@mushi-mushi/cli 0.5.2 → 0.6.0

package/CODE_OF_CONDUCT.md

@@ -40,7 +40,7 @@ Examples of unacceptable behavior:
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the project team at **security@mushimushi.dev**.
+reported to the project team at **kensaurus@gmail.com**.
 
 All complaints will be reviewed and investigated promptly and fairly.
 

package/CONTRIBUTING.md

@@ -33,6 +33,10 @@ pnpm lint         # ESLint
 pnpm format       # Prettier
 ```
 
+Ad-hoc screenshots captured during UI reviews can live temporarily at the repo
+root, but root-level `*.png` files are intentionally ignored. Canonical
+screenshots that should be versioned belong under `docs/screenshots/`.
+
 ### Working on a single package
 
 ```bash

package/README.md

@@ -59,9 +59,32 @@ mushi reports triage <id> --status acknowledged --severity high
 mushi deploy check                   # edge-function health probe
 mushi index <path>                   # walk a local repo and feed RAG
 mushi test                           # submit a test report end-to-end
+mushi migrate                        # suggest the most relevant migration guide
+mushi migrate --json                 # machine-readable JSON for CI
 mushi config endpoint https://...    # set API endpoint (https:// required outside localhost)
 ```
 
+### `mushi migrate`
+
+Reads `package.json` (deps + devDeps + peerDeps) and prints links to the
+matching guides on the docs site. Detects:
+
+- **In-transition shapes** — Capacitor + React Native side-by-side, Cordova
+  (or `cordova-ios`/`cordova-android`), Create React App.
+- **Competitor SDKs** — Instabug / Luciq, Shake, LogRocket Feedback,
+  BugHerd, Pendo Feedback.
+
+Exits non-zero when nothing matches, so it composes in shell scripts:
+
+```bash
+mushi migrate || echo "no migration suggestions for this project"
+```
+
+Only `published` guides ever surface — `draft` entries are filtered out so
+the CLI never points users at a 404. This safety property is unit-pinned in
+`packages/cli/src/migrate.test.ts` (positive control + negative control +
+real-catalog regression guard).
+
 ## Security notes
 
 - `~/.mushirc` is written with mode `0o600` on Unix. Legacy configs with looser permissions are tightened on load.

package/SECURITY.md

@@ -19,7 +19,7 @@ If you discover a security vulnerability, please report it responsibly.
 
 **Do NOT open a public GitHub issue.**
 
-Instead, email: **security@mushimushi.dev**
+Instead, email: **kensaurus@gmail.com**
 
 Include:
 - Description of the vulnerability
@@ -48,3 +48,77 @@ We will acknowledge receipt within 48 hours and aim to release a patch within 7
 - **Rotate API keys** regularly via the admin console
 - **Enable SSO** for team projects (Enterprise tier)
 - **Review audit logs** periodically for suspicious activity
+
+## Supply-chain hardening (how this package is protected)
+
+Mushi Mushi is built and published with the controls below. Consumers can
+verify each control independently — the goal is to make tampering both
+difficult and detectable.
+
+### Publish-time controls
+
+| Control | What it does | How to verify |
+|---|---|---|
+| **npm Trusted Publisher (OIDC)** | Every release is published from `.github/workflows/release.yml` on `master` using a short-lived OIDC token. Long-lived `NPM_TOKEN` is not used for publishing. | `npm view @mushi-mushi/<pkg> --json` shows `"trustedPublisher"` populated for recent versions. |
+| **npm provenance attestations** | Every published tarball ships a [Sigstore provenance attestation](https://docs.npmjs.com/generating-provenance-statements) cryptographically linking the tarball to the exact GitHub Actions run that built it. | `npm audit signatures` (run inside any project that depends on `@mushi-mushi/*`) reports `verified registry signatures` and `verified attestations`. The npm web UI shows a "Built and signed on GitHub Actions" badge on each version. |
+| **Pre-publish workspace-protocol guard** | Aborts the publish if `workspace:*` ranges leaked into the tarball (the bug class behind the v0.1.0 incident). | `scripts/check-workspace-protocol.mjs` runs before `changeset publish` in `pnpm release`. |
+| **Post-publish tarball verification** | Re-downloads each just-published tarball and asserts it doesn't contain `workspace:*`. | See the "Verify published tarballs do not contain workspace:*" step in `release.yml`. |
