commitshow 0.3.24 → 0.3.26

package/dist/commands/install.js

@@ -1,11 +1,192 @@
+// `commitshow install <slug>` — fetch a marketplace pack and run its
+// installer in the current working directory.
+//
+// Flow:
+//   1. Look up the listing by slug via PostgREST (md_library_feed)
+//   2. Download the bundle .tar.gz from Storage public URL
+//   3. Verify sha256 against the listing's bundle_sha256
+//   4. Untar to ~/.commitshow/cache/<slug>-<version>/
+//   5. Run scripts/install.sh from the untarred bundle, with $PWD set
+//      to the user's project directory. The installer itself prompts
+//      for inputs (osascript on macOS, stdin elsewhere) and runs ALL
+//      operations against the user's own credentials.
+//
+// commit.show is the bundle delivery channel only · no user secrets
+// pass through any of our infrastructure.
+import { spawn } from 'node:child_process';
+import { createWriteStream, mkdtempSync, mkdirSync, existsSync, readdirSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { tmpdir, homedir } from 'node:os';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { Readable } from 'node:stream';
 import { c } from '../lib/colors.js';
-export async function install(_args) {
+const PUBLIC_BASE = 'https://tekemubwihsjdzittoqf.supabase.co';
+const ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InRla2VtdWJ3aWhzamR6aXR0b3FmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzY0MzQ1NzUsImV4cCI6MjA5MjAxMDU3NX0.n2K-3lFVvlXQx-bV9evdNRSQCtG5oC4uQushxB2ja9Y';
+async function fetchListing(slug) {
+    const url = `${PUBLIC_BASE}/rest/v1/md_library_feed`
+        + `?slug=eq.${encodeURIComponent(slug)}`
+        + `&select=id,slug,title,description,author_name,bundle_url,bundle_sha256,bundle_size_bytes,bundle_version,manifest_version,target_format`
+        + `&limit=1`;
+    const res = await fetch(url, {
+        headers: {
+            apikey: ANON_KEY,
+            Authorization: `Bearer ${ANON_KEY}`,
+            Accept: 'application/json',
+        },
+    });
+    if (!res.ok) {
+        throw new Error(`Library lookup failed (HTTP ${res.status})`);
+    }
+    const rows = (await res.json());
+    return rows[0] ?? null;
+}
+async function downloadBundle(url, dest, expectedSha) {
+    const res = await fetch(url);
+    if (!res.ok)
+        throw new Error(`Bundle download failed (HTTP ${res.status})`);
+    if (!res.body)
+        throw new Error('Bundle download returned no body');
+    // Stream to disk while computing sha256 inline. Avoids holding the
+    // entire .tar.gz in memory, fast-fails on hash mismatch.
+    const out = createWriteStream(dest);
+    const hash = createHash('sha256');
+    await new Promise((resolve, reject) => {
+        const stream = Readable.fromWeb(res.body);
+        stream.on('data', (chunk) => hash.update(chunk));
+        stream.on('error', reject);
+        out.on('error', reject);
+        out.on('finish', () => resolve());
+        stream.pipe(out);
+    });
+    const got = hash.digest('hex');
+    if (got !== expectedSha) {
+        throw new Error(`Bundle integrity check failed.\n  expected: ${expectedSha}\n  got:      ${got}\n`
+            + `  Refusing to run an install script with a mismatched hash. `
+            + `Try again — if this persists report it to https://github.com/commitshow/cli/issues`);
+    }
+}
+function untar(tarball, into) {
+    return new Promise((resolve, reject) => {
+        mkdirSync(into, { recursive: true });
+        const child = spawn('tar', ['-xzf', tarball, '-C', into], { stdio: 'inherit' });
+        child.on('error', reject);
+        child.on('exit', code => code === 0 ? resolve() : reject(new Error(`tar exited ${code}`)));
+    });
+}
+function findInstallScript(extractRoot) {
+    // Bundles tar with the skill dir as the top-level entry, so after
+    // extraction we expect: <extractRoot>/<slug>/scripts/install.sh
+    // Handle both that shape and a flat shape where pack.yaml is at root.
+    const direct = join(extractRoot, 'scripts', 'install.sh');
+    if (existsSync(direct))
+        return direct;
+    // Find first child directory containing scripts/install.sh
+    for (const ent of readdirSync(extractRoot, { withFileTypes: true })) {
+        if (ent.isDirectory()) {
+            const cand = join(extractRoot, ent.name, 'scripts', 'install.sh');
+            if (existsSync(cand))
+                return cand;
+        }
+    }
+    return null;
+}
+function runInstallScript(scriptPath, projectDir) {
+    return new Promise(resolve => {
+        const child = spawn('bash', [scriptPath, projectDir], {
+            stdio: 'inherit',
+            env: { ...process.env },
+        });
+        child.on('exit', code => resolve(code ?? 1));
+        child.on('error', err => {
+            console.error(c.scarlet(`  install.sh failed to launch: ${err.message}`));
+            resolve(1);
+        });
+    });
+}
+export async function install(args) {
+    const slug = args.find(a => !a.startsWith('-'));
+    if (!slug) {
+        console.error(c.scarlet('  usage: commitshow install <slug>'));
+        console.error(c.muted('  e.g.   commitshow install supabase-resend-auth'));
+        return 2;
+    }
     console.log('');
-    console.log(c.cream('Install is not yet available in CLI 0.1.'));
+    console.log(c.muted(`→ Looking up `) + c.gold(slug) + c.muted(` in commit.show Library...`));
+    let listing;
+    try {
+        listing = await fetchListing(slug);
+    }
+    catch (e) {
+        console.error(c.scarlet(`  ${e.message}`));
+        return 1;
+    }
+    if (!listing) {
+        console.error(c.scarlet(`  No published pack with slug '${slug}'.`));
+        console.error(c.muted(`  Browse https://commit.show/library to find the right slug.`));
+        return 1;
+    }
+    if (!listing.bundle_url || !listing.bundle_sha256) {
+        console.error(c.scarlet(`  '${slug}' is listed but has no installable bundle yet.`));
+        console.error(c.muted(`  This pack may be content-only (Apply-to-my-repo on the web).`));
+        return 1;
+    }
+    const sizeKb = listing.bundle_size_bytes ? (listing.bundle_size_bytes / 1024).toFixed(1) : '?';
     console.log('');
-    console.log(c.muted('  `commitshow install <pack>` will write MCP / IDE rule files directly into'));
-    console.log(c.muted('  the cwd. Requires login + GitHub OAuth for Apply-to-my-repo PRs.'));
+    console.log(c.cream(`  ${listing.title}`) + c.muted(`  v${listing.bundle_version ?? '?'}`));
+    if (listing.description) {
+        console.log(c.muted(`  ${listing.description.split('\n')[0]}`));
+    }
+    console.log(c.dim(`  by ${listing.author_name ?? 'unknown'} · ${sizeKb} KB · sha256 ${listing.bundle_sha256.slice(0, 12)}…`));
     console.log('');
-    console.log(c.dim('  Use Apply-to-my-repo on the web → https://commit.show/library'));
-    return 1;
+    // Cache layout: ~/.commitshow/cache/<slug>-<version>/
+    const cacheRoot = join(homedir(), '.commitshow', 'cache');
+    const stagingDir = mkdtempSync(join(tmpdir(), `commitshow-${slug}-`));
+    const versionTag = listing.bundle_version || 'unversioned';
+    const finalDir = join(cacheRoot, `${slug}-${versionTag}`);
+    try {
+        await mkdir(cacheRoot, { recursive: true });
+        // If already cached with the right hash, skip download
+        const cachedScript = existsSync(finalDir) ? findInstallScript(finalDir) : null;
+        let installScript = null;
+        if (cachedScript) {
+            console.log(c.muted(`  using cached bundle at ${finalDir}`));
+            installScript = cachedScript;
+        }
+        else {
+            const tarball = join(stagingDir, 'bundle.tar.gz');
+            console.log(c.muted(`→ Downloading bundle...`));
+            await downloadBundle(listing.bundle_url, tarball, listing.bundle_sha256);
+            console.log(c.muted(`  ✓ sha256 verified`));
+            console.log(c.muted(`→ Extracting to ${finalDir}`));
+            // Clear any old version of this slug+version dir
+            await rm(finalDir, { recursive: true, force: true });
+            await untar(tarball, finalDir);
+            installScript = findInstallScript(finalDir);
+        }
+        if (!installScript) {
+            console.error(c.scarlet(`  Bundle extracted but no scripts/install.sh found.`));
+            console.error(c.muted(`  Pack may be malformed · please report to the publisher.`));
+            return 1;
+        }
+        console.log(c.muted(`→ Running installer in ${process.cwd()}`));
+        console.log(c.dim(`  (the script prompts for YOUR Supabase + Resend credentials below)`));
+        const exitCode = await runInstallScript(installScript, process.cwd());
+        if (exitCode === 0) {
+            console.log('');
+            console.log(c.gold('✓ ') + c.cream(`${listing.title} installed`));
+            console.log('');
+        }
+        else {
+            console.error('');
+            console.error(c.scarlet(`✗ Installer exited with code ${exitCode}`));
+            console.error(c.muted(`  See the messages above. The bundle is cached at:`));
+            console.error(c.muted(`    ${finalDir}`));
+            console.error(c.muted(`  · re-run with: bash ${installScript}`));
+        }
+        return exitCode;
+    }
+    finally {
+        await rm(stagingDir, { recursive: true, force: true }).catch(() => { });
+    }
 }

