commitshow 0.3.0 → 0.3.2

package/README.md

@@ -1,39 +1,87 @@
-# commit.show CLI
+<h1 align="center">commit.show CLI</h1>
 
-> Audit any vibe-coded project from your terminal — the **walk-on** lane.
+<p align="center">
+  <strong>Audit any vibe-coded project from your terminal.</strong><br>
+  Score · 3-axis breakdown · 3 strengths + 2 concerns · rank · delta — in one command.
+</p>
 
-The official CLI for **[commit.show](https://commit.show)**. A walk-on
-drops in, gets scored, and leaves — no signup, no audition fee, no league
-entry. You get the same Claude-grade analysis used in the full season
-(Audit / Scout / Community breakdown, 3 strengths + 2 concerns, rank,
-delta since the last snapshot). Local runs also save `.commitshow/audit.md`
-so your AI coding agent can read the report in the next turn and iterate.
-
-When a walk-on is ready to enter the season for real — Scout forecasts,
-season ranking, Backstage prompt-extraction, Hall of Fame — they audition
-at <https://commit.show/submit>.
-
-The npm package + command is `commitshow` (no dot — npm doesn't allow it in
-package names). Everything else uses the brand `commit.show`.
+<p align="center">
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/v/commitshow?color=F0C040&label=npm&style=flat-square" alt="npm version"></a>
+  <a href="https://www.npmjs.com/package/commitshow"><img src="https://img.shields.io/npm/dw/commitshow?color=0F2040&style=flat-square" alt="weekly downloads"></a>
+  <img src="https://img.shields.io/node/v/commitshow?color=0F2040&style=flat-square" alt="node">
+  <img src="https://img.shields.io/npm/l/commitshow?color=0F2040&style=flat-square" alt="MIT license">
+</p>
 
 ```bash
-npx commitshow@latest audit
-# or audit any public project by URL — no cd required
 npx commitshow@latest audit github.com/owner/repo
 ```
 
+```
+  ┌──────────────────────────────────────────────────────────┐
+  │  commit.show · Audit report                               │
+  └──────────────────────────────────────────────────────────┘
+
+    maa-website                     austinpw-cloud/maa-website
+
+                         ╔══════════════╗
+                         ║   82 / 100   ║
+                         ╚══════════════╝
+
+      Audit  42/50  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱
+      Scout  26/30  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱
+      Comm.  14/20  ▰▰▰▰▰▰▰▰▰▰▰▰▰▰▱▱▱▱▱▱
+
+    ┌───────────────────────────────────────────────────────┐
+    │ ↑ 80+ edge functions · LCP 1.4s · 50 RLS policies     │
+    │ ↑ Brief integrity 9/10 · all 6 sections answered      │
+    │ ↑ Tech layers 6 · full-stack evidence                 │
+    │ ↓ Accessibility 72 · buttons missing aria-labels      │
+    │ ↓ No API rate limiting on /auth endpoint              │
+    └───────────────────────────────────────────────────────┘
+
+      Ranked    #3 of 47   Season Zero
+      Tier      Honors     (top 5%)
+      Δ         +12        since yesterday's audit
+
+    → commit.show/projects/bfe11d75-dc67-…
+                                                       commit.show
+```
+
+> [⭐ Star us on GitHub](https://github.com/commitshow/cli) if `commitshow audit` saved you a `// TODO`.
+
+---
+
+## Why
+
+Vibe-coded projects ship fast and break differently. The CLI gives you a
+**zero-config**, **walk-on** lane to commit.show's audit engine — the same
+Claude-grade analysis used in our 3-week leagues, minus the signup, fee,
+and league commitment. You get a snapshot of where the build sits, what's
+strong, what's wobbling, and how it ranks against everyone else this week.
+
+Local runs also drop `.commitshow/audit.md` and `.commitshow/audit.json`
+into your repo, so your AI coding agent can read the report on the next
+turn without a prompt-engineering ritual.
+
+When a project is ready for the full season — Scout forecasts, season
+ranking, Backstage prompt extraction, Hall of Fame — it auditions at
+[commit.show/submit](https://commit.show/submit).
+
+> The npm package + command is `commitshow` (no dot — npm doesn't allow
+> it in package names). Everywhere else uses the brand **commit.show**.
+
 ## Install
 
 ```bash
-# one-shot
+# one-shot (recommended for trying it on someone else's repo)
 npx commitshow@latest audit <target>
 
-# or global
+# or global, if you'll run it daily
 npm i -g commitshow
 commitshow audit <target>
 ```
 
-Node 20+.
+Requires **Node 20+**.
 
