@mangtre/cli 0.1.0

package/LICENSE

@@ -0,0 +1,26 @@
+Măng — Proprietary License
+
+Copyright © 2026 RumitX. All rights reserved.
+
+This software and its source code (the "Software"), including the Măng shell,
+the @mangtre/* packages, and the bundled mini-apps in this repository, are the
+confidential and proprietary property of RumitX.
+
+No license, right, or permission is granted to any person to use, copy, modify,
+merge, publish, distribute, sublicense, sell, or create derivative works of the
+Software, in whole or in part, without the prior written consent of RumitX.
+
+Unauthorized copying, distribution, or use of the Software, via any medium, is
+strictly prohibited.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL RUMITX BE LIABLE
+FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY ARISING FROM, OUT OF, OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Note: this proprietary notice protects the codebase during the early (NOW)
+horizon. When Măng opens to third-party creators, a separate license may be
+issued for the fork-able starter kit.
+
+For licensing inquiries: RumitX — https://rumitx.com

package/dist/chunk-2ZQJSRHJ.js

@@ -0,0 +1,380 @@
+import {
+  extractManifestComment
+} from "./chunk-MLWT65G7.js";
+
+// ../standard/src/manifest.ts
+import { z } from "zod";
+var APP_SLUG = /^[a-z][a-z0-9-]{1,38}[a-z0-9]$/;
+var SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
+var PERMISSIONS = ["storage", "theme", "ai", "identity", "context", "data"];
+var SURFACES = ["desktop", "web", "zalo"];
+var AI_CAPABILITIES = ["fast", "balanced", "quality", "code", "reasoning"];
+var localizedText = z.object({ vi: z.string().min(1), en: z.string().min(1) });
+var commandSchema = z.object({
+  id: z.string().min(1).max(40).regex(/^[a-z][a-z0-9-]*$/),
+  title: localizedText,
+  keywords: z.array(z.string().max(40)).max(20).optional(),
+  icon: z.string().max(16).optional(),
+  surfaces: z.array(z.enum(SURFACES)).optional()
+});
+var flowStepSchema = z.object({
+  id: z.string().min(1).max(40).regex(/^[a-z][a-z0-9-]*$/),
+  title: localizedText,
+  command: z.string().min(1).max(40).regex(/^[a-z][a-z0-9-]*$/).optional(),
+  checkpoint: z.string().min(1).max(60),
+  caption: localizedText.optional(),
+  surfaces: z.array(z.enum(SURFACES)).optional()
+});
+var manifestSchema = z.object({
+  id: z.string().regex(APP_SLUG, "id must be a lowercase slug, 3\u201340 chars"),
+  name: z.string().min(1).max(60),
+  icon: z.string().min(1).max(16),
+  version: z.string().regex(SEMVER, "version must be semver (x.y.z)"),
+  permissions: z.array(z.enum(PERMISSIONS)),
+  commands: z.array(commandSchema).max(50).optional(),
+  surfaces: z.array(z.enum(SURFACES)).optional(),
+  // The app's main flow — the canonical happy-path screens walked for review + screenshot capture.
+  // Mirror of `@mangtre/core` MangManifest.flow. See `@mangtre/core` FlowStep + Tech Foundations §2.8.
+  flow: z.array(flowStepSchema).max(20).optional(),
+  ai: z.object({ capabilities: z.array(z.enum(AI_CAPABILITIES)) }).optional(),
+  // Declared remote-data needs (present when `permissions` includes "data"). Drives the cloud/realtime
+  // badges; declaration-only (no runtime gate), mirroring `ai`. See `@mangtre/core` MangDataDeclaration.
+  data: z.object({ shared: z.boolean().optional(), realtime: z.boolean().optional() }).optional()
+});
+function parseManifest(value) {
+  const res = manifestSchema.safeParse(value);
+  if (res.success) return { ok: true, manifest: res.data };
+  const errors = res.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`);
+  return { ok: false, errors };
+}
+
+// ../standard/src/safety-scan.ts
+var RULES = [
+  {
+    check: "safety.eval",
+    severity: "fail",
+    pattern: /\beval\s*\(/,
+    message: "D\xF9ng eval() \u2014 b\u1ECB c\u1EA5m (code injection). H\xE3y b\u1ECF eval."
+  },
+  {
+    check: "safety.new-function",
+    severity: "fail",
+    pattern: /\bnew\s+Function\s*\(/,
+    message: "D\xF9ng new Function() \u2014 b\u1ECB c\u1EA5m (code injection)."
