@prompts-gpt/client 0.1.0 → 0.2.2

package/CHANGELOG.md

@@ -1,5 +1,100 @@
 # Changelog
 
+## Unreleased
+
+### Security
+
+- Validate `constraints` and `desiredOutput` length (max 1600 chars) client-side before network requests
+- Validate token prefix (`pgpt_`) in `saveLocalCredentials` to reject malformed tokens at save time
+- Sanitize Copilot prompt-file variable names to strip `$`, `{`, `}` injection characters
+- Sanitize managed-block content to prevent marker injection via prompt content
+- Validate API URL scheme (must be `https` or `http`) in `normalizeApiUrl`
+- Auto-generate client-side request IDs (`pgcli_*`) when caller doesn't provide one for correlation
+
+### Fixed
+
+- Fix package version mismatch between `package.json` (0.2.1) and CHANGELOG (0.2.2)
+- Fix npm publish failure on unsupported CI providers by removing forced provenance from package metadata
+- Fix race condition in file writes: use atomic `wx` flag with `EEXIST` catch instead of `existsSync` + `wx`
+- Fix `formatPromptMarkdown` producing double blank lines when both `usageNotes` and `variables` are empty
+- Fix `normalizeAgentTargets` deduplication when `all` is mixed with explicit targets (e.g. `all,codex`)
+- Fix `normalizeAgentTargets` returning empty array for empty string input
+- Fix `loadLocalCredentials` returning empty-string token instead of `null` for whitespace-only stored tokens
+- Fix `safeSlug` for unicode-only input by normalizing NFKD and stripping combining marks
+- Fix `ensureGitignoreEntry` to preserve CRLF line endings on Windows-style `.gitignore` files
+- Fix `parseRetryAfterHeader` to cap parsed values at 10 minutes, preventing unbounded waits
+- Fix `assertInside` / `assertSafeOutputDir` boundary comparison for paths at the project root
+- Fix `writePromptIndex` to escape `[` and `]` in Markdown link text to prevent broken rendering
+- Fix `yamlScalar` to handle multi-line strings by normalizing `\r\n` before quoting
+- Serialize agent file writes sequentially to prevent concurrent write races on shared files
+
+### Improvements
+
+- Add `--dry-run` flag to `sync` and `install-agents` commands for previewing changes
+- Add dedicated CLI exit code `4` for rate-limit errors (HTTP 429)
+- Use longer default timeout (60s) for prompt generation requests
+- Add `DEFAULT_GENERATE_TIMEOUT_MS` constant for prompt generation timeout
+
+### Packaging
+
+- Add npm `homepage` and `bugs.email` metadata so package consumers have a first-party support path from the registry page
+- Clarify the project-local CLI install path and pre-publish `npm pack --dry-run` verification flow in the README
+
+## 0.2.2 (2026-05-16)
+
+### Local Sync
+
+- Reject prompt filename collisions after slug normalization before writing local artifacts
+- Respect each prompt pack's declared `agentTargets` when generating Codex, Cursor, VS Code, and Copilot files
+- Skip existing non-managed agent files unless `--overwrite` is explicitly passed
+- Expand `manifest.json` with agent targets, recommended path, and generated file locations for downstream discovery
+- Emit GitHub Copilot prompt files in prompt-file format instead of generic prompt-pack Markdown
+- Add `.github/instructions/prompts-gpt.instructions.md` so Copilot treats synced agent artifacts as generated files
+
+## 0.2.1 (2026-05-16)
+
+### Packaging
+
+- Add an explicit `default` export target for better ESM consumer and bundler compatibility
+- Enable npm provenance on publish for stronger package registry attestation
+- Remove the redundant `typesVersions` entry and rely on the package `types` field plus export metadata
+
+### Documentation
+
+- Replace stale `npx`-only examples with `npm exec` flows that pin to the latest published package
+- Clarify that the importable SDK does not read `process.env` and requires explicit `fetch`
+- Align CI/CD examples with the real CLI contract of passing tokens as flags instead of ambient env reads
+- Document the packed artifact contents shipped to npm
+
+## 0.2.0 (2026-05-16)
+
+### Security
+
+- Token prefix validation now enforced client-side before any network request
+- Response content-type validation prevents processing non-JSON responses
+- Retry delay capped at 30 seconds to prevent retry-after abuse
+- Token length validation on `saveLocalCredentials` prevents oversized storage
+- Control characters stripped from shell-quoted CLI output
+
+### Improvements
+
+- Add `accept: application/json` header to all API requests
+- Validate response `content-type` before parsing JSON
+- Cap retry sleep to prevent unbounded waits from malicious `retry-after` headers
+- Improved error messages with structured `code` and `recovery` fields
+- Added `package.json` subpath export for bundler compatibility
+- Extended npm keywords for better discoverability
+- Added `typesVersions` for legacy TypeScript resolution
+
+### Fixed
+
+- Fixed potential timeout leak when retries re-create AbortControllers
+
+## 0.1.1 (2026-05-16)
+
+- Remove public GitHub repository metadata from the npm package manifest while the source repository remains non-public.
+- Preserve executable permissions for the `prompts-gpt` CLI after package builds.
+
 ## 0.1.0 (2026-05-16)
 
