githits 0.4.11 → 0.4.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1 @@
1
+ import{clearAutoLoginAuthSessionMetadata,createAuthCommandDependencies,createAuthStatusDependencies,createContainer,loadAutoLoginAuthSessionMetadata}from"./chunk-ancbjszp.js";import"./chunk-33j95qx6.js";export{loadAutoLoginAuthSessionMetadata,createContainer,createAuthStatusDependencies,createAuthCommandDependencies,clearAutoLoginAuthSessionMetadata};
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "githits",
3
- "version": "0.4.11",
3
+ "version": "0.4.13",
4
4
  "description": "Code examples from global open source for developers and AI assistants.",
5
5
  "mcpServers": {
6
6
  "githits": {
package/package.json CHANGED
@@ -1,8 +1,11 @@
1
1
  {
2
2
  "name": "githits",
3
3
  "description": "CLI companion for GitHits - code examples from global open source for developers and AI assistants",
4
- "version": "0.4.11",
4
+ "version": "0.4.13",
5
5
  "type": "module",
6
+ "workspaces": [
7
+ "packages/*"
8
+ ],
6
9
  "files": [
7
10
  "dist",
8
11
  "LICENSE",
@@ -30,7 +33,7 @@
30
33
  "githits": "dist/cli.js"
31
34
  },
32
35
  "scripts": {
33
- "build": "bunup --dts --target node --packages=external --exports && chmod +x dist/cli.js",
36
+ "build": "bunup && chmod +x dist/cli.js",
34
37
  "dev": "bun run ./src/cli.ts",
35
38
  "inspector": "npx @modelcontextprotocol/inspector bun run dev mcp",
36
39
  "smoke:cli": "bun run scripts/cli-smoke.ts",
@@ -75,7 +78,8 @@
75
78
  "access": "public"
76
79
  },
77
80
  "dependencies": {
78
- "@inquirer/prompts": "^8.4.3",
81
+ "@inquirer/core": "11.1.10",
82
+ "@inquirer/prompts": "8.4.3",
79
83
  "@modelcontextprotocol/sdk": "^1.29.0",
80
84
  "@napi-rs/keyring": "^1.3.0",
81
85
  "commander": "^14.0.2",
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "githits",
3
- "version": "0.4.11",
3
+ "version": "0.4.13",
4
4
  "description": "Code examples from global open source for developers and AI assistants",
5
5
  "author": {
6
6
  "name": "GitHits"
@@ -0,0 +1,119 @@
1
+ ---
2
+ name: onboarding
3
+ description: >-
4
+ Set up GitHits from Claude Code: detect supported tools, install GitHits MCP,
5
+ start sign-in/signup, verify auth, and recover from setup issues.
6
+ metadata:
7
+ internal: true
8
+ ---
9
+
10
+ Use this skill when the user asks to install, connect, set up, sign up for, or start using GitHits. This is a new-user onboarding skill: assume the user wants to create or connect a GitHits account and configure GitHits unless they explicitly say otherwise.
11
+
12
+ ## Current Boundary
13
+
14
+ - GitHits sign-in/signup currently uses browser OAuth. You can start and monitor login, but the user may need to approve GitHits in a browser tab.
15
+ - Never ask the user to paste passwords, OAuth codes, cookies, access tokens, refresh tokens, or API keys into chat.
16
+
17
+ ## Execution Mode
18
+
19
+ - Use `npx -y githits@latest ...` for every normal onboarding command. This guarantees the latest published GitHits CLI behavior for new users.
20
+ - Do not use a globally installed `githits` binary for onboarding unless the user explicitly asks to test a local, dev, or pinned CLI build.
21
+ - If the user explicitly asks for local/dev/pinned testing, preserve the command and environment they provide.
22
+ - Run onboarding commands inline in the current agent session.
23
+ - Do not use subagents, background agents, background terminals, or long-running background tasks for onboarding.
24
+ - Do not delegate `githits`, `npx`, `npm`, `codex`, `claude`, detection, login, or setup commands to subagents or background agents.
25
+ - Do not start `npx -y githits@latest init --detect-agents --json` as a background task. Wait for the result before continuing.
26
+ - Do not run `pkill`, `ps`, process inspection, or package-source inspection as part of normal onboarding.
27
+ - If `npx -y githits@latest ...` fails because of network, DNS, or package-fetch errors, stop and report that GitHits CLI is unavailable.
28
+ - If official detection fails or appears stuck, do not inspect package internals, manually probe tools to infer install IDs, or ask the user to type inferred IDs. Report the detection failure and offer to retry, switch setup scope, or stop.
