@prasenjeet/shipli 1.0.0

package/src/auditor.js

@@ -0,0 +1,524 @@
+const GEMINI_API_URL = 'https://generativelanguage.googleapis.com/v1beta/models';
+const CLAUDE_API_URL = 'https://api.anthropic.com/v1/messages';
+
+// ── Response format (shared across all prompts) ──
+
+const RESPONSE_FORMAT = `
+RESPONSE FORMAT (strict JSON):
+{
+  "summary": "One-paragraph overall assessment",
+  "score": "PASS" | "WARNING" | "FAIL",
+  "categories": [
+    {
+      "name": "Category Name",
+      "status": "PASS" | "WARNING" | "FAIL",
+      "findings": [
+        {
+          "severity": "pass" | "warning" | "fail",
+          "title": "Short finding title",
+          "detail": "Explanation with specific file/dependency references",
+          "guideline": "Relevant guideline or best practice reference"
+        }
+      ]
+    }
+  ],
+  "recommendations": ["Actionable recommendation 1", "Actionable recommendation 2"]
+}
+
+Be thorough but practical. Flag real risks, not theoretical ones. Reference specific file paths and dependency names in your findings.
+Respond ONLY with the JSON object, no markdown fencing, no extra text.`;
+
+// ── Store categories ──
+
+const IOS_STORE_CATEGORIES = `
+iOS APP STORE AUDIT CATEGORIES (evaluate each):
+1. PRIVACY & PERMISSIONS — Are all used sensitive APIs declared in Info.plist with descriptive, specific usage strings? Are there undeclared permissions implied by dependencies?
+2. DATA COLLECTION & TRACKING — Does the app collect user data? Is App Tracking Transparency needed? Are analytics/crash SDKs present?
+3. CONTENT & DESIGN — Does the app meet minimum functionality? Any signs of webview-only wrapping? Responsive layout issues?
+4. IN-APP PURCHASES — If payment/purchase code exists, is it using Apple's StoreKit/IAP? Signs of third-party payment for digital goods?
+5. LEGAL & COMPLIANCE — Privacy policy requirements, export compliance (encryption), COPPA concerns, age ratings?
+6. FORBIDDEN PATTERNS — Code push/dynamic code loading (not allowed by Apple), hot-patching, remote code execution?`;
+
+const ANDROID_STORE_CATEGORIES = `
+GOOGLE PLAY STORE AUDIT CATEGORIES (evaluate each):
+1. PERMISSIONS & DATA SAFETY — Are all declared permissions in AndroidManifest.xml necessary? Does the app comply with Google Play's Data Safety requirements? Are runtime permissions handled correctly?
+2. DATA COLLECTION & PRIVACY — Does the app collect personal/sensitive user data? Is a privacy policy provided? Does the app comply with Google Play's User Data policy?
+3. CONTENT & BEHAVIOR — Does the app contain restricted content (gambling, financial services, health)? Any deceptive behavior, ad fraud, or misleading functionality?
+4. BILLING & MONETIZATION — If the app sells digital goods, is it using Google Play Billing Library? Are subscriptions handled per Google Play policy?
+5. TARGET API LEVEL & COMPATIBILITY — Does the app target the required minimum API level? Are there compatibility issues with recent Android versions?
+6. MALWARE & ABUSE — Any signs of stalkerware, spyware, or abusive notifications? Does the app misuse device APIs or background services?`;
+
+const CODE_CATEGORIES = `
+CODE QUALITY AUDIT CATEGORIES (evaluate each):
+1. SECURITY — Hardcoded API keys, insecure HTTP calls, SQL injection, command injection, known vulnerable patterns?
+2. ARCHITECTURE — State management patterns, separation of concerns, proper layering, overly coupled components?
+3. ERROR HANDLING — try/catch coverage, error boundaries, crash handling, graceful degradation?
+4. PERFORMANCE — Heavy/problematic dependencies, unnecessary widget rebuilds, memory leaks, large synchronous operations on main thread?
+5. BEST PRACTICES — Proper dispose/lifecycle handling, null safety compliance, deprecated API usage, resource cleanup?
