@mushi-mushi/cli 0.6.1 → 0.7.0

package/CONTRIBUTING.md

@@ -91,6 +91,33 @@ pnpm changeset
 
 Select the affected packages, the semver bump type, and write a summary. The changeset file gets committed with your PR.
 
+## Release flow
+
+Releases are fully automated. Maintainers don't run `npm publish` by hand.
+
+1. PRs land on `master` with one or more changeset files in `.changeset/`.
+2. `release.yml` runs on every push to `master`. It opens (or updates) a `chore: version packages` PR that bumps every affected `package.json`, rolls up the changelogs, and deletes the consumed changesets.
+3. Merging that "Version Packages" PR re-fires `release.yml`. The publish step authenticates to npm via **OpenID Connect (OIDC) Trusted Publishers** — no long-lived `NPM_TOKEN` is exchanged — and every tarball ships with a **Sigstore provenance attestation** uploaded to the public transparency log.
+
+If GitHub's anti-loop protection suppresses the auto re-fire (the squash merge can be attributed to `github-actions[bot]`), trigger the workflow manually: **Actions → release → Run workflow → master**.
+
+### Adding a brand-new publishable package
+
+Trusted Publisher bindings are configured **per package** on `npmjs.com` and require the package to already exist on the registry. New packages therefore need a one-time bootstrap before OIDC can take over.
+
+1. Add the package under `packages/<name>/` with a real `version`, `files`, `publishConfig.access: "public"`, `LICENSE`, and the standard fields enforced by `pnpm check:publish-readiness`.
+2. Build it locally: `pnpm install && pnpm -r build`.
+3. Mint a short-lived granular access token at `https://www.npmjs.com/settings/<your-user>/tokens/granular-access-tokens/new` — **Bypass 2FA: ON**, **Read and write: All packages**, **Expiration: 7 days**.
+4. Bootstrap-publish:
+   ```bash
+   NPM_TOKEN=npm_xxx pnpm bootstrap:new-package
+   ```
+   The script auto-detects which workspace packages are missing on npm and publishes them via `pnpm publish --no-provenance` (so `workspace:^` specifiers get rewritten to real semver in the tarball).
+5. The script prints one URL per freshly-published package. Open each, click **GitHub Actions** under "Trusted Publisher", confirm the auto-filled fields (`<owner>` / `<repo>` / `release.yml`), and tap your security key.
+6. Revoke the bootstrap token at `https://www.npmjs.com/settings/<your-user>/tokens`.
+
+From the next changeset bump onward, that package publishes through the normal `release.yml` flow with full OIDC provenance — same as the rest.
+
 ## Code Style
 
 - **TypeScript strict mode** — no `any` unless absolutely necessary

package/README.md

@@ -62,8 +62,25 @@ mushi test                           # submit a test report end-to-end
 mushi migrate                        # suggest the most relevant migration guide
 mushi migrate --json                 # machine-readable JSON for CI
 mushi config endpoint https://...    # set API endpoint (https:// required outside localhost)
+mushi sourcemaps upload --release <ver> --dir <dist>   # upload .js.map / .css.map (sha256-idempotent)
 ```
 
+### `mushi sourcemaps upload`
+
+Recursively scans `--dir` for `.js.map` and `.css.map` files and uploads them
+under the given `--release`. Each file is hashed (sha256) and skipped if the
+server already has it for that release, so the command is safe to run from
+every CI build without churning storage.
+
+```bash
+mushi sourcemaps upload --release 1.4.2 --dir ./dist
+mushi sourcemaps upload --release "$GITHUB_SHA" --dir ./build --dry-run
+mushi sourcemaps upload --release "$GITHUB_SHA" --dir ./build --silent
+```
+
+Requires `MUSHI_API_ENDPOINT` and `MUSHI_API_KEY` (or pass `--endpoint` /
+`--api-key`). Exits non-zero on any upload failure so CI gates fail fast.
+
 ### `mushi migrate`
 
 Reads `package.json` (deps + devDeps + peerDeps) and prints links to the

package/SECURITY.md

@@ -19,15 +19,59 @@ If you discover a security vulnerability, please report it responsibly.
 
 **Do NOT open a public GitHub issue.**
 
-Instead, email: **kensaurus@gmail.com**
+Use either channel below:
+
+1. **GitHub Private Vulnerability Reporting** — strongly preferred.
+   <https://github.com/kensaurus/mushi-mushi/security/advisories/new>
+   Routes the report into a private advisory with built-in CVE issuance,
+   patch coordination, and contributor-credit workflow.
+2. **Email** — `kensaurus@gmail.com`, subject prefix `[mushi-security]`.
+   PGP welcome but not required.
 
 Include:
 - Description of the vulnerability
-- Steps to reproduce
-- Impact assessment
+- Steps to reproduce (smallest reproducer wins)
+- Impact assessment (what an attacker gains)
 - Suggested fix (if any)
+- Whether you want public credit (and how to spell your name)
+
+### Coordinated-disclosure timeline
+
+| Day | Action |
+|-----|--------|
+| 0 | Report received |
+| ≤ 2 | Acknowledgment + assigned a tracking ID |
+| ≤ 7 | Triage complete: severity assigned (CVSS 3.1) and target patch date communicated |
+| ≤ 30 | Patch released for critical / high (CVSS ≥ 7.0); ≤ 60 days for medium; best-effort for low |
+| Patch + 7 | Public advisory + CVE published; reporter credited unless they declined |
+| Patch + 90 | Embargo expires regardless; if upstream is unresponsive, the reporter is free to publish |
+
+### Safe harbor
+
+Good-faith security research on Mushi Mushi is welcome. If you stay
+within the rules below, we will not pursue legal action, will not ask
+your hosting provider to take you offline, and will publicly credit your
+work:
+
+- Test only against your own self-hosted instance, the public demo at
+  <https://kensaur.us/mushi-mushi/admin/>, or accounts you own.