+| **Post-publish `npm audit signatures`** | Re-installs each published version and validates registry signatures + provenance against npm's transparency log. | See the "Audit signatures of installed dependencies" step in `release.yml`. |
+
+### Build-time controls
+
+| Control | What it does |
+|---|---|
+| **All third-party GitHub Actions pinned to commit SHAs** | Every `uses:` in every workflow under `.github/workflows/` is pinned to a 40-character commit SHA with a version comment. Floating tags (`@v4`, `@main`) are mutable and were the entry point for the [tj-actions/changed-files compromise (CVE-2025-30066)](https://github.com/step-security/harden-runner#detected-attacks). |
+| **Harden-Runner egress audit on every job** | [step-security/harden-runner](https://github.com/step-security/harden-runner) records every outbound network call, file write, and process spawn on every CI runner. Detects exfiltration attempts in real time — caught the tj-actions, NX, Shai-Hulud, and Axios attacks for other projects. |
+| **OpenSSF Scorecard** | Weekly + on-push score of the repo's security posture (Pinned-Dependencies, Token-Permissions, Branch-Protection, Code-Review, Dangerous-Workflow, Maintained, SAST, Security-Policy, Signed-Releases, Vulnerabilities). Public results at [scorecard.dev](https://scorecard.dev/viewer/?uri=github.com/kensaurus/mushi-mushi). |
+| **Server-side secret scan (Gitleaks)** | Every PR and every push to `master` runs Gitleaks across the diff / full tree. Belt-and-suspenders to the local pre-commit hook (`scripts/check-no-secrets.mjs`) which can be bypassed with `--no-verify`. |
+| **Local pre-commit secret scanner** | `scripts/check-no-secrets.mjs` runs as a git hook installed by `pnpm install`, blocking commits that look like AWS / Stripe / GitHub / Anthropic / OpenAI / Slack / Supabase keys. |
+| **CodeQL `security-extended`** | Semantic analysis of every TypeScript / JavaScript change finds injection sinks, taint flows, prototype pollution, etc. Runs on every PR, push, and weekly cron. |
+| **Dependency review on PRs** | `actions/dependency-review-action` blocks the PR if it adds or upgrades a dep with a high-severity advisory. |
+| **`pnpm audit --prod --audit-level=high`** | Weekly cron + every push to `master` fails on any high/critical advisory in production deps. |
+
+### Install-time controls (protect the project's own dependency graph)
+
+| Control | What it does |
+|---|---|
+| **`min-release-age` (npm) / `minimumReleaseAge` (pnpm)** | Refuses to resolve any dep version published less than 7 days ago. The Axios 1.14.1 / 0.30.4 compromise (Mar 2026) was detected and removed within ~5 hours; Shai-Hulud (Sep 2025) within <12 hours — a 7-day cooldown blocks every publicly-disclosed 2025–2026 npm supply-chain attack outright. |
+| **`strictDepBuilds: true`** | Fails the install if any transitive dep tries to run a `postinstall` hook the workspace hasn't pre-approved (`onlyBuiltDependencies` allow-list). |
+| **`blockExoticSubdeps: true`** | Refuses to resolve transitive deps from git URLs, tarball URLs, or filesystem paths — anything that didn't go through the npm registry's signing pipeline. |
+| **Dependabot with cooldown** | Routine dep upgrades wait 7 days; security advisories bypass the cooldown automatically. |
+| **`pnpm audit signatures`-style verification** | The release pipeline re-runs `npm audit signatures` against each published version after the publish, with `--audit-level=high`. |
+
+### Verifying a Mushi Mushi tarball before installing
+
+```bash
+# 1. Check provenance attestation matches the public GitHub Actions run
+npm view @mushi-mushi/core --json | jq '.signatures, .dist'
+
+# 2. Inside your own project after install
+npm audit signatures
+
+# Expected: every @mushi-mushi/* package reports
+#   "verified registry signature"
+#   "verified attestation"
+```
+
+If `npm audit signatures` reports any `@mushi-mushi/*` package as unsigned
+or with an invalid attestation, **stop the install and email
+kensaurus@gmail.com immediately** — that's the symptom of either a
+registry compromise or a tampered tarball, and we want to know within
+hours, not days.
+
+### What this hardening does NOT cover
+
+- **Self-hosted deployments.** Once the package is on your machine, the
+  security of your `node_modules`, build pipeline, and runtime is your
+  responsibility. The hardening above protects the path from source to
+  registry; it cannot protect a tarball after it has been downloaded.
