npm - shardstitch - Versions diffs - 0.0.8 → 0.0.10 - Mend

shardstitch 0.0.8 → 0.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/LICENSE.txt CHANGED Viewed

@@ -1,6 +1,6 @@
 ShardStitch — Proprietary License
-Copyright (c) 2026 Roshan Dixit. All rights reserved.
+Copyright (c) 2026 ShardStitch. All rights reserved.
 This placeholder package may be installed and executed. The ShardStitch
 product is licensed separately at https://shardstitch.com. Redistribution

package/README.md CHANGED Viewed

@@ -1,65 +1,71 @@
-# ShardStitch
-**"Rate limit reached." "Context window full." "VRAM out of memory."**
-Your code is half-written. Your plan is in your head. ShardStitch captures your entire session — git diff, changed files, dependency graph, intent — and stitches it into the next AI tool. One hotkey. Keep building like nothing happened.
-## Install
-```bash
-npm install shardstitch
-npx shardstitch
-```
-## What it does
-When Claude, Cursor, Codex, or Gemini locks you out mid-session, ShardStitch:
-1. **Scans your project** — git diff, changed files, recent commits, your notes
-2. **Builds a dependency graph** — impact radius, architecture communities — and warns the next AI what's dangerous to touch
-3. **Generates a continuation prompt** formatted for the target tool
-4. **Injects it** into the tool's pickup file (CLAUDE.md, AGENTS.md, GEMINI.md, .cursorrules) for automatic discovery
-Under 30 seconds, end to end.
-## Not just for switching tools
-The same trick fixes a bloated session in the *same* tool. Long AI chats accumulate a huge context tree — token burn climbs, responses slow down, and eventually you hit "Service is busy" even with quota left. ShardStitch is the clean-restart button: extract a compact context, open a fresh window of the same tool, paste, keep going.
-## 22 supported AI tools
-Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, OpenCode, Trae, Factory Droid, OpenClaw, Amp, Cline, Roo Code, Kilo Code, Crush, Kimi, Qwen Code, and Antigravity.
-**Coming soon:** Cody, Continue, Replit Agent, JetBrains AI, Tabnine.
-## 7 surfaces
-- **Web dashboard** — scan, generate, copy, download
-- **VS Code / Cursor extension** — Alt+G hotkey
-- **MCP server** — Claude Code and Cursor call it directly
-- **CLI** — `npx shardstitch` or `shardstitch capture`
-- **Desktop app** — standalone Windows exe
-- **Autosave hooks** — auto-inject on session end
-- **Local LLM failover** — Ollama, vLLM, LM Studio (zero cloud)
-## Key features
-- **Per-agent formatting** — 22 format adapters, one for each tool
-- **AI task router** — semantic matching picks the best tool for each task
-- **Persistent memory** — project decisions survive across sessions
-- **Team coordination** — shared `.shardstitch/` directory
-- **Tamper-evident audit trail** — hash-chained timeline logs
-- **Dependency graph analysis** — impact radius, god nodes, architecture communities
-## 100% local
-Your code never leaves your machine. No cloud, no telemetry, no account required. All processing happens on your hardware.
-## Links
-- Website: https://shardstitch.com
-- GitHub: https://github.com/shardstitch/shardstitch
-- X / Twitter: https://x.com/ShardStitch
-- VS Code / Cursor Extension: https://marketplace.visualstudio.com/items?itemName=shardstitch.shardstitch
-- Changelog: https://github.com/shardstitch/shardstitch/releases
-- Support: support@shardstitch.com
+# ShardStitch
+**"Rate limit reached." "Context window full." "VRAM out of memory."**
+Your code is half-written. Your plan is in your head. ShardStitch captures your entire session — git diff, changed files, dependency graph, intent — and stitches it into the next AI tool. One hotkey. Keep building like nothing happened.
+## Install
+```bash
+npm install -g shardstitch              # installs the launcher
+shardstitch install <your-license-key>  # after purchase — downloads & activates the app
+shardstitch                             # launch the dashboard
+```
+ShardStitch is a **one-time purchase** (no subscription). `npm install` gives you the
+installer; activate it with the license key from your purchase email. Get a key at
+[shardstitch.com](https://shardstitch.com).