+- Do not access, exfiltrate, or modify data belonging to other users.
+- Do not run automated scanning that affects availability for others
+  (rate-limit your tooling, exclude `/health`).
+- Disclose privately first (channels above); do not publish before the
+  embargo above expires.
+- Do not intentionally exploit a finding to escalate beyond proving it
+  exists.
+
+If a finding requires touching production data to confirm, **stop and
+ask first** — describe what you'd need to do and we'll spin up a sandbox.
+
+### Hall of fame
 
-We will acknowledge receipt within 48 hours and aim to release a patch within 7 days for critical issues.
+Researchers who report a confirmed vulnerability are credited in the
+release notes for the patched version and added to
+[`docs/SECURITY_HALL_OF_FAME.md`](./docs/SECURITY_HALL_OF_FAME.md) (with
+permission).
 
 ## Scope
 
@@ -48,6 +92,125 @@ We will acknowledge receipt within 48 hours and aim to release a patch within 7
 - **Rotate API keys** regularly via the admin console
 - **Enable SSO** for team projects (Enterprise tier)
 - **Review audit logs** periodically for suspicious activity
+- **Verify SDK integrity** with `npm audit signatures` after install
+- **Set `Content-Security-Policy`** on any page embedding the Mushi widget;
+  the widget itself ships with `script-src 'self'` and does not load
+  remote scripts.
+
+## Threat model
+
+What we treat as in-scope attacker capabilities, and what we don't.
+
+| Capability | In scope | Notes |
+|-----------|----------|-------|
+| Unauthenticated network attacker hitting public endpoints | ✅ | Rate-limit + HMAC + replay protection on every webhook endpoint (`packages/server/supabase/functions/_shared/webhook-middleware.ts`). |
+| Authenticated user trying to read another tenant's data | ✅ | Postgres RLS on every `public.*` table; advisor lints reviewed monthly. |
+| Authenticated user trying to escalate to super-admin | ✅ | Role lives in `auth.users.raw_app_meta_data.role`; cannot be self-edited via PostgREST. |
+| Compromised dependency (npm supply-chain attack) | ✅ | 7-day cooldown + provenance + Harden-Runner + pinned SHAs (see "Supply-chain hardening" below). |
+| Stolen API key | ✅ | Per-key scopes (`api_key_has_scope`), revocation via admin console, audit log of every use. |
+| User pasting a Stripe / OpenAI / GitHub PAT into a bug report | ✅ | PII scrubber redacts ~15 vendor token formats client-side before the report leaves the device. Mirrors `packages/core/src/pii-scrubber.ts` across iOS, Android, Flutter, React Native. |
+| Stolen end-user device with the SDK installed | ⚠️ partial | Offline queue is AsyncStorage / Keychain / SharedPreferences — no app-level encryption beyond the OS default. Reports waiting to flush are vulnerable to a forensic attacker. |
+| Compromised Supabase service-role key | ❌ | Treated as a tier-0 incident; would require key rotation and audit-log forensics. Not defendable in software. |
+| Compromise of `kensaurus@gmail.com` | ❌ | Treated as a project-fork event; downstream consumers should pin to the last known-good version and follow the new release channel. |
+| Physical / OS-level attacker on an end-user device | ❌ | Out of scope. |
+| Malicious fork using the Mushi name to ship malware | ❌ (technical) ✅ (legal) | The MIT/BSL grant lets the fork exist; the trademark policy (`TRADEMARK.md`) makes shipping it under the Mushi name an infringement we will pursue. |
+
+## Data handling and PII
+
+### What the SDK collects by default
+
+| Field | Scope | PII risk |
+|-------|-------|----------|
+| URL / route the user was on | Always | Low — strip query strings if your routes encode user IDs. |
+| Browser / OS / device | Always | None |
+| Console errors (last 50) | Opt-in via `captureConsole: true` | Medium — can include user data your code logs. |
+| Network failures (URL + status) | Opt-in via `captureNetwork: true` | Medium — query params logged as-is unless you redact in-app. |
+| User id / email / role | Only if you call `setUser()` | High — only set what you need; we do not auto-discover. |
+| Session replay frames | Off by default | High — handled by the masking layer; passwords / cards / opted-out elements never leave the page. |
+| Free-text bug description | Always | Medium — passed through the PII scrubber (see below). |
+
+### What the PII scrubber redacts before send
+
+Implemented identically across `@mushi-mushi/core`, the iOS, Android,
+Flutter, and React Native SDKs. Defaults are below — every category can
+be toggled off, but `secretTokens` is on by default and we recommend
+keeping it that way.
