@mushi-mushi/cli 0.4.0 → 0.5.0

package/README.md

@@ -6,41 +6,52 @@ CLI for Mushi Mushi — set up the SDK in one command, then triage reports and m
 
 ```bash
 npx @mushi-mushi/cli init
-# or, equivalently:
-npx mushi-mushi init
+# equivalently:
+npx mushi-mushi
 ```
 
 The wizard:
 
 1. Detects your framework (Next.js, Nuxt, SvelteKit, Angular, Expo, Capacitor, plain React/Vue/Svelte, or vanilla JS) from `package.json` and config files.
 2. Picks the right SDK package (`@mushi-mushi/react`, `@mushi-mushi/vue`, etc.) plus `@mushi-mushi/web` when the framework SDK is API-only.
-3. Detects your package manager (npm / pnpm / yarn / bun) from your lockfile and installs with that.
+3. Detects your package manager (npm / pnpm / yarn / bun) from your lockfile and installs with that — `shell: false`, with Windows `.cmd` shim resolution.
 4. Writes `MUSHI_PROJECT_ID` and `MUSHI_API_KEY` (with the right framework prefix — `NEXT_PUBLIC_`, `NUXT_PUBLIC_`, `VITE_`) to `.env.local` (or `.env`).
-5. Warns you if `.env.local` isn't in `.gitignore`.
+5. Warns you if `.env.local` isn't in `.gitignore` (covers `.env*.local`, `*.local`, etc.).
 6. Prints the framework-specific provider snippet to copy-paste.
+7. Offers to **send a real test report** so you see your first classified bug in the console immediately. Opt out via `--skip-test-report`.
 
-It never silently overwrites existing env vars or modifies application code.
+It never silently overwrites existing env vars or modifies application code. Pasted credentials are sanitized (stripped of quotes / CR / LF / NUL) and validated against `^proj_[A-Za-z0-9_-]{10,}$` / `^mushi_[A-Za-z0-9_-]{10,}$` before anything is written to disk.
 
 ### Flags
 
 ```bash
-mushi init --framework next         # skip framework detection
-mushi init --project-id proj_xxx --api-key mushi_xxx  # skip credential prompts
-mushi init --skip-install           # print the install command instead of running it
-mushi init -y                       # accept the detected framework without confirmation
+mushi init --framework next                             # skip framework detection
+mushi init --project-id proj_xxx --api-key mushi_xxx    # skip credential prompts
+mushi init --skip-install                               # print the install command instead
+mushi init --skip-test-report                           # don't offer to send a test report
+mushi init --cwd apps/web                               # run in a sub-package of a monorepo
+mushi init --endpoint https://mushi.your-company.com    # self-hosted Mushi API
+mushi init -y                                           # accept the detected framework
 ```
 
+Non-interactive use (CI): pass `--yes --project-id proj_xxx --api-key mushi_xxx` or the wizard exits with a clear error instead of hanging on a prompt.
+
+Stale-version hint: the wizard checks the npm registry (2s timeout) and prints a one-line upgrade nudge if a newer stable is published. Opt out with `MUSHI_NO_UPDATE_CHECK=1`.
+
+Monorepo awareness: if you run the wizard at a workspace root with no framework dep, it scans `apps/*`, `packages/*`, `examples/*` and tells you which sub-package you probably meant (`mushi init --cwd apps/web`).
+
 ## Install globally
 
 ```bash
 npm install -g @mushi-mushi/cli
 mushi --help
+mushi --version
 ```
 
 ## Other commands
 
 ```bash
-mushi login --api-key mushi_xxx     # store credentials in ~/.mushirc
+mushi login --api-key mushi_xxx     # store credentials in ~/.mushirc (mode 0o600)
 mushi status                         # project overview
 mushi reports list                   # recent reports
 mushi reports show <id>              # one report
@@ -48,8 +59,16 @@ mushi reports triage <id> --status acknowledged --severity high
 mushi deploy check                   # edge-function health probe
 mushi index <path>                   # walk a local repo and feed RAG
 mushi test                           # submit a test report end-to-end
+mushi config endpoint https://...    # set API endpoint (https:// required outside localhost)
 ```
 
+## Security notes
+
+- `~/.mushirc` is written with mode `0o600` on Unix. Legacy configs with looser permissions are tightened on load.
+- `--endpoint` values are parsed through `new URL()` and required to use `https://` except for `localhost` / `127.0.0.1` / `*.local`.
+- The `--api-key` flag leaks into `ps -ef` — prefer the interactive prompt on shared machines.
+- Full stack traces on error: `DEBUG=mushi mushi init`.
+
 ## License
 
 MIT

package/dist/chunk-I3FFGUE5.js

@@ -0,0 +1,6 @@
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.5.0" : "0.0.0-dev";
+
+export {
+  MUSHI_CLI_VERSION
+};

package/dist/{chunk-YZOGONU4.js → chunk-ZZNVMBMG.js}

@@ -1,6 +1,22 @@
 // src/detect.ts
 import { readFileSync, existsSync } from "fs";
 import { join } from "path";
+var FRAMEWORK_IDS = [
+  "next",
+  "react",
+  "vue",
+  "nuxt",
+  "svelte",
+  "sveltekit",
+  "angular",
+  "expo",
+  "react-native",
+  "capacitor",
+  "vanilla"
+];
+function isFrameworkId(value) {
+  return typeof value === "string" && FRAMEWORK_IDS.includes(value);
+}
 var FRAMEWORKS = {
   next: {
     id: "next",
@@ -229,6 +245,8 @@ function collectDeps(pkg) {
 }
 
 export {
+  FRAMEWORK_IDS,
+  isFrameworkId,
   FRAMEWORKS,
   readPackageJson,
   detectFramework,

package/dist/detect.d.ts

@@ -18,6 +18,8 @@ interface PackageJson {
     peerDependencies?: Record<string, string>;
 }
 type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';
+declare const FRAMEWORK_IDS: ReadonlyArray<FrameworkId>;
+declare function isFrameworkId(value: unknown): value is FrameworkId;
 declare const FRAMEWORKS: Record<FrameworkId, Framework>;
 declare function readPackageJson(cwd: string): PackageJson | null;
 declare function detectFramework(cwd: string, pkg: PackageJson | null): Framework;
@@ -25,4 +27,4 @@ declare function detectPackageManager(cwd: string): PackageManager;
 declare function installCommand(pm: PackageManager, packages: string[]): string;
 declare function envVarsToWrite(apiKey: string, projectId: string, framework: Framework): string;
 
-export { FRAMEWORKS, type Framework, type FrameworkId, type PackageJson, type PackageManager, detectFramework, detectPackageManager, envVarsToWrite, installCommand, readPackageJson };
+export { FRAMEWORKS, FRAMEWORK_IDS, type Framework, type FrameworkId, type PackageJson, type PackageManager, detectFramework, detectPackageManager, envVarsToWrite, installCommand, isFrameworkId, readPackageJson };

package/dist/detect.js

@@ -1,16 +1,20 @@
 import {
   FRAMEWORKS,
+  FRAMEWORK_IDS,
   detectFramework,
   detectPackageManager,
   envVarsToWrite,
   installCommand,
+  isFrameworkId,
   readPackageJson
-} from "./chunk-YZOGONU4.js";
+} from "./chunk-ZZNVMBMG.js";
 export {
   FRAMEWORKS,
+  FRAMEWORK_IDS,
   detectFramework,
   detectPackageManager,
   envVarsToWrite,
   installCommand,
+  isFrameworkId,
   readPackageJson
 };

package/dist/index.js

@@ -4,12 +4,14 @@
 import { Command } from "commander";
 
