@mushi-mushi/cli 0.4.0 → 0.5.1

package/dist/index.js

@@ -4,12 +4,14 @@
 import { Command } from "commander";
 
 // src/config.ts
-import { readFileSync, writeFileSync, existsSync } from "fs";
+import { chmodSync, readFileSync, statSync, writeFileSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 var CONFIG_PATH = join(homedir(), ".mushirc");
+var SECURE_FILE_MODE = 384;
 function loadConfig(path = CONFIG_PATH) {
   if (!existsSync(path)) return {};
+  tightenPermissions(path);
   try {
     return JSON.parse(readFileSync(path, "utf-8"));
   } catch {
@@ -17,14 +19,24 @@ function loadConfig(path = CONFIG_PATH) {
   }
 }
 function saveConfig(config, path = CONFIG_PATH) {
-  writeFileSync(path, JSON.stringify(config, null, 2));
+  writeFileSync(path, JSON.stringify(config, null, 2), { mode: SECURE_FILE_MODE });
+  tightenPermissions(path);
+}
+function tightenPermissions(path) {
+  if (process.platform === "win32") return;
+  try {
+    const current = statSync(path).mode & 511;
+    if (current !== SECURE_FILE_MODE) chmodSync(path, SECURE_FILE_MODE);
+  } catch {
+  }
 }
 
 // src/init.ts
 import * as p from "@clack/prompts";
 import { spawn } from "child_process";
-import { appendFileSync, existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { join as join3 } from "path";
+import { randomUUID } from "crypto";
+import { appendFileSync, existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
+import { join as join4 } from "path";
 
 // src/detect.ts
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
@@ -256,11 +268,198 @@ function collectDeps(pkg) {
   ]);
 }
 
+// src/endpoint.ts
+var DEFAULT_ENDPOINT = "https://api.mushimushi.dev";
+var TEST_REPORT_TIMEOUT_MS = 1e4;
+var TEST_REPORT_FETCH_TIMEOUT_MS = TEST_REPORT_TIMEOUT_MS;
+function assertEndpoint(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid endpoint URL: ${url}`);
+  }
+  const host = parsed.hostname;
+  const isLocal = host === "localhost" || host === "127.0.0.1" || host === "::1" || host.endsWith(".local");
+  if (parsed.protocol !== "https:" && !isLocal) {
+    throw new Error(`Endpoint must use https:// (got ${parsed.protocol}//${host}).`);
+  }
+  return parsed.origin + (parsed.pathname === "/" ? "" : parsed.pathname);
+}
+function normalizeEndpoint(url) {
+  const input = url ?? DEFAULT_ENDPOINT;
+  let end = input.length;
+  while (end > 0 && input.charCodeAt(end - 1) === 47) end--;
+  return input.slice(0, end);
+}
+
+// src/freshness.ts
+var REGISTRY = "https://registry.npmjs.org";
+var DEFAULT_TIMEOUT_MS = 2e3;
+async function checkFreshness(packageName, currentVersion, opts = {}) {
+  if (process.env.MUSHI_NO_UPDATE_CHECK === "1") return null;
+  const registry = opts.registry ?? REGISTRY;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(
+      `${registry}/${encodeURIComponent(packageName)}/latest`,
+      {
+        signal: controller.signal,
+        headers: { Accept: "application/json" }
+      }
+    );
+    if (!res.ok) return null;
+    const body = await res.json();
+    const latest = typeof body.version === "string" ? body.version : null;
+    if (!latest) return null;
+    return {
+      current: currentVersion,
+      latest,
+      isOutdated: isNewerStableVersion(latest, currentVersion)
+    };
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function isNewerStableVersion(latest, current) {
+  const latestCore = stripPreRelease(latest);
+  if (hasPreReleaseTag(latest)) return false;
+  const [la, lb, lc] = parse(latestCore);
+  const [ca, cb, cc] = parse(stripPreRelease(current));
+  if (la !== ca) return la > ca;
+  if (lb !== cb) return lb > cb;
+  return lc > cc;
+}
+function stripPreRelease(version) {
+  const idx = version.indexOf("-");
+  return idx === -1 ? version : version.slice(0, idx);
+}
+function hasPreReleaseTag(version) {
+  return version.includes("-");
+}
+function parse(version) {
+  const parts = version.split(".").map((part) => Number(part));
+  return [
+    Number.isFinite(parts[0]) ? parts[0] : 0,
+    Number.isFinite(parts[1]) ? parts[1] : 0,
+    Number.isFinite(parts[2]) ? parts[2] : 0