+  },
+  {
+    check: "safety.remote-import",
+    severity: "fail",
+    pattern: /\bimport\s*\(\s*['"`]https?:\/\//,
+    message: "import() t\u1EEB URL ngo\xE0i \u2014 b\u1ECB c\u1EA5m (supply-chain). Bundle ph\u1EA3i t\u1EF1 \u0111\xF3ng g\xF3i."
+  },
+  {
+    check: "safety.websocket",
+    severity: "fail",
+    pattern: /\bnew\s+WebSocket\s*\(|\bnew\s+EventSource\s*\(/,
+    message: "M\u1EDF WebSocket/EventSource \u2014 b\u1ECB c\u1EA5m. App ch\u1EC9 trao \u0111\u1ED5i d\u1EEF li\u1EC7u qua sdk.*."
+  },
+  {
+    check: "safety.fetch",
+    severity: "warn",
+    pattern: /\bfetch\s*\(|\bXMLHttpRequest\b|\bnavigator\.sendBeacon\b/,
+    message: "C\xF3 d\u1EA5u hi\u1EC7u g\u1ECDi m\u1EA1ng tr\u1EF1c ti\u1EBFp (fetch/XHR/sendBeacon). D\u1EEF li\u1EC7u ph\u1EA3i \u0111i qua sdk.*."
+  },
+  {
+    check: "safety.storage",
+    severity: "warn",
+    pattern: /\b(?:local|session)Storage\b|\bindexedDB\b/,
+    message: "Truy c\u1EADp localStorage/indexedDB tr\u1EF1c ti\u1EBFp. H\xE3y d\xF9ng sdk.storage."
+  },
+  {
+    check: "safety.document-write",
+    severity: "warn",
+    pattern: /\bdocument\s*\.\s*write\s*\(/,
+    message: "D\xF9ng document.write \u2014 kh\xF4ng khuy\u1EBFn kh\xEDch."
+  }
+];
+function scanBundleSource(source) {
+  const findings = [];
+  for (const rule of RULES) {
+    if (rule.pattern.test(source)) {
+      findings.push({ check: rule.check, severity: rule.severity, message: rule.message });
+    }
+  }
+  return findings;
+}
+
+// ../standard/src/validate.ts
+var MAX_BUNDLE_BYTES = 2 * 1024 * 1024;
+function validateBundle(input) {
+  const findings = [];
+  let permissions = [];
+  let surfaces;
+  if (input.bytes > MAX_BUNDLE_BYTES) {
+    findings.push({
+      check: "size",
+      severity: "fail",
+      message: `Bundle ${(input.bytes / 1024).toFixed(0)} KB v\u01B0\u1EE3t gi\u1EDBi h\u1EA1n ${MAX_BUNDLE_BYTES / 1024 / 1024} MB.`
+    });
+  }
+  if (input.bytes === 0) {
+    findings.push({ check: "size.empty", severity: "fail", message: "Bundle r\u1ED7ng." });
+  }
+  const parsed = parseManifest(input.manifest);
+  if (!parsed.ok) {
+    for (const err of parsed.errors) {
+      findings.push({ check: "manifest.schema", severity: "fail", message: err });
+    }
+  } else {
+    permissions = parsed.manifest.permissions;
+    surfaces = parsed.manifest.surfaces;
+    if (parsed.manifest.id !== input.appId) {
+      findings.push({
+        check: "manifest.slug",
+        severity: "fail",
+        message: `manifest.id "${parsed.manifest.id}" kh\xF4ng kh\u1EDBp app "${input.appId}".`
+      });
+    }
+    const ungranted = permissions.filter((p) => p === "ai" || p === "identity" || p === "context");
+    if (ungranted.length > 0) {
+      findings.push({
+        check: "manifest.permissions",
+        severity: "warn",
+        message: `Quy\u1EC1n ${ungranted.join(", ")} ch\u01B0a \u0111\u01B0\u1EE3c c\u1EA5p cho app sandbox tr\xEAn web (ch\u1EC9 ch\u1EA1y \u1EDF desktop ch\xEDnh ch\u1EE7).`
+      });
+    }
+    if (permissions.includes("data")) {
+      const decl = parsed.manifest.data;
+      const shape = decl?.shared ? "ph\xF2ng chia s\u1EBB (nhi\u1EC1u ng\u01B0\u1EDDi)" : "l\u01B0u ri\xEAng theo thi\u1EBFt b\u1ECB";
+      findings.push({
+        check: "manifest.data",
+        severity: "warn",
+        message: `App d\xF9ng d\u1EEF li\u1EC7u tr\xEAn m\xE1y ch\u1EE7 M\u0103ng (${shape}). Ki\u1EC3m tra m\u1EE5c \u0111\xEDch l\u01B0u tr\u1EEF khi duy\u1EC7t.`
+      });
+    }
+    findings.push(...checkFlow(parsed.manifest));
+  }
+  findings.push(...scanBundleSource(input.source));
+  const passed = !findings.some((f) => f.severity === "fail");
+  return {
+    passed,
+    findings,
+    bytes: input.bytes,
+    permissions,
+    surfaces,
+    checkedAt: input.now
+  };
+}
+function checkFlow(manifest) {
+  const findings = [];
+  const flow = manifest.flow;
+  if (!flow || flow.length === 0) {
+    findings.push({
+      check: "flow.declared",
+      severity: "warn",
+      message: "App ch\u01B0a khai b\xE1o lu\u1ED3ng ch\xEDnh (flow). B\u1EAFt bu\u1ED9c s\u1EAFp t\u1EDBi \u0111\u1EC3 duy\u1EC7t + ch\u1EE5p \u1EA3nh t\u1EF1 \u0111\u1ED9ng."