 // src/config.ts
-import { readFileSync, writeFileSync, existsSync } from "fs";
+import { chmodSync, readFileSync, statSync, writeFileSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 var CONFIG_PATH = join(homedir(), ".mushirc");
+var SECURE_FILE_MODE = 384;
 function loadConfig(path = CONFIG_PATH) {
   if (!existsSync(path)) return {};
+  tightenPermissions(path);
   try {
     return JSON.parse(readFileSync(path, "utf-8"));
   } catch {
@@ -17,14 +19,24 @@ function loadConfig(path = CONFIG_PATH) {
   }
 }
 function saveConfig(config, path = CONFIG_PATH) {
-  writeFileSync(path, JSON.stringify(config, null, 2));
+  writeFileSync(path, JSON.stringify(config, null, 2), { mode: SECURE_FILE_MODE });
+  tightenPermissions(path);
+}
+function tightenPermissions(path) {
+  if (process.platform === "win32") return;
+  try {
+    const current = statSync(path).mode & 511;
+    if (current !== SECURE_FILE_MODE) chmodSync(path, SECURE_FILE_MODE);
+  } catch {
+  }
 }
 
 // src/init.ts
 import * as p from "@clack/prompts";
 import { spawn } from "child_process";
-import { appendFileSync, existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join3 } from "path";
+import { randomUUID } from "crypto";
+import { appendFileSync, existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
+import { join as join4 } from "path";
 
 // src/detect.ts
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
@@ -256,11 +268,198 @@ function collectDeps(pkg) {
   ]);
 }
 