+## What it does
+When Claude, Cursor, Codex, or Gemini locks you out mid-session, ShardStitch:
+1. **Scans your project** — git diff, changed files, recent commits, your notes
+2. **Builds a dependency graph** — impact radius, architecture communities — and warns the next AI what's dangerous to touch
+3. **Generates a continuation prompt** formatted for the target tool
+4. **Injects it** into the tool's pickup file (CLAUDE.md, AGENTS.md, GEMINI.md, .cursorrules) for automatic discovery
+Under 30 seconds, end to end.
+## Not just for switching tools
+The same trick fixes a bloated session in the *same* tool. Long AI chats accumulate a huge context tree — token burn climbs, responses slow down, and eventually you hit "Service is busy" even with quota left. ShardStitch is the clean-restart button: extract a compact context, open a fresh window of the same tool, paste, keep going.
+## 23 supported AI tools
+Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, OpenCode, Trae, Factory Droid, OpenClaw, Amp, Cline, Roo Code, Kilo Code, Crush, Kimi, Qwen Code, Antigravity, and Grok.
+## 7 surfaces
+- **Web dashboard** — scan, generate, copy, download
+- **VS Code / Cursor extension** — Alt+G hotkey
+- **MCP server** — Claude Code, Cursor, and Windsurf call it directly
+- **CLI** — `npx shardstitch` or `shardstitch capture`
+- **Desktop app** — standalone Windows exe
+- **Autosave hooks** — auto-inject on session end
+- **Local LLM failover** — Ollama, vLLM, LM Studio (zero cloud)
+## Key features
+- **Per-agent formatting** — 22 per-agent format adapters across the 23 supported tools
+- **AI task router** — semantic matching picks the best tool for each task
+- **Persistent memory** — project decisions survive across sessions
+- **Team coordination** — shared `.shardstitch/` directory
+- **Tamper-evident audit trail** — hash-chained timeline logs
+- **Dependency graph analysis** — impact radius, god nodes, architecture communities
+## Local-first
+Your code and conversations never leave your machine — no telemetry, no cloud
+processing. The **only** network call is a single HTTPS request at activation to
+validate your license key; everything else runs entirely on your hardware.
+Activation needs a license key, not an account.
+## Links
+- Website: https://shardstitch.com
+- GitHub: https://github.com/shardstitch/shardstitch
+- X / Twitter: https://x.com/ShardStitch
+- VS Code / Cursor Extension: https://marketplace.visualstudio.com/items?itemName=shardstitch.shardstitch
+- Changelog: https://github.com/shardstitch/shardstitch/releases
+- Support: support@shardstitch.com

package/cli.js CHANGED Viewed

@@ -1,327 +1,334 @@
-#!/usr/bin/env node
-// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
-// Finds a local install and starts the dashboard.
-// Run `shardstitch install <key>` after purchase to download the app.
-const { spawnSync, spawn } = require("child_process");
-const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
-const { join, dirname } = require("path");
-const { createHash } = require("crypto");
-const os = require("os");
-const https = require("https");
-const fs = require("fs");
-const POLAR_ORG_ID = "8e901881-4e3d-4356-98fb-2511337101b1";
-const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
-const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
-const MACHINE_SALT = "shardstitch-activation/1";
-// --- Supply-chain hardening -------------------------------------------------
-// The binary SHA-256 is baked into this file at release time. No external
-// checksums.json needed — Polar delivers the file, we verify the hash locally.
-// Update these after every build before publishing.