+  ];
+}
+
+// src/monorepo.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, readdirSync, statSync as statSync2 } from "fs";
+import { dirname, join as join3, resolve } from "path";
+var WORKSPACE_GLOB_CANDIDATES = ["apps/*", "packages/*", "examples/*"];
+var FRAMEWORK_DEPS = {
+  next: "Next.js",
+  nuxt: "Nuxt",
+  "@sveltejs/kit": "SvelteKit",
+  "@angular/core": "Angular",
+  expo: "Expo",
+  "react-native": "React Native",
+  "@capacitor/core": "Capacitor",
+  svelte: "Svelte",
+  vue: "Vue",
+  react: "React"
+};
+function detectWorkspaceHint(cwd) {
+  const root = findWorkspaceRoot(cwd);
+  if (!root) return null;
+  const rootPkg = readPackageJsonSafely(join3(root, "package.json"));
+  if (rootPkg && getFrameworkFromPkg(rootPkg)) return null;
+  const source = existsSync3(join3(root, "pnpm-workspace.yaml")) ? "pnpm-workspace" : root === cwd ? "package-json" : "parent";
+  const apps = collectAppsFromGlobs(root);
+  if (apps.length === 0) return null;
+  return { root, apps, source };
+}
+function findWorkspaceRoot(start) {
+  let dir = resolve(start);
+  for (let i = 0; i < 8; i++) {
+    if (isWorkspaceRoot(dir)) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function isWorkspaceRoot(dir) {
+  if (existsSync3(join3(dir, "pnpm-workspace.yaml"))) return true;
+  const pkg = readPackageJsonSafely(join3(dir, "package.json"));
+  if (!pkg) return false;
+  return Boolean(pkg.workspaces);
+}
+function collectAppsFromGlobs(root) {
+  const results = [];
+  for (const glob of WORKSPACE_GLOB_CANDIDATES) {
+    const prefix = glob.replace("/*", "");
+    const parentDir = join3(root, prefix);
+    if (!existsSync3(parentDir)) continue;
+    let entries;
+    try {
+      entries = readdirSync(parentDir);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      const pkgPath = join3(parentDir, entry, "package.json");
+      if (!isFileSafe(pkgPath)) continue;
+      const pkg = readPackageJsonSafely(pkgPath);
+      if (!pkg) continue;
+      const framework = getFrameworkFromPkg(pkg);
+      if (!framework) continue;
+      results.push({
+        name: pkg.name ?? `${prefix}/${entry}`,
+        relativePath: `${prefix}/${entry}`,
+        framework
+      });
+    }
+  }
+  return results;
+}
+function readPackageJsonSafely(path) {
+  if (!isFileSafe(path)) return null;
+  try {
+    return JSON.parse(readFileSync3(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function isFileSafe(path) {
+  try {
+    return existsSync3(path) && statSync2(path).isFile();
+  } catch {
+    return false;
+  }
+}
+function getFrameworkFromPkg(pkg) {
+  const deps = {
+    ...pkg.dependencies ?? {},
+    ...pkg.devDependencies ?? {},
+    ...pkg.peerDependencies ?? {}
+  };
+  for (const dep of Object.keys(FRAMEWORK_DEPS)) {
+    if (dep in deps) return FRAMEWORK_DEPS[dep];
+  }
+  return void 0;
+}
+
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.5.1" : "0.0.0-dev";
+
 // src/init.ts
 var ENV_FILES = [".env.local", ".env"];
+var PROJECT_ID_PATTERN = /^proj_[A-Za-z0-9_-]{10,}$/;
+var API_KEY_PATTERN = /^mushi_[A-Za-z0-9_-]{10,}$/;
 async function runInit(options = {}) {
   const cwd = options.cwd ?? process.cwd();
+  ensureInteractiveOrBailOut(options);
   p.intro("\u{1F41B} Mushi Mushi setup wizard");
+  await printFreshnessHint();
+  warnIfWorkspaceRoot(cwd);
   const pkg = readPackageJson(cwd);
   if (!pkg) {
     p.log.warn("No package.json found in this directory.");
@@ -279,15 +478,28 @@ async function runInit(options = {}) {
   const pm = detectPackageManager(cwd);
   const packagesToInstall = framework.needsWebPackage ? [framework.packageName, "@mushi-mushi/web"] : [framework.packageName];
   if (!options.skipInstall) {
-    await installPackages(pm, packagesToInstall);
+    await installPackages(pm, packagesToInstall, cwd);
   } else {
     p.log.info(`Skipped install. Run \`${installCommand(pm, packagesToInstall)}\` yourself.`);
   }
   writeEnvFile(cwd, credentials.apiKey, credentials.projectId, framework);
   persistCliConfig(credentials.apiKey, credentials.projectId);
   printNextSteps(framework, credentials.apiKey, credentials.projectId);