29
+
30
+ ## Flow
31
+
32
+ 1. Choose setup scope with a structured choice. Do not ask the user to type a freeform response.
33
+
34
+ Ask: `Where should GitHits be configured?`
35
+
36
+ Options:
37
+
38
+ - `My user account (Recommended)` — configures detected tools globally/user-level on this machine so GitHits is available wherever the user works with those agents.
39
+ - `This project only` — writes project-local MCP files into this repo; files may be committed.
40
+
41
+ 2. Detect supported tools and current MCP state for the selected scope.
42
+
43
+ Project-level detection:
44
+
45
+ ```bash
46
+ npx -y githits@latest init --project --detect-agents --json
47
+ ```
48
+
49
+ User-level detection:
50
+
51
+ ```bash
52
+ npx -y githits@latest init --detect-agents --json
53
+ ```
54
+
55
+ Run detection inline, not in a background terminal. Wait for JSON before continuing.
56
+
57
+ Do not offer tools with `unsupported_project_config` for project-level setup.
58
+
59
+ 3. If `installableIds` is non-empty, use structured choices for tool selection. Do not ask the user to type comma-separated tool IDs unless no structured choice UI is available.
60
+
61
+ Present `Configure all detected tools (Recommended)` as the first option, then list individual tools for selective setup. Do not present "configure none" as a normal onboarding choice.
62
+
63
+ Ask before writing configuration: `I recommend configuring all detected tools so GitHits works wherever you use an agent. Proceed with all, or choose specific tools?`
64
+
65
+ Do not run `init -y` or `init --yes` unless the user explicitly asks to configure every detected tool.
66
+
67
+ 4. Install only approved IDs using the selected scope.
68
+
69
+ Project-level install:
70
+
71
+ ```bash
72
+ npx -y githits@latest init --project --install-agents <comma-separated-approved-ids> --json
73
+ ```
74
+
75
+ User-level install:
76
+
77
+ ```bash
78
+ npx -y githits@latest init --install-agents <comma-separated-approved-ids> --json
79
+ ```
80
+
81
+ 5. Start GitHits sign-in/signup as part of onboarding. Do not ask whether the user wants to log in; login creates or connects the GitHits account.
82
+
83
+ Check whether login can be skipped because auth is already active:
84
+
85
+ ```bash
86
+ npx -y githits@latest auth status
87
+ ```
88
+
89
+ If not authenticated or expired, ask before launching browser login, then run:
90
+
91
+ ```bash
92
+ npx -y githits@latest login
93
+ ```
94
+
95
+ Use this only when browser launch fails or the environment is headless:
96
+
97
+ ```bash
98
+ npx -y githits@latest login --no-browser
99
+ ```
100
+
101
+ With `--no-browser`, ask the user to open the printed URL. Do not ask them to paste secrets or OAuth codes back into chat.
102
+
103
+ 6. Verify with the selected scope.
104
+
105
+ Project-level verification:
106
+
107
+ ```bash
108
+ npx -y githits@latest auth status
109
+ npx -y githits@latest init --project --detect-agents --json
110
+ ```
111
+
112
+ User-level verification:
113
+
114
+ ```bash
115
+ npx -y githits@latest auth status
116
+ npx -y githits@latest init --detect-agents --json
117
+ ```
118
+
119
+ Report configured tools, auth state, failures, and whether the user should open a new Claude Code session so MCP config changes load.
@@ -0,0 +1,168 @@
1
+ ---
2
+ name: githits-onboarding
3
+ description: >-
4
+ Set up GitHits from an agent session: detect supported coding tools, install
5
+ GitHits MCP configuration, start account sign-in/signup, verify auth, and
6
+ recover from setup issues. Use when the user asks to install, connect, set up,
7
+ sign up for, or start using GitHits.
8
+ compatibility: Requires shell access, internet access, and npx. Use a local githits binary only for explicit local/dev/pinned testing.
9
+ ---
10
+
11
+ Use this skill when the user wants to start using GitHits from their agent.
12
+ This is a new-user onboarding skill: assume the user wants to create or connect
13
+ a GitHits account and configure GitHits unless they explicitly say otherwise.
14
+
15
+ ## Current Boundary
16
+
17
+ - GitHits account sign-in/signup currently uses browser OAuth. You can start and monitor the flow, but the user may need to approve GitHits in a browser tab.
18
+ - Do not promise browserless account creation or that everything happens inside chat.
19
+ - Never ask the user to paste passwords, OAuth codes, cookies, access tokens, refresh tokens, or API keys into chat.
20
+
21
+ ## Command Style
22
+
23
+ - Use `npx -y githits@latest ...` for every normal onboarding command. This guarantees the latest published GitHits CLI behavior for new users.
24
+ - Do not use a globally installed `githits` binary for onboarding unless the user explicitly asks to test a local, dev, or pinned CLI build.
25
+ - If the user explicitly asks for local/dev/pinned testing, preserve the command and environment they provide.
26
+ - Prefer `--json` for staged `init` commands because agents need stable fields.
27
+ - Do not start `npx -y githits@latest` as a background task. If `npx` fails because of network, DNS, or package-fetch errors, stop and report that GitHits CLI is unavailable.
28
+
29
+ ## Execution Mode
30
+
31
+ - Run onboarding commands inline in the current agent session.
32
+ - For Codex and other agents with background/subagent capabilities, do not use subagents, background agents, background terminals, or long-running background tasks for onboarding.
33
+ - Do not delegate `githits`, `npx`, `npm`, `codex`, `claude`, detection, login, or setup commands to subagents or background agents.
34
+ - Do not start `npx -y githits@latest init --detect-agents --json` as a background task. Run it directly, wait for the result, and only continue after it returns.
35
+ - Do not run `pkill`, `ps`, process inspection, or package-source inspection as part of normal onboarding. If a command appears stuck, stop and report that official detection did not return.
36
+ - These are short setup probes and must stay visible and sequential so the user can approve side effects and failures are easy to diagnose.
37
+ - If official detection fails or appears stuck, do not inspect package internals, manually probe tools to infer install IDs, or ask the user to type inferred IDs. Report that official GitHits detection failed and offer to retry, switch setup scope, or stop.
38
+
39
+ ## Onboarding Flow
40
+
41
+ 1. Choose setup scope with a structured choice.
42
+
43
+ Use the agent's structured choice UI when available. Do not ask the user to type a freeform response for setup scope.
44
+
45
+ Ask: `Where should GitHits be configured?`
46
+
47
+ Options:
48
+
49
+ - `My user account (Recommended)` — configures detected tools globally/user-level on this machine. Best for onboarding because GitHits will be available wherever the user works with those agents.
50
+ - `This project only` — writes project-local MCP files into the current repo. Good for repo-specific or team setup. These files may be committed.
51
+
52
+ 2. Detect supported coding tools and GitHits MCP configuration state for the selected scope:
53
+
54
+ Project-level detection:
55
+
56
+ ```bash
57
+ npx -y githits@latest init --project --detect-agents --json
58
+ ```
59
+
60
+ User-level detection:
61
+
62
+ ```bash
63
+ npx -y githits@latest init --detect-agents --json
64
+ ```
65
+
66
+ Run detection inline, not in a background terminal. Wait for JSON before continuing.
67
+
68
+ Use the JSON fields to summarize detected tools. `agents[].status` can be `needs_setup`, `already_configured`, `unsupported_project_config`, or `not_detected`. `installableIds` lists detected tools that need setup for the selected scope.
69
+
70
+ For project-level setup, do not offer tools with `unsupported_project_config`. Explain only if needed: those detected tools do not have verified project-level MCP support.
71
+
72
+ 3. Recommend the simplest tool setup choice with structured options.
73
+
74
+ If `installableIds` is non-empty, use structured choices when available. Do not ask the user to type comma-separated tool IDs unless the current agent interface has no structured choice mechanism.
75
+
76
+ Ask: `Which tools should I configure?`
77
+
78
+ Options:
79
+
80
+ - `Configure all detected tools (Recommended)` — the recommended default option; use all `installableIds`.
81
+ - One selective setup option per installable detected tool, using the tool display name and ID.
82
+
83
+ Do not present "configure none" as a normal onboarding choice; if the user does not want any tool configured, pause and clarify whether they want to stop onboarding.
84
+
85
+ Ask before writing configuration. A good prompt is: `I recommend configuring all detected tools so GitHits works wherever you use an agent. Proceed with all, or choose specific tools?`
86
+
87
+ Only install user-approved IDs. Do not run `init -y` or `init --yes` unless the user explicitly asks to configure every detected tool.
88
+
89
+ 4. Install GitHits MCP for approved tools using the selected scope.
90
+
91
+ Project-level install:
92
+
93
+ ```bash
94
+ npx -y githits@latest init --project --install-agents <comma-separated-approved-ids> --json
95
+ ```
96
+
97
+ User-level install:
98
+
99
+ ```bash
100
+ npx -y githits@latest init --install-agents <comma-separated-approved-ids> --json
101
+ ```
102
+
103
+ Treat `success` and `already_configured` outcomes as usable. Report any `failed` outcome with the tool name and message. For project-level setup, remind the user that project-local MCP files may be committed.
104
+
105
+ 5. Start GitHits sign-in/signup during onboarding.
106
+
107
+ Do not ask whether the user wants to log in. Login creates or connects the GitHits account, so it is part of onboarding. Ask before launching browser OAuth, then run login unless `auth status` already shows an active session.
108
+
109
+ Check auth state:
110
+
111
+ ```bash
112
+ npx -y githits@latest auth status
113
+ ```
114
+
115
+ Treat `Authenticated.` and `Authenticated via environment variable.` as already signed in and skip launching login. Treat `Not authenticated.` and `Token expired.` as requiring login.
116
+
117
+ Explain: `I can start GitHits sign-in now. It may open a browser tab where you approve or create your GitHits account. I will not ask you to paste secrets into chat.`
118
+
119
+ Then run:
120
+
121
+ ```bash
122
+ npx -y githits@latest login
123
+ ```
124
+
125
+ If the browser cannot open automatically, or the session appears to be SSH/container/headless, use:
126
+
127
+ ```bash
128
+ npx -y githits@latest login --no-browser
129
+ ```
130
+
131
+ With `--no-browser`, ask the user to open the printed URL. Do not ask them to paste passwords, tokens, cookies, or OAuth codes back into chat.
132
+
133
+ 6. Verify setup after login and installation.
134
+
135
+ Project-level verification:
136
+
137
+ ```bash
138
+ npx -y githits@latest auth status
139
+ npx -y githits@latest init --project --detect-agents --json
140
+ ```
141
+
142
+ User-level verification:
143
+
144
+ ```bash
145
+ npx -y githits@latest auth status
146
+ npx -y githits@latest init --detect-agents --json
147
+ ```
148
+
149
+ Confirm auth is active and selected tools are `already_configured` for the selected scope. If MCP configuration changed, tell the user to open a new agent session in the project or user environment so the tool reloads its MCP config.
150
+
151
+ ## Completion Response
152
+
153
+ Report:
154
+
155
+ - Which tools were configured or already configured.
156
+ - Whether GitHits auth is active, requires browser approval, or could not be verified.
157
+ - Whether the user needs to restart/open a new agent session.
158
+ - Any failed tool setup with the exact tool name and error message.
159
+
160
+ ## Safety Rules
161
+
162
+ - Do not collect or display secrets.
163
+ - Do not write secrets into MCP config.
164
+ - Do not ask the user to run commands manually unless you lack shell access.
165
+ - Do not retry broad setup with `init --yes` after a failure; use the staged JSON flow and approved IDs.
166
+ - If auth storage fails, read `references/troubleshooting.md` before suggesting recovery.
167
+
168
+ Read `references/troubleshooting.md` for recovery paths when setup, login, storage, or verification fails.
@@ -0,0 +1,58 @@
1
+ # GitHits Onboarding Troubleshooting
2
+
3
+ Use these recovery paths only when the main onboarding flow fails or the environment prevents normal setup.
4
+
5
+ ## No Shell Access
6
+
7
+ If you cannot run shell commands, explain that you cannot complete setup directly from the agent. Provide commands only if the user asks for manual steps.
8
+
9
+ ## npx Unavailable
10
+
11
+ `npx -y githits@latest` requires Node/npm tooling. If `npx` is unavailable, try an already installed `githits` binary. Otherwise explain that Node/npm or the GitHits CLI is required before agent-driven setup can continue.
12
+
13
+ ## No Supported Tools Detected
14
+
15
+ `init --detect-agents --json` detects supported coding tools and their GitHits MCP state. If no supported tools are detected, report that GitHits can still be used through the CLI where available, but automatic MCP setup needs a supported agent installed or detectable on this machine.
16
+
17
+ ## Browser Does Not Open
18
+
19
+ Retry login with:
20
+
21
+ ```bash
22
+ npx -y githits@latest login --no-browser
23
+ ```
24
+
25
+ Ask the user to open the printed URL. Do not ask them to paste passwords, tokens, cookies, or OAuth codes into chat.
26
+
27
+ ## Authentication Timeout
28
+
29
+ The login link expires after the timeout. Run a fresh login command to create a new link:
30
+
31
+ ```bash
32
+ npx -y githits@latest login
33
+ ```
34
+
35
+ Use `--no-browser` only if browser launch failed or the environment is headless.