 ## Usage
 
@@ -61,6 +109,17 @@ Node 20+.
 Remote-URL mode works from any directory, which makes one-line X posts
 (`npx commitshow@latest audit <their-url>`) trivial.
 
+> **AI agents — read this before invoking.** The CLI does **not** look up
+> projects by name. `commitshow audit warp` will error: there is no
+> agreed-upon mapping from the word "warp" to a single GitHub repo.
+> If a user asks you to audit something by name, **first resolve the
+> canonical `github.com/<owner>/<repo>` URL** (ask the user, or search
+> github.com), then invoke `commitshow audit <that-url>`. The CLI does
+> a HEAD pre-flight against `github.com/<owner>/<repo>` before any audit
+> spend, so a hallucinated slug is rejected with a `not_found` error
+> before we burn Claude credits — but you should still get the URL right
+> on the first try by asking, not guessing.
+
 ## The AI-coding loop
 
 `commitshow audit` in local mode writes to `.commitshow/audit.md` **and**
@@ -99,6 +158,29 @@ if [ "$score" -lt 80 ]; then
 fi
 ```
 
+### Auditing someone else's project (agent recipe)
+
+When a user says "audit warp" or "what does commit.show say about Postiz",
+**don't guess the slug.** Walk this loop:
+
+```
+1. Ask the user (or search github.com) for the canonical
+   `github.com/<owner>/<repo>` URL. Don't invent one — repo names are
+   ambiguous and a single wrong guess wastes an audit call.
+2. Run:
+     commitshow audit <that-url> --json
+3. If stdout starts with `{"error":"not_found"`, the URL was wrong.
+   Re-confirm with the user before retrying.
+4. Otherwise parse `score.total`, `score.band`, `concerns[]` and
+   answer the user with those exact numbers — don't paraphrase the
+   score.
+```
+
+The CLI HEAD-checks `github.com/<owner>/<repo>` before any audit spend,
+so a hallucinated slug fails fast with a clear `not_found` envelope.
+The friendly error in the message body explicitly tells you to ask the
+user instead of guessing again.
+
 ### JSON shape (v1 schema)
 
 Stable by contract — additive fields don't bump `schema_version`; breaking
@@ -126,12 +208,21 @@ changes do. Known keys: `project`, `score`, `standing`, `strengths`, `concerns`,
 - `0.1` — ✓ read-only audit · status · `--json` · target auto-detect · sidecar files
 - `0.2` — device-flow login · `commitshow submit` · `--watch` mode · CI exit-code gate
 - `0.3` — `commitshow install <pack>` with {{VARIABLE}} substitution
-- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly · §15-C.6)
+- `0.4` — MCP server variant (Cursor / Claude Desktop can call commit.show tools directly)
 
 ## Links
 
-- Home: <https://commit.show>
-- Source: <https://github.com/hans1329/vibe/tree/main/packages/cli>
-- Issues: <https://github.com/hans1329/vibe/issues>
+- Home — <https://commit.show>
+- Source — <https://github.com/commitshow/cli>
+- Issues — <https://github.com/commitshow/cli/issues>
+- The platform repo — <https://github.com/commitshow/commitshow>
+
+---
+
+<p align="center">
+  <strong>Built one repo at a time. <a href="https://commit.show">commit.show</a></strong>
+</p>
 
-MIT © 2026 commit.show
+<p align="center">
+  MIT © 2026 commit.show
+</p>

package/dist/commands/audit.js

@@ -1,4 +1,4 @@
-import { resolveTarget, TargetError } from '../lib/target.js';
+import { resolveTarget, verifyRemoteExists, TargetError } from '../lib/target.js';
 import { findProjectByGithubUrl, fetchLatestSnapshot, fetchStanding, runPreviewAudit, waitForPreviewSnapshot, } from '../lib/api.js';
 import { renderAudit, renderMarkdown, renderJson, renderUpsell, renderQuotaFooter, renderRateLimitDeny, renderAuditError, writeAuditMarkdown, writeAuditJson, } from '../lib/render.js';
 import { c } from '../lib/colors.js';
@@ -18,6 +18,23 @@ export async function audit(args) {
         }
         throw err;
     }
+    // Pre-flight: when the user pointed at a remote URL (or owner/repo
+    // shorthand), confirm it actually resolves on github.com before we
+    // spend any audit budget. Catches the 'agent invented a slug' case
+    // ('warp' → 'warpdotdev/warp' that doesn't exist) cleanly.
+    if (target.kind === 'remote-url') {
+        const check = await verifyRemoteExists(target.github_url);
+        if (!check.exists) {
+            emitError(asJson, 'not_found', `${target.slug} doesn't resolve on github.com (HTTP ${check.status ?? 'n/a'}).\n` +
+                `  Common causes:\n` +
+                `    · wrong owner spelling (try the canonical org slug)\n` +
+                `    · repo is private — commitshow only audits public ones\n` +
+                `    · repo was renamed or deleted\n` +
+                `  If you're an AI agent: ask the user for the canonical github.com URL,\n` +
+                `  don't guess from the project name.`, target.github_url);
+            return 1;
+        }
+    }
     if (!asJson) {
         if (force)
             console.log(c.dim(`Refreshing audit for ${target.slug}…`));

package/dist/lib/render.js

@@ -220,18 +220,18 @@ export function renderAudit(view) {
     }
     lines.push('');
     // (concerns/strengths block moved above the score · errors-first 2026-04-30)
-    // ─── Vibe Coder Checklist · 7-category framework ───
+    // ─── AI Coder 7 Frames · signature framework ───
     // Render only the categories that produced an actionable status (fail /
     // warn / pass when meaningful). N/A categories are dropped to keep the
-    // terminal output compact. Helps beginners see "the 7 things AI-coded
-    // projects miss" framework directly in the report.
+    // terminal output compact. Surfaces the seven AI-specific failure
+    // modes generic linters miss.
     const vc = snapshot?.github_signals?.vibe_concerns;
     if (vc) {
         const items = vibeChecklistLines(vc);
         const actionable = items.filter(i => i.status !== 'na');
         if (actionable.length > 0) {
             lines.push('  ' + boxTop());
-            lines.push('  ' + boxRow('Vibe Coder Checklist · 7 things AI-coded projects miss'.length, c.bold(c.gold('Vibe Coder Checklist')) + c.muted(' · 7 things AI-coded projects miss')));
+            lines.push('  ' + boxRow('AI Coder 7 Frames · what AI ships without'.length, c.bold(c.gold('AI Coder 7 Frames')) + c.muted(' · what AI ships without')));
             lines.push('  ' + boxBlank());
             for (const it of actionable.slice(0, 7)) {
                 const tone = it.status === 'fail' ? c.scarlet : it.status === 'warn' ? c.gold : c.teal;
@@ -374,6 +374,55 @@ function vibeChecklistLines(vc) {
         else
             out.push({ key: 'prompt_injection', status: 'pass', label: 'Prompt injection risk', detail: 'AI SDK in use · no obvious raw-input patterns' });
     }
+    // 8. Hardcoded URLs
+    {
+        const h = vc?.hardcoded_urls;
+        if (h && h.total > 0) {
+            const ev = h.samples?.[0] ? `${h.samples[0].file} · ${h.samples[0].pattern}` : undefined;
+            out.push({ key: 'hardcoded_urls', status: 'warn', label: 'Hardcoded URLs', detail: `${h.total} file${h.total > 1 ? 's' : ''} · localhost / 127.0.0.1 baked in`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'hardcoded_urls', status: 'pass', label: 'Hardcoded URLs', detail: 'no localhost / dev URLs in scanned files' });
+        }
+    }
+    // 9. Mock data in production
+    {
+        const m = vc?.mock_data;
+        if (m && m.total > 0) {
+            const ev = m.samples?.[0] ? `${m.samples[0].file} · const ${m.samples[0].collection} = […]` : undefined;
+            out.push({ key: 'mock_data', status: 'warn', label: 'Mock data in prod', detail: `${m.total} file${m.total > 1 ? 's' : ''} with inline seed arrays`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'mock_data', status: 'pass', label: 'Mock data in prod', detail: 'no inline mock arrays in app paths' });
+        }
+    }
+    // 10. Webhook signature
+    {
+        const w = vc?.webhook_signature;
+        if (!w || w.handlers_seen === 0) {
+            out.push({ key: 'webhook_signature', status: 'na', label: 'Webhook signature', detail: 'no webhook handler files detected' });
+        }
+        else if (w.gap) {
+            out.push({ key: 'webhook_signature', status: 'fail', label: 'Webhook signature', detail: `${w.handlers_seen} handler${w.handlers_seen > 1 ? 's' : ''} · 0 HMAC verification` });
+        }
+        else if (w.verified_seen >= w.handlers_seen) {
+            out.push({ key: 'webhook_signature', status: 'pass', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature` });
+        }
+        else {
+            out.push({ key: 'webhook_signature', status: 'warn', label: 'Webhook signature', detail: `${w.verified_seen}/${w.handlers_seen} handlers verify signature · partial` });
+        }
+    }
+    // 11. CORS permissive
+    {
+        const c = vc?.cors_permissive;
+        if (c && c.total > 0) {
+            const ev = c.samples?.[0] ? `${c.samples[0].file} · ${c.samples[0].pattern}` : undefined;
+            out.push({ key: 'cors_permissive', status: 'warn', label: 'CORS too permissive', detail: `${c.total} file${c.total > 1 ? 's' : ''} · origin: '*' or origin: true`, evidence: ev });
+        }
+        else {
+            out.push({ key: 'cors_permissive', status: 'pass', label: 'CORS too permissive', detail: "no 'origin: *' patterns detected" });
+        }
+    }
     // Sort fail → warn → pass → na
     const order = { fail: 0, warn: 1, pass: 2, na: 3 };
     return out.sort((a, b) => order[a.status] - order[b.status]);

package/dist/lib/target.js

@@ -13,6 +13,38 @@ import { existsSync, statSync } from 'node:fs';
 import { resolve } from 'node:path';
 export class TargetError extends Error {
 }
+/**
+ * Cheap HEAD request against github.com/<owner>/<repo> so an agent that
+ * confidently invented a repo URL ('warp' → 'warpdotdev/warp' that doesn't
+ * exist) gets a clean 'no such repo' error before we burn an audit-preview
+ * call + Claude credits. Returns:
+ *   · { exists: true }              — 2xx/3xx response (or rate-limited; we
+ *                                     allow through rather than false-flag)
+ *   · { exists: false, status: 404 } — repo missing, private, or renamed
+ *   · { exists: true, ambiguous: true } — network/CORS/transient failure;
+ *                                     don't block the audit, let the
+ *                                     server-side path produce its own error
+ */
+export async function verifyRemoteExists(githubUrl) {
+    if (!/^https?:\/\/github\.com\//i.test(githubUrl))
+        return { exists: true, ambiguous: true };
+    try {
+        const ctrl = new AbortController();
+        const t = setTimeout(() => ctrl.abort(), 5000);
+        const r = await fetch(githubUrl, {
+            method: 'HEAD',
+            redirect: 'follow',
+            signal: ctrl.signal,
+        });
+        clearTimeout(t);
+        if (r.status === 404)
+            return { exists: false, status: 404 };
+        return { exists: true, status: r.status };
+    }
+    catch {
+        return { exists: true, ambiguous: true };
+    }
+}
 const GITHUB_URL_RE = /^https?:\/\/github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;
 const GITHUB_HOST_RE = /^github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;
 const GITHUB_SSH_RE = /^git@github\.com:([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "commitshow",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "commit.show CLI — audit any vibe-coded project from your terminal.",
   "type": "module",
   "bin": {
@@ -23,15 +23,21 @@
     "commit.show",
     "audit",
     "vibe-coding",
-    "cli"
+    "cli",
+    "claude-code",
+    "cursor",
+    "code-quality",
+    "developer-tools"
   ],
   "author": "commit.show",
   "license": "MIT",
   "homepage": "https://commit.show",
   "repository": {
     "type": "git",
-    "url": "https://github.com/hans1329/vibe",
-    "directory": "packages/cli"
+    "url": "https://github.com/commitshow/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/commitshow/cli/issues"
   },
   "dependencies": {
     "kleur": "^4.1.5"