+  await maybeSendTestReport(credentials, options);
   p.outro("Setup complete. Happy bug squashing \u{1F41B}");
 }
+function ensureInteractiveOrBailOut(options) {
+  const isTTY = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  if (isTTY) return;
+  const hasAllFlags = Boolean(
+    (options.framework || options.yes) && options.projectId && options.apiKey
+  );
+  if (hasAllFlags) return;
+  process.stderr.write(
+    "mushi-mushi: non-interactive terminal detected.\nPass all of --yes (or --framework), --project-id, and --api-key to run unattended.\nExample: npx mushi-mushi --yes --project-id proj_xxx --api-key mushi_xxx\n"
+  );
+  process.exit(1);
+}
 async function chooseFramework(detected, options) {
   if (options.framework) {
     const explicit = FRAMEWORKS[options.framework];
@@ -316,23 +528,48 @@ async function chooseFramework(detected, options) {
 }
 async function collectCredentials(options) {
   const existing = loadConfig();
-  const projectId = options.projectId ?? existing.projectId ?? await promptText({
+  const rawProjectId = options.projectId ?? existing.projectId ?? await promptText({
     message: "Project ID",
     placeholder: "proj_xxxxxxxxxxxx",
-    hint: "Find this at https://kensaur.us/mushi-mushi/projects"
+    hint: "Find this at https://kensaur.us/mushi-mushi/projects",
+    validate: (v) => PROJECT_ID_PATTERN.test(v) ? void 0 : "Expected format: proj_ followed by 10+ alphanumeric characters"
   });
-  const apiKey = options.apiKey ?? existing.apiKey ?? await promptText({
+  const rawApiKey = options.apiKey ?? existing.apiKey ?? await promptText({
     message: "API key",
     placeholder: "mushi_xxxxxxxxxxxx",
-    hint: "Treat this like a password \u2014 it goes in your env file, not in source."
+    hint: "Treat this like a password \u2014 it goes in your env file, not in source.",
+    validate: (v) => API_KEY_PATTERN.test(v) ? void 0 : "Expected format: mushi_ followed by 10+ alphanumeric characters"
   });
+  const projectId = sanitizeSecret(rawProjectId);
+  const apiKey = sanitizeSecret(rawApiKey);
+  if (!PROJECT_ID_PATTERN.test(projectId)) {
+    throw new Error(
+      `Invalid project ID. Expected format: proj_[A-Za-z0-9_-]{10,}. Got: ${redact(projectId)}`
+    );
+  }
+  if (!API_KEY_PATTERN.test(apiKey)) {
+    throw new Error(
+      `Invalid API key. Expected format: mushi_[A-Za-z0-9_-]{10,}. Got: ${redact(apiKey)}`
+    );
+  }
   return { projectId, apiKey };
 }
+function sanitizeSecret(raw) {
+  return raw.trim().replace(/^['"]|['"]$/g, "").replace(/[\r\n\0]/g, "");
+}
+function redact(value) {
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}\u2026${value.slice(-2)}`;
+}
 async function promptText(opts) {
   const value = await p.text({
     message: opts.message,
     placeholder: opts.placeholder,
-    validate: (v) => v.length === 0 ? "Required" : void 0
+    validate: (v) => {
+      const clean = sanitizeSecret(v);
+      if (clean.length === 0) return "Required";
+      return opts.validate ? opts.validate(clean) : void 0;
+    }
   });
   if (p.isCancel(value)) {
     p.cancel("Aborted.");
@@ -341,34 +578,40 @@ async function promptText(opts) {
   if (opts.hint) p.log.info(opts.hint);
   return value;
 }
-async function installPackages(pm, packages) {
+async function installPackages(pm, packages, cwd) {
   const command = installCommand(pm, packages);
   const spinner2 = p.spinner();
   spinner2.start(`Installing ${packages.join(", ")} via ${pm}\u2026`);
   try {
-    await runCommand(pm, packages);
+    await runCommand(pm, packages, cwd);
     spinner2.stop(`Installed ${packages.join(", ")}`);
   } catch (err) {
     spinner2.stop(`Install failed \u2014 run \`${command}\` manually.`);
-    p.log.error(err instanceof Error ? err.message : String(err));
+    p.log.error(err instanceof Error ? err.name + ": " + err.message : String(err));
   }
 }
-function runCommand(pm, packages) {
-  return new Promise((resolve, reject) => {
-    const verb = pm === "npm" ? "install" : "add";
-    const child = spawn(pm, [verb, ...packages], { stdio: "inherit", shell: true });
