@api-doctor/cli 0.0.1 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,9 +1,45 @@
1
1
  {
2
2
  "name": "@api-doctor/cli",
3
- "version": "0.0.1",
4
- "description": "Oxlint-powered checks for AI-generated API integrations. Catch silent bugs before they ship.",
3
+ "version": "0.0.4",
4
+ "description": "Deterministic verification rules for AI-generated API integrations",
5
+ "keywords": [
6
+ "api",
7
+ "lint",
8
+ "oxlint",
9
+ "resend",
10
+ "supabase",
11
+ "ai",
12
+ "claude",
13
+ "cursor",
14
+ "codex",
15
+ "integration"
16
+ ],
17
+ "type": "module",
18
+ "private": false,
5
19
  "license": "MIT",
6
- "author": "Reuben Santoso",
20
+ "bin": {
21
+ "api-doctor": "dist/cli.mjs"
22
+ },
23
+ "main": "./dist/cli.cjs",
24
+ "module": "./dist/cli.mjs",
25
+ "exports": {
26
+ ".": {
27
+ "types": "./dist/cli.d.ts",
28
+ "import": "./dist/cli.mjs",
29
+ "require": "./dist/cli.cjs"
30
+ },
31
+ "./plugin": {
32
+ "types": "./dist/plugin.d.ts",
33
+ "import": "./dist/plugin.js",
34
+ "require": "./dist/plugin.js"
35
+ }
36
+ },
37
+ "files": [
38
+ "dist",
39
+ "skills",
40
+ "README.md",
41
+ "LICENSE.md"
42
+ ],
7
43
  "repository": {
8
44
  "type": "git",
9
45
  "url": "git+https://github.com/qualtyco/api-doctor.git"
@@ -12,15 +48,28 @@
12
48
  "bugs": {
13
49
  "url": "https://github.com/qualtyco/api-doctor/issues"
14
50
  },
15
- "keywords": [
16
- "api",
17
- "linter",
18
- "oxlint",
19
- "verification",
20
- "ai",
21
- "agent",
22
- "cursor",
23
- "claude-code",
24
- "static-analysis"
25
- ]
26
- }
51
+ "engines": {
52
+ "node": ">=18"
53
+ },
54
+ "scripts": {
55
+ "build": "tsup",
56
+ "dev": "tsup --watch",
57
+ "test": "vitest run",
58
+ "prepublishOnly": "npm run build"
59
+ },
60
+ "publishConfig": {
61
+ "access": "public"
62
+ },
63
+ "dependencies": {
64
+ "commander": "^13.1.0",
65
+ "picocolors": "^1.1.1"
66
+ },
67
+ "devDependencies": {
68
+ "@types/eslint": "^9.6.1",
69
+ "@types/node": "^22.13.10",
70
+ "oxlint": "^1.68.0",
71
+ "tsup": "^8.4.0",
72
+ "typescript": "^5.8.2",
73
+ "vitest": "^3.0.9"
74
+ }
75
+ }
@@ -0,0 +1,113 @@
1
+ ---
2
+ name: api-doctor
3
+ description: Check AI-generated API integration code for silent bugs before shipping. Use after writing or editing code that calls a third-party API SDK such as Resend or Supabase.
4
+ ---
5
+
6
+ # api-doctor
7
+
8
+ Run api-doctor after writing or editing code that calls a third-party API SDK
9
+ (Resend, Supabase, and more). It checks integration code for hardcoded keys,
10
+ missing webhook verification, unchecked `{ data, error }` Supabase mutations,
11
+ missing Realtime filters, and similar issues that compile fine but fail silently
12
+ in production.
13
+
14
+ Provider rule catalogs are listed in the [api-doctor GitHub repo](https://github.com/qualtyco/api-doctor/tree/main/src/providers) under `src/providers/<name>/README.md`.
15
+
16
+ ## Run a scan
17
+
18
+ ```bash
19
+ npx @api-doctor/cli .
