npm - shardstitch - Versions diffs - 0.0.9 → 0.0.11 - Mend

shardstitch 0.0.9 → 0.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,65 +1,71 @@
-# ShardStitch
-**"Rate limit reached." "Context window full." "VRAM out of memory."**
-Your code is half-written. Your plan is in your head. ShardStitch captures your entire session — git diff, changed files, dependency graph, intent — and stitches it into the next AI tool. One hotkey. Keep building like nothing happened.
-## Install
-```bash
-npm install shardstitch
-npx shardstitch
-```
-## What it does
-When Claude, Cursor, Codex, or Gemini locks you out mid-session, ShardStitch:
-1. **Scans your project** — git diff, changed files, recent commits, your notes
-2. **Builds a dependency graph** — impact radius, architecture communities — and warns the next AI what's dangerous to touch
-3. **Generates a continuation prompt** formatted for the target tool
-4. **Injects it** into the tool's pickup file (CLAUDE.md, AGENTS.md, GEMINI.md, .cursorrules) for automatic discovery
-Under 30 seconds, end to end.
-## Not just for switching tools
-The same trick fixes a bloated session in the *same* tool. Long AI chats accumulate a huge context tree — token burn climbs, responses slow down, and eventually you hit "Service is busy" even with quota left. ShardStitch is the clean-restart button: extract a compact context, open a fresh window of the same tool, paste, keep going.
-## 22 supported AI tools
-Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, OpenCode, Trae, Factory Droid, OpenClaw, Amp, Cline, Roo Code, Kilo Code, Crush, Kimi, Qwen Code, and Antigravity.
-**Coming soon:** Cody, Continue, Replit Agent, JetBrains AI, Tabnine.
-## 7 surfaces
-- **Web dashboard** — scan, generate, copy, download
-- **VS Code / Cursor extension** — Alt+G hotkey
-- **MCP server** — Claude Code and Cursor call it directly
-- **CLI** — `npx shardstitch` or `shardstitch capture`
-- **Desktop app** — standalone Windows exe
-- **Autosave hooks** — auto-inject on session end
-- **Local LLM failover** — Ollama, vLLM, LM Studio (zero cloud)
-## Key features
-- **Per-agent formatting** — 22 format adapters, one for each tool
-- **AI task router** — semantic matching picks the best tool for each task
-- **Persistent memory** — project decisions survive across sessions
-- **Team coordination** — shared `.shardstitch/` directory
-- **Tamper-evident audit trail** — hash-chained timeline logs
-- **Dependency graph analysis** — impact radius, god nodes, architecture communities
-## 100% local
-Your code never leaves your machine. No cloud, no telemetry, no account required. All processing happens on your hardware.
-## Links
-- Website: https://shardstitch.com
-- GitHub: https://github.com/shardstitch/shardstitch
-- X / Twitter: https://x.com/ShardStitch
-- VS Code / Cursor Extension: https://marketplace.visualstudio.com/items?itemName=shardstitch.shardstitch
-- Changelog: https://github.com/shardstitch/shardstitch/releases
-- Support: support@shardstitch.com
+# ShardStitch
+**"Rate limit reached." "Context window full." "VRAM out of memory."**
+Your code is half-written. Your plan is in your head. ShardStitch captures your entire session — git diff, changed files, dependency graph, intent — and stitches it into the next AI tool. One hotkey. Keep building like nothing happened.
+## Install
+```bash
+npm install -g shardstitch              # installs the launcher
+shardstitch install <your-license-key>  # after purchase — downloads & activates the app
+shardstitch                             # launch the dashboard
+```
+ShardStitch is a **one-time purchase** (no subscription). `npm install` gives you the
+installer; activate it with the license key from your purchase email. Get a key at
+[shardstitch.com](https://shardstitch.com).
+## What it does
+When Claude, Cursor, Codex, or Gemini locks you out mid-session, ShardStitch:
+1. **Scans your project** — git diff, changed files, recent commits, your notes
+2. **Builds a dependency graph** — impact radius, architecture communities — and warns the next AI what's dangerous to touch
+3. **Generates a continuation prompt** formatted for the target tool
+4. **Injects it** into the tool's pickup file (CLAUDE.md, AGENTS.md, GEMINI.md, .cursorrules) for automatic discovery
+Under 30 seconds, end to end.
