapper JAR |
 | Folder hierarchy (directories only)                 | Folder _contents_                                              |
@@ -456,7 +467,7 @@ Recommendations:
 config blocks like `lint-staged` are kept. Runtime `dependencies` are deliberately dropped (that's your application),
 and the new project's name is stamped in on `create`.
-Both `.ts` and `.js` config variants work because ReplicaX copies them **verbatim** — it never needs to compile or
+Both `.ts` and `.js` config variants work because ReplicaX copies them **verbatim**  it never needs to compile or
 execute a config to capture it.
 ---
@@ -466,23 +477,32 @@ execute a config to capture it.
 ReplicaX treats secret exclusion as a **hard guarantee, not a best effort.**
 > 🛡️ **Secrets are never captured.** `.env`, `.env.*`, `*.pem`, `*.key`, `*.crt`, SSH keys, and friends are blocked *
-*unconditionally** — this cannot be overridden by configuration.
+*unconditionally** - this cannot be overridden by configuration.
-> 🧼 **`.npmrc` is sanitized.** It's a legitimate setup file, but auth tokens (`_authToken`, `_password`, …) are stripped
+> 🧼 **`.npmrc` is sanitized.** It's a legitimate setup file, but auth tokens (`_authToken`, `_password`, ...) are stripped
 > out before it enters a profile.
 > 🚧 **No path escapes.** Every path read from a profile (or from an AI response) is validated against traversal (`..`)
 > and absolute paths before anything is written, so a malicious profile can never write outside its target directory.
-`validate` re‑checks this.
+> `validate` re-checks this.
+> 📦 **Archive extraction is a trust boundary.** An imported `.tar.gz` is validated before a single byte is written:
+> entries that escape the target (`..`, absolute paths), symlinks/hardlinks, and device entries are rejected, and the
+> archive is capped on compressed size, uncompressed size, file count, and per-file size, so a tar bomb is aborted up
+> front. The same guard (with links skipped) protects the GitHub tarball that `extract` downloads.
+> 🧯 **Install is opt-in for untrusted profiles.** Because `npm install` runs dependency lifecycle scripts, `create`
+> will not auto-install for an `extract`ed or `import`ed profile - it prints the dependency list and waits for you to
+> review and pass `--install`. See [`replicax create`](#replicax-create-project-name).
-The same guarantees apply to `extract` — a remote repo's secrets are filtered exactly as a local project's are.
+The same guarantees apply to `extract` - a remote repo's secrets are filtered exactly as a local project's are.
 ---
-## Configuration — `.replicaxignore` and `.replicaxinclude`
+## Configuration - `.replicaxignore` and `.replicaxinclude`
 **`.replicaxignore`** controls what gets *excluded*, with **gitignore syntax**. `init` can scaffold a starter for you.
-Ignored files are excluded from the profile — but their parent directories are still captured for structure.
+Ignored files are excluded from the profile - but their parent directories are still captured for structure.
 ```gitignore
 # Business logic (folders kept, contents dropped)
@@ -496,7 +516,7 @@ src/**/*.ts
 **`.replicaxinclude`** is the opposite: a list of **glob patterns** (one per line, `#` comments) for *extra* files to
 capture verbatim, on top of the auto-detected catalogue. Use it for config ReplicaX doesn't recognize by default
-(`*.toml`, a `config/` directory, an IDE file you do want shared, …). A trailing `/` means "the whole directory".
+(`*.toml`, a `config/` directory, an IDE file you do want shared, ...). A trailing `/` means "the whole directory".
 ```gitignore
 # Capture these in addition to the auto-detected setup
@@ -505,9 +525,9 @@ config/**
 .vscode/extensions.json
 ```
-**Precedence** (highest first): the **secret guard** always wins (a secret can never be included) →
-**`.replicaxignore`** (your excludes beat your includes) → **`.replicaxinclude`** (overrides the default prune/ignore
-lists, so it can reach normally-skipped locations) → the **built-in catalogue**.
+**Precedence** (highest first): the **secret guard** always wins (a secret can never be included) ->
+**`.replicaxignore`** (your excludes beat your includes) -> **`.replicaxinclude`** (overrides the default prune/ignore
+lists, so it can reach normally-skipped locations) -> the **built-in catalogue**.
 ---
@@ -525,10 +545,10 @@ A profile is five required JSON files under `.replicax/`, plus an optional manif
 └── manifest.json    # content-free index of artifacts (path, category, size, hash)
 ```
-All files are schema‑validated (zod) on load; `validate` additionally re‑checks checksums and rejects unsafe paths.
+All files are schema-validated (zod) on load; `validate` additionally re-checks checksums and rejects unsafe paths.
 **Schema version 2.1.0** added the detected stack (`metadata.detections`), an optional `registry` block (for future
-registry support), and `manifest.json` — all backward‑compatible. Profiles written by older ReplicaX (2.0.0) are
+registry support), and `manifest.json` - all backward-compatible. Profiles written by older ReplicaX (2.0.0) are
 **migrated automatically on load** and the manifest is synthesized when absent, so existing profiles keep working.
 ---
@@ -552,7 +572,7 @@ flowchart LR
 - **Scanner** detects config files (via a glob catalogue), the folder hierarchy, and project metadata (package manager,
   framework, language).
-- **Ignore engine** layers default ignores + `.replicaxignore`, with a separate, **non‑overridable secret guard**.
+- **Ignore engine** layers default ignores + `.replicaxignore`, with a separate, **non-overridable secret guard**.
 - **Profile generator** assembles the bundle and computes checksums.
 - **Project generator** reproduces the setup, adapting names/paths, with a **conflict resolver** for existing files.
@@ -562,7 +582,7 @@ flowchart LR
 ```bash
 npm install
-npm run build         # tsup → dist/index.js (single ESM file, with shebang)
+npm run build         # tsup -> dist/index.js (single ESM file, with shebang)
 npm run typecheck     # tsc --noEmit (covers src AND tests)
 npm test              # vitest (real temp-dir fixtures, no mocks)
 npm run format        # prettier --write .
@@ -581,15 +601,15 @@ npx vitest run -t "sanitizes a captured .npmrc"
 <br/>
 **Lockfile.** `package-lock.json` is maintained with **npm 10** (what CI's Node 20/22 ship with). On npm 11+, regenerate
-with `npx npm@10 install` when changing dependencies — npm 11 resolves a different tree and will desync `npm ci`.
+with `npx npm@10 install` when changing dependencies - npm 11 resolves a different tree and will desync `npm ci`.
-**Path alias.** Imports use a `@/*` → `src/*` alias resolved by tsc, tsup/esbuild, and the `vite-tsconfig-paths` vitest
+**Path alias.** Imports use a `@/*` -> `src/*` alias resolved by tsc, tsup/esbuild, and the `vite-tsconfig-paths` vitest
 plugin. The build bundles to one file, so the alias never reaches the published output.
-**Stack.** TypeScript 5 · Node 20+ · ESM · commander · fast‑glob · fs‑extra · ignore · zod · tar · picocolors · ora ·
-@inquirer/prompts · cli‑table3 · vitest · tsup · prettier.
+**Stack.** TypeScript 5 / Node 20+ / ESM / commander / fast-glob / fs-extra / ignore / zod / tar / picocolors / ora /
+@inquirer/prompts / cli-table3 / vitest / tsup / prettier.
-**Audit note.** `npm audit` flags `esbuild` (a build‑time transitive of `tsup`). The advisory concerns esbuild's dev
+**Audit note.** `npm audit` flags `esbuild` (a build-time transitive of `tsup`). The advisory concerns esbuild's dev
 server, which ReplicaX never runs, and esbuild is not part of the published runtime (`dist/`). Fixing it requires a
 breaking tsup downgrade, so the toolchain is left intact.
@@ -608,7 +628,7 @@ No. Only configuration files and the empty folder hierarchy. Application code is
 <details>
 <summary><b>What about <code>.ts</code> config files like <code>vite.config.ts</code>?</b></summary>
 <br/>
-Fully supported — they're copied as text, so both <code>.ts</code> and <code>.js</code> variants work without any compile step.
+Fully supported - they're copied as text, so both <code>.ts</code> and <code>.js</code> variants work without any compile step.
 </details>
 <details>
@@ -626,22 +646,22 @@ They're part of your application, not your setup. <code>devDependencies</code>,
 <details>
 <summary><b>Does <code>extract</code> need <code>git</code> installed?</b></summary>
 <br/>
-No. It downloads the repo as a tarball over the GitHub API using Node's built-in <code>fetch</code> — no <code>git</code> binary, no full clone.
+No. It downloads the repo as a tarball over the GitHub API using Node's built-in <code>fetch</code>  no <code>git</code> binary, no full clone.
 </details>
 <details>
 <summary><b>Is it cross-platform?</b></summary>
 <br/>
-Yes — Windows (native + WSL), macOS, and Linux.
+Yes  Windows (native + WSL), macOS, and Linux.
 </details>
 ---
 ## License
-**MIT** — see [LICENSE](LICENSE).
+**MIT**  see [LICENSE](LICENSE).
 <div align="center">
 <br/>
-<sub><i>ReplicaX — copy the setup, not the code.</i></sub>
+<sub><i>ReplicaX - copy the setup, not the code.</i></sub>
 </div>

package/dist/index.js CHANGED Viewed

@@ -70,7 +70,7 @@ var REPLICAX_DIR = ".replicax";
 var IGNORE_FILE = ".replicaxignore";
 var INCLUDE_FILE = ".replicaxinclude";
 var ROOT_SKILL_FILE = "SKILL.md";
-var REPLICAX_VERSION = "2.1.0";
+var REPLICAX_VERSION = "2.2.0";
 var PROFILE_FILES = {
   profile: "profile.json",
   tooling: "tooling.json",
@@ -1273,13 +1273,16 @@ function buildBundle(args) {
     name: args.name,
     description: args.description ?? args.existing.description,
     replicaxVersion: REPLICAX_VERSION,
-    updatedAt: now
+    updatedAt: now,
+    // Preserve the original provenance on sync unless explicitly overridden.