+
+| Category | Default | Patterns |
+|----------|---------|----------|
+| `ssns` | on | `123-45-6789` |
+| `creditCards` | on | 12–19 digit Luhn-shaped sequences with optional separators |
+| `secretTokens` | on | AWS access key (`AKIA…` / `ASIA…`), AWS secret (`aws_secret_access_key=…`), Stripe (`sk_live_…`, `sk_test_…`, `rk_…`, `pk_…`), Slack (`xox[abpor]-…`), GitHub PAT (`ghp_…`, `github_pat_…`), OpenAI (`sk-…`, `sk-proj-…`), Anthropic (`sk-ant-…`), Google API (`AIza…`), JWT (`eyJ…` 3-segment) |
+| `emails` | on | RFC-5322 lite |
+| `phones` | on | E.164 with optional country code |
+| `ipAddresses` | off | IPv4 (off because internal IPs are usually not PII and noise hurts triage) |
+| `ipv6` | off | Same |
+
+The fields scrubbed are:
+
+- `description` — primary free-text field of every bug report
+- `summary` — short summary, in the same composer
+- `breadcrumbs[].message` — auto-captured user-action trail (clicks, route changes, console messages)
+
+Structured fields you set explicitly (`metadata.userEmail`,
+`metadata.userId`, etc.) are intentionally **not** scrubbed — those are
+opt-in attribution data, and silently rewriting them would break
+support workflows.
+
+### Where data lives
+
+- **Reports & telemetry** — Supabase Postgres in the `us-west-1` region.
+- **Session replays** — Supabase Storage, same region. Lifecycle policy
+  trims replays older than 30 days unless explicitly retained from the
+  admin console.
+- **Inbound webhook bodies** — only a SHA-256 hash + `delivery_id` of
+  the body is persisted (`webhook_audit_log`). The full body is
+  processed in memory and discarded.
+- **Outbound integrations** (Slack, Jira, …) — Mushi is a sender only;
+  the receiving system's retention applies.
+
+### Encryption
+
+| Surface | At rest | In transit |
+|---------|---------|------------|
+| Postgres (Supabase) | AES-256 (Supabase default) | TLS 1.2+ |
+| Supabase Storage (replays) | AES-256 | TLS 1.2+ |
+| Edge Function ↔ Postgres | — | TLS via the Supavisor pooler |
+| SDK ↔ ingest endpoint | — | TLS 1.2+ enforced; HSTS preload on `kensaur.us` |
+| Inbound webhooks | — | TLS terminated at CloudFront / Supabase edge |
+| Audit log integrity | append-only by RLS; no in-row signing | — |
+
+### Cryptographic primitives
+
+| Use | Algorithm | Implementation |
+|-----|-----------|---------------|
+| Webhook HMAC verification (Sentry, GitHub, Datadog, Honeycomb, Grafana, Bugsnag, Rollbar, Crashlytics) | HMAC-SHA256, constant-time compare | Web Crypto in Deno; `crypto.subtle.timingSafeEqual` analogue |
+| AWS SNS subscription confirmation | RSA-SHA1 / RSA-SHA256 | Deno `crypto.subtle.verify` with the cert from `SigningCertURL` (URL allow-listed to `*.sns.*.amazonaws.com`) |
+| Opsgenie JWT shared-token | HS256 with `aud` claim verification | `jose` (Deno-compatible) |
+| API-key hashing (database) | SHA-256 prefix + bcrypt secret half | `pgcrypto` |
+| Provenance attestations (npm) | Sigstore (Fulcio + Rekor) | `npm publish --provenance` |
+
+We deliberately do not roll our own crypto. If you find an algorithm or
+library above that has been deprecated, please file a security advisory.
+
+### Operator security checklist
+
+When you provision a new self-hosted Mushi instance:
+
+- [ ] Set `auth_leaked_password_protection = true` in Supabase Auth
+      (HaveIBeenPwned blocklist; flagged as `auth_leaked_password_protection`
+      in the security advisor).
+- [ ] Enable at least two MFA factors in Supabase Auth (`auth_insufficient_mfa_options`).
+- [ ] Rotate the service-role key on day 1, then quarterly.
+- [ ] Restrict Postgres direct connections to your CI / migration runners
+      via Supabase network restrictions.
+- [ ] Run `pnpm dlx supabase advisors --project-ref <ref>` after every
+      migration; aim for zero ERROR-level findings.
+- [ ] Configure a Supabase log drain to your SIEM if you are subject to
+      SOC 2 / ISO 27001.
+- [ ] Set CSP `frame-ancestors` on the host page if you embed the Mushi
+      widget (the widget is iframe-friendly but does not enforce
+      framing constraints itself).