package/dist/index.js

@@ -34,7 +34,7 @@ ${c.muted('COMMANDS')}
   ${c.gold('audit')}    [target]    run audit and render the report
   ${c.gold('status')}   [target]    latest score, no re-run
   ${c.gold('submit')}   [target]    audition a project (requires login · coming soon)
-  ${c.gold('install')}  <pack>      install a library artifact (coming soon)
+  ${c.gold('install')}  <slug>      install a library pack (e.g. supabase-resend-auth)
   ${c.gold('login')}                device-flow sign-in (coming soon)
   ${c.gold('whoami')}                who am I signed in as
 

package/dist/lib/render.js

@@ -471,19 +471,34 @@ export function renderAudit(view) {
     const isWalkOn = p.status === 'preview';
     const total = p.score_total ?? 0;
     const lines = [];
-    // Big COMMIT.SHOW ANSI Shadow banner. The wordmark needs ~105 cells
-    // including indent — show it whenever the terminal can fit it. Falls
-    // back to the small Claude-style strip below on narrow terminals so
-    // the brand still lands. COLUMNS env var is a fallback when stdout
-    // isn't a TTY (CI logs · piped output).
+    // Big COMMIT.SHOW ANSI Shadow banner. Three-tier fallback by width:
+    //   · cols ≥ 99      → single-line "COMMIT.SHOW"
+    //   · cols ≥ 50      → stacked two-line "COMMIT." / "SHOW" so the
+    //                       brand still lands at standard 80-col terminals
+    //   · cols < 50      → fall through to the Claude-style strip only
+    // COLUMNS env var is the fallback when stdout isn't a TTY (CI logs ·
+    // piped output).
     const cols = process.stdout.columns
         ?? (process.env.COLUMNS ? Number(process.env.COLUMNS) : 80);
-    const bannerRows = bigText('COMMIT.SHOW');
-    if (cols >= bannerRows[0].length + 2) {
-        for (const r of bannerRows)
+    const single = bigText('COMMIT.SHOW');
+    const singleW = single[0].length;
+    if (cols >= singleW + 2) {
+        for (const r of single)
             lines.push('  ' + c.gold(r));
         lines.push('');
     }
+    else {
+        const top = bigText('COMMIT.');
+        const bot = bigText('SHOW');
+        const stackedW = Math.max(top[0].length, bot[0].length);
+        if (cols >= stackedW + 2) {
+            for (const r of top)
+                lines.push('  ' + c.gold(r));
+            for (const r of bot)
+                lines.push('  ' + c.gold(r));
+            lines.push('');
+        }
+    }
     // Claude Code-style welcome strip · rounded corners + ✻ glyph. Always
     // shown so the brand mark lands even when the big banner doesn't fit.
     const roundTop = c.muted('╭' + '─'.repeat(INSIDE_W) + '╮');

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "commitshow",
-  "version": "0.3.24",
-  "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
+  "version": "0.3.26",
+  "description": "commit.show CLI \u2014 audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {
     "commitshow": "./bin/commitshow.js"