npm - commitshow - Versions diffs - 0.3.25 → 0.3.27 - Mend

commitshow 0.3.25 → 0.3.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/commands/audit.js +11 -0
package/dist/commands/install.js +187 -6
package/dist/index.js +1 -1
package/dist/lib/ci-prompt.js +93 -0
package/package.json +2 -2

package/dist/commands/audit.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { findProjectByGithubUrl, fetchLatestSnapshot, fetchStanding, runPreviewA
 import { renderAudit, renderMarkdown, renderJson, renderUpsell, renderStarCta, renderQuotaFooter, renderRateLimitDeny, renderAuditError, writeAuditMarkdown, writeAuditJson, } from '../lib/render.js';
 import { c } from '../lib/colors.js';
 import { Spinner } from '../lib/spinner.js';
+import { maybeOfferCi } from '../lib/ci-prompt.js';
 export async function audit(args) {
     const asJson = args.includes('--json');
     const force = args.includes('--refresh') || args.includes('--force');
@@ -123,6 +124,12 @@ export async function audit(args) {
                 if (jsonPath)
                     console.log(c.dim(`  Saved → ${jsonPath}`));
             }
+            // Post-audit CI nudge · only in interactive non-JSON mode.
+            // Skipped silently if not in a git repo / no GitHub remote /
+            // workflow already exists.
+            if (!asJson && target.localPath) {
+                await maybeOfferCi(target.localPath);
+            }
         }
         return 0;
     }
@@ -248,6 +255,10 @@ export async function audit(args) {
             if (jsonPath)
                 console.log(c.dim(`  Saved → ${jsonPath}`));
         }
+        // Post-audit CI nudge · only in interactive non-JSON mode.
+        if (!asJson && target.localPath) {
+            await maybeOfferCi(target.localPath);
+        }
     }
     return 0;
 }

