commitshow 0.1.0

package/README.md

@@ -0,0 +1,129 @@
+# commitshow
+
+> Audit any vibe-coded project from your terminal.
+
+`commitshow` pulls the latest [commit.show](https://commit.show) audit report for
+a project and renders it inline — Audit / Scout / Community scores, 3 strengths
++ 2 concerns, current season rank, delta since the last snapshot. Local runs
+also save a `.commitshow/audit.md` file so your AI coding agent can read the
+report in the next turn and iterate.
+
+```bash
+npx commitshow audit
+# or audit any public project by URL — no cd required
+npx commitshow audit github.com/owner/repo
+```
+
+## Install
+
+```bash
+# one-shot
+npx commitshow audit <target>
+
+# or global
+npm i -g commitshow
+commitshow audit <target>
+```
+
+Node 20+.
+
+## Usage
+
+| Command | What it does |
+|---|---|
+| `commitshow audit [target]` | Fetch + render the latest audit, write `.commitshow/audit.md` in local mode |
+| `commitshow status [target]` | Same render, no re-run |
+| `commitshow submit [target]` | Audition a project (coming soon · needs login) |
+| `commitshow install <pack>` | Install a Library artifact (coming soon) |
+| `commitshow login` | Device-flow sign-in (coming soon) |
+| `commitshow whoami` | Print the linked account |
+
+### Target forms
+
+`audit` and `status` accept a positional target that auto-detects:
+
+| Form | Example |
+|---|---|
+| cwd (omitted) | `commitshow audit` · infers from `git remote get-url origin` |
+| Local path | `commitshow audit ./my-repo` |
+| Remote URL | `commitshow audit github.com/owner/repo` · `commitshow audit https://github.com/owner/repo` |
+| SSH remote | `commitshow audit git@github.com:owner/repo.git` (auto-converted) |
+| Shorthand | `commitshow audit owner/repo` |
+
+Remote-URL mode works from any directory, which makes one-line X posts
+(`npx commitshow audit <their-url>`) trivial.
+
+## The AI-coding loop
+
+`commitshow audit` in local mode writes to `.commitshow/audit.md` **and**
+`.commitshow/audit.json` after every run. Point your coding agent at them
+and it picks up exactly what the audit flagged, with no prompt engineering:
+
+```
+You are pairing on <repo>. Read .commitshow/audit.md before each turn.
+Pick the top concern and propose a minimal change; I'll run
+`commitshow audit` again to check the delta.
+```
+
+## For agents: `--json`
+
+`commitshow` is built on a simple idea — **CLI + stable JSON is the universal
+contract** between agent ecosystems. No SDK, no MCP server, no vendor lock.
+Any agent that can shell out to a subprocess can use commit.show.
+
+```bash
+# Human
+commitshow audit github.com/owner/repo
+
+# Agent
+commitshow audit github.com/owner/repo --json | jq '.concerns[].bullet'
+```
+
+### Example agent workflow
+
+> "Check my commit.show score and fix anything under 80."
+
+```
+score=$(commitshow audit --json | jq '.score.total')
+if [ "$score" -lt 80 ]; then
+  commitshow audit --json | jq -r '.concerns[0].bullet'
+  # → agent reads this concern, picks a fix, applies edits, re-audits
+fi
+```
+
+### JSON shape (v1 schema)
+
+Stable by contract — additive fields don't bump `schema_version`; breaking
+changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
+`snapshot`. See `commitshow audit --json` output for the canonical example.
+
+### Works with
+
+- **Claude Code**, **Cursor**, **Windsurf** — any agent with shell access
+- **GitHub Actions** — gate PRs on score band or axis scores
+- **n8n / Zapier** — trigger workflows when scores move
+- **AutoGPT / crewAI / LangChain** — subprocess tool node
+- **Your own script** — 10 lines of bash + jq is the whole integration
+
+## What's in the report
+
+- **Score** · total out of 100, colored by threshold (teal ≥ 75 · gold 50–74 · scarlet < 50)
+- **3-axis bars** · Audit / Scout / Community
+- **3 strengths + 2 concerns** · asymmetric by design — concerns don't dominate
+- **Rank + projected tier** · where you stand in the current season
+- **Δ** · movement since the parent snapshot
+
+## Roadmap
+
+- `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
+- `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
+- `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
+- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly · §15-C.6)
+
+## Links
+
+- Home: <https://commit.show>
+- Source: <https://github.com/hans1329/vibe/tree/main/packages/cli>
+- Issues: <https://github.com/hans1329/vibe/issues>
+
+MIT © 2026 commit.show

package/bin/commitshow.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+import('../dist/index.js').then(m => m.main(process.argv.slice(2))).catch(err => {
+  console.error(err?.message ?? err)
+  process.exit(1)
+})

