@prompts-gpt/client 0.2.2 → 0.2.4

package/LICENSE

@@ -1,21 +1,75 @@
-MIT License
-
-Copyright (c) 2026 Prompts-GPT
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Prompts-GPT Source Available License
+Version 1.0 — Effective 2026
+
+Copyright (c) 2026 Prompts-GPT. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person or organization
+("Licensee") obtaining a copy of this software and associated documentation
+files (the "Software"), to use the Software for personal and commercial
+purposes, subject to the following conditions:
+
+1. GRANT OF LICENSE
+
+   Licensee may:
+
+   a) Use the Software without restriction for personal projects,
+      commercial products, internal development, CI/CD pipelines,
+      and production deployments.
+
+   b) Install the Software in any number of environments.
+
+2. RESTRICTIONS
+
+   Licensee shall NOT:
+
+   a) Redistribute the Software, in whole or in part, as a standalone
+      package, download, or bundled component of another software
+      distribution system.
+
+   b) Modify, adapt, translate, reverse engineer, decompile, or
+      create derivative works of the Software's source code or
+      compiled artifacts.
+
+   c) Sublicense, rent, lease, sell, or otherwise transfer the
+      Software or rights to it to any third party.
+
+   d) Remove, alter, or obscure any proprietary notices, attribution
+      markers, or license text embedded in the Software.
+
+   e) Use the Software to build a competing prompt management
+      platform, agent orchestration service, or equivalent product.
+
+3. ATTRIBUTION
+
+   Build artifacts and runtime telemetry may contain account attribution
+   metadata. Tampering with or removing attribution data is prohibited.
+
+4. INTELLECTUAL PROPERTY
+
+   The Software is and remains the exclusive property of Prompts-GPT.
+   No title or ownership is transferred to Licensee.
+
+5. WARRANTY DISCLAIMER
+
+   THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+   OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
+   NONINFRINGEMENT.
+
+6. LIMITATION OF LIABILITY
+
+   IN NO EVENT SHALL PROMPTS-GPT BE LIABLE FOR ANY INDIRECT,
+   INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING
+   OUT OF THE USE OR INABILITY TO USE THE SOFTWARE.
+
+7. TERMINATION
+
+   This license terminates automatically if Licensee breaches any
+   term. Upon termination, Licensee must stop using the Software.
+
+8. GOVERNING LAW
+
+   This agreement is governed by the laws of the State of Delaware,
+   USA, without regard to conflict of laws principles.
+
+For licensing inquiries: licensing@prompts-gpt.com

package/README.md

@@ -1,346 +1,173 @@
 # @prompts-gpt/client
 
-CLI and Node.js SDK for syncing [Prompts-GPT](https://prompts-gpt.com) prompt packs into any local project — with first-class integrations for **Codex**, **Cursor**, **VS Code**, and **GitHub Copilot**.
+CLI and SDK for syncing [Prompts-GPT](https://prompts-gpt.com) prompt packs into any project — with integrations for **Codex**, **Claude Code**, **Cursor**, **VS Code**, **GitHub Copilot**, **Continue**, **Gemini CLI**, **Windsurf**, **Cline**, **Junie**, and **Amp**.
 
 ---
 
-## Why
-
-AI coding agents work best when they have stable, discoverable instructions inside the repository. This package bridges Prompts-GPT's cloud prompt library with the local files each agent reads:
-
-| Agent | What gets written |
-|-------|-------------------|
-| **Codex** | `AGENTS.md` managed block |
-| **Cursor** | `.cursor/rules/prompts-gpt-*.mdc` |
-| **VS Code** | `.github/copilot-instructions.md` + `.github/instructions/*.instructions.md` + `.vscode/*.code-snippets` |
-| **Copilot** | `.github/prompts/*.prompt.md` |
-
-Prompt Markdown files and a `manifest.json` are always written to `.prompts-gpt/` for discovery.
-
----
-
-## Quick start
+## Get Started
 
 ```bash
-# Run the latest CLI without installing it globally
-npm exec --yes @prompts-gpt/client@latest -- init --token <project-token>
-
-# Sync prompt packs + agent files in one command
-npm exec --yes @prompts-gpt/client@latest -- sync --agent all
+# Install
+npm install -D @prompts-gpt/client
 
-# Generate a project-aware prompt and sync it
-npm exec --yes @prompts-gpt/client@latest -- generate \
-  --goal "Review this diff for security issues" \
-  --context "Node.js API with PostgreSQL" \
-  --agent codex,cursor,vscode
+# Interactive setup — handles credentials, config, and shows runnable commands
+npx prompts-gpt quickstart
 ```
 
