commitshow 0.2.11 → 0.3.1

package/README.md

@@ -1,39 +1,87 @@
-# commit.show CLI
+<h1 align="center">commit.show CLI</h1>
 
-> Audit any vibe-coded project from your terminal — the **walk-on** lane.
+<p align="center">
+  <strong>Audit any vibe-coded project from your terminal.</strong><br>
+  Score · 3-axis breakdown · 3 strengths + 2 concerns · rank · delta — in one command.
+</p>
 
-The official CLI for **[commit.show](https://commit.show)**. A walk-on
-drops in, gets scored, and leaves — no signup, no audition fee, no league
-entry. You get the same Claude-grade analysis used in the full season
-(Audit / Scout / Community breakdown, 3 strengths + 2 concerns, rank,
-delta since the last snapshot). Local runs also save `.commitshow/audit.md`
-so your AI coding agent can read the report in the next turn and iterate.
-
-When a walk-on is ready to enter the season for real — Scout forecasts,
-season ranking, Backstage prompt-extraction, Hall of Fame — they audition
-at <https://commit.show/submit>.
-
-The npm package + command is `commitshow` (no dot — npm doesn't allow it in
-package names). Everything else uses the brand `commit.show`.
+<p align="center">
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/v/commitshow?color=F0C040&label=npm&style=flat-square" alt="npm version"></a>
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/dw/commitshow?color=0F2040&style=flat-square" alt="weekly downloads"></a>
+  <img src="https://img.shields.io/node/v/commitshow?color=0F2040&style=flat-square" alt="node">
+  <img src="https://img.shields.io/npm/l/commitshow?color=0F2040&style=flat-square" alt="MIT license">
+</p>
 
 ```bash
-npx commitshow@latest audit
-# or audit any public project by URL — no cd required
 npx commitshow@latest audit github.com/owner/repo
 ```
 
+```
+  ┌──────────────────────────────────────────────────────────┐
+  │  commit.show · Audit report                               │
+  └──────────────────────────────────────────────────────────┘
+
+    maa-website                     austinpw-cloud/maa-website
+
+                         ╔══════════════╗
+                         ║   82 / 100   ║
+                         ╚══════════════╝
+
+      Audit  42/50  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱
+      Scout  26/30  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱
+      Comm.  14/20  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱▱▱
+
+    ┌───────────────────────────────────────────────────────┐
+    │ ↑ 80+ edge functions · LCP 1.4s · 50 RLS policies     │
+    │ ↑ Brief integrity 9/10 · all 6 sections answered      │
+    │ ↑ Tech layers 6 · full-stack evidence                 │
+    │ ↓ Accessibility 72 · buttons missing aria-labels      │
+    │ ↓ No API rate limiting on /auth endpoint              │
+    └───────────────────────────────────────────────────────┘
+
+      Ranked    #3 of 47   Season Zero
+      Tier      Honors     (top 5%)
+      Δ         +12        since yesterday's audit
+
+    → commit.show/projects/bfe11d75-dc67-…
+                                                       commit.show
+```
+
+> [⭐ Star us on GitHub](https://github.com/commitshow/cli) if `commitshow audit` saved you a `// TODO`.
+
+---
+
+## Why
+
+Vibe-coded projects ship fast and break differently. The CLI gives you a
+**zero-config**, **walk-on** lane to commit.show's audit engine — the same
+Claude-grade analysis used in our 3-week leagues, minus the signup, fee,
+and league commitment. You get a snapshot of where the build sits, what's
+strong, what's wobbling, and how it ranks against everyone else this week.
+
+Local runs also drop `.commitshow/audit.md` and `.commitshow/audit.json`
+into your repo, so your AI coding agent can read the report on the next
+turn without a prompt-engineering ritual.
+
+When a project is ready for the full season — Scout forecasts, season
+ranking, Backstage prompt extraction, Hall of Fame — it auditions at
+[commit.show/submit](https://commit.show/submit).
+
+> The npm package + command is `commitshow` (no dot — npm doesn't allow
+> it in package names). Everywhere else uses the brand **commit.show**.
+
 ## Install
 
 ```bash
-# one-shot
+# one-shot (recommended for trying it on someone else's repo)
 npx commitshow@latest audit <target>
 
-# or global
+# or global, if you'll run it daily
 npm i -g commitshow
 commitshow audit <target>
 ```
 
-Node 20+.
+Requires **Node 20+**.
 