+    ...args.source ?? args.existing.source ? { source: args.source ?? args.existing.source } : {}
   } : {
     name: args.name,
     version: "1.0.0",
     createdAt: now,
     replicaxVersion: REPLICAX_VERSION,
-    ...args.description ? { description: args.description } : {}
+    ...args.description ? { description: args.description } : {},
+    ...args.source ? { source: args.source } : {}
   };
   const checksum = computeChecksum(args.tooling);
   return {
@@ -1308,6 +1311,7 @@ var RegistrySchema = z.object({
   /** Where the profile originated (URL, registry name, …). */
   source: z.string().optional()
 });
+var ProfileSourceSchema = z.enum(["local", "github", "import"]);
 var ProfileSchema = z.object({
   name: z.string().min(1),
   version: z.string().min(1),
@@ -1315,6 +1319,8 @@ var ProfileSchema = z.object({
   updatedAt: z.string().optional(),
   replicaxVersion: z.string().min(1),
   description: z.string().optional(),
+  /** Provenance of the captured setup (added in schema 2.2.0). */
+  source: ProfileSourceSchema.optional(),
   /** Optional registry metadata (future registry compatibility). */
   registry: RegistrySchema.optional()
 });
@@ -1417,6 +1423,13 @@ var MIGRATIONS = [
       }
       return raw;
     }
+  },
+  {
+    from: "2.1.0",
+    to: "2.2.0",
+    apply(raw) {
+      return raw;
+    }
   }
 ];
 var KNOWN_VERSIONS = /* @__PURE__ */ new Set([
@@ -1619,7 +1632,8 @@ async function initCommand(options) {
     name,
     tooling: scan.tooling,
     structure: scan.structure,
-    metadata: scan.metadata
+    metadata: scan.metadata,
+    source: "local"
   });
   reportSkippedSecrets(scan.skippedSecrets);
   printScanSummary(bundle);
@@ -1973,6 +1987,14 @@ async function runWithStdin(bin, args, input, timeoutMs = 12e4) {
 }
 // src/core/ai/providers.ts
+var ApiHttpError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "ApiHttpError";
+  }
+  status;
+};
 async function postJson(url, headers, body) {
   const res = await fetch(url, {
     method: "POST",
@@ -1981,10 +2003,33 @@ async function postJson(url, headers, body) {
   });
   if (!res.ok) {
     const text = await res.text().catch(() => "");
-    throw new Error(`HTTP ${res.status}: ${text.slice(0, 300) || res.statusText}`);
+    throw new ApiHttpError(res.status, text.slice(0, 300) || res.statusText);
   }
   return res.json();
 }
+function enrichProviderError(err, def, model) {
+  const status = err instanceof ApiHttpError ? err.status : void 0;
+  const detail = err instanceof Error ? err.message : String(err);
+  const overrideHint = `Override the model with --model <id> or ${def.modelEnvVar}=<id>.`;
+  if (status === 404 || status === 400) {
+    return new ReplicaxError(
+      `${def.label} API rejected model "${model}" (HTTP ${status}). ${overrideHint}`,
+      [`Provider response: ${detail}`]
+    );
+  }
+  if (status === 401 || status === 403) {
+    return new ReplicaxError(`${def.label} API rejected the credentials (HTTP ${status}).`, [
+      `Check ${def.apiEnvVars[0]} holds a valid API key.`,
+      `Provider response: ${detail}`
+    ]);
+  }
+  if (status === 429) {
+    return new ReplicaxError(`${def.label} API rate limit hit (HTTP 429).`, [
+      "Wait a moment and try again."
