claudekit-cli 1.3.0 → 1.4.0

package/.github/workflows/claude-code-review.yml

@@ -0,0 +1,57 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+
+            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+
+            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+

package/.github/workflows/claude.yml

@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
+

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [1.4.0](https://github.com/mrgoonie/claudekit-cli/compare/v1.3.0...v1.4.0) (2025-10-21)
+
+
+### Features
+
+* add --exclude flag to new and update commands ([8a0d7a0](https://github.com/mrgoonie/claudekit-cli/commit/8a0d7a00de70823d4fecac26d4c7e82c4df2ab0f))
+
 # [1.3.0](https://github.com/mrgoonie/claudekit-cli/compare/v1.2.2...v1.3.0) (2025-10-21)
 
 

package/README.md

@@ -79,6 +79,12 @@ ck new --dir my-project --kit engineer
 
 # Specific version
 ck new --kit engineer --version v1.0.0
+
+# With exclude patterns
+ck new --kit engineer --exclude "*.log" --exclude "temp/**"
+
+# Multiple patterns
+ck new --exclude "*.log" --exclude "*.tmp" --exclude "cache/**"
 ```
 
 ### Update Existing Project
@@ -94,6 +100,9 @@ ck update --kit engineer
 
 # Specific version
 ck update --kit engineer --version v1.0.0
+
+# With exclude patterns
+ck update --exclude "local-config/**" --exclude "*.local"
 ```
 
 ### List Available Versions
@@ -204,6 +213,95 @@ The following file patterns are protected and will not be overwritten during upd
 - `node_modules/**`, `.git/**`
 - `dist/**`, `build/**`
 
+## Excluding Files
+
+Use the `--exclude` flag to skip specific files or directories during download and extraction. This is useful for:
+
+- Excluding temporary or cache directories
+- Skipping log files or debug output
+- Omitting files you want to manage manually
+- Avoiding unnecessary large files
+
+### Basic Usage
+
+```bash
+# Exclude log files
+ck new --exclude "*.log"
+
+# Exclude multiple patterns
+ck new --exclude "*.log" --exclude "temp/**" --exclude "cache/**"
+
+# Common exclude patterns for updates
+ck update --exclude "node_modules/**" --exclude "dist/**" --exclude ".env.*"
+```
+
+### Supported Glob Patterns
+
+The `--exclude` flag accepts standard glob patterns:
+
+- `*` - Match any characters except `/` (e.g., `*.log` matches all log files)
+- `**` - Match any characters including `/` (e.g., `temp/**` matches all files in temp directory)
+- `?` - Match single character (e.g., `file?.txt` matches `file1.txt`, `file2.txt`)
+- `[abc]` - Match characters in brackets (e.g., `[Tt]emp` matches `Temp` or `temp`)
+- `{a,b}` - Match alternatives (e.g., `*.{log,tmp}` matches `*.log` and `*.tmp`)
+
+### Common Exclude Patterns
+
+```bash
+# Exclude all log files
+--exclude "*.log" --exclude "**/*.log"
+
+# Exclude temporary directories
+--exclude "tmp/**" --exclude "temp/**" --exclude ".tmp/**"
+
+# Exclude cache directories
+--exclude "cache/**" --exclude ".cache/**" --exclude "**/.cache/**"
+
+# Exclude build artifacts
+--exclude "dist/**" --exclude "build/**" --exclude "out/**"
+
+# Exclude local configuration
+--exclude "*.local" --exclude "local/**" --exclude ".env.local"
+
+# Exclude IDE/editor files
+--exclude ".vscode/**" --exclude ".idea/**" --exclude "*.swp"
+```
+
+### Important Notes
+
+**Additive Behavior:**
+- User exclude patterns are ADDED to the default protected patterns
+- They do not replace the built-in protections
+- All patterns work together to determine which files to skip
+
+**Security Restrictions:**
+- Absolute paths (starting with `/`) are not allowed
+- Path traversal patterns (containing `..`) are not allowed
+- Patterns must be between 1-500 characters
+- These restrictions prevent accidental or malicious file system access
+
+**Pattern Matching:**
+- Patterns are case-sensitive on Linux/macOS
+- Patterns are case-insensitive on Windows
+- Patterns are applied during both extraction and merge phases
+- Excluded files are never written to disk, saving time and space
+
+**Examples of Invalid Patterns:**
+
+```bash
+# ❌ Absolute paths not allowed
+ck new --exclude "/etc/passwd"
+
+# ❌ Path traversal not allowed
+ck new --exclude "../../secret"
+
+# ❌ Empty patterns not allowed
+ck new --exclude ""
+
+# ✅ Correct way to exclude root-level files
+ck new --exclude "secret.txt" --exclude "config.local.json"
+```
+
 ### Custom .claude Files
 
