@shipwellapp/cli 0.1.0

package/README.md

@@ -0,0 +1,65 @@
+# @shipwell/cli
+
+Command-line interface for Shipwell. Run deep codebase analysis from your terminal.
+
+## Usage
+
+```bash
+# Build
+pnpm build
+
+# Run
+node dist/index.js <operation> <source> [options]
+```
+
+## Operations
+
+```bash
+# Security audit
+shipwell audit ./my-repo
+
+# Migration plan (specify target)
+shipwell migrate ./my-repo --target "React 19"
+
+# Refactor analysis
+shipwell refactor ./my-repo
+
+# Generate documentation
+shipwell docs ./my-repo
+
+# Dependency upgrade plan
+shipwell upgrade ./my-repo
+```
+
+## Options
+
+```
+-k, --api-key <key>      Anthropic API key (or set ANTHROPIC_API_KEY)
+-m, --model <model>      Claude model (or set SHIPWELL_MODEL)
+-t, --target <target>    Migration target (for migrate operation)
+-c, --context <context>  Additional context for analysis
+-r, --raw                Also print raw streaming output
+-h, --help               Display help
+```
+
+## Output
+
+The CLI displays:
+
+1. **Ingestion stats** — files read, tokens estimated, files skipped
+2. **Bundle stats** — files included in the analysis
+3. **Live progress** — finding/metric count updates during analysis
+4. **Findings** — numbered list with severity badges, descriptions, affected files
+5. **Metrics** — before/after comparisons with color-coded values
+6. **Summary** — overall analysis summary
+
+Severity levels are color-coded: `CRITICAL` (red), `HIGH` (orange), `MEDIUM` (yellow), `LOW` (blue), `INFO` (dim).
+
+Cross-file issues are marked with `⟷ cross-file`.
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `ANTHROPIC_API_KEY` | Anthropic API key (required if not using --api-key) |
+| `SHIPWELL_MODEL` | Default model (default: claude-sonnet-4-5-20250929) |

package/dist/index.js

@@ -0,0 +1,898 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/analyze.ts
+import ora from "ora";
+import chalk from "chalk";
+
+// ../../packages/core/dist/models.js
+var AVAILABLE_MODELS = [
+  { id: "claude-sonnet-4-5-20250929", label: "Claude Sonnet 4.5", contextWindow: 2e5, default: true },
+  { id: "claude-opus-4-6", label: "Claude Opus 4.6", contextWindow: 2e5 },
+  { id: "claude-haiku-4-5-20251001", label: "Claude Haiku 4.5", contextWindow: 2e5 }
+];
+var DEFAULT_MODEL = "claude-sonnet-4-5-20250929";
+function getMaxCodebaseTokens(modelId) {
+  const model = AVAILABLE_MODELS.find((m) => m.id === modelId);
+  const contextWindow = model?.contextWindow ?? 2e5;
+  const outputTokens = 16e3;
+  const systemOverhead = 8e3;
+  const safetyMargin = 1e4;
+  return contextWindow - outputTokens - systemOverhead - safetyMargin;
+}
+
+// ../../packages/core/dist/ingest/reader.js
+import { readFile, stat } from "fs/promises";
+import { join } from "path";
+import { simpleGit } from "simple-git";
+import { glob } from "glob";
+
+// ../../packages/core/dist/ingest/filters.js
+import ignore from "ignore";
+var ALWAYS_IGNORE = [
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  ".turbo",
+  "coverage",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".env",
+  ".env.local",
+  "*.lock",
+  "package-lock.json",
+  "pnpm-lock.yaml",
+  "yarn.lock",
+  "*.min.js",
+  "*.min.css",
+  "*.map",
+  "*.woff",
+  "*.woff2",
+  "*.ttf",
+  "*.eot",
+  "*.ico",
+  "*.png",
+  "*.jpg",
+  "*.jpeg",
+  "*.gif",
+  "*.svg",
+  "*.webp",
+  "*.mp4",
+  "*.mp3",
+  "*.pdf",
+  "*.zip",
+  "*.tar.gz",
+  "*.exe",
+  "*.dll",
+  "*.so",
+  "*.dylib",
+  "*.bin",
+  "*.dat",
+  "*.db",
+  "*.sqlite",
+  ".DS_Store",
+  "Thumbs.db"
+];