 Initial release.

package/README.md

@@ -1,147 +1,271 @@
 # @prompts-gpt/client
 
-CLI and SDK for downloading Prompts-GPT prompt packs into a local project and syncing them into agent-readable files for Codex, Cursor, VS Code, and GitHub Copilot.
+CLI and Node.js SDK for syncing [Prompts-GPT](https://prompts-gpt.com) prompt packs into any local project — with first-class integrations for **Codex**, **Cursor**, **VS Code**, and **GitHub Copilot**.
 
-## Quick Start
+---
+
+## Why
+
+AI coding agents work best when they have stable, discoverable instructions inside the repository. This package bridges Prompts-GPT's cloud prompt library with the local files each agent reads:
+
+| Agent | What gets written |
+|-------|-------------------|
+| **Codex** | `AGENTS.md` managed block |
+| **Cursor** | `.cursor/rules/prompts-gpt-*.mdc` |
+| **VS Code** | `.github/copilot-instructions.md` + `.github/instructions/*.instructions.md` + `.vscode/*.code-snippets` |
+| **Copilot** | `.github/prompts/*.prompt.md` |
+
+Prompt Markdown files and a `manifest.json` are always written to `.prompts-gpt/` for discovery.
+
+---
+
+## Quick start
 
 ```bash
-# Initialize with a project token
-npx @prompts-gpt/client init --token <project-token>
+# Run the latest CLI without installing it globally
+npm exec --yes @prompts-gpt/client@latest -- init --token <project-token>
 
-# Sync prompt packs and agent files
-npx @prompts-gpt/client sync --limit 25 --agent all
+# Sync prompt packs + agent files in one command
+npm exec --yes @prompts-gpt/client@latest -- sync --agent all
 
-# Generate a project-aware prompt
-npx @prompts-gpt/client generate --goal "Review this diff" --context "Next.js app" --agent codex,cursor,vscode
+# Generate a project-aware prompt and sync it
+npm exec --yes @prompts-gpt/client@latest -- generate \
+  --goal "Review this diff for security issues" \
+  --context "Node.js API with PostgreSQL" \
+  --agent codex,cursor,vscode
 ```
 
-## Installation
+---
+
+## Install
 
 ```bash
 npm install @prompts-gpt/client
 ```
 
-Or use directly with `npx`:
+If you want a project-local CLI instead of one-off `npm exec` usage, install it as a dev dependency and call the bin from `package.json` scripts:
+
+```json
+{
+  "scripts": {
+    "prompts:sync": "prompts-gpt sync --agent all",
+    "prompts:generate": "prompts-gpt generate --goal \"Review this diff for security issues\" --agent codex"
+  }
+}
+```
+
+Or run directly with `npx` — no install required:
 
 ```bash
-npx @prompts-gpt/client <command>
+npx @prompts-gpt/client@latest <command>
 ```
 
-**Requirements:** Node.js >= 18.18
+**Requires** Node.js 18.18 or later.
+
+---
 
 ## Authentication
 
-Create a project token in the [Prompts-GPT dashboard](https://prompts-gpt.com/dashboard/agents), then initialize:
+Create a project token in the [Prompts-GPT dashboard](https://prompts-gpt.com/dashboard/agents), then:
 
 ```bash
-prompts-gpt init --token pgpt_your_token_here
+prompts-gpt init --token-prompt
 ```
 
-This saves credentials to `.prompts-gpt/.credentials.json` (automatically added to `.gitignore`).
+Credentials are saved to `.prompts-gpt/.credentials.json` with `0600` permissions and automatically added to `.gitignore`.
 
-Alternatively, set the `PROMPTS_GPT_TOKEN` environment variable.
+Project tokens are project-scoped, support separate `Read Prompts` and `Generate Prompts` scopes, and should use the shortest practical expiry for the machine or CI job that needs them.
 
-## CLI Commands
-
-### `init`
-
-Save a project token to the local credentials file.
+For CI/CD or secret-manager pipes, use stdin instead of putting the raw token in shell history:
 
 ```bash
-prompts-gpt init --token <token> [--api-url https://prompts-gpt.com] [--cwd /path/to/repo]
+printf '%s' "$PROMPTS_GPT_TOKEN" | prompts-gpt sync --token-stdin --agent all
 ```
 
-### `pull`
+The importable SDK never reads `process.env` and never captures ambient `globalThis.fetch`. Pass explicit runtime dependencies in code.
+
+---
+
+## CLI reference
 
-Download prompt packs from the library.
+### `init` — Save credentials
 
 ```bash
-prompts-gpt pull [--query "repo audit"] [--category coding] [--tool Codex] [--limit 25] [--out .prompts-gpt] [--overwrite]
+prompts-gpt init (--token <token> | --token-stdin | --token-prompt) [--api-url <url>] [--cwd <path>]
 ```
 
-### `generate`
+Use `--token-prompt` for local interactive setup and `--token-stdin` for CI or secret-manager pipes.
 
-Generate a project-aware prompt via the API.
+### `sync` — Pull + generate + write everything
 
 ```bash
-prompts-gpt generate --goal "Review this diff" [--context "Next.js app"] [--tool Codex] [--agent codex,cursor]
+prompts-gpt sync [--goal "..."] [--limit 25] [--agent all] [--overwrite]
 ```
 
-### `sync`
+The default workflow. Pulls library prompts, optionally generates one, writes Markdown files, agent integration files, and a manifest.
+
+Existing prompt Markdown, Cursor rules, Copilot prompt files, and VS Code snippet files are skipped unless you pass `--overwrite`. Managed Prompts-GPT blocks inside `AGENTS.md` and `.github/copilot-instructions.md` remain idempotent and update in place, and a shared `.github/instructions/prompts-gpt.instructions.md` file teaches Copilot to treat synced artifacts as generated outputs.
 
-Pull library prompts and/or generate a prompt, then write Markdown files, agent integration files, and a manifest.
+### `pull` — Download prompt packs
 
 ```bash
-prompts-gpt sync [--goal "Review this diff"] [--limit 25] [--agent all] [--out .prompts-gpt] [--overwrite]
+prompts-gpt pull [--query "repo audit"] [--category coding] [--tool Codex] [--limit 25] [--overwrite]
 ```
 
-### `install-agents`
+### `generate` — Create a project-aware prompt
 
-Pull prompts and write only the agent integration files (no Markdown).
+```bash
+prompts-gpt generate --goal "Review this diff" [--context "Next.js app"] [--tool Codex] [--agent codex,cursor]
+```
+
+### `install-agents` — Write agent files only
 
 ```bash
 prompts-gpt install-agents [--agent codex,cursor,vscode,copilot]
 ```
 
-### `project`
-
-Print the project name and website from the API.
+### `project` — Print project info
 
 ```bash
 prompts-gpt project
 ```
 
