komplian 0.1.0 → 0.3.0

package/README.md

@@ -1,23 +1,21 @@
 # komplian (npm CLI)
 
-**Developers:** from any machine with Node 18+ and GitHub CLI (`gh`):
+**Developers**
 
-```bash
-npx komplian onboard --yes
-```
+1. Install [GitHub CLI](https://cli.github.com) and **git** (one-time per machine).
+2. Browser login: `gh auth login -h github.com -s repo -s read:org -w`
+3. `npx komplian onboard --yes`
 
-This downloads the CLI from npm (no manual git clone), opens GitHub login if needed, and clones the repos your account can access (filtered by team in the bundled `komplian-team-repos.json`). Default workspace: `~/komplian` (Windows: `%USERPROFILE%\komplian`).
+No OAuth App registration — `gh` uses GitHub’s built-in flow. Default workspace: `~/komplian`.
 
-**Maintainers:** publish **from this folder** (the one that contains `package.json` — not the monorepo root):
+**Maintainers:** publish from **`scripts/`** (folder with `package.json`), not the monorepo root:
 
 ```bash
-cd path/to/monorepo/scripts   # e.g. cd ~/Desktop/temp/scripts
-npm login                     # once per machine
+cd path/to/monorepo/scripts
+npm login
 npm publish --access public
 ```
 
-Running `npm publish` from the repo root causes `ENOENT package.json` because the npm package lives only under `scripts/`.
-
-Bump `version` in `package.json` before each publish.
+Bump `version` before each publish.
 
-**If publish fails with `403` / “Two-factor authentication … required”:** enable **2FA** on your npm account (*npmjs.com → Account → Security*), then run `npm publish` again (npm may prompt for an OTP). For CI, create a **granular access token** (*Access Tokens → Granular token*) with **Publish** on the `komplian` package and “**Bypass two-factor authentication**” if your org allows it; set `NPM_TOKEN` in GitHub Actions.
+**If publish fails with `403` / 2FA:** enable **2FA** on npm (*Account → Security*) or use a **granular token** with publish rights; set `NPM_TOKEN` in CI (see `.github/workflows/publish-komplian-npm.yml`).

package/komplian-onboard.mjs

@@ -1,12 +1,11 @@
 #!/usr/bin/env node
 /**
- * Komplian onboard — one-command dev setup (GitHub CLI auth + clone + optional npm install).
- * Zero npm deps: Node 18+, git, gh, and komplian-team-repos.json beside this file.
+ * Komplian onboard — GitHub CLI (browser login) + clone. No OAuth App to register.
+ * Needs: Node 18+, git, gh (https://cli.github.com)
  *
  * Usage:
- *   npx komplian onboard --yes   # npm ships this package; no manual monorepo clone for developers
- *
- * Security: `gh` OAuth; active org membership verified via GitHub API before clones; repo ACLs enforced by GitHub. See ONBOARDING.md.
+ *   gh auth login -h github.com -s repo -s read:org -w   # once
+ *   npx komplian onboard --yes
  */
 
 import { spawnSync } from "node:child_process";
@@ -35,7 +34,6 @@ function log(s = "") {
 }
 
 function banner() {
-  // Block Unicode (cfonts "block"). Fourth letter is P: row 4 uses ██╔═══╝; R would use ██╔══██╗.
   log(
     [
       `${c.cyan}${c.bold}`,
@@ -46,7 +44,7 @@ function banner() {
       "██║  ██╗ ╚██████╔╝ ██║ ╚═╝ ██║ ██║      ███████╗ ██║ ██║  ██║ ██║ ╚████║",
       "╚═╝  ╚═╝  ╚═════╝  ╚═╝     ╚═╝ ╚═╝      ╚══════╝ ╚═╝ ╚═╝  ╚═╝ ╚═╝  ╚═══╝",
       `${c.reset}`,
-      `${c.dim}  Secure setup · GitHub CLI · HTTPS clones · No secrets stored by this CLI${c.reset}`,
+      `${c.dim}  Secure setup · GitHub CLI · git clone · Zero org OAuth setup${c.reset}`,
       "",
     ].join("\n")
   );
@@ -60,10 +58,9 @@ function ghOk() {
   return r.status === 0;
 }
 
-/** Scopes: repo (clone), read:org (verify org membership — required for private orgs). */
 function runGhAuth() {
   log(
-    `${c.yellow}→${c.reset} Opening ${c.bold}GitHub${c.reset} login in the browser (OAuth). We never see your password.`
+    `${c.yellow}→${c.reset} Abre ${c.bold}GitHub${c.reset} en el navegador (OAuth). No vemos tu contraseña.`
   );
   const r = spawnSync(
     "gh",
@@ -81,47 +78,39 @@ function ghApiJson(path) {
   return { status: r.status, stdout: r.stdout || "", stderr: r.stderr || "" };
 }
 
-/**
- * Ensures the authenticated user is an active member of the GitHub org (not just any GitHub account).
- * Relies on GitHub as source of truth; optional SAML/SSO is enforced by the org on github.com.
- */
 function verifyOrgMembership(org) {
   const enc = encodeURIComponent(org);
   const mem = ghApiJson(`user/memberships/orgs/${enc}`);
   if (mem.status === 200) {
     try {
       const j = JSON.parse(mem.stdout);
-      if (j.state === "active") {
-        return;
-      }
+      if (j.state === "active") return;
       log(
-        `${c.red}✗${c.reset} Organization ${c.bold}${org}${c.reset} membership is not active (state: ${j.state || "?"}).`
+        `${c.red}✗${c.reset} Membresía en ${c.bold}${org}${c.reset} no activa (state: ${j.state || "?"}).`
       );
       process.exit(1);
     } catch {
-      log(`${c.red}✗${c.reset} Invalid response verifying org membership.`);
+      log(`${c.red}✗${c.reset} Respuesta inválida al verificar la org.`);
       process.exit(1);
     }
   }
   if (mem.status === 404) {
     log(
-      `${c.red}✗${c.reset} This GitHub account is ${c.bold}not a member${c.reset} of org ${c.bold}${org}${c.reset}.`
+      `${c.red}✗${c.reset} Esta cuenta ${c.bold}no es miembro${c.reset} de la org ${c.bold}${org}${c.reset}.`
     );
     log(
-      `${c.dim}  Only invited org members can run this tool. Wrong account? Run: gh auth logout && gh auth login${c.reset}`
+      `${c.dim}  ¿Otra cuenta? gh auth logout && gh auth login -h github.com -s repo -s read:org -w${c.reset}`
     );
     process.exit(1);
   }
   const hint = (mem.stderr + mem.stdout).toLowerCase();
   if (mem.status === 403 || hint.includes("read:org") || hint.includes("scope")) {
-    log(`${c.red}✗${c.reset} Token cannot verify org membership (needs ${c.bold}read:org${c.reset} scope).`);
-    log(
-      `${c.dim}  Run: gh auth refresh -h github.com -s repo -s read:org${c.reset}`
-    );
+    log(`${c.red}✗${c.reset} Falta scope ${c.bold}read:org${c.reset} en gh.`);
+    log(`${c.dim}  gh auth refresh -h github.com -s repo -s read:org${c.reset}`);
     process.exit(1);
   }
   log(
-    `${c.red}✗${c.reset} Could not verify org membership (${mem.status}):\n${c.dim}${(mem.stderr || mem.stdout).trim()}${c.reset}`
+    `${c.red}✗${c.reset} No se pudo verificar la org (${mem.status}):\n${c.dim}${(mem.stderr || mem.stdout).trim()}${c.reset}`
   );
   process.exit(1);
 }
@@ -132,17 +121,17 @@ function logGhIdentity() {
   try {
     const j = JSON.parse(u.stdout);
     if (j.login) {
-      log(`${c.dim}  Signed in as ${c.bold}@${j.login}${c.reset}${c.dim} (github.com)${c.reset}`);
+      log(`${c.dim}  Sesión: ${c.bold}@${j.login}${c.reset}${c.dim} (github.com)${c.reset}`);
     }
   } catch {
     /* ignore */
   }
 }
 
-function needCmd(name) {
+function needCmd(name, hint = "") {
   const r = spawnSync("command", ["-v", name], { shell: true, stdio: "ignore" });
   if (r.status !== 0) {
-    log(`${c.red}✗${c.reset} Missing ${c.bold}${name}${c.reset}. Install it and retry.`);
+    log(`${c.red}✗${c.reset} Falta ${c.bold}${name}${c.reset} en el PATH.${hint ? ` ${hint}` : ""}`);
     process.exit(1);
   }
 }
@@ -158,7 +147,7 @@ function ghRepoList(org) {
     { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }
   );
   if (r.status !== 0) {
-    log(`${c.red}✗${c.reset} gh repo list failed:\n${r.stderr || r.stdout}`);
+    log(`${c.red}✗${c.reset} gh repo list falló:\n${r.stderr || r.stdout}`);
     process.exit(1);
   }
   const rows = JSON.parse(r.stdout || "[]");
@@ -188,7 +177,7 @@ function resolveRepos(cfg, org, teamArg, allRepos) {
   const teams = cfg.teams || {};
   if (!teams[team]) {
     log(
-      `${c.red}✗${c.reset} Unknown team ${c.bold}${team}${c.reset}. Valid: ${Object.keys(teams).sort().join(", ")}`
+      `${c.red}✗${c.reset} Equipo desconocido ${c.bold}${team}${c.reset}. Válidos: ${Object.keys(teams).sort().join(", ")}`
     );
     process.exit(2);
   }
@@ -197,7 +186,7 @@ function resolveRepos(cfg, org, teamArg, allRepos) {
   const out = [];
   for (const name of [...allowed].sort()) {
     if (!visible.has(name)) {
-      log(`${c.dim}○ skip ${org}/${name} (no access or not in org)${c.reset}`);
+      log(`${c.dim}○ omito ${org}/${name} (sin acceso o no está en la org)${c.reset}`);
       continue;
     }
     out.push(name);
@@ -214,15 +203,15 @@ function isSafeTargetDir(abs) {
 function cloudLine(org, name, status) {
   const cloud = `${c.blue}☁${c.reset}`;
   if (status === "ok") {
-    return `  ${cloud}  ${c.green}✓${c.reset} ${c.bold}${org}/${name}${c.reset} ${c.dim}cloned${c.reset}`;
+    return `  ${cloud}  ${c.green}✓${c.reset} ${c.bold}${org}/${name}${c.reset} ${c.dim}clonado${c.reset}`;
   }
   if (status === "skip") {
-    return `  ${cloud}  ${c.yellow}○${c.reset} ${org}/${name} ${c.dim}(already there)${c.reset}`;
+    return `  ${cloud}  ${c.yellow}○${c.reset} ${org}/${name} ${c.dim}(ya existe)${c.reset}`;
   }
   if (status === "fail") {
-    return `  ${cloud}  ${c.red}✗${c.reset} ${org}/${name} ${c.dim}failed${c.reset}`;
+    return `  ${cloud}  ${c.red}✗${c.reset} ${org}/${name} ${c.dim}falló${c.reset}`;
   }
-  return `  ${cloud}  ${c.cyan}…${c.reset} ${org}/${name} ${c.dim}cloning…${c.reset}`;
+  return `  ${cloud}  ${c.cyan}…${c.reset} ${org}/${name} ${c.dim}clonando…${c.reset}`;
 }
 
 function cloneOne(org, name, workspace, useSsh) {
@@ -256,7 +245,7 @@ function copyCursorPack(workspace, cursorRepoUrl) {
   if (cursorRepoUrl && String(cursorRepoUrl).trim()) {
     const tmp = join(workspace, ".cursor-bootstrap-tmp");
     rmSync(tmp, { recursive: true, force: true });
-    log(`${c.dim}→${c.reset} Shallow clone Cursor pack…`);
+    log(`${c.dim}→${c.reset} Cursor pack (clone superficial)…`);
     const r = spawnSync("git", ["clone", "--depth", "1", String(cursorRepoUrl).trim(), tmp], {
       cwd: workspace,
       stdio: ["ignore", "pipe", "pipe"],
@@ -270,33 +259,30 @@ function copyCursorPack(workspace, cursorRepoUrl) {
       return;
     }
     rmSync(tmp, { recursive: true, force: true });
-    log(`${c.yellow}○${c.reset} KOMPLIAN_CURSOR_REPO clone failed or missing .cursor/ at repo root`);
-  }
-
-  const aiToolsCursor = join(workspace, "ai-tools", ".cursor");
-  if (existsSync(aiToolsCursor)) {
-    rmSync(rootCursor, { recursive: true, force: true });
-    cpSync(aiToolsCursor, rootCursor, { recursive: true });
-    log(`${c.green}✓${c.reset} ${c.bold}.cursor${c.reset} ${c.dim}← ai-tools${c.reset}`);
-    return;
+    log(`${c.yellow}○${c.reset} KOMPLIAN_CURSOR_REPO: falló el clone o no hay .cursor/ en la raíz`);
   }
   log(
-    `${c.dim}○ No workspace .cursor/ (add ai-tools to your team or set KOMPLIAN_CURSOR_REPO).${c.reset}`
+    `${c.dim}○ Sin .cursor/ en el workspace (opcional: KOMPLIAN_CURSOR_REPO=<url git>).${c.reset}`
   );
 }
 