+    ]);
+  }
+  return new ReplicaxError(`${def.label} API request failed: ${detail}`);
+}
 async function callAnthropic(prompt, apiKey, model) {
   const data = await postJson(
     "https://api.anthropic.com/v1/messages",
@@ -2061,7 +2106,13 @@ function apiInvoker(def, apiKey, modelOverride) {
   return {
     id: def.id,
     via: `${def.label} API (${model})`,
-    run: (prompt) => def.callApi(prompt, apiKey, model)
+    run: async (prompt) => {
+      try {
+        return await def.callApi(prompt, apiKey, model);
+      } catch (err) {
+        throw enrichProviderError(err, def, model);
+      }
+    }
   };
 }
 async function resolveProvider(preference, modelOverride) {
@@ -2234,7 +2285,9 @@ async function initSkillCommand(options) {
         }
       } catch (err) {
         aiSpinner.fail("AI generation failed");
-        logger.warn(`${err.message}. Falling back to the built-in template.`);
+        logger.warn(`${err.message}`);
+        if (err instanceof ReplicaxError) for (const hint of err.hints) logger.hint(hint);
+        logger.warn("Falling back to the built-in template.");
       }
     } else {
       logger.info("No configured AI provider found \u2014 using the built-in template.");
@@ -2278,14 +2331,180 @@ async function initSkillCommand(options) {
 }
 // src/commands/extract.ts
-import path10 from "path";
+import path11 from "path";
 import ora3 from "ora";
 // src/core/github.ts
+import os2 from "os";
+import path10 from "path";
+import fs9 from "fs-extra";
+// src/core/archive.ts
+import { createReadStream } from "fs";
 import os from "os";
 import path9 from "path";
 import fs8 from "fs-extra";
-import { extract as tarExtract } from "tar";
+import { create as tarCreate, extract as tarExtract, Parser } from "tar";
+async function exportProfile(profileDirectory, outPath) {
+  const resolvedOut = path9.resolve(outPath);
+  await fs8.ensureDir(path9.dirname(resolvedOut));
+  const parent = path9.dirname(profileDirectory);
+  const base = path9.basename(profileDirectory);
+  await tarCreate(
+    {
+      gzip: true,
+      file: resolvedOut,
+      cwd: parent,
+      // tar strips leading "/" and ".." by default, so extraction stays scoped.
+      portable: true
+    },
+    [base]
+  );
+}
+var PROFILE_ARCHIVE_LIMITS = {
+  maxCompressedBytes: 50 * 1024 * 1024,
+  // 50 MB
+  maxTotalBytes: 200 * 1024 * 1024,
+  // 200 MB uncompressed
+  maxEntries: 2e4,
+  maxEntryBytes: 50 * 1024 * 1024,
+  // 50 MB per file
+  allowSymlinks: false
+};
+var REPO_ARCHIVE_LIMITS = {
+  maxCompressedBytes: 250 * 1024 * 1024,
+  // 250 MB
+  maxTotalBytes: 1024 * 1024 * 1024,
+  // 1 GB uncompressed
+  maxEntries: 2e5,
+  maxEntryBytes: 200 * 1024 * 1024,
+  // 200 MB per file
+  allowSymlinks: true
+};
+function inspectEntry(entry, limits) {
+  const type = String(entry.type);
+  const entryPath = entry.path;
+  if (type === "File" || type === "Directory" || type === "GNUDumpDir") {
+    if (safeJoinable(entryPath) === null) {
+      throw new ReplicaxError(`Refusing to extract unsafe path from archive: "${entryPath}".`, [
+        "The archive may be malicious (path traversal)."
+      ]);
+    }
+    if ((entry.size ?? 0) > limits.maxEntryBytes) {
+      throw new ReplicaxError(`Archive entry "${entryPath}" exceeds the per-file size limit.`);
+    }
+    return "extract";
+  }
+  if (type === "SymbolicLink" || type === "Link") {
+    if (!limits.allowSymlinks) {
+      throw new ReplicaxError(`Refusing to extract link entry from archive: "${entryPath}".`, [
+        "Profile archives never contain symlinks; this one may be malicious."
+      ]);
+    }
+    return "skip";
+  }
+  throw new ReplicaxError(`Refusing to extract "${entryPath}" (unsupported tar entry: ${type}).`);
+}
+function validateArchive(resolved, limits) {
+  return new Promise((resolve, reject) => {
+    let entryCount = 0;
+    let totalBytes = 0;
+    let settled = false;
+    const source = createReadStream(resolved);
+    const parser = new Parser({});
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      source.destroy();
+      reject(err);
+    };
+    const finish = () => {
+      if (settled) return;
+      settled = true;
+      resolve();
+    };
+    parser.on("entry", (entry) => {
+      if (settled) {
+        entry.resume();
+        return;
+      }
+      try {
+        if (inspectEntry(entry, limits) === "extract") {
+          entryCount += 1;
+          if (entryCount > limits.maxEntries) {
+            return fail(
+              new ReplicaxError("Archive contains too many entries; refusing to extract.")
+            );
+          }
+          totalBytes += entry.size ?? 0;
+          if (totalBytes > limits.maxTotalBytes) {
+            return fail(
+              new ReplicaxError("Archive is too large when uncompressed; refusing to extract.")
