@mcptoolshop/shipcheck 1.0.0

package/README.ja.md

@@ -0,0 +1,105 @@
+<p align="center">
+  <a href="README.md">English</a> | <a href="README.zh.md">中文</a> | <a href="README.es.md">Español</a> | <a href="README.fr.md">Français</a> | <a href="README.hi.md">हिन्दी</a> | <a href="README.it.md">Italiano</a> | <a href="README.pt-BR.md">Português (BR)</a>
+</p>
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/mcp-tool-shop-org/brand/main/logos/shipcheck/readme.png" alt="Shipcheck" width="400">
+</p>
+
+<p align="center">
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT License"></a>
+  <a href="https://mcp-tool-shop-org.github.io/shipcheck/"><img src="https://img.shields.io/badge/Landing_Page-live-blue" alt="Landing Page"></a>
+</p>
+
+<p align="center">
+  Product standards for MCP Tool Shop.<br>
+  Templates, contracts, and adoption guides that define what "done" means before anything ships.
+</p>
+
+---
+
+## なぜ
+
+以前は、「完了」とはコードが動作することを意味していました。しかし、それだけでは不十分です。製品とは、コードに加えて、安全性、エラー処理、ドキュメント、アイデンティティ、そして適切なリリース体制を意味します。Shipcheckは、その基準を定義します。
+
+## 内容
+
+| 標準 | 対象範囲 |
+|----------|----------------|
+| [Ship Gate](templates/SHIP_GATE.md) | 厳格なチェック項目27個 + 柔軟なチェック項目4個を含む、リリース前のチェックリスト |
+| [Error Contract](contracts/error-contract.md) | コード登録機能付きの、2段階構造のエラー基準 |
+| [Security Baseline](templates/SECURITY.md) | レポートメール、対応までの時間、リスク範囲 |
+| [Handbook](templates/HANDBOOK.md) | 複雑なツール向けの運用マニュアル |
+| [Scorecard](templates/SCORECARD.md) | 修正前後の評価 |
+| [Adoption Guide](ADOPTION.md) | Shipcheckを、30分以内に任意のレポジトリに適用 |
+
+## クイックスタート
+
+1. [ADOPTION.md](ADOPTION.md) を読んでください。
+2. `templates/SHIP_GATE.md` をレポジトリのルートディレクトリにコピーします。
+3. 該当する項目にチェックを入れ、該当しない項目には `SKIP:` と記述します。
+4. すべての厳格なチェック項目が完了したら、リリースします。
+
+## 仕組み
+
+**厳格なチェック項目** (A～D) は、リリースをブロックします。
+
+- **A. セキュリティ基準** — SECURITY.md、脅威モデル、機密情報の非保持、テレメトリーの非使用、デフォルトの安全対策
+- **B. エラー処理** — 構造化されたエラー形式 (コード/メッセージ/ヒント/再試行可能)、安全な出力、エラー発生時の適切な対応
+- **C. 運用者向けドキュメント** — README、CHANGELOG、LICENSE、ツールのドキュメント
+- **D. リリース体制** — スクリプトの検証、バージョンの一致、依存関係のスキャン、ロックファイルの確認
+
+**柔軟なチェック項目** (E) は、リリースをブロックしませんが、「全体像」を定義します。
+
+- **E. アイデンティティ** — ロゴ、翻訳、ランディングページ、レポジトリのメタデータ
+
+チェック項目は、**何を**満たすべきかを定義するものであり、**どのように**実装するかを定義するものではありません。適用範囲を示すタグ (`[all]`, `[npm]`, `[mcp]`, `[cli]`, `[desktop]`, `[vsix]`, `[container]`) は、該当する項目がないレポジトリでの不必要なチェックを避けるために使用されます。
+
+## エラー基準の概要
+
+**Tier 1 — 形状 (必須):**
+
+```json
+{
+  "code": "INPUT_TEXT_EMPTY",
+  "message": "Text must not be empty",
+  "hint": "Provide at least one character of text",
+  "retryable": false
+}
+```
+
+**Tier 2 — 基本タイプ + エラーコード (CLI/MCP/デスクトップ):**
+
+| エラーコード | 意味 |
+|-----------|---------|
+| 0 | OK |
+| 1 | ユーザーエラー (不正な入力、設定の欠如) |
+| 2 | 実行時エラー (クラッシュ、バックエンドの障害) |
+| 3 | 部分的な成功 (一部の項目が成功) |
+
+エラーコードは、名前空間付きのプレフィックスを使用します: `IO_`, `CONFIG_`, `PERM_`, `DEP_`, `RUNTIME_`, `PARTIAL_`, `INPUT_`, `STATE_`. コードは、リリース後に安定します。
+
+## 参考実装
+
+[mcp-voice-soundboard](https://github.com/mcp-tool-shop-org/mcp-voice-soundboard) は、Ship Gateを最初に通過したレポジトリであり、修正後に **46/50** のスコアを獲得しました。
+
+## 評価項目
+
+| カテゴリ | スコア | 備考 |
+|----------|-------|-------|
+| A. セキュリティ | 10/10 | SECURITY.md、実行可能なコードなし、データ収集なし |
+| B. エラー処理 | 該当なし | 標準レポジトリ — エラーに関するコードなし |
+| C. 運用者向けドキュメント | 10/10 | README、CHANGELOG、ADOPTION、すべてのテンプレートがドキュメント化されています |
+| D. リリース体制 | 8/10 | 検証/テストするコードなし、すべての標準がバージョン管理されています |
+| E. アイデンティティ | 10/10 | ロゴ、翻訳、ランディングページ、メタデータ |
+| **Total** | **38/40** | B は除外 (該当なし) |
+
+## ライセンス
+
+[MIT](LICENSE)
+
+---
+
+<p align="center">
+  Built by <a href="https://mcp-tool-shop.github.io/">MCP Tool Shop</a>
+</p>

package/README.md

@@ -0,0 +1,105 @@
+<p align="center">
+  <a href="README.ja.md">日本語</a> | <a href="README.zh.md">中文</a> | <a href="README.es.md">Español</a> | <a href="README.fr.md">Français</a> | <a href="README.hi.md">हिन्दी</a> | <a href="README.it.md">Italiano</a> | <a href="README.pt-BR.md">Português (BR)</a>
+</p>
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/mcp-tool-shop-org/brand/main/logos/shipcheck/readme.jpg" alt="Shipcheck" width="400">
+</p>
+
+<p align="center">
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT License"></a>
+  <a href="https://mcp-tool-shop-org.github.io/shipcheck/"><img src="https://img.shields.io/badge/Landing_Page-live-blue" alt="Landing Page"></a>
+</p>
+
+<p align="center">
+  Product standards for MCP Tool Shop.<br>
+  Templates, contracts, and adoption guides that define what "done" means before anything ships.
+</p>
+
+---
+
+## Why
+
+"Done" used to mean the code works. That's not enough. A product is code + safety + error handling + docs + identity + shipping hygiene. Shipcheck defines the bar.
+
+## What's in here
+
+| Standard | What it covers |
+|----------|----------------|
+| [Ship Gate](templates/SHIP_GATE.md) | 27 hard-gate + 4 soft-gate pre-release checklist |
+| [Error Contract](contracts/error-contract.md) | 2-tier structured error standard with code registry |
+| [Security Baseline](templates/SECURITY.md) | Report email, response timeline, threat scope |
+| [Handbook](templates/HANDBOOK.md) | Operational field manual for complex tools |
+| [Scorecard](templates/SCORECARD.md) | Pre/post remediation scoring |
+| [Adoption Guide](ADOPTION.md) | Apply shipcheck to any repo in <30 minutes |
+
+## Quick start
+
+1. Read [ADOPTION.md](ADOPTION.md)
+2. Copy `templates/SHIP_GATE.md` into your repo root
+3. Check off applicable items, mark non-applicable with `SKIP:`
+4. Ship when all hard gates pass
+
+## How it works
+
+**Hard gates** (A-D) block release:
+
+- **A. Security Baseline** — SECURITY.md, threat model, no secrets, no telemetry, default safety posture
+- **B. Error Handling** — structured error shape (code/message/hint/retryable), safe output, graceful degradation
+- **C. Operator Docs** — README, CHANGELOG, LICENSE, tool documentation
+- **D. Shipping Hygiene** — verify script, version alignment, dependency scanning, lockfile
+
+**Soft gate** (E) doesn't block but defines "whole":
+
+- **E. Identity** — logo, translations, landing page, repo metadata
+
+The gate says **what** must be true, not **how** to implement it. Applicability tags (`[all]`, `[npm]`, `[mcp]`, `[cli]`, `[desktop]`, `[vsix]`, `[container]`) prevent checkbox shame on repos where items don't apply.
