npm - commitshow - Versions diffs - 0.3.14 → 0.3.16 - Mend

commitshow 0.3.14 → 0.3.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -87,12 +87,46 @@ Requires **Node 20+**.
 | Command | What it does |
 |---|---|
-| `commitshow audit [target]` | Fetch + render the latest audit, write `.commitshow/audit.md` in local mode |
-| `commitshow status [target]` | Same render, no re-run |
+| `commitshow audit [target] [--json] [--refresh] [--source=<tag>]` | Fetch + render the latest audit, write `.commitshow/audit.{md,json}` |
+| `commitshow status [target]` | Same render as `audit`, no re-run |
+| `commitshow login [--no-open] [--token <jwt>]` | Device-flow sign-in via browser approval |
+| `commitshow whoami [--logout]` | Print the linked account · `--logout` clears the saved token |
 | `commitshow submit [target]` | Audition a project (coming soon · needs login) |
 | `commitshow install <pack>` | Install a Library artifact (coming soon) |
-| `commitshow login` | Device-flow sign-in (coming soon) |
-| `commitshow whoami` | Print the linked account |
+### Sign in for higher rate limits
+```bash
+npx commitshow@latest login
+```
+Opens `commit.show/cli/link?code=<6-hex>` in your browser. After you
+click Authorize there, the CLI receives a 90-day JWT and saves it to
+`~/.commitshow/config.json` (file mode 0600). Subsequent calls send
+the token in the Authorization header automatically.
+What changes once signed in:
+- Per-IP rate cap goes from **20 audits/day** to **50/day**
+- Newly audited preview projects auto-claim ownership (visible at
+  [commit.show/me](https://commit.show/me) → MY AUDITS)
+- `commitshow whoami` prints your member id + email
+Headless / CI? Use `--token <jwt>` to skip the browser handshake.
+### Telemetry source flag
+`--source=<tag>` lets you self-report how the call originated:
+```bash
+npx commitshow audit . --source=claude-code
+COMMITSHOW_SOURCE=cursor npx commitshow audit .
+```
+Common tags: `claude-code` · `cursor` · `gemini-cli` · `codex` ·
+`antigravity` · `production-audit-skill` · any 64-char string. Drops
+into the maintainer's admin breakdown so we can see which agent
+ecosystems are driving installs. Skip the flag to stay anonymous.
 ### Target forms
@@ -206,9 +240,9 @@ changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
 ## Roadmap
 - `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
-- `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
-- `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
-- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly)
+- `0.3` — ✓ device-flow login · `--source` telemetry · User-Agent self-report · MCP server (`commitshow-mcp`)
+- `0.4` — `commitshow submit` · `--watch` mode · CI exit-code gate · refresh-token flow
+- `0.5` — `commitshow install <pack>` with {{VARIABLE}} substitution
 ## Links

package/dist/commands/audit.js CHANGED Viewed

@@ -11,8 +11,15 @@ export async function audit(args) {
     // the COMMITSHOW_SOURCE env var (used by IDE plugins that wrap the
     // CLI) and ultimately empty string. Surfaced in /admin > CLI 사용
     // tab as a distribution chart.
+    // --source X (space form): only consume args[idx+1] when --source actually
+    // appears. Old code used `args.indexOf('--source') + 1` unguarded, which
+    // returns 0 when --source is absent — making the FIRST positional arg
+    // (e.g. the target URL) get misread as the source value, then filtered
+    // out of `positional` below. Result: target URL silently dropped, CLI
+    // falls back to cwd and reports "no git remote".
+    const sourceIdx = args.indexOf('--source');
     const sourceFlag = args.find(a => a.startsWith('--source='))?.split('=')[1]
-        ?? args[args.indexOf('--source') + 1]?.replace(/^-/, '') // tolerate --source X
+        ?? (sourceIdx >= 0 ? args[sourceIdx + 1] : undefined)
         ?? process.env.COMMITSHOW_SOURCE
         ?? null;
     const positional = args.find(a => !a.startsWith('--') && a !== sourceFlag);