+            );
+          }
+        }
+      } catch (err) {
+        return fail(err);
+      }
+      entry.resume();
+    });
+    parser.on("end", finish);
+    parser.on("error", (err) => fail(err));
+    source.on("error", (err) => fail(err));
+    source.pipe(parser);
+  });
+}
+async function safeExtract(archivePath, destDir, limits) {
+  const resolved = path9.resolve(archivePath);
+  const stat = await fs8.stat(resolved).catch(() => null);
+  if (!stat) {
+    throw new ReplicaxError(`Archive not found: ${archivePath}`);
+  }
+  if (stat.size > limits.maxCompressedBytes) {
+    throw new ReplicaxError("Archive file is too large; refusing to extract.");
+  }
+  await validateArchive(resolved, limits);
+  await fs8.ensureDir(destDir);
+  await tarExtract({
+    file: resolved,
+    cwd: destDir,
+    strip: 0,
+    filter: (_p, entry) => {
+      try {
+        return inspectEntry(entry, limits) === "extract";
+      } catch {
+        return false;
+      }
+    }
+  });
+}
+async function extractToTemp(archivePath) {
+  if (!await fs8.pathExists(path9.resolve(archivePath))) {
+    throw new ReplicaxError(`Archive not found: ${archivePath}`);
+  }
+  const tmp = await fs8.mkdtemp(path9.join(os.tmpdir(), "replicax-import-"));
+  try {
+    await safeExtract(archivePath, tmp, PROFILE_ARCHIVE_LIMITS);
+  } catch (err) {
+    await fs8.remove(tmp).catch(() => void 0);
+    throw err;
+  }
+  return tmp;
+}
+async function findProfileRoot(dir) {
+  const hasProfile = async (d) => fs8.pathExists(path9.join(d, PROFILE_FILES.profile));
+  if (await hasProfile(dir)) return dir;
+  const entries = await fs8.readdir(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      const candidate = path9.join(dir, entry.name);
+      if (await hasProfile(candidate)) return candidate;
+    }
+  }
+  return null;
+}
+// src/core/github.ts
 function parseGitHubRef(input) {
   const raw = input.trim();
   if (!raw) {
@@ -2355,9 +2574,9 @@ function httpError(status, slug, hasToken) {
   return new ReplicaxError(`GitHub returned HTTP ${status} for ${slug}.`);
 }
 async function firstSubdir(dir) {
-  const entries = await fs8.readdir(dir, { withFileTypes: true });
+  const entries = await fs9.readdir(dir, { withFileTypes: true });
   for (const entry of entries) {
-    if (entry.isDirectory()) return path9.join(dir, entry.name);
+    if (entry.isDirectory()) return path10.join(dir, entry.name);
   }
   return null;
 }
@@ -2381,14 +2600,14 @@ async function downloadRepo(ref) {
   if (!res.ok) {
     throw httpError(res.status, slug, Boolean(token));
   }
-  const tmpRoot = await fs8.mkdtemp(path9.join(os.tmpdir(), "replicax-extract-"));
-  const cleanup = () => fs8.remove(tmpRoot);
+  const tmpRoot = await fs9.mkdtemp(path10.join(os2.tmpdir(), "replicax-extract-"));
+  const cleanup = () => fs9.remove(tmpRoot);
   try {
-    const tarPath = path9.join(tmpRoot, "repo.tar.gz");
-    await fs8.writeFile(tarPath, Buffer.from(await res.arrayBuffer()));
-    const extractDir = path9.join(tmpRoot, "src");
-    await fs8.ensureDir(extractDir);
-    await tarExtract({ file: tarPath, cwd: extractDir, strip: 0 });
+    const tarPath = path10.join(tmpRoot, "repo.tar.gz");
+    await fs9.writeFile(tarPath, Buffer.from(await res.arrayBuffer()));
+    const extractDir = path10.join(tmpRoot, "src");
+    await fs9.ensureDir(extractDir);
+    await safeExtract(tarPath, extractDir, REPO_ARCHIVE_LIMITS);
     const repoRoot = await firstSubdir(extractDir);
     if (!repoRoot) {
       throw new ReplicaxError(`The downloaded archive for ${slug} was empty.`);
@@ -2430,7 +2649,9 @@ async function extractCommand(repo, options) {
       name,
       tooling: scan.tooling,
       structure: scan.structure,
-      metadata: scan.metadata
+      metadata: scan.metadata,
+      // Captured from a remote repo we don't control — untrusted for auto-install.
+      source: "github"
     });
     reportSkippedSecrets(scan.skippedSecrets);
     printScanSummary(bundle);
@@ -2440,7 +2661,7 @@ async function extractCommand(repo, options) {
       logger.info("Dry run \u2014 no files were written.");
       return;
     }
-    const outRoot = options.out ? path10.resolve(options.out) : process.cwd();
+    const outRoot = options.out ? path11.resolve(options.out) : process.cwd();
     const dir = profileDir(outRoot);
     if (await profileExists(dir)) {
       logger.warn(
@@ -2457,8 +2678,7 @@ async function extractCommand(repo, options) {
 }
 // src/commands/create.ts
-import path12 from "path";
-import fs10 from "fs-extra";
+import path13 from "path";
 // src/core/conflict-resolver.ts
 import { select } from "@inquirer/prompts";
@@ -2500,8 +2720,8 @@ var ConflictResolver = class {
 };
 // src/core/project-generator.ts
-import path11 from "path";
-import fs9 from "fs-extra";
+import path12 from "path";
+import fs10 from "fs-extra";
 async function generateProject(options) {
   const { bundle, targetDir, projectName, dryRun, conflict } = options;
   const result = {
@@ -2511,16 +2731,16 @@ async function generateProject(options) {
     filesSkipped: 0,
     unsafeSkipped: []
   };
-  if (!dryRun) await fs9.ensureDir(targetDir);
+  if (!dryRun) await fs10.ensureDir(targetDir);
   for (const dir of bundle.structure.directories) {
     const safe = safeJoinable(dir);
     if (!safe) {
       result.unsafeSkipped.push(dir);
       continue;
     }
-    const full = path11.join(targetDir, safe);
-    const existed = await fs9.pathExists(full);
-    if (!dryRun) await fs9.ensureDir(full);
+    const full = path12.join(targetDir, safe);
+    const existed = await fs10.pathExists(full);
+    if (!dryRun) await fs10.ensureDir(full);
     if (!existed) result.dirsCreated += 1;
     result.entries.push({ kind: "dir", path: safe, action: existed ? "skip" : "create" });
   }
@@ -2544,8 +2764,8 @@ async function writeFile(relPath, content, options, result) {
     logger.warn(`Refusing to write unsafe path from profile: ${relPath}`);
     return;
   }
-  const full = path11.join(options.targetDir, safe);
-  const exists = await fs9.pathExists(full);
+  const full = path12.join(options.targetDir, safe);
+  const exists = await fs10.pathExists(full);
   let action2 = exists ? "overwrite" : "create";
   if (exists) {
     const decision = await options.conflict.resolve(safe);
@@ -2558,8 +2778,8 @@ async function writeFile(relPath, content, options, result) {
     action2 = "overwrite";
   }
   if (!options.dryRun) {
-    await fs9.ensureDir(path11.dirname(full));
-    await fs9.writeFile(full, content, "utf8");
+    await fs10.ensureDir(path12.dirname(full));
+    await fs10.writeFile(full, content, "utf8");
   }
   result.filesWritten += 1;
   result.entries.push({ kind: "file", path: safe, action: action2 });
@@ -2608,9 +2828,9 @@ async function createCommand(projectName, options) {
     logger.warn(`Profile integrity check found ${mismatches.length} issue(s); continuing anyway.`);
     logger.hint("Run `replicax validate` for details.");
   }
-  const targetDir = path12.resolve(process.cwd(), projectName);
-  const leafName = path12.basename(targetDir);
-  if (path12.resolve(process.cwd()) === targetDir) {
+  const targetDir = path13.resolve(process.cwd(), projectName);
+  const leafName = path13.basename(targetDir);
+  if (path13.resolve(process.cwd()) === targetDir) {
     throw new ReplicaxError("Refusing to scaffold into the current directory.", [
       "Pass a new project name, e.g. `replicax create my-app`."
     ]);
@@ -2640,36 +2860,68 @@ async function createCommand(projectName, options) {
     return;
   }
   logger.hint(`Location: ${relPosix(process.cwd(), targetDir)}/`);
-  await maybeInstall(
-    bundle.metadata.packageManager,
-    targetDir,
-    options,
-    Boolean(bundle.tooling.packageJson)
-  );
+  await maybeInstall(bundle, targetDir, options);
   logger.newline();
   logger.success(`Project ${pc.bold(leafName)} is ready.`);
 }
-async function maybeInstall(manager, targetDir, options, hasPackageJson) {
-  if (options.skipInstall) {
-    logger.hint("Skipped dependency install (--skip-install).");
-    return;
-  }
-  if (!hasPackageJson) return;
-  if (manager === "unknown") {
-    logger.hint("No package manager detected; run your install command manually.");
-    return;
-  }
-  const pkgPath = path12.join(targetDir, "package.json");
-  const pkg = await fs10.readJson(pkgPath).catch(() => null);
-  if (!pkg?.devDependencies || Object.keys(pkg.devDependencies).length === 0) {
-    logger.hint("No dependencies to install.");
-    return;
+function decideInstall(bundle, options) {
+  if (options.skipInstall) return { kind: "skip-flag" };
+  const devDeps = bundle.tooling.packageJson?.devDependencies ?? {};
+  if (Object.keys(devDeps).length === 0) return { kind: "no-deps" };
+  const manager = bundle.metadata.packageManager;
+  if (manager === "unknown") return { kind: "no-manager" };
+  const source = bundle.profile.source ?? "local";
+  const trusted = source === "local";
+  if (!trusted && !options.install) return { kind: "blocked", source, manager, devDeps };
+  return { kind: "install", trusted, source, manager, devDeps };
+}
+function printDependencySummary(devDeps) {
+  const names = Object.keys(devDeps).sort();
+  for (const name of names.slice(0, 10)) logger.hint(`  ${name}  ${devDeps[name]}`);
+  if (names.length > 10) logger.hint(`  \u2026and ${names.length - 10} more`);