+6. DEPENDENCIES — Outdated/unmaintained packages, overly broad version constraints, misplaced dev dependencies?`;
+
+// ── System prompt builders ──
+
+function buildStorePrompt(platform) {
+  const isIos = platform === 'ios';
+  const isAndroid = platform === 'android';
+  const isBoth = platform === 'both';
+
+  const guidelinesRef = [];
+  if (isIos || isBoth) {
+    guidelinesRef.push('You have been provided the CURRENT Apple App Store Review Guidelines in the "APPLE_APP_STORE_GUIDELINES" section (if available). Cite specific Apple guideline section numbers (e.g., "5.1.1", "3.1.1").');
+  }
+  if (isAndroid || isBoth) {
+    guidelinesRef.push('You have been provided the CURRENT Google Play Developer Program Policies in the "GOOGLE_PLAY_GUIDELINES" section (if available). Cite specific Google Play policy names.');
+  }
+
+  const knowledge = [];
+  if (isIos || isBoth) {
+    knowledge.push(
+      "- Apple's App Store Review Guidelines (all sections)",
+      '- iOS privacy requirements (Info.plist usage descriptions, App Tracking Transparency)',
+      '- In-app purchase requirements (StoreKit vs third-party payment)',
+      '- Common iOS rejection reasons for Flutter apps',
+    );
+  }
+  if (isAndroid || isBoth) {
+    knowledge.push(
+      "- Google Play Developer Program Policies (all sections)",
+      '- Android permissions model and Data Safety requirements',
+      '- Google Play Billing Library requirements for digital goods',
+      '- Common Android rejection reasons for Flutter apps',
+    );
+  }
+  knowledge.push(
+    '- Data safety and encryption export compliance',
+    '- Minimum functionality and content policy requirements',
+  );
+
+  const evidence = ['- "PUBSPEC_METADATA": App name, version, and list of pub.dev package dependencies'];
+  if (isIos || isBoth) evidence.push('- "INFO_PLIST_PERMISSIONS": NS*UsageDescription keys from Info.plist');
+  if (isAndroid || isBoth) evidence.push('- "ANDROID_MANIFEST_PERMISSIONS": uses-permission entries from AndroidManifest.xml');
+  evidence.push('- "DART_SKELETONS": Architectural skeleton of Dart files');
+
+  const categories = [];
+  if (isIos || isBoth) categories.push(IOS_STORE_CATEGORIES);
+  if (isAndroid || isBoth) categories.push(ANDROID_STORE_CATEGORIES);
+
+  const platformLabel = isBoth ? 'Apple App Store and Google Play' : isIos ? 'Apple App Store' : 'Google Play Store';
+
+  return `You are an experienced ${platformLabel} reviewer conducting a pre-submission compliance audit of a Flutter/Dart application.
+
+${guidelinesRef.join('\n')}
+
+You have deep knowledge of:
+${knowledge.join('\n')}
+
+Focus ONLY on store compliance — not code quality or architecture.
+
+EVIDENCE FORMAT:
+${evidence.join('\n')}
+${categories.join('\n')}
+${RESPONSE_FORMAT}`;
+}
+
+function buildCodePrompt() {
+  return `You are a senior Flutter/Dart software engineer conducting a code quality and security review. You have deep knowledge of:
+
+- Flutter best practices, widget lifecycle, state management patterns
+- Dart language features, null safety, async patterns
+- Common security vulnerabilities in mobile apps (OWASP Mobile Top 10)
+- Performance optimization for Flutter (build methods, rebuilds, isolates)
+- Dependency management and pub.dev ecosystem health
+
+Focus ONLY on code quality, security, and engineering best practices — not store compliance or legal requirements.
