create-mushi-mushi 0.4.0 → 0.5.1

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,51 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at **security@mushimushi.dev**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.

package/CONTRIBUTING.md

@@ -0,0 +1,122 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributing to Mushi Mushi
+
+Thanks for wanting to help. Here's everything you need to get started.
+
+## Prerequisites
+
+- **Node.js >= 22** (see `.node-version`)
+- **pnpm >= 10** — install with `corepack enable`
+
+## Setup
+
+```bash
+git clone https://github.com/kensaurus/mushi-mushi.git
+cd mushi-mushi
+pnpm install
+pnpm build
+```
+
+## Development
+
+```bash
+pnpm dev          # Start all dev servers (admin on :6464)
+pnpm test         # Run Vitest across all packages
+pnpm typecheck    # TypeScript checks
+pnpm lint         # ESLint
+pnpm format       # Prettier
+```
+
+### Working on a single package
+
+```bash
+cd packages/core
+pnpm dev          # Watch mode
+pnpm test         # Tests for this package only
+```
+
+## Project Structure
+
+```
+packages/
+  core/          Types, API client, offline queue (MIT)
+  web/           Browser SDK — widget, capture (MIT)
+  react/         React bindings (MIT)
+  vue/           Vue 3 plugin (MIT)
+  svelte/        Svelte SDK (MIT)
+  angular/       Angular SDK (MIT)
+  react-native/  React Native SDK (MIT)
+  cli/           CLI tool (MIT)
+  mcp/           MCP server for coding agents (MIT)
+  server/        Supabase Edge Functions (BSL)
+  agents/        Agentic fix pipeline (BSL)
+  verify/        Fix verification (BSL)
+apps/
+  admin/         Admin dashboard (React + Tailwind)
+  docs/          Documentation site (planned)
+tooling/
+  eslint-config/ Shared ESLint flat config
+  tsconfig/      Shared TypeScript configs
+```
+
+## Making Changes
+
+1. Create a feature branch from `master`
+2. Make your changes
+3. Add tests for new functionality
+4. Run `pnpm typecheck && pnpm lint && pnpm test` to verify
+5. Create a changeset if your change affects published packages:
+   ```bash
+   pnpm changeset
+   ```
+6. Open a pull request
+
+## Changesets
+
+We use [Changesets](https://github.com/changesets/changesets) for versioning. If your PR modifies a published package (`core`, `web`, `react`, `vue`, `svelte`, `angular`, `react-native`, `cli`, `mcp`), add a changeset:
+
+```bash
+pnpm changeset
+```
+
+Select the affected packages, the semver bump type, and write a summary. The changeset file gets committed with your PR.
+
+## Code Style
+
+- **TypeScript strict mode** — no `any` unless absolutely necessary
+- **Prettier** formats everything — run `pnpm format` before committing
+- **ESLint** catches bugs — `pnpm lint` must pass
+- **No default exports** in library packages — use named exports
+- **Dual ESM/CJS** builds via tsup for all SDK packages
+
+## Commit Messages
+
+Use conventional commits:
+
+```
+feat(core): add batch report submission
+fix(web): prevent widget from opening during screenshot
+docs(react): update provider usage example
+chore: bump dependencies
+```
+
+## Tests
+
+- **Framework:** Vitest
+- **Location:** Co-located with source (`src/foo.test.ts`)
+- **Coverage:** Required for `core`, `web`, `react` — encouraged for all packages
+
+## License
+
+- SDK packages are MIT — your contributions will be MIT-licensed
+- Server/agents/verify are BSL 1.1 — contributions to those packages fall under BSL
+
+## Questions?
+
+Open an issue or start a discussion. We're happy to help.