+// src/endpoint.ts
+var DEFAULT_ENDPOINT = "https://api.mushimushi.dev";
+var TEST_REPORT_TIMEOUT_MS = 1e4;
+var TEST_REPORT_FETCH_TIMEOUT_MS = TEST_REPORT_TIMEOUT_MS;
+function assertEndpoint(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid endpoint URL: ${url}`);
+  }
+  const host = parsed.hostname;
+  const isLocal = host === "localhost" || host === "127.0.0.1" || host === "::1" || host.endsWith(".local");
+  if (parsed.protocol !== "https:" && !isLocal) {
+    throw new Error(`Endpoint must use https:// (got ${parsed.protocol}//${host}).`);
+  }
+  return parsed.origin + (parsed.pathname === "/" ? "" : parsed.pathname);
+}
+function normalizeEndpoint(url) {
+  const input = url ?? DEFAULT_ENDPOINT;
+  let end = input.length;
+  while (end > 0 && input.charCodeAt(end - 1) === 47) end--;
+  return input.slice(0, end);
+}
+
+// src/freshness.ts
+var REGISTRY = "https://registry.npmjs.org";
+var DEFAULT_TIMEOUT_MS = 2e3;
+async function checkFreshness(packageName, currentVersion, opts = {}) {
+  if (process.env.MUSHI_NO_UPDATE_CHECK === "1") return null;
+  const registry = opts.registry ?? REGISTRY;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(
+      `${registry}/${encodeURIComponent(packageName)}/latest`,
+      {
+        signal: controller.signal,
+        headers: { Accept: "application/json" }
+      }
+    );
+    if (!res.ok) return null;
+    const body = await res.json();
+    const latest = typeof body.version === "string" ? body.version : null;
+    if (!latest) return null;
+    return {
+      current: currentVersion,
+      latest,
+      isOutdated: isNewerStableVersion(latest, currentVersion)
+    };
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function isNewerStableVersion(latest, current) {
+  const latestCore = stripPreRelease(latest);
+  if (hasPreReleaseTag(latest)) return false;
+  const [la, lb, lc] = parse(latestCore);
+  const [ca, cb, cc] = parse(stripPreRelease(current));
+  if (la !== ca) return la > ca;
+  if (lb !== cb) return lb > cb;
+  return lc > cc;
+}
+function stripPreRelease(version) {
+  const idx = version.indexOf("-");
+  return idx === -1 ? version : version.slice(0, idx);
+}
+function hasPreReleaseTag(version) {
+  return version.includes("-");
+}
+function parse(version) {
+  const parts = version.split(".").map((part) => Number(part));
+  return [
+    Number.isFinite(parts[0]) ? parts[0] : 0,
+    Number.isFinite(parts[1]) ? parts[1] : 0,
+    Number.isFinite(parts[2]) ? parts[2] : 0
+  ];
+}
+
+// src/monorepo.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, readdirSync, statSync as statSync2 } from "fs";
+import { dirname, join as join3, resolve } from "path";
+var WORKSPACE_GLOB_CANDIDATES = ["apps/*", "packages/*", "examples/*"];
+var FRAMEWORK_DEPS = {
+  next: "Next.js",
+  nuxt: "Nuxt",
+  "@sveltejs/kit": "SvelteKit",
+  "@angular/core": "Angular",
+  expo: "Expo",
+  "react-native": "React Native",
+  "@capacitor/core": "Capacitor",
+  svelte: "Svelte",
+  vue: "Vue",
+  react: "React"
+};
+function detectWorkspaceHint(cwd) {
+  const root = findWorkspaceRoot(cwd);
+  if (!root) return null;
+  const rootPkg = readPackageJsonSafely(join3(root, "package.json"));
+  if (rootPkg && getFrameworkFromPkg(rootPkg)) return null;
+  const source = existsSync3(join3(root, "pnpm-workspace.yaml")) ? "pnpm-workspace" : root === cwd ? "package-json" : "parent";
+  const apps = collectAppsFromGlobs(root);
+  if (apps.length === 0) return null;
+  return { root, apps, source };
+}
+function findWorkspaceRoot(start) {
+  let dir = resolve(start);
+  for (let i = 0; i < 8; i++) {
+    if (isWorkspaceRoot(dir)) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function isWorkspaceRoot(dir) {
+  if (existsSync3(join3(dir, "pnpm-workspace.yaml"))) return true;
+  const pkg = readPackageJsonSafely(join3(dir, "package.json"));
+  if (!pkg) return false;
+  return Boolean(pkg.workspaces);
+}
+function collectAppsFromGlobs(root) {
+  const results = [];
+  for (const glob of WORKSPACE_GLOB_CANDIDATES) {
+    const prefix = glob.replace("/*", "");
+    const parentDir = join3(root, prefix);
+    if (!existsSync3(parentDir)) continue;
+    let entries;
+    try {
+      entries = readdirSync(parentDir);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const pkgPath = join3(parentDir, entry, "package.json");
+      if (!isFileSafe(pkgPath)) continue;
+      const pkg = readPackageJsonSafely(pkgPath);
+      if (!pkg) continue;
+      const framework = getFrameworkFromPkg(pkg);
+      if (!framework) continue;
+      results.push({
+        name: pkg.name ?? `${prefix}/${entry}`,
+        relativePath: `${prefix}/${entry}`,
+        framework
+      });
+    }
+  }
+  return results;
+}
+function readPackageJsonSafely(path) {
+  if (!isFileSafe(path)) return null;
+  try {
+    return JSON.parse(readFileSync3(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function isFileSafe(path) {
+  try {
+    return existsSync3(path) && statSync2(path).isFile();
+  } catch {
+    return false;
+  }
+}
+function getFrameworkFromPkg(pkg) {
+  const deps = {
+    ...pkg.dependencies ?? {},
+    ...pkg.devDependencies ?? {},
+    ...pkg.peerDependencies ?? {}
+  };
+  for (const dep of Object.keys(FRAMEWORK_DEPS)) {
+    if (dep in deps) return FRAMEWORK_DEPS[dep];
+  }
+  return void 0;
+}
+
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.5.0" : "0.0.0-dev";
+
 // src/init.ts
 var ENV_FILES = [".env.local", ".env"];
+var PROJECT_ID_PATTERN = /^proj_[A-Za-z0-9_-]{10,}$/;
+var API_KEY_PATTERN = /^mushi_[A-Za-z0-9_-]{10,}$/;
 async function runInit(options = {}) {
   const cwd = options.cwd ?? process.cwd();
+  ensureInteractiveOrBailOut(options);
   p.intro("\u{1F41B} Mushi Mushi setup wizard");
+  await printFreshnessHint();
+  warnIfWorkspaceRoot(cwd);
   const pkg = readPackageJson(cwd);
   if (!pkg) {
     p.log.warn("No package.json found in this directory.");
@@ -279,15 +478,28 @@ async function runInit(options = {}) {
   const pm = detectPackageManager(cwd);
   const packagesToInstall = framework.needsWebPackage ? [framework.packageName, "@mushi-mushi/web"] : [framework.packageName];
   if (!options.skipInstall) {
-    await installPackages(pm, packagesToInstall);
+    await installPackages(pm, packagesToInstall, cwd);
   } else {
     p.log.info(`Skipped install. Run \`${installCommand(pm, packagesToInstall)}\` yourself.`);
   }
   writeEnvFile(cwd, credentials.apiKey, credentials.projectId, framework);
   persistCliConfig(credentials.apiKey, credentials.projectId);
   printNextSteps(framework, credentials.apiKey, credentials.projectId);
+  await maybeSendTestReport(credentials, options);
   p.outro("Setup complete. Happy bug squashing \u{1F41B}");
 }
+function ensureInteractiveOrBailOut(options) {
+  const isTTY = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  if (isTTY) return;
+  const hasAllFlags = Boolean(
+    (options.framework || options.yes) && options.projectId && options.apiKey
+  );
+  if (hasAllFlags) return;
+  process.stderr.write(
+    "mushi-mushi: non-interactive terminal detected.\nPass all of --yes (or --framework), --project-id, and --api-key to run unattended.\nExample: npx mushi-mushi --yes --project-id proj_xxx --api-key mushi_xxx\n"
+  );
+  process.exit(1);
+}
 async function chooseFramework(detected, options) {
   if (options.framework) {
     const explicit = FRAMEWORKS[options.framework];
@@ -316,23 +528,48 @@ async function chooseFramework(detected, options) {
 }
 async function collectCredentials(options) {
   const existing = loadConfig();
-  const projectId = options.projectId ?? existing.projectId ?? await promptText({
+  const rawProjectId = options.projectId ?? existing.projectId ?? await promptText({
     message: "Project ID",
     placeholder: "proj_xxxxxxxxxxxx",
-    hint: "Find this at https://kensaur.us/mushi-mushi/projects"
+    hint: "Find this at https://kensaur.us/mushi-mushi/projects",
+    validate: (v) => PROJECT_ID_PATTERN.test(v) ? void 0 : "Expected format: proj_ followed by 10+ alphanumeric characters"
   });
-  const apiKey = options.apiKey ?? existing.apiKey ?? await promptText({
+  const rawApiKey = options.apiKey ?? existing.apiKey ?? await promptText({
     message: "API key",
     placeholder: "mushi_xxxxxxxxxxxx",
-    hint: "Treat this like a password \u2014 it goes in your env file, not in source."
+    hint: "Treat this like a password \u2014 it goes in your env file, not in source.",
+    validate: (v) => API_KEY_PATTERN.test(v) ? void 0 : "Expected format: mushi_ followed by 10+ alphanumeric characters"
   });
+  const projectId = sanitizeSecret(rawProjectId);
+  const apiKey = sanitizeSecret(rawApiKey);
+  if (!PROJECT_ID_PATTERN.test(projectId)) {
+    throw new Error(
+      `Invalid project ID. Expected format: proj_[A-Za-z0-9_-]{10,}. Got: ${redact(projectId)}`
+    );
+  }
+  if (!API_KEY_PATTERN.test(apiKey)) {
+    throw new Error(
+      `Invalid API key. Expected format: mushi_[A-Za-z0-9_-]{10,}. Got: ${redact(apiKey)}`
+    );
+  }
   return { projectId, apiKey };
 }
+function sanitizeSecret(raw) {
+  return raw.trim().replace(/^['"]|['"]$/g, "").replace(/[\r\n\0]/g, "");
+}
+function redact(value) {
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}\u2026${value.slice(-2)}`;
+}
 async function promptText(opts) {
   const value = await p.text({
     message: opts.message,
     placeholder: opts.placeholder,
-    validate: (v) => v.length === 0 ? "Required" : void 0
+    validate: (v) => {
+      const clean = sanitizeSecret(v);
+      if (clean.length === 0) return "Required";
+      return opts.validate ? opts.validate(clean) : void 0;
+    }
   });
   if (p.isCancel(value)) {
     p.cancel("Aborted.");
@@ -341,34 +578,40 @@ async function promptText(opts) {
   if (opts.hint) p.log.info(opts.hint);
   return value;
 }
-async function installPackages(pm, packages) {
+async function installPackages(pm, packages, cwd) {
   const command = installCommand(pm, packages);
   const spinner2 = p.spinner();
   spinner2.start(`Installing ${packages.join(", ")} via ${pm}\u2026`);
   try {
-    await runCommand(pm, packages);
+    await runCommand(pm, packages, cwd);
     spinner2.stop(`Installed ${packages.join(", ")}`);
   } catch (err) {
     spinner2.stop(`Install failed \u2014 run \`${command}\` manually.`);
-    p.log.error(err instanceof Error ? err.message : String(err));
+    p.log.error(err instanceof Error ? err.name + ": " + err.message : String(err));
   }
 }
-function runCommand(pm, packages) {
-  return new Promise((resolve, reject) => {
-    const verb = pm === "npm" ? "install" : "add";
-    const child = spawn(pm, [verb, ...packages], { stdio: "inherit", shell: true });
+function runCommand(pm, packages, cwd) {
+  const verb = pm === "npm" ? "install" : "add";
+  const command = process.platform === "win32" ? `${pm}.cmd` : pm;
+  return new Promise((resolve2, reject) => {
+    const child = spawn(command, [verb, ...packages], {
+      stdio: "inherit",
+      shell: false,
+      cwd,
+      env: process.env
+    });
     child.on("error", reject);
     child.on("exit", (code) => {
-      if (code === 0) resolve();
-      else reject(new Error(`${pm} exited with code ${code}`));
+      if (code === 0) resolve2();
+      else reject(new Error(`${pm} exited with code ${code ?? "null"}`));
     });
   });
 }
 function writeEnvFile(cwd, apiKey, projectId, framework) {
-  const target = ENV_FILES.find((f) => existsSync3(join3(cwd, f))) ?? ENV_FILES[0];
-  const targetPath = join3(cwd, target);
+  const target = ENV_FILES.find((f) => existsSync4(join4(cwd, f))) ?? ENV_FILES[0];
+  const targetPath = join4(cwd, target);
   const newVars = envVarsToWrite(apiKey, projectId, framework);
-  const existing = existsSync3(targetPath) ? readFileSync3(targetPath, "utf-8") : "";
+  const existing = existsSync4(targetPath) ? readFileSync4(targetPath, "utf-8") : "";
   if (existing.includes("MUSHI_PROJECT_ID")) {
     p.log.warn(`Existing MUSHI_* vars found in ${target} \u2014 leaving them untouched.`);
     return;
@@ -378,20 +621,38 @@ function writeEnvFile(cwd, apiKey, projectId, framework) {
 # Mushi Mushi
 ${newVars}
 `);
-  if (!existing) {
-    writeFileSync2(targetPath, readFileSync3(targetPath, "utf-8"));
-  }
   p.log.success(`Wrote env vars to ${target}`);
   warnIfMissingFromGitignore(cwd, target);
 }
+function isEnvFileCoveredByGitignore(gitignoreContent, envFile) {
+  const lines = gitignoreContent.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+  let covered = false;
+  for (const line of lines) {
+    if (line.startsWith("!")) {
+      if (matchesGitignorePattern(line.slice(1), envFile)) covered = false;
+      continue;
+    }
+    if (matchesGitignorePattern(line, envFile)) covered = true;
+  }
+  return covered;
+}
+function matchesGitignorePattern(pattern, filename) {
+  if (pattern.endsWith("/")) return false;
+  const normalized = pattern.startsWith("/") ? pattern.slice(1) : pattern;
+  const regexSource = normalized.split("").map((ch) => ch === "*" ? "[^/]*" : escapeRegexChar(ch)).join("");
+  return new RegExp(`^${regexSource}$`).test(filename);
+}
+function escapeRegexChar(ch) {
+  return /[-/\\^$+?.()|[\]{}]/.test(ch) ? `\\${ch}` : ch;
+}
 function warnIfMissingFromGitignore(cwd, envFile) {
-  const gitignorePath = join3(cwd, ".gitignore");
-  if (!existsSync3(gitignorePath)) {
+  const gitignorePath = join4(cwd, ".gitignore");
+  if (!existsSync4(gitignorePath)) {
     p.log.warn(`No .gitignore found \u2014 make sure ${envFile} is not committed.`);
     return;
   }
-  const content = readFileSync3(gitignorePath, "utf-8");
-  if (!content.split("\n").some((line) => line.trim() === envFile || line.trim() === ".env*")) {
+  const content = readFileSync4(gitignorePath, "utf-8");
+  if (!isEnvFileCoveredByGitignore(content, envFile)) {
     p.log.warn(`${envFile} is not in .gitignore \u2014 add it before committing.`);
   }
 }
@@ -406,10 +667,105 @@ function printNextSteps(framework, apiKey, projectId) {
   p.log.message("  \u2022 Look for the \u{1F41B} button in the bottom-right corner (or shake on mobile)");
   p.log.message("  \u2022 Submit a test report \u2014 it should appear at https://kensaur.us/mushi-mushi/reports");
 }
+async function maybeSendTestReport(credentials, options) {
+  if (options.sendTestReport === false) return;
+  let shouldSend;
+  if (options.sendTestReport === true || options.yes) {
+    shouldSend = true;
+  } else {
+    const answer = await p.confirm({
+      message: "Send a test report now to verify the pipeline?",
+      initialValue: true
+    });
+    if (p.isCancel(answer)) return;
+    shouldSend = answer;
+  }
+  if (!shouldSend) return;
+  const spinner2 = p.spinner();
+  spinner2.start("Sending test report\u2026");
+  const endpoint = normalizeEndpoint(options.endpoint);
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), TEST_REPORT_FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(`${endpoint}/v1/reports`, {
+      method: "POST",
+      signal: controller.signal,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Mushi-Api-Key": credentials.apiKey,
+        "X-Mushi-Project": credentials.projectId
+      },
+      body: JSON.stringify({
+        projectId: credentials.projectId,
+        description: "Test report from the mushi-mushi setup wizard",
+        category: "other",
+        reporterToken: `wizard-${randomUUID()}`,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        environment: {
+          url: "cli://wizard",
+          userAgent: `mushi-wizard/${process.platform}-${process.arch}`,
+          platform: process.platform,
+          language: "en",
+          viewport: { width: 0, height: 0 },
+          referrer: "",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          timezone: Intl.DateTimeFormat().resolvedOptions().timeZone
+        }
+      })
+    });
+    if (!res.ok) {
+      spinner2.stop(`Test report rejected (HTTP ${res.status}).`);
+      p.log.warn(
+        res.status === 401 || res.status === 403 ? "Credentials did not authenticate \u2014 double-check the project ID and API key." : "Skipping test report. You can retry with `mushi test`."
+      );
+      return;
+    }
+    spinner2.stop("Test report sent.");
+    p.log.success("View it at https://kensaur.us/mushi-mushi/reports");
+  } catch (err) {
+    const aborted = err instanceof Error && err.name === "AbortError";
+    spinner2.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");
+    p.log.warn(err instanceof Error ? err.message : String(err));
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function printFreshnessHint() {
+  const result = await checkFreshness("mushi-mushi", MUSHI_CLI_VERSION);
+  if (!result || !result.isOutdated) return;
+  p.log.info(
+    `A newer version of mushi-mushi is available: ${result.current} \u2192 ${result.latest}. Run \`npx mushi-mushi@latest\` to get the freshest wizard.`
+  );
+}
+function warnIfWorkspaceRoot(cwd) {
+  let hint;
+  try {
+    hint = detectWorkspaceHint(cwd);
+  } catch {
+    return;
+  }
+  if (!hint || hint.apps.length === 0) return;
+  const hasFrameworkAtCwd = hint.apps.some(
+    (app) => isSameDirectory(cwd, resolveWorkspaceAppPath(hint.root, app.relativePath))
+  );
+  if (hasFrameworkAtCwd) return;
+  const apps = hint.apps.slice(0, 5).map((app) => `  \u2022 ${app.relativePath} (${app.framework})`).join("\n");
+  p.log.warn(
+    `You appear to be at a workspace root (source: ${hint.source}). Mushi will install into the current directory, which has no framework dep. You probably meant one of these sub-packages:
+${apps}
+Run \`mushi init --cwd <path>\` \u2014 or re-run the wizard from inside that package.`
+  );
+}
+function resolveWorkspaceAppPath(root, relativePath) {
+  return `${root}/${relativePath}`.replace(/\\/g, "/");
+}
+function isSameDirectory(a, b) {
+  return a.replace(/\\/g, "/").replace(/\/+$/, "") === b.replace(/\\/g, "/").replace(/\/+$/, "");
+}
 