+
+EVIDENCE FORMAT:
+- "PUBSPEC_METADATA": App name, version, and list of pub.dev package dependencies
+- "DART_SKELETONS": Architectural skeleton of Dart files
+${CODE_CATEGORIES}
+${RESPONSE_FORMAT}`;
+}
+
+function buildBothPrompt(platform) {
+  const isIos = platform === 'ios';
+  const isAndroid = platform === 'android';
+  const isBoth = platform === 'both';
+
+  const guidelinesRef = [];
+  if (isIos || isBoth) {
+    guidelinesRef.push('You have been provided the CURRENT Apple App Store Review Guidelines in the "APPLE_APP_STORE_GUIDELINES" section (if available). Cite specific Apple guideline numbers.');
+  }
+  if (isAndroid || isBoth) {
+    guidelinesRef.push('You have been provided the CURRENT Google Play Developer Program Policies in the "GOOGLE_PLAY_GUIDELINES" section (if available). Cite specific Google Play policy names.');
+  }
+
+  const knowledge = [];
+  if (isIos || isBoth) {
+    knowledge.push(
+      "- Apple's App Store Review Guidelines (all sections)",
+      '- iOS privacy requirements (Info.plist usage descriptions, App Tracking Transparency)',
+      '- In-app purchase requirements (StoreKit vs third-party payment)',
+    );
+  }
+  if (isAndroid || isBoth) {
+    knowledge.push(
+      "- Google Play Developer Program Policies (all sections)",
+      '- Android permissions model and Data Safety requirements',
+      '- Google Play Billing Library requirements',
+    );
+  }
+  knowledge.push(
+    '- Flutter best practices, widget lifecycle, state management patterns',
+    '- Common security vulnerabilities in mobile apps (OWASP Mobile Top 10)',
+    '- Performance optimization and dependency management',
+  );
+
+  const evidence = ['- "PUBSPEC_METADATA": App name, version, and list of pub.dev package dependencies'];
+  if (isIos || isBoth) evidence.push('- "INFO_PLIST_PERMISSIONS": NS*UsageDescription keys from Info.plist');
+  if (isAndroid || isBoth) evidence.push('- "ANDROID_MANIFEST_PERMISSIONS": uses-permission entries from AndroidManifest.xml');
+  evidence.push('- "DART_SKELETONS": Architectural skeleton of Dart files');
+
+  const categories = [];
+  if (isIos || isBoth) categories.push(IOS_STORE_CATEGORIES);
+  if (isAndroid || isBoth) categories.push(ANDROID_STORE_CATEGORIES);
+  categories.push(CODE_CATEGORIES);
+
+  const platformLabel = isBoth ? 'Apple App Store and Google Play' : isIos ? 'Apple App Store' : 'Google Play Store';
+
+  return `You are an experienced ${platformLabel} reviewer AND senior Flutter/Dart engineer conducting a comprehensive audit.
+
+${guidelinesRef.join('\n')}
+
+You have deep knowledge of:
+${knowledge.join('\n')}
+
+Analyze the provided Flutter project evidence and produce a comprehensive audit report covering both store compliance and code quality.
+
+EVIDENCE FORMAT:
+${evidence.join('\n')}
+${categories.join('\n')}
+${RESPONSE_FORMAT}`;
+}
+
+// ── Package prompt builders ──
+
+const PKG_STORE_CATEGORIES = `
+PACKAGE STORE AUDIT CATEGORIES (evaluate each):
+1. PLATFORM DECLARATIONS — Do declared platforms in pubspec match actual platform channel implementations? Are MethodChannel names consistent? Missing platforms?
+2. CONSUMER PERMISSIONS GUIDANCE — Does the plugin use sensitive APIs (camera, location, contacts, etc.)? If so, are the required Info.plist keys / AndroidManifest permissions documented for host apps?
+3. LEGAL & COMPLIANCE — License clarity, export compliance signals (encryption), data handling implications for consuming apps?`;
+
+const PKG_CODE_CATEGORIES = `
+PACKAGE CODE AUDIT CATEGORIES (evaluate each):
+1. API SURFACE & DOCUMENTATION — Is the public API clean and well-structured? Are exported symbols intentional? Clear entry point?
+2. DEPENDENCY HYGIENE — Are dependency constraints appropriate? Any problematic or heavy transitive dependencies? Should any deps be dev_dependencies?
+3. SECURITY — Hardcoded API keys, insecure HTTP calls, unsafe platform channel data handling?
+4. COMPATIBILITY & VERSIONING — Dart SDK constraints, Flutter SDK constraints, breaking change risks, deprecated API usage?
+5. EXAMPLE APP QUALITY — Does the example/ app exist and demonstrate key features? Is it a good integration test?
+6. FLUTTER-SPECIFIC — Proper dispose/lifecycle handling, memory leak risks, platform channel error handling, null safety compliance?`;
+
+function buildPkgStorePrompt() {
+  return `You are an experienced Flutter plugin reviewer focused on compliance and platform integration. You have deep knowledge of:
+
+- Flutter plugin architecture (platform channels, federated plugins)
+- iOS and Android platform integration requirements for Flutter plugins
+- Privacy and permission implications for consuming apps
+- Apple App Store Review Guidelines and Google Play Developer Policies as they affect plugins
+
+Focus ONLY on store compliance and consumer-facing requirements — not code quality.