+}
+async function maybeInstall(bundle, targetDir, options) {
+  const decision = decideInstall(bundle, options);
+  switch (decision.kind) {
+    case "skip-flag":
+      logger.hint("Skipped dependency install (--skip-install).");
+      return;
+    case "no-deps":
+      if (bundle.tooling.packageJson) logger.hint("No dependencies to install.");
+      return;
+    case "no-manager":
+      logger.hint("No package manager detected; run your install command manually.");
+      return;
+    case "blocked":
+      logger.newline();
+      logger.warn(
+        `Profile source is "${decision.source}" \u2014 skipping dependency install for safety.`
+      );
+      logger.hint(
+        `Installing runs package lifecycle scripts. ${Object.keys(decision.devDeps).length} devDependencies would be added with ${decision.manager}:`
+      );
+      printDependencySummary(decision.devDeps);
+      logger.hint(
+        `Review them, then run \`${decision.manager} install\`, or re-run create with --install.`
+      );
+      return;
+    case "install": {
+      logger.newline();
+      if (!decision.trusted) {
+        logger.warn(
+          `Installing for an untrusted ("${decision.source}") profile \u2014 package lifecycle scripts can execute code.`
+        );
+      }
+      logger.info(
+        `Installing ${Object.keys(decision.devDeps).length} devDependencies with ${decision.manager}\u2026`
+      );
+      printDependencySummary(decision.devDeps);
+      const ok = await installDependencies(targetDir, decision.manager);
+      if (ok) logger.success("Dependencies installed.");
+      else logger.warn("Dependency install did not complete; run it manually.");
+      return;
+    }
   }
-  logger.newline();
-  logger.info(`Installing dependencies with ${manager}\u2026`);
-  const ok = await installDependencies(targetDir, manager);
-  if (ok) logger.success("Dependencies installed.");
-  else logger.warn("Dependency install did not complete; run it manually.");
 }
 // src/commands/sync.ts
@@ -2752,6 +3004,8 @@ async function syncCommand(options) {
     tooling: scan.tooling,
     structure: scan.structure,
     metadata: scan.metadata,
+    // A sync re-captures the local project, so the result is locally trusted.
+    source: "local",
     existing: existing.profile
   });
   const diff = diffBundles(existing, next);
@@ -2934,53 +3188,8 @@ async function validateCommand(options) {
 // src/commands/export.ts
 import path14 from "path";
-import fs12 from "fs-extra";
-import ora5 from "ora";
-// src/core/archive.ts
-import os2 from "os";
-import path13 from "path";
 import fs11 from "fs-extra";
-import { create as tarCreate, extract as tarExtract2 } from "tar";
-async function exportProfile(profileDirectory, outPath) {
-  const resolvedOut = path13.resolve(outPath);
-  await fs11.ensureDir(path13.dirname(resolvedOut));
-  const parent = path13.dirname(profileDirectory);
-  const base = path13.basename(profileDirectory);
-  await tarCreate(
-    {
-      gzip: true,
-      file: resolvedOut,
-      cwd: parent,
-      // tar strips leading "/" and ".." by default, so extraction stays scoped.
-      portable: true
-    },
-    [base]
-  );
-}
-async function extractToTemp(archivePath) {
-  const resolved = path13.resolve(archivePath);
-  if (!await fs11.pathExists(resolved)) {
-    throw new Error(`Archive not found: ${archivePath}`);
-  }
-  const tmp = await fs11.mkdtemp(path13.join(os2.tmpdir(), "replicax-import-"));
-  await tarExtract2({ file: resolved, cwd: tmp, strip: 0 });
-  return tmp;
-}
-async function findProfileRoot(dir) {
-  const hasProfile = async (d) => fs11.pathExists(path13.join(d, PROFILE_FILES.profile));
-  if (await hasProfile(dir)) return dir;
-  const entries = await fs11.readdir(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    if (entry.isDirectory()) {
-      const candidate = path13.join(dir, entry.name);
-      if (await hasProfile(candidate)) return candidate;
-    }
-  }
-  return null;
-}
-// src/commands/export.ts
+import ora5 from "ora";
 async function exportCommand(options) {
   const dir = options.profile ? await resolveProfileDir(options.profile) : profileDir(process.cwd());
   if (!await profileExists(dir)) {
@@ -2993,7 +3202,7 @@ async function exportCommand(options) {
   const spinner = ora5({ text: "Packaging profile\u2026" }).start();
   await exportProfile(dir, outPath);
   spinner.stop();
-  const { size } = await fs12.stat(outPath);
+  const { size } = await fs11.stat(outPath);
   logger.success(
     `Exported "${bundle.profile.name}" \u2192 ${path14.relative(process.cwd(), outPath)} (${formatBytes(size)})`
   );
@@ -3001,7 +3210,7 @@ async function exportCommand(options) {
 }
 // src/commands/import.ts
-import fs13 from "fs-extra";
+import fs12 from "fs-extra";
 import ora6 from "ora";
 import { confirm as confirm2 } from "@inquirer/prompts";
 async function importCommand(archivePath, options) {
@@ -3017,6 +3226,7 @@ async function importCommand(archivePath, options) {
       throw new ReplicaxError("The archive does not contain a ReplicaX profile.");
     }
     const bundle = await loadBundle(source);
+    bundle.profile.source = "import";
     spinner.succeed(`Validated profile "${bundle.profile.name}"`);
     const dest = profileDir(process.cwd());
     if (await profileExists(dest)) {
@@ -3029,7 +3239,7 @@ async function importCommand(archivePath, options) {
           "Re-run with --force to overwrite it."