 // src/index.ts
 async function apiCall(path, config, options = {}) {
-  const endpoint = config.endpoint ?? "https://api.mushimushi.dev";
+  const endpoint = config.endpoint ?? DEFAULT_ENDPOINT;
   const res = await fetch(`${endpoint}${path}`, {
     ...options,
     headers: {
@@ -422,23 +778,26 @@ async function apiCall(path, config, options = {}) {
   });
   return res.json();
 }
-var program = new Command().name("mushi").description("Mushi Mushi CLI \u2014 set up the SDK, manage bug reports, monitor pipeline").version("0.3.0");
-program.command("init").description("Set up the Mushi Mushi SDK in this project (auto-detects framework)").option("--project-id <id>", "Skip the prompt by passing the project ID").option("--api-key <key>", "Skip the prompt by passing the API key").option("--framework <id>", "Force a framework (next, react, vue, nuxt, svelte, sveltekit, angular, expo, react-native, capacitor, vanilla)").option("--skip-install", "Don't auto-install the SDK package \u2014 print the command instead").option("-y, --yes", "Accept detected framework without prompting").action(async (opts) => {
+var program = new Command().name("mushi").description("Mushi Mushi CLI \u2014 set up the SDK, manage bug reports, monitor pipeline").version(MUSHI_CLI_VERSION);
+program.command("init").description("Set up the Mushi Mushi SDK in this project (auto-detects framework)").option("--project-id <id>", "Skip the prompt by passing the project ID").option("--api-key <key>", "Skip the prompt by passing the API key").option("--framework <id>", "Force a framework (next, react, vue, nuxt, svelte, sveltekit, angular, expo, react-native, capacitor, vanilla)").option("--skip-install", "Don't auto-install the SDK package \u2014 print the command instead").option("-y, --yes", "Accept detected framework without prompting").option("--cwd <path>", "Run the wizard in a different directory").option("--endpoint <url>", "Override the Mushi API endpoint (self-hosted)").option("--skip-test-report", 'Skip the end-of-wizard "send a test report" prompt').action(async (opts) => {
   await runInit({
     projectId: opts.projectId,
     apiKey: opts.apiKey,
     framework: opts.framework,
     skipInstall: opts.skipInstall,
-    yes: opts.yes
+    yes: opts.yes,
+    cwd: opts.cwd,
+    endpoint: opts.endpoint,
+    sendTestReport: opts.skipTestReport ? false : void 0
   });
 });
 program.command("login").description("Store API key for authentication").requiredOption("--api-key <key>", "API key").option("--endpoint <url>", "API endpoint URL").option("--project-id <id>", "Default project ID").action((opts) => {
   const config = loadConfig();
   config.apiKey = opts.apiKey;
-  if (opts.endpoint) config.endpoint = opts.endpoint;
+  if (opts.endpoint) config.endpoint = assertEndpoint(opts.endpoint);
   if (opts.projectId) config.projectId = opts.projectId;
   saveConfig(config);
-  console.log("Saved credentials to ~/.mushirc");
+  console.log("Saved credentials to ~/.mushirc (mode 0o600)");
 });
 program.command("status").description("Show project stats").action(async () => {
   const config = loadConfig();
@@ -493,10 +852,10 @@ reports.command("triage <id>").description("Update report status/severity").opti
 program.command("config").description("View or update CLI config").argument("[key]", "Config key to set").argument("[value]", "Value").action((key, value) => {
   const config = loadConfig();
   if (key && value) {
-    ;
-    config[key] = value;
+    const safeValue = key === "endpoint" ? assertEndpoint(value) : value;
+    config[key] = safeValue;
     saveConfig(config);
-    console.log(`Set ${key} = ${value}`);
+    console.log(`Set ${key} = ${safeValue}`);
   } else {
     console.log(JSON.stringify(config, null, 2));
   }

