shardstitch 0.0.10 → 0.0.11

package/cli.js

@@ -1,334 +1,347 @@
-#!/usr/bin/env node
-// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
-// Finds a local install and starts the dashboard.
-// Run `shardstitch install <key>` after purchase to download the app.
-
-const { spawnSync, spawn } = require("child_process");
-const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
-const { join, dirname } = require("path");
-const { createHash } = require("crypto");
-const os = require("os");
-const https = require("https");
-const fs = require("fs");
-
-const POLAR_ORG_ID = "8e901881-4e3d-4356-98fb-2511337101b1";
-const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
-const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
-const MACHINE_SALT = "shardstitch-activation/1";
-
-// --- Supply-chain hardening -------------------------------------------------
-// The binary is downloaded over HTTPS and its SHA-256 is verified against the
-// hashes EMBEDDED in this published package BEFORE it is ever made executable
-// or run. Embedding (rather than fetching a manifest from the same host that
-// serves the binary) means a compromised download origin cannot swap the
-// binary without also defeating npm's own package integrity — a strictly
-// stronger trust anchor. Downloads (and any redirects) are additionally
-// restricted to an allowlist of trusted hosts. See SECURITY.md.
-//
-// Keep in lockstep with packages/pypi/shardstitch/__init__.py _CHECKSUMS.
-// Regenerate with: python tools/gen_checksums.py. An empty string means "no
-// binary published for this platform yet" — cmdInstall fails CLOSED on it.
-const EMBEDDED_CHECKSUMS = {
-  windows: "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-  linux: "",
-  mac: "",
-};
-const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
-  "shardstitch.com",
-  "polar.sh",
-  "polarsource.com",
-];
-
-function isTrustedHost(hostname) {
-  const h = (hostname || "").toLowerCase();
-  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
-    (suffix) => h === suffix || h.endsWith("." + suffix)
-  );
-}
-
-const PLATFORM = process.platform === "win32" ? "windows"
-               : process.platform === "darwin" ? "mac"
-               : "linux";
-
-const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
-
-const CANDIDATE_DIRS = [
-  process.env.SHARDSTITCH_HOME,
-  INSTALL_DIR,
-  join(os.homedir(), "ShardStitch"),
-  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
-  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
-].filter(Boolean);
-
-function findExe() {
-  for (const dir of CANDIDATE_DIRS) {
-    const p = join(dir, EXE_NAME);
-    if (existsSync(p)) return p;
-  }
-  return null;
-}
-
-function pythonCmd() {
-  for (const cmd of ["python", "python3", "py"]) {
-    const r = spawnSync(cmd, ["--version"], { stdio: "ignore", shell: false });
-    if (r.status === 0) return cmd;
-  }
-  return null;
-}
-
-function machineFingerprint() {
-  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
-  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
-}
-
-function activationSignature(key, store) {
-  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
-  return createHash("sha256").update(raw).digest("hex");
-}
-
-function saveActivation(key) {
-  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
-  const record = {
-    key,
-    store: "polar",
-    activatedAt: Math.floor(Date.now() / 1000),
-    signature: activationSignature(key, "polar"),
-  };
-  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
-}
-
-function isActivated() {
-  try {
-    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
-    return data.signature === activationSignature(data.key || "", data.store || "");
-  } catch {
-    return false;
-  }
-}
-
-function httpsPost(url, body) {
-  return new Promise((resolve, reject) => {
-    const u = new URL(url);
-    const data = JSON.stringify(body);
-    const req = https.request({
-      hostname: u.hostname,
-      path: u.pathname,
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Content-Length": Buffer.byteLength(data),
-        "User-Agent": "ShardStitch-Installer/1.0",
-      },
-    }, (res) => {
-      let body = "";
-      res.on("data", (c) => body += c);
-      res.on("end", () => {
-        if (res.statusCode >= 400) reject(new Error(`HTTP ${res.statusCode}: ${body}`));
-        else resolve(JSON.parse(body));
-      });
-    });
-    req.on("error", reject);
-    req.write(data);
-    req.end();
-  });
-}
-
-function downloadFile(url, dest) {
-  return new Promise((resolve, reject) => {
-    mkdirSync(dirname(dest), { recursive: true });
-    const tmp = dest + ".tmp";
-    const file = createWriteStream(tmp);
-
-    function follow(rawUrl) {
-      let u;
-      try {
-        u = new URL(rawUrl);
-      } catch {
-        return reject(new Error(`Refusing to download: invalid URL`));
-      }
-      // Fail closed on protocol downgrade or untrusted host (blocks open-redirect
-      // / MITM from pointing the download at an attacker-controlled binary).
-      if (u.protocol !== "https:") {
-        return reject(new Error(`Refusing non-HTTPS download (${u.protocol})`));
-      }
-      if (!isTrustedHost(u.hostname)) {
-        return reject(new Error(`Refusing download from untrusted host: ${u.hostname}`));
-      }
-      https.get(rawUrl, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          return follow(res.headers.location);
-        }
-        const total = parseInt(res.headers["content-length"] || "0");
-        let done = 0;
-        res.on("data", (chunk) => {
-          file.write(chunk);
-          done += chunk.length;
-          if (total) {
-            const pct = Math.floor(done * 100 / total);
-            process.stdout.write(`\r  Downloading... ${pct}%`);
-          }
-        });
-        res.on("end", () => {
-          file.end();
-          process.stdout.write("\n");
-          renameSync(tmp, dest);
-          resolve();
-        });
-        res.on("error", reject);
-      }).on("error", reject);
-    }
-
-    follow(url);
-  });
-}
-
-function sha256File(path) {
-  return new Promise((resolve, reject) => {
-    const hash = createHash("sha256");
-    const stream = fs.createReadStream(path);
-    stream.on("data", (chunk) => hash.update(chunk));
-    stream.on("end", () => resolve(hash.digest("hex")));
-    stream.on("error", reject);
-  });
-}
-
-async function cmdInstall(key) {
-  key = key.trim();
-  console.log();
-  console.log("  ShardStitch — verifying license key...");
-
-  let data;
-  try {
-    data = await httpsPost("https://api.polar.sh/v1/customer-portal/license-keys/validate", {
-      key,
-      organization_id: POLAR_ORG_ID,
-    });
-  } catch (e) {
-    console.log(`  ✗ ${e.message.includes("404") ? "Key not found. Check for typos or email support@shardstitch.com." : "Network error: " + e.message}`);
-    process.exit(1);
-  }
-
-  if (!["granted", "active"].includes(data.status) && !data.id) {
-    console.log("  ✗ Invalid license key.");
-    process.exit(1);
-  }
-
-  console.log("  ✓ License valid.");
-  console.log();
-
-  // Find download URL from benefit grants
-  let downloadUrl = null;
-  for (const grant of data.benefit_grants || []) {
-    if (grant.benefit?.type === "downloadables") {
-      const files = grant.properties?.files || [];
-      for (const f of files) {
-        const name = (f.name || "").toLowerCase();
-        const url = f.url || f.download_url;
-        if (!url) continue;
-        if (PLATFORM === "windows" && name.includes(".exe")) { downloadUrl = url; break; }
-        if (PLATFORM === "linux" && name.includes("linux")) { downloadUrl = url; break; }
-        if (PLATFORM === "mac" && (name.includes("mac") || name.includes("darwin"))) { downloadUrl = url; break; }
-      }
-      if (!downloadUrl && files[0]) downloadUrl = files[0].url || files[0].download_url;
-    }
-    if (downloadUrl) break;
-  }
-
-  if (!downloadUrl) {
-    console.log("  ✗ No downloadable files found on this license.");
-    console.log("    Email support@shardstitch.com for help.");
-    process.exit(1);
-  }
-
-  const exePath = join(INSTALL_DIR, EXE_NAME);
-  console.log(`  Downloading ShardStitch for ${PLATFORM}...`);
-
-  try {
-    await downloadFile(downloadUrl, exePath);
-  } catch (e) {
-    console.log(`  ✗ Download failed: ${e.message}`);
-    process.exit(1);
-  }
-
-  // Integrity check — verify the downloaded binary's SHA-256 against the manifest
-  // on our pinned domain BEFORE making it executable or running it. Fails closed.