-## Programmatic Usage
+### `version` / `help`
+
+```bash
+prompts-gpt version
+prompts-gpt help
+```
+
+### Common flags
+
+| Flag | Description |
+|------|-------------|
+| `--token <token>` | Project API token |
+| `--token-stdin` | Read the token from stdin |
+| `--token-prompt` | Prompt for the token without echoing it |
+| `--api-url <url>` | Custom API base URL |
+| `--cwd <path>` | Target directory for config and generated files |
+| `--agent <targets>` | Comma-separated: `codex`, `cursor`, `vscode`, `copilot`, or `all` |
+| `--overwrite` | Replace existing files instead of skipping |
+| `--out <dir>` | Output directory (default: `.prompts-gpt`) |
+
+### Supported tools
+
+Codex, Claude Code, Cursor, GitHub Copilot, ChatGPT, Gemini, Perplexity, Grok, DeepSeek, Claude.
+
+---
+
+## Programmatic SDK
 
 ```typescript
-import { PromptsGptClient, syncPrompts } from "@prompts-gpt/client";
+import {
+  DEFAULT_PROMPTS_GPT_API_URL,
+  PromptsGptClient,
+  syncPrompts,
+  writeAgentFiles,
+  formatPromptMarkdown,
+} from "@prompts-gpt/client";
 
 const client = new PromptsGptClient({
-  token: process.env.PROMPTS_GPT_TOKEN,
+  token: "pgpt_your_token_here",
+  apiUrl: DEFAULT_PROMPTS_GPT_API_URL,
+  fetch,
 });
 
 // Fetch project context
 const project = await client.getProject();
-console.log(project.brandName);
+console.log(project.brandName, project.websiteUrl);
 
-// Pull prompt packs
+// Pull prompt packs from the library
 const prompts = await client.pullPrompts({ limit: 10, tool: "Codex" });
 
-// Generate a prompt
+// Generate a project-aware prompt
 const generated = await client.generatePrompt({
   goal: "Review production diffs for security issues",
   context: "Node.js microservice with PostgreSQL",
   tool: "Codex",
 });
 
-// Sync everything to disk
+// Sync everything to disk (Markdown + agent files + manifest)
 const result = await syncPrompts([...prompts, generated], {
   agent: "all",
   overwrite: true,
 });
+
+console.log(`Wrote ${result.markdown.written.length} prompts`);
+console.log(`Synced ${result.agents.written.length} agent files`);
 ```
 
-## Generated Files
+### Runtime requirements
 
-| Target | Files | Description |
-|--------|-------|-------------|
-| Markdown | `.prompts-gpt/*.md` | Prompt packs with YAML frontmatter |
-| Manifest | `.prompts-gpt/manifest.json` | Index for agent discovery |
-| Codex | `AGENTS.md` | Managed block with prompt-pack links |
-| Cursor | `.cursor/rules/prompts-gpt-*.mdc` | Per-prompt rule files |
-| VS Code | `.github/copilot-instructions.md`, `.vscode/*.code-snippets` | Copilot instructions and snippets |
-| Copilot | `.github/prompts/*.prompt.md` | Prompt files for GitHub Copilot |
+- `PromptsGptClient` requires an explicit `fetch` implementation. In Node.js 18.18+ you can pass the built-in `fetch`.
+- The SDK is ESM-only. Use `import`, not `require`.
+- File-writing helpers only write inside the provided project directory and reject path traversal.
 
-## Configuration
+### API methods
 
-| Environment Variable | Description |
-|---------------------|-------------|
-| `PROMPTS_GPT_TOKEN` | Project API token (alternative to `init`) |
-| `PROMPTS_GPT_API_URL` | Custom API base URL for self-hosted instances |
+| Method | Description |
+|--------|-------------|
+| `client.getProject()` | Returns project context (brand, competitors, keywords) |
+| `client.pullPrompts(query?)` | Fetches prompt packs from the library |
+| `client.generatePrompt(input)` | Generates a prompt using project context |
 
