@stupify/cli 0.0.15 → 0.1.0

package/.review/CORPUS.md

@@ -0,0 +1,73 @@
+# Good-code reference — YOUR curated exemplars (template)
+
+> This is a template. **Replace it with 3–6 files from your own codebase that you'd point a new hire at** —
+> the code you wish all your code looked like. The reviewer treats these as the standard and measures every
+> diff against them. Taste can't be auto-extracted: hand-pick these, and say *why* each is good. A vague
+> corpus produces vague reviews; a sharp one produces sharp ones.
+
+How to write an entry:
+- **Name the file** (a real path in this repo) and **one sentence on what makes it good** — the principle it
+  embodies (e.g. "complexity tamed by decomposition", "type makes illegal states unrepresentable",
+  "fail-fast at the boundary"). The reviewer opens the live file; the excerpt just shows the shape.
+- Keep a short code excerpt that captures the pattern. The point is the *principle*, not the lines.
+- Group loosely (e.g. "complex but readable", "clean service boundary") so the reviewer can cite the right one.
+
+Pick principles you actually care about. Common ones worth encoding:
+**dependency injection** (collaborators injected, never `new`d inline; config read only at a composition root),
+**type-system-first invariants** (`satisfies`, discriminated unions, schemas at boundaries — illegal states
+hard to represent), **fail fast and loud** (no silent fallback), **small single-responsibility units**,
+**declarative over imperative**, **readable signatures** (≤3 positional params → options object).
+
+---
+
+## A. Complex, kept readable
+
+### 1. `src/path/to/your-exemplar.ts` — one line on why it's good
+`src/path/to/your-exemplar.ts`
+
+Say what makes it the standard — e.g. the complexity (optimistic UI, retries, sync) is tamed by decomposition:
+the orchestrator only *coordinates*; every concern is a small focused unit, and every operation is the same
+shape, so N of them read like one.
+
+```ts
+// a short excerpt that shows the pattern — the shape, not the whole file
+export function handle(input: Input): Result {
+  const state = read()
+  const ops = compute(state, input)   // pure
+  return apply(ops)                   // effectful shell
+}
+```
+
+### 2. `src/path/to/another.ts` — composition + named pieces
+`src/path/to/another.ts`
+
+e.g. pure composition — each piece a named small component, conditions become named type-guards, not inline
+boolean soup.
+
+```ts
+function hasMeasuredWidth(width: number | undefined): width is number {
+  return width !== undefined && width > 0
+}
+```
+
+---
+
+## B. Clean boundary / DI
+
+### `src/path/to/service.ts` — injected collaborator + composition-root factory
+`src/path/to/service.ts`
+
+e.g. constructor injection — the collaborator is never `new`d inline; a small factory is the composition root;
+the method parses input at the boundary, logs with structured context, and **fails loud** (catch → log → rethrow).
+
+```ts
+export function createService() {
+  const scope = container.createChildContainer()
+  scope.register(CLIENT, { useValue: makeClient() })
+  return scope.resolve(Service)
+}
+```
+
+---
+
+> Add a "Fine — do NOT flag" set of your own here too, if there are patterns reviewers keep wrongly dinging.