 ## Usage
 
@@ -126,12 +174,21 @@ changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
 - `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
 - `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
 - `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
-- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly · §15-C.6)
+- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly)
 
 ## Links
 
-- Home: <https://commit.show>
-- Source: <https://github.com/hans1329/vibe/tree/main/packages/cli>
-- Issues: <https://github.com/hans1329/vibe/issues>
+- Home — <https://commit.show>
+- Source — <https://github.com/commitshow/cli>
+- Issues — <https://github.com/commitshow/cli/issues>
+- The platform repo — <https://github.com/commitshow/commitshow>
+
+---
+
+<p align="center">
+  <strong>Built one repo at a time. <a href="https://commit.show">commit.show</a></strong>
+</p>
 
-MIT © 2026 commit.show
+<p align="center">
+  MIT © 2026 commit.show
+</p>

package/dist/lib/render.js

@@ -138,10 +138,40 @@ export function renderAudit(view) {
     const slug = p.github_url?.replace(/^https?:\/\//, '') ?? '';
     lines.push('  ' + c.bold(c.cream(name)) + '   ' + c.muted(slug));
     lines.push('');
+    // ── 3 strengths + 2 concerns box · errors-first reorder (2026-04-30) ──
+    // CONCERNS render before STRENGTHS · the value prop is "what your AI
+    // missed", so they lead. Score follows as the receipt below.
+    const strengths = asStringArray(snapshot?.rich_analysis?.scout_brief?.strengths, 3);
+    const concerns = asStringArray(snapshot?.rich_analysis?.scout_brief?.weaknesses, 2);
+    if (strengths.length > 0 || concerns.length > 0) {
+        const bulletWidth = CONTENT_W - 2;
+        lines.push('  ' + boxTop());
+        // Heading row inside the box · "What this build missed" lead.
+        if (concerns.length > 0) {
+            const heading = 'What this build missed';
+            lines.push('  ' + boxRow(heading.length, c.bold(c.scarlet(heading))));
+        }
+        for (const s of concerns) {
+            const txt = truncate(s, bulletWidth);
+            lines.push('  ' + boxRow(2 + txt.length, c.scarlet('↓ ') + c.cream(txt)));
+        }
+        if (strengths.length > 0) {
+            if (concerns.length > 0)
+                lines.push('  ' + boxBlank());
+            const heading = 'What it got right';
+            lines.push('  ' + boxRow(heading.length, c.bold(c.teal(heading))));
+        }
+        for (const s of strengths) {
+            const txt = truncate(s, bulletWidth);
+            lines.push('  ' + boxRow(2 + txt.length, c.teal('↑ ') + c.cream(txt)));
+        }
+        lines.push('  ' + boxBottom());
+        lines.push('');
+    }
     // Hero score · big-digit ASCII for X-share screenshots.
-    // Always brand gold (slightly deeper tone for screenshot legibility) so
-    // the wordmark + score read as one cohesive brand mark. Band info is
-    // surfaced in the small caption underneath instead of via color.
+    // Now positioned AFTER concerns/strengths · the score is the receipt
+    // for the findings above, not the lead. Always brand gold for cohesive
+    // wordmark + score brand mark.
     const bigRows = bigText(String(total));
     const bigWidth = bigRows[0].length;
     const leftPad = Math.floor((58 - bigWidth) / 2);
@@ -189,39 +219,19 @@ export function renderAudit(view) {
         lines.push('  ' + `  Comm.  ${pad(`${p.score_community}/20`, 7)}  ${scoreBar(p.score_community, 20)}`);
     }
     lines.push('');
-    // 3 strengths + 2 concerns from scout_brief · §15-C.2 content contract.
-    // Web surfaces the full 5+3; the CLI keeps it tight for terminal screenshots.
-    const strengths = asStringArray(snapshot?.rich_analysis?.scout_brief?.strengths, 3);
