* fix: V-001 security vulnerability Automated security fix generated by Orbis Security AI * feat(cli): add optional GitHub token support with proper UX and docs - Rename env var from GITHUB_TOKEN to UI_PRO_MAX_GITHUB_TOKEN (primary), with GITHUB_TOKEN as fallback — avoids silently attaching CI workflow credentials that GitHub Actions injects automatically - Add whitespace trim guard to prevent malformed Authorization headers - Add getGitHubTokenGuidance() helper exported from github.ts so rate-limit errors and spinner warnings tell users exactly how to fix the problem - Thread optional token param through fetchReleases, getLatestRelease, downloadRelease signatures - Add --token flag to init, versions, update commands (Commander.js wiring) - Update rate-limit catch in tryGitHubInstall to show token guidance - Document token options (flag, env var, fallback) in cli/README.md with CI warning about GITHUB_TOKEN scope Supersedes the narrower env-only approach in PR #294 and incorporates the safeguards requested during review of closed PR #186. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
uipro-cli
CLI to install UI/UX Pro Max skill for AI coding assistants.
Installation
npm install -g uipro-cli
Usage
# Install for specific AI assistant
uipro init --ai claude # Claude Code
uipro init --ai cursor # Cursor
uipro init --ai windsurf # Windsurf
uipro init --ai antigravity # Antigravity
uipro init --ai copilot # GitHub Copilot
uipro init --ai kiro # Kiro
uipro init --ai codex # Codex (Skills)
uipro init --ai roocode # Roo Code
uipro init --ai qoder # Qoder
uipro init --ai gemini # Gemini CLI
uipro init --ai trae # Trae
uipro init --ai opencode # OpenCode
uipro init --ai continue # Continue (Skills)
uipro init --ai all # All assistants
# Options
uipro init --offline # Skip GitHub download, use bundled assets only
uipro init --force # Overwrite existing files
# Other commands
uipro versions # List available versions
uipro update # Update to latest version
GitHub Authentication
GitHub's unauthenticated API allows 60 requests/hour per IP. If you hit rate limits, you can provide a GitHub Personal Access Token (PAT) to raise the limit to 5,000 requests/hour.
Options (in order of precedence):
# 1. Pass directly as a flag (one-off use)
uipro init --token ghp_yourtoken
uipro versions --token ghp_yourtoken
uipro update --token ghp_yourtoken
# 2. Set as a project-scoped environment variable (recommended)
export UI_PRO_MAX_GITHUB_TOKEN=ghp_yourtoken
uipro init
# 3. Fallback: GITHUB_TOKEN is also read if UI_PRO_MAX_GITHUB_TOKEN is not set
export GITHUB_TOKEN=ghp_yourtoken
uipro init
Creating a token: Go to https://github.com/settings/tokens, click Generate new token (classic), and select no scopes — public repo access requires no permissions. Copy the token and store it as an environment secret; never hardcode it in source files.
Warning:
GITHUB_TOKENis automatically injected by GitHub Actions with broad repo permissions. PreferUI_PRO_MAX_GITHUB_TOKENin CI to avoid accidentally attaching workflow credentials to release download requests.
How It Works
By default, uipro init tries to download the latest release from GitHub to ensure you get the most up-to-date version. If the download fails (network error, rate limit), it automatically falls back to the bundled assets included in the CLI package.
Use --offline to skip the GitHub download and use bundled assets directly.
Development
# Install dependencies
bun install
# Run locally
bun run src/index.ts --help
# Build
bun run build
# Link for local testing
bun link
License
CC-BY-NC-4.0