-## Error Handling
+### File-writing utilities
 
-The client throws `PromptsGptApiError` for API errors with structured fields:
+| Function | Description |
+|----------|-------------|
+| `syncPrompts(prompts, opts)` | Full sync: Markdown + agents + manifest |
+| `writePromptMarkdownFiles(prompts, opts)` | Write `.md` files only |
+| `writeAgentFiles(prompts, opts)` | Write agent integration files only |
+| `writePromptManifest(prompts, opts)` | Write `manifest.json` only |
+| `formatPromptMarkdown(prompt)` | Render a single prompt as Markdown |
+| `saveLocalCredentials(input)` | Save token to `.prompts-gpt/.credentials.json` |
+| `loadLocalCredentials(cwd?)` | Load saved credentials |
+
+---
+
+## Generated file structure
+
+After running `sync --agent all`, your repository will contain:
+
+```
+.prompts-gpt/
+  manifest.json              # Machine-readable index
+  README.md                  # Human-readable index
+  senior-code-reviewer.md    # Prompt pack (YAML frontmatter + Markdown)
+  ...
+
+AGENTS.md                    # Codex: managed <!-- prompts-gpt:start --> block
+
+.cursor/rules/
+  prompts-gpt-senior-code-reviewer.mdc  # Cursor rule file
+
+.github/
+  copilot-instructions.md   # VS Code / Copilot shared instructions
+  instructions/
+    prompts-gpt.instructions.md  # Copilot path-specific instructions for generated artifacts
+  prompts/
+    prompts-gpt-senior-code-reviewer.prompt.md  # Copilot prompt file
+
+.vscode/
+  prompts-gpt.code-snippets  # VS Code snippets
+```
+
+`manifest.json` includes each prompt's supported agent targets, recommended local path, and generated file locations so downstream tools can discover the synced artifacts without guessing paths.
+
+---
+
+## Environment variables
+
+| Variable | Description |
+|----------|-------------|
+| `PROMPTS_GPT_TOKEN` | Shell variable you can expand into `--token` for CI or local scripts |
+| `PROMPTS_GPT_API_URL` | Shell variable you can expand into `--api-url` for self-hosted instances |
+
+---
+
+## Error handling
 
 ```typescript
 import { PromptsGptApiError } from "@prompts-gpt/client";
@@ -150,22 +274,73 @@ try {
   await client.pullPrompts();
 } catch (error) {
   if (error instanceof PromptsGptApiError) {
-    console.error(error.message);   // Human-readable message
-    console.error(error.code);      // Machine-readable code (e.g. AUTH_ERROR)
-    console.error(error.status);    // HTTP status code
-    console.error(error.recovery);  // Suggested fix
+    console.error(error.message);    // Human-readable message
+    console.error(error.code);       // Machine-readable code
+    console.error(error.status);     // HTTP status (e.g. 401, 429)
+    console.error(error.recovery);   // Suggested fix
   }
 }
 ```
 
+**Error codes:** `AUTH_ERROR`, `VALIDATION_ERROR`, `RATE_LIMIT_ERROR`, `TIMEOUT`, `NETWORK_ERROR`, `INVALID_RESPONSE`, `MISSING_FETCH`.
+
+The client automatically retries on `429`, `502`, `503`, and `504` responses with exponential backoff and jitter.
+
+SDK responses include `X-Request-Id` plus rate-limit headers so CLI errors can be correlated with one server-side request path during support or incident triage.
+
+---
+
+## CI/CD usage
+
+```yaml
+# GitHub Actions example
+- name: Sync Prompts-GPT agent files
+  env:
+    PROMPTS_GPT_TOKEN: ${{ secrets.PROMPTS_GPT_TOKEN }}
+  run: npm exec --yes @prompts-gpt/client@latest -- sync --token "$PROMPTS_GPT_TOKEN" --agent all --overwrite
+```
+
+Use `npm exec` here so the job always resolves the package bin explicitly and does not depend on a preinstalled global CLI.
+
+---
+
+## Package contents
+
+The published tarball includes:
+
+- `dist/` ESM JavaScript, source maps, and `.d.ts` files
+- `README.md`
+- `CHANGELOG.md`
+- `LICENSE`
+- `package.json`
+
+This package intentionally does not publish source TypeScript, test fixtures, or local credential files.
+
+Before publishing a new release, run:
+
+```bash
+TMPDIR=/private/tmp npm_config_cache=/private/tmp/prompts-gpt-npm-cache npm pack --dry-run
+```
+
+That verifies the `files` whitelist, the generated `dist/` output, and the executable mode on `dist/cli.js` without mutating the real npm cache.
+
+Publish with the default npm flow unless the release runs inside a provider that supports npm provenance attestation. If you want provenance, enable it explicitly in that CI job instead of forcing it in `package.json`.
+
+---
+
 ## Security
 
-- Credentials are stored with `0600` file permissions
-- Tokens are validated to start with the `pgpt_` prefix before sending
-- HTTPS is enforced in production
-- Path traversal is blocked for all file writes
-- Project context sent to `generate` is ephemeral and not persisted
+- Credentials stored with `0600` file permissions (owner read/write only)
+- Token prefix (`pgpt_`) validated before any network request
+- HTTPS enforced in production
+- Response content-type validated before JSON parsing
+- Path traversal blocked for all file writes
+- Control characters sanitized from CLI output
+- Retry delays capped to prevent abuse via `retry-after`
+- Context sent to `generate` is ephemeral — never persisted server-side
+
+---
 
 ## License
 
-MIT
+[MIT](./LICENSE)