+- **Compromise of `kensaurus@gmail.com`.** A trusted-publisher rule still
+  lets the legitimate maintainer publish from any branch they push. If
+  you find yourself with admin access to this repo, treat
+  `.github/workflows/release.yml` as a tier-0 secret.
+- **First-party bugs.** Provenance proves *who* built the tarball and
+  *when*; it does not prove the code is bug-free. CodeQL + tests cover
+  that surface, but no automation catches everything — please continue
+  to report issues to the address above.

package/dist/chunk-KNU5OWYY.js

@@ -0,0 +1,6 @@
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.6.0" : "0.0.0-dev";
+
+export {
+  MUSHI_CLI_VERSION
+};

package/dist/{chunk-ZZNVMBMG.js → chunk-XHD3H54W.js}

@@ -166,10 +166,16 @@ export default function App() {
     label: "Capacitor (Ionic)",
     packageName: "@mushi-mushi/capacitor",
     needsWebPackage: false,
-    snippet: (apiKey, projectId) => `// src/main.ts
+    /* The Capacitor plugin's public API is `Mushi.configure(...)`, not
+     * `Mushi.init(...)` — see packages/capacitor/src/definitions.ts. We
+     * shipped the wrong call here for two releases and users got a runtime
+     * `TypeError: Mushi.init is not a function`. The accompanying admin
+     * console snippet (apps/admin/src/lib/sdkSnippets.ts) emits the same
+     * `Mushi.configure(...)` shape; both are pinned by tests. */
+    snippet: (apiKey, projectId) => `// src/main.ts \u2014 after install, run \`npx cap sync\`
 import { Mushi } from '@mushi-mushi/capacitor'
 
-Mushi.init({ projectId: '${projectId}', apiKey: '${apiKey}' })`
+await Mushi.configure({ projectId: '${projectId}', apiKey: '${apiKey}' })`
   },
   vanilla: {
     id: "vanilla",

package/dist/detect.js

@@ -7,7 +7,7 @@ import {
   installCommand,
   isFrameworkId,
   readPackageJson
-} from "./chunk-ZZNVMBMG.js";
+} from "./chunk-XHD3H54W.js";
 export {
   FRAMEWORKS,
   FRAMEWORK_IDS,

package/dist/index.js

@@ -190,10 +190,16 @@ export default function App() {
     label: "Capacitor (Ionic)",
     packageName: "@mushi-mushi/capacitor",
     needsWebPackage: false,
-    snippet: (apiKey, projectId) => `// src/main.ts
+    /* The Capacitor plugin's public API is `Mushi.configure(...)`, not
+     * `Mushi.init(...)` — see packages/capacitor/src/definitions.ts. We
+     * shipped the wrong call here for two releases and users got a runtime
+     * `TypeError: Mushi.init is not a function`. The accompanying admin
+     * console snippet (apps/admin/src/lib/sdkSnippets.ts) emits the same
+     * `Mushi.configure(...)` shape; both are pinned by tests. */
+    snippet: (apiKey, projectId) => `// src/main.ts \u2014 after install, run \`npx cap sync\`
 import { Mushi } from '@mushi-mushi/capacitor'
 
-Mushi.init({ projectId: '${projectId}', apiKey: '${apiKey}' })`
+await Mushi.configure({ projectId: '${projectId}', apiKey: '${apiKey}' })`
   },
   vanilla: {
     id: "vanilla",
@@ -448,7 +454,7 @@ function getFrameworkFromPkg(pkg) {
 }
 
 // src/version.ts
-var MUSHI_CLI_VERSION = true ? "0.5.2" : "0.0.0-dev";
+var MUSHI_CLI_VERSION = true ? "0.6.0" : "0.0.0-dev";
 
 // src/init.ts
 var ENV_FILES = [".env.local", ".env"];
@@ -565,8 +571,11 @@ async function promptText(opts) {
   const value = await p.text({
     message: opts.message,
     placeholder: opts.placeholder,
+    // @clack/prompts v1 widened the validate input to `string | undefined`
+    // (the previous v0.x API guaranteed a string). Guard the empty case
+    // explicitly so the rest of the pipeline keeps its `string` invariant.
     validate: (v) => {
-      const clean = sanitizeSecret(v);
+      const clean = sanitizeSecret(v ?? "");
       if (clean.length === 0) return "Required";
       return opts.validate ? opts.validate(clean) : void 0;
     }
@@ -763,6 +772,142 @@ function isSameDirectory(a, b) {
   return a.replace(/\\/g, "/").replace(/\/+$/, "") === b.replace(/\\/g, "/").replace(/\/+$/, "");
 }
 
+// src/migrate.ts
+var DOCS_BASE = "https://docs.mushimushi.dev";
+var COMPETITOR_PACKAGES = {
+  "instabug-to-mushi": [
+    "instabug-reactnative",
+    "luciq-reactnative-sdk",
+    "@instabug/web",
+    "instabug"
+  ],
+  "shake-to-mushi": [
+    "@shakebugs/react-native-shake",
+    "@shakebugs/shake-react-native",
+    "@softnoesis/shakebug-js"
+  ],
+  "logrocket-feedback-to-mushi": ["logrocket", "logrocket-react"],
+  "bugherd-to-mushi": ["bugherd-pubsub"],
+  "pendo-feedback-to-mushi": ["pendo-io-browser", "@pendo/web"]
+};
+var MIGRATE_CATALOG = [
+  // ── In-transition / cross-stack shapes (highest priority) ─────────
+  {
+    slug: "capacitor-to-react-native",
+    title: "Capacitor \u2192 React Native",
+    summary: "Looks like you have BOTH Capacitor and React Native installed \u2014 finishing this port? See the full Cap \u2192 RN plan.",
+    category: "mobile",
+    status: "published",
+    detectionLabel: "@capacitor/core + react-native",
+    match: (d) => d.has("@capacitor/core") && d.has("react-native")
+  },
+  {
+    slug: "cordova-to-capacitor",
+    title: "Cordova \u2192 Capacitor",
+    summary: "Cordova detected. Migrate in place to Capacitor for the modern WebView, plugin ecosystem, and first-party Mushi support.",
+    category: "mobile",
+    status: "published",
+    detectionLabel: "cordova",
+    match: (d) => d.has("cordova") || d.has("cordova-android") || d.has("cordova-ios")
+  },
+  // ── Web framework legacy shapes ───────────────────────────────────
+  {
+    slug: "cra-to-vite",
+    title: "Create React App \u2192 Vite",
+    summary: "react-scripts detected. CRA is unmaintained \u2014 `npx migrate-to-vite@latest cra` covers ~90 % of the move.",
+    category: "web",
+    status: "published",
+    detectionLabel: "react-scripts",
+    match: (d) => d.has("react-scripts")
+  },
+  // ── Competitor packages ───────────────────────────────────────────
+  ...Object.entries(COMPETITOR_PACKAGES).map(([slug, pkgs]) => ({
+    slug,
+    title: titleForCompetitor(slug),
+    summary: `Found ${pkgs.join(" / ")} \u2014 Mushi covers the same surface with built-in AI triage and a Shadow-DOM widget.`,
+    category: "competitor",
+    status: "published",
+    detectionLabel: pkgs[0],
+    match: (d) => pkgs.some((p2) => d.has(p2))
+  }))
+];
+function titleForCompetitor(slug) {
+  switch (slug) {
+    case "instabug-to-mushi":
+      return "Instabug (Luciq) \u2192 Mushi";
+    case "shake-to-mushi":
+      return "Shake \u2192 Mushi";
+    case "logrocket-feedback-to-mushi":
+      return "LogRocket Feedback \u2192 Mushi";
+    case "bugherd-to-mushi":
+      return "BugHerd \u2192 Mushi";
+    case "pendo-feedback-to-mushi":
+      return "Pendo Feedback \u2192 Mushi";
+    default:
+      return slug;
+  }
+}
+function detectMigrations(deps, catalog = MIGRATE_CATALOG) {
+  return catalog.filter((g) => g.status === "published" && g.match?.(deps)).map((g) => ({ guide: g, url: `${DOCS_BASE}/migrations/${g.slug}` }));
+}
+function depsFromPackageJson(pkg) {
+  if (!pkg) return /* @__PURE__ */ new Set();
+  return /* @__PURE__ */ new Set([
+    ...Object.keys(pkg.dependencies ?? {}),
+    ...Object.keys(pkg.devDependencies ?? {}),
+    ...Object.keys(pkg.peerDependencies ?? {})
+  ]);
+}
+function runMigrate(opts = {}) {
+  const cwd = opts.cwd ?? process.cwd();
+  const log2 = opts.log ?? ((s) => console.log(s));
+  const pkg = readPackageJson(cwd);
+  if (!pkg) {
+    log2(
+      opts.json ? JSON.stringify({ ok: false, error: "no-package-json", cwd, matches: [] }, null, 2) : `No package.json found in ${cwd}. Run \`mushi migrate\` from your project root.`
