threadlines 0.1.41 → 0.2.3

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2024 Threadlines
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -1,4 +1,4 @@
-# threadlines
+# Threadline
 
 Threadline CLI - AI-powered linter based on your natural language documentation.
 
@@ -14,13 +14,13 @@ Getting teams to follow consistent quality standards is **hard**. Really hard.
 
 ### What Makes Threadline Different?
 
-- **🎯 Focused Reviews** - Instead of one AI trying to check everything, Threadline runs multiple specialized AI reviewers in parallel. Each threadline focuses on one thing and does it well.
+- **Focused Reviews** - Instead of one AI trying to check everything, Threadline runs multiple specialized AI reviewers in parallel. Each threadline focuses on one thing and does it well.
 
-- **📝 Documentation That Lives With Your Code** - Your coding standards live in your repo, in a `/threadlines` folder. They're version-controlled, reviewable, and always in sync with your codebase.
+- **Documentation That Lives With Your Code** - Your coding standards live in your repo, in a `/threadlines` folder. They're version-controlled, reviewable, and always in sync with your codebase.
 
-- **🔍 Fully Auditable** - Every AI review decision is logged and traceable. You can see exactly what was checked, why it passed or failed, and have confidence in the results.
+- **Fully Auditable** - Every AI review decision is logged and traceable. You can see exactly what was checked, why it passed or failed, and have confidence in the results.
 
-- **⚡ Fast & Parallel** - Multiple threadlines run simultaneously, so you get comprehensive feedback in seconds, not minutes.
+- **Fast & Parallel** - Multiple threadlines run simultaneously, so you get comprehensive feedback in seconds, not minutes.
 
 ## Installation
 
@@ -48,19 +48,6 @@ npx --yes threadlines check
 
 The `--yes` flag auto-confirms package installation, preventing prompts that block automation.
 
-### Option 3: Local Project Dependency (Recommended for Teams)
-
-```bash
-npm install --save-dev threadlines
-```
-
-Then use:
-```bash
-npx threadlines check
-```
-
-This ensures everyone on your team uses the same version.
-
 ## Quick Start
 
 ### 1. Initialize Your First Threadline
@@ -95,26 +82,6 @@ Edit `threadlines/example.md` with your coding standards, then rename it to some
 ```bash
 npx threadlines check
 ```
-
-## Usage
-
-### Initialize Threadline Template
-
-```bash
-threadlines init
-```
-
-Creates a template threadline file to get you started. The command will:
-- Create the `/threadlines` directory if it doesn't exist
-- Generate `threadlines/example.md` with boilerplate content
-- Display instructions for API key configuration
-
-### Check Code Against Threadlines
-
-```bash
-threadlines check
-```
-
 By default, analyzes your staged/unstaged git changes against all threadlines in the `/threadlines` directory.
 
 **Common Use Cases:**
@@ -164,11 +131,15 @@ threadlines check --full
 
 ### Environment Variables
 
-- `THREADLINE_API_KEY` - **Required.** Your Threadline API key for authentication
-  - Can be set in `.env.local` file (recommended for local development)
-  - Or as an environment variable (required for CI/CD)
-- `THREADLINE_API_URL` - Server URL (default: http://localhost:3000)
-  - Can also be set with `--api-url` flag: `npx threadlines check --api-url http://your-server.com`
+| Variable | Purpose | Required |
+|----------|---------|----------|
+| `THREADLINE_API_KEY` | Authentication with Threadlines API | Yes |
+| `THREADLINE_ACCOUNT` | Your Threadlines account email | Yes |
+| `THREADLINE_API_URL` | Custom API endpoint (default: https://devthreadline.com) | No |
+
+Both required variables can be set in a `.env.local` file (recommended for local development) or as environment variables (required for CI/CD).
+
+The optional `THREADLINE_API_URL` allows you to point to a custom server if you want to intercept telemetry with your own endpoint. It can also be set with the `--api-url` flag.
 