+
+## Error contract at a glance
+
+**Tier 1 — Shape (mandatory everywhere):**
+
+```json
+{
+  "code": "INPUT_TEXT_EMPTY",
+  "message": "Text must not be empty",
+  "hint": "Provide at least one character of text",
+  "retryable": false
+}
+```
+
+**Tier 2 — Base type + exit codes (CLI/MCP/desktop):**
+
+| Exit code | Meaning |
+|-----------|---------|
+| 0 | OK |
+| 1 | User error (bad input, missing config) |
+| 2 | Runtime error (crash, backend failure) |
+| 3 | Partial success (some items succeeded) |
+
+Error codes use namespaced prefixes: `IO_`, `CONFIG_`, `PERM_`, `DEP_`, `RUNTIME_`, `PARTIAL_`, `INPUT_`, `STATE_`. Codes are stable once released.
+
+## Reference implementation
+
+[mcp-voice-soundboard](https://github.com/mcp-tool-shop-org/mcp-voice-soundboard) was the first repo to pass Ship Gate — scoring **46/50** after remediation.
+
+## Scorecard
+
+| Category | Score | Notes |
+|----------|-------|-------|
+| A. Security | 10/10 | SECURITY.md, no executable code, no data collection |
+| B. Error Handling | N/A | Standards repo — no code to error |
+| C. Operator Docs | 10/10 | README, CHANGELOG, ADOPTION, all templates documented |
+| D. Shipping Hygiene | 8/10 | No code to verify/test, all standards versioned |
+| E. Identity | 10/10 | Logo, translations, landing page, metadata |
+| **Total** | **38/40** | B excluded (not applicable) |
+
+## License
+
+[MIT](LICENSE)
+
+---
+
+<p align="center">
+  Built by <a href="https://mcp-tool-shop.github.io/">MCP Tool Shop</a>
+</p>

package/README.pt-BR.md

@@ -0,0 +1,105 @@
+<p align="center">
+  <a href="README.ja.md">日本語</a> | <a href="README.zh.md">中文</a> | <a href="README.es.md">Español</a> | <a href="README.fr.md">Français</a> | <a href="README.hi.md">हिन्दी</a> | <a href="README.it.md">Italiano</a> | <a href="README.md">English</a>
+</p>
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/mcp-tool-shop-org/brand/main/logos/shipcheck/readme.jpg" alt="Shipcheck" width="400">
+</p>
+
+<p align="center">
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT License"></a>
+  <a href="https://mcp-tool-shop-org.github.io/shipcheck/"><img src="https://img.shields.io/badge/Landing_Page-live-blue" alt="Landing Page"></a>
+</p>
+
+<p align="center">
+  Product standards for MCP Tool Shop.<br>
+  Templates, contracts, and adoption guides that define what "done" means before anything ships.
+</p>
+
+---
+
+## Por que
+
+"Concluído" costumava significar que o código funcionava. Isso não é suficiente. Um produto é código + segurança + tratamento de erros + documentação + identidade + higiene no processo de lançamento. O Shipcheck define o padrão.
+
+## O que está incluído aqui
+
+| Padrão | O que isso cobre |
+|----------|----------------|
+| [Ship Gate](templates/SHIP_GATE.md) | Lista de verificação de pré-lançamento com 27 itens obrigatórios + 4 itens opcionais. |
+| [Error Contract](contracts/error-contract.md) | Padrão estruturado de tratamento de erros com registro de código. |
+| [Security Baseline](templates/SECURITY.md) | E-mail de relatório, tempo de resposta, escopo das ameaças. |
+| [Handbook](templates/HANDBOOK.md) | Manual operacional para ferramentas complexas. |
+| [Scorecard](templates/SCORECARD.md) | Pontuação antes e depois da correção. |
+| [Adoption Guide](ADOPTION.md) | Aplique o Shipcheck a qualquer repositório em menos de 30 minutos. |
+
+## Como começar
+
+1. Leia [ADOPTION.md](ADOPTION.md)
+2. Copie `templates/SHIP_GATE.md` para a raiz do seu repositório.
+3. Marque os itens aplicáveis, e marque os itens não aplicáveis com `SKIP:`.
+4. Lance quando todos os itens obrigatórios forem aprovados.
+
+## Como funciona
+
+**Itens obrigatórios** (A-D) bloqueiam o lançamento:
+
+- **A. Segurança básica** — SECURITY.md, modelo de ameaças, sem segredos, sem telemetria, postura de segurança padrão.
