@roleplay-sh/cli 0.1.1

package/.env.example

@@ -0,0 +1,12 @@
+# Optional agent credentials used by your own HTTP/CLI target.
+AGENT_API_KEY=
+
+# Team Cloud upload settings.
+ROLEPLAY_CLOUD_URL=https://app.roleplay.sh
+ROLEPLAY_PROJECT_ID=
+ROLEPLAY_API_KEY=
+ROLEPLAY_AGENT_NAME=
+
+# Built-in social-engineering-core target. Set exactly one for CI.
+ROLEPLAY_TARGET_URL=http://localhost:3000/agent
+ROLEPLAY_TARGET_COMMAND=

package/CHANGELOG.md

@@ -0,0 +1,31 @@
+# Changelog
+
+All notable changes to roleplay.sh will be documented in this file.
+
+This project follows semantic versioning after the public `0.1.0` release.
+
+## 0.1.0 - 2026-05-17
+
+### Added
+
+- Initial `roleplay` CLI.
+- Scenario YAML validation with Zod.
+- HTTP, CLI, and mock target adapters.
+- Mock and OpenAI roleplayed-user providers.
+- Mock and OpenAI judge implementations.
+- Local run storage under `.roleplay/runs`.
+- JSON and Markdown report generation.
+- `init`, `scenario:create`, `run`, `report`, `replay`, `list`, `doctor`, `redteam`, and experimental `mcp` commands.
+- Example agents and scenarios.
+- Vitest test suite, linting, strict TypeScript, tsup build, CI, and npm publish workflow.
+- Package smoke test that verifies tarball contents and installed CLI behavior.
+- Failed-run artifact persistence for target/provider/judge errors.
+- Safer CLI target execution defaults and explicit `shell: true` opt-in.
+- Red-team target validation and optional `--save` for generated scenarios.
+- HTTP target diagnostics for text responses, missing fields, and timeouts.
+
+### Notes
+
+- MCP support is a roadmap stub in this release.
+- Mock provider and mock judge are the stable path for first local usage.
+- OpenAI mode requires `OPENAI_API_KEY` and should be treated as experimental until more live usage is collected.

package/CONTRIBUTING.md

@@ -0,0 +1,25 @@
+# Contributing
+
+Thanks for helping improve roleplay.sh.
+
+## Development
+
+```bash
+corepack enable
+pnpm install
+pnpm test
+pnpm build
+```
+
+Use mock providers for tests and examples unless you are intentionally testing OpenAI integration.
+
+## Pull requests
+
+- Keep changes focused.
+- Add tests for behavior changes.
+- Run `pnpm lint`, `pnpm typecheck`, `pnpm test`, and `pnpm build`.
+- Do not commit secrets, `.env`, or generated run artifacts.
+
+## Security
+
+Scenarios and transcripts can contain sensitive data. Avoid pasting real customer data into issues or pull requests.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 roleplay.sh contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,102 @@
+# roleplay.sh CLI
+
+Social-engineering regression tests for AI agents.
+
+`roleplay` runs adversarial roleplay scenarios against local, HTTP, CLI, or mock agents, records replayable evidence, and can upload sanitized findings to Team Cloud.
+
+## Install
+
+```bash
+npm install -g @roleplay-sh/cli
+```
+
+Or run without installing:
+
+```bash
+npx @roleplay-sh/cli --help
+```
+
+## Quickstart
+
+```bash
+roleplay init
+roleplay run social-engineering-core --target mock --fail-on critical
+roleplay report latest
+roleplay replay latest
+```
+
+## Test A Local Agent
+
+HTTP target:
+
+```bash
+roleplay run social-engineering-core \
+  --target http://localhost:3000/agent \
+  --fail-on critical
+```
+
+CLI target:
+
+```bash
+roleplay run social-engineering-core \
+  --target-command "node ./agent.js" \
+  --fail-on critical \
+  --yes
+```
+
+## Upload Sanitized Findings To Team Cloud
+
+Create a project and API key in Team Cloud at `https://app.roleplay.sh`, then run:
+
+```bash
+ROLEPLAY_CLOUD_URL=https://app.roleplay.sh \
+ROLEPLAY_PROJECT_ID=<project-id> \
+ROLEPLAY_API_KEY=<project-api-key> \
+roleplay upload all --mode sanitized_findings --source ci
+```
+
+Sanitized upload is the default. Full transcripts, raw scenario YAML, and local metadata stay in your environment unless full transcript upload is explicitly enabled by project policy and CLI mode.
+
+## Commands
+
+- `roleplay init` creates local config and starter scenarios.
+- `roleplay run` runs a scenario file or built-in attack pack.
+- `roleplay report` prints a saved run report.
+- `roleplay replay` replays transcript evidence.
+- `roleplay upload` uploads sanitized findings to Team Cloud.
+- `roleplay list` lists local runs.
+- `roleplay doctor` checks local and Cloud configuration.
+- `roleplay mcp` exposes roleplay.sh through MCP.
+
+## CI Example
+
+```yaml
+- name: Run roleplay.sh attack pack
+  run: pnpm dlx @roleplay-sh/cli run social-engineering-core --fail-on critical
+  env:
+    ROLEPLAY_TARGET_URL: ${{ secrets.ROLEPLAY_TARGET_URL }}
+
+- name: Upload sanitized findings
+  if: always()
+  run: pnpm dlx @roleplay-sh/cli upload all --source ci --mode sanitized_findings
+  env:
+    ROLEPLAY_CLOUD_URL: https://app.roleplay.sh
+    ROLEPLAY_PROJECT_ID: ${{ secrets.ROLEPLAY_PROJECT_ID }}
+    ROLEPLAY_API_KEY: ${{ secrets.ROLEPLAY_API_KEY }}
+```
+
+## Development
+
+```bash
+corepack enable
+corepack pnpm install
+corepack pnpm lint
+corepack pnpm typecheck
+corepack pnpm vitest run --testTimeout=60000
+corepack pnpm build
+corepack pnpm package:smoke
+```
+
+## License
+
+MIT