+
+EVIDENCE FORMAT:
+- "PUBSPEC_METADATA": Package name, version, description, dependencies
+- "PLUGIN_PLATFORMS": Supported platforms and native integration classes
+- "DART_SKELETONS": Architectural skeleton of Dart files
+- "EXAMPLE_APP" (if present): Skeleton of the example/ app
+${PKG_STORE_CATEGORIES}
+${RESPONSE_FORMAT}`;
+}
+
+function buildPkgCodePrompt() {
+  return `You are a senior Flutter/Dart package engineer conducting a code quality review. You have deep knowledge of:
+
+- pub.dev scoring criteria (documentation, API design, maintenance, platform support)
+- Dart package best practices (semantic versioning, dependency constraints, export hygiene)
+- Flutter plugin architecture and platform channel patterns
+- Performance and memory management in plugins
+
+Focus ONLY on code quality, API design, and engineering best practices — not store compliance.
+
+EVIDENCE FORMAT:
+- "PUBSPEC_METADATA": Package name, version, description, dependencies
+- "PLUGIN_PLATFORMS": Supported platforms and native integration classes
+- "DART_SKELETONS": Architectural skeleton of Dart files
+- "EXAMPLE_APP" (if present): Skeleton of the example/ app
+${PKG_CODE_CATEGORIES}
+${RESPONSE_FORMAT}`;
+}
+
+function buildPkgBothPrompt() {
+  return `You are an experienced Flutter/Dart package reviewer and pub.dev quality auditor. You have deep knowledge of:
+
+- Flutter plugin architecture (platform channels, federated plugins, platform interface patterns)
+- pub.dev scoring criteria (documentation, API design, maintenance, platform support)
+- Dart package best practices (semantic versioning, dependency constraints, export hygiene)
+- iOS and Android platform integration requirements
+- Privacy and permission implications for consuming apps
+
+Analyze the provided Flutter package/plugin evidence and produce a comprehensive audit report.
+
+EVIDENCE FORMAT:
+- "PUBSPEC_METADATA": Package name, version, description, dependencies
+- "PLUGIN_PLATFORMS": Supported platforms and native integration classes
+- "DART_SKELETONS": Architectural skeleton of Dart files
+- "EXAMPLE_APP" (if present): Skeleton of the example/ app
+${PKG_STORE_CATEGORIES}
+${PKG_CODE_CATEGORIES}
+${RESPONSE_FORMAT}`;
+}
+
+// ── Prompt selection ──
+
+function selectPrompt(projectType, mode, platform) {
+  if (projectType === 'package') {
+    if (mode === 'store') return buildPkgStorePrompt();
+    if (mode === 'code') return buildPkgCodePrompt();
+    return buildPkgBothPrompt();
+  }
+  // App
+  if (mode === 'store') return buildStorePrompt(platform);
+  if (mode === 'code') return buildCodePrompt();
+  return buildBothPrompt(platform);
+}
+
+// ── Message builder ──
+
+function buildUserMessage({ files, exampleFiles, permissions, androidPermissions, pubspec, plistFound, androidManifestFound, projectType, appleGuidelines, googleGuidelines }) {
+  const sections = [];
+  const isPackage = projectType === 'package';
+
+  // Inject live guidelines as grounding context
+  if (appleGuidelines?.content) {
+    sections.push('=== APPLE_APP_STORE_GUIDELINES ===');
+    sections.push('(Apple App Store Review Guidelines)');
+    sections.push(appleGuidelines.content);
+  }
+
+  if (googleGuidelines?.content) {
+    sections.push('\n=== GOOGLE_PLAY_GUIDELINES ===');
+    sections.push('(Google Play Developer Program Policies)');
+    sections.push(googleGuidelines.content);
+  }
+
+  sections.push('\n=== PUBSPEC_METADATA ===');
+  sections.push(`${isPackage ? 'Package' : 'App'}: ${pubspec.name}${pubspec.version ? ` v${pubspec.version}` : ''}`);
+  if (pubspec.description) {
+    sections.push(`Description: ${pubspec.description}`);
+  }
+  sections.push(`Dependencies: ${pubspec.dependencies.join(', ') || '(none)'}`);
+  sections.push(`Dev Dependencies: ${pubspec.devDependencies.join(', ') || '(none)'}`);
+
+  if (isPackage && pubspec.pluginPlatforms) {
+    sections.push('\n=== PLUGIN_PLATFORMS ===');
+    for (const [platform, config] of Object.entries(pubspec.pluginPlatforms)) {
+      sections.push(`${platform}: ${JSON.stringify(config)}`);
+    }
+  }
+
+  // iOS permissions
+  if (!isPackage && plistFound !== undefined) {
+    sections.push('\n=== INFO_PLIST_PERMISSIONS ===');
+    if (!plistFound) {
+      sections.push('Info.plist NOT FOUND at ios/Runner/Info.plist');
+    } else if (Object.keys(permissions).length === 0) {
+      sections.push('No NS*UsageDescription keys found in Info.plist.');
+    } else {
+      for (const [key, value] of Object.entries(permissions)) {
+        sections.push(`${key}: "${value}"`);
+      }
+    }
+  }
+
+  // Android permissions
+  if (!isPackage && androidManifestFound !== undefined) {
+    sections.push('\n=== ANDROID_MANIFEST_PERMISSIONS ===');
+    if (!androidManifestFound) {
+      sections.push('AndroidManifest.xml NOT FOUND at android/app/src/main/AndroidManifest.xml');
+    } else if (androidPermissions.length === 0) {
+      sections.push('No <uses-permission> entries found in AndroidManifest.xml.');
+    } else {
+      for (const perm of androidPermissions) {
+        sections.push(perm);
+      }
+    }
+  }
+
+  sections.push('\n=== DART_SKELETONS ===');
+  for (const file of files) {
+    sections.push(`\n--- ${file.relativePath} ---`);
+    sections.push(file.skeleton);
+  }
+
+  if (exampleFiles && exampleFiles.length > 0) {
+    sections.push('\n=== EXAMPLE_APP ===');
+    for (const file of exampleFiles) {
+      sections.push(`\n--- example/${file.relativePath} ---`);
+      sections.push(file.skeleton);
+    }
+  } else if (isPackage) {
+    sections.push('\n=== EXAMPLE_APP ===');
+    sections.push('No example/ app found in this package.');
+  }
+
+  return sections.join('\n');
+}
+
+// ── API callers ──
+
+async function callGemini(userMessage, { apiKey, model, systemPrompt }) {
+  const url = `${GEMINI_API_URL}/${model}:generateContent`;
+
+  const body = {
+    system_instruction: { parts: [{ text: systemPrompt }] },
+    contents: [{ parts: [{ text: userMessage }] }],
+    generationConfig: {
+      temperature: 0.2,
+      responseMimeType: 'application/json',
+    },
+  };
+
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-goog-api-key': apiKey,
+    },
+    body: JSON.stringify(body),
+  });
+
+  if (!res.ok) {
+    const errBody = await res.text();
+    if (res.status === 400 && errBody.includes('API_KEY')) {
+      throw new Error('Invalid API key. Check your Gemini API key and try again.');
+    }
+    throw new Error(`Gemini API error (${res.status}): ${errBody}`);
+  }
+
+  const data = await res.json();
+  const text = data.candidates?.[0]?.content?.parts?.[0]?.text;
+
+  if (!text) {
+    const reason = data.candidates?.[0]?.finishReason;
+    throw new Error(`Gemini returned an empty response${reason ? ` (reason: ${reason})` : ''}`);
+  }
+
+  const usage = data.usageMetadata || {};
+  return {
+    text,
+    tokens: {
+      input: usage.promptTokenCount || null,
+      output: usage.candidatesTokenCount || null,
+      total: usage.totalTokenCount || null,
+    },
+  };
+}
+
+async function callClaude(userMessage, { apiKey, model, systemPrompt }) {
+  const body = {
+    model,
+    max_tokens: 8192,
+    system: systemPrompt,
+    messages: [{ role: 'user', content: userMessage }],
+    temperature: 0.2,
+  };
+
+  const res = await fetch(CLAUDE_API_URL, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-api-key': apiKey,
+      'anthropic-version': '2023-06-01',
+    },
+    body: JSON.stringify(body),
+  });
+
+  if (!res.ok) {
+    const errBody = await res.text();
+    if (res.status === 401) {
+      throw new Error('Invalid API key. Check your Anthropic API key and try again.');
+    }
+    throw new Error(`Claude API error (${res.status}): ${errBody}`);
+  }
+
+  const data = await res.json();
+  const text = data.content?.[0]?.text;
+
+  if (!text) {
+    throw new Error(`Claude returned an empty response (stop_reason: ${data.stop_reason || 'unknown'})`);
+  }
+
+  const usage = data.usage || {};
+  return {
+    text,
+    tokens: {
+      input: usage.input_tokens || null,
+      output: usage.output_tokens || null,
+      total: (usage.input_tokens || 0) + (usage.output_tokens || 0) || null,
+    },
+  };
+}
+
+// ── Main audit function ──
+
+function estimateTokens(text) {
+  return Math.ceil(text.length / 4);
+}
+
+// Context window limits (input tokens) with buffer for output