-const CHECKSUMS = {
-  windows: "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-  linux:   "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-  mac:     "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-};
-const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
-  "shardstitch.com",
-  "polar.sh",
-  "polarsource.com",
-];
-function isTrustedHost(hostname) {
-  const h = (hostname || "").toLowerCase();
-  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
-    (suffix) => h === suffix || h.endsWith("." + suffix)
-  );
-}
-const PLATFORM = process.platform === "win32" ? "windows"
-               : process.platform === "darwin" ? "mac"
-               : "linux";
-const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
-const CANDIDATE_DIRS = [
-  process.env.SHARDSTITCH_HOME,
-  INSTALL_DIR,
-  join(os.homedir(), "ShardStitch"),
-  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
-  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
-].filter(Boolean);
-function findExe() {
-  for (const dir of CANDIDATE_DIRS) {
-    const p = join(dir, EXE_NAME);
-    if (existsSync(p)) return p;
-  }
-  return null;
-}
-function pythonCmd() {
-  for (const cmd of ["python", "python3", "py"]) {
-    const r = spawnSync(cmd, ["--version"], { stdio: "ignore", shell: false });
-    if (r.status === 0) return cmd;
-  }
-  return null;
-}
-function machineFingerprint() {
-  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
-  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
-}
-function activationSignature(key, store) {
-  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
-  return createHash("sha256").update(raw).digest("hex");
-}
-function saveActivation(key) {
-  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
-  const record = {
-    key,
-    store: "polar",
-    activatedAt: Math.floor(Date.now() / 1000),
-    signature: activationSignature(key, "polar"),
-  };
-  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
-}
-function isActivated() {
-  try {
-    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
-    return data.signature === activationSignature(data.key || "", data.store || "");
-  } catch {
-    return false;
-  }
-}
-function httpsPost(url, body) {
-  return new Promise((resolve, reject) => {
-    const u = new URL(url);
-    const data = JSON.stringify(body);
-    const req = https.request({
-      hostname: u.hostname,
-      path: u.pathname,
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Content-Length": Buffer.byteLength(data),
-        "User-Agent": "ShardStitch-Installer/1.0",
-      },
-    }, (res) => {
-      let body = "";
-      res.on("data", (c) => body += c);
-      res.on("end", () => {
-        if (res.statusCode >= 400) reject(new Error(`HTTP ${res.statusCode}: ${body}`));
-        else resolve(JSON.parse(body));
-      });
-    });
-    req.on("error", reject);
-    req.write(data);
-    req.end();
-  });
-}
-function downloadFile(url, dest) {
-  return new Promise((resolve, reject) => {
-    mkdirSync(dirname(dest), { recursive: true });
-    const tmp = dest + ".tmp";
-    const file = createWriteStream(tmp);
-    function follow(rawUrl) {
-      let u;
-      try {
-        u = new URL(rawUrl);
-      } catch {
-        return reject(new Error(`Refusing to download: invalid URL`));
-      }
-      // Fail closed on protocol downgrade or untrusted host (blocks open-redirect
-      // / MITM from pointing the download at an attacker-controlled binary).
-      if (u.protocol !== "https:") {
-        return reject(new Error(`Refusing non-HTTPS download (${u.protocol})`));
-      }
-      if (!isTrustedHost(u.hostname)) {
-        return reject(new Error(`Refusing download from untrusted host: ${u.hostname}`));
-      }
-      https.get(rawUrl, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          return follow(res.headers.location);
-        }
-        const total = parseInt(res.headers["content-length"] || "0");
-        let done = 0;
-        res.on("data", (chunk) => {
-          file.write(chunk);
-          done += chunk.length;
-          if (total) {
-            const pct = Math.floor(done * 100 / total);
-            process.stdout.write(`\r  Downloading... ${pct}%`);
-          }
-        });
-        res.on("end", () => {
-          file.end();
-          process.stdout.write("\n");
-          renameSync(tmp, dest);
-          resolve();
-        });
-        res.on("error", reject);
-      }).on("error", reject);
-    }
-    follow(url);
-  });
-}
-function sha256File(path) {
-  return new Promise((resolve, reject) => {
-    const hash = createHash("sha256");
-    const stream = fs.createReadStream(path);
-    stream.on("data", (chunk) => hash.update(chunk));
-    stream.on("end", () => resolve(hash.digest("hex")));
