pushci 1.7.4 → 1.8.0

package/README.md

@@ -1,16 +1,27 @@
 # PushCI
 
+[![npm version](https://img.shields.io/npm/v/pushci.svg)](https://www.npmjs.com/package/pushci)
+[![License: BUSL-1.1](https://img.shields.io/badge/License-BUSL--1.1-blue.svg)](LICENSE)
+[![CI](https://github.com/finsavvyai/pushci/actions/workflows/ci.yml/badge.svg)](https://github.com/finsavvyai/pushci/actions/workflows/ci.yml)
+[![MCP](https://img.shields.io/badge/MCP-compatible-purple.svg)](https://pushci.dev/ai)
+
 **Zero-config AI CI/CD. Runs on your machine. Free forever.**
 
+> 35 languages. 39 frameworks. 22 deploy targets. Zero YAML.
+> One command to set up CI. $0 to run it.
+
 ```bash
 npm install -g pushci   # one-time install
 pushci init             # AI detects your stack in 30 seconds
 git push                # tests run automatically
 ```
 
+<!-- TODO: Add 30-second demo GIF here -->
+<!-- ![PushCI Demo](assets/demo.gif) -->
+
 ## Why PushCI?
 
-In 2026, GitHub started charging $0.002/min for self-hosted runners that were previously free. PushCI never charges for local compute — ever.
+GitHub Actions charges $0.008/min for hosted runners and $0.002/min for self-hosted runners (as of March 2026). PushCI runs on your machine for $0 — always.
 
 | | PushCI | GitHub Actions | GitLab CI | Jenkins |
 |--|---------|---------------|-----------|---------|
@@ -26,7 +37,6 @@ In 2026, GitHub started charging $0.002/min for self-hosted runners that were pr
 # Install (pick one)
 npm install -g pushci                                          # npm (recommended)
 brew install finsavvyai/tap/pushci                             # Homebrew
-go install github.com/finsavvyai/pushci/cmd/pushci@latest     # Go
 curl -fsSL https://pushci.dev/install.sh | sh                  # Script
 
 # Auto-detect your stack
@@ -63,16 +73,17 @@ PushCI includes an MCP server for AI coding agents like **Claude Code**, **Curso
 
 ## Supported
 
-**33 Languages**: Go, Node/TS, Python, Rust, Java, C#,
+**35 Languages**: Go, Node/TS, Python, Rust, Java, C#,
 Ruby, PHP, Swift, Dart, Elixir, Zig, Scala, Haskell,
-Kotlin, Lua, Perl, R, Julia, OCaml, Nim, Crystal +more
+Kotlin, Lua, Perl, R, Julia, OCaml, Nim, Crystal, Bicep +more
 
-**40+ Frameworks**: Next.js, Nuxt, SvelteKit, Django, FastAPI,
+**39 Frameworks**: Next.js, Nuxt, SvelteKit, Django, FastAPI,
 Flask, Spring Boot, Rails, Laravel, Phoenix, Flutter +more
 
-**23 Deploy Targets**: Cloudflare, AWS (ECS/Lambda/S3),
-GCP (Cloud Run/App Engine), Azure, Vercel, Railway,
-Fly.io, Netlify, Docker, Kubernetes, SSH
+**22 Deploy Targets**: Cloudflare (Pages/Workers), AWS (ECS/Lambda/S3),
+GCP (Cloud Run/App Engine), Azure (App Service/Functions/Bicep),
+Vercel, Railway, Fly, Render, Netlify, Docker, K8s, SSH,
+Terraform, CloudFormation, Pulumi, Ansible
 