-  const allowUnverified = process.argv.includes("--allow-unverified");
-  try {
-    const expected = (EMBEDDED_CHECKSUMS[PLATFORM] || "").toLowerCase();
-    const actual = (await sha256File(exePath)).toLowerCase();
-    if (!expected) {
-      throw new Error(`no published checksum for platform "${PLATFORM}"`);
-    }
-    if (actual !== expected) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
-      console.log("    the published checksum and was deleted. Do NOT run it.");
-      console.log(`    expected ${expected}`);
-      console.log(`    actual   ${actual}`);
-      console.log("    Report this to support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log("  ✓ Integrity verified (SHA-256).");
-  } catch (e) {
-    if (!allowUnverified) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
-      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
-      console.log("    (not recommended), or contact support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
-  }
-
-  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
-
-  saveActivation(key);
-
-  console.log(`  ✓ Installed to ${exePath}`);
-  console.log();
-  console.log("  Run `shardstitch` to launch the dashboard.");
-  console.log();
-}
-
-function cmdLaunch() {
-  const exe = findExe();
-  if (exe) {
-    console.log("  Starting ShardStitch...");
-    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
-    console.log("  Dashboard: http://127.0.0.1:8765");
-    process.exit(0);
-  }
-
-  console.log();
-  console.log("  ShardStitch — move your AI coding session between tools.");
-  console.log();
-  if (isActivated()) {
-    console.log("  App file not found. Re-run: shardstitch install <your-key>");
-  } else {
-    console.log("  Not installed. After purchase run:");
-    console.log("    shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get ShardStitch at: https://shardstitch.com");
-    console.log("  Launch week: $19 — lifetime license, zero cloud.");
-  }
-  console.log();
-  process.exit(1);
-}
-
-const args = process.argv.slice(2);
-if (args[0] === "install") {
-  if (!args[1]) {
-    console.log();
-    console.log("  Usage: shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get your key at: https://shardstitch.com");
-    console.log();
-    process.exit(1);
-  }
-  cmdInstall(args[1]).catch((e) => {
-    console.log("  ✗ Unexpected error:", e.message);
-    process.exit(1);
-  });
-} else {
-  cmdLaunch();
-}
+#!/usr/bin/env node
+// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
+// Finds a local install and starts the dashboard.
+// Run `shardstitch install <key>` after purchase to download the app.
+
+const { spawn } = require("child_process");
+const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
+const { join, dirname } = require("path");
+const { createHash } = require("crypto");
+const os = require("os");
+const https = require("https");
+const fs = require("fs");
+
+// The installer never talks to Polar or any storage host directly. It POSTs the
+// license key to a gated endpoint on our own domain (a Cloudflare Worker; see
+// cloudflare/download-worker/). That gate validates the key server-side, fetches
+// the paid binary from Polar on the customer's behalf, and streams it back with
+// the file's real SHA-256 in the X-Checksum-Sha256 header. The binary therefore
+// has no public URL and only a valid paid key can trigger a download.
+const GATE_URL = process.env.SHARDSTITCH_GATE_URL || "https://shardstitch.com/api/download";
+
+// Hard ceiling on the download so a misbehaving or impersonating gate cannot
+// fill the disk before the integrity check runs.
+const MAX_DOWNLOAD_BYTES = 500 * 1024 * 1024;
+
+const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
+const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
+const MACHINE_SALT = "shardstitch-activation/1";
+
+// --- Supply-chain hardening -------------------------------------------------
+// Primary integrity anchor: the gate streams the binary together with its real
+// SHA-256 (the checksum Polar computed for the uploaded file) in the
+// X-Checksum-Sha256 header. We hash the bytes we wrote and require an exact
+// match before the file is ever made executable or run. Fails CLOSED.
+//
+// Optional second anchor: a hash baked into this published package. Because npm
+// guarantees this file's integrity independently, a populated value here means
+// even a compromised gate cannot swap the binary. Leave it EMPTY to rely solely
+// on the gate/Polar checksum (no republish needed when the binary is rebuilt);
+// populate it (python tools/gen_checksums.py) to add the registry anchor at the
+// cost of republishing on every rebuild. Keep in lockstep with
+// packages/pypi/shardstitch/__init__.py _CHECKSUMS.
+const EMBEDDED_CHECKSUMS = {
+  windows: "",
+  linux: "",
+  mac: "",
+};
+
+// Downloads (and any redirect) are restricted to our own gate host.