+- **B. Tratamento de erros** — estrutura de erro padronizada (código/mensagem/dica/tentável), saída segura, degradação graciosa.
+- **C. Documentação para o usuário** — README, CHANGELOG, LICENÇA, documentação da ferramenta.
+- **D. Higiene no processo de lançamento** — verificação de script, alinhamento de versão, análise de dependências, arquivo de bloqueio.
+
+**Item opcional** (E) não bloqueia, mas define o "todo":
+
+- **E. Identidade** — logotipo, traduções, página de destino, metadados do repositório.
+
+O item indica **o que** deve ser verdadeiro, não **como** implementá-lo. As tags de aplicabilidade (`[all]`, `[npm]`, `[mcp]`, `[cli]`, `[desktop]`, `[vsix]`, `[container]`) evitam constrangimentos em repositórios onde os itens não se aplicam.
+
+## Contrato de erro em resumo
+
+**Nível 1 — Estrutura (obrigatório em todos os lugares):**
+
+```json
+{
+  "code": "INPUT_TEXT_EMPTY",
+  "message": "Text must not be empty",
+  "hint": "Provide at least one character of text",
+  "retryable": false
+}
+```
+
+**Nível 2 — Tipo base + códigos de saída (CLI/MCP/desktop):**
+
+| Código de saída | Significado |
+|-----------|---------|
+| 0 | OK |
+| 1 | Erro do usuário (entrada inválida, configuração ausente) |
+| 2 | Erro em tempo de execução (falha, falha no backend) |
+| 3 | Sucesso parcial (alguns itens foram bem-sucedidos) |
+
+Os códigos de erro usam prefixos com namespace: `IO_`, `CONFIG_`, `PERM_`, `DEP_`, `RUNTIME_`, `PARTIAL_`, `INPUT_`, `STATE_`. Os códigos são estáveis após o lançamento.
+
+## Implementação de referência
+
+[mcp-voice-soundboard](https://github.com/mcp-tool-shop-org/mcp-voice-soundboard) foi o primeiro repositório a passar no Ship Gate — obtendo uma pontuação de **46/50** após a correção.
+
+## Tabela de pontuação
+
+| Categoria | Pontuação | Observações |
+|----------|-------|-------|
+| A. Segurança | 10/10 | SECURITY.md, sem código executável, sem coleta de dados. |
+| B. Tratamento de erros | N/A | Repositório de padrões — sem código para tratamento de erros. |
+| C. Documentação para o usuário | 10/10 | README, CHANGELOG, ADOPTION, todos os modelos documentados. |
+| D. Higiene no processo de lançamento | 8/10 | Sem código para verificar/testar, todas as versões dos padrões versionadas. |
+| E. Identidade | 10/10 | Logotipo, traduções, página de destino, metadados. |
+| **Total** | **38/40** | B excluído (não aplicável) |
+
+## Licença
+
+[MIT](LICENSE)
+
+---
+
+<p align="center">
+  Built by <a href="https://mcp-tool-shop.github.io/">MCP Tool Shop</a>
+</p>

package/README.zh.md

@@ -0,0 +1,105 @@
+<p align="center">
+  <a href="README.ja.md">日本語</a> | <a href="README.md">English</a> | <a href="README.es.md">Español</a> | <a href="README.fr.md">Français</a> | <a href="README.hi.md">हिन्दी</a> | <a href="README.it.md">Italiano</a> | <a href="README.pt-BR.md">Português (BR)</a>
+</p>
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/mcp-tool-shop-org/brand/main/logos/shipcheck/readme.png" alt="Shipcheck" width="400">
+</p>
+
+<p align="center">
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT License"></a>
+  <a href="https://mcp-tool-shop-org.github.io/shipcheck/"><img src="https://img.shields.io/badge/Landing_Page-live-blue" alt="Landing Page"></a>
+</p>
+
+<p align="center">
+  Product standards for MCP Tool Shop.<br>
+  Templates, contracts, and adoption guides that define what "done" means before anything ships.