 When updating a project, the CLI automatically preserves your custom `.claude/` files that don't exist in the new release package. This allows you to maintain:

package/dist/index.js

@@ -6400,6 +6400,66 @@ class CAC extends EventEmitter {
   }
 }
 var cac = (name = "") => new CAC(name);
+// package.json
+var package_default = {
+  name: "claudekit-cli",
+  version: "1.3.0",
+  description: "CLI tool for bootstrapping and updating ClaudeKit projects",
+  type: "module",
+  bin: {
+    ck: "./dist/index.js"
+  },
+  scripts: {
+    dev: "bun run src/index.ts >> logs.txt 2>&1",
+    build: "bun build src/index.ts --outdir dist --target node --external keytar --external @octokit/rest >> logs.txt 2>&1",
+    compile: "bun build src/index.ts --compile --outfile ck >> logs.txt 2>&1",
+    test: "bun test >> logs.txt 2>&1",
+    "test:watch": "bun test --watch >> logs.txt 2>&1",
+    lint: "biome check . >> logs.txt 2>&1",
+    format: "biome format --write . >> logs.txt 2>&1",
+    typecheck: "tsc --noEmit >> logs.txt 2>&1"
+  },
+  keywords: [
+    "cli",
+    "claudekit",
+    "boilerplate",
+    "bootstrap",
+    "template"
+  ],
+  author: "ClaudeKit",
+  license: "MIT",
+  engines: {
+    bun: ">=1.0.0"
+  },
+  dependencies: {
+    "@clack/prompts": "^0.7.0",
+    "@octokit/rest": "^22.0.0",
+    cac: "^6.7.14",
+    "cli-progress": "^3.12.0",
+    "extract-zip": "^2.0.1",
+    "fs-extra": "^11.2.0",
+    ignore: "^5.3.2",
+    keytar: "^7.9.0",
+    ora: "^9.0.0",
+    picocolors: "^1.1.1",
+    tar: "^7.4.3",
+    tmp: "^0.2.3",
+    zod: "^3.23.8"
+  },
+  devDependencies: {
+    "@biomejs/biome": "^1.9.4",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/git": "^10.0.1",
+    "@types/bun": "latest",
+    "@types/cli-progress": "^3.11.6",
+    "@types/fs-extra": "^11.0.4",
+    "@types/node": "^22.10.1",
+    "@types/tar": "^6.1.13",
+    "@types/tmp": "^0.2.6",
+    "semantic-release": "^24.2.0",
+    typescript: "^5.7.2"
+  }
+};
 