20
+ ```
21
+
22
+ Findings are written to `.api-doctor/report.json`. Re-run after fixing issues
23
+ until all `error` findings are gone.
24
+
25
+ ## Read the report
26
+
27
+ Open `.api-doctor/report.json`. Key fields:
28
+
29
+ | Field | Meaning |
30
+ | --- | --- |
31
+ | `summary.score` | 0–100 health score |
32
+ | `summary.errors` / `warnings` / `info` | Counts by severity |
33
+ | `findings[]` | Actionable issues |
34
+
35
+ Each finding includes:
36
+
37
+ - `severity` — `error`, `warning`, or `info`
38
+ - `message` — what is wrong
39
+ - `fix` — what to change
40
+ - `location.file` / `location.line` — where to edit
41
+ - `docsUrl` — provider documentation (when available)
42
+ - `codeSnippet` — surrounding source lines
43
+
44
+ ## Fix findings — severity protocol
45
+
46
+ ### `error` (always fix)
47
+
48
+ Errors indicate real bugs: data leakage, missing auth, silent failures, security
49
+ holes. Fix all errors before considering the task done. Do not mark the task
50
+ complete while any `error` finding remains.
51
+
52
+ ### `warning` (judgment required — ask before restructuring)
53
+
54
+ Warnings indicate a real concern but may have legitimate exceptions. Before
55
+ fixing a warning, ask yourself:
56
+
57
+ **Is the fix a substantive change or a style change?**
58
+
59
+ - **Substantive** — the fix adds missing logic, changes behavior, prevents a
60
+ real failure mode (e.g. adding a missing idempotency key, adding an env var
61
+ check that didn't exist). Fix it without asking.
62
+
63
+ - **Style / restructuring** — the fix only reorganizes existing logic into a
64
+ different shape without changing behavior (e.g. splitting one compound
65
+ validation condition into multiple `if` blocks, reordering checks, renaming
66
+ variables). **Do not silently apply style changes.** Instead, summarize the
67
+ warning and ask the user:
68
+
69
+ > "api-doctor flagged [finding]. The fix would restructure [X] into [Y]. The
70
+ > logic is equivalent — this is a style preference, not a behavior change.
71
+ > Want me to apply it?"
72
+
73
+ Apply only if the user confirms.
74
+
75
+ This matters because api-doctor's AST detection sometimes can't parse certain
76
+ valid patterns (nested ternaries, complex conditionals), causing it to flag
77
+ correct code. Treat warnings as advisory, not as ground truth.
78
+
79
+ ### `info` (suggestions only)
80
+
81
+ Informational findings are low-priority suggestions. Read them, consider
82
+ whether they're relevant to this project, and address them only if they
83
+ genuinely improve the integration. Do not restructure code to clear `info`
84
+ findings without explicit user direction.
85
+
86
+ Never treat clearing all `info` findings as a task requirement.
87
+
88
+ ## Fix workflow
89
+
90
+ 1. Read `.api-doctor/report.json` in full before making any changes.
91
+ 2. Identify which findings are substantive vs. style.
92
+ 3. Fix all `error` findings.
93
+ 4. For each `warning`: apply substantive fixes; ask the user about style fixes.
94
+ 5. Re-run `npx @api-doctor/cli .` and confirm errors are resolved.
95
+ 6. If warnings remain after your fixes, explain which ones and why you left them.
96
+
97
+ Do not loop indefinitely trying to reach 100/100. A score of 85–100 with no
98
+ errors is a clean result. Residual warnings that would require style-only
99
+ changes are acceptable.
100
+
101
+ ## Interpreting score vs. findings
102
+
103
+ The score drops more steeply for errors than warnings. A codebase with zero
104
+ errors and two style-only warnings may score 88/100. That is a good result —
105
+ do not treat it as incomplete work that requires further changes.
106
+
107
+ ## Optional: markdown handoff
108
+
109
+ To paste findings into a chat or another agent:
110
+
111
+ ```bash
112
+ npx @api-doctor/cli . --format markdown > issues.md
113
+ ```