+var CODE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".pyw",
+  ".rs",
+  ".go",
+  ".java",
+  ".kt",
+  ".kts",
+  ".c",
+  ".cpp",
+  ".cc",
+  ".h",
+  ".hpp",
+  ".cs",
+  ".rb",
+  ".php",
+  ".swift",
+  ".scala",
+  ".clj",
+  ".cljs",
+  ".ex",
+  ".exs",
+  ".hs",
+  ".lua",
+  ".r",
+  ".R",
+  ".sql",
+  ".sh",
+  ".bash",
+  ".zsh",
+  ".html",
+  ".htm",
+  ".css",
+  ".scss",
+  ".sass",
+  ".less",
+  ".vue",
+  ".svelte",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".xml",
+  ".md",
+  ".mdx",
+  ".txt",
+  ".rst",
+  ".dockerfile",
+  ".dockerignore",
+  ".env.example",
+  ".gitignore",
+  ".eslintrc",
+  ".prettierrc",
+  ".graphql",
+  ".gql",
+  ".proto"
+]);
+var LANGUAGE_MAP = {
+  ".ts": "typescript",
+  ".tsx": "tsx",
+  ".js": "javascript",
+  ".jsx": "jsx",
+  ".mjs": "javascript",
+  ".cjs": "javascript",
+  ".py": "python",
+  ".pyw": "python",
+  ".rs": "rust",
+  ".go": "go",
+  ".java": "java",
+  ".kt": "kotlin",
+  ".kts": "kotlin",
+  ".c": "c",
+  ".cpp": "cpp",
+  ".cc": "cpp",
+  ".h": "c",
+  ".hpp": "cpp",
+  ".cs": "csharp",
+  ".rb": "ruby",
+  ".php": "php",
+  ".swift": "swift",
+  ".scala": "scala",
+  ".clj": "clojure",
+  ".cljs": "clojurescript",
+  ".ex": "elixir",
+  ".exs": "elixir",
+  ".hs": "haskell",
+  ".lua": "lua",
+  ".r": "r",
+  ".R": "r",
+  ".sql": "sql",
+  ".sh": "bash",
+  ".bash": "bash",
+  ".zsh": "zsh",
+  ".html": "html",
+  ".htm": "html",
+  ".css": "css",
+  ".scss": "scss",
+  ".sass": "sass",
+  ".less": "less",
+  ".vue": "vue",
+  ".svelte": "svelte",
+  ".json": "json",
+  ".yaml": "yaml",
+  ".yml": "yaml",
+  ".toml": "toml",
+  ".xml": "xml",
+  ".md": "markdown",
+  ".mdx": "mdx",
+  ".txt": "text",
+  ".rst": "rst",
+  ".graphql": "graphql",
+  ".gql": "graphql",
+  ".proto": "protobuf"
+};
+function createFilter(gitignoreContent) {
+  const ig = ignore();
+  ig.add(ALWAYS_IGNORE);
+  if (gitignoreContent) {
+    ig.add(gitignoreContent);
+  }
+  return ig;
+}
+function isCodeFile(filePath) {
+  const lower = filePath.toLowerCase();
+  const basename = lower.split("/").pop() || "";
+  if (basename === "dockerfile" || basename === "makefile" || basename === "rakefile" || basename === "gemfile" || basename === "procfile" || basename === "cmakelists.txt") {
+    return true;
+  }
+  const ext = "." + basename.split(".").slice(1).join(".");
+  if (CODE_EXTENSIONS.has(ext))
+    return true;
+  const lastExt = "." + (basename.split(".").pop() || "");
+  return CODE_EXTENSIONS.has(lastExt);
+}
+function getLanguage(filePath) {
+  const basename = filePath.split("/").pop() || "";
+  const lower = basename.toLowerCase();
+  if (lower === "dockerfile")
+    return "dockerfile";
+  if (lower === "makefile")
+    return "makefile";
+  const ext = "." + (basename.split(".").pop() || "");
+  return LANGUAGE_MAP[ext] || "text";
+}
+
+// ../../packages/core/dist/ingest/tokens.js
+function estimateTokens(text) {
+  return Math.ceil(text.length / 3.2);
+}
+
+// ../../packages/core/dist/ingest/priority.js
+var CONFIG_FILES = /* @__PURE__ */ new Set([
+  "package.json",
+  "tsconfig.json",
+  "next.config.ts",
+  "next.config.js",
+  "next.config.mjs",
+  "vite.config.ts",
+  "vite.config.js",
+  "webpack.config.js",
+  "webpack.config.ts",
+  ".eslintrc.js",
+  ".eslintrc.json",
+  "eslint.config.js",
+  "eslint.config.mjs",
+  "tailwind.config.ts",
+  "tailwind.config.js",
+  "postcss.config.js",
+  "postcss.config.mjs",
+  "cargo.toml",
+  "go.mod",
+  "requirements.txt",
+  "pyproject.toml",
+  "gemfile",
+  "build.gradle",
+  "pom.xml",
+  "cmakelists.txt",