+</p>
+
+---
+
+## 为什么
+
+“完成”过去意味着代码可以正常运行。但这还不够。一个产品包括代码、安全性、错误处理、文档、身份标识以及发布流程。Shipcheck 定义了标准。
+
+## 内容
+
+| 标准 | 涵盖内容 |
+|----------|----------------|
+| [Ship Gate](templates/SHIP_GATE.md) | 27 个硬性检查项 + 4 个软性检查项的预发布清单 |
+| [Error Contract](contracts/error-contract.md) | 具有代码注册表的两级结构化错误标准 |
+| [Security Baseline](templates/SECURITY.md) | 报告邮件、响应时间、风险范围 |
+| [Handbook](templates/HANDBOOK.md) | 复杂工具的操作手册 |
+| [Scorecard](templates/SCORECARD.md) | 修复前/后的评分 |
+| [Adoption Guide](ADOPTION.md) | 将 Shipcheck 应用于任何仓库，只需 30 分钟 |
+
+## 快速开始
+
+1. 阅读 [ADOPTION.md](ADOPTION.md)
+2. 将 `templates/SHIP_GATE.md` 复制到您的仓库根目录
+3. 检查适用项，对于不适用项，使用 `SKIP:` 标记
+4. 在所有硬性检查项通过后发布
+
+## 工作原理
+
+**硬性检查项 (A-D)** 会阻止发布：
+
+- **A. 安全基线** — SECURITY.md，威胁模型，无敏感信息，无遥测，默认安全姿态
+- **B. 错误处理** — 结构化的错误格式（代码/消息/提示/可重试），安全输出，优雅降级
+- **C. 操作文档** — README，CHANGELOG，LICENSE，工具文档
+- **D. 发布流程** — 验证脚本，版本对齐，依赖项扫描，锁定文件
+
+**软性检查项 (E)** 不会阻止发布，但定义了“完整性”：
+
+- **E. 身份标识** — logo，翻译，着陆页，仓库元数据
+
+检查项说明的是**必须**满足什么，而不是**如何**实现。适用性标签 (`[all]`, `[npm]`, `[mcp]`, `[cli]`, `[desktop]`, `[vsix]`, `[container]`) 避免在不适用的仓库中出现“未完成”的检查框。
+
+## 错误合约一览
+
+**第一层 — 结构 (所有地方都必须满足):**
+
+```json
+{
+  "code": "INPUT_TEXT_EMPTY",
+  "message": "Text must not be empty",
+  "hint": "Provide at least one character of text",
+  "retryable": false
+}
+```
+
+**第二层 — 基本类型 + 退出码 (CLI/MCP/桌面):**
+
+| 退出码 | 含义 |
+|-----------|---------|
+| 0 | OK |
+| 1 | 用户错误（无效输入，缺少配置） |
+| 2 | 运行时错误（崩溃，后端故障） |
+| 3 | 部分成功（某些项已成功） |
+
+错误代码使用命名空间前缀：`IO_`, `CONFIG_`, `PERM_`, `DEP_`, `RUNTIME_`, `PARTIAL_`, `INPUT_`, `STATE_`。代码在发布后会保持稳定。
+
+## 参考实现
+
+[mcp-voice-soundboard](https://github.com/mcp-tool-shop-org/mcp-voice-soundboard) 是第一个通过 Ship Gate 的仓库，在修复后获得了 **46/50** 的评分。
+
+## 评分卡
+
+| 类别 | 评分 | 备注 |
+|----------|-------|-------|
+| A. 安全性 | 10/10 | SECURITY.md，无可执行代码，无数据收集 |
+| B. 错误处理 | N/A | 标准仓库 — 没有代码产生错误 |
+| C. 操作文档 | 10/10 | README，CHANGELOG，ADOPTION，所有模板均已记录 |
+| D. 发布流程 | 8/10 | 无代码可验证/测试，所有标准均已版本控制 |
+| E. 身份标识 | 10/10 | Logo，翻译，着陆页，元数据 |
+| **Total** | **38/40** | B 排除（不适用） |
+
+## 许可证
+
+[MIT](LICENSE)
+
+---
+
+<p align="center">
+  Built by <a href="https://mcp-tool-shop.github.io/">MCP Tool Shop</a>
+</p>

package/bin/shipcheck.mjs

@@ -0,0 +1,245 @@
+#!/usr/bin/env node
+
+import { readFileSync, readdirSync, writeFileSync, existsSync, copyFileSync } from "node:fs";
+import { join, resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PKG_ROOT = resolve(__dirname, "..");
+const CWD = process.cwd();
+
+const BOLD = "\x1b[1m";
+const GREEN = "\x1b[32m";
+const YELLOW = "\x1b[33m";
+const CYAN = "\x1b[36m";
+const DIM = "\x1b[2m";
+const RESET = "\x1b[0m";
+
+function log(msg) { console.log(msg); }
+function ok(msg) { log(`${GREEN}✓${RESET} ${msg}`); }
+function skip(msg) { log(`${DIM}  skip${RESET} ${msg}`); }
+function warn(msg) { log(`${YELLOW}!${RESET} ${msg}`); }
+
+// --- Detect repo type ---
+
+function detectTypes() {
+  const tags = new Set(["all"]);
+
+  if (existsSync(join(CWD, "package.json"))) {
+    const pkg = JSON.parse(readFileSync(join(CWD, "package.json"), "utf8"));
+    tags.add("npm");
+    // Check if it's an MCP server
+    const desc = (pkg.description || "").toLowerCase();