 // src/commands/new.ts
 var import_fs_extra2 = __toESM(require_lib(), 1);
@@ -10922,16 +10982,19 @@ var coerce = {
 var NEVER = INVALID;
 // src/types.ts
 var KitType = exports_external.enum(["engineer", "marketing"]);
+var ExcludePatternSchema = exports_external.string().trim().min(1, "Exclude pattern cannot be empty").max(500, "Exclude pattern too long").refine((val) => !val.startsWith("/"), "Absolute paths not allowed in exclude patterns").refine((val) => !val.includes(".."), "Path traversal not allowed in exclude patterns");
 var NewCommandOptionsSchema = exports_external.object({
   dir: exports_external.string().default("."),
   kit: KitType.optional(),
   version: exports_external.string().optional(),
-  force: exports_external.boolean().default(false)
+  force: exports_external.boolean().default(false),
+  exclude: exports_external.array(ExcludePatternSchema).optional().default([])
 });
 var UpdateCommandOptionsSchema = exports_external.object({
   dir: exports_external.string().default("."),
   kit: KitType.optional(),
-  version: exports_external.string().optional()
+  version: exports_external.string().optional(),
+  exclude: exports_external.array(ExcludePatternSchema).optional().default([])
 });
 var VersionCommandOptionsSchema = exports_external.object({
   kit: KitType.optional(),
@@ -21213,9 +21276,21 @@ class DownloadManager {
     "*.log"
   ];
   totalExtractedSize = 0;
+  ig;
+  userExcludePatterns = [];
+  constructor() {
+    this.ig = import_ignore.default().add(DownloadManager.EXCLUDE_PATTERNS);
+  }
+  setExcludePatterns(patterns) {
+    this.userExcludePatterns = patterns;
+    this.ig = import_ignore.default().add([...DownloadManager.EXCLUDE_PATTERNS, ...this.userExcludePatterns]);
+    if (patterns.length > 0) {
+      logger.info(`Added ${patterns.length} custom exclude pattern(s)`);
+      patterns.forEach((p) => logger.debug(`  - ${p}`));
+    }
+  }
   shouldExclude(filePath) {
-    const ig = import_ignore.default().add(DownloadManager.EXCLUDE_PATTERNS);
-    return ig.ignores(filePath);
+    return this.ig.ignores(filePath);
   }
   isPathSafe(basePath, targetPath) {
     const resolvedBase = resolve(basePath);
@@ -21950,6 +22025,9 @@ async function newCommand(options) {
     logger.info(`Download source: ${downloadInfo.type}`);
     logger.debug(`Download URL: ${downloadInfo.url}`);
     const downloadManager = new DownloadManager;
+    if (validOptions.exclude && validOptions.exclude.length > 0) {
+      downloadManager.setExcludePatterns(validOptions.exclude);
+    }
     const tempDir = await downloadManager.createTempDir();
     const { token } = await AuthManager.getToken();
     let archivePath;
@@ -21985,6 +22063,9 @@ async function newCommand(options) {
     await downloadManager.extractArchive(archivePath, extractDir);
     await downloadManager.validateExtraction(extractDir);
     const merger = new FileMerger;
+    if (validOptions.exclude && validOptions.exclude.length > 0) {
+      merger.addIgnorePatterns(validOptions.exclude);
+    }
     await merger.merge(extractDir, resolvedDir, true);
     prompts.outro(`✨ Project created successfully at ${resolvedDir}`);
     prompts.note(`cd ${targetDir !== "." ? targetDir : "into the directory"}
@@ -22107,6 +22188,9 @@ async function updateCommand(options) {
     logger.info(`Download source: ${downloadInfo.type}`);
     logger.debug(`Download URL: ${downloadInfo.url}`);
     const downloadManager = new DownloadManager;
+    if (validOptions.exclude && validOptions.exclude.length > 0) {
+      downloadManager.setExcludePatterns(validOptions.exclude);
+    }
     const tempDir = await downloadManager.createTempDir();
     const { token } = await AuthManager.getToken();
     let archivePath;
@@ -22148,6 +22232,9 @@ async function updateCommand(options) {
       merger.addIgnorePatterns(customClaudeFiles);
       logger.success(`Protected ${customClaudeFiles.length} custom .claude file(s)`);
     }
+    if (validOptions.exclude && validOptions.exclude.length > 0) {
+      merger.addIgnorePatterns(validOptions.exclude);
+    }
     await merger.merge(extractDir, resolvedDir, false);
     prompts.outro(`✨ Project updated successfully at ${resolvedDir}`);
     const protectedNote = customClaudeFiles.length > 0 ? `Your project has been updated with the latest version.
@@ -22354,10 +22441,6 @@ class Logger2 {
   }
 }
 var logger2 = new Logger2;
-// src/version.json
-var version_default = {
-  version: "1.2.1"
-};
 
