commitshow 0.3.0 → 0.3.1

package/README.md

@@ -1,39 +1,87 @@
-# commit.show CLI
+<h1 align="center">commit.show CLI</h1>
 
-> Audit any vibe-coded project from your terminal — the **walk-on** lane.
+<p align="center">
+  <strong>Audit any vibe-coded project from your terminal.</strong><br>
+  Score · 3-axis breakdown · 3 strengths + 2 concerns · rank · delta — in one command.
+</p>
 
-The official CLI for **[commit.show](https://commit.show)**. A walk-on
-drops in, gets scored, and leaves — no signup, no audition fee, no league
-entry. You get the same Claude-grade analysis used in the full season
-(Audit / Scout / Community breakdown, 3 strengths + 2 concerns, rank,
-delta since the last snapshot). Local runs also save `.commitshow/audit.md`
-so your AI coding agent can read the report in the next turn and iterate.
-
-When a walk-on is ready to enter the season for real — Scout forecasts,
-season ranking, Backstage prompt-extraction, Hall of Fame — they audition
-at <https://commit.show/submit>.
-
-The npm package + command is `commitshow` (no dot — npm doesn't allow it in
-package names). Everything else uses the brand `commit.show`.
+<p align="center">
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/v/commitshow?color=F0C040&label=npm&style=flat-square" alt="npm version"></a>
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/dw/commitshow?color=0F2040&style=flat-square" alt="weekly downloads"></a>
+  <img src="https://img.shields.io/node/v/commitshow?color=0F2040&style=flat-square" alt="node">
+  <img src="https://img.shields.io/npm/l/commitshow?color=0F2040&style=flat-square" alt="MIT license">
+</p>
 
 ```bash
-npx commitshow@latest audit
-# or audit any public project by URL — no cd required
 npx commitshow@latest audit github.com/owner/repo
 ```
 
+```
+  ┌──────────────────────────────────────────────────────────┐
+  │  commit.show · Audit report                               │
+  └──────────────────────────────────────────────────────────┘
+
+    maa-website                     austinpw-cloud/maa-website
+
+                         ╔══════════════╗
+                         ║   82 / 100   ║
+                         ╚══════════════╝
+
+      Audit  42/50  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱
+      Scout  26/30  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱
+      Comm.  14/20  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱▱▱
+
+    ┌───────────────────────────────────────────────────────┐
+    │ ↑ 80+ edge functions · LCP 1.4s · 50 RLS policies     │
+    │ ↑ Brief integrity 9/10 · all 6 sections answered      │
+    │ ↑ Tech layers 6 · full-stack evidence                 │
+    │ ↓ Accessibility 72 · buttons missing aria-labels      │
+    │ ↓ No API rate limiting on /auth endpoint              │
+    └───────────────────────────────────────────────────────┘
+
+      Ranked    #3 of 47   Season Zero
+      Tier      Honors     (top 5%)
+      Δ         +12        since yesterday's audit
+
+    → commit.show/projects/bfe11d75-dc67-…
+                                                       commit.show
+```
+
+> [⭐ Star us on GitHub](https://github.com/commitshow/cli) if `commitshow audit` saved you a `// TODO`.
+
+---
+
+## Why
+
+Vibe-coded projects ship fast and break differently. The CLI gives you a
+**zero-config**, **walk-on** lane to commit.show's audit engine — the same
+Claude-grade analysis used in our 3-week leagues, minus the signup, fee,
+and league commitment. You get a snapshot of where the build sits, what's
+strong, what's wobbling, and how it ranks against everyone else this week.
+
+Local runs also drop `.commitshow/audit.md` and `.commitshow/audit.json`
+into your repo, so your AI coding agent can read the report on the next
+turn without a prompt-engineering ritual.
+
+When a project is ready for the full season — Scout forecasts, season
+ranking, Backstage prompt extraction, Hall of Fame — it auditions at
+[commit.show/submit](https://commit.show/submit).
+
+> The npm package + command is `commitshow` (no dot — npm doesn't allow
+> it in package names). Everywhere else uses the brand **commit.show**.
+
 ## Install
 
 ```bash
-# one-shot
+# one-shot (recommended for trying it on someone else's repo)
 npx commitshow@latest audit <target>
 
-# or global
+# or global, if you'll run it daily
 npm i -g commitshow
 commitshow audit <target>
 ```
 
-Node 20+.
+Requires **Node 20+**.
 
 ## Usage
 
@@ -126,12 +174,21 @@ changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
 - `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
 - `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
 - `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
-- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly · §15-C.6)
+- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly)
 
 ## Links
 
-- Home: <https://commit.show>
-- Source: <https://github.com/hans1329/vibe/tree/main/packages/cli>
-- Issues: <https://github.com/hans1329/vibe/issues>
+- Home — <https://commit.show>
+- Source — <https://github.com/commitshow/cli>
+- Issues — <https://github.com/commitshow/cli/issues>
+- The platform repo — <https://github.com/commitshow/commitshow>
+
+---
+
+<p align="center">
+  <strong>Built one repo at a time. <a href="https://commit.show">commit.show</a></strong>
+</p>
 
-MIT © 2026 commit.show
+<p align="center">
+  MIT © 2026 commit.show
+</p>

package/dist/lib/render.js

@@ -220,18 +220,18 @@ export function renderAudit(view) {
     }
     lines.push('');
     // (concerns/strengths block moved above the score · errors-first 2026-04-30)
-    // ─── Vibe Coder Checklist · 7-category framework ───
+    // ─── AI Coder 7 Frames · signature framework ───
     // Render only the categories that produced an actionable status (fail /
     // warn / pass when meaningful). N/A categories are dropped to keep the
-    // terminal output compact. Helps beginners see "the 7 things AI-coded
-    // projects miss" framework directly in the report.
+    // terminal output compact. Surfaces the seven AI-specific failure
+    // modes generic linters miss.
     const vc = snapshot?.github_signals?.vibe_concerns;
     if (vc) {
         const items = vibeChecklistLines(vc);
         const actionable = items.filter(i => i.status !== 'na');
         if (actionable.length > 0) {
             lines.push('  ' + boxTop());
-            lines.push('  ' + boxRow('Vibe Coder Checklist · 7 things AI-coded projects miss'.length, c.bold(c.gold('Vibe Coder Checklist')) + c.muted(' · 7 things AI-coded projects miss')));
+            lines.push('  ' + boxRow('AI Coder 7 Frames · what AI ships without'.length, c.bold(c.gold('AI Coder 7 Frames')) + c.muted(' · what AI ships without')));
             lines.push('  ' + boxBlank());
             for (const it of actionable.slice(0, 7)) {
                 const tone = it.status === 'fail' ? c.scarlet : it.status === 'warn' ? c.gold : c.teal;
@@ -374,6 +374,55 @@ function vibeChecklistLines(vc) {
         else
             out.push({ key: 'prompt_injection', status: 'pass', label: 'Prompt injection risk', detail: 'AI SDK in use · no obvious raw-input patterns' });
     }
+    // 8. Hardcoded URLs
+    {
+        const h = vc?.hardcoded_urls;
+        if (h && h.total > 0) {
+            const ev = h.samples?.[0] ? `${h.samples[0].file} · ${h.samples[0].pattern}` : undefined;
+            out.push({ key: 'hardcoded_urls', status: 'warn', label: 'Hardcoded URLs', detail: `${h.total} file${h.total > 1 ? 's' : ''} · localhost / 127.0.0.1 baked in`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'hardcoded_urls', status: 'pass', label: 'Hardcoded URLs', detail: 'no localhost / dev URLs in scanned files' });
+        }
+    }
+    // 9. Mock data in production
+    {
+        const m = vc?.mock_data;
+        if (m && m.total > 0) {
+            const ev = m.samples?.[0] ? `${m.samples[0].file} · const ${m.samples[0].collection} = […]` : undefined;
+            out.push({ key: 'mock_data', status: 'warn', label: 'Mock data in prod', detail: `${m.total} file${m.total > 1 ? 's' : ''} with inline seed arrays`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'mock_data', status: 'pass', label: 'Mock data in prod', detail: 'no inline mock arrays in app paths' });
+        }
+    }
+    // 10. Webhook signature
+    {
+        const w = vc?.webhook_signature;
+        if (!w || w.handlers_seen === 0) {
+            out.push({ key: 'webhook_signature', status: 'na', label: 'Webhook signature', detail: 'no webhook handler files detected' });
+        }
+        else if (w.gap) {
+            out.push({ key: 'webhook_signature', status: 'fail', label: 'Webhook signature', detail: `${w.handlers_seen} handler${w.handlers_seen > 1 ? 's' : ''} · 0 HMAC verification` });
+        }
+        else if (w.verified_seen >= w.handlers_seen) {
+            out.push({ key: 'webhook_signature', status: 'pass', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature` });
+        }
+        else {
+            out.push({ key: 'webhook_signature', status: 'warn', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature · partial` });
+        }
+    }
+    // 11. CORS permissive
+    {
+        const c = vc?.cors_permissive;
+        if (c && c.total > 0) {
+            const ev = c.samples?.[0] ? `${c.samples[0].file} · ${c.samples[0].pattern}` : undefined;
+            out.push({ key: 'cors_permissive', status: 'warn', label: 'CORS too permissive', detail: `${c.total} file${c.total > 1 ? 's' : ''} · origin: '*' or origin: true`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'cors_permissive', status: 'pass', label: 'CORS too permissive', detail: "no 'origin: *' patterns detected" });
+        }
+    }
     // Sort fail → warn → pass → na
     const order = { fail: 0, warn: 1, pass: 2, na: 3 };
     return out.sort((a, b) => order[a.status] - order[b.status]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "commitshow",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {
@@ -23,15 +23,21 @@
     "commit.show",
     "audit",
     "vibe-coding",
-    "cli"
+    "cli",
+    "claude-code",
+    "cursor",
+    "code-quality",
+    "developer-tools"
   ],
   "author": "commit.show",
   "license": "MIT",
   "homepage": "https://commit.show",
   "repository": {
     "type": "git",
-    "url": "https://github.com/hans1329/vibe",
-    "directory": "packages/cli"
+    "url": "https://github.com/commitshow/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/commitshow/cli/issues"
   },
   "dependencies": {
     "kleur": "^4.1.5"