+    const keywords = (pkg.keywords || []).map(k => k.toLowerCase());
+    if (desc.includes("mcp") || keywords.includes("mcp") || keywords.includes("model-context-protocol")) {
+      tags.add("mcp");
+    }
+    // Check for CLI bin
+    if (pkg.bin) {
+      tags.add("cli");
+    }
+  }
+
+  if (existsSync(join(CWD, "pyproject.toml")) || existsSync(join(CWD, "setup.py"))) {
+    tags.add("pypi");
+  }
+
+  if (existsSync(join(CWD, "Dockerfile")) || existsSync(join(CWD, "docker-compose.yml"))) {
+    tags.add("container");
+  }
+
+  // VS Code extension
+  const vsceFiles = [".vscodeignore", "vsc-extension-quickstart.md"];
+  if (vsceFiles.some(f => existsSync(join(CWD, f)))) {
+    tags.add("vsix");
+  }
+  if (existsSync(join(CWD, "package.json"))) {
+    try {
+      const pkg = JSON.parse(readFileSync(join(CWD, "package.json"), "utf8"));
+      if (pkg.engines?.vscode) tags.add("vsix");
+    } catch {}
+  }
+
+  // Desktop app signals
+  const desktopSignals = ["tauri.conf.json", "electron-builder.yml", "forge.config.js"];
+  if (desktopSignals.some(f => existsSync(join(CWD, f)))) {
+    tags.add("desktop");
+  }
+  // .NET desktop (MAUI, WinUI)
+  try {
+    for (const f of readdirSync(CWD).filter(f => f.endsWith(".csproj"))) {
+      const content = readFileSync(join(CWD, f), "utf8");
+      if (content.includes("Maui") || content.includes("WinUI")) {
+        tags.add("desktop");
+      }
+    }
+  } catch {}
+
+  return [...tags];
+}
+
+// --- Commands ---
+
+function initCommand() {
+  log(`\n${BOLD}shipcheck init${RESET}\n`);
+
+  const types = detectTypes();
+  log(`${CYAN}Detected tags:${RESET} ${types.map(t => `[${t}]`).join(" ")}\n`);
+
+  const files = [
+    { src: "templates/SHIP_GATE.md", dest: "SHIP_GATE.md" },
+    { src: "templates/SECURITY.md", dest: "SECURITY.md", skipIf: "SECURITY.md" },
+    { src: "templates/CHANGELOG.md", dest: "CHANGELOG.md", skipIf: "CHANGELOG.md" },
+    { src: "templates/SCORECARD.md", dest: "SCORECARD.md" },
+  ];
+
+  for (const { src, dest, skipIf } of files) {
+    const destPath = join(CWD, dest);
+    if (skipIf && existsSync(destPath)) {
+      skip(`${dest} already exists`);
+      continue;
+    }
+    const srcPath = join(PKG_ROOT, src);
+    if (!existsSync(srcPath)) {
+      warn(`Template not found: ${src}`);
+      continue;
+    }
+
+    let content = readFileSync(srcPath, "utf8");
+
+    // Inject detected tags into SHIP_GATE header
+    if (dest === "SHIP_GATE.md") {
+      content = content.replace(
+        /<!-- repo type tags -->/,
+        types.map(t => `\`[${t}]\``).join(" ")
+      );
+    }
+
+    // Fill SECURITY.md placeholders
+    if (dest === "SECURITY.md") {
+      // Try to read author email from package.json
+      try {
+        const pkg = JSON.parse(readFileSync(join(CWD, "package.json"), "utf8"));
+        if (pkg.bugs?.url) {
+          content = content.replace(
+            /<!-- report-email -->/g,
+            pkg.bugs.url
+          );
+        }
+      } catch {}
+    }
+
+    writeFileSync(destPath, content, "utf8");
+    ok(dest);
+  }
+
+  log(`\n${BOLD}Next steps:${RESET}`);