package/dist/commands/install.js CHANGED Viewed

@@ -1,11 +1,192 @@
+// `commitshow install <slug>` — fetch a marketplace pack and run its
+// installer in the current working directory.
+//
+// Flow:
+//   1. Look up the listing by slug via PostgREST (md_library_feed)
+//   2. Download the bundle .tar.gz from Storage public URL
+//   3. Verify sha256 against the listing's bundle_sha256
+//   4. Untar to ~/.commitshow/cache/<slug>-<version>/
+//   5. Run scripts/install.sh from the untarred bundle, with $PWD set
+//      to the user's project directory. The installer itself prompts
+//      for inputs (osascript on macOS, stdin elsewhere) and runs ALL
+//      operations against the user's own credentials.
+//
+// commit.show is the bundle delivery channel only · no user secrets
+// pass through any of our infrastructure.
+import { spawn } from 'node:child_process';
+import { createWriteStream, mkdtempSync, mkdirSync, existsSync, readdirSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { tmpdir, homedir } from 'node:os';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { Readable } from 'node:stream';
 import { c } from '../lib/colors.js';
-export async function install(_args) {
+const PUBLIC_BASE = 'https://tekemubwihsjdzittoqf.supabase.co';
+const ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InRla2VtdWJ3aWhzamR6aXR0b3FmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzY0MzQ1NzUsImV4cCI6MjA5MjAxMDU3NX0.n2K-3lFVvlXQx-bV9evdNRSQCtG5oC4uQushxB2ja9Y';
+async function fetchListing(slug) {
+    const url = `${PUBLIC_BASE}/rest/v1/md_library_feed`
+        + `?slug=eq.${encodeURIComponent(slug)}`
+        + `&select=id,slug,title,description,author_name,bundle_url,bundle_sha256,bundle_size_bytes,bundle_version,manifest_version,target_format`
+        + `&limit=1`;
+    const res = await fetch(url, {
+        headers: {
+            apikey: ANON_KEY,
+            Authorization: `Bearer ${ANON_KEY}`,
+            Accept: 'application/json',
+        },
+    });
+    if (!res.ok) {
+        throw new Error(`Library lookup failed (HTTP ${res.status})`);
+    }
+    const rows = (await res.json());
+    return rows[0] ?? null;
+}
+async function downloadBundle(url, dest, expectedSha) {
+    const res = await fetch(url);
+    if (!res.ok)
+        throw new Error(`Bundle download failed (HTTP ${res.status})`);
+    if (!res.body)
+        throw new Error('Bundle download returned no body');
+    // Stream to disk while computing sha256 inline. Avoids holding the
+    // entire .tar.gz in memory, fast-fails on hash mismatch.
+    const out = createWriteStream(dest);
+    const hash = createHash('sha256');
+    await new Promise((resolve, reject) => {
+        const stream = Readable.fromWeb(res.body);
+        stream.on('data', (chunk) => hash.update(chunk));
+        stream.on('error', reject);
+        out.on('error', reject);
+        out.on('finish', () => resolve());
+        stream.pipe(out);
+    });
+    const got = hash.digest('hex');
+    if (got !== expectedSha) {
+        throw new Error(`Bundle integrity check failed.\n  expected: ${expectedSha}\n  got:      ${got}\n`
+            + `  Refusing to run an install script with a mismatched hash. `
+            + `Try again — if this persists report it to https://github.com/commitshow/cli/issues`);
+    }
+}
+function untar(tarball, into) {
+    return new Promise((resolve, reject) => {
+        mkdirSync(into, { recursive: true });
+        const child = spawn('tar', ['-xzf', tarball, '-C', into], { stdio: 'inherit' });
+        child.on('error', reject);
+        child.on('exit', code => code === 0 ? resolve() : reject(new Error(`tar exited ${code}`)));
+    });
+}
+function findInstallScript(extractRoot) {
+    // Bundles tar with the skill dir as the top-level entry, so after
+    // extraction we expect: <extractRoot>/<slug>/scripts/install.sh
+    // Handle both that shape and a flat shape where pack.yaml is at root.
+    const direct = join(extractRoot, 'scripts', 'install.sh');
+    if (existsSync(direct))
+        return direct;
+    // Find first child directory containing scripts/install.sh
+    for (const ent of readdirSync(extractRoot, { withFileTypes: true })) {
+        if (ent.isDirectory()) {
+            const cand = join(extractRoot, ent.name, 'scripts', 'install.sh');
+            if (existsSync(cand))
+                return cand;
+        }
+    }
+    return null;
+}
+function runInstallScript(scriptPath, projectDir) {
+    return new Promise(resolve => {
+        const child = spawn('bash', [scriptPath, projectDir], {
+            stdio: 'inherit',
+            env: { ...process.env },
+        });
+        child.on('exit', code => resolve(code ?? 1));