-    const concerns = asStringArray(snapshot?.rich_analysis?.scout_brief?.weaknesses, 2);
-    if (strengths.length > 0 || concerns.length > 0) {
-        // strengths/concerns each render as `↑ ` (2 visible) + truncated line.
-        // Total visible-line budget inside the box is CONTENT_W chars; reserve
-        // 2 for the arrow + space, leaving CONTENT_W - 2 for the bullet text.
-        const bulletWidth = CONTENT_W - 2;
-        lines.push('  ' + boxTop());
-        for (const s of strengths) {
-            const txt = truncate(s, bulletWidth);
-            lines.push('  ' + boxRow(2 + txt.length, c.teal('↑ ') + c.cream(txt)));
-        }
-        for (const s of concerns) {
-            const txt = truncate(s, bulletWidth);
-            lines.push('  ' + boxRow(2 + txt.length, c.scarlet('↓ ') + c.cream(txt)));
-        }
-        lines.push('  ' + boxBottom());
-        lines.push('');
-    }
-    // ─── Vibe Coder Checklist · 7-category framework ───
+    // (concerns/strengths block moved above the score · errors-first 2026-04-30)
+    // ─── AI Coder 7 Frames · signature framework ───
     // Render only the categories that produced an actionable status (fail /
     // warn / pass when meaningful). N/A categories are dropped to keep the
-    // terminal output compact. Helps beginners see "the 7 things AI-coded
-    // projects miss" framework directly in the report.
+    // terminal output compact. Surfaces the seven AI-specific failure
+    // modes generic linters miss.
     const vc = snapshot?.github_signals?.vibe_concerns;
     if (vc) {
         const items = vibeChecklistLines(vc);
         const actionable = items.filter(i => i.status !== 'na');
         if (actionable.length > 0) {
             lines.push('  ' + boxTop());
-            lines.push('  ' + boxRow('Vibe Coder Checklist · 7 things AI-coded projects miss'.length, c.bold(c.gold('Vibe Coder Checklist')) + c.muted(' · 7 things AI-coded projects miss')));
+            lines.push('  ' + boxRow('AI Coder 7 Frames · what AI ships without'.length, c.bold(c.gold('AI Coder 7 Frames')) + c.muted(' · what AI ships without')));
             lines.push('  ' + boxBlank());
             for (const it of actionable.slice(0, 7)) {
                 const tone = it.status === 'fail' ? c.scarlet : it.status === 'warn' ? c.gold : c.teal;
@@ -364,6 +374,55 @@ function vibeChecklistLines(vc) {
         else
             out.push({ key: 'prompt_injection', status: 'pass', label: 'Prompt injection risk', detail: 'AI SDK in use · no obvious raw-input patterns' });
     }
+    // 8. Hardcoded URLs
+    {
+        const h = vc?.hardcoded_urls;
+        if (h && h.total > 0) {
+            const ev = h.samples?.[0] ? `${h.samples[0].file} · ${h.samples[0].pattern}` : undefined;
+            out.push({ key: 'hardcoded_urls', status: 'warn', label: 'Hardcoded URLs', detail: `${h.total} file${h.total > 1 ? 's' : ''} · localhost / 127.0.0.1 baked in`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'hardcoded_urls', status: 'pass', label: 'Hardcoded URLs', detail: 'no localhost / dev URLs in scanned files' });
+        }
+    }
+    // 9. Mock data in production
+    {
+        const m = vc?.mock_data;
+        if (m && m.total > 0) {
+            const ev = m.samples?.[0] ? `${m.samples[0].file} · const ${m.samples[0].collection} = […]` : undefined;
+            out.push({ key: 'mock_data', status: 'warn', label: 'Mock data in prod', detail: `${m.total} file${m.total > 1 ? 's' : ''} with inline seed arrays`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'mock_data', status: 'pass', label: 'Mock data in prod', detail: 'no inline mock arrays in app paths' });
+        }
+    }
+    // 10. Webhook signature
+    {
+        const w = vc?.webhook_signature;
+        if (!w || w.handlers_seen === 0) {