+## Not just for switching tools
+The same trick fixes a bloated session in the *same* tool. Long AI chats accumulate a huge context tree — token burn climbs, responses slow down, and eventually you hit "Service is busy" even with quota left. ShardStitch is the clean-restart button: extract a compact context, open a fresh window of the same tool, paste, keep going.
+## 23 supported AI tools
+Claude Code, Claude Desktop, Cursor, Codex CLI, Gemini CLI, Windsurf, Aider, Kiro, Amazon Q Developer, DeepSeek, OpenCode, Trae, Factory Droid, OpenClaw, Amp, Cline, Roo Code, Kilo Code, Crush, Kimi, Qwen Code, Antigravity, and Grok.
+## 7 surfaces
+- **Web dashboard** — scan, generate, copy, download
+- **VS Code / Cursor extension** — Alt+G hotkey
+- **MCP server** — Claude Code, Cursor, and Windsurf call it directly
+- **CLI** — `npx shardstitch` or `shardstitch capture`
+- **Desktop app** — standalone Windows exe
+- **Autosave hooks** — auto-inject on session end
+- **Local LLM failover** — Ollama, vLLM, LM Studio (zero cloud)
+## Key features
+- **Per-agent formatting** — 22 per-agent format adapters across the 23 supported tools
+- **AI task router** — semantic matching picks the best tool for each task
+- **Persistent memory** — project decisions survive across sessions
+- **Team coordination** — shared `.shardstitch/` directory
+- **Tamper-evident audit trail** — hash-chained timeline logs
+- **Dependency graph analysis** — impact radius, god nodes, architecture communities
+## Local-first
+Your code and conversations never leave your machine — no telemetry, no cloud
+processing. The **only** network call is a single HTTPS request at activation to
+validate your license key; everything else runs entirely on your hardware.
+Activation needs a license key, not an account.
+## Links
+- Website: https://shardstitch.com
+- GitHub: https://github.com/shardstitch/shardstitch
+- X / Twitter: https://x.com/ShardStitch
+- VS Code / Cursor Extension: https://marketplace.visualstudio.com/items?itemName=shardstitch.shardstitch
+- Changelog: https://github.com/shardstitch/shardstitch/releases
+- Support: support@shardstitch.com

package/cli.js CHANGED Viewed

@@ -1,327 +1,347 @@
-#!/usr/bin/env node
-// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
-// Finds a local install and starts the dashboard.
-// Run `shardstitch install <key>` after purchase to download the app.
-const { spawnSync, spawn } = require("child_process");
-const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
-const { join, dirname } = require("path");
-const { createHash } = require("crypto");
-const os = require("os");
-const https = require("https");
-const fs = require("fs");
-const POLAR_ORG_ID = "8e901881-4e3d-4356-98fb-2511337101b1";
-const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
-const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
-const MACHINE_SALT = "shardstitch-activation/1";
-// --- Supply-chain hardening -------------------------------------------------
-// The binary SHA-256 is baked into this file at release time. No external
-// checksums.json needed — Polar delivers the file, we verify the hash locally.
-// Update these after every build before publishing.
-const CHECKSUMS = {
-  windows: "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-  linux:   "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-  mac:     "14642911d2f2fee8baf92ad30948b96e01dbd66167bab3ab0cbf443a33ea58a6",
-};
-const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
-  "shardstitch.com",
-  "polar.sh",
-  "polarsource.com",
-];
-function isTrustedHost(hostname) {
-  const h = (hostname || "").toLowerCase();
-  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
-    (suffix) => h === suffix || h.endsWith("." + suffix)
-  );
-}
-const PLATFORM = process.platform === "win32" ? "windows"
-               : process.platform === "darwin" ? "mac"
-               : "linux";
-const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
-const CANDIDATE_DIRS = [
-  process.env.SHARDSTITCH_HOME,
-  INSTALL_DIR,
-  join(os.homedir(), "ShardStitch"),
-  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
-  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
-].filter(Boolean);
-function findExe() {
-  for (const dir of CANDIDATE_DIRS) {
-    const p = join(dir, EXE_NAME);
-    if (existsSync(p)) return p;
-  }
-  return null;
-}
-function pythonCmd() {
-  for (const cmd of ["python", "python3", "py"]) {
-    const r = spawnSync(cmd, ["--version"], { stdio: "ignore", shell: false });
-    if (r.status === 0) return cmd;
-  }
-  return null;
-}
-function machineFingerprint() {
-  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
-  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
-}
-function activationSignature(key, store) {
-  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
-  return createHash("sha256").update(raw).digest("hex");
-}
-function saveActivation(key) {
-  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
-  const record = {
-    key,
-    store: "polar",
-    activatedAt: Math.floor(Date.now() / 1000),
-    signature: activationSignature(key, "polar"),
-  };
-  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
-}
-function isActivated() {
-  try {
-    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
-    return data.signature === activationSignature(data.key || "", data.store || "");
-  } catch {
-    return false;
-  }
-}
-function httpsPost(url, body) {
-  return new Promise((resolve, reject) => {
-    const u = new URL(url);
-    const data = JSON.stringify(body);
-    const req = https.request({
-      hostname: u.hostname,
-      path: u.pathname,
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Content-Length": Buffer.byteLength(data),
-        "User-Agent": "ShardStitch-Installer/1.0",
-      },
-    }, (res) => {
-      let body = "";
-      res.on("data", (c) => body += c);
-      res.on("end", () => {
-        if (res.statusCode >= 400) reject(new Error(`HTTP ${res.statusCode}: ${body}`));
-        else resolve(JSON.parse(body));
-      });
-    });
-    req.on("error", reject);
-    req.write(data);
-    req.end();
-  });
-}
-function downloadFile(url, dest) {
-  return new Promise((resolve, reject) => {
-    mkdirSync(dirname(dest), { recursive: true });
-    const tmp = dest + ".tmp";
-    const file = createWriteStream(tmp);
-    function follow(rawUrl) {
-      let u;
-      try {
-        u = new URL(rawUrl);
-      } catch {
-        return reject(new Error(`Refusing to download: invalid URL`));
-      }
-      // Fail closed on protocol downgrade or untrusted host (blocks open-redirect
-      // / MITM from pointing the download at an attacker-controlled binary).
-      if (u.protocol !== "https:") {
-        return reject(new Error(`Refusing non-HTTPS download (${u.protocol})`));
-      }
-      if (!isTrustedHost(u.hostname)) {
-        return reject(new Error(`Refusing download from untrusted host: ${u.hostname}`));
-      }
-      https.get(rawUrl, { headers: { "User-Agent": "ShardStitch-Installer/1.0" } }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          return follow(res.headers.location);
-        }
-        const total = parseInt(res.headers["content-length"] || "0");
-        let done = 0;
-        res.on("data", (chunk) => {
-          file.write(chunk);
-          done += chunk.length;
-          if (total) {
-            const pct = Math.floor(done * 100 / total);
-            process.stdout.write(`\r  Downloading... ${pct}%`);
-          }
-        });
-        res.on("end", () => {
-          file.end();
-          process.stdout.write("\n");
-          renameSync(tmp, dest);
-          resolve();
-        });
-        res.on("error", reject);
-      }).on("error", reject);
-    }
-    follow(url);
-  });
-}
-function sha256File(path) {
-  return new Promise((resolve, reject) => {
-    const hash = createHash("sha256");
-    const stream = fs.createReadStream(path);
-    stream.on("data", (chunk) => hash.update(chunk));
-    stream.on("end", () => resolve(hash.digest("hex")));
-    stream.on("error", reject);
-  });
-}
-async function cmdInstall(key) {
-  key = key.trim();
-  console.log();
-  console.log("  ShardStitch — verifying license key...");
-  let data;
-  try {
-    data = await httpsPost("https://api.polar.sh/v1/customer-portal/license-keys/validate", {
-      key,
-      organization_id: POLAR_ORG_ID,
-    });
-  } catch (e) {
-    console.log(`  ✗ ${e.message.includes("404") ? "Key not found. Check for typos or email support@shardstitch.com." : "Network error: " + e.message}`);
-    process.exit(1);
-  }
-  if (!["granted", "active"].includes(data.status) && !data.id) {
-    console.log("  ✗ Invalid license key.");
-    process.exit(1);
-  }
-  console.log("  ✓ License valid.");
-  console.log();
-  // Find download URL from benefit grants
-  let downloadUrl = null;
-  for (const grant of data.benefit_grants || []) {
-    if (grant.benefit?.type === "downloadables") {
-      const files = grant.properties?.files || [];
-      for (const f of files) {
-        const name = (f.name || "").toLowerCase();
-        const url = f.url || f.download_url;
-        if (!url) continue;
-        if (PLATFORM === "windows" && name.includes(".exe")) { downloadUrl = url; break; }
-        if (PLATFORM === "linux" && name.includes("linux")) { downloadUrl = url; break; }
-        if (PLATFORM === "mac" && (name.includes("mac") || name.includes("darwin"))) { downloadUrl = url; break; }
-      }
-      if (!downloadUrl && files[0]) downloadUrl = files[0].url || files[0].download_url;
-    }
-    if (downloadUrl) break;
-  }
-  if (!downloadUrl) {
-    console.log("  ✗ No downloadable files found on this license.");
-    console.log("    Email support@shardstitch.com for help.");
-    process.exit(1);
-  }
-  const exePath = join(INSTALL_DIR, EXE_NAME);
-  console.log(`  Downloading ShardStitch for ${PLATFORM}...`);
-  try {
-    await downloadFile(downloadUrl, exePath);
-  } catch (e) {
-    console.log(`  ✗ Download failed: ${e.message}`);
-    process.exit(1);
-  }
-  // Integrity check — verify the downloaded binary's SHA-256 against the manifest
-  // on our pinned domain BEFORE making it executable or running it. Fails closed.
-  const allowUnverified = process.argv.includes("--allow-unverified");
-  try {
-    const expected = (CHECKSUMS[PLATFORM] || "").toLowerCase();
-    const actual = (await sha256File(exePath)).toLowerCase();
-    if (!expected) {
-      throw new Error(`no published checksum for platform "${PLATFORM}"`);
-    }
-    if (actual !== expected) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
-      console.log("    the published checksum and was deleted. Do NOT run it.");
-      console.log(`    expected ${expected}`);
-      console.log(`    actual   ${actual}`);
-      console.log("    Report this to support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log("  ✓ Integrity verified (SHA-256).");
-  } catch (e) {
-    if (!allowUnverified) {
-      try { fs.unlinkSync(exePath); } catch {}
-      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
-      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
-      console.log("    (not recommended), or contact support@shardstitch.com.");
-      process.exit(1);
-    }
-    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
-  }
-  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
-  saveActivation(key);
-  console.log(`  ✓ Installed to ${exePath}`);
-  console.log();
-  console.log("  Run `shardstitch` to launch the dashboard.");
-  console.log();
-}
-function cmdLaunch() {
-  const exe = findExe();
-  if (exe) {
-    console.log("  Starting ShardStitch...");
-    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
-    console.log("  Dashboard: http://127.0.0.1:8765");
-    process.exit(0);
-  }
-  console.log();
-  console.log("  ShardStitch — move your AI coding session between tools.");
-  console.log();
-  if (isActivated()) {
-    console.log("  App file not found. Re-run: shardstitch install <your-key>");
-  } else {
-    console.log("  Not installed. After purchase run:");
-    console.log("    shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get ShardStitch at: https://shardstitch.com");
-    console.log("  Launch week: $19 — lifetime license, zero cloud.");
-  }
-  console.log();
-  process.exit(1);
-}
-const args = process.argv.slice(2);
-if (args[0] === "install") {
-  if (!args[1]) {
-    console.log();
-    console.log("  Usage: shardstitch install <your-license-key>");
-    console.log();
-    console.log("  Get your key at: https://shardstitch.com");
-    console.log();
-    process.exit(1);
-  }
-  cmdInstall(args[1]).catch((e) => {
-    console.log("  ✗ Unexpected error:", e.message);
-    process.exit(1);
-  });
-} else {
-  cmdLaunch();
-}
+#!/usr/bin/env node
+// ShardStitch launcher — `shardstitch` or `shardstitch install <key>`
+// Finds a local install and starts the dashboard.
+// Run `shardstitch install <key>` after purchase to download the app.
+const { spawn } = require("child_process");
+const { existsSync, mkdirSync, createWriteStream, chmodSync, renameSync } = require("fs");
+const { join, dirname } = require("path");
+const { createHash } = require("crypto");
+const os = require("os");
+const https = require("https");
+const fs = require("fs");
+// The installer never talks to Polar or any storage host directly. It POSTs the
+// license key to a gated endpoint on our own domain (a Cloudflare Worker; see
+// cloudflare/download-worker/). That gate validates the key server-side, fetches
+// the paid binary from Polar on the customer's behalf, and streams it back with
+// the file's real SHA-256 in the X-Checksum-Sha256 header. The binary therefore
+// has no public URL and only a valid paid key can trigger a download.
+const GATE_URL = process.env.SHARDSTITCH_GATE_URL || "https://shardstitch.com/api/download";
+// Hard ceiling on the download so a misbehaving or impersonating gate cannot
+// fill the disk before the integrity check runs.
+const MAX_DOWNLOAD_BYTES = 500 * 1024 * 1024;
+const INSTALL_DIR = join(os.homedir(), ".shardstitch", "app");
+const ACTIVATION_FILE = join(os.homedir(), ".shardstitch", "activation.json");
+const MACHINE_SALT = "shardstitch-activation/1";
+// --- Supply-chain hardening -------------------------------------------------
+// Primary integrity anchor: the gate streams the binary together with its real
+// SHA-256 (the checksum Polar computed for the uploaded file) in the
+// X-Checksum-Sha256 header. We hash the bytes we wrote and require an exact
+// match before the file is ever made executable or run. Fails CLOSED.
+//
+// Optional second anchor: a hash baked into this published package. Because npm
+// guarantees this file's integrity independently, a populated value here means
+// even a compromised gate cannot swap the binary. Leave it EMPTY to rely solely
+// on the gate/Polar checksum (no republish needed when the binary is rebuilt);
+// populate it (python tools/gen_checksums.py) to add the registry anchor at the
+// cost of republishing on every rebuild. Keep in lockstep with
+// packages/pypi/shardstitch/__init__.py _CHECKSUMS.
+const EMBEDDED_CHECKSUMS = {
+  windows: "",
+  linux: "",
+  mac: "",
+};
+// Downloads (and any redirect) are restricted to our own gate host.
+const TRUSTED_DOWNLOAD_HOST_SUFFIXES = [
+  "shardstitch.com",
+];
+function isTrustedHost(hostname) {
+  const h = (hostname || "").toLowerCase();
+  return TRUSTED_DOWNLOAD_HOST_SUFFIXES.some(
+    (suffix) => h === suffix || h.endsWith("." + suffix)
+  );
+}
+const PLATFORM = process.platform === "win32" ? "windows"
+               : process.platform === "darwin" ? "mac"
+               : "linux";
+const EXE_NAME = PLATFORM === "windows" ? "ShardStitch.exe" : "shardstitch";
+const CANDIDATE_DIRS = [
+  process.env.SHARDSTITCH_HOME,
+  INSTALL_DIR,
+  join(os.homedir(), "ShardStitch"),
+  PLATFORM === "windows" ? join(process.env.LOCALAPPDATA || "", "ShardStitch") : null,
+  PLATFORM === "windows" ? "C:\\Program Files\\ShardStitch" : "/opt/shardstitch",
+].filter(Boolean);
+function findExe() {
+  for (const dir of CANDIDATE_DIRS) {
+    const p = join(dir, EXE_NAME);
+    if (existsSync(p)) return p;
+  }
+  return null;
+}
+function machineFingerprint() {
+  const raw = `${MACHINE_SALT}|${process.env.COMPUTERNAME || ""}|${process.env.USERNAME || os.userInfo().username}`;
+  return createHash("sha256").update(raw).digest("hex").slice(0, 16);
+}
+function activationSignature(key, store) {
+  const raw = `${MACHINE_SALT}|${key}|${store}|${machineFingerprint()}`;
+  return createHash("sha256").update(raw).digest("hex");
+}
+function saveActivation(key) {
+  mkdirSync(dirname(ACTIVATION_FILE), { recursive: true });
+  const record = {
+    key,
+    store: "polar",
+    activatedAt: Math.floor(Date.now() / 1000),
+    signature: activationSignature(key, "polar"),
+  };
+  fs.writeFileSync(ACTIVATION_FILE, JSON.stringify(record, null, 2));
+}
+function isActivated() {
+  try {
+    const data = JSON.parse(fs.readFileSync(ACTIVATION_FILE, "utf8"));
+    return data.signature === activationSignature(data.key || "", data.store || "");
+  } catch {
+    return false;
+  }
+}
+// POST the key to the gate; stream the binary to dest; resolve with the
+// server-provided SHA-256 (X-Checksum-Sha256, lower-case) or "". Rejects with
+// the gate's JSON error code (e.g. "invalid_key") or "HTTP <status>".
