catylst 1.0.8 → 1.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "catylst",
-  "version": "1.0.8",
+  "version": "1.0.9",
   "description": "Generate customized Kotlin Multiplatform projects with an interactive wizard",
   "keywords": [
     "kotlin",

package/postinstall.js

@@ -4,20 +4,18 @@
 // 2. Clones (or updates) the Catylst template to ~/.catylst/template
 // 3. Downloads the CLI JAR to ~/.catylst/catylst-cli.jar
 
-// NOTE: all progress output goes to stderr.
-// npm buffers stdout during install and only shows it on error.
-// stderr is streamed to the terminal in real-time.
-
-const { spawnSync, spawn } = require("child_process");
-const https  = require("https");
+const { spawnSync } = require("child_process");
+const https = require("https");
 const crypto = require("crypto");
-const fs     = require("fs");
-const path   = require("path");
-const os     = require("os");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
 
 const REPO_URL = "https://github.com/rohit-554/Catylst.git";
-const JAR_URL  = "https://github.com/rohit-554/Catylst/releases/latest/download/catylst-cli.jar";
+const JAR_URL =
+  "https://github.com/rohit-554/Catylst/releases/latest/download/catylst-cli.jar";
 
+// Trusted hosts for redirect following — no other host is allowed
 const TRUSTED_HOSTS = [
   "github.com",
   "objects.githubusercontent.com",
@@ -26,11 +24,9 @@ const TRUSTED_HOSTS = [
   "codeload.github.com",
 ];
 
-const CATYLST_DIR  = path.join(os.homedir(), ".catylst");
+const CATYLST_DIR = path.join(os.homedir(), ".catylst");
 const TEMPLATE_DIR = path.join(CATYLST_DIR, "template");
-const JAR_PATH     = path.join(CATYLST_DIR, "catylst-cli.jar");
-
-// ── colours ───────────────────────────────────────────────────────────────────
+const JAR_PATH = path.join(CATYLST_DIR, "catylst-cli.jar");
 
 const green  = (s) => `\x1b[32m${s}\x1b[0m`;
 const yellow = (s) => `\x1b[33m${s}\x1b[0m`;
@@ -39,160 +35,207 @@ const bold   = (s) => `\x1b[1m${s}\x1b[0m`;
 const dim    = (s) => `\x1b[2m${s}\x1b[0m`;
 const purple = (s) => `\x1b[35m${s}\x1b[0m`;
 
-const print = (s) => process.stderr.write(s + "\n");
-const printRaw = (s) => process.stderr.write(s);
-
-// ── tips & jokes ──────────────────────────────────────────────────────────────
+// ── Tips & jokes shown while cloning / downloading ───────────────────────────
 
 const MESSAGES = [
-  ["tip",  "Room 3.1 auto-generates all your DAO queries at compile time."],
-  ["tip",  "Navigation3 uses type-safe routes — no more string typos in nav graphs."],
-  ["tip",  "Swap AI providers by changing one line in AppModule.kt."],
-  ["tip",  "bloom-build scaffolds a full screen — Entity, DAO, ViewModel, UI — in seconds."],
-  ["tip",  "Material 3 Expressive ships spring-based motion out of the box."],
-  ["tip",  "Run ./gradlew :composeApp:kspAndroidMain after every Room Entity change."],
-  ["tip",  "Koin multiplatform means one DI graph for Android, iOS, and Desktop."],
-  ["tip",  "bloom-navigate cleanly removes any feature you do not need."],
-  ["tip",  "AGP 9 brings predictive back gesture support by default."],
-  ["tip",  "commonMain code compiles to all targets — write once, ship everywhere."],
-  ["joke", "Why do Kotlin developers stay calm? They know how to handle exceptions."],
-  ["joke", "A null pointer walks into a bar. Bartender: we don't serve your type here."],
-  ["joke", "Why did the Android dev quit? Too many fragments."],
-  ["joke", "Kotlin: where semicolons go to retire."],
-  ["joke", "iOS dev asks what Gradle is. Android dev weeps softly."],
-  ["joke", "There are 10 types of developers: those who get binary and those who don't."],
-  ["joke", "A git push a day keeps the merge conflicts away. Usually."],
-  ["joke", "My code works. I have no idea why. Shipping it anyway."],
+  "tip      Room 3.1 auto-generates all your DAO queries at compile time.",
+  "tip      Navigation3 uses type-safe routes — no more string typos in nav graphs.",
+  "tip      Swap AI providers by changing one line in AppModule.kt.",
+  "tip      bloom-build helps you scaffold a full feature in seconds with Claude Code.",
+  "tip      Material 3 Expressive ships spring-based motion out of the box.",
+  "tip      Run ./gradlew :composeApp:kspAndroidMain after every Entity change.",
+  "tip      Koin multiplatform means one DI graph for Android, iOS, and Desktop.",
+  "tip      Use bloom-navigate to cleanly remove any feature you do not need.",
+  "tip      AGP 9 brings predictive back gesture support by default.",
+  "tip      commonMain code compiles to all targets — write once, ship everywhere.",
+  "joke     Why do Kotlin developers stay calm? Because they know how to handle exceptions.",
+  "joke     A null pointer walks into a bar. The bartender says: we don't serve your type here.",
+  "joke     Why did the Android developer quit? Too many fragments.",
+  "joke     Kotlin: where semicolons go to retire.",
+  "joke     iOS dev asks: what is Gradle? Android dev weeps softly.",
+  "joke     There are only 10 types of developers: those who understand binary and those who do not.",
+  "joke     A git push a day keeps the merge conflicts away. Usually.",
+  "joke     My code works. I have no idea why. Shipping it anyway.",
 ];
 