----
-
-## Install
+Or step by step:
 
 ```bash
-npm install @prompts-gpt/client
+npx prompts-gpt init                  # save your project token (prompts interactively)
+npx prompts-gpt sync                  # pull prompts and write agent files
+npx prompts-gpt list                  # see what's available
+npx prompts-gpt run                   # execute a single prompt
+npx prompts-gpt sweep                 # run a multi-iteration sweep
 ```
 
-If you want a project-local CLI instead of one-off `npm exec` usage, install it as a dev dependency and call the bin from `package.json` scripts:
-
-```json
-{
-  "scripts": {
-    "prompts:sync": "prompts-gpt sync --agent all",
-    "prompts:generate": "prompts-gpt generate --goal \"Review this diff for security issues\" --agent codex"
-  }
-}
-```
-
-Or run directly with `npx` — no install required:
-
-```bash
-npx @prompts-gpt/client@latest <command>
-```
-
-**Requires** Node.js 18.18 or later.
+**Requires** Node.js 18.18+.
 
 ---
 
-## Authentication
+## What It Does
 
-Create a project token in the [Prompts-GPT dashboard](https://prompts-gpt.com/dashboard/agents), then:
+Bridges the Prompts-GPT cloud library with the agent instruction files each tool reads:
 
-```bash
-prompts-gpt init --token-prompt
-```
-
-Credentials are saved to `.prompts-gpt/.credentials.json` with `0600` permissions and automatically added to `.gitignore`.
+| Agent | Written files |
+|-------|--------------|
+| Codex | `AGENTS.md` |
+| Claude Code | `CLAUDE.md` |
+| Cursor | `.cursor/rules/*.mdc` + `.cursor/commands/*.md` |
+| VS Code | `.github/copilot-instructions.md` + `.vscode/*.code-snippets` |
+| Copilot | `.github/prompts/*.prompt.md` |
+| Continue | `.continue/rules/*.md` |
+| Gemini CLI | `GEMINI.md` |
+| Windsurf | `.windsurf/rules/*.md` |
+| Cline | `.clinerules/*.md` |
+| Junie | `.junie/guidelines.md` |
+| Amp | `AGENT.md` |
 
-Project tokens are project-scoped, support separate `Read Prompts` and `Generate Prompts` scopes, and should use the shortest practical expiry for the machine or CI job that needs them.
-
-For CI/CD or secret-manager pipes, use stdin instead of putting the raw token in shell history:
+---
 
-```bash
-printf '%s' "$PROMPTS_GPT_TOKEN" | prompts-gpt sync --token-stdin --agent all
-```
+## Important Use Notes
 
-The importable SDK never reads `process.env` and never captures ambient `globalThis.fetch`. Pass explicit runtime dependencies in code.
+- `@prompts-gpt/client` is the published npm package. If you see examples that reference internal app modules such as `lib/sdk`, those are app-internal examples, not the public package import path.
+- Local orchestration can send prompt text, code context, and repository files to third-party model providers and agent CLIs. Review each provider's terms, privacy settings, and permitted automation paths before using private or regulated data.
+- Run artifacts are written locally and can include prompts, model output, logs, and worktree snapshots. Treat `.scripts/runs` as sensitive and do not commit or share it casually.
 
 ---
 
-## CLI reference
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `quickstart` | Interactive setup — credentials, config, and first run |
+| `init` | Save project token (prompts interactively if no flags given) |
+| `setup` | Scaffold local orchestration config |
+| `sync` | Pull + generate + write agent files |
+| `pull` | Download prompt packs as Markdown files |
+| `generate` | Generate a prompt pack from a goal |
+| `load-config` | Pull full config from Prompts Studio |
+| `run` | Execute one prompt with a local agent (`-f <file>`) |
+| `run-batch` | Execute multiple prompts |
+| `sweep` | Multi-iteration execution (`-f <file> -n <count>`) |
+| `list` | Show prompts, sweeps, agents |
+| `status` | Show workspace readiness |
+| `providers` | Show detected CLIs |
+| `doctor` | Validate prerequisites |
+| `validate` | Check config for errors |
+| `project` | Show the current project linked to the token |
+
+Run `prompts-gpt help <command>` for detailed options.
 