 function npmInstallEach(workspace) {
   log("");
-  log(`${c.cyan}━━ npm install per repo ━━${c.reset}`);
+  log(`${c.cyan}━━ npm install por repo ━━${c.reset}`);
+  const r = spawnSync("command", ["-v", "npm"], { shell: true, stdio: "ignore" });
+  if (r.status !== 0) {
+    log(`${c.yellow}○${c.reset} npm no está en PATH — omito installs`);
+    return;
+  }
   for (const ent of readdirSync(workspace)) {
     const d = join(workspace, ent);
     if (!statSync(d).isDirectory()) continue;
     const pkg = join(d, "package.json");
     if (!existsSync(pkg)) continue;
     log(`${c.dim}→${c.reset} ${ent}`);
-    const r = spawnSync("npm", ["install"], { cwd: d, stdio: "inherit" });
-    if (r.status !== 0) {
-      log(`${c.yellow}○${c.reset} npm install had issues in ${ent}`);
+    const ir = spawnSync("npm", ["install"], { cwd: d, stdio: "inherit" });
+    if (ir.status !== 0) {
+      log(`${c.yellow}○${c.reset} npm install con avisos en ${ent}`);
     } else {
       log(`${c.green}✓${c.reset} ${ent}`);
     }
@@ -304,18 +290,21 @@ function npmInstallEach(workspace) {
 }
 
 function usage() {
-  log(`Usage: komplian onboard [options] [dir]`);
-  log(`  npx komplian onboard --yes        clones + npm install (default dir: ~/komplian)`);
+  log(`Uso: komplian onboard [opciones] [carpeta]`);
+  log(`  npx komplian onboard --yes`);
   log(``);
-  log(`  Subcommand onboard implies --install; add --no-install to skip npm install.`);
-  log(`  -y, --yes          Non-interactive (default team from JSON)`);
-  log(`  -t, --team <slug>  Team from komplian-team-repos.json`);
-  log(`  -i, --install      npm install (on by default with onboard; optional without subcommand)`);
-  log(`  --no-install       Skip npm install (only after onboard)`);
-  log(`  --all-repos        Clone all visible org repos (minus exclude list)`);
-  log(`  --ssh              Use SSH URLs (git@github.com:...)`);
-  log(`  --list-teams       Print team slugs and exit`);
-  log(`  -h, --help         This help`);
+  log(`  Antes (una vez): gh auth login -h github.com -s repo -s read:org -w`);
+  log(`  Requisitos: Node 18+, git, GitHub CLI (gh)`);
+  log(``);
+  log(`  onboard implica --install salvo --no-install`);
+  log(`  -y, --yes          Sin menú interactivo (equipo por defecto del JSON)`);
+  log(`  -t, --team <slug>  Equipo en komplian-team-repos.json`);
+  log(`  -i, --install      npm install en cada repo con package.json`);
+  log(`  --no-install       No ejecutar npm install`);
+  log(`  --all-repos        Todos los repos visibles (menos exclude_from_all)`);
+  log(`  --ssh              Clonar con git@github.com:…`);
+  log(`  --list-teams       Lista slugs de equipo (solo JSON) y sale`);
+  log(`  -h, --help`);
 }
 