         ]);
       }
-      await fs13.remove(dest);
+      await fs12.remove(dest);
     }
     await saveBundle(dest, bundle);
     logger.newline();
@@ -3038,7 +3248,7 @@ async function importCommand(archivePath, options) {
     );
     logger.hint("Create a project with: replicax create <project-name>");
   } finally {
-    await fs13.remove(tmp).catch(() => void 0);
+    await fs12.remove(tmp).catch(() => void 0);
   }
 }
@@ -3123,7 +3333,7 @@ async function doctorCommand(options) {
 // src/commands/compare.ts
 import path15 from "path";
-import fs14 from "fs-extra";
+import fs13 from "fs-extra";
 // src/core/compare.ts
 function detectionsOf(bundle) {
@@ -3233,7 +3443,7 @@ function comparisonHasChanges(comparison) {
 // src/commands/compare.ts
 async function resolveBundle(input) {
   const resolved = path15.resolve(input);
-  if (!await fs14.pathExists(resolved)) {
+  if (!await fs13.pathExists(resolved)) {
     throw new ReplicaxError(`Path not found: ${input}`);
   }
   try {
@@ -3242,7 +3452,7 @@ async function resolveBundle(input) {
     return { bundle: bundle2, label: `${bundle2.profile.name} (profile)` };
   } catch {
   }
-  const stat = await fs14.stat(resolved);
+  const stat = await fs13.stat(resolved);
   if (!stat.isDirectory()) {
     throw new ReplicaxError(`Cannot compare "${input}": not a profile or a project directory.`, [
       "Pass a project folder or a directory containing a .replicax profile."
@@ -3483,7 +3693,7 @@ program.command("init-skill").description(
   "Generate an AI assistant skill from the detected tech stack (uses your configured AI)"
 ).option("--target <ai>", `Target AI assistant: ${SKILL_TARGET_IDS.join("|")}`).option("--name <name>", "Name the skill (defaults to the project folder name)").option("--provider <ai>", "Force the AI provider: claude|openai|gemini (default: auto-detect)").option("--model <id>", "Override the API model id for the chosen provider").option("--no-ai", "Skip the AI provider and use the built-in deterministic template").option("--dry-run", "Preview the skill without writing (no AI call)").option("--force", "Overwrite existing skill files").option("--verbose", "Show every detected file").action(action(initSkillCommand));
 program.command("extract").argument("<repo>", "GitHub repo: owner/repo, a github.com URL, or owner/repo#branch").description("Extract a ReplicaX profile from a remote GitHub repository").option("--ref <ref>", "Branch, tag, or commit to fetch (default: the repo default branch)").option("--name <name>", "Name the profile (defaults to the repo name)").option("--out <dir>", "Directory to write the .replicax profile into (default: current dir)").option("--dry-run", "Preview what would be captured without writing").option("--verbose", "Show every detected file").action(action(extractCommand));
-program.command("create").argument("<project-name>", "Directory/name for the new project").description("Create a new project from a profile").option("--profile <path>", "Use a profile from a custom path").option("--skip-install", "Do not run the package manager install step").option("--dry-run", "Preview the output without writing").option("--force", "Overwrite conflicting files without prompting").option("--verbose", "Show every written file").action(action(createCommand));
+program.command("create").argument("<project-name>", "Directory/name for the new project").description("Create a new project from a profile").option("--profile <path>", "Use a profile from a custom path").option("--skip-install", "Do not run the package manager install step").option("--install", "Install deps even for imported/remote (untrusted) profiles").option("--dry-run", "Preview the output without writing").option("--force", "Overwrite conflicting files without prompting").option("--verbose", "Show every written file").action(action(createCommand));
 program.command("sync").description("Update the profile from the current project state").option("--diff", "Show a detailed list of what changed").option("--force", "Rewrite the profile even if nothing changed").option("--verbose", "Show every detected file").action(action(syncCommand));
 program.command("inspect").description("Display captured configuration and structure").option("--json", "Output as JSON").option("--section <section>", "Inspect one section: profile|tooling|structure|metadata").option("--profile <path>", "Inspect a profile at a custom path").action(action(inspectCommand));
 program.command("validate").description("Check profile schema and integrity").option("--profile <path>", "Validate a profile at a custom path").action(action(validateCommand));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@iamsaroj/replicax",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "Copy the setup, not the code. Extract a project's tooling, structure, and conventions and recreate them in new projects.",
   "type": "module",
   "license": "MIT",