commitshow 0.3.15 → 0.3.17

package/README.md

@@ -87,12 +87,46 @@ Requires **Node 20+**.
 
 | Command | What it does |
 |---|---|
-| `commitshow audit [target]` | Fetch + render the latest audit, write `.commitshow/audit.md` in local mode |
-| `commitshow status [target]` | Same render, no re-run |
+| `commitshow audit [target] [--json] [--refresh] [--source=<tag>]` | Fetch + render the latest audit, write `.commitshow/audit.{md,json}` |
+| `commitshow status [target]` | Same render as `audit`, no re-run |
+| `commitshow login [--no-open] [--token <jwt>]` | Device-flow sign-in via browser approval |
+| `commitshow whoami [--logout]` | Print the linked account · `--logout` clears the saved token |
 | `commitshow submit [target]` | Audition a project (coming soon · needs login) |
 | `commitshow install <pack>` | Install a Library artifact (coming soon) |
-| `commitshow login` | Device-flow sign-in (coming soon) |
-| `commitshow whoami` | Print the linked account |
+
+### Sign in for higher rate limits
+
+```bash
+npx commitshow@latest login
+```
+
+Opens `commit.show/cli/link?code=<6-hex>` in your browser. After you
+click Authorize there, the CLI receives a 90-day JWT and saves it to
+`~/.commitshow/config.json` (file mode 0600). Subsequent calls send
+the token in the Authorization header automatically.
+
+What changes once signed in:
+
+- Per-IP rate cap goes from **20 audits/day** to **50/day**
+- Newly audited preview projects auto-claim ownership (visible at
+  [commit.show/me](https://commit.show/me) → MY AUDITS)
+- `commitshow whoami` prints your member id + email
+
+Headless / CI? Use `--token <jwt>` to skip the browser handshake.
+
+### Telemetry source flag
+
+`--source=<tag>` lets you self-report how the call originated:
+
+```bash
+npx commitshow audit . --source=claude-code
+COMMITSHOW_SOURCE=cursor npx commitshow audit .
+```
+
+Common tags: `claude-code` · `cursor` · `gemini-cli` · `codex` ·
+`antigravity` · `production-audit-skill` · any 64-char string. Drops
+into the maintainer's admin breakdown so we can see which agent
+ecosystems are driving installs. Skip the flag to stay anonymous.
 
 ### Target forms
 
@@ -206,9 +240,9 @@ changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
 ## Roadmap
 
 - `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
-- `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
-- `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
-- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly)
+- `0.3` — ✓ device-flow login · `--source` telemetry · User-Agent self-report · MCP server (`commitshow-mcp`)
+- `0.4` — `commitshow submit` · `--watch` mode · CI exit-code gate · refresh-token flow
+- `0.5` — `commitshow install <pack>` with {{VARIABLE}} substitution
 
 ## Links
 

package/dist/commands/audit.js

@@ -11,8 +11,15 @@ export async function audit(args) {
     // the COMMITSHOW_SOURCE env var (used by IDE plugins that wrap the
     // CLI) and ultimately empty string. Surfaced in /admin > CLI 사용
     // tab as a distribution chart.
+    // --source X (space form): only consume args[idx+1] when --source actually
+    // appears. Old code used `args.indexOf('--source') + 1` unguarded, which
+    // returns 0 when --source is absent — making the FIRST positional arg
+    // (e.g. the target URL) get misread as the source value, then filtered
+    // out of `positional` below. Result: target URL silently dropped, CLI
+    // falls back to cwd and reports "no git remote".
+    const sourceIdx = args.indexOf('--source');
     const sourceFlag = args.find(a => a.startsWith('--source='))?.split('=')[1]
-        ?? args[args.indexOf('--source') + 1]?.replace(/^-/, '') // tolerate --source X
+        ?? (sourceIdx >= 0 ? args[sourceIdx + 1] : undefined)
         ?? process.env.COMMITSHOW_SOURCE
         ?? null;
     const positional = args.find(a => !a.startsWith('--') && a !== sourceFlag);

package/dist/index.js

@@ -1,3 +1,6 @@
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
 import { audit } from './commands/audit.js';
 import { submit } from './commands/submit.js';
 import { install } from './commands/install.js';
@@ -6,7 +9,20 @@ import { login } from './commands/login.js';
 import { whoami } from './commands/whoami.js';
 import { c } from './lib/colors.js';
 import { checkLatestVersion, formatUpdateBanner } from './lib/version-check.js';
-const VERSION = '0.2.11';
+// Read version from package.json at runtime so a hardcoded constant
+// can't go stale across publishes. (Previous incident: source said
+// '0.2.11' while npm shipped 0.3.x — every binary nagged users to
+// upgrade to a version they were already on.)
+const VERSION = (() => {
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+        return pkg.version ?? '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+})();
 const USAGE = `
 ${c.bold(c.gold('commit.show'))} ${c.dim(`v${VERSION}`)}  ${c.muted('—')} ${c.cream('audit any vibe-coded project from your terminal.')}
 ${c.muted('the')} ${c.gold('walk-on')} ${c.muted('lane: drop in, get scored, leave · no signup, no audition, no league entry.')}

package/dist/lib/colors.js

@@ -17,7 +17,12 @@ export const c = {
     // matched the Claude Code logo too literally — CEO pulled it back to
     // brand on 2026-05-02.)
     pixelInk: rgb(0xF0, 0xC0, 0x40),
-    cream: rgb(0xF8, 0xF5, 0xEE),
+    // `cream` was originally truecolor #F8F5EE (near-white), which is
+    // invisible on light-background terminals. Use the terminal's default
+    // foreground color (no escape) so body text reads on both light and
+    // dark backgrounds. The brand cream is preserved for accents (gold ·
+    // scarlet · teal) which stay readable on both.
+    cream: (s) => s,
     teal: rgb(0x00, 0xD4, 0xAA),
     scarlet: rgb(0xC8, 0x10, 0x2E),
     muted: rgb(0x6B, 0x72, 0x80),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "commitshow",
-  "version": "0.3.15",
+  "version": "0.3.17",
   "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {