@trikhub/cli 0.2.0 → 0.3.1

package/README.md

@@ -48,14 +48,15 @@ trik install @scope/trik-name --version 1.2.3
 ```
 
 The install process:
-1. Resolves configuration (see [Local vs Global Configuration](#local-vs-global-configuration))
-2. Fetches trik metadata from the registry
-3. Downloads the tarball from GitHub Releases
-4. Extracts to the configured triks directory
+
+1. **Tries npm registry first** - If the package is published to npm, installs via your package manager (npm/pnpm/yarn)
+2. **Falls back to TrikHub registry** - For GitHub-only packages, downloads the tarball from GitHub Releases
+3. Adds the dependency to `package.json` (npm packages use version, TrikHub packages use tarball URL)
+4. Extracts to `node_modules/`
 5. **Validates** the trik (manifest structure, security rules)
-6. Updates the lockfile
+6. Registers the trik in `.trikhub/config.json`
 
-If validation fails, the trik is removed and installation aborts.
+This hybrid approach means triks work like regular npm packages while supporting GitHub-only distributions.
 
 ### `trik search <query>`
 
@@ -107,6 +108,23 @@ trik upgrade @acme/article-search
 trik upgrade --force
 ```
 
+### `trik sync`
+
+Discover trik packages in `node_modules` and register them in `.trikhub/config.json`.
+
+```bash
+# Scan node_modules and add triks to config
+trik sync
+
+# Preview what would be synced
+trik sync --dry-run
+
+# Output as JSON
+trik sync --json
+```
+
+This is useful when you manually add a trik to `package.json` and run `npm install`. The sync command will detect the trik and register it.
+
 ## Authentication
 
 ### `trik login`
@@ -168,16 +186,19 @@ trik publish --skip-release
 
 The CLI will:
 
-1. Validate your trik structure (manifest.json, trikhub.json, dist/)
-2. Create a tarball with required files
+1. Validate your trik structure (manifest.json, trikhub.json, package.json, dist/)
+2. Create an **npm-compatible tarball** with files inside a `package/` directory
 3. Compute SHA-256 hash for integrity verification
 4. Create a GitHub Release with the tarball attached
 5. Register the trik with the TrikHub registry
 
+The tarball format is compatible with npm, so users can install directly via the tarball URL.
+
 ### Required Files
 
 ```
 your-trik/
+├── package.json       # npm package definition (required)
 ├── manifest.json      # Trik manifest (required)
 ├── trikhub.json       # Registry metadata (required)
 ├── dist/
@@ -210,102 +231,59 @@ Triks use scoped names similar to npm:
 
 **Note:** All trik names are normalized to lowercase. `@Acme/Article-Search` becomes `@acme/article-search`.
 
-## Local vs Global Configuration
-
-The CLI supports both **local** (project-level) and **global** (user-level) configurations. This allows you to have project-specific trik installations or share triks across all projects.
-
-### Configuration Resolution
-
-When you run a command like `trik install`, the CLI resolves configuration in this order:
-
-1. **Local config**: Checks for `.trikhub/config.json` in the current directory
-2. **Global config**: Falls back to `~/.trikhub/config.json` in your home directory
-3. **Setup prompt**: If neither exists, prompts you to choose where to set up
-
-```
-$ trik install @acme/article-search
-
-No TrikHub configuration found.
-Triks need a place to be installed.
-
-? Where would you like to set up TrikHub?
-❯ Global (~/.trikhub)      - Available to all projects
-  Local (./.trikhub)       - Project-specific configuration
-```
-
-### Global Configuration (Default)
-
-Triks are installed in your home directory and available to all projects:
-
-```
-~/.trikhub/
-├── config.json      # CLI configuration
-├── triks.lock       # Lockfile tracking installed versions
-└── triks/           # Installed triks
-    └── @scope/trik-name/
-```
-
-### Local Configuration
+## How Triks Work with npm
 
-Triks are installed in the current project directory. Useful for:
+Triks are installed as regular npm packages in your project's `node_modules/`. The CLI tracks which packages are triks in `.trikhub/config.json`.
 
-- Project-specific trik versions
-- Sharing trik configurations with your team (commit `.trikhub/` to git)
-- Isolated environments
+### Project Structure
 
 ```
 ./your-project/
+├── package.json           # Trik dependencies listed here
+├── node_modules/
+│   └── @scope/trik-name/  # Trik installed like any npm package
 └── .trikhub/
-    ├── config.json      # Project-specific configuration
-    ├── triks.lock       # Project lockfile
-    └── triks/           # Project-specific triks
-        └── @scope/trik-name/
+    └── config.json        # Lists which packages are triks
 ```
 
-### Switching Between Scopes
+### The Config File
 
-The CLI automatically detects which scope to use based on the presence of `.trikhub/config.json` in the current directory:
+`.trikhub/config.json` tracks which npm packages are triks:
 
-```bash
-# In a project with local config
-$ trik list
-Installed triks (2) (local: /path/to/project/.trikhub):
-  ● @acme/article-search v1.0.0
-
-# In a directory without local config (uses global)
-$ cd ~
-$ trik list
-Installed triks (5) (global):
-  ● @acme/other-trik v2.0.0
+```json
+{
+  "triks": ["@acme/article-search", "@acme/web-scraper"]
+}
 ```
 
-### Initializing a Local Config
+This file is used by the TrikHub Gateway to know which packages to load as triks.
 
-If you have a global config but want to set up a local one for a project:
+### TrikHub Registry Packages
 
-```bash
-$ trik install @scope/some-trik
-# When prompted "Use global configuration?", select "No"
-# This will initialize a local .trikhub/ directory
-```
+For packages not published to npm (GitHub-only), the CLI:
 
-## File Locations
+1. Downloads the tarball from GitHub Releases
+2. Extracts to `node_modules/`
+3. Adds the tarball URL to `package.json`
 
-### Global (Default)
+```json
+{
+  "dependencies": {
+    "@acme/article-search": "https://github.com/acme/article-search/releases/download/v1.0.0/article-search-1.0.0.tar.gz"
+  }
+}
+```
 
-| Path | Description |
-|------|-------------|
-| `~/.trikhub/config.json` | CLI configuration |
-| `~/.trikhub/triks.lock` | Lockfile tracking installed versions |
-| `~/.trikhub/triks/` | Installed triks directory |
+This means `npm install` works natively - npm fetches from the tarball URL.
 
-### Local (Project-Level)
+## File Locations
 
 | Path | Description |
 |------|-------------|
-| `./.trikhub/config.json` | Project-specific configuration |
-| `./.trikhub/triks.lock` | Project lockfile |
-| `./.trikhub/triks/` | Project-specific triks |
+| `~/.trikhub/config.json` | Global CLI configuration (auth tokens, registry URL) |
+| `./.trikhub/config.json` | Project trik registry (list of trik package names) |
+| `./package.json` | Trik dependencies (managed by npm) |
+| `./node_modules/` | Installed triks (managed by npm) |
 
 ## Validation
 
@@ -322,26 +300,39 @@ Triks that fail validation are rejected to prevent prompt injection vulnerabilit
 
 ### Registry URL
 
-By default, the CLI connects to `https://api.trikhub.com`. For development, you can override this:
+The registry URL is determined by environment:
+
+| Environment | Registry URL |
+| ----------- | ------------ |
+| Production (default) | `https://api.trikhub.com` |
+| Development (`--dev` flag) | `http://localhost:3001` |
+
+Use the `--dev` flag for local development:
 
 ```bash
-# Environment variable (highest priority)
-export TRIKHUB_REGISTRY=http://localhost:3000
+trik --dev search article
+trik --dev install @scope/name
+```
 
-# Or edit your config.json (local or global)
-{
-  "registry": "http://localhost:3000"
-}
+Alternatively, set `NODE_ENV=development`:
+
+```bash
+export NODE_ENV=development
+trik search article
 ```
 
-### Config File
+You can also override the registry URL with an environment variable:
 
-The `config.json` file (either local `.trikhub/config.json` or global `~/.trikhub/config.json`) stores:
+```bash
+export TRIKHUB_REGISTRY=http://localhost:3000
+```
+
+### Global Config File (`~/.trikhub/config.json`)
+
+Stores authentication and CLI settings:
 
 ```json
 {
-  "registry": "https://api.trikhub.com",
-  "triksDirectory": ".trikhub/triks",
   "analytics": true,
   "authToken": "...",
   "authExpiresAt": "2026-03-09T11:24:12.401Z",
@@ -351,13 +342,29 @@ The `config.json` file (either local `.trikhub/config.json` or global `~/.trikhu
 
 | Field | Description |
 | ----- | ----------- |
-| `registry` | TrikHub registry URL |
-| `triksDirectory` | Where triks are installed (relative to config location for local) |
 | `analytics` | Whether to send anonymous download analytics |
 | `authToken` | Authentication token (set by `trik login`) |
 | `authExpiresAt` | Token expiration timestamp |
 | `publisherUsername` | Authenticated GitHub username |
 
+### Project Config File (`.trikhub/config.json`)
+
+Tracks which npm packages are triks:
+
+```json
+{
+  "triks": ["@acme/article-search", "@acme/web-scraper"],
+  "trikhub": {
+    "@acme/article-search": "1.0.0"
+  }
+}
+```
+
+| Field | Description |
+| ----- | ----------- |
+| `triks` | List of npm package names that are triks |
+| `trikhub` | Packages installed from TrikHub registry (version tracking) |
+
 ## Development
 
 ```bash

package/dist/cli.js

@@ -5,6 +5,7 @@
  * Command-line interface for managing AI triks.
  */
 import { Command } from 'commander';
+import { createRequire } from 'module';
 import { installCommand } from './commands/install.js';
 import { listCommand } from './commands/list.js';
 import { searchCommand } from './commands/search.js';
@@ -14,11 +15,21 @@ import { loginCommand, logoutCommand, whoamiCommand } from './commands/login.js'
 import { publishCommand } from './commands/publish.js';
 import { upgradeCommand, upgradeAllCommand } from './commands/upgrade.js';
 import { syncCommand } from './commands/sync.js';
+// Read version from package.json
+const require = createRequire(import.meta.url);
+const pkg = require('../package.json');
 const program = new Command();
 program
     .name('trik')
     .description('TrikHub CLI - Teaching AI new triks')
-    .version('0.1.0');
+    .version(pkg.version)
+    .option('--dev', 'Use development registry (localhost:3001)')
+    .hook('preAction', () => {
+    // Set NODE_ENV before any command runs if --dev flag is passed
+    if (program.opts().dev) {
+        process.env.NODE_ENV = 'development';
+    }
+});
 // Install command
 program
     .command('install <trik>')
@@ -75,7 +86,6 @@ program
     .description('Publish a trik to the registry')
     .option('-d, --directory <path>', 'Trik directory to publish', '.')
     .option('-t, --tag <version>', 'Version tag (default: from manifest)')
-    .option('--skip-release', 'Skip creating GitHub release (for manual upload)')
     .action(publishCommand);
 // Upgrade command
 program

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,MAAM,CAAC;KACZ,WAAW,CAAC,qCAAqC,CAAC;KAClD,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,GAAG,CAAC;KACV,WAAW,CAAC,0DAA0D,CAAC;KACvE,MAAM,CAAC,yBAAyB,EAAE,4BAA4B,CAAC;KAC/D,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,oBAAoB;AACpB,OAAO;KACJ,OAAO,CAAC,kBAAkB,CAAC;KAC3B,KAAK,CAAC,IAAI,CAAC;KACX,KAAK,CAAC,QAAQ,CAAC;KACf,WAAW,CAAC,kBAAkB,CAAC;KAC/B,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE5B,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,KAAK,CAAC,IAAI,CAAC;KACX,WAAW,CAAC,sBAAsB,CAAC;KACnC,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,GAAG,CAAC;KACV,WAAW,CAAC,kCAAkC,CAAC;KAC/C,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,sBAAsB,EAAE,eAAe,EAAE,IAAI,CAAC;KACrD,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,aAAa,CAAC;KACtB,WAAW,CAAC,wCAAwC,CAAC;KACrD,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,gBAAgB;AAChB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,iCAAiC,CAAC;KAC9C,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,gCAAgC,CAAC;KAC7C,MAAM,CAAC,wBAAwB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAClE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,CAAC;KACrE,MAAM,CAAC,gBAAgB,EAAE,kDAAkD,CAAC;KAC5E,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,IAAI,CAAC;KACX,WAAW,CAAC,4DAA4D,CAAC;KACzE,MAAM,CAAC,aAAa,EAAE,oCAAoC,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,OAA4B,EAAE,EAAE;IACvE,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,MAAM,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,0CAA0C;AAC1C,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,kDAAkD,CAAC;KAC/D,MAAM,CAAC,eAAe,EAAE,oDAAoD,CAAC;KAC7E,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,0BAA0B;AAC1B,wEAAwE;AACxE,uEAAuE;AAEvE,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,iCAAiC;AACjC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,MAAM,CAAC;KACZ,WAAW,CAAC,qCAAqC,CAAC;KAClD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;KACpB,MAAM,CAAC,OAAO,EAAE,2CAA2C,CAAC;KAC5D,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE;IACtB,+DAA+D;IAC/D,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,aAAa,CAAC;IACvC,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,GAAG,CAAC;KACV,WAAW,CAAC,0DAA0D,CAAC;KACvE,MAAM,CAAC,yBAAyB,EAAE,4BAA4B,CAAC;KAC/D,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,oBAAoB;AACpB,OAAO;KACJ,OAAO,CAAC,kBAAkB,CAAC;KAC3B,KAAK,CAAC,IAAI,CAAC;KACX,KAAK,CAAC,QAAQ,CAAC;KACf,WAAW,CAAC,kBAAkB,CAAC;KAC/B,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE5B,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,KAAK,CAAC,IAAI,CAAC;KACX,WAAW,CAAC,sBAAsB,CAAC;KACnC,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,GAAG,CAAC;KACV,WAAW,CAAC,kCAAkC,CAAC;KAC/C,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,sBAAsB,EAAE,eAAe,EAAE,IAAI,CAAC;KACrD,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,aAAa,CAAC;KACtB,WAAW,CAAC,wCAAwC,CAAC;KACrD,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,gBAAgB;AAChB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,iCAAiC,CAAC;KAC9C,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,gCAAgC,CAAC;KAC7C,MAAM,CAAC,wBAAwB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAClE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,CAAC;KACrE,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,KAAK,CAAC,IAAI,CAAC;KACX,WAAW,CAAC,4DAA4D,CAAC;KACzE,MAAM,CAAC,aAAa,EAAE,oCAAoC,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,OAA4B,EAAE,EAAE;IACvE,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,MAAM,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,0CAA0C;AAC1C,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,kDAAkD,CAAC;KAC/D,MAAM,CAAC,eAAe,EAAE,oDAAoD,CAAC;KAC7E,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC;KACtC,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,0BAA0B;AAC1B,wEAAwE;AACxE,uEAAuE;AAEvE,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/commands/install.d.ts

@@ -5,9 +5,11 @@
  *
  * Workflow:
  * 1. Try npm registry first
- * 2. If not found, fall back to TrikHub registry (GitHub releases)
- * 3. Download and install
- * 4. Update .trikhub/config.json with the trik
+ * 2. If not found, fall back to TrikHub registry (uses git URLs)
+ * 3. Verify commit SHA for security
+ * 4. Add to package.json as github:owner/repo#tag
+ * 5. Run package manager install
+ * 6. Update .trikhub/config.json with the trik
  */
 interface InstallOptions {
     version?: string;

package/dist/commands/install.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../../src/commands/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgBH,UAAU,cAAc;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAyUD,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA0Ff"}
+{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../../src/commands/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAaH,UAAU,cAAc;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAiVD,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA2Ff"}

package/dist/commands/install.js

@@ -5,20 +5,19 @@
  *
  * Workflow:
  * 1. Try npm registry first
- * 2. If not found, fall back to TrikHub registry (GitHub releases)
- * 3. Download and install
- * 4. Update .trikhub/config.json with the trik
+ * 2. If not found, fall back to TrikHub registry (uses git URLs)
+ * 3. Verify commit SHA for security
+ * 4. Add to package.json as github:owner/repo#tag
+ * 5. Run package manager install
+ * 6. Update .trikhub/config.json with the trik
  */
-import { existsSync, createWriteStream, rmSync, mkdirSync } from 'node:fs';
+import { existsSync, mkdirSync } from 'node:fs';
 import { readFile, writeFile, mkdir } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
 import { spawn } from 'node:child_process';
-import { pipeline } from 'node:stream/promises';
-import { Readable } from 'node:stream';
 import chalk from 'chalk';
 import ora from 'ora';
 import * as semver from 'semver';
-import * as tar from 'tar';
 import { validateManifest } from '@trikhub/manifest';
 import { registry } from '../lib/registry.js';
 const NPM_CONFIG_DIR = '.trikhub';
@@ -78,6 +77,7 @@ async function readNpmConfig(baseDir) {
         const config = JSON.parse(content);
         return {
             triks: Array.isArray(config.triks) ? config.triks : [],
+            trikhub: config.trikhub ?? {},
         };
     }
     catch {
@@ -115,44 +115,67 @@ async function isTrikPackage(packagePath) {
 }
 /**
  * Add a trik to the config
+ * @param trikhubVersion - If provided, marks this as a TrikHub-only package (not on npm)
  */
-async function addTrikToConfig(packageName, baseDir) {
+async function addTrikToConfig(packageName, baseDir, trikhubVersion) {
     const config = await readNpmConfig(baseDir);
     if (!config.triks.includes(packageName)) {
         config.triks = [...config.triks, packageName].sort();
-        await writeNpmConfig(config, baseDir);
     }
+    // Track TrikHub source for reinstallation
+    if (trikhubVersion) {
+        if (!config.trikhub) {
+            config.trikhub = {};
+        }
+        config.trikhub[packageName] = trikhubVersion;
+    }
+    await writeNpmConfig(config, baseDir);
 }
 /**
- * Download a file from a URL
+ * Verify that a GitHub tag points to the expected commit SHA
  */
-async function downloadFile(url, destPath) {
-    const response = await fetch(url);
-    if (!response.ok) {
-        throw new Error(`Failed to download: ${response.status} ${response.statusText}`);
-    }
-    if (!response.body) {
-        throw new Error('No response body');
+async function verifyGitHubTagSha(githubRepo, gitTag, expectedSha) {
+    try {
+        // Use GitHub API to get the tag reference
+        const response = await fetch(`https://api.github.com/repos/${githubRepo}/git/refs/tags/${gitTag}`);
+        if (!response.ok) {
+            if (response.status === 404) {
+                return { valid: false };
+            }
+            throw new Error(`GitHub API error: ${response.status}`);
+        }
+        const data = await response.json();
+        let currentSha = data.object.sha;
+        // If it's an annotated tag, we need to dereference it
+        if (data.object.type === 'tag') {
+            const tagResponse = await fetch(`https://api.github.com/repos/${githubRepo}/git/tags/${currentSha}`);
+            if (tagResponse.ok) {
+                const tagData = await tagResponse.json();
+                currentSha = tagData.object.sha;
+            }
+        }
+        return {
+            valid: currentSha === expectedSha,
+            currentSha,
+        };
     }
-    const dir = dirname(destPath);
-    if (!existsSync(dir)) {
-        await mkdir(dir, { recursive: true });
+    catch {
+        // If we can't verify, proceed with caution
+        return { valid: true };
     }
-    const fileStream = createWriteStream(destPath);
-    await pipeline(Readable.fromWeb(response.body), fileStream);
 }
 /**
- * Add a dependency to package.json
+ * Add a dependency to package.json using git URL format
  */
-async function addToPackageJson(packageName, version, baseDir) {
+async function addToPackageJson(packageName, githubRepo, gitTag, baseDir) {
     const packageJsonPath = join(baseDir, 'package.json');
     const content = await readFile(packageJsonPath, 'utf-8');
     const pkg = JSON.parse(content);
     if (!pkg.dependencies) {
         pkg.dependencies = {};
     }
-    // Use a special prefix to indicate it's a TrikHub package
-    pkg.dependencies[packageName] = `trikhub:${version}`;
+    // Use GitHub shorthand format - clean and npm/pnpm compatible
+    pkg.dependencies[packageName] = `github:${githubRepo}#${gitTag}`;
     await writeFile(packageJsonPath, JSON.stringify(pkg, null, 2) + '\n', 'utf-8');
 }
 /**
@@ -172,10 +195,9 @@ async function tryNpmInstall(pm, packageSpec, baseDir) {
     return { success: false, notFound: isNotFound };
 }
 /**
- * Install from TrikHub registry (GitHub releases)
- * Extracts directly to node_modules since TrikHub tarballs may not be npm-compatible
+ * Install from TrikHub registry using git URLs
  */
-async function installFromTrikhub(packageName, requestedVersion, baseDir, spinner) {
+async function installFromTrikhub(packageName, requestedVersion, baseDir, pm, spinner) {
     // Fetch trik info from TrikHub registry
     spinner.text = `Fetching ${chalk.cyan(packageName)} from TrikHub registry...`;
     const trikInfo = await registry.getTrik(packageName);
@@ -212,66 +234,33 @@ async function installFromTrikhub(packageName, requestedVersion, baseDir, spinne
         spinner.fail(`Version ${chalk.red(versionToInstall)} not found for ${packageName}`);
         return { success: false };
     }
-    // Download the tarball
-    spinner.text = `Downloading ${chalk.cyan(packageName)}@${versionToInstall}...`;
-    const tempDir = join(baseDir, '.trikhub', '.tmp');
-    const tarballPath = join(tempDir, `${packageName.replace('/', '-')}-${versionToInstall}.tgz`);
-    try {
-        await downloadFile(versionInfo.tarballUrl, tarballPath);
-        // Extract directly to node_modules
-        spinner.text = `Installing ${chalk.cyan(packageName)}@${versionToInstall}...`;
-        // Create the target directory in node_modules
-        const nodeModulesPath = join(baseDir, 'node_modules');
-        const packagePath = join(nodeModulesPath, ...packageName.split('/'));
-        // Ensure parent directories exist (for scoped packages)
-        if (packageName.startsWith('@')) {
-            const scopeDir = join(nodeModulesPath, packageName.split('/')[0]);
-            if (!existsSync(scopeDir)) {
-                mkdirSync(scopeDir, { recursive: true });
-            }
-        }
-        // Remove existing installation if present
-        if (existsSync(packagePath)) {
-            rmSync(packagePath, { recursive: true, force: true });
+    // Verify the commit SHA hasn't changed (security check)
+    spinner.text = `Verifying ${chalk.cyan(packageName)}@${versionToInstall}...`;
+    const verification = await verifyGitHubTagSha(trikInfo.githubRepo, versionInfo.gitTag, versionInfo.commitSha);
+    if (!verification.valid) {