+    );
+    return { matches: [] };
+  }
+  const deps = depsFromPackageJson(pkg);
+  const matches = detectMigrations(deps);
+  if (opts.json) {
+    log2(
+      JSON.stringify(
+        {
+          ok: true,
+          cwd,
+          matches: matches.map((m) => ({
+            slug: m.guide.slug,
+            title: m.guide.title,
+            url: m.url,
+            category: m.guide.category,
+            detectionLabel: m.guide.detectionLabel
+          }))
+        },
+        null,
+        2
+      )
+    );
+    return { matches };
+  }
+  if (matches.length === 0) {
+    log2("No migrations suggested for this project.");
+    log2(`Browse the full catalog: ${DOCS_BASE}/migrations`);
+    return { matches };
+  }
+  log2(`Suggested migration${matches.length > 1 ? "s" : ""} for this project:`);
+  log2("");
+  for (const { guide, url } of matches) {
+    log2(`  \u2022 ${guide.title}`);
+    if (guide.detectionLabel) log2(`    detected: ${guide.detectionLabel}`);
+    log2(`    ${guide.summary}`);
+    log2(`    ${url}`);
+    log2("");
+  }
+  log2(`Browse the full catalog: ${DOCS_BASE}/migrations`);
+  return { matches };
+}
+
 // src/index.ts
 async function apiCall(path, config, options = {}) {
   const endpoint = config.endpoint ?? DEFAULT_ENDPOINT;
@@ -791,6 +936,12 @@ program.command("init").description("Set up the Mushi Mushi SDK in this project
     sendTestReport: opts.skipTestReport ? false : void 0
   });
 });
+program.command("migrate").description(
+  "Suggest the most relevant Mushi Mushi migration guide based on your package.json"
+).option("--cwd <path>", "Run from a different directory").option("--json", "Machine-readable JSON output").action((opts) => {
+  const { matches } = runMigrate({ cwd: opts.cwd, json: opts.json });
+  if (matches.length === 0) process.exit(1);
+});
 program.command("login").description("Store API key for authentication").requiredOption("--api-key <key>", "API key").option("--endpoint <url>", "API endpoint URL").option("--project-id <id>", "Default project ID").action((opts) => {
   const config = loadConfig();
   config.apiKey = opts.apiKey;

package/dist/init.js

@@ -5,10 +5,10 @@ import {
   envVarsToWrite,
   installCommand,
   readPackageJson
-} from "./chunk-ZZNVMBMG.js";
+} from "./chunk-XHD3H54W.js";
 import {
   MUSHI_CLI_VERSION
-} from "./chunk-FE5YYKNI.js";
+} from "./chunk-KNU5OWYY.js";
 
 // src/init.ts
 import * as p from "@clack/prompts";
@@ -325,8 +325,11 @@ async function promptText(opts) {
   const value = await p.text({
     message: opts.message,
     placeholder: opts.placeholder,
+    // @clack/prompts v1 widened the validate input to `string | undefined`
+    // (the previous v0.x API guaranteed a string). Guard the empty case
+    // explicitly so the rest of the pipeline keeps its `string` invariant.
     validate: (v) => {
-      const clean = sanitizeSecret(v);
+      const clean = sanitizeSecret(v ?? "");
       if (clean.length === 0) return "Required";
       return opts.validate ? opts.validate(clean) : void 0;
     }

package/dist/version.js

@@ -1,6 +1,6 @@
 import {
   MUSHI_CLI_VERSION
-} from "./chunk-FE5YYKNI.js";
+} from "./chunk-KNU5OWYY.js";
 export {
   MUSHI_CLI_VERSION
 };

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@mushi-mushi/cli",
-  "version": "0.5.2",
+  "version": "0.6.0",
   "license": "MIT",
   "description": "CLI for Mushi Mushi — `mushi init` wizard installs the right SDK for your framework, plus report triage and pipeline health commands",
   "bin": {
     "mushi": "./dist/index.js"
   },
   "dependencies": {
-    "@clack/prompts": "^0.11.0",
+    "@clack/prompts": "^1.2.0",
     "commander": "^14.0.3"
   },
   "devDependencies": {

package/dist/chunk-FE5YYKNI.js

@@ -1,6 +0,0 @@
-// src/version.ts
-var MUSHI_CLI_VERSION = true ? "0.5.2" : "0.0.0-dev";
-
-export {
-  MUSHI_CLI_VERSION
-};