 
 ## Supply-chain hardening (how this package is protected)
 

package/dist/chunk-LBQX6RYS.js

@@ -0,0 +1,6 @@
+// src/version.ts
+var MUSHI_CLI_VERSION = true ? "0.7.0" : "0.0.0-dev";
+
+export {
+  MUSHI_CLI_VERSION
+};

package/dist/index.js

@@ -275,7 +275,6 @@ function collectDeps(pkg) {
 }
 
 // src/endpoint.ts
-var DEFAULT_ENDPOINT = "https://api.mushimushi.dev";
 var TEST_REPORT_TIMEOUT_MS = 1e4;
 var TEST_REPORT_FETCH_TIMEOUT_MS = TEST_REPORT_TIMEOUT_MS;
 function assertEndpoint(url) {
@@ -293,10 +292,14 @@ function assertEndpoint(url) {
   return parsed.origin + (parsed.pathname === "/" ? "" : parsed.pathname);
 }
 function normalizeEndpoint(url) {
-  const input = url ?? DEFAULT_ENDPOINT;
-  let end = input.length;
-  while (end > 0 && input.charCodeAt(end - 1) === 47) end--;
-  return input.slice(0, end);
+  if (!url) {
+    throw new Error(
+      "No API endpoint configured. Run `mushi init` or set MUSHI_API_ENDPOINT. Set endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api"
+    );
+  }
+  let end = url.length;
+  while (end > 0 && url.charCodeAt(end - 1) === 47) end--;
+  return url.slice(0, end);
 }
 
 // src/freshness.ts
@@ -454,7 +457,7 @@ function getFrameworkFromPkg(pkg) {
 }
 
 // src/version.ts
-var MUSHI_CLI_VERSION = true ? "0.6.1" : "0.0.0-dev";
+var MUSHI_CLI_VERSION = true ? "0.7.0" : "0.0.0-dev";
 
 // src/init.ts
 var ENV_FILES = [".env.local", ".env"];
@@ -490,7 +493,8 @@ async function runInit(options = {}) {
   }
   writeEnvFile(cwd, credentials.apiKey, credentials.projectId, framework);
   persistCliConfig(credentials.apiKey, credentials.projectId);
-  printNextSteps(framework, credentials.apiKey, credentials.projectId);
+  const enableRewards = await maybeEnableRewards(options);
+  printNextSteps(framework, credentials.apiKey, credentials.projectId, enableRewards);
   await maybeSendTestReport(credentials, options);
   p.outro("Setup complete. Happy bug squashing \u{1F41B}");
 }
@@ -589,13 +593,13 @@ async function promptText(opts) {
 }
 async function installPackages(pm, packages, cwd) {
   const command = installCommand(pm, packages);
-  const spinner2 = p.spinner();
-  spinner2.start(`Installing ${packages.join(", ")} via ${pm}\u2026`);
+  const spinner3 = p.spinner();
+  spinner3.start(`Installing ${packages.join(", ")} via ${pm}\u2026`);
   try {
     await runCommand(pm, packages, cwd);
-    spinner2.stop(`Installed ${packages.join(", ")}`);
+    spinner3.stop(`Installed ${packages.join(", ")}`);
   } catch (err) {
-    spinner2.stop(`Install failed \u2014 run \`${command}\` manually.`);
+    spinner3.stop(`Install failed \u2014 run \`${command}\` manually.`);
     p.log.error(err instanceof Error ? err.name + ": " + err.message : String(err));
   }
 }
@@ -669,13 +673,34 @@ function persistCliConfig(apiKey, projectId) {
   const existing = loadConfig();
   saveConfig({ ...existing, apiKey, projectId });
 }
-function printNextSteps(framework, apiKey, projectId) {
+function printNextSteps(framework, apiKey, projectId, enableRewards = false) {
   p.note(framework.snippet(apiKey, projectId), "Add this to your app:");
+  if (enableRewards) {
+    const badgeSnippet = framework.id === "react" ? `// Add to your user menu or profile UI:
+import { MushiRewardsBadge } from '@mushi-mushi/react';
+
+// Inside your component:
+<MushiRewardsBadge showPoints />` : `// Add to your user menu:
+// import { MushiRewardsBadge } from '@mushi-mushi/react';
+// <MushiRewardsBadge showPoints />`;
+    p.note(badgeSnippet, "Rewards badge snippet:");
+    p.log.info("Enable rewards in your project settings at https://kensaur.us/mushi-mushi/rewards");
+    p.log.info("Users will earn points for bug reports, screen navigation, and app activity.");
+  }
   p.log.message("Verify the install:");
   p.log.message("  \u2022 Start your dev server");
   p.log.message("  \u2022 Look for the \u{1F41B} button in the bottom-right corner (or shake on mobile)");
   p.log.message("  \u2022 Submit a test report \u2014 it should appear at https://kensaur.us/mushi-mushi/reports");
 }
+async function maybeEnableRewards(options) {
+  if (options.yes) return false;
+  const answer = await p.confirm({
+    message: "Enable Mushi Rewards? (users earn points for bug reports + app activity)",
+    initialValue: false
+  });
+  if (p.isCancel(answer)) return false;
+  return Boolean(answer);
+}
 async function maybeSendTestReport(credentials, options) {
   if (options.sendTestReport === false) return;
   let shouldSend;
@@ -690,8 +715,15 @@ async function maybeSendTestReport(credentials, options) {
     shouldSend = answer;
   }
   if (!shouldSend) return;
-  const spinner2 = p.spinner();
-  spinner2.start("Sending test report\u2026");
+  if (!options.endpoint) {
+    p.note(
+      "No endpoint configured \u2014 skipping test report.\nSet endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api",
+      "Skipped"
+    );
+    return;
+  }
+  const spinner3 = p.spinner();
+  spinner3.start("Sending test report\u2026");
   const endpoint = normalizeEndpoint(options.endpoint);
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), TEST_REPORT_FETCH_TIMEOUT_MS);
@@ -723,17 +755,24 @@ async function maybeSendTestReport(credentials, options) {
       })
     });
     if (!res.ok) {
-      spinner2.stop(`Test report rejected (HTTP ${res.status}).`);
+      spinner3.stop(`Test report rejected (HTTP ${res.status}).`);
       p.log.warn(
         res.status === 401 || res.status === 403 ? "Credentials did not authenticate \u2014 double-check the project ID and API key." : "Skipping test report. You can retry with `mushi test`."