+        child.on('error', err => {
+            console.error(c.scarlet(`  install.sh failed to launch: ${err.message}`));
+            resolve(1);
+        });
+    });
+}
+export async function install(args) {
+    const slug = args.find(a => !a.startsWith('-'));
+    if (!slug) {
+        console.error(c.scarlet('  usage: commitshow install <slug>'));
+        console.error(c.muted('  e.g.   commitshow install supabase-resend-auth'));
+        return 2;
+    }
     console.log('');
-    console.log(c.cream('Install is not yet available in CLI 0.1.'));
+    console.log(c.muted(`→ Looking up `) + c.gold(slug) + c.muted(` in commit.show Library...`));
+    let listing;
+    try {
+        listing = await fetchListing(slug);
+    }
+    catch (e) {
+        console.error(c.scarlet(`  ${e.message}`));
+        return 1;
+    }
+    if (!listing) {
+        console.error(c.scarlet(`  No published pack with slug '${slug}'.`));
+        console.error(c.muted(`  Browse https://commit.show/library to find the right slug.`));
+        return 1;
+    }
+    if (!listing.bundle_url || !listing.bundle_sha256) {
+        console.error(c.scarlet(`  '${slug}' is listed but has no installable bundle yet.`));
+        console.error(c.muted(`  This pack may be content-only (Apply-to-my-repo on the web).`));
+        return 1;
+    }
+    const sizeKb = listing.bundle_size_bytes ? (listing.bundle_size_bytes / 1024).toFixed(1) : '?';
     console.log('');
-    console.log(c.muted('  `commitshow install <pack>` will write MCP / IDE rule files directly into'));
-    console.log(c.muted('  the cwd. Requires login + GitHub OAuth for Apply-to-my-repo PRs.'));
+    console.log(c.cream(`  ${listing.title}`) + c.muted(`  v${listing.bundle_version ?? '?'}`));
+    if (listing.description) {
+        console.log(c.muted(`  ${listing.description.split('\n')[0]}`));
+    }
+    console.log(c.dim(`  by ${listing.author_name ?? 'unknown'} · ${sizeKb} KB · sha256 ${listing.bundle_sha256.slice(0, 12)}…`));
     console.log('');
-    console.log(c.dim('  Use Apply-to-my-repo on the web → https://commit.show/library'));
-    return 1;
+    // Cache layout: ~/.commitshow/cache/<slug>-<version>/
+    const cacheRoot = join(homedir(), '.commitshow', 'cache');
+    const stagingDir = mkdtempSync(join(tmpdir(), `commitshow-${slug}-`));
+    const versionTag = listing.bundle_version || 'unversioned';
+    const finalDir = join(cacheRoot, `${slug}-${versionTag}`);
+    try {
+        await mkdir(cacheRoot, { recursive: true });
+        // If already cached with the right hash, skip download
+        const cachedScript = existsSync(finalDir) ? findInstallScript(finalDir) : null;
+        let installScript = null;
+        if (cachedScript) {
+            console.log(c.muted(`  using cached bundle at ${finalDir}`));
+            installScript = cachedScript;
+        }
+        else {
+            const tarball = join(stagingDir, 'bundle.tar.gz');
+            console.log(c.muted(`→ Downloading bundle...`));
+            await downloadBundle(listing.bundle_url, tarball, listing.bundle_sha256);
+            console.log(c.muted(`  ✓ sha256 verified`));
+            console.log(c.muted(`→ Extracting to ${finalDir}`));
+            // Clear any old version of this slug+version dir
+            await rm(finalDir, { recursive: true, force: true });
+            await untar(tarball, finalDir);
+            installScript = findInstallScript(finalDir);
+        }
+        if (!installScript) {
+            console.error(c.scarlet(`  Bundle extracted but no scripts/install.sh found.`));
+            console.error(c.muted(`  Pack may be malformed · please report to the publisher.`));
+            return 1;
+        }
+        console.log(c.muted(`→ Running installer in ${process.cwd()}`));
+        console.log(c.dim(`  (the script prompts for YOUR Supabase + Resend credentials below)`));
+        const exitCode = await runInstallScript(installScript, process.cwd());
+        if (exitCode === 0) {
+            console.log('');
+            console.log(c.gold('✓ ') + c.cream(`${listing.title} installed`));
+            console.log('');
+        }
+        else {
+            console.error('');
+            console.error(c.scarlet(`✗ Installer exited with code ${exitCode}`));
+            console.error(c.muted(`  See the messages above. The bundle is cached at:`));
+            console.error(c.muted(`    ${finalDir}`));
+            console.error(c.muted(`  · re-run with: bash ${installScript}`));
+        }
+        return exitCode;
+    }
+    finally {
+        await rm(stagingDir, { recursive: true, force: true }).catch(() => { });
+    }
 }