package/dist/commands/login.js CHANGED Viewed

@@ -1,16 +1,125 @@
-// Device flow placeholder. Needs the /cli/link web page + token-exchange
-// Edge Function on the server side (V1 backend work · see CLAUDE.md §15-C.4
-// rollout). Until that lands, we fail fast with a clear message so the user
-// knows their audit/status commands still work read-only.
+// commitshow login — device-flow authorization.
+//
+// Default flow:
+//   1. POST /functions/v1/cli-link-init · receive { code, poll_token, verification_url }
+//   2. Print the code + URL · open the URL in the user's browser (unless --no-open)
+//   3. Poll /functions/v1/cli-link-poll every 2s until 'ok' (token returned),
+//      'expired', or timeout (10 min).
+//   4. Save the api_token + member info to ~/.commitshow/config.json
+//
+// --token mode: skip the browser handshake and accept a pre-minted JWT
+//   (useful for headless / CI environments).
+//
+// --no-open: don't auto-launch the browser, just print the URL.
+import { readConfig, writeConfig } from '../lib/config.js';
 import { c } from '../lib/colors.js';
-export async function login(_args) {
+const POLL_INTERVAL_MS = 2000;
+const POLL_TIMEOUT_MS = 10 * 60 * 1000;
+const DEFAULT_BASE_URL = 'https://tekemubwihsjdzittoqf.supabase.co';
+const DEFAULT_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InRla2VtdWJ3aWhzamR6aXR0b3FmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzY0MzQ1NzUsImV4cCI6MjA5MjAxMDU3NX0.n2K-3lFVvlXQx-bV9evdNRSQCtG5oC4uQushxB2ja9Y';
+function baseUrl() {
+    return readConfig().base_url ?? DEFAULT_BASE_URL;
+}
+function tryOpen(url) {
+    // Best-effort cross-platform open. Failure is silent — user still has
+    // the URL printed and can copy/paste manually.
+    const cmd = process.platform === 'darwin' ? 'open'
+        : process.platform === 'win32' ? 'cmd'
+            : 'xdg-open';
+    const args = process.platform === 'win32' ? ['/c', 'start', '', url] : [url];
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const { spawn } = require('node:child_process');
+        spawn(cmd, args, { stdio: 'ignore', detached: true }).unref();
+    }
+    catch { /* ignore */ }
+}
+async function fetchUser(token) {
+    try {
+        const res = await fetch(`${baseUrl()}/auth/v1/user`, {
+            headers: { apikey: DEFAULT_ANON_KEY, Authorization: `Bearer ${token}` },
+        });
+        if (!res.ok)
+            return null;
+        const j = await res.json();
+        return { id: j.id, email: j.email ?? null };
+    }
+    catch {
+        return null;
+    }
+}
+export async function login(args) {
+    const noOpen = args.includes('--no-open');
+    const tokenIdx = args.indexOf('--token');
+    const presetToken = tokenIdx >= 0 ? args[tokenIdx + 1] : null;
+    // Headless / CI path · skip the browser handshake.
+    if (presetToken) {
+        const user = await fetchUser(presetToken);
+        if (!user) {
+            console.error(c.scarlet('✗ Token rejected · invalid or expired.'));
+            return 1;
+        }
+        writeConfig({ ...readConfig(), token: presetToken, member_id: user.id, display_name: user.email ?? undefined });
+        console.log(c.gold('✓ Logged in · token saved to ~/.commitshow/config.json'));
+        return 0;
+    }
+    // 1. Init the device-flow.
+    let init;
+    try {
+        const res = await fetch(`${baseUrl()}/functions/v1/cli-link-init`, {
+            method: 'POST',
+            headers: { apikey: DEFAULT_ANON_KEY, Authorization: `Bearer ${DEFAULT_ANON_KEY}`, 'Content-Type': 'application/json' },
+            body: '{}',
+        });
+        init = await res.json();
+        if (!res.ok || !init.code || !init.poll_token) {
+            console.error(c.scarlet(`✗ Init failed: ${init.error ?? `HTTP ${res.status}`}`));
+            return 1;
+        }
+    }
+    catch (e) {
+        console.error(c.scarlet(`✗ Init network error: ${e?.message ?? e}`));
+        return 1;
+    }
+    console.log('');
+    console.log(c.cream('  Authorize commitshow CLI to act on your account.'));
     console.log('');
-    console.log(c.cream('Login is not yet available in 0.1.'));
+    console.log(`  Verification code:  ${c.gold(init.code)}`);
+    console.log(`  Approve at:         ${init.verification_url}`);
     console.log('');
-    console.log(c.muted('  Read-only commands (audit, status, whoami) already work against public data.'));
-    console.log(c.muted('  Write commands (submit, re-audit, install) unlock once the device-flow'));
-    console.log(c.muted('  endpoint ships — tracked as a V1 item in the roadmap.'));
+    console.log(c.dim('  Waiting for approval (10 min timeout)…'));
     console.log('');
-    console.log(c.dim('  Sign in on the web for now → https://commit.show'));
+    if (!noOpen && init.verification_url)
+        tryOpen(init.verification_url);
+    // 2. Poll until approved / expired / timeout.
+    const deadline = Date.now() + POLL_TIMEOUT_MS;
+    while (Date.now() < deadline) {
+        await new Promise(r => setTimeout(r, POLL_INTERVAL_MS));
+        try {
+            const res = await fetch(`${baseUrl()}/functions/v1/cli-link-poll`, {
+                method: 'POST',
+                headers: { apikey: DEFAULT_ANON_KEY, Authorization: `Bearer ${DEFAULT_ANON_KEY}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify({ poll_token: init.poll_token }),
+            });
+            const resp = await res.json();
+            if (resp.status === 'ok' && resp.api_token) {
+                writeConfig({ ...readConfig(), token: resp.api_token, member_id: resp.user_id ?? undefined });
+                console.log(c.gold('  ✓ Authorized · token saved to ~/.commitshow/config.json'));
+                const user = await fetchUser(resp.api_token);
+                if (user?.email)
+                    writeConfig({ ...readConfig(), display_name: user.email });
+                return 0;
+            }
+            if (resp.status === 'expired' || resp.status === 'consumed') {
+                console.error(c.scarlet(`  ✗ ${resp.message ?? resp.status}`));
+                return 1;
+            }
+            // status === 'pending' · keep polling.
+        }
+        catch {
+            // transient · keep polling.
+        }
+    }
+    console.error(c.scarlet('  ✗ Timed out waiting for approval (10 min). Re-run commitshow login.'));
     return 1;
 }

package/dist/commands/whoami.js CHANGED Viewed

@@ -1,14 +1,56 @@
-import { readConfig } from '../lib/config.js';
+import { readConfig, writeConfig } from '../lib/config.js';
 import { c } from '../lib/colors.js';
-export async function whoami(_args) {
+const DEFAULT_BASE_URL = 'https://tekemubwihsjdzittoqf.supabase.co';
+const DEFAULT_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InRla2VtdWJ3aWhzamR6aXR0b3FmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzY0MzQ1NzUsImV4cCI6MjA5MjAxMDU3NX0.n2K-3lFVvlXQx-bV9evdNRSQCtG5oC4uQushxB2ja9Y';
+async function verifyToken(token) {
+    try {
+        const res = await fetch(`${DEFAULT_BASE_URL}/auth/v1/user`, {
+            headers: { apikey: DEFAULT_ANON_KEY, Authorization: `Bearer ${token}` },
+        });
+        if (!res.ok)
+            return null;
+        const j = await res.json();
+        return { id: j.id, email: j.email ?? null };
+    }
+    catch {
+        return null;
+    }
+}
+export async function whoami(args) {
     const cfg = readConfig();
-    if (!cfg.token || !cfg.display_name) {
+    // --logout · convenience flag · clears token from local config.
+    if (args.includes('--logout')) {
+        if (!cfg.token) {
+            console.log(c.dim('Already signed out.'));
+            return 0;
+        }
+        const next = { ...cfg };
+        delete next.token;
+        delete next.member_id;
+        delete next.display_name;
+        delete next.refresh_token;
+        writeConfig(next);
+        console.log(c.gold('✓ Signed out · token cleared from ~/.commitshow/config.json'));
+        return 0;
+    }
+    if (!cfg.token) {
         console.log(c.muted('Not signed in.'));
-        console.log(c.dim('  Read-only commands still work. Login coming in the next CLI release.'));
+        console.log(c.dim('  Run `commitshow login` to authorize a 90-day API token.'));
+        return 1;
+    }
+    // Verify the saved token is still valid (not expired or revoked).
+    const user = await verifyToken(cfg.token);
+    if (!user) {
+        console.log(c.scarlet('✗ Token rejected (expired or revoked).'));
+        console.log(c.dim('  Re-run `commitshow login`.'));
         return 1;
     }
-    console.log(c.cream(cfg.display_name));
-    if (cfg.member_id)
-        console.log(c.muted(`  ${cfg.member_id}`));
+    console.log('');
+    if (cfg.display_name)
+        console.log(`  ${c.cream(cfg.display_name)}`);
+    if (user.email && user.email !== cfg.display_name)
+        console.log(`  email:      ${user.email}`);
+    console.log(`  member id:  ${user.id}`);
+    console.log('');
     return 0;
 }

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,6 @@
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
 import { audit } from './commands/audit.js';
 import { submit } from './commands/submit.js';
 import { install } from './commands/install.js';
@@ -6,7 +9,20 @@ import { login } from './commands/login.js';
 import { whoami } from './commands/whoami.js';
 import { c } from './lib/colors.js';
 import { checkLatestVersion, formatUpdateBanner } from './lib/version-check.js';
-const VERSION = '0.2.11';
+// Read version from package.json at runtime so a hardcoded constant
+// can't go stale across publishes. (Previous incident: source said
+// '0.2.11' while npm shipped 0.3.x — every binary nagged users to
+// upgrade to a version they were already on.)
+const VERSION = (() => {
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+        return pkg.version ?? '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+})();
 const USAGE = `
 ${c.bold(c.gold('commit.show'))} ${c.dim(`v${VERSION}`)}  ${c.muted('—')} ${c.cream('audit any vibe-coded project from your terminal.')}
 ${c.muted('the')} ${c.gold('walk-on')} ${c.muted('lane: drop in, get scored, leave · no signup, no audition, no league entry.')}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "commitshow",
-  "version": "0.3.14",
+  "version": "0.3.16",
   "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {