@mushi-mushi/cli 0.4.0 → 0.5.1

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,51 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at **security@mushimushi.dev**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.

package/CONTRIBUTING.md

@@ -0,0 +1,122 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributing to Mushi Mushi
+
+Thanks for wanting to help. Here's everything you need to get started.
+
+## Prerequisites
+
+- **Node.js >= 22** (see `.node-version`)
+- **pnpm >= 10** — install with `corepack enable`
+
+## Setup
+
+```bash
+git clone https://github.com/kensaurus/mushi-mushi.git
+cd mushi-mushi
+pnpm install
+pnpm build
+```
+
+## Development
+
+```bash
+pnpm dev          # Start all dev servers (admin on :6464)
+pnpm test         # Run Vitest across all packages
+pnpm typecheck    # TypeScript checks
+pnpm lint         # ESLint
+pnpm format       # Prettier
+```
+
+### Working on a single package
+
+```bash
+cd packages/core
+pnpm dev          # Watch mode
+pnpm test         # Tests for this package only
+```
+
+## Project Structure
+
+```
+packages/
+  core/          Types, API client, offline queue (MIT)
+  web/           Browser SDK — widget, capture (MIT)
+  react/         React bindings (MIT)
+  vue/           Vue 3 plugin (MIT)
+  svelte/        Svelte SDK (MIT)
+  angular/       Angular SDK (MIT)
+  react-native/  React Native SDK (MIT)
+  cli/           CLI tool (MIT)
+  mcp/           MCP server for coding agents (MIT)
+  server/        Supabase Edge Functions (BSL)
+  agents/        Agentic fix pipeline (BSL)
+  verify/        Fix verification (BSL)
+apps/
+  admin/         Admin dashboard (React + Tailwind)
+  docs/          Documentation site (planned)
+tooling/
+  eslint-config/ Shared ESLint flat config
+  tsconfig/      Shared TypeScript configs
+```
+
+## Making Changes
+
+1. Create a feature branch from `master`
+2. Make your changes
+3. Add tests for new functionality
+4. Run `pnpm typecheck && pnpm lint && pnpm test` to verify
+5. Create a changeset if your change affects published packages:
+   ```bash
+   pnpm changeset
+   ```
+6. Open a pull request
+
+## Changesets
+
+We use [Changesets](https://github.com/changesets/changesets) for versioning. If your PR modifies a published package (`core`, `web`, `react`, `vue`, `svelte`, `angular`, `react-native`, `cli`, `mcp`), add a changeset:
+
+```bash
+pnpm changeset
+```
+
+Select the affected packages, the semver bump type, and write a summary. The changeset file gets committed with your PR.
+
+## Code Style
+
+- **TypeScript strict mode** — no `any` unless absolutely necessary
+- **Prettier** formats everything — run `pnpm format` before committing
+- **ESLint** catches bugs — `pnpm lint` must pass
+- **No default exports** in library packages — use named exports
+- **Dual ESM/CJS** builds via tsup for all SDK packages
+
+## Commit Messages
+
+Use conventional commits:
+
+```
+feat(core): add batch report submission
+fix(web): prevent widget from opening during screenshot
+docs(react): update provider usage example
+chore: bump dependencies
+```
+
+## Tests
+
+- **Framework:** Vitest
+- **Location:** Co-located with source (`src/foo.test.ts`)
+- **Coverage:** Required for `core`, `web`, `react` — encouraged for all packages
+
+## License
+
+- SDK packages are MIT — your contributions will be MIT-licensed
+- Server/agents/verify are BSL 1.1 — contributions to those packages fall under BSL
+
+## Questions?
+
+Open an issue or start a discussion. We're happy to help.

package/README.md

@@ -6,41 +6,52 @@ CLI for Mushi Mushi — set up the SDK in one command, then triage reports and m
 
 ```bash
 npx @mushi-mushi/cli init
-# or, equivalently:
-npx mushi-mushi init
+# equivalently:
+npx mushi-mushi
 ```
 
 The wizard:
 
 1. Detects your framework (Next.js, Nuxt, SvelteKit, Angular, Expo, Capacitor, plain React/Vue/Svelte, or vanilla JS) from `package.json` and config files.
 2. Picks the right SDK package (`@mushi-mushi/react`, `@mushi-mushi/vue`, etc.) plus `@mushi-mushi/web` when the framework SDK is API-only.
-3. Detects your package manager (npm / pnpm / yarn / bun) from your lockfile and installs with that.
+3. Detects your package manager (npm / pnpm / yarn / bun) from your lockfile and installs with that — `shell: false`, with Windows `.cmd` shim resolution.
 4. Writes `MUSHI_PROJECT_ID` and `MUSHI_API_KEY` (with the right framework prefix — `NEXT_PUBLIC_`, `NUXT_PUBLIC_`, `VITE_`) to `.env.local` (or `.env`).
-5. Warns you if `.env.local` isn't in `.gitignore`.
+5. Warns you if `.env.local` isn't in `.gitignore` (covers `.env*.local`, `*.local`, etc.).
 6. Prints the framework-specific provider snippet to copy-paste.
+7. Offers to **send a real test report** so you see your first classified bug in the console immediately. Opt out via `--skip-test-report`.
 
-It never silently overwrites existing env vars or modifies application code.
+It never silently overwrites existing env vars or modifies application code. Pasted credentials are sanitized (stripped of quotes / CR / LF / NUL) and validated against `^proj_[A-Za-z0-9_-]{10,}$` / `^mushi_[A-Za-z0-9_-]{10,}$` before anything is written to disk.
 
 ### Flags
 
 ```bash
-mushi init --framework next         # skip framework detection
-mushi init --project-id proj_xxx --api-key mushi_xxx  # skip credential prompts
-mushi init --skip-install           # print the install command instead of running it
-mushi init -y                       # accept the detected framework without confirmation
+mushi init --framework next                             # skip framework detection
+mushi init --project-id proj_xxx --api-key mushi_xxx    # skip credential prompts
+mushi init --skip-install                               # print the install command instead
+mushi init --skip-test-report                           # don't offer to send a test report
+mushi init --cwd apps/web                               # run in a sub-package of a monorepo
+mushi init --endpoint https://mushi.your-company.com    # self-hosted Mushi API
+mushi init -y                                           # accept the detected framework
 ```
 
+Non-interactive use (CI): pass `--yes --project-id proj_xxx --api-key mushi_xxx` or the wizard exits with a clear error instead of hanging on a prompt.
+
+Stale-version hint: the wizard checks the npm registry (2s timeout) and prints a one-line upgrade nudge if a newer stable is published. Opt out with `MUSHI_NO_UPDATE_CHECK=1`.
+
+Monorepo awareness: if you run the wizard at a workspace root with no framework dep, it scans `apps/*`, `packages/*`, `examples/*` and tells you which sub-package you probably meant (`mushi init --cwd apps/web`).
+
 ## Install globally
 
 ```bash
 npm install -g @mushi-mushi/cli
 mushi --help
+mushi --version
 ```
 
 ## Other commands
 
 ```bash
-mushi login --api-key mushi_xxx     # store credentials in ~/.mushirc
+mushi login --api-key mushi_xxx     # store credentials in ~/.mushirc (mode 0o600)
 mushi status                         # project overview
 mushi reports list                   # recent reports
 mushi reports show <id>              # one report
@@ -48,8 +59,16 @@ mushi reports triage <id> --status acknowledged --severity high
 mushi deploy check                   # edge-function health probe
 mushi index <path>                   # walk a local repo and feed RAG
 mushi test                           # submit a test report end-to-end
+mushi config endpoint https://...    # set API endpoint (https:// required outside localhost)
 ```
 
+## Security notes
+
+- `~/.mushirc` is written with mode `0o600` on Unix. Legacy configs with looser permissions are tightened on load.
+- `--endpoint` values are parsed through `new URL()` and required to use `https://` except for `localhost` / `127.0.0.1` / `*.local`.
+- The `--api-key` flag leaks into `ps -ef` — prefer the interactive prompt on shared machines.
+- Full stack traces on error: `DEBUG=mushi mushi init`.
+
 ## License
 
 MIT

package/SECURITY.md

@@ -0,0 +1,50 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.x     | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly.
+
+**Do NOT open a public GitHub issue.**
+
+Instead, email: **security@mushimushi.dev**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+- Suggested fix (if any)
+
+We will acknowledge receipt within 48 hours and aim to release a patch within 7 days for critical issues.
+
+## Scope
+
+- All `@mushi-mushi/*` npm packages
+- Supabase Edge Functions (server-side)
+- Admin console application
+- CLI tool
+
+## Out of Scope
+
+- Self-hosted deployments configured by the user
+- Third-party integrations (Jira, Linear, PagerDuty)
+- Vulnerabilities requiring physical access
+
+## Security Best Practices for Users
+
+- **Never commit your API keys** — use environment variables
+- **Rotate API keys** regularly via the admin console
+- **Enable SSO** for team projects (Enterprise tier)
+- **Review audit logs** periodically for suspicious activity

package/dist/chunk-HLROA5KU.js

@@ -0,0 +1,6 @@
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.5.1" : "0.0.0-dev";
+
+export {
+  MUSHI_CLI_VERSION
+};

package/dist/{chunk-YZOGONU4.js → chunk-ZZNVMBMG.js}

@@ -1,6 +1,22 @@
 // src/detect.ts
 import { readFileSync, existsSync } from "fs";
 import { join } from "path";
+var FRAMEWORK_IDS = [
+  "next",
+  "react",
+  "vue",
+  "nuxt",
+  "svelte",
+  "sveltekit",
+  "angular",
+  "expo",
+  "react-native",
+  "capacitor",
+  "vanilla"
+];
+function isFrameworkId(value) {
+  return typeof value === "string" && FRAMEWORK_IDS.includes(value);
+}
 var FRAMEWORKS = {
   next: {
     id: "next",
@@ -229,6 +245,8 @@ function collectDeps(pkg) {
 }
 
 export {
+  FRAMEWORK_IDS,
+  isFrameworkId,
   FRAMEWORKS,
   readPackageJson,
   detectFramework,

package/dist/detect.d.ts

@@ -18,6 +18,8 @@ interface PackageJson {
     peerDependencies?: Record<string, string>;
 }
 type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';
+declare const FRAMEWORK_IDS: ReadonlyArray<FrameworkId>;
+declare function isFrameworkId(value: unknown): value is FrameworkId;
 declare const FRAMEWORKS: Record<FrameworkId, Framework>;
 declare function readPackageJson(cwd: string): PackageJson | null;
 declare function detectFramework(cwd: string, pkg: PackageJson | null): Framework;
@@ -25,4 +27,4 @@ declare function detectPackageManager(cwd: string): PackageManager;
 declare function installCommand(pm: PackageManager, packages: string[]): string;
 declare function envVarsToWrite(apiKey: string, projectId: string, framework: Framework): string;
 
-export { FRAMEWORKS, type Framework, type FrameworkId, type PackageJson, type PackageManager, detectFramework, detectPackageManager, envVarsToWrite, installCommand, readPackageJson };
+export { FRAMEWORKS, FRAMEWORK_IDS, type Framework, type FrameworkId, type PackageJson, type PackageManager, detectFramework, detectPackageManager, envVarsToWrite, installCommand, isFrameworkId, readPackageJson };

package/dist/detect.js

@@ -1,16 +1,20 @@
 import {
   FRAMEWORKS,
+  FRAMEWORK_IDS,
   detectFramework,
   detectPackageManager,
   envVarsToWrite,
   installCommand,
+  isFrameworkId,
   readPackageJson
-} from "./chunk-YZOGONU4.js";
+} from "./chunk-ZZNVMBMG.js";
 export {
   FRAMEWORKS,
+  FRAMEWORK_IDS,
   detectFramework,
   detectPackageManager,
   envVarsToWrite,
   installCommand,
+  isFrameworkId,
   readPackageJson
 };