+const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
+  "shardstitch.com",
+];
+
+function isTrustedHost(hostname) {
+  const h = (hostname || "").toLowerCase();
+  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
+    (suffix) => h === suffix || h.endsWith("." + suffix)
+  );
+}
+
+const PLATFORM = process.platform === "win32" ? "windows"
+               : process.platform === "darwin" ? "mac"
+               : "linux";
+
+const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
+
+const CANDIDATE_DIRS = [
+  process.env.SHARDSTITCH_HOME,
+  INSTALL_DIR,
+  join(os.homedir(), "ShardStitch"),
+  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
+  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
+].filter(Boolean);
+
+function findExe() {
+  for (const dir of CANDIDATE_DIRS) {
+    const p = join(dir, EXE_NAME);
+    if (existsSync(p)) return p;
+  }
+  return null;
+}
+
+function machineFingerprint() {
+  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
+  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
+}
+
+function activationSignature(key, store) {
+  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
+  return createHash("sha256").update(raw).digest("hex");
+}
+
+function saveActivation(key) {
+  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
+  const record = {
+    key,
+    store: "polar",
+    activatedAt: Math.floor(Date.now() / 1000),
+    signature: activationSignature(key, "polar"),
+  };
+  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
+}
+
+function isActivated() {
+  try {
+    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
+    return data.signature === activationSignature(data.key || "", data.store || "");
+  } catch {
+    return false;
+  }
+}
+
+// POST the key to the gate; stream the binary to dest; resolve with the
+// server-provided SHA-256 (X-Checksum-Sha256, lower-case) or "". Rejects with
+// the gate's JSON error code (e.g. "invalid_key") or "HTTP <status>".
+function downloadFromGate(key, platform, dest) {
+  return new Promise((resolve, reject) => {
+    let u;
+    try {
+      u = new URL(GATE_URL);
+    } catch {
+      return reject(new Error("Invalid gate URL"));
+    }
+    if (u.protocol !== "https:") {
+      return reject(new Error(`Refusing non-HTTPS gate (${u.protocol})`));
+    }
+    if (!isTrustedHost(u.hostname)) {
+      return reject(new Error(`Refusing untrusted gate host: ${u.hostname}`));
+    }
+
+    const payload = JSON.stringify({ key, platform });
+    mkdirSync(dirname(dest), { recursive: true });
+    const tmp = dest + ".tmp";
+    const file = createWriteStream(tmp);
+    let settled = false;
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      try { file.destroy(); } catch {}
+      try { fs.unlinkSync(tmp); } catch {}
+      reject(err);
+    };
+    // A mid-download disk failure emits 'error' on the write stream; route it
+    // through fail() so the partial .tmp is cleaned up instead of crashing.
+    file.on("error", fail);
+
+    const req = https.request({
+      hostname: u.hostname,
+      port: u.port || 443,
+      path: u.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+        "User-Agent": "ShardStitch-Installer/1.0",
+        "Accept": "application/octet-stream",
+      },
+    }, (res) => {
+      // The gate returns the binary on 200 and a JSON error otherwise. It does
+      // not redirect; treat any non-200 as an error.
+      if (res.statusCode !== 200) {
+        let b = "";
+        res.on("data", (c) => (b += c));
+        res.on("end", () => {
+          let code = "";
+          try { code = JSON.parse(b).error || ""; } catch {}
+          fail(new Error(code || `HTTP ${res.statusCode}`));
+        });
+        res.on("error", fail);
+        return;
+      }
+      const checksum = (res.headers["x-checksum-sha256"] || "").toLowerCase();
+      const total = parseInt(res.headers["content-length"] || "0", 10);
+      let done = 0;
+      res.on("data", (chunk) => {
+        done += chunk.length;
+        if (done > MAX_DOWNLOAD_BYTES) {
+          res.destroy();
+          return fail(new Error("download exceeded size limit"));
+        }
+        // Honor backpressure so a fast gate + slow disk doesn't buffer in memory.