+        spinner.fail(`Security warning: Tag ${versionInfo.gitTag} has been modified!`);
+        console.log(chalk.red('\nThe git tag no longer points to the same commit as when it was published.'));
+        console.log(chalk.dim(`  Expected SHA: ${versionInfo.commitSha}`));
+        if (verification.currentSha) {
+            console.log(chalk.dim(`  Current SHA:  ${verification.currentSha}`));
         }
-        // Create target directory
-        mkdirSync(packagePath, { recursive: true });
-        // Extract tarball to the package directory
-        await tar.extract({
-            file: tarballPath,
-            cwd: packagePath,
-        });
-        // Create a minimal package.json if one doesn't exist
-        const pkgJsonPath = join(packagePath, 'package.json');
-        if (!existsSync(pkgJsonPath)) {
-            const minimalPkg = {
-                name: packageName,
-                version: versionToInstall,
-                description: trikInfo.description || `TrikHub package: ${packageName}`,
-            };
-            await writeFile(pkgJsonPath, JSON.stringify(minimalPkg, null, 2) + '\n', 'utf-8');
-        }
-        // Add to package.json dependencies
-        await addToPackageJson(packageName, versionToInstall, baseDir);
-        // Report download for analytics
-        registry.reportDownload(packageName, versionToInstall);
-        return { success: true, version: versionToInstall };
+        console.log(chalk.red('\nThis could indicate tampering. Aborting installation.'));
+        return { success: false };
     }
-    finally {
-        // Clean up tarball
-        if (existsSync(tarballPath)) {
-            rmSync(tarballPath, { force: true });
-        }
-        // Clean up temp dir if empty
-        if (existsSync(tempDir)) {
-            try {
-                rmSync(tempDir, { recursive: true, force: true });
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-        }
+    // Add to package.json using git URL format
+    spinner.text = `Adding ${chalk.cyan(packageName)}@${versionToInstall} to package.json...`;
+    await addToPackageJson(packageName, trikInfo.githubRepo, versionInfo.gitTag, baseDir);
+    // Run package manager install
+    spinner.text = `Installing ${chalk.cyan(packageName)}@${versionToInstall}...`;
+    const installResult = await runCommand(pm, ['install'], baseDir, { silent: true });
+    if (installResult.code !== 0) {
+        spinner.fail(`Failed to install ${packageName}`);
+        console.log(chalk.dim(installResult.stderr));
+        return { success: false };
     }
+    // Report download for analytics
+    registry.reportDownload(packageName, versionToInstall);
+    return { success: true, version: versionToInstall };
 }
 export async function installCommand(trikInput, options) {
     const spinner = ora();
@@ -314,7 +303,7 @@ export async function installCommand(trikInput, options) {
         else if (npmResult.notFound) {
             // Not on npm, try TrikHub registry
             spinner.text = `Not found on npm, checking TrikHub registry...`;
-            const trikhubResult = await installFromTrikhub(packageName, versionSpec, baseDir, spinner);
+            const trikhubResult = await installFromTrikhub(packageName, versionSpec, baseDir, pm, spinner);
             if (trikhubResult.success) {
                 spinner.succeed(`Installed ${chalk.green(packageName)}@${trikhubResult.version} from TrikHub`);
                 installed = true;
@@ -334,7 +323,8 @@ export async function installCommand(trikInput, options) {
         spinner.start('Checking if package is a trik...');
         const packagePath = join(baseDir, 'node_modules', ...packageName.split('/'));
         if (await isTrikPackage(packagePath)) {
-            await addTrikToConfig(packageName, baseDir);
+            // Pass version for TrikHub packages (for sync/upgrade tracking)
+            await addTrikToConfig(packageName, baseDir, installedVersion);
             spinner.succeed(`Registered ${chalk.green(packageName)} as a trik`);
             console.log();
             console.log(chalk.dim(`  Added to: package.json`));