package/.review/REVIEW-PROMPT.md

@@ -0,0 +1,52 @@
+# Review spec — corpus-grounded, anti-slop, with a personality
+
+You are reviewing a code diff for this repo. You're running in the repo with `gh` / `git` / file access and
+your own model — no API key needed. Run these steps:
+
+1. Read `RUBRIC.md` (the anti-slop rubric + finding taxonomy) and `CORPUS.md` (this team's curated "good code"
+   — the primitives it actually uses). Treat the corpus as the standard. Open the live files it points at.
+2. Get the diff for the target PR.
+3. Review every changed code file (skip lockfiles, generated/snapshot files, pure deletions). Catch BOTH
+   kinds from the rubric — the "just wrong" (bug / type-lie / dead-code / footgun) and the "taste / reuse"
+   (reinvents-primitive / slop). "Slop" is code RELATIVE to the simpler or already-existing way: does it
+   reinvent a corpus primitive, or is it bigger / more abstract / more speculative than the corpus pattern for
+   the same job? When you cite a fix, name the actual corpus file/primitive it should use.
+4. Format the review per the **Comment format** below. Report everything incl. low-confidence; don't self-filter.
+5. Post it with the `gh pr comment` command you were given (write the comment to the file, then post).
+
+## Prior reviews on this PR (your memory)
+
+If the runner hands you a **"Prior reviews on this PR"** block, it's the existing review conversation — your
+past reviews and the author's replies. You are CONTINUING that thread, not starting fresh. Treat it as memory:
+
+- **Don't re-raise what's settled.** If you already flagged something and it's now fixed, or the author
+  **declined it with a reason**, do not raise it again — unless the diff brings new evidence that actually
+  rebuts their reason. Re-litigating a reasoned decline is noise (and the fastest way to be ignored).
+- **Report only what's new.** Surface issues introduced since your last review, or ones you genuinely missed.
+  Do not manufacture marginal findings just to have something to say — a nit you wouldn't have raised on
+  round one doesn't become worth raising on round six.
+- **Converge — knowing when to stop is part of the job.** If there are no new issues and the prior ones are
+  addressed or reasonably declined, do NOT write a review. Post exactly this line and nothing else:
+  `no new blocking issues — prior items addressed ✅`
+
+(No prior-reviews block = this is the first review of this PR; ignore this section.)
+
+## Comment format (GitHub markdown — warm + scannable)
+
+- **Opening line — write it yourself: direct, genuinely silly, honest.** ONE short, lowercase-casual line —
+  goofy human noises, drawn-out exclamations, mild swears, the way someone reacts while scrolling code:
+  "uhhhh ummm", "shieeeeet", "oof", "ohhh boy", "ok so… yeah". NOT corporate, NOT clever-witty, NOT a linter
+  header, no praise-padding. Be a little dumb on purpose, then get to what you found. Vary it every run:
+  - nothing wrong → `yep. clean. no notes 🎉` and **stop** (no blocks).
+  - a few small things → `uhhhh ummm a couple things 👇`  ·  `shieeeeet, found some stuff:`  ·  `ok so. some stuff:`
+  - something real → `oh no. ok there's a real one in here:`  ·  `oof, yeah this'll break:`
+  Then a blank line. (Tune this register to your taste — or delete it for a dry tone.)
+- **Each finding** worst-first, as a 3-line block with a blank line between blocks:
+  - line 1: `<emoji> **`path:line`** · <kind> · conf <0–1>`
+  - line 2: what's wrong and why (1–2 sentences, plain — describe the code, don't scold)
+  - line 3: `**→ Fix:** <corpus primitive to reuse, or the correct approach> (`<reference file>`)`
+- Severity emoji: 🔴 high · 🟠 med · 🟡 low.
+- Close with a quiet attribution on its own line so it's clearly the auto-reviewer, not a person:
+  `_— stupify, against the good-code corpus_`
+- No tables, no nested bullets, no preamble before the opener. End the comment with the exact hidden marker
+  line you were given.