 ## Threadline Files
 

package/SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy
+
+## Environment Variables
+
+The Threadlines CLI reads the following environment variables:
+
+| Variable | Purpose | Required |
+|----------|---------|----------|
+| `THREADLINE_API_KEY` | Authentication with Threadlines API | Yes |
+| `THREADLINE_ACCOUNT` | Your Threadlines account email | Yes |
+| `THREADLINE_API_URL` | Custom API endpoint (default: https://devthreadline.com) | No |
+
+### What We Do NOT Read
+
+This CLI does **not** access, read, or transmit any other environment variables. We do not:
+
+- Enumerate `process.env` to discover other secrets
+- Read AWS, GCP, or other cloud credentials
+- Access database connection strings
+- Read any secrets beyond what's documented above
+
+## Data Transmission
+
+The CLI sends the following data to the Threadlines API:
+
+1. **Git diff content** - The code changes being analyzed
+2. **Threadline definitions** - Your markdown files from `/threadlines`
+3. **Metadata** - Repository name, branch, commit SHA, context files specified in your threadline definitions
+
+We do **not** send:
+- Your entire codebase
+- Environment variables or secrets
+
+## Auditing This Package
+
+To verify the published npm package matches this source:
+
+```bash
+# Compare published package to source
+npm pack threadlines
+tar -xzf threadlines-*.tgz
+diff -r package/dist dist/  # After building locally
+```
+
+All releases are published via GitHub Actions with npm provenance attestation,
+which cryptographically links each npm package to its source commit.
+

package/dist/commands/check.js

@@ -46,7 +46,7 @@ const github_1 = require("../git/github");
 const gitlab_1 = require("../git/gitlab");
 const vercel_1 = require("../git/vercel");
 const local_1 = require("../git/local");
-const git_diff_executor_1 = require("../utils/git-diff-executor");
+const diff_1 = require("../git/diff");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const chalk_1 = __importDefault(require("chalk"));
@@ -122,7 +122,6 @@ async function checkCommand(options) {
         }
         // 2. Detect environment and context
         const environment = (0, environment_1.detectEnvironment)();
-        let context;
         let gitDiff;
         let repoName;
         let branchName;
@@ -138,25 +137,18 @@ async function checkCommand(options) {
         if (options.file) {
             console.log(chalk_1.default.gray(`📝 Reading file: ${options.file}...`));
             gitDiff = await (0, file_1.getFileContent)(repoRoot, options.file);
-            context = { type: 'local' }; // File context doesn't need git context
-            // For file/folder/files, repo/branch are not available - skip them
         }
         else if (options.folder) {
             console.log(chalk_1.default.gray(`📝 Reading folder: ${options.folder}...`));
             gitDiff = await (0, file_1.getFolderContent)(repoRoot, options.folder);
-            context = { type: 'local' };
-            // For file/folder/files, repo/branch are not available - skip them
         }
         else if (options.files && options.files.length > 0) {
             console.log(chalk_1.default.gray(`📝 Reading ${options.files.length} file(s)...`));
             gitDiff = await (0, file_1.getMultipleFilesContent)(repoRoot, options.files);
-            context = { type: 'local' };
-            // For file/folder/files, repo/branch are not available - skip them
         }
         else if (options.branch) {
             console.log(chalk_1.default.gray(`📝 Collecting git changes for branch: ${options.branch}...`));
-            context = { type: 'branch', branchName: options.branch };
-            gitDiff = await (0, git_diff_executor_1.getDiffForContext)(context, repoRoot, environment);
+            gitDiff = await (0, diff_1.getBranchDiff)(repoRoot, options.branch);
             // Get repo/branch using environment-specific approach
             if (environment === 'github') {
                 const gitContext = await (0, github_1.getGitHubContext)(repoRoot);
@@ -207,8 +199,7 @@ async function checkCommand(options) {
         }
         else if (options.commit) {
             console.log(chalk_1.default.gray(`📝 Collecting git changes for commit: ${options.commit}...`));
-            context = { type: 'commit', commitSha: options.commit };
-            gitDiff = await (0, git_diff_executor_1.getDiffForContext)(context, repoRoot, environment);
+            gitDiff = await (0, diff_1.getCommitDiff)(repoRoot, options.commit);
             // Get repo/branch using environment-specific approach
             if (environment === 'github') {
                 const gitContext = await (0, github_1.getGitHubContext)(repoRoot);
@@ -283,7 +274,6 @@ async function checkCommand(options) {
             gitDiff = envContext.diff;
             repoName = envContext.repoName;
             branchName = envContext.branchName;
-            context = envContext.context;
             // Use metadata from environment context
             metadata = {
                 commitSha: envContext.commitSha,
@@ -294,9 +284,8 @@ async function checkCommand(options) {
             };
         }
         if (gitDiff.changedFiles.length === 0) {
-            console.error(chalk_1.default.red('❌ Error: No changes detected.'));
-            console.error(chalk_1.default.red('   Threadline check requires code changes to analyze.'));
-            process.exit(1);
+            console.error(chalk_1.default.bold('ℹ️ No changes detected.'));
+            process.exit(0);
         }
         // Check for zero diff (files changed but no actual code changes)
         if (!gitDiff.diff || gitDiff.diff.trim() === '') {

package/dist/utils/git-diff-executor.js

@@ -7,9 +7,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getDiffForEnvironment = getDiffForEnvironment;
-exports.getDiffForContext = getDiffForContext;
 exports.getContextDescription = getContextDescription;
-const diff_1 = require("../git/diff");
 const vercel_diff_1 = require("../git/vercel-diff");
 const github_diff_1 = require("../git/github-diff");
 const local_diff_1 = require("../git/local-diff");
@@ -45,36 +43,6 @@ async function getDiffForEnvironment(environment, repoRoot, _context) {
             throw new Error(`Unknown environment: ${_exhaustive}`);
     }
 }
-/**
- * Legacy GitLab-specific diff function (deprecated).
- *
- * This function is kept for backward compatibility but should not be used.
- * GitLab now uses getDiffForEnvironment() which routes to getGitLabDiff().
- *
- * @deprecated Use getDiffForEnvironment('gitlab', repoRoot) instead
- */
-async function getDiffForContext(context, repoRoot, environment) {
-    // This should only be called for GitLab legacy code paths
-    if (environment !== 'gitlab') {
-        throw new Error(`getDiffForContext() is deprecated. Use getDiffForEnvironment('${environment}', repoRoot) instead.`);
-    }
-    switch (context.type) {
-        case 'pr':
-            return await (0, diff_1.getPRMRDiff)(repoRoot, context.sourceBranch, context.targetBranch);
-        case 'mr':
-            return await (0, diff_1.getPRMRDiff)(repoRoot, context.sourceBranch, context.targetBranch);
-        case 'branch':
-            return await (0, diff_1.getBranchDiff)(repoRoot, context.branchName);
-        case 'commit':
-            return await (0, diff_1.getCommitDiff)(repoRoot, context.commitSha);
-        case 'local':
-            throw new Error('Local context should use getDiffForEnvironment(), not getDiffForContext()');
-        default:
-            // TypeScript exhaustiveness check - should never reach here
-            const _exhaustive = context;
-            throw new Error(`Unknown context type: ${_exhaustive}`);
-    }
-}
 /**
  * Returns a human-readable description of the context for logging.
  */

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "threadlines",
-  "version": "0.1.41",
-  "description": "Threadline CLI - AI-powered linter based on your natural language documentation",
+  "version": "0.2.3",
+  "description": "Threadlines CLI - AI-powered linter based on your natural language documentation",
   "main": "dist/index.js",
   "bin": {
     "threadline": "./bin/threadline"
@@ -9,7 +9,9 @@
   "files": [
     "dist",
     "bin",
-    "README.md"
+    "README.md",
+    "LICENSE",
+    "SECURITY.md"
   ],
   "keywords": [
     "code-quality",
@@ -17,15 +19,20 @@
     "ai",
     "code-review",
     "threadline",
-    "code-standards"
+    "code-standards",
+    "documentation",
+    "llm"
   ],
-  "author": "",
+  "author": "Threadlines",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/ngrootscholten/threadline.git",
-    "directory": "packages/cli"
+    "url": "git+https://github.com/ngrootscholten/threadline-cli.git"
   },
+  "bugs": {
+    "url": "https://github.com/ngrootscholten/threadline-cli/issues"
+  },
+  "homepage": "https://devthreadline.com/",
   "scripts": {
     "build": "npm run check && tsc",
     "dev": "tsc --watch",
@@ -34,10 +41,10 @@
     "lint": "eslint src/**/*.ts",
     "lint:fix": "eslint src/**/*.ts --fix",
     "typecheck": "tsc --noEmit",
-    "check": "npm run lint && npm run typecheck",
-    "threadlines": "npx -y threadlines check",
-    "threadlines:local": "npx -y threadlines check || exit 0",
-    "check:all": "npm run check && npm run threadlines"
+    "check": "npm run lint && npm run typecheck"
+  },
+  "engines": {
+    "node": ">=18.0.0"
   },
   "dependencies": {
     "axios": "^1.7.9",

package/dist/utils/ci-detection.js

@@ -1,52 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAutoReviewTarget = getAutoReviewTarget;
-function getAutoReviewTarget() {
-    // 1. PR/MR context
-    if (process.env.GITHUB_EVENT_NAME === 'pull_request') {
-        const targetBranch = process.env.GITHUB_BASE_REF;
-        const sourceBranch = process.env.GITHUB_HEAD_REF;
-        const prNumber = process.env.GITHUB_EVENT_PULL_REQUEST_NUMBER || process.env.GITHUB_EVENT_NUMBER;
-        // Log PR detection for verification (remove after confirming it works)
-        console.log(`[PR Detection] GITHUB_BASE_REF=${targetBranch || 'NOT SET'}, GITHUB_HEAD_REF=${sourceBranch || 'NOT SET'}, PR_NUMBER=${prNumber || 'NOT SET'}`);
-        if (targetBranch && sourceBranch && prNumber) {
-            return {
-                type: 'pr',
-                value: prNumber,
-                sourceBranch,
-                targetBranch
-            };
-        }
-    }
-    if (process.env.CI_MERGE_REQUEST_IID) {
-        const targetBranch = process.env.CI_MERGE_REQUEST_TARGET_BRANCH_NAME;
-        const sourceBranch = process.env.CI_MERGE_REQUEST_SOURCE_BRANCH_NAME;
-        const mrNumber = process.env.CI_MERGE_REQUEST_IID;
-        const mrTitle = process.env.CI_MERGE_REQUEST_TITLE;
-        if (targetBranch && sourceBranch && mrNumber) {
-            return {
-                type: 'mr',
-                value: mrNumber,
-                sourceBranch,
-                targetBranch,
-                prTitle: mrTitle || undefined
-            };
-        }
-    }
-    // 2. Branch name
-    const branch = process.env.GITHUB_REF_NAME ||
-        process.env.CI_COMMIT_REF_NAME ||
-        process.env.VERCEL_GIT_COMMIT_REF;
-    if (branch) {
-        return { type: 'branch', value: branch };
-    }
-    // 3. Commit SHA
-    const commit = process.env.GITHUB_SHA ||
-        process.env.CI_COMMIT_SHA ||
-        process.env.VERCEL_GIT_COMMIT_SHA;
-    if (commit) {
-        return { type: 'commit', value: commit };
-    }
-    // 4. Local development
-    return null;
-}