package/RELEASE.md

@@ -0,0 +1,61 @@
+# Release Guide
+
+This repository publishes the standalone `@roleplay-sh/cli` npm package.
+
+## Preflight
+
+```bash
+corepack pnpm install --frozen-lockfile
+corepack pnpm lint
+corepack pnpm typecheck
+corepack pnpm vitest run --testTimeout=60000
+corepack pnpm build
+corepack pnpm package:smoke
+```
+
+## npm Trusted Publishing
+
+Configure npm Trusted Publishing for:
+
+- Package: `@roleplay-sh/cli`
+- Owner: `roleplay-sh`
+- Repository: `cli`
+- Workflow file: `publish.yml`
+
+The publish workflow uses GitHub OIDC and intentionally does not require an npm token.
+
+## Publish
+
+Create a GitHub release or push a version tag:
+
+```bash
+git tag v0.1.1
+git push origin v0.1.1
+```
+
+The publish workflow runs checks and then publishes with:
+
+```bash
+pnpm publish --access public --no-git-checks
+```
+
+## Verify
+
+```bash
+npm view @roleplay-sh/cli version
+npm install -g @roleplay-sh/cli
+roleplay --help
+roleplay init
+roleplay run social-engineering-core --target mock --fail-on critical
+roleplay report latest
+roleplay replay latest
+```
+
+For Team Cloud upload verification, create a project API key at `https://app.roleplay.sh` and run:
+
+```bash
+ROLEPLAY_CLOUD_URL=https://app.roleplay.sh \
+ROLEPLAY_PROJECT_ID=<project-id> \
+ROLEPLAY_API_KEY=<project-api-key> \
+roleplay upload all --mode sanitized_findings
+```

package/SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+roleplay.sh is pre-1.0. Security fixes will be released on the latest published minor version.
+
+## Reporting A Vulnerability
+
+Please report security issues privately by opening a GitHub security advisory for the repository, or by emailing the project maintainers once a public security contact is listed.
+
+Do not include real API keys, customer data, private prompts, transcripts, or production scenario files in public issues.
+
+## Data Handling
+
+roleplay.sh stores runs locally under `.roleplay/runs`. Scenario files, hidden context, transcripts, and reports may contain sensitive information.
+
+When using OpenAI providers or judges, scenario data and transcripts are sent to the external provider. Use `--provider mock --judge mock` for local-only testing.
+
+## CLI Target Execution
+
+CLI target scenarios can execute local commands. roleplay.sh requires `--yes` before running CLI targets in automated workflows. By default, commands run without a shell; scenario authors must opt into `shell: true` when shell behavior is required. Review scenario files before running commands from untrusted sources.
+
+## Secrets
+
+roleplay.sh attempts to redact common secret-like values from output and reports. Redaction is best effort. Treat `.env`, scenario hidden context, and generated reports as sensitive by default.

package/dist/cli.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node