+  "docker-compose.yml",
+  "docker-compose.yaml",
+  "dockerfile",
+  ".env.example",
+  "makefile"
+]);
+var ENTRY_PATTERNS = [
+  /^src\/(index|main|app)\.[tj]sx?$/,
+  /^src\/app\/layout\.[tj]sx?$/,
+  /^src\/app\/page\.[tj]sx?$/,
+  /^src\/pages\/_app\.[tj]sx?$/,
+  /^src\/pages\/index\.[tj]sx?$/,
+  /^app\/layout\.[tj]sx?$/,
+  /^app\/page\.[tj]sx?$/,
+  /^src\/lib\/.*\.[tj]sx?$/,
+  /^lib\/.*\.[tj]sx?$/,
+  /^main\.\w+$/,
+  /^index\.\w+$/
+];
+function getFilePriority(filePath) {
+  const basename = (filePath.split("/").pop() || "").toLowerCase();
+  const normalized = filePath.replace(/\\/g, "/").toLowerCase();
+  if (CONFIG_FILES.has(basename))
+    return 100;
+  for (const pattern of ENTRY_PATTERNS) {
+    if (pattern.test(normalized))
+      return 90;
+  }
+  if (/\/(api|routes?)\//.test(normalized))
+    return 85;
+  if (/middleware\.[tj]sx?$/.test(normalized))
+    return 85;
+  if (/auth/.test(normalized))
+    return 80;
+  if (/^src\//.test(normalized))
+    return 70;
+  if (/components?\//.test(normalized))
+    return 65;
+  if (/hooks?\//.test(normalized))
+    return 60;
+  if (/(utils?|helpers?|lib)\//.test(normalized))
+    return 60;
+  if (/types?\.[tj]s$/.test(normalized))
+    return 55;
+  if (/\.(test|spec)\.[tj]sx?$/.test(normalized))
+    return 30;
+  if (/__(tests?|mocks?)__\//.test(normalized))
+    return 30;
+  if (/\.md$/.test(normalized))
+    return 20;
+  return 50;
+}
+
+// ../../packages/core/dist/ingest/reader.js
+var MAX_FILE_SIZE = 512 * 1024;
+var DEFAULT_MAX_TOKENS = 865e3;
+function isGitHubUrl(source) {
+  return source.startsWith("https://github.com/") || source.startsWith("git@github.com:");
+}
+async function cloneRepo(url) {
+  const tmpDir = join("/tmp", "shipwell-" + Date.now().toString(36));
+  const git = simpleGit();
+  await git.clone(url, tmpDir, ["--depth", "1", "--single-branch"]);
+  return tmpDir;
+}
+async function ingestRepo(options) {
+  const maxTokens = options.maxTokens ?? DEFAULT_MAX_TOKENS;
+  let repoPath;
+  if (isGitHubUrl(options.source)) {
+    repoPath = await cloneRepo(options.source);
+  } else {
+    repoPath = options.source;
+  }
+  let gitignoreContent;
+  try {
+    gitignoreContent = await readFile(join(repoPath, ".gitignore"), "utf-8");
+  } catch {
+  }
+  const filter = createFilter(gitignoreContent);
+  const allFiles = await glob("**/*", {
+    cwd: repoPath,
+    nodir: true,
+    dot: false,
+    absolute: false
+  });
+  const files = [];
+  let skippedFiles = 0;
+  for (const filePath of allFiles) {
+    if (filter.ignores(filePath)) {
+      skippedFiles++;
+      continue;
+    }
+    if (!isCodeFile(filePath)) {
+      skippedFiles++;
+      continue;
+    }
+    const fullPath = join(repoPath, filePath);
+    try {
+      const fileStat = await stat(fullPath);
+      if (fileStat.size > MAX_FILE_SIZE) {
+        skippedFiles++;
+        continue;
+      }
+    } catch {
+      skippedFiles++;
+      continue;
+    }
+    try {
+      const content = await readFile(fullPath, "utf-8");
+      if (content.includes("\0")) {
+        skippedFiles++;
+        continue;
+      }
+      const xmlOverhead = `<file path="${filePath}" language="${getLanguage(filePath)}">
+</file>
+`;
+      const tokens = estimateTokens(content + xmlOverhead);
+      files.push({
+        path: filePath,
+        content,
+        language: getLanguage(filePath),
+        tokens,
+        priority: getFilePriority(filePath)
+      });
+    } catch {
+      skippedFiles++;
+    }
+  }
+  files.sort((a, b) => b.priority - a.priority);
+  let totalTokens = 0;
+  const includedFiles = [];
+  for (const file of files) {
+    if (totalTokens + file.tokens > maxTokens) {
+      skippedFiles++;
+      continue;
+    }
+    totalTokens += file.tokens;
+    includedFiles.push(file);
+  }
+  return {
+    files: includedFiles,
+    totalTokens,
+    totalFiles: includedFiles.length,
+    skippedFiles,
+    repoPath
+  };
+}
+
+// ../../packages/core/dist/ingest/bundler.js
+function bundleCodebase(ingestResult) {
+  const parts = ["<codebase>"];
+  for (const file of ingestResult.files) {
+    parts.push(`<file path="${escapeXmlAttr(file.path)}" language="${file.language}">`);
+    parts.push(file.content);
+    parts.push("</file>");
+  }
+  parts.push("</codebase>");
+  const xml = parts.join("\n");
+  return {
+    xml,
+    totalTokens: estimateTokens(xml),
+    includedFiles: ingestResult.totalFiles,
+    skippedFiles: ingestResult.skippedFiles
+  };
+}
+function escapeXmlAttr(str) {
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+
+// ../../packages/core/dist/engine/client.js
+import Anthropic from "@anthropic-ai/sdk";
+
+// ../../packages/core/dist/prompts/audit.js
+var AUDIT_PROMPT = `Perform a comprehensive SECURITY AUDIT of this codebase.
+
+Focus on:
+1. **Injection vulnerabilities** \u2014 SQL injection, XSS, command injection, path traversal
+2. **Authentication & authorization flaws** \u2014 missing auth checks, insecure session handling, broken access control
+3. **Data exposure** \u2014 hardcoded secrets, sensitive data in logs, unencrypted PII
+4. **Cross-file security issues** \u2014 middleware bypasses, inconsistent validation across endpoints, shared state vulnerabilities
+5. **Dependency risks** \u2014 known vulnerable patterns, insecure configurations
+6. **Cryptographic issues** \u2014 weak algorithms, improper random generation
+7. **API security** \u2014 missing rate limiting, CORS misconfiguration, insecure headers
+
+For each finding:
+- Assign a severity (critical/high/medium/low/info)
+- Explain the attack vector
+- Show the vulnerable code
+- Provide a fixed version as a diff
+- Mark cross-file issues that span multiple files
+
+Provide metrics:
+- Security score (0-100, before and after your suggested fixes)
+- Total vulnerabilities by severity
+- Cross-file issues count`;
+
+// ../../packages/core/dist/prompts/migrate.js
+function getMigratePrompt(target) {
+  return `Perform a comprehensive MIGRATION PLAN for this codebase to ${target}.
+
+Analyze the entire codebase and produce:
+
+1. **Breaking changes** \u2014 identify every usage of deprecated/changed APIs across ALL files
+2. **Migration steps** \u2014 ordered list of changes, grouped by file, with dependencies between steps
+3. **Cross-file impacts** \u2014 changes in one file that require changes in other files (imports, types, shared state)
+4. **Configuration changes** \u2014 package.json, tsconfig, config files that need updating
+5. **Type changes** \u2014 type definitions that need updating and all their downstream consumers
+6. **Test updates** \u2014 tests that will break and how to fix them
+
+For each change:
+- Show exact before/after code as diffs
+- Explain why the change is needed
+- Note if it's a breaking change
+- Mark cross-file dependencies
+
+Provide metrics:
+- Total files requiring changes
+- Breaking changes count
+- Estimated migration completeness (percentage)
+- Cross-file dependency chains identified`;
+}
+
+// ../../packages/core/dist/prompts/refactor.js
+var REFACTOR_PROMPT = `Perform a comprehensive REFACTORING ANALYSIS of this codebase.