 function parseArgs(argv) {
@@ -343,7 +332,7 @@ function parseArgs(argv) {
     else if (a === "-t" || a === "--team") {
       out.team = argv[++i] || "";
     } else if (a.startsWith("-")) {
-      log(`${c.red}✗${c.reset} Unknown option: ${a}`);
+      log(`${c.red}✗${c.reset} Opción desconocida: ${a}`);
       usage();
       process.exit(1);
     } else rest.push(a);
@@ -355,14 +344,14 @@ function parseArgs(argv) {
 async function pickTeam(cfg) {
   const teams = Object.keys(cfg.teams || {}).sort();
   const def = (cfg.default_team || "").trim();
-  log(`${c.cyan}Teams:${c.reset}`);
+  log(`${c.cyan}Equipos:${c.reset}`);
   teams.forEach((t, i) => {
-    const mark = t === def ? ` ${c.dim}(default)${c.reset}` : "";
+    const mark = t === def ? ` ${c.dim}(por defecto)${c.reset}` : "";
     log(`  ${i + 1}. ${t}${mark}`);
   });
   const rl = createInterface({ input, output });
   const ans = await rl.question(
-    `\n${c.bold}Choose number or name${c.reset} [${def}]: `
+    `\n${c.bold}Número o nombre${c.reset} [${def}]: `
   );
   rl.close();
   const trimmed = (ans || "").trim();
@@ -396,52 +385,47 @@ async function main() {
     return;
   }
 
-  if (args.listTeams) {
-    if (!existsSync(configPath)) {
-      log(`${c.red}✗${c.reset} Missing ${configPath}`);
-      process.exit(1);
-    }
-    needCmd("gh");
-    if (!ghOk()) {
-      log(`${c.red}✗${c.reset} Not logged in to GitHub. Run: ${c.bold}gh auth login -h github.com -s repo -s read:org -w${c.reset}`);
-      process.exit(1);
-    }
-    const cfg = loadConfig(configPath);
-    const orgList = process.env.KOMPLIAN_ORG || cfg.org || "Komplian";
-    verifyOrgMembership(orgList);
-    log(Object.keys(cfg.teams || {}).sort().join("\n"));
-    return;
-  }
-
   if (!existsSync(configPath)) {
-    log(`${c.red}✗${c.reset} Missing config: ${configPath}`);
+    log(`${c.red}✗${c.reset} Falta la config: ${configPath}`);
     process.exit(1);
   }
 
-  needCmd("git");
-  needCmd("gh");
+  const cfg = loadConfig(configPath);
+
+  if (args.listTeams) {
+    log(Object.keys(cfg.teams || {}).sort().join("\n"));
+    return;
+  }
 
   const nodeMajor = Number(process.versions.node.split(".")[0], 10);
   if (nodeMajor < 18) {
-    log(`${c.red}✗${c.reset} Need Node 18+. You have ${process.versions.node}.`);
+    log(`${c.red}✗${c.reset} Hace falta Node 18+. Tienes ${process.versions.node}.`);
     process.exit(1);
   }
 
+  needCmd(
+    "git",
+    `${c.dim}https://git-scm.com${c.reset}`
+  );
+  needCmd(
+    "gh",
+    `${c.dim}https://cli.github.com${c.reset}`
+  );
+
   if (!ghOk()) {
+    log(`${c.red}✗${c.reset} No hay sesión en GitHub CLI.`);
     if (!runGhAuth()) {
-      log(`${c.red}✗${c.reset} GitHub authentication did not complete.`);
+      log(`${c.red}✗${c.reset} Autenticación cancelada.`);
       process.exit(1);
     }
   }
-  log(`${c.green}✓${c.reset} GitHub CLI session OK`);
+  log(`${c.green}✓${c.reset} GitHub CLI OK`);
 
-  const cfg = loadConfig(configPath);
   const org = process.env.KOMPLIAN_ORG || cfg.org || "Komplian";
-
   verifyOrgMembership(org);
   logGhIdentity();
   log(
-    `${c.green}✓${c.reset} Org ${c.bold}${org}${c.reset}: ${c.dim}active membership verified (GitHub API)${c.reset}`
+    `${c.green}✓${c.reset} Org ${c.bold}${org}${c.reset}: ${c.dim}membresía activa${c.reset}`
   );
 
   banner();
@@ -453,7 +437,7 @@ async function main() {
 
   const repos = resolveRepos(cfg, org, team, args.allRepos);
   if (repos.length === 0) {
-    log(`${c.red}✗${c.reset} No repositories to clone (permissions / team / org).`);
+    log(`${c.red}✗${c.reset} No hay repos que clonar (permisos / equipo / org).`);
     process.exit(1);
   }
 