+const TOKEN_LIMITS = {
+  claude: 150_000,  // 200K context, reserve 50K for output
+  gemini: 900_000,  // 1M context, reserve 100K for output
+};
+
+export async function audit(evidence, { apiKey, model, provider, mode, platform }) {
+  const systemPrompt = selectPrompt(evidence.projectType, mode, platform);
+  const userMessage = buildUserMessage(evidence);
+
+  const estimated = {
+    system: estimateTokens(systemPrompt),
+    user: estimateTokens(userMessage),
+    total: estimateTokens(systemPrompt) + estimateTokens(userMessage),
+  };
+
+  // Safety check: warn if estimated tokens exceed provider limit
+  const limit = TOKEN_LIMITS[provider] || TOKEN_LIMITS.gemini;
+  if (estimated.total > limit) {
+    const pct = Math.round((estimated.total / limit) * 100);
+    throw new Error(
+      `Estimated input (~${estimated.total.toLocaleString()} tokens) exceeds ${provider} safe limit (~${limit.toLocaleString()} tokens) by ${pct - 100}%.\n` +
+      `  Try: --platform ios or --platform android (instead of both), or --mode store or --mode code (instead of both).`
+    );
+  }
+
+  if (estimated.total > limit * 0.8) {
+    const pct = Math.round((estimated.total / limit) * 100);
+    process.stderr.write(
+      `\x1b[33m  ⚠ Token usage is high (~${estimated.total.toLocaleString()} tokens, ${pct}% of ${provider} limit). Results may be truncated.\x1b[0m\n`
+    );
+  }
+
+  const response = provider === 'claude'
+    ? await callClaude(userMessage, { apiKey, model, systemPrompt })
+    : await callGemini(userMessage, { apiKey, model, systemPrompt });
+
+  const cleaned = response.text.replace(/^```(?:json)?\s*\n?/i, '').replace(/\n?```\s*$/i, '').trim();
+
+  try {
+    const result = JSON.parse(cleaned);
+    result._tokens = {
+      estimated,
+      actual: response.tokens,
+    };
+    return result;
+  } catch {
+    throw new Error(`Failed to parse AI response as JSON. Raw output:\n${response.text.slice(0, 500)}`);
+  }
+}

package/src/config.js

@@ -0,0 +1,42 @@
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+async function readConfigFile(filePath) {
+  try {
+    const content = await readFile(filePath, 'utf-8');
+    const parsed = JSON.parse(content);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+      throw new Error('Config must be a JSON object');
+    }
+    return parsed;
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    if (err instanceof SyntaxError) {
+      throw new Error(`Invalid JSON in ${filePath}: ${err.message}`);
+    }
+    throw err;
+  }
+}
+
+export async function loadConfig(projectDir) {
+  // Load home-level config first, then project-level overrides
+  const homeConfig = await readConfigFile(join(homedir(), '.shipli'));
+  const projectConfig = projectDir
+    ? await readConfigFile(join(projectDir, '.shipli'))
+    : null;
+
+  const merged = {
+    ...(homeConfig || {}),
+    ...(projectConfig || {}),
+  };
+
+  return {
+    provider: merged.provider || undefined,
+    model: merged.model || undefined,
+    key: merged.key || undefined,
+    type: merged.type || undefined,
+    mode: merged.mode || undefined,
+    platform: merged.platform || undefined,
+  };
+}

package/src/guidelines.js

@@ -0,0 +1,42 @@
+import { readFile } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const STORES = {
+  apple: {
+    file: join(__dirname, 'rules', 'appstore-rules.md'),
+    label: 'App Store',
+  },
+  google: {
+    file: join(__dirname, 'rules', 'android-rules.md'),
+    label: 'Play Store',
+  },
+};
+
+/**
+ * Load guidelines from bundled .md files.
+ * @param {'apple' | 'google'} store
+ */
+export async function fetchGuidelines(store = 'apple') {
+  const config = STORES[store];
+  if (!config) throw new Error(`Unknown store: ${store}`);
+
+  try {
+    const content = await readFile(config.file, 'utf-8');
+
+    return {
+      content,
+      source: 'bundled',
+      store,
+    };
+  } catch (err) {
+    return {
+      content: null,
+      source: 'unavailable',
+      store,
+      warning: `Could not load ${config.label} guidelines (${err.message}). Audit will use the AI model's built-in knowledge.`,
+    };
+  }
+}