package/dist/commands/audit.js

@@ -0,0 +1,115 @@
+import { resolveTarget, TargetError } from '../lib/target.js';
+import { findProjectByGithubUrl, fetchLatestSnapshot, fetchStanding, runPreviewAudit, waitForPreviewSnapshot, } from '../lib/api.js';
+import { renderAudit, renderMarkdown, renderJson, renderUpsell, writeAuditMarkdown, writeAuditJson, } from '../lib/render.js';
+import { c } from '../lib/colors.js';
+export async function audit(args) {
+    const asJson = args.includes('--json');
+    const positional = args.find(a => !a.startsWith('--'));
+    let target;
+    try {
+        target = resolveTarget(positional);
+    }
+    catch (err) {
+        if (err instanceof TargetError) {
+            emitError(asJson, 'bad_target', err.message, positional);
+            return 2;
+        }
+        throw err;
+    }
+    if (!asJson)
+        console.log(c.dim(`Auditing ${target.slug}…`));
+    // 1. Try cached/registered flow first — avoid re-running Claude if we
+    // already have the snapshot. Covers all full-audition projects.
+    const project = await findProjectByGithubUrl(target.github_url);
+    if (project) {
+        const [snapshot, standing] = await Promise.all([
+            fetchLatestSnapshot(project.id),
+            fetchStanding(project.id),
+        ]);
+        const view = { project, snapshot, standing };
+        if (asJson) {
+            process.stdout.write(renderJson(view) + '\n');
+        }
+        else {
+            console.log('');
+            console.log(renderAudit(view));
+            if (project.status === 'preview') {
+                console.log('');
+                console.log(renderUpsell());
+            }
+            console.log('');
+        }
+        if (target.kind === 'local') {
+            const mdPath = writeAuditMarkdown(target.localPath, renderMarkdown(view));
+            const jsonPath = writeAuditJson(target.localPath, renderJson(view));
+            if (!asJson) {
+                if (mdPath)
+                    console.log(c.dim(`  Saved → ${mdPath}`));
+                if (jsonPath)
+                    console.log(c.dim(`  Saved → ${jsonPath}`));
+            }
+        }
+        return 0;
+    }
+    // 2. Unregistered repo — kick off a preview audit. Full Claude depth,
+    // no season entry. Rate-limited server-side.
+    if (!asJson)
+        console.log(c.dim('First time on commit.show for this repo — running a preview audit…'));
+    const result = await runPreviewAudit(target.github_url);
+    // Error envelope
+    if ('error' in result) {
+        const err = result;
+        if (err.error === 'rate_limited') {
+            emitError(asJson, 'rate_limited', err.message ?? 'Rate limit hit. Try again tomorrow or sign in.', target.github_url);
+            return 1;
+        }
+        emitError(asJson, err.error, err.message ?? 'Preview audit failed.', target.github_url);
+        return 1;
+    }
+    // Background job — poll until the snapshot lands.
+    let envelope;
+    if ('status' in result && result.status === 'running') {
+        const pending = result;
+        if (!asJson)
+            console.log(c.dim('  This runs the full Claude audit · ~60-90 seconds. Hang tight.'));
+        const waited = await waitForPreviewSnapshot(pending.project_id);
+        if (!waited) {
+            emitError(asJson, 'timeout', 'Preview audit is taking longer than expected. Try `commitshow status <repo>` in a minute.', target.github_url);
+            return 1;
+        }
+        envelope = waited;
+    }
+    else {
+        envelope = result;
+    }
+    const view = { project: envelope.project, snapshot: envelope.snapshot, standing: null };
+    if (asJson) {
+        process.stdout.write(renderJson(view) + '\n');
+    }
+    else {
+        console.log('');
+        console.log(renderAudit(view));
+        console.log('');
+        console.log(renderUpsell());
+        console.log('');
+    }
+    if (target.kind === 'local') {
+        const mdPath = writeAuditMarkdown(target.localPath, renderMarkdown(view));
+        const jsonPath = writeAuditJson(target.localPath, renderJson(view));
+        if (!asJson) {
+            if (mdPath)
+                console.log(c.dim(`  Saved → ${mdPath}`));
+            if (jsonPath)
+                console.log(c.dim(`  Saved → ${jsonPath}`));
+        }
+    }
+    return 0;
+}
+function emitError(asJson, code, message, target) {
+    if (asJson) {
+        process.stdout.write(JSON.stringify({ error: code, message, target: target ?? null }) + '\n');
+    }
+    else {
+        console.error(c.scarlet(message));
+    }
+}

package/dist/commands/install.js

@@ -0,0 +1,11 @@
+import { c } from '../lib/colors.js';
+export async function install(_args) {
+    console.log('');
+    console.log(c.cream('Install is not yet available in CLI 0.1.'));
+    console.log('');
+    console.log(c.muted('  `commitshow install <pack>` will write MCP / IDE rule files directly into'));
+    console.log(c.muted('  the cwd. Requires login + GitHub OAuth for Apply-to-my-repo PRs.'));
+    console.log('');
+    console.log(c.dim('  Use Apply-to-my-repo on the web → https://commit.show/library'));
+    return 1;
+}

package/dist/commands/login.js

@@ -0,0 +1,16 @@
+// Device flow placeholder. Needs the /cli/link web page + token-exchange
+// Edge Function on the server side (V1 backend work · see CLAUDE.md §15-C.4
+// rollout). Until that lands, we fail fast with a clear message so the user
+// knows their audit/status commands still work read-only.
+import { c } from '../lib/colors.js';
+export async function login(_args) {
+    console.log('');
+    console.log(c.cream('Login is not yet available in 0.1.'));
+    console.log('');
+    console.log(c.muted('  Read-only commands (audit, status, whoami) already work against public data.'));
+    console.log(c.muted('  Write commands (submit, re-audit, install) unlock once the device-flow'));
+    console.log(c.muted('  endpoint ships — tracked as a V1 item in the roadmap.'));
+    console.log('');
+    console.log(c.dim('  Sign in on the web for now → https://commit.show'));
+    return 1;
+}