-### `init` — Save credentials
-
-```bash
-prompts-gpt init (--token <token> | --token-stdin | --token-prompt) [--api-url <url>] [--cwd <path>]
-```
-
-Use `--token-prompt` for local interactive setup and `--token-stdin` for CI or secret-manager pipes.
+---
 
-### `sync` — Pull + generate + write everything
+## Examples
 
 ```bash
-prompts-gpt sync [--goal "..."] [--limit 25] [--agent all] [--overwrite]
-```
-
-The default workflow. Pulls library prompts, optionally generates one, writes Markdown files, agent integration files, and a manifest.
+# Run a single prompt (auto-selects if only one exists)
+prompts-gpt run -f .prompts-gpt/review.md --agent cursor
 
-Existing prompt Markdown, Cursor rules, Copilot prompt files, and VS Code snippet files are skipped unless you pass `--overwrite`. Managed Prompts-GPT blocks inside `AGENTS.md` and `.github/copilot-instructions.md` remain idempotent and update in place, and a shared `.github/instructions/prompts-gpt.instructions.md` file teaches Copilot to treat synced artifacts as generated outputs.
+# Run a sweep (auto-detects local sweeps, reads iterations from frontmatter)
+prompts-gpt sweep
+prompts-gpt sweep -f .prompts-gpt/sweeps/design.md -n 5
 
-### `pull` — Download prompt packs
+# Preview what a sweep would do
+prompts-gpt sweep --dry-run
 
-```bash
-prompts-gpt pull [--query "repo audit"] [--category coding] [--tool Codex] [--limit 25] [--overwrite]
-```
+# Sync from cloud
+prompts-gpt sync --agent all
 
-### `generate` — Create a project-aware prompt
+# Generate a prompt pack from a goal
+prompts-gpt generate --goal "Review PRs for security issues" --sync-agents
 
-```bash
-prompts-gpt generate --goal "Review this diff" [--context "Next.js app"] [--tool Codex] [--agent codex,cursor]
-```
-
-### `install-agents` — Write agent files only
-
-```bash
-prompts-gpt install-agents [--agent codex,cursor,vscode,copilot]
+# CI/CD — pipe token from secret
+printf '%s' "$PROMPTS_GPT_TOKEN" | prompts-gpt sync --token-stdin --agent all
 ```
 
-### `project` — Print project info
+---
 
-```bash
-prompts-gpt project
-```
+## Configuration
 
-### `version` / `help`
+Create `.prompts-gpt/config.json` via `prompts-gpt setup`, or manually:
 
-```bash
-prompts-gpt version
-prompts-gpt help
+```json
+{
+  "providerOrder": ["codex", "cursor", "claude", "copilot"],
+  "defaultAgent": "router",
+  "timeoutSeconds": 900,
+  "artifactsDir": ".scripts/runs"
+}
 ```
 
-### Common flags
-
-| Flag | Description |
-|------|-------------|
-| `--token <token>` | Project API token |
-| `--token-stdin` | Read the token from stdin |
-| `--token-prompt` | Prompt for the token without echoing it |
-| `--api-url <url>` | Custom API base URL |
-| `--cwd <path>` | Target directory for config and generated files |
-| `--agent <targets>` | Comma-separated: `codex`, `cursor`, `vscode`, `copilot`, or `all` |
-| `--overwrite` | Replace existing files instead of skipping |
-| `--out <dir>` | Output directory (default: `.prompts-gpt`) |
-
-### Supported tools
-
-Codex, Claude Code, Cursor, GitHub Copilot, ChatGPT, Gemini, Perplexity, Grok, DeepSeek, Claude.
+All options can be overridden via environment variables. See `prompts-gpt help setup`.
 
 ---
 
-## Programmatic SDK
+## SDK
 
 ```typescript
-import {
-  DEFAULT_PROMPTS_GPT_API_URL,
-  PromptsGptClient,
-  syncPrompts,
-  writeAgentFiles,
-  formatPromptMarkdown,
-} from "@prompts-gpt/client";
+import { PromptsGptClient, syncPrompts } from "@prompts-gpt/client";
 
 const client = new PromptsGptClient({
-  token: "pgpt_your_token_here",
-  apiUrl: DEFAULT_PROMPTS_GPT_API_URL,
+  token: "pgpt_your_token",
+  apiUrl: "https://prompts-gpt.com",
   fetch,
 });
 
-// Fetch project context
-const project = await client.getProject();
-console.log(project.brandName, project.websiteUrl);
-
-// Pull prompt packs from the library
-const prompts = await client.pullPrompts({ limit: 10, tool: "Codex" });
-
-// Generate a project-aware prompt
-const generated = await client.generatePrompt({
-  goal: "Review production diffs for security issues",
-  context: "Node.js microservice with PostgreSQL",
-  tool: "Codex",
-});
-
-// Sync everything to disk (Markdown + agent files + manifest)
-const result = await syncPrompts([...prompts, generated], {
-  agent: "all",
-  overwrite: true,
-});
-
-console.log(`Wrote ${result.markdown.written.length} prompts`);
-console.log(`Synced ${result.agents.written.length} agent files`);
-```
-
-### Runtime requirements
-
-- `PromptsGptClient` requires an explicit `fetch` implementation. In Node.js 18.18+ you can pass the built-in `fetch`.
-- The SDK is ESM-only. Use `import`, not `require`.
-- File-writing helpers only write inside the provided project directory and reject path traversal.
-
-### API methods
-
-| Method | Description |
-|--------|-------------|
-| `client.getProject()` | Returns project context (brand, competitors, keywords) |
-| `client.pullPrompts(query?)` | Fetches prompt packs from the library |
-| `client.generatePrompt(input)` | Generates a prompt using project context |
-
-### File-writing utilities
-
-| Function | Description |
-|----------|-------------|
-| `syncPrompts(prompts, opts)` | Full sync: Markdown + agents + manifest |
-| `writePromptMarkdownFiles(prompts, opts)` | Write `.md` files only |
-| `writeAgentFiles(prompts, opts)` | Write agent integration files only |
-| `writePromptManifest(prompts, opts)` | Write `manifest.json` only |
-| `formatPromptMarkdown(prompt)` | Render a single prompt as Markdown |
-| `saveLocalCredentials(input)` | Save token to `.prompts-gpt/.credentials.json` |
-| `loadLocalCredentials(cwd?)` | Load saved credentials |
-
----
-
-## Generated file structure
-
-After running `sync --agent all`, your repository will contain:
-
-```
-.prompts-gpt/
-  manifest.json              # Machine-readable index
-  README.md                  # Human-readable index
-  senior-code-reviewer.md    # Prompt pack (YAML frontmatter + Markdown)
-  ...
-
-AGENTS.md                    # Codex: managed <!-- prompts-gpt:start --> block
-
-.cursor/rules/
-  prompts-gpt-senior-code-reviewer.mdc  # Cursor rule file
-
-.github/
-  copilot-instructions.md   # VS Code / Copilot shared instructions
-  instructions/
-    prompts-gpt.instructions.md  # Copilot path-specific instructions for generated artifacts
-  prompts/
-    prompts-gpt-senior-code-reviewer.prompt.md  # Copilot prompt file
-
-.vscode/
-  prompts-gpt.code-snippets  # VS Code snippets
-```
-
-`manifest.json` includes each prompt's supported agent targets, recommended local path, and generated file locations so downstream tools can discover the synced artifacts without guessing paths.
-
----
-
-## Environment variables
-
-| Variable | Description |
-|----------|-------------|
-| `PROMPTS_GPT_TOKEN` | Shell variable you can expand into `--token` for CI or local scripts |
-| `PROMPTS_GPT_API_URL` | Shell variable you can expand into `--api-url` for self-hosted instances |
-
----
-
-## Error handling
-
-```typescript
-import { PromptsGptApiError } from "@prompts-gpt/client";
-
-try {
-  await client.pullPrompts();
-} catch (error) {
-  if (error instanceof PromptsGptApiError) {
-    console.error(error.message);    // Human-readable message