package/dist/init.d.ts

@@ -16,7 +16,24 @@ interface InitOptions {
     framework?: FrameworkId;
     skipInstall?: boolean;
     yes?: boolean;
+    endpoint?: string;
+    sendTestReport?: boolean;
 }
 declare function runInit(options?: InitOptions): Promise<void>;
+/**
+ * Strip whitespace, quotes, and any control characters a user might paste by
+ * accident. Prevents env-file injection via newlines in a pasted secret.
+ * Exported for test coverage of the env-file-injection defense.
+ */
+declare function sanitizeSecret(raw: string): string;
+/**
+ * Return true when any line in the user's `.gitignore` actually matches the
+ * env file we just wrote. Subtle point: `.env` in gitignore does NOT cover
+ * `.env.local` — gitignore matches by filename, not prefix. We build a tiny
+ * glob matcher (only `*` as wildcard, gitignore's common case) and test each
+ * non-comment line. `!`-prefixed negations are treated as "not covered" to
+ * stay on the safe side — better a false warning than a silent leak.
+ */
+declare function isEnvFileCoveredByGitignore(gitignoreContent: string, envFile: string): boolean;
 
-export { type InitOptions, runInit };
+export { type InitOptions, isEnvFileCoveredByGitignore, runInit, sanitizeSecret };

package/dist/init.js

@@ -5,21 +5,27 @@ import {
   envVarsToWrite,
   installCommand,
   readPackageJson
-} from "./chunk-YZOGONU4.js";
+} from "./chunk-ZZNVMBMG.js";
+import {
+  MUSHI_CLI_VERSION
+} from "./chunk-I3FFGUE5.js";
 
 // src/init.ts
 import * as p from "@clack/prompts";
 import { spawn } from "child_process";
-import { appendFileSync, existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
-import { join as join2 } from "path";
+import { randomUUID } from "crypto";
+import { appendFileSync, existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
+import { join as join3 } from "path";
 