 // src/index.ts
 if (process.stdout.setEncoding) {
@@ -22366,14 +22449,20 @@ if (process.stdout.setEncoding) {
 if (process.stderr.setEncoding) {
   process.stderr.setEncoding("utf8");
 }
-var packageVersion = version_default.version;
+var packageVersion = package_default.version;
 var cli = cac("ck");
 cli.option("--verbose, -v", "Enable verbose logging for debugging");
 cli.option("--log-file <path>", "Write logs to file");
-cli.command("new", "Bootstrap a new ClaudeKit project").option("--dir <dir>", "Target directory (default: .)").option("--kit <kit>", "Kit to use (engineer, marketing)").option("--version <version>", "Specific version to download (default: latest)").option("--force", "Overwrite existing files without confirmation").action(async (options) => {
+cli.command("new", "Bootstrap a new ClaudeKit project").option("--dir <dir>", "Target directory (default: .)").option("--kit <kit>", "Kit to use (engineer, marketing)").option("--version <version>", "Specific version to download (default: latest)").option("--force", "Overwrite existing files without confirmation").option("--exclude <pattern>", "Exclude files matching glob pattern (can be used multiple times)").action(async (options) => {
+  if (options.exclude && !Array.isArray(options.exclude)) {
+    options.exclude = [options.exclude];
+  }
   await newCommand(options);
 });
-cli.command("update", "Update existing ClaudeKit project").option("--dir <dir>", "Target directory (default: .)").option("--kit <kit>", "Kit to use (engineer, marketing)").option("--version <version>", "Specific version to download (default: latest)").action(async (options) => {
+cli.command("update", "Update existing ClaudeKit project").option("--dir <dir>", "Target directory (default: .)").option("--kit <kit>", "Kit to use (engineer, marketing)").option("--version <version>", "Specific version to download (default: latest)").option("--exclude <pattern>", "Exclude files matching glob pattern (can be used multiple times)").action(async (options) => {
+  if (options.exclude && !Array.isArray(options.exclude)) {
+    options.exclude = [options.exclude];
+  }
   await updateCommand(options);
 });
 cli.command("versions", "List available versions of ClaudeKit repositories").option("--kit <kit>", "Filter by specific kit (engineer, marketing)").option("--limit <limit>", "Number of releases to show (default: 30)").option("--all", "Show all releases including prereleases").action(async (options) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "claudekit-cli",
-	"version": "1.3.0",
+	"version": "1.4.0",
 	"description": "CLI tool for bootstrapping and updating ClaudeKit projects",
 	"type": "module",
 	"bin": {

package/src/commands/new.ts

@@ -110,6 +110,12 @@ export async function newCommand(options: NewCommandOptions): Promise<void> {
 
 		// Download asset
 		const downloadManager = new DownloadManager();
+
+		// Apply user exclude patterns if provided
+		if (validOptions.exclude && validOptions.exclude.length > 0) {
+			downloadManager.setExcludePatterns(validOptions.exclude);
+		}
+
 		const tempDir = await downloadManager.createTempDir();
 
 		// Get authentication token for API requests
@@ -157,6 +163,12 @@ export async function newCommand(options: NewCommandOptions): Promise<void> {
 
 		// Copy files to target directory
 		const merger = new FileMerger();
+
+		// Apply user exclude patterns if provided
+		if (validOptions.exclude && validOptions.exclude.length > 0) {
+			merger.addIgnorePatterns(validOptions.exclude);
+		}
+
 		await merger.merge(extractDir, resolvedDir, true); // Skip confirmation for new projects
 
 		prompts.outro(`✨ Project created successfully at ${resolvedDir}`);

package/src/commands/update.ts

@@ -83,6 +83,12 @@ export async function updateCommand(options: UpdateCommandOptions): Promise<void
 
 		// Download asset
 		const downloadManager = new DownloadManager();
+
+		// Apply user exclude patterns if provided
+		if (validOptions.exclude && validOptions.exclude.length > 0) {
+			downloadManager.setExcludePatterns(validOptions.exclude);
+		}
+
 		const tempDir = await downloadManager.createTempDir();
 
 		// Get authentication token for API requests
@@ -141,6 +147,11 @@ export async function updateCommand(options: UpdateCommandOptions): Promise<void
 			logger.success(`Protected ${customClaudeFiles.length} custom .claude file(s)`);
 		}
 
+		// Apply user exclude patterns if provided
+		if (validOptions.exclude && validOptions.exclude.length > 0) {
+			merger.addIgnorePatterns(validOptions.exclude);
+		}
+
 		await merger.merge(extractDir, resolvedDir, false); // Show confirmation for updates
 
 		prompts.outro(`✨ Project updated successfully at ${resolvedDir}`);

package/src/index.ts

@@ -1,11 +1,11 @@
 #!/usr/bin/env bun
 
 import { cac } from "cac";
+import packageInfo from "../package.json" assert { type: "json" };
 import { newCommand } from "./commands/new.js";
 import { updateCommand } from "./commands/update.js";
 import { versionCommand } from "./commands/version.js";
 import { logger } from "./utils/logger.js";
-import versionInfo from "./version.json" assert { type: "json" };
 
 // Set proper output encoding to prevent unicode rendering issues
 if (process.stdout.setEncoding) {
@@ -15,7 +15,7 @@ if (process.stderr.setEncoding) {
 	process.stderr.setEncoding("utf8");
 }
 
-const packageVersion = versionInfo.version;
+const packageVersion = packageInfo.version;
 
 const cli = cac("ck");
 
@@ -30,7 +30,12 @@ cli
 	.option("--kit <kit>", "Kit to use (engineer, marketing)")
 	.option("--version <version>", "Specific version to download (default: latest)")
 	.option("--force", "Overwrite existing files without confirmation")
+	.option("--exclude <pattern>", "Exclude files matching glob pattern (can be used multiple times)")
 	.action(async (options) => {
+		// Normalize exclude to always be an array (CAC may pass string for single value)
+		if (options.exclude && !Array.isArray(options.exclude)) {
+			options.exclude = [options.exclude];
+		}
 		await newCommand(options);
 	});
 
@@ -40,7 +45,12 @@ cli
 	.option("--dir <dir>", "Target directory (default: .)")
 	.option("--kit <kit>", "Kit to use (engineer, marketing)")
 	.option("--version <version>", "Specific version to download (default: latest)")
+	.option("--exclude <pattern>", "Exclude files matching glob pattern (can be used multiple times)")
 	.action(async (options) => {
+		// Normalize exclude to always be an array (CAC may pass string for single value)
+		if (options.exclude && !Array.isArray(options.exclude)) {
+			options.exclude = [options.exclude];
+		}
 		await updateCommand(options);
 	});
 

package/src/lib/download.ts

@@ -41,12 +41,45 @@ export class DownloadManager {
 	 */
 	private totalExtractedSize = 0;
 
+	/**
+	 * Instance-level ignore object with combined default and user patterns
+	 */
+	private ig: ReturnType<typeof ignore>;
+
+	/**
+	 * Store user-defined exclude patterns
+	 */
+	private userExcludePatterns: string[] = [];
+
+	/**
+	 * Initialize DownloadManager with default exclude patterns
+	 */
+	constructor() {
+		// Initialize ignore with default patterns
+		this.ig = ignore().add(DownloadManager.EXCLUDE_PATTERNS);
+	}
+
+	/**
+	 * Set additional user-defined exclude patterns
+	 * These are added to (not replace) the default EXCLUDE_PATTERNS
+	 */
+	setExcludePatterns(patterns: string[]): void {
+		this.userExcludePatterns = patterns;
+		// Reinitialize ignore with both default and user patterns
+		this.ig = ignore().add([...DownloadManager.EXCLUDE_PATTERNS, ...this.userExcludePatterns]);
+
+		if (patterns.length > 0) {
+			logger.info(`Added ${patterns.length} custom exclude pattern(s)`);
+			patterns.forEach((p) => logger.debug(`  - ${p}`));
+		}
+	}
+
 	/**
 	 * Check if file path should be excluded
+	 * Uses instance-level ignore with both default and user patterns
 	 */
 	private shouldExclude(filePath: string): boolean {
-		const ig = ignore().add(DownloadManager.EXCLUDE_PATTERNS);
-		return ig.ignores(filePath);
+		return this.ig.ignores(filePath);
 	}
 
 	/**

package/src/types.ts

@@ -4,12 +4,22 @@ import { z } from "zod";
 export const KitType = z.enum(["engineer", "marketing"]);
 export type KitType = z.infer<typeof KitType>;
 
+// Exclude pattern validation schema
+export const ExcludePatternSchema = z
+	.string()
+	.trim()
+	.min(1, "Exclude pattern cannot be empty")
+	.max(500, "Exclude pattern too long")
+	.refine((val) => !val.startsWith("/"), "Absolute paths not allowed in exclude patterns")
+	.refine((val) => !val.includes(".."), "Path traversal not allowed in exclude patterns");
+
 // Command options schemas
 export const NewCommandOptionsSchema = z.object({
 	dir: z.string().default("."),
 	kit: KitType.optional(),
 	version: z.string().optional(),
 	force: z.boolean().default(false),
+	exclude: z.array(ExcludePatternSchema).optional().default([]),
 });
 export type NewCommandOptions = z.infer<typeof NewCommandOptionsSchema>;
 
@@ -17,6 +27,7 @@ export const UpdateCommandOptionsSchema = z.object({
 	dir: z.string().default("."),
 	kit: KitType.optional(),
 	version: z.string().optional(),
+	exclude: z.array(ExcludePatternSchema).optional().default([]),
 });
 export type UpdateCommandOptions = z.infer<typeof UpdateCommandOptionsSchema>;
 

package/tests/types.test.ts

@@ -5,6 +5,7 @@ import {
 	ClaudeKitError,
 	ConfigSchema,
 	DownloadError,
+	ExcludePatternSchema,
 	ExtractionError,
 	GitHubError,
 	GitHubReleaseAssetSchema,
@@ -29,6 +30,44 @@ describe("Types and Schemas", () => {
 		});
 	});
 
+	describe("ExcludePatternSchema", () => {
+		test("should accept valid glob patterns", () => {
+			const validPatterns = ["*.log", "**/*.tmp", "temp/**", "logs/*.txt", "cache/**/*"];
+			validPatterns.forEach((pattern) => {
+				expect(() => ExcludePatternSchema.parse(pattern)).not.toThrow();
+			});
+		});
+
+		test("should reject absolute paths", () => {
+			expect(() => ExcludePatternSchema.parse("/etc/passwd")).toThrow("Absolute paths not allowed");
+			expect(() => ExcludePatternSchema.parse("/var/log/**")).toThrow("Absolute paths not allowed");
+		});
+
+		test("should reject path traversal", () => {
+			expect(() => ExcludePatternSchema.parse("../../etc/passwd")).toThrow(
+				"Path traversal not allowed",
+			);
+			expect(() => ExcludePatternSchema.parse("../../../secret")).toThrow(
+				"Path traversal not allowed",
+			);
+		});
+
+		test("should reject empty patterns", () => {
+			expect(() => ExcludePatternSchema.parse("")).toThrow("Exclude pattern cannot be empty");
+			expect(() => ExcludePatternSchema.parse("   ")).toThrow("Exclude pattern cannot be empty");
+		});
+
+		test("should reject overly long patterns", () => {
+			const longPattern = "a".repeat(501);
+			expect(() => ExcludePatternSchema.parse(longPattern)).toThrow("Exclude pattern too long");
+		});
+
+		test("should trim whitespace", () => {
+			const result = ExcludePatternSchema.parse("  *.log  ");
+			expect(result).toBe("*.log");
+		});
+	});
+
 	describe("NewCommandOptionsSchema", () => {
 		test("should validate correct options", () => {
 			const result = NewCommandOptionsSchema.parse({
@@ -46,6 +85,7 @@ describe("Types and Schemas", () => {
 			expect(result.dir).toBe(".");
 			expect(result.kit).toBeUndefined();
 			expect(result.version).toBeUndefined();
+			expect(result.exclude).toEqual([]);
 		});
 
 		test("should accept optional fields", () => {
@@ -53,6 +93,23 @@ describe("Types and Schemas", () => {
 			expect(result.dir).toBe("./custom");
 			expect(result.kit).toBeUndefined();
 		});
+
+		test("should validate exclude patterns", () => {
+			const result = NewCommandOptionsSchema.parse({
+				dir: "./test",
+				exclude: ["*.log", "temp/**"],
+			});
+			expect(result.exclude).toEqual(["*.log", "temp/**"]);
+		});
+
+		test("should reject invalid exclude patterns", () => {
+			expect(() =>
+				NewCommandOptionsSchema.parse({
+					dir: "./test",
+					exclude: ["/etc/passwd"],
+				}),
+			).toThrow();
+		});
 	});
 
 	describe("UpdateCommandOptionsSchema", () => {
@@ -70,6 +127,24 @@ describe("Types and Schemas", () => {
 		test("should use default values", () => {
 			const result = UpdateCommandOptionsSchema.parse({});
 			expect(result.dir).toBe(".");
+			expect(result.exclude).toEqual([]);
+		});
+
+		test("should validate exclude patterns", () => {
+			const result = UpdateCommandOptionsSchema.parse({
+				dir: "./test",
+				exclude: ["*.log", "**/*.tmp"],
+			});
+			expect(result.exclude).toEqual(["*.log", "**/*.tmp"]);
+		});
+
+		test("should reject invalid exclude patterns", () => {
+			expect(() =>
+				UpdateCommandOptionsSchema.parse({
+					dir: "./test",
+					exclude: ["../../../etc"],
+				}),
+			).toThrow();
 		});
 	});