-    stream.on("error", reject);
-  });
-}
-async function cmdInstall(key) {
-  key = key.trim();
-  console.log();
-  console.log("  ShardStitch — verifying license key...");
-  let data;
-  try {
-    data = await httpsPost("https://api.polar.sh/v1/customer-portal/license-keys/validate", {
-      key,
-      organization_id: POLAR_ORG_ID,
-    });
-  } catch (e) {
-    console.log(`  ✗ ${e.message.includes("404") ? "Key not found. Check for typos or email support@shardstitch.com." : "Network error: " + e.message}`);
-    process.exit(1);
-  }
-  if (!["granted", "active"].includes(data.status) && !data.id) {
-    console.log("  ✗ Invalid license key.");
-    process.exit(1);
-  }
-  console.log("  ✓ License valid.");
-  console.log();
-  // Find download URL from benefit grants
-  let downloadUrl = null;
-  for (const grant of data.benefit_grants || []) {
-    if (grant.benefit?.type === "downloadables") {
-      const files = grant.properties?.files || [];
-      for (const f of files) {
-        const name = (f.name || "").toLowerCase();
-        const url = f.url || f.download_url;
-        if (!url) continue;
-        if (PLATFORM === "windows" && name.includes(".exe")) { downloadUrl = url; break; }
-        if (PLATFORM === "linux" && name.includes("linux")) { downloadUrl = url; break; }
-        if (PLATFORM === "mac" && (name.includes("mac") || name.includes("darwin"))) { downloadUrl = url; break; }
-      }
-      if (!downloadUrl && files[0]) downloadUrl = files[0].url || files[0].download_url;
-    }
-    if (downloadUrl) break;
-  }
-  if (!downloadUrl) {
-    console.log("  ✗ No downloadable files found on this license.");
-    console.log("    Email support@shardstitch.com for help.");
-    process.exit(1);
-  }
-  const exePath = join(INSTALL_DIR, EXE_NAME);
-  console.log(`  Downloading ShardStitch for ${PLATFORM}...`);
-  try {
-    await downloadFile(downloadUrl, exePath);
-  } catch (e) {
-    console.log(`  ✗ Download failed: ${e.message}`);
-    process.exit(1);
-  }
-  // Integrity check — verify the downloaded binary's SHA-256 against the manifest
-  // on our pinned domain BEFORE making it executable or running it. Fails closed.
-  const allowUnverified = process.argv.includes("--allow-unverified");
-  try {
-    const expected = (CHECKSUMS[PLATFORM] || "").toLowerCase();
-    const actual = (await sha256File(exePath)).toLowerCase();
-    if (!expected) {
-      throw new Error(`no published checksum for platform "${PLATFORM}"`);
-    }
-    if (actual !== expected) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
-      console.log("    the published checksum and was deleted. Do NOT run it.");
-      console.log(`    expected ${expected}`);
-      console.log(`    actual   ${actual}`);
-      console.log("    Report this to support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log("  ✓ Integrity verified (SHA-256).");
-  } catch (e) {
-    if (!allowUnverified) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
-      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
-      console.log("    (not recommended), or contact support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
-  }
-  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
-  saveActivation(key);
-  console.log(`  ✓ Installed to ${exePath}`);
-  console.log();
-  console.log("  Run `shardstitch` to launch the dashboard.");
-  console.log();
-}
-function cmdLaunch() {
-  const exe = findExe();
-  if (exe) {
-    console.log("  Starting ShardStitch...");
-    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
-    console.log("  Dashboard: http://127.0.0.1:8765");
-    process.exit(0);
-  }
-  console.log();
-  console.log("  ShardStitch — move your AI coding session between tools.");
-  console.log();
-  if (isActivated()) {
-    console.log("  App file not found. Re-run: shardstitch install <your-key>");
-  } else {
-    console.log("  Not installed. After purchase run:");
-    console.log("    shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get ShardStitch at: https://shardstitch.com");
-    console.log("  Launch week: $19 — lifetime license, zero cloud.");
-  }
-  console.log();
-  process.exit(1);
-}
-const args = process.argv.slice(2);
-if (args[0] === "install") {
-  if (!args[1]) {
-    console.log();
-    console.log("  Usage: shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get your key at: https://shardstitch.com");
-    console.log();
-    process.exit(1);
-  }
-  cmdInstall(args[1]).catch((e) => {
-    console.log("  ✗ Unexpected error:", e.message);
-    process.exit(1);
-  });
-} else {
-  cmdLaunch();
-}
+#!/usr/bin/env node
+// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
+// Finds a local install and starts the dashboard.