 // src/config.ts
-import { readFileSync, writeFileSync, existsSync } from "fs";
+import { chmodSync, readFileSync, statSync, writeFileSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 var CONFIG_PATH = join(homedir(), ".mushirc");
+var SECURE_FILE_MODE = 384;
 function loadConfig(path = CONFIG_PATH) {
   if (!existsSync(path)) return {};
+  tightenPermissions(path);
   try {
     return JSON.parse(readFileSync(path, "utf-8"));
   } catch {
@@ -27,14 +33,193 @@ function loadConfig(path = CONFIG_PATH) {
   }
 }
 function saveConfig(config, path = CONFIG_PATH) {
-  writeFileSync(path, JSON.stringify(config, null, 2));
+  writeFileSync(path, JSON.stringify(config, null, 2), { mode: SECURE_FILE_MODE });
+  tightenPermissions(path);
+}
+function tightenPermissions(path) {
+  if (process.platform === "win32") return;
+  try {
+    const current = statSync(path).mode & 511;
+    if (current !== SECURE_FILE_MODE) chmodSync(path, SECURE_FILE_MODE);
+  } catch {
+  }
+}
+
+// src/endpoint.ts
+var DEFAULT_ENDPOINT = "https://api.mushimushi.dev";
+var TEST_REPORT_TIMEOUT_MS = 1e4;
+var TEST_REPORT_FETCH_TIMEOUT_MS = TEST_REPORT_TIMEOUT_MS;
+function normalizeEndpoint(url) {
+  const input = url ?? DEFAULT_ENDPOINT;
+  let end = input.length;
+  while (end > 0 && input.charCodeAt(end - 1) === 47) end--;
+  return input.slice(0, end);
+}
+
+// src/freshness.ts
+var REGISTRY = "https://registry.npmjs.org";
+var DEFAULT_TIMEOUT_MS = 2e3;
+async function checkFreshness(packageName, currentVersion, opts = {}) {
+  if (process.env.MUSHI_NO_UPDATE_CHECK === "1") return null;
+  const registry = opts.registry ?? REGISTRY;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(
+      `${registry}/${encodeURIComponent(packageName)}/latest`,
+      {
+        signal: controller.signal,
+        headers: { Accept: "application/json" }
+      }
+    );
+    if (!res.ok) return null;
+    const body = await res.json();
+    const latest = typeof body.version === "string" ? body.version : null;
+    if (!latest) return null;
+    return {
+      current: currentVersion,
+      latest,
+      isOutdated: isNewerStableVersion(latest, currentVersion)
+    };
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function isNewerStableVersion(latest, current) {
+  const latestCore = stripPreRelease(latest);
+  if (hasPreReleaseTag(latest)) return false;
+  const [la, lb, lc] = parse(latestCore);
+  const [ca, cb, cc] = parse(stripPreRelease(current));
+  if (la !== ca) return la > ca;
+  if (lb !== cb) return lb > cb;
+  return lc > cc;
+}
+function stripPreRelease(version) {
+  const idx = version.indexOf("-");
+  return idx === -1 ? version : version.slice(0, idx);
+}
+function hasPreReleaseTag(version) {
+  return version.includes("-");
+}
+function parse(version) {
+  const parts = version.split(".").map((part) => Number(part));
+  return [
+    Number.isFinite(parts[0]) ? parts[0] : 0,
+    Number.isFinite(parts[1]) ? parts[1] : 0,
+    Number.isFinite(parts[2]) ? parts[2] : 0
+  ];
+}
+
+// src/monorepo.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2, readdirSync, statSync as statSync2 } from "fs";
+import { dirname, join as join2, resolve } from "path";
+var WORKSPACE_GLOB_CANDIDATES = ["apps/*", "packages/*", "examples/*"];
+var FRAMEWORK_DEPS = {
+  next: "Next.js",
+  nuxt: "Nuxt",
+  "@sveltejs/kit": "SvelteKit",
+  "@angular/core": "Angular",
+  expo: "Expo",
+  "react-native": "React Native",
+  "@capacitor/core": "Capacitor",
+  svelte: "Svelte",
+  vue: "Vue",
+  react: "React"
+};
+function detectWorkspaceHint(cwd) {
+  const root = findWorkspaceRoot(cwd);
+  if (!root) return null;
+  const rootPkg = readPackageJsonSafely(join2(root, "package.json"));
+  if (rootPkg && getFrameworkFromPkg(rootPkg)) return null;
+  const source = existsSync2(join2(root, "pnpm-workspace.yaml")) ? "pnpm-workspace" : root === cwd ? "package-json" : "parent";
+  const apps = collectAppsFromGlobs(root);
+  if (apps.length === 0) return null;
+  return { root, apps, source };
+}
+function findWorkspaceRoot(start) {
+  let dir = resolve(start);
+  for (let i = 0; i < 8; i++) {
+    if (isWorkspaceRoot(dir)) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function isWorkspaceRoot(dir) {
+  if (existsSync2(join2(dir, "pnpm-workspace.yaml"))) return true;
+  const pkg = readPackageJsonSafely(join2(dir, "package.json"));
+  if (!pkg) return false;
+  return Boolean(pkg.workspaces);
+}
+function collectAppsFromGlobs(root) {
+  const results = [];
+  for (const glob of WORKSPACE_GLOB_CANDIDATES) {
+    const prefix = glob.replace("/*", "");
+    const parentDir = join2(root, prefix);
+    if (!existsSync2(parentDir)) continue;
+    let entries;
+    try {
+      entries = readdirSync(parentDir);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const pkgPath = join2(parentDir, entry, "package.json");
+      if (!isFileSafe(pkgPath)) continue;
+      const pkg = readPackageJsonSafely(pkgPath);
+      if (!pkg) continue;
+      const framework = getFrameworkFromPkg(pkg);
+      if (!framework) continue;
+      results.push({
+        name: pkg.name ?? `${prefix}/${entry}`,
+        relativePath: `${prefix}/${entry}`,
+        framework
+      });
+    }
+  }
+  return results;
+}
+function readPackageJsonSafely(path) {
+  if (!isFileSafe(path)) return null;
+  try {
+    return JSON.parse(readFileSync2(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function isFileSafe(path) {
+  try {
+    return existsSync2(path) && statSync2(path).isFile();
+  } catch {
+    return false;
+  }
+}
+function getFrameworkFromPkg(pkg) {
+  const deps = {
+    ...pkg.dependencies ?? {},
+    ...pkg.devDependencies ?? {},
+    ...pkg.peerDependencies ?? {}
+  };
+  for (const dep of Object.keys(FRAMEWORK_DEPS)) {
+    if (dep in deps) return FRAMEWORK_DEPS[dep];
+  }
+  return void 0;
 }
 
 // src/init.ts
 var ENV_FILES = [".env.local", ".env"];
+var PROJECT_ID_PATTERN = /^proj_[A-Za-z0-9_-]{10,}$/;
+var API_KEY_PATTERN = /^mushi_[A-Za-z0-9_-]{10,}$/;
 async function runInit(options = {}) {
   const cwd = options.cwd ?? process.cwd();
+  ensureInteractiveOrBailOut(options);
   p.intro("\u{1F41B} Mushi Mushi setup wizard");
+  await printFreshnessHint();
+  warnIfWorkspaceRoot(cwd);
   const pkg = readPackageJson(cwd);
   if (!pkg) {
     p.log.warn("No package.json found in this directory.");
@@ -53,15 +238,28 @@ async function runInit(options = {}) {
   const pm = detectPackageManager(cwd);
   const packagesToInstall = framework.needsWebPackage ? [framework.packageName, "@mushi-mushi/web"] : [framework.packageName];
   if (!options.skipInstall) {
-    await installPackages(pm, packagesToInstall);
+    await installPackages(pm, packagesToInstall, cwd);
   } else {
     p.log.info(`Skipped install. Run \`${installCommand(pm, packagesToInstall)}\` yourself.`);
   }
   writeEnvFile(cwd, credentials.apiKey, credentials.projectId, framework);
   persistCliConfig(credentials.apiKey, credentials.projectId);
   printNextSteps(framework, credentials.apiKey, credentials.projectId);
+  await maybeSendTestReport(credentials, options);
   p.outro("Setup complete. Happy bug squashing \u{1F41B}");
 }
+function ensureInteractiveOrBailOut(options) {
+  const isTTY = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  if (isTTY) return;
+  const hasAllFlags = Boolean(
+    (options.framework || options.yes) && options.projectId && options.apiKey
+  );
+  if (hasAllFlags) return;
+  process.stderr.write(
+    "mushi-mushi: non-interactive terminal detected.\nPass all of --yes (or --framework), --project-id, and --api-key to run unattended.\nExample: npx mushi-mushi --yes --project-id proj_xxx --api-key mushi_xxx\n"
+  );
+  process.exit(1);
+}
 async function chooseFramework(detected, options) {
   if (options.framework) {
     const explicit = FRAMEWORKS[options.framework];
@@ -90,23 +288,48 @@ async function chooseFramework(detected, options) {
 }
 async function collectCredentials(options) {
   const existing = loadConfig();
-  const projectId = options.projectId ?? existing.projectId ?? await promptText({
+  const rawProjectId = options.projectId ?? existing.projectId ?? await promptText({
     message: "Project ID",
     placeholder: "proj_xxxxxxxxxxxx",
-    hint: "Find this at https://kensaur.us/mushi-mushi/projects"
+    hint: "Find this at https://kensaur.us/mushi-mushi/projects",
+    validate: (v) => PROJECT_ID_PATTERN.test(v) ? void 0 : "Expected format: proj_ followed by 10+ alphanumeric characters"
   });
-  const apiKey = options.apiKey ?? existing.apiKey ?? await promptText({
+  const rawApiKey = options.apiKey ?? existing.apiKey ?? await promptText({
     message: "API key",
     placeholder: "mushi_xxxxxxxxxxxx",
-    hint: "Treat this like a password \u2014 it goes in your env file, not in source."
+    hint: "Treat this like a password \u2014 it goes in your env file, not in source.",
+    validate: (v) => API_KEY_PATTERN.test(v) ? void 0 : "Expected format: mushi_ followed by 10+ alphanumeric characters"
   });
+  const projectId = sanitizeSecret(rawProjectId);
+  const apiKey = sanitizeSecret(rawApiKey);
+  if (!PROJECT_ID_PATTERN.test(projectId)) {
+    throw new Error(
+      `Invalid project ID. Expected format: proj_[A-Za-z0-9_-]{10,}. Got: ${redact(projectId)}`
+    );
+  }
+  if (!API_KEY_PATTERN.test(apiKey)) {
+    throw new Error(
+      `Invalid API key. Expected format: mushi_[A-Za-z0-9_-]{10,}. Got: ${redact(apiKey)}`
+    );
+  }
   return { projectId, apiKey };
 }
+function sanitizeSecret(raw) {
+  return raw.trim().replace(/^['"]|['"]$/g, "").replace(/[\r\n\0]/g, "");
+}
+function redact(value) {
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}\u2026${value.slice(-2)}`;
+}
 async function promptText(opts) {
   const value = await p.text({
     message: opts.message,
     placeholder: opts.placeholder,
-    validate: (v) => v.length === 0 ? "Required" : void 0
+    validate: (v) => {
+      const clean = sanitizeSecret(v);
+      if (clean.length === 0) return "Required";
+      return opts.validate ? opts.validate(clean) : void 0;
+    }
   });
   if (p.isCancel(value)) {
     p.cancel("Aborted.");
@@ -115,34 +338,40 @@ async function promptText(opts) {
   if (opts.hint) p.log.info(opts.hint);
   return value;
 }
-async function installPackages(pm, packages) {
+async function installPackages(pm, packages, cwd) {
   const command = installCommand(pm, packages);
   const spinner2 = p.spinner();
   spinner2.start(`Installing ${packages.join(", ")} via ${pm}\u2026`);
   try {
-    await runCommand(pm, packages);
+    await runCommand(pm, packages, cwd);
     spinner2.stop(`Installed ${packages.join(", ")}`);
   } catch (err) {
     spinner2.stop(`Install failed \u2014 run \`${command}\` manually.`);
-    p.log.error(err instanceof Error ? err.message : String(err));
+    p.log.error(err instanceof Error ? err.name + ": " + err.message : String(err));
   }
 }
-function runCommand(pm, packages) {
-  return new Promise((resolve, reject) => {
-    const verb = pm === "npm" ? "install" : "add";
-    const child = spawn(pm, [verb, ...packages], { stdio: "inherit", shell: true });
+function runCommand(pm, packages, cwd) {
+  const verb = pm === "npm" ? "install" : "add";
+  const command = process.platform === "win32" ? `${pm}.cmd` : pm;
+  return new Promise((resolve2, reject) => {
+    const child = spawn(command, [verb, ...packages], {
+      stdio: "inherit",
+      shell: false,
+      cwd,
+      env: process.env
+    });
     child.on("error", reject);
     child.on("exit", (code) => {
-      if (code === 0) resolve();
-      else reject(new Error(`${pm} exited with code ${code}`));
+      if (code === 0) resolve2();
+      else reject(new Error(`${pm} exited with code ${code ?? "null"}`));
     });
   });
 }
 function writeEnvFile(cwd, apiKey, projectId, framework) {
-  const target = ENV_FILES.find((f) => existsSync2(join2(cwd, f))) ?? ENV_FILES[0];
-  const targetPath = join2(cwd, target);
+  const target = ENV_FILES.find((f) => existsSync3(join3(cwd, f))) ?? ENV_FILES[0];
+  const targetPath = join3(cwd, target);
   const newVars = envVarsToWrite(apiKey, projectId, framework);
-  const existing = existsSync2(targetPath) ? readFileSync2(targetPath, "utf-8") : "";
+  const existing = existsSync3(targetPath) ? readFileSync3(targetPath, "utf-8") : "";
   if (existing.includes("MUSHI_PROJECT_ID")) {
     p.log.warn(`Existing MUSHI_* vars found in ${target} \u2014 leaving them untouched.`);
     return;
@@ -152,20 +381,38 @@ function writeEnvFile(cwd, apiKey, projectId, framework) {
 # Mushi Mushi
 ${newVars}
 `);
-  if (!existing) {
-    writeFileSync2(targetPath, readFileSync2(targetPath, "utf-8"));
-  }
   p.log.success(`Wrote env vars to ${target}`);
   warnIfMissingFromGitignore(cwd, target);
 }
+function isEnvFileCoveredByGitignore(gitignoreContent, envFile) {
+  const lines = gitignoreContent.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+  let covered = false;
+  for (const line of lines) {
+    if (line.startsWith("!")) {
+      if (matchesGitignorePattern(line.slice(1), envFile)) covered = false;
+      continue;
+    }
+    if (matchesGitignorePattern(line, envFile)) covered = true;
+  }
+  return covered;
+}
+function matchesGitignorePattern(pattern, filename) {
+  if (pattern.endsWith("/")) return false;
+  const normalized = pattern.startsWith("/") ? pattern.slice(1) : pattern;
+  const regexSource = normalized.split("").map((ch) => ch === "*" ? "[^/]*" : escapeRegexChar(ch)).join("");
+  return new RegExp(`^${regexSource}$`).test(filename);
+}
+function escapeRegexChar(ch) {
+  return /[-/\\^$+?.()|[\]{}]/.test(ch) ? `\\${ch}` : ch;
+}
 function warnIfMissingFromGitignore(cwd, envFile) {
-  const gitignorePath = join2(cwd, ".gitignore");
-  if (!existsSync2(gitignorePath)) {
+  const gitignorePath = join3(cwd, ".gitignore");
+  if (!existsSync3(gitignorePath)) {
     p.log.warn(`No .gitignore found \u2014 make sure ${envFile} is not committed.`);
     return;
   }
-  const content = readFileSync2(gitignorePath, "utf-8");
-  if (!content.split("\n").some((line) => line.trim() === envFile || line.trim() === ".env*")) {
+  const content = readFileSync3(gitignorePath, "utf-8");
+  if (!isEnvFileCoveredByGitignore(content, envFile)) {
     p.log.warn(`${envFile} is not in .gitignore \u2014 add it before committing.`);
   }
 }
@@ -180,6 +427,103 @@ function printNextSteps(framework, apiKey, projectId) {
   p.log.message("  \u2022 Look for the \u{1F41B} button in the bottom-right corner (or shake on mobile)");
   p.log.message("  \u2022 Submit a test report \u2014 it should appear at https://kensaur.us/mushi-mushi/reports");
 }
+async function maybeSendTestReport(credentials, options) {
+  if (options.sendTestReport === false) return;
+  let shouldSend;
+  if (options.sendTestReport === true || options.yes) {
+    shouldSend = true;
+  } else {
+    const answer = await p.confirm({
+      message: "Send a test report now to verify the pipeline?",
+      initialValue: true
+    });
+    if (p.isCancel(answer)) return;
+    shouldSend = answer;
+  }
+  if (!shouldSend) return;
+  const spinner2 = p.spinner();
+  spinner2.start("Sending test report\u2026");
+  const endpoint = normalizeEndpoint(options.endpoint);
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), TEST_REPORT_FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(`${endpoint}/v1/reports`, {
+      method: "POST",
+      signal: controller.signal,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Mushi-Api-Key": credentials.apiKey,
+        "X-Mushi-Project": credentials.projectId
+      },
+      body: JSON.stringify({
+        projectId: credentials.projectId,
+        description: "Test report from the mushi-mushi setup wizard",
+        category: "other",
+        reporterToken: `wizard-${randomUUID()}`,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        environment: {
+          url: "cli://wizard",
+          userAgent: `mushi-wizard/${process.platform}-${process.arch}`,
+          platform: process.platform,
+          language: "en",
+          viewport: { width: 0, height: 0 },
+          referrer: "",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          timezone: Intl.DateTimeFormat().resolvedOptions().timeZone
+        }
+      })
+    });
+    if (!res.ok) {
+      spinner2.stop(`Test report rejected (HTTP ${res.status}).`);
+      p.log.warn(
+        res.status === 401 || res.status === 403 ? "Credentials did not authenticate \u2014 double-check the project ID and API key." : "Skipping test report. You can retry with `mushi test`."
+      );
+      return;
+    }
+    spinner2.stop("Test report sent.");
+    p.log.success("View it at https://kensaur.us/mushi-mushi/reports");
+  } catch (err) {
+    const aborted = err instanceof Error && err.name === "AbortError";
+    spinner2.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");
+    p.log.warn(err instanceof Error ? err.message : String(err));
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function printFreshnessHint() {
+  const result = await checkFreshness("mushi-mushi", MUSHI_CLI_VERSION);
+  if (!result || !result.isOutdated) return;
+  p.log.info(
+    `A newer version of mushi-mushi is available: ${result.current} \u2192 ${result.latest}. Run \`npx mushi-mushi@latest\` to get the freshest wizard.`
+  );
+}
+function warnIfWorkspaceRoot(cwd) {
+  let hint;
+  try {
+    hint = detectWorkspaceHint(cwd);
+  } catch {
+    return;
+  }
+  if (!hint || hint.apps.length === 0) return;
+  const hasFrameworkAtCwd = hint.apps.some(
+    (app) => isSameDirectory(cwd, resolveWorkspaceAppPath(hint.root, app.relativePath))
+  );
+  if (hasFrameworkAtCwd) return;
+  const apps = hint.apps.slice(0, 5).map((app) => `  \u2022 ${app.relativePath} (${app.framework})`).join("\n");
+  p.log.warn(
+    `You appear to be at a workspace root (source: ${hint.source}). Mushi will install into the current directory, which has no framework dep. You probably meant one of these sub-packages:
+${apps}
+Run \`mushi init --cwd <path>\` \u2014 or re-run the wizard from inside that package.`
+  );
+}
+function resolveWorkspaceAppPath(root, relativePath) {
+  return `${root}/${relativePath}`.replace(/\\/g, "/");
+}
+function isSameDirectory(a, b) {
+  return a.replace(/\\/g, "/").replace(/\/+$/, "") === b.replace(/\\/g, "/").replace(/\/+$/, "");
+}
 export {
-  runInit
+  isEnvFileCoveredByGitignore,
+  runInit,
+  sanitizeSecret
 };