+function runCommand(pm, packages, cwd) {
+  const verb = pm === "npm" ? "install" : "add";
+  const command = process.platform === "win32" ? `${pm}.cmd` : pm;
+  return new Promise((resolve2, reject) => {
+    const child = spawn(command, [verb, ...packages], {
+      stdio: "inherit",
+      shell: false,
+      cwd,
+      env: process.env
+    });
     child.on("error", reject);
     child.on("exit", (code) => {
-      if (code === 0) resolve();
-      else reject(new Error(`${pm} exited with code ${code}`));
+      if (code === 0) resolve2();
+      else reject(new Error(`${pm} exited with code ${code ?? "null"}`));
     });
   });
 }
 function writeEnvFile(cwd, apiKey, projectId, framework) {
-  const target = ENV_FILES.find((f) => existsSync3(join3(cwd, f))) ?? ENV_FILES[0];
-  const targetPath = join3(cwd, target);
+  const target = ENV_FILES.find((f) => existsSync4(join4(cwd, f))) ?? ENV_FILES[0];
+  const targetPath = join4(cwd, target);
   const newVars = envVarsToWrite(apiKey, projectId, framework);
-  const existing = existsSync3(targetPath) ? readFileSync3(targetPath, "utf-8") : "";
+  const existing = existsSync4(targetPath) ? readFileSync4(targetPath, "utf-8") : "";
   if (existing.includes("MUSHI_PROJECT_ID")) {
     p.log.warn(`Existing MUSHI_* vars found in ${target} \u2014 leaving them untouched.`);
     return;
@@ -378,20 +621,38 @@ function writeEnvFile(cwd, apiKey, projectId, framework) {
 # Mushi Mushi
 ${newVars}
 `);
-  if (!existing) {
-    writeFileSync2(targetPath, readFileSync3(targetPath, "utf-8"));
-  }
   p.log.success(`Wrote env vars to ${target}`);
   warnIfMissingFromGitignore(cwd, target);
 }
+function isEnvFileCoveredByGitignore(gitignoreContent, envFile) {
+  const lines = gitignoreContent.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+  let covered = false;
+  for (const line of lines) {
+    if (line.startsWith("!")) {
+      if (matchesGitignorePattern(line.slice(1), envFile)) covered = false;
+      continue;
+    }
+    if (matchesGitignorePattern(line, envFile)) covered = true;
+  }
+  return covered;
+}
+function matchesGitignorePattern(pattern, filename) {
+  if (pattern.endsWith("/")) return false;
+  const normalized = pattern.startsWith("/") ? pattern.slice(1) : pattern;
+  const regexSource = normalized.split("").map((ch) => ch === "*" ? "[^/]*" : escapeRegexChar(ch)).join("");
+  return new RegExp(`^${regexSource}$`).test(filename);
+}
+function escapeRegexChar(ch) {
+  return /[-/\\^$+?.()|[\]{}]/.test(ch) ? `\\${ch}` : ch;
+}
 function warnIfMissingFromGitignore(cwd, envFile) {
-  const gitignorePath = join3(cwd, ".gitignore");
-  if (!existsSync3(gitignorePath)) {
+  const gitignorePath = join4(cwd, ".gitignore");
+  if (!existsSync4(gitignorePath)) {
     p.log.warn(`No .gitignore found \u2014 make sure ${envFile} is not committed.`);
     return;
   }
-  const content = readFileSync3(gitignorePath, "utf-8");
-  if (!content.split("\n").some((line) => line.trim() === envFile || line.trim() === ".env*")) {
+  const content = readFileSync4(gitignorePath, "utf-8");
+  if (!isEnvFileCoveredByGitignore(content, envFile)) {
     p.log.warn(`${envFile} is not in .gitignore \u2014 add it before committing.`);
   }
 }
@@ -406,10 +667,105 @@ function printNextSteps(framework, apiKey, projectId) {
   p.log.message("  \u2022 Look for the \u{1F41B} button in the bottom-right corner (or shake on mobile)");
   p.log.message("  \u2022 Submit a test report \u2014 it should appear at https://kensaur.us/mushi-mushi/reports");
 }
+async function maybeSendTestReport(credentials, options) {
+  if (options.sendTestReport === false) return;
+  let shouldSend;
+  if (options.sendTestReport === true || options.yes) {
+    shouldSend = true;
+  } else {
+    const answer = await p.confirm({
+      message: "Send a test report now to verify the pipeline?",
+      initialValue: true
+    });
+    if (p.isCancel(answer)) return;
+    shouldSend = answer;
+  }
+  if (!shouldSend) return;
+  const spinner2 = p.spinner();
+  spinner2.start("Sending test report\u2026");