+
+Analyze the entire codebase for:
+
+1. **Code duplication** \u2014 identical or near-identical code across files, extract shared utilities
+2. **Architecture issues** \u2014 circular dependencies, god classes/modules, misplaced logic
+3. **Dead code** \u2014 unused exports, unreachable code paths, orphaned files
+4. **Naming inconsistencies** \u2014 inconsistent naming conventions across the codebase
+5. **Type safety gaps** \u2014 any casts, implicit any, missing generics
+6. **Cross-cutting concerns** \u2014 logging, error handling, validation that should be centralized
+7. **Pattern violations** \u2014 deviations from the codebase's own patterns/conventions
+
+For each finding:
+- Show the current code across all affected files
+- Provide refactored code as diffs
+- Explain the improvement and its impact
+- Mark cross-file refactors that touch multiple files
+
+Provide metrics:
+- Code quality score (0-100, before and after)
+- Duplicated code blocks found
+- Dead code instances
+- Cross-file refactoring opportunities`;
+
+// ../../packages/core/dist/prompts/docs.js
+var DOCS_PROMPT = `Generate comprehensive DOCUMENTATION for this codebase.
+
+Analyze the entire codebase and produce:
+
+1. **Architecture overview** \u2014 high-level system diagram description, key components and their relationships
+2. **API documentation** \u2014 all endpoints/functions with parameters, return types, and examples
+3. **Cross-file data flows** \u2014 how data moves through the system, from input to output
+4. **Setup guide** \u2014 environment setup, dependencies, configuration
+5. **Key patterns** \u2014 design patterns used, conventions to follow
+6. **Type reference** \u2014 important interfaces/types and where they're used
+
+For each documentation section:
+- Reference specific files and line numbers
+- Include code examples from the actual codebase
+- Mark cross-file relationships and data flows
+- Note any undocumented or confusing areas
+
+Provide metrics:
+- Documentation coverage (percentage of public APIs documented)
+- Undocumented public functions count
+- Cross-file flows documented`;
+
+// ../../packages/core/dist/prompts/upgrade.js
+var UPGRADE_PROMPT = `Perform a comprehensive DEPENDENCY UPGRADE analysis for this codebase.
+
+Analyze all dependencies and their usage across the entire codebase:
+
+1. **Outdated dependencies** \u2014 identify packages that need upgrading, check for major version bumps
+2. **Breaking changes** \u2014 for each upgrade, list every file that uses changed APIs
+3. **Security advisories** \u2014 known vulnerable versions in use
+4. **Unused dependencies** \u2014 packages in package.json that aren't imported anywhere
+5. **Missing types** \u2014 @types packages needed but not installed
+6. **Cross-file upgrade impacts** \u2014 how upgrading one dependency affects usage across multiple files
+7. **Peer dependency conflicts** \u2014 potential version conflicts between packages
+
+For each upgrade:
+- Show current vs recommended version
+- List all files that import/use the package
+- Show code changes needed as diffs
+- Mark cross-file impacts
+
+Provide metrics:
+- Dependencies needing upgrade
+- Security vulnerabilities fixed
+- Unused dependencies to remove
+- Breaking changes requiring code updates`;
+
+// ../../packages/core/dist/prompts/system.js
+var SYSTEM_PROMPT = `You are Shipwell, an expert code analysis engine. You perform deep cross-file analysis of entire codebases.
+
+You receive an entire codebase in XML format and perform the requested analysis operation.
+
+CRITICAL RULES:
+1. Your analysis MUST identify cross-file issues \u2014 problems that span multiple files. This is your key differentiator.
+2. Always reference specific file paths and line numbers.
+3. Output your findings in the structured XML format specified.
+4. Be thorough but practical \u2014 prioritize actionable findings over theoretical concerns.
+5. When suggesting changes, provide complete before/after code snippets.