+            out.push({ key: 'webhook_signature', status: 'na', label: 'Webhook signature', detail: 'no webhook handler files detected' });
+        }
+        else if (w.gap) {
+            out.push({ key: 'webhook_signature', status: 'fail', label: 'Webhook signature', detail: `${w.handlers_seen} handler${w.handlers_seen > 1 ? 's' : ''} · 0 HMAC verification` });
+        }
+        else if (w.verified_seen >= w.handlers_seen) {
+            out.push({ key: 'webhook_signature', status: 'pass', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature` });
+        }
+        else {
+            out.push({ key: 'webhook_signature', status: 'warn', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature · partial` });
+        }
+    }
+    // 11. CORS permissive
+    {
+        const c = vc?.cors_permissive;
+        if (c && c.total > 0) {
+            const ev = c.samples?.[0] ? `${c.samples[0].file} · ${c.samples[0].pattern}` : undefined;
+            out.push({ key: 'cors_permissive', status: 'warn', label: 'CORS too permissive', detail: `${c.total} file${c.total > 1 ? 's' : ''} · origin: '*' or origin: true`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'cors_permissive', status: 'pass', label: 'CORS too permissive', detail: "no 'origin: *' patterns detected" });
+        }
+    }
     // Sort fail → warn → pass → na
     const order = { fail: 0, warn: 1, pass: 2, na: 3 };
     return out.sort((a, b) => order[a.status] - order[b.status]);
@@ -398,6 +457,21 @@ export function renderMarkdown(view) {
     if (p.github_url)
         lines.push(`_${p.github_url}_`);
     lines.push('');
+    // errors-first markdown order (2026-04-30) · concerns + strengths
+    // BEFORE the score so the AI agent reading audit.md picks up the
+    // actionable items in its first pass.
+    if (concerns.length > 0) {
+        lines.push(`## What this build missed`);
+        for (const s of concerns)
+            lines.push(`- ${s}`);
+        lines.push('');
+    }
+    if (strengths.length > 0) {
+        lines.push(`## What it got right`);
+        for (const s of strengths)
+            lines.push(`- ${s}`);
+        lines.push('');
+    }
     lines.push(`## Score · ${p.score_total} / 100`);
     lines.push('');
     lines.push(`- Audit:      ${p.score_auto}/50`);
@@ -410,20 +484,8 @@ export function renderMarkdown(view) {
         lines.push(`- Ranked #${standing.rank} of ${standing.total_in_season} — projected **${standing.projected_tier ?? '—'}** (top ${Math.round(standing.percentile)}%)`);
     }
     lines.push('');
-    if (strengths.length > 0) {
-        lines.push(`## Strengths`);
-        for (const s of strengths)
-            lines.push(`- ${s}`);
-        lines.push('');
-    }
-    if (concerns.length > 0) {
-        lines.push(`## Concerns`);
-        for (const s of concerns)
-            lines.push(`- ${s}`);
-        lines.push('');
-    }
     lines.push(`---`);
-    lines.push(`Auditioned on commit.show · https://commit.show/projects/${p.id}`);
+    lines.push(`Audited on commit.show · https://commit.show/projects/${p.id}`);
     lines.push('');
     return lines.join('\n');
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "commitshow",
-  "version": "0.2.11",
+  "version": "0.3.1",
   "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {
@@ -23,15 +23,21 @@
     "commit.show",
     "audit",
     "vibe-coding",
-    "cli"
+    "cli",
+    "claude-code",
+    "cursor",
+    "code-quality",
+    "developer-tools"
   ],
   "author": "commit.show",
   "license": "MIT",
   "homepage": "https://commit.show",
   "repository": {
     "type": "git",
-    "url": "https://github.com/hans1329/vibe",
-    "directory": "packages/cli"
+    "url": "https://github.com/commitshow/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/commitshow/cli/issues"
   },
   "dependencies": {
     "kleur": "^4.1.5"