 let tipTimer = null;
+let tipIndex  = 0;
 
 function startTips() {
+  // Shuffle so order is different each install
   const msgs = [...MESSAGES].sort(() => Math.random() - 0.5);
-  let i = 0;
-  function next() {
-    const [kind, text] = msgs[i++ % msgs.length];
-    const label = kind === "joke" ? purple("joke") : cyan("tip ");
-    printRaw(`\r  ${label}  ${dim(text)}${" ".repeat(6)}`);
-    tipTimer = setTimeout(next, 3200);
+  tipIndex = 0;
+
+  function showNext() {
+    const msg  = msgs[tipIndex % msgs.length];
+    const kind = msg.startsWith("joke") ? purple("joke ") : cyan("tip  ");
+    const text = msg.replace(/^(tip|joke)\s+/, "");
+    process.stderr.write(`\r  ${kind}  ${dim(text)}${" ".repeat(10)}`);
+    tipIndex++;
+    tipTimer = setTimeout(showNext, 3000);
   }
-  next();
+
+  showNext();
 }
 
-function stopTips(line) {
+function stopTips(finalLine) {
   if (tipTimer) { clearTimeout(tipTimer); tipTimer = null; }
-  printRaw(`\r${line}${" ".repeat(40)}\n`);
+  process.stderr.write(`\r${finalLine}${" ".repeat(30)}\n`);
 }
 
-// ── helpers ───────────────────────────────────────────────────────────────────
-
-// Async wrapper for spawn — keeps event loop alive so timers fire during git ops
-function runAsync(cmd, args, opts = {}) {
-  return new Promise((resolve, reject) => {
-    const child = spawn(cmd, args, { stdio: "pipe", ...opts });
-    const stderr = [];
-    child.stderr && child.stderr.on("data", (d) => stderr.push(d));
-    child.on("close", (code) => resolve({ status: code, stderr: Buffer.concat(stderr) }));
-    child.on("error", reject);
-  });
-}
+// ── Header ───────────────────────────────────────────────────────────────────
 
-function isTrustedHost(urlString) {
-  try {
-    const { hostname } = new URL(urlString);
-    return TRUSTED_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
-  } catch { return false; }
-}
+process.stderr.write("" + "\n");
+process.stderr.write(bold("  Catylst KMP Project Generator") + "\n");
+process.stderr.write(dim("  ────────────────────────────────────────") + "\n");
+process.stderr.write("" + "\n");
 
-// ── 1. Check Java ─────────────────────────────────────────────────────────────
+// ── 1. Check Java ────────────────────────────────────────────────────────────
 
 function checkJava() {
   const result = spawnSync("java", ["-version"], { encoding: "utf8" });
   const output = result.stderr || result.stdout || "";
-  const match  = output.match(/version "(\d+)/);
+  const match = output.match(/version "(\d+)/);
   if (!match) {
-    print(yellow("  x  Java not found. Install JDK 17+ from https://adoptium.net"));
+    console.error(yellow("  ✗  Java not found. Install JDK 17+ from https://adoptium.net"));
     process.exit(1);
   }
   const major = parseInt(match[1], 10);
   if (major < 17) {
-    print(yellow(`  x  JDK 17+ required (found ${major}). https://adoptium.net`));
+    console.error(
+      yellow(`  ✗  JDK 17+ required (found ${major}). Install from https://adoptium.net`)
+    );
     process.exit(1);
   }
-  print(green(`  ok  Java ${major}`));
+  process.stderr.write(green(`  ✓  Java ${major}`) + "\n");
 }
 
-// ── 2. Clone / update template ────────────────────────────────────────────────
+// ── 2. Clone / update template ───────────────────────────────────────────────
 
-async function setupTemplate() {
+function setupTemplate() {
   fs.mkdirSync(CATYLST_DIR, { recursive: true });
 
-  if (fs.existsSync(path.join(TEMPLATE_DIR, ".git"))) {
+  const isGitRepo = fs.existsSync(path.join(TEMPLATE_DIR, ".git"));
+
+  if (isGitRepo) {
     startTips();
-    const r = await runAsync("git", ["pull", "--quiet", "--rebase"], { cwd: TEMPLATE_DIR });
-    stopTips(r.status === 0
-      ? green("  ok  Template updated")
-      : yellow("  !!  Could not update template (offline?). Using existing."));
+    const result = spawnSync("git", ["pull", "--quiet", "--rebase"], {
+      cwd: TEMPLATE_DIR,
+      stdio: "pipe",
+    });
+    if (result.status === 0) {
+      stopTips(green("  ✓  Template updated"));
+    } else {
+      stopTips(yellow("  ⚠  Could not update template (offline?). Using existing."));
+    }
   } else {
-    print(dim("  ..  Cloning template\n"));
+    process.stderr.write(dim("  ↓  Cloning template — hang tight...\n"));
     startTips();
     fs.rmSync(TEMPLATE_DIR, { recursive: true, force: true });
-    const r = await runAsync("git", ["clone", "--depth", "1", "--quiet", REPO_URL, TEMPLATE_DIR]);
-    if (r.status !== 0) {
+    const result = spawnSync(
+      "git",
+      ["clone", "--depth", "1", "--quiet", REPO_URL, TEMPLATE_DIR],
+      { stdio: "pipe" }
+    );
+    if (result.status !== 0) {
       stopTips("");
-      print(yellow("  x  Failed to clone. Is git installed?"));
-      print(dim("     " + r.stderr.toString().trim()));
+      const msg = result.stderr ? result.stderr.toString().trim() : "unknown error";
+      console.error(yellow("  ✗  Failed to clone template. Is git installed?"));
+      console.error(dim(`     ${msg}`));
       process.exit(1);
     }
-    stopTips(green("  ok  Template ready"));
+    stopTips(green("  ✓  Template ready"));
   }
 }
 
-// ── 3. Download JAR ───────────────────────────────────────────────────────────
+// ── 3. Download JAR ──────────────────────────────────────────────────────────
+
+function isTrustedHost(urlString) {
+  try {
+    const { hostname } = new URL(urlString);
+    return TRUSTED_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
+  } catch {
+    return false;
+  }
+}
 
 function downloadJar() {
-  const localJar = path.join(TEMPLATE_DIR, "cli-generator", "build", "libs", "cli-generator-1.0.0.jar");
+  // Dev mode — use local build if available
+  const localJar = path.join(
+    TEMPLATE_DIR,
+    "cli-generator",
+    "build",
+    "libs",
+    "cli-generator-1.0.0.jar"
+  );
   if (fs.existsSync(localJar)) {
     fs.copyFileSync(localJar, JAR_PATH);
-    print(green("  ok  Using local build"));
+    process.stderr.write(green("  ✓  Using local build") + "\n");
     return Promise.resolve();
   }
 
   return new Promise((resolve, reject) => {
-    print(dim("  ..  Downloading CLI\n"));
+    process.stderr.write(dim("  ↓  Downloading CLI — almost there...\n"));
     startTips();
+
+    // Write to a temp file first — atomic rename prevents race conditions
     const tmpPath = JAR_PATH + ".tmp." + process.pid;
 
-    function get(url, hops = 0) {
-      if (hops > 5) return reject(new Error("Too many redirects"));
-      if (!isTrustedHost(url)) return reject(new Error(`Blocked redirect to: ${url}`));
-
-      https.get(url, { headers: { "User-Agent": "catylst-npm-installer" } }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          const loc = res.headers.location;
-          if (!loc) return reject(new Error("Redirect missing Location header"));
-          return get(loc, hops + 1);
-        }
-        if (res.statusCode !== 200) return reject(new Error(`HTTP ${res.statusCode}`));
-
-        const file = fs.createWriteStream(tmpPath, { mode: 0o600 });
-        const hash = crypto.createHash("sha256");
-
-        res.on("data", (chunk) => hash.update(chunk));
-        res.pipe(file);
-
-        file.on("finish", () => {
-          file.close(() => {
-            try { fs.renameSync(tmpPath, JAR_PATH); }
-            catch (e) { fs.unlink(tmpPath, () => {}); return reject(e); }
-            stopTips(green("  ok  CLI ready"));
-            print(dim(`     sha256: ${hash.digest("hex")}`));
-            resolve();
+    function get(url, redirectCount = 0) {
+      if (redirectCount > 5) return reject(new Error("Too many redirects"));
+
+      // Validate redirect destination stays on trusted hosts
+      if (!isTrustedHost(url)) {
+        return reject(new Error(`Redirect to untrusted host blocked: ${url}`));
+      }
+
+      https
+        .get(url, { headers: { "User-Agent": "catylst-npm-installer" } }, (res) => {
+          if (res.statusCode === 301 || res.statusCode === 302) {
+            const location = res.headers.location;
+            if (!location) return reject(new Error("Redirect with no Location header"));
+            return get(location, redirectCount + 1);
+          }
+          if (res.statusCode !== 200) {
+            return reject(new Error(`HTTP ${res.statusCode}`));
+          }
+
+          // Stream to temp file with restricted permissions (owner read/write only)
+          const file = fs.createWriteStream(tmpPath, { mode: 0o600 });
+          const hash = crypto.createHash("sha256");
+
+          res.on("data", (chunk) => hash.update(chunk));
+          res.pipe(file);
+
+          file.on("finish", () => {
+            file.close(() => {
+              // Atomic rename — prevents TOCTOU race where another process
+              // could read a partially-written file
+              try {
+                fs.renameSync(tmpPath, JAR_PATH);
+              } catch (e) {
+                fs.unlinkSync(tmpPath);
+                return reject(e);
+              }
+
+              const digest = hash.digest("hex");
+              stopTips(green("  ✓  CLI ready"));
+              process.stderr.write(dim(`     SHA-256: ${digest}`) + "\n");
+              resolve();
+            });
           });
-        });
 
-        file.on("error", (e) => { stopTips(""); fs.unlink(tmpPath, () => {}); reject(e); });
-      }).on("error", (e) => { stopTips(""); fs.unlink(tmpPath, () => {}); reject(e); });
+          file.on("error", (err) => {
+            stopTips("");
+            fs.unlink(tmpPath, () => {});
+            reject(err);
+          });
+        })
+        .on("error", (err) => {
+          stopTips("");
+          fs.unlink(tmpPath, () => {});
+          reject(err);
+        });
     }
 
     get(JAR_URL);
@@ -202,21 +245,17 @@ function downloadJar() {
 // ── run ───────────────────────────────────────────────────────────────────────
 
 (async () => {
-  print("");
-  print(bold("  Catylst KMP Project Generator"));
-  print(dim("  ──────────────────────────────────────"));
-  print("");
-
   checkJava();
-  await setupTemplate();
+  setupTemplate();
   await downloadJar();
 
-  print("");
-  print(dim("  ──────────────────────────────────────"));
-  print("  " + green(bold("Done.")) + "  Start your project:");
-  print("");
-  print("  " + cyan("catylst --interactive"));
-  print("");
-  print("  " + dim("catylst --package com.example.app --name MyApp"));
-  print("");
+  process.stderr.write("" + "\n");
+  process.stderr.write(dim("  ────────────────────────────────────────") + "\n");
+  process.stderr.write("  " + green(bold("All done!")) + " Start your project:" + "\n");
+  process.stderr.write("" + "\n");
+  process.stderr.write("  " + cyan("catylst --interactive") + "\n");
+  process.stderr.write("" + "\n");
+  process.stderr.write("  " + dim("Or non-interactive:") + "\n");
+  process.stderr.write("  " + dim("catylst --package com.example.app --name MyApp") + "\n");
+  process.stderr.write("" + "\n");
 })();