       );
       return;
     }
-    spinner2.stop("Test report sent.");
-    p.log.success("View it at https://kensaur.us/mushi-mushi/reports");
+    spinner3.stop("Test report sent.");
+    let reportId;
+    try {
+      const body = await res.json();
+      reportId = body.data?.reportId;
+    } catch {
+    }
+    const reportPath = reportId ? `/reports/${reportId}` : "/reports";
+    p.log.success(`View it at https://kensaur.us/mushi-mushi/admin${reportPath}`);
   } catch (err) {
     const aborted = err instanceof Error && err.name === "AbortError";
-    spinner2.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");
+    spinner3.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");
     p.log.warn(err instanceof Error ? err.message : String(err));
   } finally {
     clearTimeout(timer);
@@ -828,7 +867,7 @@ var MIGRATE_CATALOG = [
     category: "competitor",
     status: "published",
     detectionLabel: pkgs[0],
-    match: (d) => pkgs.some((p2) => d.has(p2))
+    match: (d) => pkgs.some((p3) => d.has(p3))
   }))
 ];
 function titleForCompetitor(slug) {
@@ -860,10 +899,10 @@ function depsFromPackageJson(pkg) {
 }
 function runMigrate(opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
-  const log2 = opts.log ?? ((s) => console.log(s));
+  const log3 = opts.log ?? ((s) => console.log(s));
   const pkg = readPackageJson(cwd);
   if (!pkg) {
-    log2(
+    log3(
       opts.json ? JSON.stringify({ ok: false, error: "no-package-json", cwd, matches: [] }, null, 2) : `No package.json found in ${cwd}. Run \`mushi migrate\` from your project root.`
     );
     return { matches: [] };
@@ -871,7 +910,7 @@ function runMigrate(opts = {}) {
   const deps = depsFromPackageJson(pkg);
   const matches = detectMigrations(deps);
   if (opts.json) {
-    log2(
+    log3(
       JSON.stringify(
         {
           ok: true,
@@ -891,26 +930,173 @@ function runMigrate(opts = {}) {
     return { matches };
   }
   if (matches.length === 0) {
-    log2("No migrations suggested for this project.");
-    log2(`Browse the full catalog: ${DOCS_BASE}/migrations`);
+    log3("No migrations suggested for this project.");
+    log3(`Browse the full catalog: ${DOCS_BASE}/migrations`);
     return { matches };
   }
-  log2(`Suggested migration${matches.length > 1 ? "s" : ""} for this project:`);
-  log2("");
+  log3(`Suggested migration${matches.length > 1 ? "s" : ""} for this project:`);
+  log3("");
   for (const { guide, url } of matches) {
-    log2(`  \u2022 ${guide.title}`);
-    if (guide.detectionLabel) log2(`    detected: ${guide.detectionLabel}`);
-    log2(`    ${guide.summary}`);
-    log2(`    ${url}`);
-    log2("");
+    log3(`  \u2022 ${guide.title}`);
+    if (guide.detectionLabel) log3(`    detected: ${guide.detectionLabel}`);
+    log3(`    ${guide.summary}`);
+    log3(`    ${url}`);
+    log3("");
   }
-  log2(`Browse the full catalog: ${DOCS_BASE}/migrations`);
+  log3(`Browse the full catalog: ${DOCS_BASE}/migrations`);
   return { matches };
 }
 
+// src/sourcemaps.ts
+import { createReadStream } from "fs";
+import { readFile, readdir } from "fs/promises";
+import { createHash } from "crypto";
+import { join as join5, relative, basename } from "path";
+import * as p2 from "@clack/prompts";
+async function findMapFiles(dir) {
+  const results = [];
+  async function walk(current) {
+    const entries = await readdir(current, { withFileTypes: true });
+    for (const e of entries) {
+      const full = join5(current, e.name);
+      if (e.isDirectory()) {
+        await walk(full);
+      } else if (e.isFile() && (e.name.endsWith(".js.map") || e.name.endsWith(".css.map"))) {
+        results.push(full);
+      }
+    }
+  }
+  await walk(dir);
+  return results;
+}
+function fileHash(path) {
+  return new Promise((resolve2, reject) => {
+    const hash = createHash("sha256");
+    const stream = createReadStream(path);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve2(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+async function uploadFile(filePath, release, endpoint, apiKey) {
+  const sha256 = await fileHash(filePath);
+  try {
+    const checkRes = await fetch(
+      `${endpoint}/v1/sourcemaps?sha256=${encodeURIComponent(sha256)}&release=${encodeURIComponent(release)}`,
+      { headers: { Authorization: `Bearer ${apiKey}`, "X-Mushi-Api-Key": apiKey } }
+    );
+    if (checkRes.ok) {
+      const json = await checkRes.json();
+      if (json.exists) return { ok: true, skipped: true };
+    }
+  } catch {
+  }
+  const contents = await readFile(filePath);
+  const form = new FormData();
+  form.append("file", new Blob([contents]), basename(filePath));
+  form.append("filename", relative(process.cwd(), filePath).replaceAll("\\", "/"));
+  form.append("release", release);
+  form.append("sha256", sha256);
+  const res = await fetch(`${endpoint}/v1/sourcemaps`, {
+    method: "POST",
+    headers: { Authorization: `Bearer ${apiKey}`, "X-Mushi-Api-Key": apiKey },