36
+
37
+ ## Keychain Or Storage Failure
38
+
39
+ If the CLI reports it cannot persist OAuth credentials, ask the user to unlock their system keychain and retry login.
40
+
41
+ For automation or CI, the user can provide `GITHITS_API_TOKEN` in the environment outside chat. Do not ask them to paste the token into chat.
42
+
43
+ As a last resort, the user can set `GITHITS_AUTH_STORAGE=file`, but warn that file storage is plaintext on disk.
44
+
45
+ ## Install-Agent Failures
46
+
47
+ For `init --install-agents <ids> --json`, inspect `outcomes`. Report each failed tool by `name` and `message`. Do not retry with `init -y` or `init --yes` unless the user explicitly approves configuring every detected tool.
48
+
49
+ ## Verification Fails
50
+
51
+ After setup, run:
52
+
53
+ ```bash
54
+ npx -y githits@latest auth status
55
+ npx -y githits@latest init --detect-agents --json
56
+ ```
57
+
58
+ If auth is active but selected tools are not `already_configured`, report the specific mismatch and failed tool state. If tools are configured, tell the user to open a new agent session so MCP config changes are loaded.
@@ -36,7 +36,7 @@ githits pkg vulns npm:lodash@4.17.21 --scope non_affecting
36
36
 
37
37
  githits pkg deps npm:express
38
38
  githits pkg deps npm:express --lifecycle all
39
- githits pkg deps npm:express --transitive --depth 3 --json
39
+ githits pkg deps npm:express --depth 3 --json
40
40
 
41
41
  githits pkg changelog npm:express --limit 3
42
42
  githits pkg changelog npm:express --from 4.18.0 --to 4.19.0
@@ -51,7 +51,7 @@ githits pkg upgrade-review --package npm:zod@4.3.6..4.4.3 --package npm:lint-sta
51
51
  - Need current package health: start with `githits pkg info <registry:name>`.
52
52
  - Need security status for a specific installed version: use `githits pkg vulns <registry:name@version>`.
53
53
  - Need historical advisories that do not affect the inspected version: use `pkg vulns --scope non_affecting`; use `--scope all` for affected plus historical rows.
54
- - Need dependency footprint: start with `pkg deps`; add `--lifecycle all` for non-runtime groups and `--transitive` for aggregate transitive graph data.
54
+ - Need dependency footprint: start with `pkg deps`; add `--lifecycle all` for non-runtime groups and `--depth <n>` for aggregate transitive graph data.
55
55
  - Need upgrade evidence for dependency updates, outdated package bumps, or lockfile changes: prefer `pkg upgrade-review` because it compares current vs target vulnerabilities, changelog range evidence, deprecation metadata, peer changes, dependency changes, and optional transitive evidence. It reports facts only; you still own the final assessment.
56
56
  - Need release notes without a current-to-target comparison: use `pkg changelog`; use `--from`/`--to` for ranges and `--no-body` for compact timelines.
57
57
 
@@ -18,9 +18,9 @@ Supported registries: npm, PyPI, Hex, Crates, NuGet, Maven, Packagist, RubyGems,
18
18
 
19
19
  `githits pkg deps <registry:name[@version]>` lists direct runtime dependencies by default.
20
20
 
21
- Flags: `--lifecycle runtime|development|build|peer|optional|all`, `--transitive`, `--depth 1-10`, `--verbose`, `--json`.
21
+ Flags: `--lifecycle runtime|development|build|peer|optional|all`, `--depth 1-10`, `--verbose`, `--json`.
22
22
 
23
- Use `--transitive` before `--depth`; `--depth` without transitive traversal is invalid.
23
+ Use `--depth` to request transitive output capped to that traversal depth. Omit it for direct dependencies only.
24
24
 
25
25
  ## Changelog
26
26
 
@@ -1,15 +0,0 @@
1
- import {
2
- clearAutoLoginAuthSessionMetadata,
3
- createAuthCommandDependencies,
4
- createAuthStatusDependencies,
5
- createContainer,
6
- loadAutoLoginAuthSessionMetadata
7
- } from "./chunk-5xd5rcm9.js";
8
- import"./chunk-agpezzpd.js";
9
- export {
10
- loadAutoLoginAuthSessionMetadata,
11
- createContainer,
12
- createAuthStatusDependencies,
13
- createAuthCommandDependencies,
14
- clearAutoLoginAuthSessionMetadata
15
- };