package/dist/commands/status.js

@@ -0,0 +1,48 @@
+// Same render as `audit`, but never re-runs analysis — just reads the latest
+// cached snapshot. Cheap · offline-ish · safe to poll. Honors --json the
+// same way audit does.
+import { resolveTarget, TargetError } from '../lib/target.js';
+import { findProjectByGithubUrl, fetchLatestSnapshot, fetchStanding } from '../lib/api.js';
+import { renderAudit, renderJson } from '../lib/render.js';
+import { c } from '../lib/colors.js';
+export async function status(args) {
+    const asJson = args.includes('--json');
+    const positional = args.find(a => !a.startsWith('--'));
+    let target;
+    try {
+        target = resolveTarget(positional);
+    }
+    catch (err) {
+        if (err instanceof TargetError) {
+            emitError(asJson, 'bad_target', err.message, positional);
+            return 2;
+        }
+        throw err;
+    }
+    const project = await findProjectByGithubUrl(target.github_url);
+    if (!project) {
+        emitError(asJson, 'not_found', `No audition yet for ${target.slug}.`, target.github_url);
+        return 1;
+    }
+    const [snapshot, standing] = await Promise.all([
+        fetchLatestSnapshot(project.id),
+        fetchStanding(project.id),
+    ]);
+    const view = { project, snapshot, standing };
+    if (asJson) {
+        process.stdout.write(renderJson(view) + '\n');
+    }
+    else {
+        console.log('');
+        console.log(renderAudit(view));
+    }
+    return 0;
+}
+function emitError(asJson, code, message, target) {
+    if (asJson) {
+        process.stdout.write(JSON.stringify({ error: code, message, target: target ?? null }) + '\n');
+    }
+    else {
+        console.error(c.scarlet(message));
+    }
+}

package/dist/commands/submit.js

@@ -0,0 +1,11 @@
+import { c } from '../lib/colors.js';
+export async function submit(_args) {
+    console.log('');
+    console.log(c.cream('Submit is not yet available in CLI 0.1.'));
+    console.log('');
+    console.log(c.muted('  Core Intent + screenshots + Brief upload needs login,'));
+    console.log(c.muted('  which ships alongside the device-flow endpoint.'));
+    console.log('');
+    console.log(c.dim('  Submit on the web for now → https://commit.show/submit'));
+    return 1;
+}

package/dist/commands/whoami.js

@@ -0,0 +1,14 @@
+import { readConfig } from '../lib/config.js';
+import { c } from '../lib/colors.js';
+export async function whoami(_args) {
+    const cfg = readConfig();
+    if (!cfg.token || !cfg.display_name) {
+        console.log(c.muted('Not signed in.'));
+        console.log(c.dim('  Read-only commands still work. Login coming in the next CLI release.'));
+        return 1;
+    }
+    console.log(c.cream(cfg.display_name));
+    if (cfg.member_id)
+        console.log(c.muted(`  ${cfg.member_id}`));
+    return 0;
+}

package/dist/index.js

@@ -0,0 +1,86 @@
+import { audit } from './commands/audit.js';
+import { submit } from './commands/submit.js';
+import { install } from './commands/install.js';
+import { status } from './commands/status.js';
+import { login } from './commands/login.js';
+import { whoami } from './commands/whoami.js';
+import { c } from './lib/colors.js';
+const VERSION = '0.1.0';
+const USAGE = `
+${c.bold(c.gold('commitshow'))} ${c.dim(`v${VERSION}`)}  ${c.muted('—')} ${c.cream('audit any vibe-coded project from your terminal.')}
+
+${c.muted('USAGE')}
+  ${c.cream('commitshow')} ${c.gold('<command>')} [target] [flags]
+
+${c.muted('COMMANDS')}
+  ${c.gold('audit')}    [target]    run audit and render the report
+  ${c.gold('status')}   [target]    latest score, no re-run
+  ${c.gold('submit')}   [target]    audition a project (requires login · coming soon)
+  ${c.gold('install')}  <pack>      install a library artifact (coming soon)
+  ${c.gold('login')}                device-flow sign-in (coming soon)
+  ${c.gold('whoami')}                who am I signed in as
+
+${c.muted('FLAGS')}
+  ${c.gold('--json')}     stable machine-readable output (for agents · CI · jq pipes)
+
+${c.muted('TARGET FORMS')}  ${c.dim('(default: cwd)')}
+  ${c.cream('commitshow audit')}                          ${c.dim('# cwd · git remote origin')}
+  ${c.cream('commitshow audit ./my-repo')}                ${c.dim('# local path')}
+  ${c.cream('commitshow audit github.com/owner/repo')}    ${c.dim('# remote shorthand')}
+  ${c.cream('commitshow audit https://github.com/o/r')}   ${c.dim('# full URL')}
+  ${c.cream('commitshow audit owner/repo')}               ${c.dim('# last-ditch shorthand')}
+
+${c.muted('FOR AGENTS')}
+  ${c.cream('commitshow audit github.com/owner/repo --json | jq .concerns')}
+  ${c.dim(' → agent reads concerns, picks a fix target, applies edits, re-audits')}
+
+${c.muted('LEARN MORE')}
+  https://commit.show
+`;
+export async function main(argv) {
+    const [cmd, ...rest] = argv;
+    let code = 0;
+    try {
+        switch (cmd) {
+            case 'audit':
+                code = await audit(rest);
+                break;
+            case 'status':
+                code = await status(rest);
+                break;
+            case 'submit':
+                code = await submit(rest);
+                break;
+            case 'install':
+                code = await install(rest);
+                break;
+            case 'login':
+                code = await login(rest);
+                break;
+            case 'whoami':
+                code = await whoami(rest);
+                break;
+            case '-v':
+            case '--version':
+                console.log(VERSION);
+                code = 0;
+                break;
+            case undefined:
+            case '-h':
+            case '--help':
+                console.log(USAGE);
+                code = 0;
+                break;
+            default:
+                console.error(c.scarlet(`Unknown command: ${cmd}`));
+                console.error(USAGE);
+                code = 2;
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(c.scarlet(`\n  ${msg}`));
+        code = 1;
+    }
+    process.exit(code);
+}

package/dist/lib/api.js

@@ -0,0 +1,111 @@
+// Minimal Supabase REST client — no SDK, no dependencies.
+//
+// Design choice (CLAUDE.md §15-C.4): ship as a thin fetch wrapper to stay
+// under the 1 MB bundle budget. We only hit PostgREST + Edge Functions, so
+// the full @supabase/supabase-js isn't worth the weight.
+//
+// Anon-key access is enough for V0.1:
+//   · projects (public read)
+//   · analysis_snapshots (public read)
+//   · season_standings view (public read)
+// Write paths (submit / link / install with PR) require a member JWT and
+// will be enabled when the device-flow endpoint lands.
+import { readConfig } from './config.js';
+// Baked-in defaults for the official commit.show instance. Self-hosters can
+// override via `base_url` in ~/.commitshow/config.json.
+const DEFAULT_BASE_URL = 'https://tekemubwihsjdzittoqf.supabase.co';
+const DEFAULT_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InRla2VtdWJ3aWhzamR6aXR0b3FmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzY0MzQ1NzUsImV4cCI6MjA5MjAxMDU3NX0.n2K-3lFVvlXQx-bV9evdNRSQCtG5oC4uQushxB2ja9Y';
+function baseUrl() {
+    return readConfig().base_url ?? DEFAULT_BASE_URL;
+}
+function headers(extra = {}) {
+    const cfg = readConfig();
+    return {
+        apikey: DEFAULT_ANON_KEY,
+        Authorization: `Bearer ${cfg.token ?? DEFAULT_ANON_KEY}`,
+        'Content-Type': 'application/json',
+        ...extra,
+    };
+}
+async function rest(path, init = {}) {
+    const res = await fetch(`${baseUrl()}/rest/v1${path}`, {
+        ...init,
+        headers: { ...headers(), ...(init.headers ?? {}) },
+    });
+    if (!res.ok)
+        throw new Error(`API ${res.status} on ${path}: ${await res.text()}`);
+    return res.json();
+}
+// ── Lookups ──────────────────────────────────────────────────────────
+// PostgREST rejects `SELECT *` when anon has per-column grants (our email-privacy
+// migration · §18.2). We enumerate the public columns we actually render.
+const PROJECT_COLS = 'id,project_name,github_url,live_url,score_total,score_auto,score_forecast,' +
+    'score_community,status,creator_name,creator_grade,last_analysis_at';
+/** Find a project by its canonical GitHub URL. Returns the first match or null. */
+export async function findProjectByGithubUrl(url) {
+    // DB stores some URLs with .git or trailing slash · match loosely with ilike on owner/repo.
+    const canonical = url.replace(/\.git$/, '').replace(/\/+$/, '');
+    const ilikePattern = `${canonical.replace(/\*/g, '')}%`;
+    const rows = await rest(`/projects?select=${PROJECT_COLS}&github_url=ilike.${encodeURIComponent(ilikePattern)}&limit=1`);
+    return rows[0] ?? null;
+}
+export async function findProjectById(id) {
+    const rows = await rest(`/projects?select=${PROJECT_COLS}&id=eq.${id}&limit=1`);
+    return rows[0] ?? null;
+}
+export async function fetchLatestSnapshot(projectId) {
+    const rows = await rest(`/analysis_snapshots?project_id=eq.${projectId}&order=created_at.desc&limit=1`);
+    return rows[0] ?? null;
+}
+export async function fetchStanding(projectId) {
+    const rows = await rest(`/season_standings?project_id=eq.${projectId}&limit=1`);
+    return rows[0] ?? null;
+}
+/** Kicks off (or returns cached) a preview audit. 202 → poll; 200 → done. */
+export async function runPreviewAudit(githubUrl, liveUrl) {
+    const res = await fetch(`${baseUrl()}/functions/v1/audit-preview`, {
+        method: 'POST',
+        headers: headers(),
+        body: JSON.stringify({ github_url: githubUrl, live_url: liveUrl }),
+    });
+    const body = await res.json().catch(() => ({ error: 'invalid_json' }));
+    if (res.status === 202)
+        return body;
+    if (!res.ok)
+        return body;
+    return body;
+}
+/** Poll a preview job until the snapshot lands or we time out. */
+export async function waitForPreviewSnapshot(projectId, timeoutMs = 180_000, intervalMs = 4_000) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        const project = await findProjectById(projectId);
+        if (project && project.last_analysis_at) {
+            const snapshot = await fetchLatestSnapshot(projectId);
+            return {
+                project,
+                snapshot,
+                standing: null,
+                is_preview: project.status === 'preview',
+                cache_hit: false,
+            };
+        }
+        await new Promise(r => setTimeout(r, intervalMs));
+    }
+    return null;
+}
+// ── Trigger reaudit (requires member token · V1 backend) ─────────────
+export async function triggerReaudit(projectId) {
+    const cfg = readConfig();
+    if (!cfg.token) {
+        throw new Error('Re-audit requires login. Run `commitshow login` once device-flow is available.');
+    }
+    const res = await fetch(`${baseUrl()}/functions/v1/analyze-project`, {
+        method: 'POST',
+        headers: headers(),
+        body: JSON.stringify({ project_id: projectId, trigger_type: 'resubmit' }),
+    });
+    if (!res.ok)
+        throw new Error(`Re-audit failed: ${res.status} · ${await res.text()}`);
+    return res.json();
+}

package/dist/lib/colors.js

@@ -0,0 +1,38 @@
+// Brand palette — mirrors src/index.css tokens.
+// Uses kleur (no dependencies) for terminal coloring with graceful fallback.
+import kleur from 'kleur';
+// Hex reference (for 24-bit terminals):
+//   navy-900  #060C1A     gold-500 #F0C040     cream    #F8F5EE
+//   teal-500  #00D4AA     scarlet  #C8102E     muted    #6B7280
+// True-color escapes — kleur doesn't expose setRgb, so we wrap manually.
+// Terminals without truecolor still see readable ANSI (dim fallback chain).
+function rgb(r, g, b) {
+    return (s) => `\x1b[38;2;${r};${g};${b}m${s}\x1b[0m`;
+}
+export const c = {
+    gold: rgb(0xF0, 0xC0, 0x40),
+    cream: rgb(0xF8, 0xF5, 0xEE),
+    teal: rgb(0x00, 0xD4, 0xAA),
+    scarlet: rgb(0xC8, 0x10, 0x2E),
+    muted: rgb(0x6B, 0x72, 0x80),
+    blue: rgb(0x60, 0xA5, 0xFA),
+    violet: rgb(0xA7, 0x8B, 0xFA),
+    dim: kleur.dim,
+    bold: kleur.bold,
+};
+/** Pick a color based on a 0–100 score, matching web UI thresholds. */
+export function scoreTone(score) {
+    if (score >= 75)
+        return c.teal;
+    if (score >= 50)
+        return c.gold;
+    return c.scarlet;
+}
+/** Pick a color for delta (+/- vs parent snapshot). */
+export function deltaTone(delta) {
+    if (delta > 0)
+        return c.teal;
+    if (delta < 0)
+        return c.scarlet;
+    return c.muted;
+}

package/dist/lib/config.js

@@ -0,0 +1,29 @@
+// Local CLI config — ~/.commitshow/config.json
+//
+// Holds the Supabase JWT once login lands (V1 backend work). For now the
+// file mostly stores cached preferences, but we keep the path stable so the
+// device-flow (when added) can drop tokens without migration.
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+const CONFIG_DIR = join(homedir(), '.commitshow');
+const CONFIG_PATH = join(CONFIG_DIR, 'config.json');
+export function readConfig() {
+    if (!existsSync(CONFIG_PATH))
+        return {};
+    try {
+        const raw = readFileSync(CONFIG_PATH, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+export function writeConfig(next) {
+    if (!existsSync(CONFIG_DIR))
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    writeFileSync(CONFIG_PATH, JSON.stringify(next, null, 2), { mode: 0o600 });
+}
+export function clearConfig() {
+    writeConfig({});
+}

package/dist/lib/render.js

@@ -0,0 +1,307 @@
+// Terminal render — the canonical output spec from CLAUDE.md §15-C.2.
+//
+// Two output modes:
+//   · Pretty (default) — fixed-width 58-col terminal screenshot layout with
+//     ANSI colors, brand palette, strengths/concerns box. Human target.
+//   · JSON (`--json`) — stable machine-readable shape with `schema_version`.
+//     Agent target: Claude Code, AutoGPT, n8n, Zapier, GitHub Actions, etc.
+//     The JSON shape is the universal contract — no SDK or MCP needed to
+//     integrate. Agent workflow: shell out to commitshow, pipe to jq, act.
+//
+// Both modes share:
+//   · 3 strengths + 2 concerns asymmetry (§15-C.2 content contract)
+//   · self-delta only (no peer-vs-peer drama in V0.1)
+//   · `.commitshow/audit.{md,json}` side-effect for AI re-read loop
+import { writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { c, scoreTone, deltaTone } from './colors.js';
+const BAR_WIDTH = 20;
+/** Single filled/empty bar for a 0..max score. */
+function scoreBar(value, max) {
+    const filled = Math.max(0, Math.min(BAR_WIDTH, Math.round((value / max) * BAR_WIDTH)));
+    const empty = BAR_WIDTH - filled;
+    const tone = scoreTone(Math.round((value / max) * 100));
+    return tone('▰'.repeat(filled)) + c.muted('▱'.repeat(empty));
+}
+function pad(s, w) {
+    return s.length >= w ? s.slice(0, w) : s + ' '.repeat(w - s.length);
+}
+function centerPad(s, w) {
+    if (s.length >= w)
+        return s.slice(0, w);
+    const total = w - s.length;
+    const left = Math.floor(total / 2);
+    return ' '.repeat(left) + s + ' '.repeat(total - left);
+}
+/** Strip ANSI for width math on colored strings. */
+function visibleLength(s) {
+    // eslint-disable-next-line no-control-regex
+    return s.replace(/\x1b\[[0-9;]*m/g, '');
+}
+function asStringArray(raw, take) {
+    if (!Array.isArray(raw))
+        return [];
+    return raw.slice(0, take).map(row => {
+        if (typeof row === 'string')
+            return row;
+        if (row && typeof row === 'object') {
+            const r = row;
+            return String(r.bullet ?? r.finding ?? r.text ?? r.summary ?? r.title ?? '');
+        }
+        return '';
+    }).filter(Boolean);
+}
+export function renderAudit(view) {
+    const { project: p, snapshot, standing } = view;
+    const total = p.score_total ?? 0;
+    // Header
+    const bar = '─'.repeat(58);
+    const lines = [];
+    lines.push(c.muted('┌' + bar + '┐'));
+    lines.push(c.muted('│ ') + c.bold(c.gold('commit.show')) + c.muted(' · ') + c.cream('Audit report') + ' '.repeat(58 - 29) + c.muted('│'));
+    lines.push(c.muted('└' + bar + '┘'));
+    lines.push('');
+    // Project title line
+    const name = p.project_name ?? 'untitled';
+    const slug = p.github_url?.replace(/^https?:\/\//, '') ?? '';
+    lines.push('  ' + c.bold(c.cream(name)) + '   ' + c.muted(slug));
+    lines.push('');
+    // Hero score card
+    const scoreText = `${total} / 100`;
+    const scoreTinted = scoreTone(total)(scoreText);
+    const cardW = 14;
+    lines.push('  ' + ' '.repeat(20) + c.muted('╔' + '═'.repeat(cardW) + '╗'));
+    lines.push('  ' + ' '.repeat(20) + c.muted('║') + centerPadAnsi(scoreTinted, cardW) + c.muted('║'));
+    lines.push('  ' + ' '.repeat(20) + c.muted('╚' + '═'.repeat(cardW) + '╝'));
+    lines.push('');
+    // 3-axis bars
+    const auditLine = `  Audit  ${pad(`${p.score_auto}/50`, 7)}  ${scoreBar(p.score_auto, 50)}`;
+    const scoutLine = `  Scout  ${pad(`${p.score_forecast}/30`, 7)}  ${scoreBar(p.score_forecast, 30)}`;
+    const communityLine = `  Comm.  ${pad(`${p.score_community}/20`, 7)}  ${scoreBar(p.score_community, 20)}`;
+    lines.push('  ' + auditLine);
+    lines.push('  ' + scoutLine);
+    lines.push('  ' + communityLine);
+    lines.push('');
+    // 3 strengths + 2 concerns from scout_brief · §15-C.2 content contract.
+    // Web surfaces the full 5+3; the CLI keeps it tight for terminal screenshots.
+    const strengths = asStringArray(snapshot?.rich_analysis?.scout_brief?.strengths, 3);
+    const concerns = asStringArray(snapshot?.rich_analysis?.scout_brief?.weaknesses, 2);
+    if (strengths.length > 0 || concerns.length > 0) {
+        lines.push('  ' + c.muted('┌' + '─'.repeat(56) + '┐'));
+        for (const s of strengths) {
+            lines.push('  ' + c.muted('│ ') + c.teal('↑ ') + truncate(s, 52) + fill(s, 52) + c.muted(' │'));
+        }
+        for (const s of concerns) {
+            lines.push('  ' + c.muted('│ ') + c.scarlet('↓ ') + truncate(s, 52) + fill(s, 52) + c.muted(' │'));
+        }
+        lines.push('  ' + c.muted('└' + '─'.repeat(56) + '┘'));
+        lines.push('');
+    }
+    // Standings + delta
+    if (standing) {
+        const rank = `#${standing.rank} of ${standing.total_in_season}`;
+        const tier = standing.projected_tier ?? '—';
+        const pct = `(top ${Math.max(1, Math.round(standing.percentile))}%)`;
+        lines.push('  ' + c.muted('Ranked   ') + c.cream(pad(rank, 12)) + c.muted(`  season`));
+        lines.push('  ' + c.muted('Tier     ') + c.gold(pad(tier, 12)) + c.muted(`  ${pct}`));
+    }
+    if (snapshot?.score_total_delta != null && snapshot.score_total_delta !== 0) {
+        const d = snapshot.score_total_delta;
+        const sign = d > 0 ? '+' : '';
+        lines.push('  ' + c.muted('Δ        ') + deltaTone(d)(pad(`${sign}${d}`, 12)) + c.muted(`  since last audit`));
+    }
+    lines.push('');
+    // Footer URLs
+    const url = `https://commit.show/projects/${p.id}`;
+    lines.push('  ' + c.muted('→ ') + c.cream(url));
+    const footerPad = Math.max(0, 58 - 'commit.show'.length - 2);
+    lines.push(' '.repeat(footerPad) + c.gold('commit.show'));
+    return lines.join('\n');
+}
+function truncate(s, w) {
+    const vl = s.length;
+    if (vl <= w)
+        return s;
+    return s.slice(0, w - 1) + '…';
+}
+function fill(s, w) {
+    return ' '.repeat(Math.max(0, w - Math.min(w, s.length)));
+}
+function centerPadAnsi(s, w) {
+    const vl = visibleLength(s).length;
+    if (vl >= w)
+        return s;
+    const total = w - vl;
+    const left = Math.floor(total / 2);
+    return ' '.repeat(left) + s + ' '.repeat(total - left);
+}
+// ─────────── Markdown sibling for .commitshow/audit.md ───────────
+export function renderMarkdown(view) {
+    const { project: p, snapshot, standing } = view;
+    const strengths = asStringArray(snapshot?.rich_analysis?.scout_brief?.strengths, 3);
+    const concerns = asStringArray(snapshot?.rich_analysis?.scout_brief?.weaknesses, 2);
+    const delta = snapshot?.score_total_delta;
+    const lines = [];
+    lines.push(`# commit.show · Audit report`);
+    lines.push('');
+    lines.push(`**${p.project_name}**`);
+    if (p.github_url)
+        lines.push(`_${p.github_url}_`);
+    lines.push('');
+    lines.push(`## Score · ${p.score_total} / 100`);
+    lines.push('');
+    lines.push(`- Audit:      ${p.score_auto}/50`);
+    lines.push(`- Scout:      ${p.score_forecast}/30`);
+    lines.push(`- Community:  ${p.score_community}/20`);
+    if (delta != null && delta !== 0) {
+        lines.push(`- **Δ ${delta > 0 ? '+' : ''}${delta}** since last audit`);
+    }
+    if (standing) {
+        lines.push(`- Ranked #${standing.rank} of ${standing.total_in_season} — projected **${standing.projected_tier ?? '—'}** (top ${Math.round(standing.percentile)}%)`);
+    }
+    lines.push('');
+    if (strengths.length > 0) {
+        lines.push(`## Strengths`);
+        for (const s of strengths)
+            lines.push(`- ${s}`);
+        lines.push('');
+    }
+    if (concerns.length > 0) {
+        lines.push(`## Concerns`);
+        for (const s of concerns)
+            lines.push(`- ${s}`);
+        lines.push('');
+    }
+    lines.push(`---`);
+    lines.push(`Auditioned on commit.show · https://commit.show/projects/${p.id}`);
+    lines.push('');
+    return lines.join('\n');
+}
+/** Persist markdown side-effect to .commitshow/audit.md in the target dir. */
+export function writeAuditMarkdown(dir, md) {
+    if (!dir)
+        return null;
+    try {
+        const cshow = join(dir, '.commitshow');
+        if (!existsSync(cshow))
+            mkdirSync(cshow, { recursive: true });
+        const path = join(cshow, 'audit.md');
+        writeFileSync(path, md, 'utf8');
+        return path;
+    }
+    catch {
+        return null;
+    }
+}
+function bandFor(score) {
+    if (score >= 75)
+        return 'strong';
+    if (score >= 50)
+        return 'mid';
+    return 'weak';
+}
+function asObjectArray(raw, take) {
+    if (!Array.isArray(raw))
+        return [];
+    const out = [];
+    for (const row of raw.slice(0, take)) {
+        if (typeof row === 'string' && row.trim().length > 0) {
+            out.push({ axis: null, bullet: row });
+        }
+        else if (row && typeof row === 'object') {
+            const r = row;
+            const bullet = String(r.bullet ?? r.finding ?? r.text ?? r.summary ?? r.title ?? '').trim();
+            if (bullet)
+                out.push({ axis: r.axis ?? null, bullet });
+        }
+    }
+    return out;
+}
+export function toAgentShape(view) {
+    const { project: p, snapshot, standing } = view;
+    return {
+        schema_version: '1',
+        generated_at: new Date().toISOString(),
+        project: {
+            id: p.id,
+            name: p.project_name,
+            github_url: p.github_url,
+            live_url: p.live_url,
+            status: p.status,
+            creator: { name: p.creator_name, grade: p.creator_grade },
+            url: `https://commit.show/projects/${p.id}`,
+        },
+        score: {
+            total: p.score_total,
+            total_max: 100,
+            audit: p.score_auto,
+            audit_max: 50,
+            scout: p.score_forecast,
+            scout_max: 30,
+            community: p.score_community,
+            community_max: 20,
+            delta_since_last: snapshot?.score_total_delta ?? null,
+            band: bandFor(p.score_total),
+        },
+        standing: standing
+            ? {
+                rank: standing.rank,
+                total_in_season: standing.total_in_season,
+                percentile: standing.percentile,
+                projected_tier: standing.projected_tier,
+                live_url_ok: standing.live_url_ok ?? null,
+                snapshots_ok: standing.snapshots_ok ?? null,
+                brief_ok: standing.brief_ok ?? null,
+            }
+            : null,
+        strengths: asObjectArray(snapshot?.rich_analysis?.scout_brief?.strengths, 3),
+        concerns: asObjectArray(snapshot?.rich_analysis?.scout_brief?.weaknesses, 2),
+        snapshot: snapshot
+            ? { id: snapshot.id, created_at: snapshot.created_at, trigger_type: snapshot.trigger_type }
+            : null,
+    };
+}
+export function renderJson(view) {
+    return JSON.stringify(toAgentShape(view), null, 2);
+}
+// ── Upsell panel (CLI-only · appended to preview audits) ─────────────
+// Shown after a preview audit render so Creator sees what a real audition
+// unlocks. Intentionally NOT shown for registered projects — they already
+// have access to everything listed here.
+export function renderUpsell() {
+    const lines = [];
+    const bar = '─'.repeat(58);
+    lines.push('  ' + c.muted('┌' + bar + '┐'));
+    lines.push('  ' + c.muted('│ ') + c.bold(c.gold('Preview')) + c.muted(' · ') + c.cream('not entered in the season') + ' '.repeat(58 - 35) + c.muted('│'));
+    lines.push('  ' + c.muted('│' + ' '.repeat(58) + '│'));
+    lines.push('  ' + c.muted('│ ') + c.cream('Audition to unlock:') + ' '.repeat(58 - 20) + c.muted('│'));
+    const items = [
+        'Scout forecasts · human verdicts (30% of score)',
+        'Season ranking  · top 20% graduate each 3-week cycle',
+        'Hall of Fame    · permanent archive + public badge',
+        'Live applauds   · notifications when reviewers react',
+        'Recommit loop   · weekly delta + trajectory share card',
+    ];
+    for (const it of items) {
+        lines.push('  ' + c.muted('│ ') + c.teal('→ ') + c.cream(pad(it, 54)) + c.muted('│'));
+    }
+    lines.push('  ' + c.muted('│' + ' '.repeat(58) + '│'));
+    lines.push('  ' + c.muted('│ ') + c.gold('→ https://commit.show/submit') + ' '.repeat(58 - 30) + c.muted('│'));
+    lines.push('  ' + c.muted('└' + bar + '┘'));
+    return lines.join('\n');
+}
+export function writeAuditJson(dir, json) {
+    if (!dir)
+        return null;
+    try {
+        const cshow = join(dir, '.commitshow');
+        if (!existsSync(cshow))
+            mkdirSync(cshow, { recursive: true });
+        const path = join(cshow, 'audit.json');
+        writeFileSync(path, json, 'utf8');
+        return path;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/lib/target.js