+    });
+    return findings;
+  }
+  const commandIds = new Set((manifest.commands ?? []).map((c) => c.id));
+  const seenStepIds = /* @__PURE__ */ new Set();
+  const seenCheckpoints = /* @__PURE__ */ new Set();
+  for (const step of flow) {
+    if (step.command && !commandIds.has(step.command)) {
+      findings.push({
+        check: "flow.command-ref",
+        severity: "fail",
+        message: `B\u01B0\u1EDBc "${step.id}" tham chi\u1EBFu command "${step.command}" kh\xF4ng t\u1ED3n t\u1EA1i trong commands.`
+      });
+    }
+    if (seenStepIds.has(step.id)) {
+      findings.push({
+        check: "flow.step-dup",
+        severity: "fail",
+        message: `Tr\xF9ng id b\u01B0\u1EDBc flow "${step.id}".`
+      });
+    }
+    seenStepIds.add(step.id);
+    if (seenCheckpoints.has(step.checkpoint)) {
+      findings.push({
+        check: "flow.checkpoint-dup",
+        severity: "fail",
+        message: `Tr\xF9ng checkpoint "${step.checkpoint}" gi\u1EEFa c\xE1c b\u01B0\u1EDBc flow.`
+      });
+    }
+    seenCheckpoints.add(step.checkpoint);
+  }
+  return findings;
+}
+
+// src/lib/check.ts
+function manifestId(manifest) {
+  if (typeof manifest === "object" && manifest !== null && !Array.isArray(manifest)) {
+    const id = manifest.id;
+    if (typeof id === "string") return id;
+  }
+  return void 0;
+}
+function checkBundle(opts) {
+  const manifest = opts.manifest ?? extractManifestComment(opts.source);
+  const manifestFound = manifest !== void 0;
+  const appId = opts.appId ?? manifestId(manifest) ?? "";
+  const report = validateBundle({
+    source: opts.source,
+    bytes: Buffer.byteLength(opts.source, "utf8"),
+    appId,
+    manifest: manifest ?? {},
+    now: opts.now ?? Date.now()
+  });
+  return { ...report, manifestFound };
+}
+
+// src/lib/api.ts
+var ApiError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "ApiError";
+  }
+};
+async function apiFetch(path, opts) {
+  const headers = {};
+  if (opts.token) headers.Authorization = `Bearer ${opts.token}`;
+  let body;
+  if (opts.body instanceof FormData) {
+    body = opts.body;
+  } else if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+    body = JSON.stringify(opts.body);
+  }
+  const res = await fetch(`${opts.base}${path}`, {
+    method: opts.method ?? (body ? "POST" : "GET"),
+    headers,
+    body
+  });
+  const text = await res.text();
+  const data = text ? safeJson(text) : {};
+  if (!res.ok) {
+    let message = `HTTP ${res.status}`;
+    if (data && typeof data === "object" && "error" in data) {
+      message = String(data.error);
+    }
+    throw new ApiError(res.status, message);
+  }
+  return data;
+}
+function safeJson(text) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return { raw: text };
+  }
+}
+
+// src/lib/config.ts
+import { homedir } from "os";
+import { join } from "path";
+
+// src/commands/args.ts
+function getFlag(argv, name) {
+  const eq = argv.find((a) => a.startsWith(`--${name}=`));
+  if (eq) return eq.slice(name.length + 3);
+  const idx = argv.indexOf(`--${name}`);
+  if (idx >= 0 && idx + 1 < argv.length) {
+    const next = argv[idx + 1];
+    if (next && !next.startsWith("-")) return next;
+  }
+  return void 0;
+}
+function titleFromSlug(slug) {
+  return slug.split("-").filter(Boolean).map((w) => w[0]?.toUpperCase() + w.slice(1)).join(" ");
+}
+
+// src/lib/config.ts
+var DEFAULT_API_BASE = "https://api.mang.rumitx.com";
+function normalizeApiBase(raw) {
+  const trimmed = raw.trim().replace(/\/+$/, "");
+  return /^https?:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
+}
+function resolveApiBase(argv) {
+  return normalizeApiBase(getFlag(argv, "api") ?? process.env.MANG_API ?? DEFAULT_API_BASE);
+}
+function authFilePath() {
+  return join(homedir(), ".mang", "auth.json");
+}
+
+// src/lib/auth-store.ts
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { dirname } from "path";
+function loadAuth() {
+  const path = authFilePath();
+  if (!existsSync(path)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    if (parsed && typeof parsed.token === "string" && typeof parsed.api === "string") {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function saveAuth(auth) {
+  const path = authFilePath();
+  mkdirSync(dirname(path), { recursive: true, mode: 448 });
+  writeFileSync(path, `${JSON.stringify(auth, null, 2)}
+`, { mode: 384 });
+}
+function clearAuth() {
+  const path = authFilePath();
+  if (existsSync(path)) rmSync(path);
+}
+
+// src/lib/scaffold.ts
+import { existsSync as existsSync2 } from "fs";
+import { mkdir, readFile, readdir, writeFile } from "fs/promises";
+import { join as join2 } from "path";
+import { fileURLToPath } from "url";
+function templateRoot() {
+  return fileURLToPath(new URL("../templates/app", import.meta.url));
+}
+function applyPlaceholders(text, opts) {
+  return text.replaceAll("__SLUG__", opts.slug).replaceAll("__NAME__", opts.name).replaceAll("__ICON__", opts.icon);
+}
+async function copyTree(srcDir, destDir, opts) {
+  await mkdir(destDir, { recursive: true });
+  const written = [];
+  for (const entry of await readdir(srcDir, { withFileTypes: true })) {
+    const srcPath = join2(srcDir, entry.name);
+    const outName = entry.name.endsWith(".tmpl") ? entry.name.slice(0, -5) : entry.name;
+    const destPath = join2(destDir, outName);
+    if (entry.isDirectory()) {
+      written.push(...await copyTree(srcPath, destPath, opts));
+    } else {
+      const raw = await readFile(srcPath, "utf8");
+      await writeFile(destPath, applyPlaceholders(raw, opts), "utf8");
+      written.push(destPath);
+    }
+  }
+  return written;
+}
+async function scaffoldApp(opts) {
+  if (existsSync2(opts.targetDir)) {
+    throw new Error(`Th\u01B0 m\u1EE5c \u0111\xE3 t\u1ED3n t\u1EA1i: ${opts.targetDir}`);
+  }
+  return copyTree(templateRoot(), opts.targetDir, opts);
+}
+
+export {
+  APP_SLUG,
+  checkBundle,
+  getFlag,
+  titleFromSlug,
+  ApiError,
+  apiFetch,
+  DEFAULT_API_BASE,
+  resolveApiBase,
+  authFilePath,
+  loadAuth,
+  saveAuth,
+  clearAuth,
+  scaffoldApp
+};

package/dist/chunk-MLWT65G7.js

@@ -0,0 +1,17 @@
+// src/lib/manifest-comment.ts
+var MANIFEST_COMMENT_PREFIX = "// mang-manifest:";
+function extractManifestComment(source) {
+  const firstLine = source.split("\n", 1)[0] ?? "";
+  const match = firstLine.match(/^\/\/\s*mang-manifest:\s*(\{.*\})\s*$/);
+  if (!match?.[1]) return void 0;
+  try {
+    return JSON.parse(match[1]);
+  } catch {
+    return void 0;
+  }
+}
+
+export {
+  MANIFEST_COMMENT_PREFIX,
+  extractManifestComment
+};