+function downloadFromGate(key, platform, dest) {
+  return new Promise((resolve, reject) => {
+    let u;
+    try {
+      u = new URL(GATE_URL);
+    } catch {
+      return reject(new Error("Invalid gate URL"));
+    }
+    if (u.protocol !== "https:") {
+      return reject(new Error(`Refusing non-HTTPS gate (${u.protocol})`));
+    }
+    if (!isTrustedHost(u.hostname)) {
+      return reject(new Error(`Refusing untrusted gate host: ${u.hostname}`));
+    }
+    const payload = JSON.stringify({ key, platform });
+    mkdirSync(dirname(dest), { recursive: true });
+    const tmp = dest + ".tmp";
+    const file = createWriteStream(tmp);
+    let settled = false;
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      try { file.destroy(); } catch {}
+      try { fs.unlinkSync(tmp); } catch {}
+      reject(err);
+    };
+    // A mid-download disk failure emits 'error' on the write stream; route it
+    // through fail() so the partial .tmp is cleaned up instead of crashing.
+    file.on("error", fail);
+    const req = https.request({
+      hostname: u.hostname,
+      port: u.port || 443,
+      path: u.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+        "User-Agent": "ShardStitch-Installer/1.0",
+        "Accept": "application/octet-stream",
+      },
+    }, (res) => {
+      // The gate returns the binary on 200 and a JSON error otherwise. It does
+      // not redirect; treat any non-200 as an error.
+      if (res.statusCode !== 200) {
+        let b = "";
+        res.on("data", (c) => (b += c));
+        res.on("end", () => {
+          let code = "";
+          try { code = JSON.parse(b).error || ""; } catch {}
+          fail(new Error(code || `HTTP ${res.statusCode}`));
+        });
+        res.on("error", fail);
+        return;
+      }
+      const checksum = (res.headers["x-checksum-sha256"] || "").toLowerCase();
+      const total = parseInt(res.headers["content-length"] || "0", 10);
+      let done = 0;
+      res.on("data", (chunk) => {
+        done += chunk.length;
+        if (done > MAX_DOWNLOAD_BYTES) {
+          res.destroy();
+          return fail(new Error("download exceeded size limit"));
+        }
+        // Honor backpressure so a fast gate + slow disk doesn't buffer in memory.
+        if (!file.write(chunk)) {
+          res.pause();
+          file.once("drain", () => res.resume());
+        }
+        if (total) {
+          process.stdout.write(`\r  Downloading... ${Math.floor(done * 100 / total)}%`);
+        }
+      });
+      res.on("end", () => {
+        file.end(() => {
+          if (settled) return;
+          if (total) process.stdout.write("\n");
+          try {
+            renameSync(tmp, dest);
+          } catch (e) {
+            return fail(e);
+          }
+          settled = true;
+          resolve(checksum);
+        });
+      });
+      res.on("error", fail);
+    });
+    req.setTimeout(120000, () => req.destroy(new Error("gate timeout")));
+    req.on("error", fail);
+    req.write(payload);
+    req.end();
+  });
+}
+function sha256File(path) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash("sha256");
+    const stream = fs.createReadStream(path);
+    stream.on("data", (chunk) => hash.update(chunk));
+    stream.on("end", () => resolve(hash.digest("hex")));
+    stream.on("error", reject);
+  });
+}
+async function cmdInstall(key) {
+  key = key.trim();
+  console.log();
+  console.log("  ShardStitch — verifying license key & downloading...");
+  console.log();
+  const exePath = join(INSTALL_DIR, EXE_NAME);
+  let checksumHeader = "";
+  try {
+    checksumHeader = await downloadFromGate(key, PLATFORM, exePath);
+  } catch (e) {
+    const msg = String((e && e.message) || e);
+    if (msg.includes("invalid_key") || msg.includes("key_not_granted") ||
+        msg.includes("key_expired") || msg.includes("no_customer") || msg.includes("403")) {
+      console.log("  ✗ License key not valid or not active.");
+      console.log("    Check for typos, or email support@shardstitch.com.");
+    } else if (msg.includes("no_file_for_platform") || msg.includes("404")) {
+      console.log(`  ✗ No ${PLATFORM} build is available for this license yet.`);
+      console.log("    Email support@shardstitch.com.");
+    } else if (msg.includes("missing_key") || msg.includes("bad_platform") || msg.includes("bad_request")) {
+      console.log("  ✗ The installer sent a bad request. Update and retry:");
+      console.log("    npm install -g shardstitch@latest");
+    } else if (msg.includes("_failed") || msg.includes("server_misconfigured") ||
+               msg.includes("gate timeout") || msg.includes("size limit") ||
+               msg.includes("500") || msg.includes("502")) {
+      console.log("  ✗ The download service is temporarily unavailable.");
+      console.log("    Try again in a few minutes, or email support@shardstitch.com.");
+    } else {
+      console.log(`  ✗ Download failed: ${msg}`);
+      console.log("    Try again in a moment, or email support@shardstitch.com.");
+    }
+    process.exit(1);
+  }
+  // Integrity — verify the bytes we wrote against the gate's checksum (Polar's
+  // real SHA-256) and, if present, the embedded registry anchor. Fails closed.