@@ -463,7 +447,7 @@ async function main() {
   }
   const abs = resolve(workspace.replace(/^~(?=$|[/\\])/, homedir()));
   if (!isSafeTargetDir(abs)) {
-    log(`${c.red}✗${c.reset} Refusing unsafe target directory: ${abs}`);
+    log(`${c.red}✗${c.reset} Carpeta destino no segura: ${abs}`);
     process.exit(1);
   }
 
@@ -471,7 +455,7 @@ async function main() {
   log("");
   log(`${c.cyan}━━ Workspace ━━${c.reset} ${c.bold}${abs}${c.reset}`);
   log(`${c.cyan}━━ Org ━━${c.reset} ${c.bold}${org}${c.reset}`);
-  if (team) log(`${c.cyan}━━ Team ━━${c.reset} ${c.bold}${team}${c.reset}`);
+  if (team) log(`${c.cyan}━━ Equipo ━━${c.reset} ${c.bold}${team}${c.reset}`);
   log(`${c.cyan}━━ Repos (${repos.length}) ━━${c.reset}`);
   log("");
 
@@ -484,17 +468,16 @@ async function main() {
   copyCursorPack(abs, process.env.KOMPLIAN_CURSOR_REPO);
 
   if (args.install) {
-    needCmd("npm");
     npmInstallEach(abs);
   }
 
   log("");
-  log(`${c.cyan}━━ Done ━━${c.reset}`);
+  log(`${c.cyan}━━ Listo ━━${c.reset}`);
   if (failed > 0) {
-    log(`${c.yellow}○${c.reset} ${failed} repo(s) failed — check access and retry.`);
+    log(`${c.yellow}○${c.reset} ${failed} repo(s) fallaron — revisa acceso y reintenta.`);
   }
-  log(`${c.green}✓${c.reset} Open in Cursor: ${c.bold}File → Open Folder → ${abs}${c.reset}`);
-  log(`${c.dim}  Copy .env.example → .env per project; secrets via 1Password — never commit.${c.reset}`);
+  log(`${c.green}✓${c.reset} Cursor: ${c.bold}File → Open Folder → ${abs}${c.reset}`);
+  log(`${c.dim}  .env.example → .env por proyecto; secretos en 1Password — nunca commit.${c.reset}`);
 }
 
 main().catch((e) => {

package/komplian-team-repos.json

@@ -1,14 +1,14 @@
 {
-  "_comment": "Map team slug (-t) → repo names in org. Align slugs with GitHub Team names or internal labels. Adjust when teams/repos change.",
+  "_comment": "Teams = solo repos de producto (app, api, web, admin, docs). exclude_from_all evita ai-tools, scripts, infra, odoo-module en --all-repos.",
   "org": "Komplian",
   "default_team": "platform",
-  "exclude_from_all": [],
+  "exclude_from_all": ["ai-tools", "scripts", "infra", "odoo-module"],
   "teams": {
-    "platform": ["app", "api", "web", "admin", "docs", "ai-tools"],
-    "backend": ["api", "ai-tools"],
-    "frontend": ["app", "web", "docs", "ai-tools"],
-    "admin": ["admin", "api", "ai-tools"],
-    "docs": ["docs", "web", "ai-tools"],
-    "growth": ["web", "docs", "ai-tools"]
+    "platform": ["app", "api", "web", "admin", "docs"],
+    "backend": ["api"],
+    "frontend": ["app", "web", "docs"],
+    "admin": ["admin", "api"],
+    "docs": ["docs", "web"],
+    "growth": ["web", "docs"]
   }
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "komplian",
-  "version": "0.1.0",
-  "description": "Komplian developer workspace setup: GitHub CLI auth + clone repos by team (zero manual repo clone for developers — use npx).",
+  "version": "0.3.0",
+  "description": "Komplian developer workspace setup: GitHub CLI (browser login) + git clone by team. Node 18+, git, gh — no OAuth App to register.",
   "type": "module",
   "engines": {
     "node": ">=18"