package/dist/version.d.ts

@@ -0,0 +1,11 @@
+/**
+ * FILE: packages/cli/src/version.ts
+ * PURPOSE: Single source of truth for the CLI version at runtime.
+ *
+ * The bundler (tsup) replaces `__MUSHI_CLI_VERSION__` with the literal from
+ * `package.json` at build time. Falling back to `'0.0.0-dev'` keeps
+ * `tsc --noEmit` happy during development.
+ */
+declare const MUSHI_CLI_VERSION: string;
+
+export { MUSHI_CLI_VERSION };

package/dist/version.js

@@ -0,0 +1,6 @@
+import {
+  MUSHI_CLI_VERSION
+} from "./chunk-I3FFGUE5.js";
+export {
+  MUSHI_CLI_VERSION
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mushi-mushi/cli",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "license": "MIT",
   "description": "CLI for Mushi Mushi — `mushi init` wizard installs the right SDK for your framework, plus report triage and pipeline health commands",
   "bin": {
@@ -28,8 +28,13 @@
   "bugs": {
     "url": "https://github.com/kensaurus/mushi-mushi/issues"
   },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/sponsors/kensaurus"
+  },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "dist",
@@ -78,6 +83,12 @@
         "types": "./dist/detect.d.ts",
         "default": "./dist/detect.js"
       }
+    },
+    "./version": {
+      "import": {
+        "types": "./dist/version.d.ts",
+        "default": "./dist/version.js"
+      }
     }
   },
   "type": "module",