+
+OUTPUT FORMAT:
+Wrap all output in <analysis> tags. Each finding goes in a <finding> tag:
+
+<analysis>
+<summary>Brief overall summary of the analysis</summary>
+
+<metrics>
+<metric label="Label" before="value" after="value" unit="optional unit" />
+</metrics>
+
+<finding id="1" type="issue|suggestion|change|doc" severity="critical|high|medium|low|info">
+<title>Short descriptive title</title>
+<description>Detailed explanation of the finding</description>
+<files>
+<file>path/to/file1.ts</file>
+<file>path/to/file2.ts</file>
+</files>
+<cross-file>true|false</cross-file>
+<category>security|performance|type-safety|architecture|etc</category>
+<diff>
+\`\`\`diff
+--- a/path/to/file.ts
++++ b/path/to/file.ts
+@@ -10,5 +10,5 @@
+-old code
++new code
+\`\`\`
+</diff>
+</finding>
+
+</analysis>`;
+
+// ../../packages/core/dist/prompts/index.js
+function getOperationPrompt(operation, options) {
+  let prompt;
+  switch (operation) {
+    case "audit":
+      prompt = AUDIT_PROMPT;
+      break;
+    case "migrate":
+      prompt = getMigratePrompt(options?.target || "latest version");
+      break;
+    case "refactor":
+      prompt = REFACTOR_PROMPT;
+      break;
+    case "docs":
+      prompt = DOCS_PROMPT;
+      break;
+    case "upgrade":
+      prompt = UPGRADE_PROMPT;
+      break;
+  }
+  if (options?.context) {
+    prompt += `
+
+Additional context from the user:
+${options.context}`;
+  }
+  return prompt;
+}
+
+// ../../packages/core/dist/engine/client.js
+async function* streamAnalysis(options) {
+  const { apiKey, operation, codebaseXml, model, target, context, onText } = options;
+  const client = new Anthropic({ apiKey });
+  const userPrompt = `${getOperationPrompt(operation, { target, context })}
+
+Here is the complete codebase to analyze:
+
+${codebaseXml}`;
+  const stream = client.messages.stream({
+    model: model || DEFAULT_MODEL,
+    max_tokens: 16e3,
+    system: SYSTEM_PROMPT,
+    messages: [{ role: "user", content: userPrompt }]
+  });
+  for await (const event of stream) {
+    if (event.type === "content_block_delta" && "text" in event.delta) {
+      const text = event.delta.text;
+      onText?.(text);
+      yield text;
+    }
+  }
+}
+
+// ../../packages/core/dist/output/parser.js
+var StreamingParser = class {
+  buffer = "";
+  findingCount = 0;
+  emittedFindings = /* @__PURE__ */ new Set();
+  emittedMetrics = /* @__PURE__ */ new Set();
+  /** Append new text chunk and extract any complete findings */
+  push(chunk) {
+    this.buffer += chunk;
+    return {
+      findings: this.extractFindings(),
+      metrics: this.extractMetrics()
+    };
+  }
+  extractFindings() {
+    const findings = [];
+    const regex = /<finding\s+id="([^"]*)"[^>]*type="([^"]*)"[^>]*(?:severity="([^"]*)")?[^>]*>([\s\S]*?)<\/finding>/g;
+    let match;
+    while ((match = regex.exec(this.buffer)) !== null) {
+      const id = match[1];
+      if (this.emittedFindings.has(id))
+        continue;
+      this.emittedFindings.add(id);
+      const body = match[4];
+      const title = extractTag(body, "title") || "Untitled";
+      const description = extractTag(body, "description") || "";
+      const crossFile = extractTag(body, "cross-file") === "true";
+      const category = extractTag(body, "category") || void 0;
+      const diff = extractTag(body, "diff") || void 0;
+      const files = [];
+      const fileRegex = /<file>(.*?)<\/file>/g;
+      let fileMatch;
+      while ((fileMatch = fileRegex.exec(body)) !== null) {
+        files.push(fileMatch[1].trim());
+      }
+      findings.push({
+        id,
+        type: match[2],
+        severity: match[3] || void 0,
+        title,
+        description,
+        files,
+        crossFile,
+        category,
+        diff
+      });
+    }
+    return findings;
+  }
+  extractMetrics() {
+    const metrics = [];
+    const regex = /<metric\s+label="([^"]*)"[^>]*before="([^"]*)"[^>]*after="([^"]*)"[^>]*(?:unit="([^"]*)")?[^>]*\/>/g;
+    let match;
+    while ((match = regex.exec(this.buffer)) !== null) {
+      const key = `${match[1]}:${match[2]}:${match[3]}`;
+      if (this.emittedMetrics.has(key))
+        continue;
+      this.emittedMetrics.add(key);
+      metrics.push({
+        label: match[1],
+        before: match[2],
+        after: match[3],
+        unit: match[4] || void 0
+      });
+    }
+    return metrics;
+  }
+  /** Get the analysis summary */
+  getSummary() {
+    return extractTag(this.buffer, "summary");
+  }
+  /** Get full accumulated text */
+  getFullText() {
+    return this.buffer;
+  }
+};
+function extractTag(text, tag) {
+  const regex = new RegExp(`<${tag}>([\\s\\S]*?)<\\/${tag}>`);
+  const match = regex.exec(text);
+  return match ? match[1].trim() : null;
+}
+
+// src/commands/analyze.ts
+var accent = chalk.hex("#6366f1");
+var dim = chalk.dim;
+var bold = chalk.bold;
+var severityColor = {
+  critical: chalk.red.bold,
+  high: chalk.hex("#f97316").bold,
+  medium: chalk.yellow,
+  low: chalk.blue,
+  info: chalk.dim
+};
+var opLabels = {
+  audit: "Security Audit",
+  migrate: "Migration Plan",
+  refactor: "Refactor Analysis",
+  docs: "Documentation",
+  upgrade: "Dependency Upgrade"
+};
+function severityBadge(sev) {
+  if (!sev) return "";
+  const color = severityColor[sev] || chalk.dim;
+  return color(` [${sev.toUpperCase()}]`);
+}
+function formatFinding(f, i) {
+  const lines = [];
+  const num = dim(`${String(i + 1).padStart(2)}.`);
+  const cross = f.crossFile ? accent(" \u27F7 cross-file") : "";
+  lines.push(`  ${num} ${bold(f.title)}${severityBadge(f.severity)}${cross}`);
+  if (f.description) {
+    lines.push(`     ${dim(f.description)}`);
+  }
+  if (f.files.length > 0) {
+    lines.push(`     ${dim("files:")} ${f.files.map((file) => chalk.cyan(file)).join(dim(", "))}`);
+  }
+  return lines.join("\n");
+}
+function formatMetric(m) {
+  return `  ${dim("\u2022")} ${m.label}: ${chalk.red(m.before)} ${dim("\u2192")} ${chalk.green(m.after)}${m.unit ? dim(` ${m.unit}`) : ""}`;
+}
+async function analyzeCommand(operation, source, options) {
+  const apiKey = options.apiKey || process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) {
+    console.error(chalk.red("\n  Error: Anthropic API key is required.\n"));
+    console.error(dim("  Set ANTHROPIC_API_KEY env var or use --api-key flag"));
+    console.error(dim("  Example: shipwell audit ./my-repo --api-key sk-ant-...\n"));
+    process.exit(1);
+  }
+  const model = options.model || process.env.SHIPWELL_MODEL || "claude-sonnet-4-5-20250929";
+  const startTime = Date.now();
+  console.log();
+  console.log(accent("  \u26F5 Shipwell"), dim("\u2014 Full Codebase Autopilot"));
+  console.log(dim(`  ${opLabels[operation] || operation} \xB7 ${model}`));
+  console.log();
+  const spinner = ora({ text: "Reading repository...", color: "cyan", prefixText: "  " }).start();
+  let ingestResult;
+  try {
+    ingestResult = await ingestRepo({ source, maxTokens: getMaxCodebaseTokens(model) });
+    spinner.succeed(
+      `Read ${bold(ingestResult.totalFiles)} files ${dim(`(${ingestResult.skippedFiles} skipped, ~${Math.round(ingestResult.totalTokens / 1e3)}K tokens)`)}`
+    );
+  } catch (err) {
+    spinner.fail(`Failed to read repository: ${err.message}`);
+    process.exit(1);
+  }
+  const bundleSpinner = ora({ text: "Bundling codebase...", color: "cyan", prefixText: "  " }).start();
+  const bundle = bundleCodebase(ingestResult);
+  bundleSpinner.succeed(
+    `Bundled ${bold(bundle.includedFiles)} files ${dim(`(~${Math.round(bundle.totalTokens / 1e3)}K tokens)`)}`
+  );
+  const analyzeSpinner = ora({ text: `Running ${operation} analysis...`, color: "magenta", prefixText: "  " }).start();
+  const parser = new StreamingParser();
+  const allFindings = [];
+  const allMetrics = [];
+  try {
+    for await (const chunk of streamAnalysis({
+      apiKey,
+      operation,
+      model,
+      codebaseXml: bundle.xml,
+      target: options.target,
+      context: options.context
+    })) {
+      const { findings, metrics } = parser.push(chunk);
+      if (findings.length > 0 || metrics.length > 0) {
+        allFindings.push(...findings);
+        allMetrics.push(...metrics);
+        analyzeSpinner.text = `Analyzing... ${dim(`${allFindings.length} findings, ${allMetrics.length} metrics`)}`;
+      }
+      if (options.raw) {
+        process.stdout.write(chunk);
+      }
+    }
+  } catch (err) {
+    analyzeSpinner.fail(`Analysis failed: ${err.message}`);
+    process.exit(1);
+  }
+  const elapsed = ((Date.now() - startTime) / 1e3).toFixed(1);
+  analyzeSpinner.succeed(`Analysis complete ${dim(`(${elapsed}s)`)}`);
+  console.log();
+  console.log(accent("  \u2500\u2500\u2500 Results \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  if (allFindings.length > 0) {
+    const critCount = allFindings.filter((f) => f.severity === "critical").length;
+    const highCount = allFindings.filter((f) => f.severity === "high").length;
+    const medCount = allFindings.filter((f) => f.severity === "medium").length;
+    const lowCount = allFindings.filter((f) => f.severity === "low").length;
+    const crossCount = allFindings.filter((f) => f.crossFile).length;
+    const counts = [
+      critCount > 0 ? chalk.red(`${critCount} critical`) : null,
+      highCount > 0 ? chalk.hex("#f97316")(`${highCount} high`) : null,
+      medCount > 0 ? chalk.yellow(`${medCount} medium`) : null,
+      lowCount > 0 ? chalk.blue(`${lowCount} low`) : null
+    ].filter(Boolean).join(dim(" \xB7 "));
+    console.log(`  ${bold(`${allFindings.length} Findings`)} ${dim("(")}${counts}${dim(")")}`);
+    if (crossCount > 0) {
+      console.log(`  ${accent(`${crossCount} cross-file issues`)}`);
+    }
+    console.log();
+    for (let i = 0; i < allFindings.length; i++) {
+      console.log(formatFinding(allFindings[i], i));
+      if (i < allFindings.length - 1) console.log();
+    }
+  } else {
+    console.log(dim("  No findings."));
+  }
+  if (allMetrics.length > 0) {
+    console.log();
+    console.log(`  ${bold("Metrics")}`);
+    for (const m of allMetrics) {
+      console.log(formatMetric(m));
+    }
+  }
+  const summary = parser.getSummary();
+  if (summary) {
+    console.log();
+    console.log(`  ${bold("Summary")}`);
+    console.log(`  ${dim(summary)}`);
+  }
+  console.log();
+  console.log(accent("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk.green("\u2713")} ${bold(`${allFindings.length} findings`)} in ${elapsed}s \xB7 ${dim(`${bundle.includedFiles} files \xB7 ~${Math.round(bundle.totalTokens / 1e3)}K tokens`)}`);
+  console.log();
+}
+
+// src/index.ts
+var program = new Command();
+program.name("shipwell").description("Full Codebase Autopilot \u2014 deep cross-file analysis powered by Claude").version("0.1.0");
+var operations = ["audit", "migrate", "refactor", "docs", "upgrade"];
+var opDesc = {
+  audit: "Run a security audit on a codebase",
+  migrate: "Plan a framework/library migration",
+  refactor: "Detect code smells, duplication & architecture issues",
+  docs: "Generate comprehensive documentation",
+  upgrade: "Analyze dependencies & plan safe upgrades"
+};
+for (const op of operations) {
+  program.command(op).description(opDesc[op] || `Run ${op} analysis on a codebase`).argument("<source>", "Local path or GitHub URL").option("-k, --api-key <key>", "Anthropic API key (or set ANTHROPIC_API_KEY env var)").option("-m, --model <model>", "Claude model to use (or set SHIPWELL_MODEL env var)").option("-t, --target <target>", "Migration target (for migrate operation)").option("-c, --context <context>", "Additional context for the analysis").option("-r, --raw", "Also print raw streaming output").action((source, options) => {
+    analyzeCommand(op, source, options);
+  });
+}
+program.parse();

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "@shipwellapp/cli",
+  "version": "0.1.0",
+  "description": "Full Codebase Autopilot — deep cross-file analysis powered by Claude",
+  "type": "module",
+  "bin": {
+    "shipwell": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsc --watch"
+  },
+  "keywords": [
+    "claude",
+    "ai",
+    "codebase",
+    "analysis",
+    "security",
+    "audit",
+    "migration",
+    "refactor",
+    "documentation",
+    "anthropic",
+    "opus",
+    "cli"
+  ],
+  "author": "Manas Dutta",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/manasdutta04/shipwell.git",
+    "directory": "apps/cli"
+  },
+  "homepage": "https://shipwell.app",
+  "bugs": {
+    "url": "https://github.com/manasdutta04/shipwell/issues"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.39.0",
+    "@shipwell/core": "workspace:*",
+    "chalk": "^5.4.1",
+    "commander": "^13.1.0",
+    "glob": "^11.0.0",
+    "ignore": "^7.0.0",
+    "ora": "^8.2.0",
+    "simple-git": "^3.27.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.7.0"
+  }
+}