+  const allowUnverified = process.argv.includes("--allow-unverified");
+  try {
+    const actual = (await sha256File(exePath)).toLowerCase();
+    const embedded = (EMBEDDED_CHECKSUMS[PLATFORM] || "").toLowerCase();
+    const mismatch = (label, expected) => {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log("  ✗ Integrity check FAILED — the downloaded file does not match");
+      console.log(`    the ${label} checksum and was deleted. Do NOT run it.`);
+      console.log(`    expected ${expected}`);
+      console.log(`    actual   ${actual}`);
+      console.log("    Report this to support@shardstitch.com.");
+      process.exit(1);
+    };
+    let verified = false;
+    if (checksumHeader) {
+      if (actual !== checksumHeader) mismatch("server (Polar)", checksumHeader);
+      verified = true;
+    }
+    if (embedded) {
+      if (actual !== embedded) mismatch("published package", embedded);
+      verified = true;
+    }
+    if (!verified) {
+      throw new Error("the server did not provide a checksum to verify against");
+    }
+    console.log("  ✓ Integrity verified (SHA-256).");
+  } catch (e) {
+    if (!allowUnverified) {
+      try { fs.unlinkSync(exePath); } catch {}
+      console.log(`  ✗ Could not verify download integrity: ${e.message}`);
+      console.log("    Aborting for safety. Re-run with --allow-unverified to override");
+      console.log("    (not recommended), or contact support@shardstitch.com.");
+      process.exit(1);
+    }
+    console.log(`  ! Skipping integrity check (--allow-unverified): ${e.message}`);
+  }
+  if (PLATFORM !== "windows") chmodSync(exePath, 0o755);
+  saveActivation(key);
+  console.log(`  ✓ Installed to ${exePath}`);
+  console.log();
+  console.log("  Run `shardstitch` to launch the dashboard.");
+  console.log();
+}
+function cmdLaunch() {
+  const exe = findExe();
+  if (exe) {
+    console.log("  Starting ShardStitch...");
+    spawn(exe, [], { detached: true, stdio: "ignore" }).unref();
+    console.log("  Dashboard: http://127.0.0.1:8765");
+    process.exit(0);
+  }
+  console.log();
+  console.log("  ShardStitch — move your AI coding session between tools.");
+  console.log();
+  if (isActivated()) {
+    console.log("  App file not found. Re-run: shardstitch install <your-key>");
+  } else {
+    console.log("  Not installed. After purchase run:");
+    console.log("    shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get ShardStitch at: https://shardstitch.com");
+    console.log("  Launch week: $19 — lifetime license, zero cloud.");
+  }
+  console.log();
+  process.exit(1);
+}
+const args = process.argv.slice(2);
+if (args[0] === "install") {
+  if (!args[1]) {
+    console.log();
+    console.log("  Usage: shardstitch install <your-license-key>");
+    console.log();
+    console.log("  Get your key at: https://shardstitch.com");
+    console.log();
+    process.exit(1);
+  }
+  cmdInstall(args[1]).catch((e) => {
+    console.log("  ✗ Unexpected error:", e.message);
+    process.exit(1);
+  });
+} else {
+  cmdLaunch();
+}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "shardstitch",
-  "version": "0.0.9",
-  "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 22 AI tools supported. 100% local, zero telemetry. https://shardstitch.com",
+  "version": "0.0.11",
+  "description": "ShardStitch — capture your AI coding session (git diff, dependency graph, intent) and stitch it into the next tool. 23 AI tools supported. Local-first, no telemetry. https://shardstitch.com",
   "homepage": "https://shardstitch.com",
   "bugs": {
     "url": "https://github.com/shardstitch/shardstitch/issues"