package/dist/index.js CHANGED Viewed

@@ -34,7 +34,7 @@ ${c.muted('COMMANDS')}
   ${c.gold('audit')}    [target]    run audit and render the report
   ${c.gold('status')}   [target]    latest score, no re-run
   ${c.gold('submit')}   [target]    audition a project (requires login · coming soon)
-  ${c.gold('install')}  <pack>      install a library artifact (coming soon)
+  ${c.gold('install')}  <slug>      install a library pack (e.g. supabase-resend-auth)
   ${c.gold('login')}                device-flow sign-in (coming soon)
   ${c.gold('whoami')}                who am I signed in as

package/dist/lib/ci-prompt.js ADDED Viewed

@@ -0,0 +1,93 @@
+// Post-audit nudge · ask the user whether to wire the audit into CI
+// by writing .github/workflows/audit.yml in their repo. Highest-intent
+// moment (they just saw their score and concerns) and the cheapest
+// possible install path (one file, one commit).
+//
+// Skipped silently when:
+//   · stdout/stdin isn't a TTY (CI, scripted use)
+//   · target isn't a git repo
+//   · the repo has no github.com remote
+//   · the workflow file already exists (don't overwrite)
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { createInterface } from 'node:readline/promises';
+import { c } from './colors.js';
+const WORKFLOW_REL_PATH = '.github/workflows/audit.yml';
+const WORKFLOW_BODY = `name: audit
+on:
+  pull_request:
+permissions:
+  pull-requests: write
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: commitshow/audit-action@v1
+`;
+function isGitRepo(path) {
+    return existsSync(join(path, '.git'));
+}
+function hasGithubRemote(path) {
+    try {
+        const cfg = readFileSync(join(path, '.git', 'config'), 'utf8');
+        return /url\s*=\s*[^\n]*github\.com/i.test(cfg);
+    }
+    catch {
+        return false;
+    }
+}
+function existingWorkflow(path) {
+    return existsSync(join(path, WORKFLOW_REL_PATH));
+}
+async function ask(question, defaultYes = true) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const raw = await rl.question(question + ' ');
+        const ans = raw.trim().toLowerCase();
+        if (ans === '')
+            return defaultYes;
+        return ans === 'y' || ans === 'yes';
+    }
+    finally {
+        rl.close();
+    }
+}
+export async function maybeOfferCi(localPath) {
+    if (!process.stdin.isTTY || !process.stdout.isTTY)
+        return;
+    if (!isGitRepo(localPath))
+        return;
+    if (!hasGithubRemote(localPath))
+        return;
+    if (existingWorkflow(localPath))
+        return;
+    console.log('');
+    console.log(c.muted('  Want this audit to run on every pull request?'));
+    console.log(c.muted(`  Drops a single file at ${WORKFLOW_REL_PATH} that uses commitshow/audit-action@v1.`));
+    console.log(c.muted('  The action posts a sticky comment on each PR so regressions surface in review.'));
+    let yes;
+    try {
+        yes = await ask(c.gold('  Add the workflow? [Y/n]'), true);
+    }
+    catch {
+        // Reading from stdin can throw on unusual terminal states (e.g. piped
+        // input that closes mid-read). Treat as "no" rather than crashing.
+        return;
+    }
+    if (!yes) {
+        console.log(c.dim('  Skipped. Run again later or copy the YAML from https://github.com/commitshow/audit-action.'));
+        return;
+    }
+    try {
+        const dir = join(localPath, '.github', 'workflows');
+        mkdirSync(dir, { recursive: true });
+        writeFileSync(join(localPath, WORKFLOW_REL_PATH), WORKFLOW_BODY, 'utf8');
+        console.log(c.gold(`  ✓ Wrote ${WORKFLOW_REL_PATH}`));
+        console.log(c.muted('  Next: commit and push, then open a pull request — the score will post automatically.'));
+    }
+    catch (e) {
+        console.log(c.scarlet(`  Could not write ${WORKFLOW_REL_PATH}: ${e.message}`));
+    }
+}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "commitshow",
-  "version": "0.3.25",
-  "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
+  "version": "0.3.27",
+  "description": "commit.show CLI \u2014 audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {
     "commitshow": "./bin/commitshow.js"