+  const endpoint = normalizeEndpoint(options.endpoint);
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), TEST_REPORT_FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(`${endpoint}/v1/reports`, {
+      method: "POST",
+      signal: controller.signal,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Mushi-Api-Key": credentials.apiKey,
+        "X-Mushi-Project": credentials.projectId
+      },
+      body: JSON.stringify({
+        projectId: credentials.projectId,
+        description: "Test report from the mushi-mushi setup wizard",
+        category: "other",
+        reporterToken: `wizard-${randomUUID()}`,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        environment: {
+          url: "cli://wizard",
+          userAgent: `mushi-wizard/${process.platform}-${process.arch}`,
+          platform: process.platform,
+          language: "en",
+          viewport: { width: 0, height: 0 },
+          referrer: "",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          timezone: Intl.DateTimeFormat().resolvedOptions().timeZone
+        }
+      })
+    });
+    if (!res.ok) {
+      spinner2.stop(`Test report rejected (HTTP ${res.status}).`);
+      p.log.warn(
+        res.status === 401 || res.status === 403 ? "Credentials did not authenticate \u2014 double-check the project ID and API key." : "Skipping test report. You can retry with `mushi test`."
+      );
+      return;
+    }
+    spinner2.stop("Test report sent.");
+    p.log.success("View it at https://kensaur.us/mushi-mushi/reports");
+  } catch (err) {
+    const aborted = err instanceof Error && err.name === "AbortError";
+    spinner2.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");
+    p.log.warn(err instanceof Error ? err.message : String(err));
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function printFreshnessHint() {
+  const result = await checkFreshness("mushi-mushi", MUSHI_CLI_VERSION);
+  if (!result || !result.isOutdated) return;
+  p.log.info(
+    `A newer version of mushi-mushi is available: ${result.current} \u2192 ${result.latest}. Run \`npx mushi-mushi@latest\` to get the freshest wizard.`
+  );
+}
+function warnIfWorkspaceRoot(cwd) {
+  let hint;
+  try {
+    hint = detectWorkspaceHint(cwd);
+  } catch {
+    return;
+  }
+  if (!hint || hint.apps.length === 0) return;
+  const hasFrameworkAtCwd = hint.apps.some(
+    (app) => isSameDirectory(cwd, resolveWorkspaceAppPath(hint.root, app.relativePath))
+  );
+  if (hasFrameworkAtCwd) return;
+  const apps = hint.apps.slice(0, 5).map((app) => `  \u2022 ${app.relativePath} (${app.framework})`).join("\n");
+  p.log.warn(
+    `You appear to be at a workspace root (source: ${hint.source}). Mushi will install into the current directory, which has no framework dep. You probably meant one of these sub-packages:
+${apps}
+Run \`mushi init --cwd <path>\` \u2014 or re-run the wizard from inside that package.`
+  );
+}
+function resolveWorkspaceAppPath(root, relativePath) {
+  return `${root}/${relativePath}`.replace(/\\/g, "/");
+}
+function isSameDirectory(a, b) {
+  return a.replace(/\\/g, "/").replace(/\/+$/, "") === b.replace(/\\/g, "/").replace(/\/+$/, "");
+}
 
 // src/index.ts
 async function apiCall(path, config, options = {}) {
-  const endpoint = config.endpoint ?? "https://api.mushimushi.dev";
+  const endpoint = config.endpoint ?? DEFAULT_ENDPOINT;
   const res = await fetch(`${endpoint}${path}`, {
     ...options,
     headers: {
@@ -422,23 +778,26 @@ async function apiCall(path, config, options = {}) {
   });
   return res.json();
 }
-var program = new Command().name("mushi").description("Mushi Mushi CLI \u2014 set up the SDK, manage bug reports, monitor pipeline").version("0.3.0");
-program.command("init").description("Set up the Mushi Mushi SDK in this project (auto-detects framework)").option("--project-id <id>", "Skip the prompt by passing the project ID").option("--api-key <key>", "Skip the prompt by passing the API key").option("--framework <id>", "Force a framework (next, react, vue, nuxt, svelte, sveltekit, angular, expo, react-native, capacitor, vanilla)").option("--skip-install", "Don't auto-install the SDK package \u2014 print the command instead").option("-y, --yes", "Accept detected framework without prompting").action(async (opts) => {
+var program = new Command().name("mushi").description("Mushi Mushi CLI \u2014 set up the SDK, manage bug reports, monitor pipeline").version(MUSHI_CLI_VERSION);
+program.command("init").description("Set up the Mushi Mushi SDK in this project (auto-detects framework)").option("--project-id <id>", "Skip the prompt by passing the project ID").option("--api-key <key>", "Skip the prompt by passing the API key").option("--framework <id>", "Force a framework (next, react, vue, nuxt, svelte, sveltekit, angular, expo, react-native, capacitor, vanilla)").option("--skip-install", "Don't auto-install the SDK package \u2014 print the command instead").option("-y, --yes", "Accept detected framework without prompting").option("--cwd <path>", "Run the wizard in a different directory").option("--endpoint <url>", "Override the Mushi API endpoint (self-hosted)").option("--skip-test-report", 'Skip the end-of-wizard "send a test report" prompt').action(async (opts) => {
   await runInit({
     projectId: opts.projectId,
     apiKey: opts.apiKey,
     framework: opts.framework,
     skipInstall: opts.skipInstall,
-    yes: opts.yes
+    yes: opts.yes,
+    cwd: opts.cwd,
+    endpoint: opts.endpoint,
+    sendTestReport: opts.skipTestReport ? false : void 0
   });
 });
 program.command("login").description("Store API key for authentication").requiredOption("--api-key <key>", "API key").option("--endpoint <url>", "API endpoint URL").option("--project-id <id>", "Default project ID").action((opts) => {
   const config = loadConfig();
   config.apiKey = opts.apiKey;
-  if (opts.endpoint) config.endpoint = opts.endpoint;
+  if (opts.endpoint) config.endpoint = assertEndpoint(opts.endpoint);
   if (opts.projectId) config.projectId = opts.projectId;
   saveConfig(config);
-  console.log("Saved credentials to ~/.mushirc");
+  console.log("Saved credentials to ~/.mushirc (mode 0o600)");
 });
 program.command("status").description("Show project stats").action(async () => {
   const config = loadConfig();
@@ -493,10 +852,10 @@ reports.command("triage <id>").description("Update report status/severity").opti
 program.command("config").description("View or update CLI config").argument("[key]", "Config key to set").argument("[value]", "Value").action((key, value) => {
   const config = loadConfig();
   if (key && value) {
-    ;
-    config[key] = value;
+    const safeValue = key === "endpoint" ? assertEndpoint(value) : value;
+    config[key] = safeValue;
     saveConfig(config);
-    console.log(`Set ${key} = ${value}`);
+    console.log(`Set ${key} = ${safeValue}`);
   } else {
     console.log(JSON.stringify(config, null, 2));
   }

package/dist/init.d.ts

@@ -16,7 +16,24 @@ interface InitOptions {
     framework?: FrameworkId;
     skipInstall?: boolean;
     yes?: boolean;
+    endpoint?: string;
+    sendTestReport?: boolean;
 }
 declare function runInit(options?: InitOptions): Promise<void>;
+/**
+ * Strip whitespace, quotes, and any control characters a user might paste by
+ * accident. Prevents env-file injection via newlines in a pasted secret.
+ * Exported for test coverage of the env-file-injection defense.
+ */
+declare function sanitizeSecret(raw: string): string;
+/**
+ * Return true when any line in the user's `.gitignore` actually matches the
+ * env file we just wrote. Subtle point: `.env` in gitignore does NOT cover
+ * `.env.local` — gitignore matches by filename, not prefix. We build a tiny
+ * glob matcher (only `*` as wildcard, gitignore's common case) and test each
+ * non-comment line. `!`-prefixed negations are treated as "not covered" to
+ * stay on the safe side — better a false warning than a silent leak.
+ */
+declare function isEnvFileCoveredByGitignore(gitignoreContent: string, envFile: string): boolean;
 
-export { type InitOptions, runInit };
+export { type InitOptions, isEnvFileCoveredByGitignore, runInit, sanitizeSecret };