@@ -0,0 +1,87 @@
+// Target detection — turns the CLI positional arg into a canonical
+// { kind: 'remote-url', github_url } or { kind: 'local', path, github_url? }.
+//
+// Accepted inputs (all resolve to a GitHub HTTPS URL):
+//   · (omitted)                         → cwd · read `git remote get-url origin`
+//   · ./my-repo · /abs/path             → local dir · same remote inference
+//   · github.com/owner/repo             → bare host shorthand
+//   · https://github.com/owner/repo     → full URL
+//   · git@github.com:owner/repo.git     → ssh form (common in `git remote`)
+//   · owner/repo                        → last-ditch shorthand (2 segments, no dot)
+import { execSync } from 'node:child_process';
+import { existsSync, statSync } from 'node:fs';
+import { resolve } from 'node:path';
+export class TargetError extends Error {
+}
+const GITHUB_URL_RE = /^https?:\/\/github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;
+const GITHUB_HOST_RE = /^github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;
+const GITHUB_SSH_RE = /^git@github\.com:([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;
+const SLUG_RE = /^([A-Za-z0-9][\w.-]*)\/([A-Za-z0-9][\w.-]*)$/;
+function canonical(owner, repo) {
+    return `https://github.com/${owner}/${repo.replace(/\.git$/, '')}`;
+}
+function matchUrl(raw) {
+    const s = raw.trim();
+    const urlMatch = s.match(GITHUB_URL_RE) ?? s.match(GITHUB_HOST_RE) ?? s.match(GITHUB_SSH_RE);
+    if (urlMatch)
+        return { owner: urlMatch[1], repo: urlMatch[2] };
+    const slug = s.match(SLUG_RE);
+    if (slug && !slug[2].includes('.'))
+        return { owner: slug[1], repo: slug[2] };
+    return null;
+}
+function gitRemoteOrigin(cwd) {
+    try {
+        const out = execSync('git remote get-url origin', {
+            cwd,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        if (!out)
+            return null;
+        // Strip embedded userinfo (credentials) before parsing — safer and matches
+        // how the canonical URL should look. e.g. https://x-access-token:ghp_…@github.com/foo/bar
+        return out.replace(/^(https?:\/\/)[^@\/]+@/, '$1');
+    }
+    catch {
+        return null;
+    }
+}
+export function resolveTarget(rawArg) {
+    // 1 · Explicit URL forms
+    if (rawArg) {
+        const m = matchUrl(rawArg);
+        if (m) {
+            return {
+                kind: 'remote-url',
+                github_url: canonical(m.owner, m.repo),
+                slug: `${m.owner}/${m.repo.replace(/\.git$/, '')}`,
+            };
+        }
+    }
+    // 2 · Local path (arg resolves to a directory) or cwd
+    const path = resolve(rawArg ?? '.');
+    if (!existsSync(path) || !statSync(path).isDirectory()) {
+        throw new TargetError(`Not a repo I can audit: "${rawArg ?? path}".\n` +
+            `  Expected: github URL, owner/repo shorthand, or a local git repo path.`);
+    }
+    const remote = gitRemoteOrigin(path);
+    if (!remote) {
+        throw new TargetError(`No git remote found in ${path}.\n` +
+            `  Either run this inside a git repo with a GitHub remote, or pass the URL directly:\n` +
+            `    commitshow audit github.com/owner/repo`);
+    }
+    const m = matchUrl(remote);
+    if (!m) {
+        // Don't echo `remote` — it may contain credentials. Ask for explicit target instead.
+        throw new TargetError(`Couldn't parse the git remote for ${path} as a GitHub repo.\n` +
+            `  commitshow currently supports GitHub-hosted projects only.\n` +
+            `  Try passing the URL directly: commitshow audit github.com/owner/repo`);
+    }
+    return {
+        kind: 'local',
+        github_url: canonical(m.owner, m.repo),
+        localPath: path,
+        slug: `${m.owner}/${m.repo.replace(/\.git$/, '')}`,
+    };
+}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "commitshow",
+  "version": "0.1.0",
+  "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
+  "type": "module",
+  "bin": {
+    "commitshow": "./bin/commitshow.js"
+  },
+  "files": [
+    "bin",
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p .",
+    "dev": "tsc -p . --watch",
+    "prepare": "npm run build"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "commit.show",
+    "audit",
+    "vibe-coding",
+    "cli"
+  ],
+  "author": "commit.show",
+  "license": "MIT",
+  "homepage": "https://commit.show",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hans1329/vibe",
+    "directory": "packages/cli"
+  },
+  "dependencies": {
+    "kleur": "^4.1.5"
+  },
+  "devDependencies": {
+    "@types/node": "^20.19.39",
+    "typescript": "^5.9.3"
+  }
+}