 ## Messaging Channels
 
@@ -127,12 +138,104 @@ pushci troubleshoot Diagnose issues with actionable fixes
 pushci trace        View Perfetto performance traces
 pushci release      Build & publish release locally ($0)
 pushci promote      Register with AI registries
+pushci voice        TTS narration for runs (curb / office / deadpan-tech)
 pushci uninstall    Remove hooks, config, and .pushci
 pushci version      Print version
 ```
 
 See [docs/CLI.md](docs/CLI.md) for the full CLI reference with flags, examples, and plan requirements.
 
+## Voice
+
+PushCI narrates your pipeline. Pick a persona, run your pipeline, hear it. Phrases are pre-canned by default; with an AI key you get fresh in-character lines per run.
+
+```bash
+pushci voice list                              # show built-in personas
+pushci voice say "deploying" --persona curb-style
+pushci voice test --persona office-style       # demo all 6 lifecycle events
+pushci voice joke --diff main                  # AI riffs on the diff vs main
+pushci run --voice                             # auto-narrate pipeline events
+```
+
+Built-in personas:
+
+| Persona | Style |
+|---|---|
+| `curb-style` | Petty frustration, awkward incredulity |
+| `office-style` | Oblivious enthusiasm, motivational confusion |
+| `deadpan-tech` | Sysadmin superiority, dark contempt |
+| `deadpan-narrator` | Neutral, no character |
+
+Defaults are zero-config: macOS `say` backend, no API keys, no network. Add `--ai` (or `PUSHCI_VOICE_AI=1` for `pushci run`) to switch on AI commentary via any of the 7 supported providers (`ANTHROPIC_API_KEY` / `GROQ_API_KEY` / `DEEPSEEK_API_KEY` / `OPENAI_API_KEY` / `GEMINI_API_KEY` / local llamafile / PushCI proxy).
+
+Safety: every utterance passes through a redactor (JWTs, AWS ARNs, account IDs, API keys, IPs, internal hostnames, emails are masked) and AI output runs through a content filter (rejects profanity + prompt-injection echo). Mute everything with `PUSHCI_VOICE_OFF=1`.
+
+Bring your own personas via `~/.pushci/voices.yml` — user entries appear in `pushci voice list` alongside the built-ins and override on name collision:
+
+```yaml
+personas:
+  - name: pirate-style
+    voice: Daniel        # macOS voice; run `say -v ?` to enumerate
+    description: Pirate-themed deploy commentary
+    phrases:
+      start: ["Aye, hoist the colors. Deploying."]
+      pass:  ["Ye scurvy tests passed."]
+      fail:  ["Avast, the build hath sunk."]
+```
+
+## Secrets
+
+PushCI resolves secret references inline in `pushci.yml` env blocks.
+Three schemes are supported today; PushCI never writes a plaintext
+secret to disk it didn't already encrypt.
+
+| Scheme | Backed by | Best for |
+|---|---|---|
+| `keychain://service[#account]` | macOS Keychain / Windows Credential Manager / Linux Secret Service, with AES-encrypted fallback at `~/.pushci/keychain.enc` for headless CI | Local dev, individual machines |
+| `vault://path#field` | HashiCorp Vault AppRole (`VAULT_ADDR` + `VAULT_ROLE_ID` + `VAULT_SECRET_ID`) | Teams, audited environments |
+| `pushci secrets set KEY VAL` | Per-project AES file at `.pushci/secrets.enc`, machine-bound | Quick one-offs, throwaway scripts |
+
+```yaml
+# pushci.yml
+stages:
+  - name: publish
+    env:
+      NPM_TOKEN: keychain://npm-publish-token
+      DEPLOY_KEY: keychain://deploy-bot#prod
+      DB_PASSWORD: vault://secret/data/prod/db#password
+    checks:
+      - name: publish
+        run: npm publish
+```
+
+**Managing keychain entries from the CLI:**
+
+```bash
+pushci secrets keychain set npm-publish-token npm_xxxxxxxxxxxx
+pushci secrets keychain set deploy-bot#prod  s3cr3t
+pushci secrets keychain get npm-publish-token
+pushci secrets keychain list      # fallback-file entries only
+pushci secrets keychain rm  npm-publish-token
+```
+
+On macOS the storage layout matches the `security` CLI verbatim, so the
+common `.zshrc` helper functions work side-by-side:
+
+```bash
+secret()     { security find-generic-password -a "$USER" -s "$1" -w 2>/dev/null; }
+secret-set() { security add-generic-password    -a "$USER" -s "$1" -w "$2" -U; }
+```
+
+Entries written by `secret-set` are readable by `pushci secrets keychain
+get`, and vice versa — no `go-keyring-base64:` prefix gymnastics.
+
+**Headless Linux CI:** when D-Bus and Secret Service aren't running,
+PushCI falls back transparently to an AES-encrypted file at
+`~/.pushci/keychain.enc` with a machine-bound key. A one-time stderr
+warning fires the first time a fallback read or write happens, so the
+behavior is never silent. Override account default with the `#account`
+suffix; the current OS user is used when omitted.
+
 ## Configuration
 
 `pushci.yml` is optional — `pushci init` generates one that works, and
@@ -347,12 +450,12 @@ The hook is designed to never block your workflow:
 
 ## Pricing
 
-| Free | Pro $9/mo | Team $29/mo |
-|------|-----------|-------------|
-| 1 repo | Unlimited | Unlimited |
-| Self-hosted | Dashboard | Shared runners |
-| Unlimited runs | Slack/Discord | SSO + audit |
-| AI detection | Analytics | SLA guarantee |
+| Free | Pro $9/mo | Team $29/seat/mo | Enterprise |
+|------|-----------|-------------------|------------|
+| Unlimited local runs | Unlimited repos | Everything in Pro | Everything in Team |
+| AI stack detection | AI diagnosis (100/mo) | 2000 cloud minutes | Unlimited cloud minutes |
+| 2 deploy targets | 22 deploy targets | SSO / SAML | SCIM + 7-year audit |
+| Community support | Dashboard + analytics | Audit logs + governance | Dedicated tenant option |
 
 ## Links
 
@@ -361,6 +464,22 @@ The hook is designed to never block your workflow:
 - **Cost Calculator**: https://pushci.dev/tools/cost-calculator
 - **Compare**: [vs GitHub Actions](https://pushci.dev/vs/github-actions) | [vs GitLab CI](https://pushci.dev/vs/gitlab-ci) | [vs CircleCI](https://pushci.dev/vs/circleci) | [vs Jenkins](https://pushci.dev/vs/jenkins)
 
+## Contributing
+
+We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for setup instructions and contribution guidelines.
+
+**Good first issues:**
+- Add a framework detector (`internal/detect/`)
+- Add a deploy target (`internal/deploy/`)
+- Improve CLI error messages
+- Add tests
+
+Please read our [Code of Conduct](CODE_OF_CONDUCT.md) before contributing.
+
+## Security
+
+Found a vulnerability? See [SECURITY.md](SECURITY.md) for our disclosure policy.
+
 ## License
 
 [BSL 1.1](LICENSE) (Business Source License). Free to use for any purpose except

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pushci",
-  "version": "1.7.4",
-  "description": "AI-native CI/CD that runs on your machine. Zero config, zero cost. Works inside AI agent sandboxes (Claude, Cursor, Windsurf). 33 languages, 40+ frameworks, 20 deploy targets, 25 installable skills, Tailscale mesh, blast radius analysis.",
+  "version": "1.8.0",
+  "description": "AI-native CI/CD that runs on your machine. Zero config, zero cost. Works inside AI agent sandboxes (Claude, Cursor, Windsurf). 33 languages, 40+ frameworks, 22 deploy targets, 25 installable skills, Tailscale mesh, blast radius analysis.",
   "bin": {
     "pushci": "bin/pushci.js"
   },