package/README.md

@@ -10,9 +10,17 @@ yarn create mushi-mushi
 bun create mushi-mushi
 ```
 
-Auto-detects your framework (Next.js, Nuxt, SvelteKit, Angular, Expo, Capacitor, plain React/Vue/Svelte, vanilla JS), installs the right `@mushi-mushi/*` SDK, writes your env vars, and prints the snippet to drop into your app.
+## What it does
 
-This is a **scaffold for existing projects** — it does not generate a new app from scratch. To add Mushi to an app you already have, run it from the project root.
+1. **Detects your framework** — Next.js, Nuxt, SvelteKit, Angular, Expo, Capacitor, plain React/Vue/Svelte, or vanilla JS.
+2. **Picks the right SDK** — `@mushi-mushi/react`, `@mushi-mushi/vue`, `@mushi-mushi/svelte`, `@mushi-mushi/angular`, `@mushi-mushi/react-native`, `@mushi-mushi/capacitor`, or `@mushi-mushi/web`.
+3. **Detects your package manager** — uses `npm`, `pnpm`, `yarn`, or `bun` based on your lockfile.
+4. **Writes env vars** — `MUSHI_PROJECT_ID` and `MUSHI_API_KEY` land in `.env.local` with the right framework prefix (`NEXT_PUBLIC_`, `NUXT_PUBLIC_`, `VITE_`).
+5. **Warns about `.gitignore`** — won't ship secrets if your env file isn't ignored.
+6. **Prints the provider snippet** — framework-specific code to paste in.
+7. **Sends a test report** (opt-in) — closes the loop so you see your first classified bug immediately.
+
+This is a **scaffold for existing projects** — it does not generate a new app from scratch. Run it from the project root of an existing app.
 
 ## Flags
 
@@ -20,22 +28,42 @@ This is a **scaffold for existing projects** — it does not generate a new app
 npm create mushi-mushi -- --framework next
 npm create mushi-mushi -- --project-id proj_xxx --api-key mushi_xxx
 npm create mushi-mushi -- --skip-install
+npm create mushi-mushi -- --skip-test-report
+npm create mushi-mushi -- --cwd apps/web
+npm create mushi-mushi -- --endpoint https://mushi.your-company.com
 npm create mushi-mushi -- -y
 npm create mushi-mushi -- --help
 ```
 
-## Equivalent
+> `npm create` and `pnpm create` need the `--` separator before flags. Yarn 1 and Bun do not.
+
+## Equivalent commands
 
 ```bash
-npx mushi-mushi               # same wizard, shorter to type
-npx @mushi-mushi/cli init     # same wizard, scoped name
+npx mushi-mushi               # shorter
+npx @mushi-mushi/cli init     # scoped name
 ```
 
+## Troubleshooting
+
+- **Wrong framework detected?** Pass `--framework <id>` explicitly. Valid IDs: `next, react, vue, nuxt, svelte, sveltekit, angular, expo, react-native, capacitor, vanilla`.
+- **Running in a monorepo?** `cd` into the package you want Mushi in first, or pass `--cwd apps/web`.
+- **`npx` cache serving an old version?** Run `npm cache clean --force` or `npx mushi-mushi@latest`.
+- **Non-interactive (CI)?** Pass all of `--yes`, `--project-id`, and `--api-key`. The wizard exits with a clear error otherwise.
+- **Key pasted with quotes/whitespace?** The wizard strips them, but still validates against `mushi_[A-Za-z0-9_-]{10,}` / `proj_[A-Za-z0-9_-]{10,}`.
+
+## Security
+
+- Credentials accepted via `--api-key` flag leak into `ps -ef`. Prefer the interactive prompt on dev machines; on CI, pass them via the environment and an explicit `--api-key "$MUSHI_API_KEY"` at the boundary.
+- The `~/.mushirc` credentials cache is written with mode `0o600` (owner read/write only) on Unix.
+- All env-file writes strip CR/LF/NUL from secrets to prevent accidental `.env` injection.
+
 ## Links
 
-- 🌐 [Console](https://kensaur.us/mushi-mushi/)
-- 📦 [GitHub](https://github.com/kensaurus/mushi-mushi)
-- 📚 [Docs](https://github.com/kensaurus/mushi-mushi#readme)
+- [Console](https://kensaur.us/mushi-mushi/)
+- [GitHub](https://github.com/kensaurus/mushi-mushi)
+- [Docs](https://github.com/kensaurus/mushi-mushi#readme)
+- [Report a bug](https://github.com/kensaurus/mushi-mushi/issues)
 
 ## License
 

package/SECURITY.md

@@ -0,0 +1,50 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.x     | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly.
+
+**Do NOT open a public GitHub issue.**
+
+Instead, email: **security@mushimushi.dev**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+- Suggested fix (if any)
+
+We will acknowledge receipt within 48 hours and aim to release a patch within 7 days for critical issues.
+
+## Scope
+
+- All `@mushi-mushi/*` npm packages
+- Supabase Edge Functions (server-side)
+- Admin console application
+- CLI tool
+
+## Out of Scope
+
+- Self-hosted deployments configured by the user
+- Third-party integrations (Jira, Linear, PagerDuty)
+- Vulnerabilities requiring physical access
+
+## Security Best Practices for Users
+
+- **Never commit your API keys** — use environment variables
+- **Rotate API keys** regularly via the admin console
+- **Enable SSO** for team projects (Enterprise tier)
+- **Review audit logs** periodically for suspicious activity

package/dist/index.js

@@ -2,44 +2,46 @@
 
 // src/index.ts
 import { runInit } from "@mushi-mushi/cli/init";
+import { FRAMEWORK_IDS, isFrameworkId } from "@mushi-mushi/cli/detect";
+var VERSION = true ? "0.5.1" : "0.0.0-dev";
+var MIN_NODE_MAJOR = 18;
+var ISSUES_URL = "https://github.com/kensaurus/mushi-mushi/issues";
 var HELP = `create-mushi-mushi \u2014 add Mushi Mushi to your existing project
 
 Usage:
   npm create mushi-mushi              run the setup wizard
   npm create mushi-mushi -- --help    show all flags
 
+Note: \`npm create\` requires the \`--\` separator before flags.
+      \`yarn create mushi-mushi --help\` works without it on Yarn 1.
+      \`pnpm create mushi-mushi -- --help\` mirrors npm.
+      \`bun create mushi-mushi --help\` works without it.
+
 Flags (forwarded to the wizard):
   --project-id <id>            skip the project ID prompt
-  --api-key <key>              skip the API key prompt
-  --framework <id>             force a framework (next, react, vue, nuxt,
-                               svelte, sveltekit, angular, expo,
-                               react-native, capacitor, vanilla)
+  --api-key <key>              skip the API key prompt (CI only)
+  --framework <id>             force a framework (${FRAMEWORK_IDS.join(", ")})
   --skip-install               print the install command instead of running it
+  --skip-test-report           don't offer to send a test report at the end
+  --cwd <path>                 run in a different directory
+  --endpoint <url>             override the Mushi API endpoint (self-hosted)
   -y, --yes                    accept the detected framework without prompting
+  -v, --version                print the version and exit
 
