feat: TUI visual overhaul, community files and demo animation (v1.4.0)

.github/instructions/release.instructions.md

@@ -0,0 +1,108 @@
+---
+applyTo: "**"
+excludeAgent: "code-review"
+---
+
+# Release — instructions for Copilot coding agent
+
+Follow these steps when cutting a new release of `github-code-search`.
+
+## 1. Determine the version bump
+
+This project follows [Semantic Versioning](https://semver.org/):
+
+| Change type                                    | Bump    | Example       |
+| ---------------------------------------------- | ------- | ------------- |
+| Bug fix only (no new behaviour, no API change) | `patch` | 1.2.4 → 1.2.5 |
+| New feature, backward-compatible               | `minor` | 1.2.4 → 1.3.0 |
+| Breaking change (CLI flag removed/renamed)     | `major` | 1.2.4 → 2.0.0 |
+
+## 2. Bump the version
+
+```bash
+bun pm version patch   # or minor / major
+```
+
+If the working tree is dirty (staged or unstaged changes), `bun pm version` will refuse. In that case bump directly in `package.json`, then commit the version bump as the first commit on the release branch.
+
+## 3. Write the blog post
+
+**Required for minor and major releases. Optional (but encouraged) for patch releases.**
+
+1. Create `docs/blog/release-v<X-Y-Z>.md` — use existing posts as format reference:
+   - `docs/blog/release-v1-3-0.md` (minor, feature-focused)
+   - `docs/blog/release-v1-4-0.md` (minor, TUI/community-focused)
+   - Front-matter: `title`, `description`, `date` (ISO 8601).
+   - Structure: `## Highlights` → one `###` section per major change group → `## Upgrade` at the bottom.
+   - The upgrade section must include the `github-code-search upgrade` command and a link to the GitHub Releases page.
+
+2. Update `docs/blog/index.md` — prepend a row to the `## v1 series` table:
+
+   ```markdown
+   | [vX.Y.Z](./release-vX-Y-Z) | One-line summary of highlights |
+   ```
+
+3. Update `CHANGELOG.md` — update (or add) the matching row in the table:
+   ```markdown
+   | [vX.Y.Z](https://fulll.github.io/github-code-search/blog/release-vX-Y-Z) | One-line summary |
+   ```
+   Never leave a row with `_pending_` in `CHANGELOG.md` when cutting the release.
+
+## 4. Create the release branch and commit
+
+```bash
+VERSION=$(jq -r .version package.json)
+git checkout -b release/$VERSION
+git add package.json docs/blog/release-v*.md docs/blog/index.md CHANGELOG.md
+git commit -S -m "v$VERSION"
+```
+
+> **All commits must be signed** — use `git commit -S` or `git config --global commit.gpgsign true`.
+
+## 5. Tag and push
+
+```bash
+VERSION=$(jq -r .version package.json)
+git tag v$VERSION
+git push origin release/$VERSION --tags
+```
+
+The tag push triggers **`cd.yaml`**:
+
+1. Builds self-contained binaries for all six targets.
+2. Creates a GitHub Release with all binaries attached.
+3. For major tags (`vX.0.0`): triggers `docs.yml` → docs snapshot + `versions.json` update.
+
+Do **not** create the GitHub Release manually — the CD pipeline handles it.
+
+## 6. Required validation before tagging
+
+```bash
+bun test               # full suite green
+bun run lint           # oxlint — zero errors
+bun run format:check   # oxfmt — no diff
+bun run knip           # no unused exports
+bun run build.ts       # binary compiles
+```
+
+## 7. Post-release checklist
+
+- [ ] GitHub Release created automatically by CD pipeline (verify within ~5 min after tag push)
+- [ ] Blog post live at `https://fulll.github.io/github-code-search/blog/release-vX-Y-Z`
+- [ ] `bun run docs:build` succeeds locally (spot-check the new blog entry)
+- [ ] `CHANGELOG.md` has no `_pending_` entries
+- [ ] For **major** releases: versioned docs snapshot available at `/github-code-search/vX/`
+
+## 8. Module map — what to document per release type
+
+| Changed area              | Cover in the blog post                                          |
+| ------------------------- | --------------------------------------------------------------- |
+| `src/tui.ts`              | UX / interaction changes (keyboard shortcuts, new modes)        |
+| `src/render/`             | Visual changes (colours, layout, new components)                |
+| `src/aggregate.ts`        | New filter or exclusion options                                 |
+| `src/group.ts`            | Team-grouping behaviour changes                                 |
+| `src/output.ts`           | New output formats or structural changes to existing ones       |
+| `src/api.ts`              | New GitHub API features, pagination changes, scope requirements |
+| `src/upgrade.ts`          | Upgrade command improvements                                    |
+| `github-code-search.ts`   | New CLI flags, subcommands, breaking option renames             |
+| Community / project files | SECURITY, CODE_OF_CONDUCT, CONTRIBUTING changes worth surfacing |

CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+Release notes and changelogs are published on the **[project blog](https://fulll.github.io/github-code-search/blog/)**.
+
+Each release entry covers the motivation, new features, breaking changes (if any), and upgrade notes.
+
+| Version                                                                  | Blog post                                            |
+| ------------------------------------------------------------------------ | ---------------------------------------------------- |
+| [v1.4.0](https://fulll.github.io/github-code-search/blog/release-v1-4-0) | TUI visual overhaul, community files, demo animation |
+| [v1.3.0](https://fulll.github.io/github-code-search/blog/release-v1-3-0) | Team-prefix grouping, replay command, JSON output    |
+| [v1.0.0](https://fulll.github.io/github-code-search/blog/release-v1-0-0) | Initial release                                      |
+
+> For the full list of commits between releases, see the
+> [GitHub Releases page](https://github.com/fulll/github-code-search/releases).

CODE_OF_CONDUCT.md

@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[admin@fulll.fr](mailto:admin@fulll.fr).
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

CONTRIBUTING.md

@@ -83,7 +83,8 @@ Compiled binaries require no runtime dependencies and can be distributed as a si
 - TypeScript throughout.
 - Pure functions wherever possible (makes unit testing straightforward).
 - Side-effectful code (CLI parsing, API calls, TTY interaction) is isolated in `github-code-search`, `src/api.ts`, and `src/tui.ts`.
-- No linter is configured yet; keep diffs small and consistent with the surrounding code.
+- Run `bun run lint` (oxlint) — must pass with zero errors before submitting.
+- Run `bun run format:check` (oxfmt) — auto-fix locally with `bun run format`.
 
 ## Submitting a pull request
 

README.md

@@ -10,10 +10,82 @@ keyboard-driven TUI, fine-grained extract selection, markdown/JSON output.
 
