Add OSS essentials: README, LICENSE, CONTRIBUTING, and metadata

.gitignore

@@ -1,3 +1,23 @@
 node_modules/
 dist/
 .serena/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Editor
+*.swp
+*.swo
+*~
+.idea/
+.vscode/
+*.sublime-project
+*.sublime-workspace
+
+# Environment
+.env
+.env.local
+
+# Coverage
+coverage/

CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing to lgtmit
+
+Thanks for your interest in contributing!
+
+## Development setup
+
+```bash
+git clone https://github.com/mitsuru/lgtmit.git
+cd lgtmit
+npm install
+npm run build
+```
+
+## Scripts
+
+| Command | Description |
+|---|---|
+| `npm run build` | Compile TypeScript to `dist/` |
+| `npm run dev` | Watch mode for development |
+| `npm test` | Run unit tests |
+
+## Code style
+
+- TypeScript with strict mode
+- ESM (`"type": "module"`)
+- Zero external runtime dependencies — Node.js built-ins only
+- `.js` extensions in imports (required for ESM)
+
+## Pull requests
+
+1. Fork the repo and create a feature branch
+2. Make your changes
+3. Run `npm test` and `npx tsc --noEmit` to verify
+4. Submit a PR with a clear description of the change
+
+## Reporting bugs
+
+Open an issue on GitHub with:
+- What you expected to happen
+- What actually happened
+- Steps to reproduce

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mitsuru Hayasaka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,66 @@
+# lgtmit
+
+Make `curl | bash` installations safe with AI-powered script review.
+
+## What is this?
+
+`lgtmit` is a CLI stdout filter that sits between `curl` and `bash`, using Claude to review installation scripts before execution.
+
+```bash
+npx lgtmit -- curl https://example.com/install -fsS | bash
+```
+
+**Without lgtmit:** You blindly pipe remote scripts into your shell.
+
+**With lgtmit:** Claude reviews the script first. If it's safe, the script passes through. If not, a warning script with `exit 1` is output instead — so `bash` never runs anything dangerous.
+
+## How it works
+
+```
+user command → lgtmit fetches script → Claude reviews it
+  → safe:   original script → stdout → bash executes it
+  → unsafe: warning script (exit 1) → stdout → bash exits safely
+```
+
+All logs go to stderr. Only the script (or warning) goes to stdout. This keeps the pipe clean.
+
+## Install
+
+```bash
+npm install -g lgtmit
+```
+
+Requires [Claude Code](https://docs.anthropic.com/en/docs/claude-code) (`claude`) to be installed and authenticated.
+
+## Usage
+
+```bash
+# Review and execute an install script
+npx lgtmit -- curl https://example.com/install -fsS | bash
+
+# Dry-run: fetch and display the script without review
+npx lgtmit --dry-run -- curl https://example.com/install -fsS
+```
+
+### Options
+
+| Option | Description |
+|---|---|
+| `--dry-run` | Fetch and output script without review |
+| `--` | Separator between lgtmit options and the fetch command |
+
+## Requirements
+
+- Node.js 18+
+- [Claude Code](https://docs.anthropic.com/en/docs/claude-code) installed and authenticated
+
+## Design principles
+
+- **Fail-safe:** Any review failure (timeout, parse error, missing CLI) is treated as unsafe
+- **Zero external deps:** Node.js built-in modules only
+- **stdout/stderr separation:** stdout carries only the script; all logs go to stderr
+- **lgtmit always exits 0:** Never breaks the pipe — safety is communicated through the output script
+
+## License
+
+[MIT](LICENSE)

package.json

@@ -11,7 +11,30 @@
     "build": "tsc",
     "dev": "tsc --watch",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "curl",
+    "bash",
+    "script-review",
+    "ai",
+    "claude",
+    "cli",
+    "install-safety"
+  ],
+  "author": "Mitsuru Hayasaka",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mitsuru/lgtmit.git"
+  },
+  "homepage": "https://github.com/mitsuru/lgtmit",
+  "bugs": {
+    "url": "https://github.com/mitsuru/lgtmit/issues"
+  },
+  "engines": {
+    "node": ">=18"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",