+// Run `shardstitch install <key>` after purchase to download the app.
+const { spawnSync, spawn } = require("child_process");
+const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
+const { join, dirname } = require("path");
+const { createHash } = require("crypto");
+const os = require("os");
+const https = require("https");
+const fs = require("fs");
+const POLAR_ORG_ID = "8e901881-4e3d-4356-98fb-2511337101b1";
+const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
+const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
+const MACHINE_SALT = "shardstitch-activation/1";
+// --- Supply-chain hardening -------------------------------------------------
+// The binary is downloaded over HTTPS and its SHA-256 is verified against the
+// hashes EMBEDDED in this published package BEFORE it is ever made executable
+// or run. Embedding (rather than fetching a manifest from the same host that
+// serves the binary) means a compromised download origin cannot swap the
+// binary without also defeating npm's own package integrity — a strictly
+// stronger trust anchor. Downloads (and any redirects) are additionally
+// restricted to an allowlist of trusted hosts. See SECURITY.md.
+//
+// Keep in lockstep with packages/pypi/shardstitch/__init__.py _CHECKSUMS.
+// Regenerate with: python tools/gen_checksums.py. An empty string means "no
+// binary published for this platform yet" — cmdInstall fails CLOSED on it.
+const EMBEDDED_CHECKSUMS = {
+  windows: "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
+  linux: "",
+  mac: "",
+};
+const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
+  "shardstitch.com",
+  "polar.sh",
+  "polarsource.com",
+];
+function isTrustedHost(hostname) {
+  const h = (hostname || "").toLowerCase();
+  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
+    (suffix) => h === suffix || h.endsWith("." + suffix)
+  );
+}
+const PLATFORM = process.platform === "win32" ? "windows"
+               : process.platform === "darwin" ? "mac"
+               : "linux";
+const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
+const CANDIDATE_DIRS = [
+  process.env.SHARDSTITCH_HOME,
+  INSTALL_DIR,
+  join(os.homedir(), "ShardStitch"),
+  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
+  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
+].filter(Boolean);
+function findExe() {
+  for (const dir of CANDIDATE_DIRS) {
+    const p = join(dir, EXE_NAME);
+    if (existsSync(p)) return p;
+  }
+  return null;
+}
+function pythonCmd() {
+  for (const cmd of ["python", "python3", "py"]) {
+    const r = spawnSync(cmd, ["--version"], { stdio: "ignore", shell: false });
+    if (r.status === 0) return cmd;
+  }
+  return null;
+}
+function machineFingerprint() {
+  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
+  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
+}
+function activationSignature(key, store) {
+  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
+  return createHash("sha256").update(raw).digest("hex");
+}
+function saveActivation(key) {
+  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
+  const record = {
+    key,
+    store: "polar",
+    activatedAt: Math.floor(Date.now() / 1000),
+    signature: activationSignature(key, "polar"),
+  };
+  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
+}
+function isActivated() {
+  try {
+    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
+    return data.signature === activationSignature(data.key || "", data.store || "");
+  } catch {
+    return false;
+  }
+}
+function httpsPost(url, body) {
+  return new Promise((resolve, reject) => {
+    const u = new URL(url);
+    const data = JSON.stringify(body);
+    const req = https.request({
+      hostname: u.hostname,
+      path: u.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(data),
+        "User-Agent": "ShardStitch-Installer/1.0",
+      },
+    }, (res) => {
+      let body = "";
+      res.on("data", (c) => body += c);
+      res.on("end", () => {
+        if (res.statusCode >= 400) reject(new Error(`HTTP ${res.statusCode}: ${body}`));
+        else resolve(JSON.parse(body));
+      });
+    });
+    req.on("error", reject);
+    req.write(data);
+    req.end();
+  });
+}
+function downloadFile(url, dest) {
+  return new Promise((resolve, reject) => {
+    mkdirSync(dirname(dest), { recursive: true });
+    const tmp = dest + ".tmp";
+    const file = createWriteStream(tmp);
+    function follow(rawUrl) {
+      let u;
+      try {
+        u = new URL(rawUrl);
+      } catch {
+        return reject(new Error(`Refusing to download: invalid URL`));
+      }
+      // Fail closed on protocol downgrade or untrusted host (blocks open-redirect
+      // / MITM from pointing the download at an attacker-controlled binary).