 Docs:    https://github.com/kensaurus/mushi-mushi
 Console: https://kensaur.us/mushi-mushi/`;
-var VALID_FRAMEWORKS = [
-  "next",
-  "react",
-  "vue",
-  "nuxt",
-  "svelte",
-  "sveltekit",
-  "angular",
-  "expo",
-  "react-native",
-  "capacitor",
-  "vanilla"
-];
 function parseArgs(args) {
-  const out = { showHelp: false };
+  const out = { showHelp: false, showVersion: false };
   for (let i = 0; i < args.length; i++) {
     const a = args[i];
     if (a === "-h" || a === "--help") {
       out.showHelp = true;
       continue;
     }
+    if (a === "-v" || a === "--version") {
+      out.showVersion = true;
+      continue;
+    }
     if (a === "-y" || a === "--yes") {
       out.yes = true;
       continue;
@@ -48,6 +50,10 @@ function parseArgs(args) {
       out.skipInstall = true;
       continue;
     }
+    if (a === "--skip-test-report") {
+      out.skipTestReport = true;
+      continue;
+    }
     if (a === "--project-id") {
       out.projectId = args[++i];
       continue;
@@ -56,10 +62,18 @@ function parseArgs(args) {
       out.apiKey = args[++i];
       continue;
     }
+    if (a === "--cwd") {
+      out.cwd = args[++i];
+      continue;
+    }
+    if (a === "--endpoint") {
+      out.endpoint = args[++i];
+      continue;
+    }
     if (a === "--framework") {
       const fw = args[++i];
-      if (!VALID_FRAMEWORKS.includes(fw)) {
-        throw new Error(`Unknown framework: ${fw}. Valid: ${VALID_FRAMEWORKS.join(", ")}`);
+      if (!isFrameworkId(fw)) {
+        throw new Error(`Unknown framework: ${fw}. Valid: ${FRAMEWORK_IDS.join(", ")}`);
       }
       out.framework = fw;
       continue;
@@ -70,16 +84,33 @@ function parseArgs(args) {
   }
   return out;
 }
+function assertNodeVersion() {
+  const major = Number(process.versions.node.split(".")[0]);
+  if (!Number.isFinite(major) || major < MIN_NODE_MAJOR) {
+    process.stderr.write(
+      `create-mushi-mushi requires Node.js ${MIN_NODE_MAJOR} or newer. You are on ${process.versions.node}.
+Upgrade Node (https://nodejs.org/) and try again.
+`
+    );
+    process.exit(1);
+  }
+}
 async function main() {
+  assertNodeVersion();
   let parsed;
   try {
     parsed = parseArgs(process.argv.slice(2));
   } catch (err) {
-    console.error(err instanceof Error ? err.message : String(err));
+    process.stderr.write(`${err instanceof Error ? err.message : String(err)}
+`);
     process.exit(1);
   }
   if (parsed.showHelp) {
-    console.log(HELP);
+    process.stdout.write(HELP + "\n");
+    return;
+  }
+  if (parsed.showVersion) {
+    process.stdout.write(VERSION + "\n");
     return;
   }
   await runInit({
@@ -87,10 +118,22 @@ async function main() {
     apiKey: parsed.apiKey,
     framework: parsed.framework,
     skipInstall: parsed.skipInstall,
-    yes: parsed.yes
+    yes: parsed.yes,
+    cwd: parsed.cwd,
+    endpoint: parsed.endpoint,
+    sendTestReport: parsed.skipTestReport ? false : void 0
   });
 }
 main().catch((err) => {
-  console.error(err instanceof Error ? err.message : String(err));
+  const message = err instanceof Error ? err.message : String(err);
+  process.stderr.write(`
+create-mushi-mushi: ${message}
+`);
+  if (process.env.DEBUG?.includes("mushi") && err instanceof Error && err.stack) {
+    process.stderr.write(err.stack + "\n");
+  }
+  process.stderr.write(`
+If this is a bug, please report it at ${ISSUES_URL}
+`);
   process.exit(1);
 });

package/package.json

@@ -1,19 +1,20 @@
 {
   "name": "create-mushi-mushi",
-  "version": "0.4.0",
+  "version": "0.5.1",
   "license": "MIT",
   "description": "Run `npm create mushi-mushi` to add the Mushi Mushi bug-reporting SDK to your existing project — the wizard auto-detects your framework (React, Vue, Svelte, Angular, React Native, Expo, Capacitor) and installs the right package.",
   "bin": {
     "create-mushi-mushi": "./dist/index.js"
   },
   "dependencies": {
-    "@mushi-mushi/cli": "^0.4.0"
+    "@mushi-mushi/cli": "^0.5.1"
   },
   "devDependencies": {
     "@types/node": "^22.15.3",
     "eslint": "^10.2.0",
     "tsup": "^8.5.1",
     "typescript": "^6.0.2",
+    "vitest": "^4.1.4",
     "@mushi-mushi/eslint-config": "0.0.0"
   },
   "author": "Kenji Sakuramoto",
@@ -26,13 +27,21 @@
   "bugs": {
     "url": "https://github.com/kensaurus/mushi-mushi/issues"
   },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/sponsors/kensaurus"
+  },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "dist",
     "README.md",
-    "LICENSE"
+    "LICENSE",
+    "CONTRIBUTING.md",
+    "CODE_OF_CONDUCT.md",
+    "SECURITY.md"
   ],
   "sideEffects": false,
   "keywords": [
@@ -66,6 +75,7 @@
   "scripts": {
     "build": "tsup",
     "lint": "eslint src/",
+    "test": "vitest run",
     "typecheck": "tsc --noEmit"
   }
 }