+  log(`  1. Open ${CYAN}SHIP_GATE.md${RESET} and check off applicable items`);
+  log(`  2. Mark non-applicable items with ${DIM}SKIP: reason${RESET}`);
+  log(`  3. Ship when all hard gates (A-D) pass`);
+  log(`\n  Read ${CYAN}ADOPTION.md${RESET} for the full walkthrough:`);
+  log(`  ${DIM}https://github.com/mcp-tool-shop-org/shipcheck/blob/main/ADOPTION.md${RESET}\n`);
+}
+
+function auditCommand() {
+  log(`\n${BOLD}shipcheck audit${RESET}\n`);
+
+  if (!existsSync(join(CWD, "SHIP_GATE.md"))) {
+    warn("No SHIP_GATE.md found. Run 'shipcheck init' first.\n");
+    process.exit(1);
+  }
+
+  const content = readFileSync(join(CWD, "SHIP_GATE.md"), "utf8");
+  const lines = content.split("\n");
+
+  let checked = 0;
+  let unchecked = 0;
+  let skipped = 0;
+  const gaps = [];
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("- [x]") || trimmed.startsWith("- [X]")) {
+      checked++;
+    } else if (trimmed.startsWith("- [ ]")) {
+      if (trimmed.includes("SKIP:")) {
+        skipped++;
+      } else {
+        unchecked++;
+        // Extract the item text
+        const text = trimmed.replace(/^- \[ \] /, "").substring(0, 80);
+        gaps.push(text);
+      }
+    }
+  }
+
+  const total = checked + unchecked + skipped;
+  const passRate = total > 0 ? Math.round((checked / (checked + unchecked)) * 100) : 0;
+
+  log(`${GREEN}Checked:${RESET}   ${checked}`);
+  log(`${YELLOW}Unchecked:${RESET} ${unchecked}`);
+  log(`${DIM}Skipped:${RESET}   ${skipped}`);
+  log(`${BOLD}Pass rate:${RESET} ${passRate}%\n`);
+
+  if (gaps.length > 0) {
+    log(`${YELLOW}${BOLD}Remaining gaps:${RESET}`);
+    for (const gap of gaps.slice(0, 10)) {
+      log(`  ${YELLOW}○${RESET} ${gap}`);
+    }
+    if (gaps.length > 10) {
+      log(`  ${DIM}...and ${gaps.length - 10} more${RESET}`);
+    }
+    log("");
+  }
+
+  if (unchecked === 0) {
+    log(`${GREEN}${BOLD}All hard gates pass. Ship it.${RESET}\n`);
+  } else {
+    log(`${YELLOW}${unchecked} item(s) still need attention.${RESET}\n`);
+    process.exit(1);
+  }
+}
+
+function helpCommand() {
+  log(`
+${BOLD}shipcheck${RESET} — product standards for MCP Tool Shop
+
+${BOLD}Usage:${RESET}
+  npx @mcptoolshop/shipcheck init     Copy templates into current repo
+  npx @mcptoolshop/shipcheck audit    Check SHIP_GATE.md progress
+  npx @mcptoolshop/shipcheck help     Show this message
+
+${BOLD}What it does:${RESET}
+  init   Detects repo type (npm, pypi, mcp, cli, etc.)
+         Copies SHIP_GATE.md, SECURITY.md, CHANGELOG.md, SCORECARD.md
+         Skips files that already exist (except SHIP_GATE + SCORECARD)
+
+  audit  Counts checked/unchecked/skipped items in SHIP_GATE.md
+         Reports pass rate and lists remaining gaps
+         Exits 0 if all gates pass, 1 if gaps remain
+
+${DIM}https://github.com/mcp-tool-shop-org/shipcheck${RESET}
+`);
+}
+
+// --- Main ---
+
+const command = process.argv[2] || "help";
+
+switch (command) {
+  case "init":
+    initCommand();
+    break;
+  case "audit":
+    auditCommand();
+    break;
+  case "help":
+  case "--help":
+  case "-h":
+    helpCommand();
+    break;
+  default:
+    warn(`Unknown command: ${command}`);
+    helpCommand();
+    process.exit(1);
+}