+        if (!file.write(chunk)) {
+          res.pause();
+          file.once("drain", () => res.resume());
+        }
+        if (total) {
+          process.stdout.write(`\r  Downloading... ${Math.floor(done * 100 / total)}%`);
+        }
+      });
+      res.on("end", () => {
+        file.end(() => {
+          if (settled) return;
+          if (total) process.stdout.write("\n");
+          try {
+            renameSync(tmp, dest);
+          } catch (e) {
+            return fail(e);
+          }
+          settled = true;
+          resolve(checksum);
+        });
+      });
+      res.on("error", fail);
+    });
+    req.setTimeout(120000, () => req.destroy(new Error("gate timeout")));
+    req.on("error", fail);
+    req.write(payload);
+    req.end();
+  });
+}
+
+function sha256File(path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash("sha256");
+    const stream = fs.createReadStream(path);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+
+async function cmdInstall(key) {
+  key = key.trim();
+  console.log();
+  console.log("  ShardStitch — verifying license key & downloading...");
+  console.log();
+
+  const exePath = join(INSTALL_DIR, EXE_NAME);
+
+  let checksumHeader = "";
+  try {
+    checksumHeader = await downloadFromGate(key, PLATFORM, exePath);
+  } catch (e) {
+    const msg = String((e && e.message) || e);
+    if (msg.includes("invalid_key") || msg.includes("key_not_granted") ||
+        msg.includes("key_expired") || msg.includes("no_customer") || msg.includes("403")) {
+      console.log("  ✗ License key not valid or not active.");
+      console.log("    Check for typos, or email support@shardstitch.com.");
+    } else if (msg.includes("no_file_for_platform") || msg.includes("404")) {
+      console.log(`  ✗ No ${PLATFORM} build is available for this license yet.`);
+      console.log("    Email support@shardstitch.com.");
+    } else if (msg.includes("missing_key") || msg.includes("bad_platform") || msg.includes("bad_request")) {
+      console.log("  ✗ The installer sent a bad request. Update and retry:");
+      console.log("    npm install -g shardstitch@latest");
+    } else if (msg.includes("_failed") || msg.includes("server_misconfigured") ||
+               msg.includes("gate timeout") || msg.includes("size limit") ||
+               msg.includes("500") || msg.includes("502")) {
+      console.log("  ✗ The download service is temporarily unavailable.");
+      console.log("    Try again in a few minutes, or email support@shardstitch.com.");
+    } else {
+      console.log(`  ✗ Download failed: ${msg}`);
+      console.log("    Try again in a moment, or email support@shardstitch.com.");
+    }
+    process.exit(1);
+  }
+
+  // Integrity — verify the bytes we wrote against the gate's checksum (Polar's
+  // real SHA-256) and, if present, the embedded registry anchor. Fails closed.
+  const allowUnverified = process.argv.includes("--allow-unverified");
+  try {
+    const actual = (await sha256File(exePath)).toLowerCase();
+    const embedded = (EMBEDDED_CHECKSUMS[PLATFORM] || "").toLowerCase();
+    const mismatch = (label, expected) => {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
+      console.log(`    the ${label} checksum and was deleted. Do NOT run it.`);
+      console.log(`    expected ${expected}`);
+      console.log(`    actual   ${actual}`);
+      console.log("    Report this to support@shardstitch.com.");
+      process.exit(1);
+    };
+    let verified = false;
+    if (checksumHeader) {
+      if (actual !== checksumHeader) mismatch("server (Polar)", checksumHeader);
+      verified = true;
+    }
+    if (embedded) {
+      if (actual !== embedded) mismatch("published package", embedded);
+      verified = true;
+    }
+    if (!verified) {
+      throw new Error("the server did not provide a checksum to verify against");
+    }
+    console.log("  ✓ Integrity verified (SHA-256).");
+  } catch (e) {
+    if (!allowUnverified) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
+      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
+      console.log("    (not recommended), or contact support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
+  }
+
+  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
+
+  saveActivation(key);
+
+  console.log(`  ✓ Installed to ${exePath}`);
+  console.log();
+  console.log("  Run `shardstitch` to launch the dashboard.");
+  console.log();
+}
+
+function cmdLaunch() {
+  const exe = findExe();
+  if (exe) {
+    console.log("  Starting ShardStitch...");
+    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
+    console.log("  Dashboard: http://127.0.0.1:8765");
+    process.exit(0);
+  }
+
+  console.log();
+  console.log("  ShardStitch — move your AI coding session between tools.");
+  console.log();
+  if (isActivated()) {
+    console.log("  App file not found. Re-run: shardstitch install <your-key>");
+  } else {
+    console.log("  Not installed. After purchase run:");
+    console.log("    shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get ShardStitch at: https://shardstitch.com");
+    console.log("  Launch week: $19 — lifetime license, zero cloud.");
+  }
+  console.log();
+  process.exit(1);
+}
+
+const args = process.argv.slice(2);
+if (args[0] === "install") {
+  if (!args[1]) {
+    console.log();
+    console.log("  Usage: shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get your key at: https://shardstitch.com");
+    console.log();
+    process.exit(1);
+  }
+  cmdInstall(args[1]).catch((e) => {
+    console.log("  ✗ Unexpected error:", e.message);
+    process.exit(1);
+  });
+} else {
+  cmdLaunch();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shardstitch",
-  "version": "0.0.10",
+  "version": "0.0.11",
   "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 23 AI tools supported. Local-first, no telemetry. https://shardstitch.com",
   "homepage": "https://shardstitch.com",
   "bugs": {