+      if (u.protocol !== "https:") {
+        return reject(new Error(`Refusing non-HTTPS download (${u.protocol})`));
+      }
+      if (!isTrustedHost(u.hostname)) {
+        return reject(new Error(`Refusing download from untrusted host: ${u.hostname}`));
+      }
+      https.get(rawUrl, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
+        if (res.statusCode === 301 || res.statusCode === 302) {
+          return follow(res.headers.location);
+        }
+        const total = parseInt(res.headers["content-length"] || "0");
+        let done = 0;
+        res.on("data", (chunk) => {
+          file.write(chunk);
+          done += chunk.length;
+          if (total) {
+            const pct = Math.floor(done * 100 / total);
+            process.stdout.write(`\r  Downloading... ${pct}%`);
+          }
+        });
+        res.on("end", () => {
+          file.end();
+          process.stdout.write("\n");
+          renameSync(tmp, dest);
+          resolve();
+        });
+        res.on("error", reject);
+      }).on("error", reject);
+    }
+    follow(url);
+  });
+}
+function sha256File(path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash("sha256");
+    const stream = fs.createReadStream(path);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+async function cmdInstall(key) {
+  key = key.trim();
+  console.log();
+  console.log("  ShardStitch — verifying license key...");
+  let data;
+  try {
+    data = await httpsPost("https://api.polar.sh/v1/customer-portal/license-keys/validate", {
+      key,
+      organization_id: POLAR_ORG_ID,
+    });
+  } catch (e) {
+    console.log(`  ✗ ${e.message.includes("404") ? "Key not found. Check for typos or email support@shardstitch.com." : "Network error: " + e.message}`);
+    process.exit(1);
+  }
+  if (!["granted", "active"].includes(data.status) && !data.id) {
+    console.log("  ✗ Invalid license key.");
+    process.exit(1);
+  }
+  console.log("  ✓ License valid.");
+  console.log();
+  // Find download URL from benefit grants
+  let downloadUrl = null;
+  for (const grant of data.benefit_grants || []) {
+    if (grant.benefit?.type === "downloadables") {
+      const files = grant.properties?.files || [];
+      for (const f of files) {
+        const name = (f.name || "").toLowerCase();
+        const url = f.url || f.download_url;
+        if (!url) continue;
+        if (PLATFORM === "windows" && name.includes(".exe")) { downloadUrl = url; break; }
+        if (PLATFORM === "linux" && name.includes("linux")) { downloadUrl = url; break; }
+        if (PLATFORM === "mac" && (name.includes("mac") || name.includes("darwin"))) { downloadUrl = url; break; }
+      }
+      if (!downloadUrl && files[0]) downloadUrl = files[0].url || files[0].download_url;
+    }
+    if (downloadUrl) break;
+  }
+  if (!downloadUrl) {
+    console.log("  ✗ No downloadable files found on this license.");
+    console.log("    Email support@shardstitch.com for help.");
+    process.exit(1);
+  }
+  const exePath = join(INSTALL_DIR, EXE_NAME);
+  console.log(`  Downloading ShardStitch for ${PLATFORM}...`);
+  try {
+    await downloadFile(downloadUrl, exePath);
+  } catch (e) {
+    console.log(`  ✗ Download failed: ${e.message}`);
+    process.exit(1);
+  }
+  // Integrity check — verify the downloaded binary's SHA-256 against the manifest
+  // on our pinned domain BEFORE making it executable or running it. Fails closed.
+  const allowUnverified = process.argv.includes("--allow-unverified");
+  try {
+    const expected = (EMBEDDED_CHECKSUMS[PLATFORM] || "").toLowerCase();
+    const actual = (await sha256File(exePath)).toLowerCase();
+    if (!expected) {
+      throw new Error(`no published checksum for platform "${PLATFORM}"`);
+    }
+    if (actual !== expected) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
+      console.log("    the published checksum and was deleted. Do NOT run it.");
+      console.log(`    expected ${expected}`);
+      console.log(`    actual   ${actual}`);
+      console.log("    Report this to support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log("  ✓ Integrity verified (SHA-256).");
+  } catch (e) {
+    if (!allowUnverified) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
+      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
+      console.log("    (not recommended), or contact support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
+  }
+  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
+  saveActivation(key);
+  console.log(`  ✓ Installed to ${exePath}`);
+  console.log();
+  console.log("  Run `shardstitch` to launch the dashboard.");
+  console.log();
+}
+function cmdLaunch() {
+  const exe = findExe();
+  if (exe) {
+    console.log("  Starting ShardStitch...");
+    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
+    console.log("  Dashboard: http://127.0.0.1:8765");
+    process.exit(0);
+  }
+  console.log();
+  console.log("  ShardStitch — move your AI coding session between tools.");
+  console.log();
+  if (isActivated()) {
+    console.log("  App file not found. Re-run: shardstitch install <your-key>");
+  } else {
+    console.log("  Not installed. After purchase run:");
+    console.log("    shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get ShardStitch at: https://shardstitch.com");
+    console.log("  Launch week: $19 — lifetime license, zero cloud.");
+  }
+  console.log();
+  process.exit(1);
+}
+const args = process.argv.slice(2);
+if (args[0] === "install") {
+  if (!args[1]) {
+    console.log();
+    console.log("  Usage: shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get your key at: https://shardstitch.com");
+    console.log();
+    process.exit(1);
+  }
+  cmdInstall(args[1]).catch((e) => {
+    console.log("  ✗ Unexpected error:", e.message);
+    process.exit(1);
+  });
+} else {
+  cmdLaunch();
+}

package/package.json CHANGED Viewed

@@ -1,37 +1,37 @@
-{
-  "name": "shardstitch",
-  "version": "0.0.8",
-  "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 22 AI tools supported. 100% local, zero telemetry. https://shardstitch.com",
-  "homepage": "https://shardstitch.com",
-  "bugs": {
-    "url": "https://github.com/shardstitch/shardstitch/issues"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/shardstitch/shardstitch.git"
-  },
-  "funding": {
-    "url": "https://shardstitch.com"
-  },
-  "keywords": [
-    "ai",
-    "claude",
-    "cursor",
-    "codex",
-    "gemini",
-    "context",
-    "handoff",
-    "rate-limit",
-    "developer-tools"
-  ],
-  "author": "ShardStitch <support@shardstitch.com>",
-  "license": "SEE LICENSE IN LICENSE.txt",
-  "bin": {
-    "shardstitch": "cli.js"
-  },
-  "files": [
-    "cli.js",
-    "LICENSE.txt",
-    "README.md"
-  ]
-}
+{
+  "name": "shardstitch",
+  "version": "0.0.10",
+  "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 23 AI tools supported. Local-first, no telemetry. https://shardstitch.com",
+  "homepage": "https://shardstitch.com",
+  "bugs": {
+    "url": "https://github.com/shardstitch/shardstitch/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/shardstitch/shardstitch.git"
+  },
+  "funding": {
+    "url": "https://shardstitch.com"
+  },
+  "keywords": [
+    "ai",
+    "claude",
+    "cursor",
+    "codex",
+    "gemini",
+    "context",
+    "handoff",
+    "rate-limit",
+    "developer-tools"
+  ],
+  "author": "ShardStitch <support@shardstitch.com>",
+  "license": "SEE LICENSE IN LICENSE.txt",
+  "bin": {
+    "shardstitch": "cli.js"
+  },
+  "files": [
+    "cli.js",
+    "LICENSE.txt",
+    "README.md"
+  ]
+}