package/.review/RUBRIC.md

@@ -0,0 +1,46 @@
+# Anti-slop rubric — the single source of truth for taste
+
+This is what the reviewer judges against, alongside `CORPUS.md`. Edit it to match your team. A reviewer
+catches two kinds of problem. Tag every finding with its `kind`.
+
+## Just wrong — flag regardless of the corpus
+- `kind: bug` — correctness bugs; off-by-one; broken null/empty handling; wrong condition.
+- `kind: type-lie` — a type/annotation that does not match what the code actually returns
+  (e.g. annotated `T | null` but every path returns a non-null value cast to `T`).
+- `kind: dead-code` — unreachable or dead branches; a declared-and-unused const/import/function.
+- `kind: footgun` — swallowed errors / catch-and-continue with no owned degraded state; silent fallbacks;
+  test-only special-casing (`NODE_ENV === 'test'`, env-name string checks) leaking into production code.
+
+## Taste / reuse — relative to the corpus and the simpler way
+- `kind: reinvents-primitive` — a NEW abstraction/layer/wrapper/facade/shim/fallback-reader when a corpus
+  primitive already does it (name the primitive). Or hand-rolling what a corpus file does.
+- `kind: slop` — bigger / more abstract / more speculative than the corpus pattern for the same job:
+  - speculative `unknown` in hand-authored types; `TResult = unknown` generic defaults;
+    `z.unknown()` / `z.array(z.unknown())`
+  - generic-parameter explosion on a call site that is not actually reused generically
+  - `let best*/latest*` imperative argmax/latest accumulator loops
+  - throwaway one-call helpers, or wrapper functions that add no value — a pure pass-through to another fn
+    with the same signature; inline it / call the inner directly
+  - a defensive `?.` / `??` fallback on a value the type or schema already guarantees — e.g. `x?.foo ?? x.y.foo`
+    when `x` is required (or should be). Drop the optional chain and the fallback (it's `x.foo`); if `x` is
+    wrongly optional, fix the schema/type, don't paper over it at the call site
+  - denormalized parallel constants or hardcoded membership lists (derive a Set/Record from ONE `as const` array)
+  - speculative config seams / unused `mode` switches / injectable-override defaults nothing needs yet
+  - additive churn on a cleanup; code that "looks productive" over the minimal change
+
+## Fine — do NOT flag
+- `unknown` at a real parse boundary fed into a normalizer; `Record<string, unknown>` context bags
+- Set/Map-building or dedupe loops (not argmax accumulators)
+- a single choke-point helper its owner reuses
+
+## Weigh the fix against the owner
+Right-size the remedy to the code that owns it. Don't prescribe a heavier primitive than the context warrants:
+a one-off script shouldn't grow a schema library, glue code shouldn't sprout an interface, a guaranteed-shape
+boundary doesn't need the validation an untrusted one does, and an unattended job usually wants a loud default
+over a hard exit. Demanding more rigor than the owner needs is its own slop. If the minimal fix is a one-liner,
+the fix is the one-liner — propose that, not an architecture.
+
+## Output per finding
+`path:line` — [kind] — what's wrong and why — **fix:** the corpus primitive to reuse OR (for a bug) the
+correct approach — severity(high|med|low) · confidence(0–1). Sort worst-first. Report everything incl.
+low-confidence — do not self-filter; a downstream ranker (and your own memory) handles that.

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Stupify contributors
+Copyright (c) 2026 Noah Lindner
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,58 +1,60 @@
-# @stupify/cli
+# stupify
 
-Local-only diagnostic CLI for checking whether AI is making you dumber.
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 
-Released under the MIT License.
+**A code reviewer that talks like an idiot and catches real bugs.**
 
-Stupify has one analysis path:
+> uhhhh ummm a couple things 👇
+>
+> 🔴 **`src/checkout/session.ts:88`** · footgun · conf 0.9
+> if `stripe.retrieve()` throws, the `catch` returns an empty cart — a transient blip looks like an empty order.
+> **→ Fix:** rethrow with context, like the fail-loud boundary in `payment-service.ts`.
+>
+> _— stupify, against the good-code corpus_
 
-```text
-sem diff -> counter scout -> Repomix context -> local search model
-```
-
-It emits search `matches`, not audit findings.
+Reviews your PRs on [Codex](https://github.com/openai/codex), against a corpus of code **you** picked:
 
-```sh
-npx @stupify/cli --staged
-npx @stupify/cli --since "2 weeks ago"
-npx @stupify/cli --commit HEAD
-npx @stupify/cli --commits 20
-git diff HEAD~1..HEAD | npx @stupify/cli --stdin
-```
+- 🎯 **Your taste.** Hand-pick your best files into `CORPUS.md`; it judges diffs against *that*, and cites them.
+- 🧹 **Anti-slop.** `RUBRIC.md` defines slop for your team, and it right-sizes the fix to the owner.
+- 🧠 **Remembers + converges.** Fed the PR's thread, so it won't re-raise what you fixed or declined — and posts `no new blocking issues ✅` and stops.
+- 😂 **A personality.** `oof, yeah this'll break:` … then gets to the point. (Tunable.)
 
-Install the warn-only pre-commit hook:
+A finder, not a gatekeeper — it comments, it doesn't block merges.
 