+    body: form
+  });
+  if (!res.ok) {
+    const text2 = await res.text().catch(() => "");
+    return {
+      ok: false,
+      skipped: false,
+      reason: `HTTP ${res.status}: ${text2.slice(0, 120)}`
+    };
+  }
+  return { ok: true, skipped: false };
+}
+async function runSourcemapsUpload(opts) {
+  const endpoint = opts.endpoint ?? process.env["MUSHI_API_ENDPOINT"] ?? "";
+  const apiKey = opts.apiKey ?? process.env["MUSHI_API_KEY"] ?? "";
+  if (!opts.dryRun && !endpoint) {
+    p2.log.error(
+      "No API endpoint configured. Pass --endpoint <url>, set MUSHI_API_ENDPOINT,\n  or run `mushi config endpoint <url>` to persist it. For Supabase self-hosting,\n  this is your edge-functions URL, e.g. https://xyz.supabase.co/functions/v1/api"
+    );
+    process.exit(1);
+  }
+  if (!opts.dryRun && !apiKey) {
+    p2.log.error("No API key \u2014 set MUSHI_API_KEY or pass --api-key <key>");
+    process.exit(1);
+  }
+  if (!opts.silent) p2.intro(`sourcemaps upload \xB7 release ${opts.release}`);
+  const spin = p2.spinner();
+  spin.start(`Scanning ${opts.dir} for .map files\u2026`);
+  let files;
+  try {
+    files = await findMapFiles(opts.dir);
+  } catch (err) {
+    spin.stop("Scan failed");
+    p2.log.error(
+      `Cannot read ${opts.dir}: ${err instanceof Error ? err.message : String(err)}`
+    );
+    process.exit(1);
+  }
+  spin.stop(
+    `Found ${files.length} map file${files.length === 1 ? "" : "s"}`
+  );
+  if (files.length === 0) {
+    p2.log.warn("No .js.map or .css.map files found \u2014 nothing to upload.");
+    return;
+  }
+  if (opts.dryRun) {
+    p2.log.info("Dry run \u2014 files that would be uploaded:");
+    for (const f of files) {
+      p2.log.message(`  ${relative(process.cwd(), f).replaceAll("\\", "/")}`);
+    }
+    p2.outro(`${files.length} file${files.length === 1 ? "" : "s"} would be uploaded`);
+    return;
+  }
+  let uploaded = 0;
+  let skipped = 0;
+  let failed = 0;
+  for (const filePath of files) {
+    const rel = relative(process.cwd(), filePath).replaceAll("\\", "/");
+    const fs = p2.spinner();
+    fs.start(rel);
+    const result = await uploadFile(filePath, opts.release, endpoint, apiKey);
+    if (result.skipped) {
+      fs.stop(`\u21A9  ${rel} (already uploaded)`);
+      skipped++;
+    } else if (result.ok) {
+      fs.stop(`\u2713  ${rel}`);
+      uploaded++;
+    } else {
+      fs.stop(`\u2717  ${rel} \u2014 ${result.reason ?? "unknown error"}`);
+      failed++;
+    }
+  }
+  const total = files.length;
+  const parts = [
+    `Uploaded ${uploaded} / ${total} file${total === 1 ? "" : "s"}`,
+    skipped > 0 ? `(${skipped} already existed)` : "",
+    failed > 0 ? `\u2014 ${failed} failed` : ""
+  ].filter(Boolean);
+  const summary = parts.join(" ");
+  if (!opts.silent) {
+    if (failed > 0) {
+      p2.log.error(summary);
+    } else {
+      p2.outro(summary);
+    }
+  }
+  if (failed > 0) process.exit(1);
+}
+
 // src/index.ts
 async function apiCall(path, config, options = {}) {
-  const endpoint = config.endpoint ?? DEFAULT_ENDPOINT;
+  const endpoint = config.endpoint;
+  if (!endpoint) {
+    throw new Error(
+      "No API endpoint configured. Run `mushi init` or set MUSHI_API_ENDPOINT. Set endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api"
+    );
+  }
   const res = await fetch(`${endpoint}${path}`, {
     ...options,
     headers: {
@@ -1018,7 +1204,13 @@ deploy.command("check").description("Check edge function health").action(async (
     console.error("Run `mushi login` first");
     process.exit(1);
   }
-  const endpoint = config.endpoint ?? "https://api.mushimushi.dev";
+  if (!config.endpoint) {
+    console.error(
+      "No API endpoint configured. Run `mushi init` or set MUSHI_API_ENDPOINT.\nSet endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api"
+    );
+    process.exit(1);
+  }
+  const endpoint = config.endpoint;
   try {
     const res = await fetch(`${endpoint}/health`);
     console.log(`Health: ${res.status === 200 ? "OK" : "FAIL"} (${res.status})`);
@@ -1036,12 +1228,12 @@ program.command("index <path>").description("Walk a local repo and upload code c
     console.error("Set projectId via `mushi config projectId <id>`");
     process.exit(1);
   }
-  const { readdir, readFile, stat } = await import("fs/promises");
+  const { readdir: readdir2, readFile: readFile2, stat } = await import("fs/promises");
   const nodePath = await import("path");
   const SKIP = /node_modules|\.git|dist|build|\.next|\.turbo|coverage/;
   const EXTS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".go", ".rs"]);
   async function* walk(dir) {
-    const entries = await readdir(dir, { withFileTypes: true });
+    const entries = await readdir2(dir, { withFileTypes: true });
     for (const e of entries) {
       const full = nodePath.join(dir, e.name);
       if (SKIP.test(full)) continue;
@@ -1057,24 +1249,24 @@ program.command("index <path>").description("Walk a local repo and upload code c
     if (opts.language && opts.language !== lang) continue;
     const stats = await stat(file);
     if (stats.size > 5e5) continue;
-    const source = await readFile(file, "utf8");
-    const relative = nodePath.relative(root, file).replaceAll("\\", "/");
+    const source = await readFile2(file, "utf8");
+    const relative2 = nodePath.relative(root, file).replaceAll("\\", "/");
     count++;
     bytes += source.length;
     if (opts.dryRun) {
-      console.log(`  ${relative} (${source.length} bytes)`);
+      console.log(`  ${relative2} (${source.length} bytes)`);
       continue;
     }
     const res = await apiCall("/v1/admin/codebase/upload", config, {
       method: "POST",
       body: JSON.stringify({
         projectId: config.projectId,
-        filePath: relative,
+        filePath: relative2,
         source
       })
     });
-    if (!res.ok) console.error(`  FAIL ${relative}: ${res.error ?? "unknown"}`);
-    else process.stdout.write(`  ${relative} \u2192 ${res.chunks ?? 0} chunks
+    if (!res.ok) console.error(`  FAIL ${relative2}: ${res.error ?? "unknown"}`);
+    else process.stdout.write(`  ${relative2} \u2192 ${res.chunks ?? 0} chunks
 `);
   }
   console.log(`Indexed ${count} files (${(bytes / 1024).toFixed(1)} KB) into project ${config.projectId}`);
@@ -1107,4 +1299,64 @@ program.command("test").description("Submit a test report to verify pipeline").a
   });
   console.log("Test report submitted:", JSON.stringify(data, null, 2));
 });
+var sourcemaps = program.command("sourcemaps").description("Source map management");
+sourcemaps.command("upload").description("Upload source map files to the Mushi platform (idempotent, sha256-keyed)").requiredOption("--release <version>", "Release version (e.g. 1.0.0 or git SHA)").option("--dir <path>", "Directory containing source maps", "./dist").option("--dry-run", "List files that would be uploaded without uploading").option("-e, --endpoint <url>", "API endpoint (overrides MUSHI_API_ENDPOINT)").option("--api-key <key>", "API key (overrides MUSHI_API_KEY)").option("--silent", "Suppress progress output (exit code still reflects failure)").action(async (opts) => {
+  await runSourcemapsUpload({
+    release: opts.release,
+    dir: opts.dir,
+    dryRun: opts.dryRun,
+    endpoint: opts.endpoint,
+    apiKey: opts.apiKey,
+    silent: opts.silent
+  });
+});
+program.command("sync-lessons").description("Sync promoted lessons from Mushi into .mushi/lessons.json in this repo").option("--cwd <path>", "Target directory (default: current working dir)").option("--dry-run", "Print what would be written without writing").option("--json", "Machine-readable JSON output").action(async (opts) => {
+  const { writeFile, mkdir } = await import("fs/promises");
+  const nodePath = await import("path");
+  const config = loadConfig();
+  if (!config.apiKey) {
+    console.error("Run `mushi login` first");
+    process.exit(1);
+  }
+  if (!config.projectId) {
+    console.error("Set projectId via `mushi config projectId <id>`");
+    process.exit(1);
+  }
+  const cwd = opts.cwd ?? process.cwd();
+  const target = nodePath.join(cwd, ".mushi", "lessons.json");
+  const res = await apiCall(
+    `/v1/admin/lessons?projectId=${config.projectId}&limit=500`,
+    config
+  );
+  if (!res.ok || !res.data) {
+    console.error("Failed to fetch lessons:", res.error ?? JSON.stringify(res));
+    process.exit(1);
+  }
+  const lessons = res.data.map((l) => ({
+    id: l.id,
+    rule: l.rule_text,
+    anti_pattern: l.anti_pattern ?? void 0,
+    severity: l.severity,
+    frequency: l.frequency,
+    last_reinforced: l.last_reinforced_at?.slice(0, 10) ?? "",
+    cluster_id: l.cluster_id ?? void 0
+  }));
+  const output = {
+    schema_version: "1",
+    project_id: config.projectId,
+    generated_at: (/* @__PURE__ */ new Date()).toISOString(),
+    lessons
+  };
+  if (opts.dryRun) {
+    console.log(JSON.stringify(output, null, 2));
+    return;
+  }
+  await mkdir(nodePath.dirname(target), { recursive: true });
+  await writeFile(target, JSON.stringify(output, null, 2) + "\n", "utf8");
+  if (opts.json) {
+    console.log(JSON.stringify({ ok: true, path: target, count: lessons.length }));
+  } else {
+    console.log(`\u2713 Wrote ${lessons.length} lessons to ${target}`);
+  }
+});
 program.parse();

package/dist/init.js

@@ -8,7 +8,7 @@ import {
 } from "./chunk-XHD3H54W.js";
 import {
   MUSHI_CLI_VERSION
-} from "./chunk-ZL3BTW32.js";
+} from "./chunk-LBQX6RYS.js";
 
 // src/init.ts
 import * as p from "@clack/prompts";
@@ -46,14 +46,17 @@ function tightenPermissions(path) {
 }
 
 // src/endpoint.ts
-var DEFAULT_ENDPOINT = "https://api.mushimushi.dev";
 var TEST_REPORT_TIMEOUT_MS = 1e4;
 var TEST_REPORT_FETCH_TIMEOUT_MS = TEST_REPORT_TIMEOUT_MS;
 function normalizeEndpoint(url) {
-  const input = url ?? DEFAULT_ENDPOINT;
-  let end = input.length;
-  while (end > 0 && input.charCodeAt(end - 1) === 47) end--;
-  return input.slice(0, end);
+  if (!url) {
+    throw new Error(
+      "No API endpoint configured. Run `mushi init` or set MUSHI_API_ENDPOINT. Set endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api"
+    );
+  }
+  let end = url.length;
+  while (end > 0 && url.charCodeAt(end - 1) === 47) end--;
+  return url.slice(0, end);
 }
 
 // src/freshness.ts
@@ -244,7 +247,8 @@ async function runInit(options = {}) {
   }
   writeEnvFile(cwd, credentials.apiKey, credentials.projectId, framework);
   persistCliConfig(credentials.apiKey, credentials.projectId);
-  printNextSteps(framework, credentials.apiKey, credentials.projectId);
+  const enableRewards = await maybeEnableRewards(options);
+  printNextSteps(framework, credentials.apiKey, credentials.projectId, enableRewards);
   await maybeSendTestReport(credentials, options);
   p.outro("Setup complete. Happy bug squashing \u{1F41B}");
 }
@@ -423,13 +427,34 @@ function persistCliConfig(apiKey, projectId) {
   const existing = loadConfig();
   saveConfig({ ...existing, apiKey, projectId });
 }
-function printNextSteps(framework, apiKey, projectId) {
+function printNextSteps(framework, apiKey, projectId, enableRewards = false) {
   p.note(framework.snippet(apiKey, projectId), "Add this to your app:");
+  if (enableRewards) {
+    const badgeSnippet = framework.id === "react" ? `// Add to your user menu or profile UI:
+import { MushiRewardsBadge } from '@mushi-mushi/react';
+
+// Inside your component:
+<MushiRewardsBadge showPoints />` : `// Add to your user menu:
+// import { MushiRewardsBadge } from '@mushi-mushi/react';
+// <MushiRewardsBadge showPoints />`;
+    p.note(badgeSnippet, "Rewards badge snippet:");
+    p.log.info("Enable rewards in your project settings at https://kensaur.us/mushi-mushi/rewards");
+    p.log.info("Users will earn points for bug reports, screen navigation, and app activity.");
+  }
   p.log.message("Verify the install:");
   p.log.message("  \u2022 Start your dev server");
   p.log.message("  \u2022 Look for the \u{1F41B} button in the bottom-right corner (or shake on mobile)");
   p.log.message("  \u2022 Submit a test report \u2014 it should appear at https://kensaur.us/mushi-mushi/reports");
 }
+async function maybeEnableRewards(options) {
+  if (options.yes) return false;
+  const answer = await p.confirm({
+    message: "Enable Mushi Rewards? (users earn points for bug reports + app activity)",
+    initialValue: false
+  });
+  if (p.isCancel(answer)) return false;
+  return Boolean(answer);
+}
 async function maybeSendTestReport(credentials, options) {
   if (options.sendTestReport === false) return;
   let shouldSend;
@@ -444,6 +469,13 @@ async function maybeSendTestReport(credentials, options) {
     shouldSend = answer;
   }
   if (!shouldSend) return;
+  if (!options.endpoint) {
+    p.note(
+      "No endpoint configured \u2014 skipping test report.\nSet endpoint to your Supabase edge function URL, e.g. https://xyz.supabase.co/functions/v1/api",
+      "Skipped"
+    );
+    return;
+  }
   const spinner2 = p.spinner();
   spinner2.start("Sending test report\u2026");
   const endpoint = normalizeEndpoint(options.endpoint);
@@ -484,7 +516,14 @@ async function maybeSendTestReport(credentials, options) {
       return;
     }
     spinner2.stop("Test report sent.");
-    p.log.success("View it at https://kensaur.us/mushi-mushi/reports");
+    let reportId;
+    try {
+      const body = await res.json();
+      reportId = body.data?.reportId;
+    } catch {
+    }
+    const reportPath = reportId ? `/reports/${reportId}` : "/reports";
+    p.log.success(`View it at https://kensaur.us/mushi-mushi/admin${reportPath}`);
   } catch (err) {
     const aborted = err instanceof Error && err.name === "AbortError";
     spinner2.stop(aborted ? "Timed out reaching the Mushi API." : "Could not reach the Mushi API.");

package/dist/version.js

@@ -1,6 +1,6 @@
 import {
   MUSHI_CLI_VERSION
-} from "./chunk-ZL3BTW32.js";
+} from "./chunk-LBQX6RYS.js";
 export {
   MUSHI_CLI_VERSION
 };

package/package.json

@@ -1,21 +1,21 @@
 {
   "name": "@mushi-mushi/cli",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "license": "MIT",
   "description": "CLI for Mushi Mushi — `mushi init` wizard installs the right SDK for your framework, plus report triage and pipeline health commands",
   "bin": {
     "mushi": "./dist/index.js"
   },
   "dependencies": {
-    "@clack/prompts": "^1.2.0",
+    "@clack/prompts": "^1.3.0",
     "commander": "^14.0.3"
   },
   "devDependencies": {
-    "@types/node": "^22.15.3",
-    "eslint": "^10.2.0",
+    "@types/node": "^22.19.17",
+    "eslint": "^10.3.0",
     "tsup": "^8.5.1",
-    "typescript": "^6.0.2",
-    "vitest": "^4.1.4",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5",
     "@mushi-mushi/eslint-config": "0.0.0"
   },
   "author": "Kenji Sakuramoto",

package/dist/chunk-ZL3BTW32.js

@@ -1,6 +0,0 @@
-// src/version.ts
-var MUSHI_CLI_VERSION = true ? "0.6.1" : "0.0.0-dev";
-
-export {
-  MUSHI_CLI_VERSION
-};