-    console.error(error.code);       // Machine-readable code
-    console.error(error.status);     // HTTP status (e.g. 401, 429)
-    console.error(error.recovery);   // Suggested fix
-  }
-}
+const prompts = await client.pullPrompts();
+await syncPrompts(prompts, { agent: "all" });
 ```
 
-**Error codes:** `AUTH_ERROR`, `VALIDATION_ERROR`, `RATE_LIMIT_ERROR`, `TIMEOUT`, `NETWORK_ERROR`, `INVALID_RESPONSE`, `MISSING_FETCH`.
-
-The client automatically retries on `429`, `502`, `503`, and `504` responses with exponential backoff and jitter.
-
-SDK responses include `X-Request-Id` plus rate-limit headers so CLI errors can be correlated with one server-side request path during support or incident triage.
-
 ---
 
-## CI/CD usage
+## Data Privacy
 
-```yaml
-# GitHub Actions example
-- name: Sync Prompts-GPT agent files
-  env:
-    PROMPTS_GPT_TOKEN: ${{ secrets.PROMPTS_GPT_TOKEN }}
-  run: npm exec --yes @prompts-gpt/client@latest -- sync --token "$PROMPTS_GPT_TOKEN" --agent all --overwrite
-```
+**What stays local:**
+- `.prompts-gpt/*.md` prompt files are written locally
+- Agent files (`AGENTS.md`, `.cursor/rules/`, etc.) are updated locally
+- Run artifacts (`.scripts/runs/`) including logs, diffs, and summaries stay local
+- No local files, repo content, or uncommitted changes are uploaded
 
-Use `npm exec` here so the job always resolves the package bin explicitly and does not depend on a preinstalled global CLI.
+**What is sent to prompts-gpt.com:**
+- `prompts-gpt generate --goal ...` — the text you explicitly pass via `--goal`, `--context`, and `--constraints` flags is sent to the API for AI-powered prompt generation
+- `prompts-gpt sync --goal ...` — same as above when `--goal` is used
+- `prompts-gpt pull` / `sync` / `load-config` — your project token is sent to authenticate and download prompts from your library
 
----
-
-## Package contents
-
-The published tarball includes:
-
-- `dist/` ESM JavaScript, source maps, and `.d.ts` files
-- `README.md`
-- `CHANGELOG.md`
-- `LICENSE`
-- `package.json`
-
-This package intentionally does not publish source TypeScript, test fixtures, or local credential files.
-
-Before publishing a new release, run:
-
-```bash
-TMPDIR=/private/tmp npm_config_cache=/private/tmp/prompts-gpt-npm-cache npm pack --dry-run
-```
-
-That verifies the `files` whitelist, the generated `dist/` output, and the executable mode on `dist/cli.js` without mutating the real npm cache.
-
-Publish with the default npm flow unless the release runs inside a provider that supports npm provenance attestation. If you want provenance, enable it explicitly in that CI job instead of forcing it in `package.json`.
-
----
+**Do not include PII, secrets, or confidential data** in `--goal`, `--context`, or `--constraints` flags. Use `--dry-run` with `sync` to preview what would be sent.
 
 ## Security
 
-- Credentials stored with `0600` file permissions (owner read/write only)
-- Token prefix (`pgpt_`) validated before any network request
-- HTTPS enforced in production
-- Response content-type validated before JSON parsing
+- Credentials stored with `0600` permissions
+- Credentials added to `.gitignore`
+- Token prefix (`pgpt_`) validated before requests
+- HTTPS enforced for non-localhost
 - Path traversal blocked for all file writes
-- Control characters sanitized from CLI output
-- Retry delays capped to prevent abuse via `retry-after`
-- Context sent to `generate` is ephemeral — never persisted server-side
+- Secret patterns (`pgpt_`, `sk-`, `ghp_`) are redacted from API-bound input, command previews, and error output
+- SIGINT/SIGTERM cleanup releases locks
+- Run artifact directories are intended to stay local and may contain sensitive prompt, output, and diff data
 
 ---
 
 ## License
 
-[MIT](./LICENSE)
+[Prompts-GPT Source Available License](./LICENSE) — free for personal and commercial use. Redistribution and modification of the package are not permitted.