@modelstatus/cli 0.1.73 → 0.1.75

package/README.md

@@ -8,16 +8,19 @@ The free CLI + TUI for [LLM Status](https://llmstatus.ai) — scans your repo fo
 npx @modelstatus/cli status
 ```
 
-That's it. No sign-in, no account, no telemetry — just a snapshot of every model in your repo plus health badges and replacement suggestions.
+That's it. No sign-in, no account, and the scan runs entirely on your machine — you get a snapshot of every model in your repo plus health badges and replacement suggestions. (The CLI sends anonymous usage analytics — event names + counts only, never code, model names, or paths; a one-time notice says so and `MM_NO_ANALYTICS=1` turns it off.)
 
 ## Install
 
 Pick whichever fits your stack:
 
 ```bash
-# Self-contained binary, no Node required:
+# Self-contained binary, no Node required (sha256 + signature verified by the installer):
 curl -fsSL https://llmstatus.ai/install.sh | bash
 
+# Homebrew (macOS + Linux):
+brew install randomartifact/tap/modelstatus-cli
+
 # Via npm (needs Node ≥18):
 npm i -g @modelstatus/cli
 ```
@@ -49,6 +52,19 @@ Models in use:
 
 Works **fully offline** after the first run (cached snapshot at `~/.config/llmstatus/registry-cache.json`).
 
+### Free: fix the dying ones
+
+```bash
+mm fix [dir] --dry-run    # preview the rewrites
+mm fix [dir]              # apply (asks first)
+```
+
+Rewrites deprecated/retiring model ids to their current registry replacement, in
+place. Boundary-safe (`gpt-4` never rewrites inside `gpt-4o`), style-preserving
+(prefixed stays prefixed), and chain-aware — if the replacement is itself dying,
+it follows the chain to the first live model. In the TUI, press `f` for a
+red/green diff preview; nothing is written until you confirm.
+
 ### Sign in for cloud features
 
 ```bash
@@ -65,7 +81,9 @@ You get two binaries — `mm` (short) and `llmstatus` (descriptive). Same binary
 | Command | What it does |
 |---|---|
 | `mm status [dir]` | Free offline model-health check — no account |
-| `mm` | Launch the TUI (inventory, scan, what's-new, alerts, account) |
+| `mm fix [dir]` | Rewrite dying model ids to their replacement (`--dry-run` to preview) |
+| `mm [dir]` | Launch the TUI on a folder (defaults to the current one) — runs locally |
+| `mm update` | Update the binary in place (Homebrew installs: `brew upgrade`) |
 | `mm login [api_key]` | Browser sign-in with polling (or paste a key) |
 | `mm signup` | Create an account in the browser |
 | `mm scan [dir]` | Scan for model usage; interactive TUI, or `--ci`/`--json` for pipelines |
@@ -96,7 +114,9 @@ Secret sources shell out to your already-authenticated CLIs, run **read-only**,
 | Signed registry snapshot, offline cache | ✓ | ✓ |
 | Resolve + health locally, on-device | ✓ | ✓ |
 | Secret-source aware (`env`, `aws-secrets`, `k8s`, `helm`, `sql`) | ✓ | ✓ |
+| `mm fix` — rewrite dying ids to replacements | ✓ | ✓ |
 | Cloud inventory across projects/teams | — | ✓ |
+| GitHub App: PR checks + one-click fix PRs | — | ✓ |
 | Alerts on deprecations/retirements (email/Slack/SMS) | — | ✓ |
 | CI integrations + web dashboard | — | ✓ |
 
@@ -113,6 +133,11 @@ pinned root key (in the CLI binary)
 
 The CLI verifies every byte before trusting the snapshot, refuses any rollback to an older version, and falls back to its local cache when the network's down. The signing key can be rotated without shipping a new CLI release.
 
+The binaries get the same treatment: macOS builds are Developer ID signed and
+Apple-notarized, every release manifest is Ed25519-signed and verified — against
+a public key embedded in the installer and the self-updater, not fetched from the
+CDN — and both refuse to proceed if any check fails.
+
 ## Links
 
 - Website: [llmstatus.ai](https://llmstatus.ai)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@modelstatus/cli",
-  "version": "0.1.73",
+  "version": "0.1.75",
   "description": "Track which AI models you use, where, and never get surprised by a retirement. Free offline model-health for any repo (mm status), browser sign-in for cloud inventory + alerts.",
   "keywords": [
     "llm",

package/src/updater.js

@@ -88,6 +88,33 @@ async function fetchJson(url) {
   return res.json();
 }
 
+// Ed25519 RELEASE public key (committed: packages/cli/release-pubkey.pem). The
+// manifest is signed with the matching private key; verifying that signature is
+// what makes the manifest's sha256 trustworthy on every platform, independent of
+// the CDN. An auto-update that can't verify this signature does not proceed.
+const RELEASE_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEApu4VP7vB6iwxsPcK5KaosjK7SIp9HrWMt5IvcUwjUOM=
+-----END PUBLIC KEY-----`;
+
+/** Fetch the manifest + its detached Ed25519 signature and verify before
+ * parsing. Returns the parsed manifest, or throws if the signature is missing or
+ * invalid (fail closed — never self-update against an unverifiable manifest). */
+async function fetchVerifiedManifest(base) {
+  const [mRes, sRes] = await Promise.all([
+    fetch(`${base}/version.json`, { cache: "no-store" }),
+    fetch(`${base}/version.json.sig`, { cache: "no-store" }),
+  ]);
+  if (!mRes.ok) throw new Error(`GET version.json -> ${mRes.status}`);
+  if (!sRes.ok) throw new Error("manifest signature unavailable — refusing to self-update");
+  const manifestBytes = Buffer.from(await mRes.arrayBuffer());
+  const sig = Buffer.from((await sRes.text()).trim(), "base64");
+  const key = crypto.createPublicKey(RELEASE_PUBKEY);
+  if (!crypto.verify(null, manifestBytes, key, sig)) {
+    throw new Error("manifest signature INVALID — refusing to self-update");
+  }
+  return JSON.parse(manifestBytes.toString("utf8"));
+}
+
 /** True if we can create/rename files in `dir` (needed for an atomic swap). */
 function dirWritable(dir) {
   try {
@@ -189,7 +216,7 @@ export async function forceUpdate() {
     const key = platformKey();
     if (!key) return { status: "unsupported" };
 
-    const manifest = await fetchJson(`${CDN}/cli/${CHANNEL_PATH}/version.json`);
+    const manifest = await fetchVerifiedManifest(`${CDN}/cli/${CHANNEL_PATH}`);
     writeCache({ ...(readCache() || {}), last_check: Date.now(), latest_known: manifest.version });
     if (!manifest.version) return { status: "error", message: "manifest has no version" };
     if (compareVer(manifest.version, BUILD_VERSION) <= 0) return { status: "latest", version: dispVer(BUILD_VERSION) };
@@ -223,7 +250,7 @@ export async function maybeCheckForUpdate(flags = {}) {
     const key = platformKey();
     if (!key) return null;
 
-    const manifest = await fetchJson(`${CDN}/cli/${CHANNEL_PATH}/version.json`);
+    const manifest = await fetchVerifiedManifest(`${CDN}/cli/${CHANNEL_PATH}`);
     // Always update the cache so we don't re-check for 24 h.
     writeCache({ ...cache, last_check: Date.now(), latest_known: manifest.version });