-```sh
-stupify hook install
-```
+## Quickstart
 
-The hook runs `stupify --staged` and exits 0.
+Stupify runs on an always-on box, so it rides [exe.dev](https://exe.dev). From your laptop, **one command provisions everything** — it detects your repo, wires the GitHub integration, and spins up a VM that installs itself. No keys, no tokens, you never SSH anywhere:
 
-Check local setup:
+```bash
+bunx github:Octember/stupif.ai
+```
 
-```sh
-stupify doctor
+```
+┌  stupify  — provision a reviewer on exe.dev
+◇  using integration acme-widgets
+◇  VM stupify-acme-widgets created
+└  stupify is provisioned for acme/widgets 👀
 ```
 
-Default search enables the checks that currently pass the local hook-safety
-bench: `duplicated_schema`, `unnecessary_complexity`, `over_commenting`,
-`lint_bypass`, and `reinvented_utils`. Other registry patterns can be opted in
-with `--checks`.
+First time on exe.dev? `ssh exe.dev` to onboard, link GitHub at [exe.dev/integrations](https://exe.dev/integrations). Then give it your taste — copy [`.review/`](.review) into your repo and point `CORPUS.md` at your best files. Label a PR `codex-review` (or add [`autolabel.yml`](.github/workflows/autolabel.yml)) → a review in ~60s.
 
-```sh
-stupify --staged --checks over_commenting
+```bash
+bunx github:Octember/stupif.ai <owner/repo>   # provision for a specific repo
+ssh exe.dev rm stupify-<owner>-<repo>         # tear it down
+bunx github:Octember/stupif.ai setup          # install on this machine instead of a VM
 ```
 
-Large search inputs are skipped rather than truncated:
+## How it works
 
-```sh
-stupify --staged --max-search-input-tokens 24000
 ```
+cron (~60s) → review-sweep.ts → codex exec → gh pr comment
+  refresh checkout · list labelled PRs · skip already-reviewed heads
+  feed the PR's thread back as memory · review against .review/* · post
+```
+
+The CLI (`src/cli.ts`) provisions; the engine (`src/review-sweep.ts`, dependency-free Bun) sweeps; the taste
+(`.review/`) lives in the repo it judges. Details in [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md).
 
-The package is prepared for the public `@stupify` npm scope. Publishing should
-use the repository release workflow so npm receives Trusted Publishing
-provenance. See the repository release docs.
+## License
 
-This iteration intentionally does not run findings audit, validators, judges,
-baselines, hosted LLM APIs, GitHub integration, dashboards, or repo-wide
-crawling.
+[MIT](LICENSE) © Noah Lindner. `stupif.ai` — read it "stupify".

package/package.json

@@ -1,53 +1,52 @@
 {
   "name": "@stupify/cli",
-  "version": "0.0.15",
-  "description": "Local-only diagnostic CLI for checking whether AI is making you dumber.",
-  "private": false,
+  "version": "0.1.0",
+  "description": "A code reviewer that talks like an idiot and catches real bugs — corpus-grounded, anti-slop, runs on Codex.",
   "type": "module",
   "bin": {
-    "stupify": "dist/stupify.js"
+    "stupify": "src/cli.ts"
   },
+  "files": [
+    "src",
+    ".review",
+    "README.md",
+    "LICENSE"
+  ],
+  "license": "MIT",
+  "homepage": "https://stupif.ai",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/Octember/stupif.ai.git",
-    "directory": "packages/cli"
+    "url": "git+https://github.com/Octember/stupif.ai.git"
   },
-  "homepage": "https://stupif.ai",
   "bugs": {
     "url": "https://github.com/Octember/stupif.ai/issues"
   },
   "keywords": [
+    "code-review",
+    "codex",
     "ai",
-    "cli",
+    "pull-request",
     "developer-tools",
-    "local-first",
-    "code-review"
+    "anti-slop"
   ],
-  "license": "MIT",
   "engines": {
-    "node": ">=20"
+    "bun": ">=1.3"
   },
   "publishConfig": {
     "access": "public",
     "provenance": true
   },
-  "files": [
-    "dist",
-    "src",
-    "LICENSE",
-    "README.md",
-    "package.json"
-  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
-    "prepack": "bun run build",
     "typecheck": "tsc -p tsconfig.json",
-    "smoke": "bun run build && node ./dist/stupify.js --help"
+    "cli": "bun src/cli.ts"
   },
   "dependencies": {
-    "@ataraxy-labs/sem": "^0.3.24",
     "@clack/prompts": "^1.2.0",
-    "picocolors": "^1.1.1",
-    "repomix": "^1.14.0"
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.14",
+    "@types/node": "^22.10.2",
+    "typescript": "^5.7.2"
   }
 }