 → **Full documentation: https://fulll.github.io/github-code-search/**
 
+![Demo](demo/demo.gif)
+
 ## Quick start
 
 ```bash
 export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxx
 curl -fsSL https://raw.githubusercontent.com/fulll/github-code-search/main/install.sh | bash
 github-code-search query "TODO" --org my-org
 ```
+
+## Features
+
+- **Org-wide search** — queries all repositories in a GitHub organization in one command, with automatic pagination up to 1 000 results
+- **Per-repository aggregation** — results grouped by repo, not as a flat list; fold/unfold each repo to focus on what matters
+- **Keyboard-driven TUI** — navigate with arrow keys, toggle selections, filter by file path, confirm with Enter — without leaving the terminal
+- **Fine-grained selection** — pick exactly the repos and extracts you want; deselected items are recorded as exclusions in the replay command
+- **Structured output** — clean Markdown lists with GitHub links, or machine-readable JSON — ready to paste into docs, issues or scripts
+- **Team-prefix grouping** — group results by team prefix (e.g. `platform/`, `data/`) using `--group-by-team-prefix`
+- **Replay command** — every session produces a one-liner you can run in CI to reproduce the exact same selection without the UI
+- **Syntax highlighting** — code fragments rendered with language-aware coloring (TypeScript, Python, Go, Rust, YAML, JSON and more)
+
+## Use cases
+
+**Audit a dependency across the org**
+
+```bash
+github-code-search query "from 'lodash'" --org my-org
+```
+
+Instantly see every repo still importing lodash, select the ones to migrate, and get a Markdown checklist to paste in your migration issue.
+
+**Hunt down TODOs before a release**
+
+```bash
+github-code-search query "TODO" --org my-org --exclude-repositories sandbox,archived-repo
+```
+
+Surfaces all in-code TODOs, lets you triage interactively, and outputs a linked list for your release notes.
+
+**Verify a breaking-change rollout**
+
+```bash
+github-code-search query "oldApiClient" --org my-org --output-type repo-only --format json
+```
+
+Use JSON output in a CI script to assert that no repository still references the deprecated client after your migration deadline.
+
+**Security sweep — find hardcoded secret patterns**
+
+```bash
+github-code-search query "process.env.SECRET" --org my-org
+```
+
+Cross-repo scan for risky patterns; export results to Markdown to attach to a security audit report.
+
+**Onboarding — understand how an internal library is used**
+
+```bash
+github-code-search query "useFeatureFlag" --org my-org --group-by-team-prefix platform/
+```
+
+Get a team-scoped view of every usage site before refactoring a shared hook or utility.
+
+## Why not `gh search code`?
+
+The official [`gh` CLI](https://cli.github.com/) does support `gh search code`, but it returns a **flat paginated list** — one result per line, no grouping, no interactive selection, no structured output.
+
+|                                            | `gh search code` | `github-code-search` |
+| ------------------------------------------ | :--------------: | :------------------: |
+| Results grouped by repo                    |        ✗         |          ✓           |
+| Interactive TUI (navigate, select, filter) |        ✗         |          ✓           |
+| Fine-grained extract selection             |        ✗         |          ✓           |
+| Markdown / JSON output                     |        ✗         |          ✓           |
+| Replay / CI command                        |        ✗         |          ✓           |
+| Team-prefix grouping                       |        ✗         |          ✓           |
+| Syntax highlighting in terminal            |        ✗         |          ✓           |
+| Pagination (up to 1 000 results)           |        ✓         |          ✓           |
+
+`github-code-search` is purpose-built for **org-wide code audits and interactive triage** — not just a search wrapper.

SECURITY.md

@@ -0,0 +1,34 @@
+## Security
+
+We take the security of our software products and components seriously, which includes all source code repositories managed through our [Fulll's GitHub organization](https://github.com/fulll).
+
+If you believe you have found a security vulnerability in any Fulll's repository that meets Wikipedia's definition of a security vulnerability ([English version](<https://en.wikipedia.org/wiki/Vulnerability_(computing)>), [French version](<https://fr.wikipedia.org/wiki/Vuln%C3%A9rabilit%C3%A9_(informatique)>)), please report it to us as described below.
+
+## Reporting security vulnerabilities
+
+:warning: **Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, **please report them by email** to [rssi@fulll.fr](mailto:rssi@fulll.fr).
+
+You should receive a response as soon as possible. If for some reason you do not, please follow up via email to our [Administrator Team](mailto:admin@fulll.fr) to ensure we received your original message.
+
+For private repositories, you can also send an email or directly use the dedicated issue template for security vulnerability.
+
+:bulb: In any case, please include the requested information listed below (**as much as you can provide**) to help us better understand the nature and scope of the possible issue:
+
+- Type of issue (e.g. Denial of service, Elevation of privilege, Information disclosure, Remote Code Execution, Security feature bypass, buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Step-by-step instructions to reproduce the issue, including any special configuration required to reproduce
+- (if possible) Proof-of-concept or exploit code
+- Description and Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English, but if you are not comfortable, French is acceptable too.
+
+## Policy
+
+Fulll follows the principle of [Microsoft's Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).