@ydecide/cli
v0.2.6
Published
yDecide CLI - interact with decisions from the command line
Readme
yDecide CLI & MCP Server
@ydecide/cli — interact with yDecide decisions from the command line, and an
MCP server that exposes the same operations to AI agents.
⚠️ PRIVATE ALPHA — access is gated by login, not by the package
The CLI package is published on npm so testers can install it easily, but yDecide itself is in a closed private alpha. The package is useless without an account on the alpha server.
- This release connects to the yDecide alpha (dev) environment. It is a development backend, not production.
- Do not put important data into the app yet. Alpha data may be reset, migrated, or wiped without notice. Treat everything you create as throwaway until general availability.
- The server is the gate. Every command authenticates against the yDecide backend (
ydecide auth login). Without an account that the yDecide team has granted, the CLI can do nothing beyond--help. Installing the package does not grant access.- The code is proprietary (
license: UNLICENSED).- No uptime, data-retention, or backwards-compatibility guarantees apply during alpha.
What's in the box
ydecide— oclif-based CLI (bin/run.js) for decisions, alternatives, criteria, AHP pairwise/scores, Pros & Cons, collaborators, tags, sharing.ydecide-mcp— MCP server (bin/mcp.js) over stdio, HTTP, or OAuth-gated HTTP, exposing the same operations as MCP tools for AI agents.
Install (alpha testers)
npm install -g @ydecide/cli
ydecide auth login # requires an account granted by the yDecide teamYou will only be able to do anything once the team has provisioned your account on the alpha server. Until then, login will fail.
Build & packaging
The distributed CLI must ship obfuscated JavaScript only — no TypeScript
source, no .d.ts, and no source maps (the repo's root tsconfig enables
inlineSourceMap, which would otherwise embed the full TS source as base64 in
every .js).
| Command | Use | Output |
|---------|-----|--------|
| pnpm build | local dev / quick compile | readable JS, no env baked in (falls back to localhost). Not for distribution. |
| pnpm build:publish | release build | audit gate → inject env → tsc → terser --compress --mangle --comments false → restore env. Mangled JS, no source maps, env baked in. |
⚠️ Do NOT use a bare
npm pack/pnpm packfor distribution. The repo's.npmrcsetsignore-scripts=true(a supply-chain safeguard), which skips theprepackhook — so a bare pack ships a plain, un-injected build (empty Supabase key → users hitError: supabaseKey is requiredatauth login). Always build first, then pack with scripts disabled:
# make a distributable tarball (local testing / hand-off):
pnpm build:publish
npm pack --ignore-scripts # dist is already the correct injected+obfuscated buildTo verify a tarball before distributing:
tar -xzf ydecide-cli-*.tgz -C /tmp/verify
tar -tzf ydecide-cli-*.tgz | grep -E '\.ts$|\.map$|\.sql$|\.d\.ts' # must be empty
grep -rl sourceMappingURL /tmp/verify/package --include='*.js' # must be empty
wc -l /tmp/verify/package/dist/mcp/tools.js # ~1 line = mangled
# supabase URL + key actually baked in:
grep -oE "https://[a-z0-9-]+\.supabase\.co" /tmp/verify/package/dist/lib/supabase.js
grep -oE "eyJ[A-Za-z0-9_.-]{50,}|sb_publishable_[A-Za-z0-9]+" /tmp/verify/package/dist/lib/supabase.js | head -1Publishing to npm
The package is published publicly as @ydecide/cli (scoped packages need
publishConfig.access = "public", already set). The package is public for easy
install; access to yDecide is gated entirely by the server login, not by the
package.
One-time setup:
- Create the
@ydecideorg on npmjs.com (the@ydecidescope must exist and you must own it before you can publish@ydecide/*). npm loginas a member of that org.
Each release (from apps/cli, bump the version first if needed):
pnpm publish:npm # build:publish (audit+inject+obfuscate) -> sbom -> npm publish --ignore-scripts --access publicBecause .npmrc has ignore-scripts=true, do not rely on npm publish
firing prepack. The publish:npm script runs the obfuscated/injected build
explicitly first, then publishes with --ignore-scripts, so what ships is
always the correct artifact regardless of the .npmrc setting.
Build-time env (.env.build)
build:publish bakes YDECIDE_SUPABASE_URL / YDECIDE_SUPABASE_ANON_KEY into
the CLI so end users don't need to set env vars. Copy .env.build.example to
.env.build and fill in the alpha project's URL + anon key (the anon key is
public-safe by design; never put a service-role key here). .env.build is
git-ignored.
License & source
Proprietary — all rights reserved. license: UNLICENSED (npm's value for
closed-source packages: you may not use, copy, modify, or distribute this
software without permission). The npm package is published publicly for ease of
install, but the source is not open: it is built from the private yDecide
monorepo and shipped obfuscated, and there is no public source repository for
the CLI.
Organisation: https://github.com/yDecide
For access, issues, or questions during the alpha, contact the yDecide team.
