oss-signal 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+## 0.1.0
+
+- Initial CLI with Markdown and JSON output.
+- Added maintainer-readiness checks for community files, automation, and package hygiene.
+- Added tests and CI workflow.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 oss-signal contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,179 @@
+# oss-signal
+
+[![CI](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml/badge.svg)](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
+[![npm downloads](https://img.shields.io/npm/dm/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
+[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
+
+`oss-signal` is a dependency-light CLI for auditing open-source repository maintenance readiness.
+
+It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown or JSON.
+
+![oss-signal example output](docs/assets/terminal-report.svg)
+
+## Why
+
+Open-source projects often fail quietly because the maintainer workflow is undocumented. `oss-signal` gives maintainers a repeatable checklist they can run locally, in CI, or before asking contributors to help.
+
+## Use Cases
+
+- Maintainers can run it before publishing a new project.
+- Contributors can attach a report to a cleanup issue or pull request.
+- Teams can gate release readiness with `--fail-under`.
+- Foundations and working groups can compare repository hygiene across many projects.
+
+## Install
+
+```bash
+npm install --global oss-signal
+```
+
+For local development:
+
+```bash
+git clone https://github.com/SalmonPlays/oss-signal.git
+cd oss-signal
+npm install
+npm test
+```
+
+## Usage
+
+Audit the current directory:
+
+```bash
+oss-signal
+```
+
+Write a Markdown report:
+
+```bash
+oss-signal /path/to/repo --format markdown --output oss-signal-report.md
+```
+
+Use JSON in automation:
+
+```bash
+oss-signal . --format json --fail-under 80
+```
+
+Generate a report that can be attached to an issue:
+
+```bash
+oss-signal . --format markdown --output docs/maintainer-readiness.md
+```
+
+## Checks
+
+`oss-signal` currently checks:
+
+- Community files: README, license, contributing guide, security policy, code of conduct, changelog, support policy
+- Automation: CI workflows, tests, issue templates, pull request template, Dependabot, CodeQL or similar security workflow
+- Package hygiene: package metadata and lockfile presence
+
+See [docs/rules.md](docs/rules.md) for rule details and scoring weights.
+
+## Real Output
+
+This repository audits itself at **100/100 (A)**:
+
+```text
+Score: 100/100 (A)
+
+Summary:
+- Passed: 15
+- Failed: 0
+- Total checks: 15
+```
+
+See [docs/self-audit.md](docs/self-audit.md) for the full self-audit report.
+
+## Field Audits
+
+`oss-signal` has been run against public repositories to produce maintainer-readiness reports and respectful issue drafts:
+
+- [platformatic/massimo report](docs/outreach/platformatic-massimo-report.md) and [issue #159](https://github.com/platformatic/massimo/issues/159)
+- [supermarkt/checkjebon report](docs/outreach/supermarkt-checkjebon-report.md) and [issue #22](https://github.com/supermarkt/checkjebon/issues/22)
+- [sammorrisdesign/interactive-feed report](docs/outreach/sammorrisdesign-interactive-feed-report.md) and [issue #14](https://github.com/sammorrisdesign/interactive-feed/issues/14)
+
+See [docs/outreach](docs/outreach) for the reports and draft issue text. Drafts are not posted automatically; maintainers should only receive specific, useful, and respectful suggestions.
+
+## Example Recommendation Output
+
+```text
+Score: 86/100 (B)
+
+Recommended next steps:
+- Static security analysis: Add a CodeQL or equivalent security scanning workflow.
+- Support policy: Add SUPPORT.md describing where to ask questions.
+```
+
+See [docs/examples/minimal-repo-report.md](docs/examples/minimal-repo-report.md) for a small repository example with missing maintainer files.
+
+## Exit Codes
+
+By default, `oss-signal` exits with `0` after writing a report.
+
+When `--fail-under <score>` is provided, it exits with `1` if the score is below the threshold:
+
+```bash
+oss-signal . --fail-under 80
+```
+
+## CI
+
+Add this to a GitHub Actions workflow:
+
+```yaml
+- run: npx oss-signal . --fail-under 80
+```
+
+Full workflow example:
+
+```yaml
+name: Repository health
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  oss-signal:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - run: npx oss-signal . --format markdown --output oss-signal-report.md --fail-under 80
+      - uses: actions/upload-artifact@v4
+        with:
+          name: oss-signal-report
+          path: oss-signal-report.md
+```
+
+## Current Limitations
+
+- It inspects local files only; GitHub URL mode is on the roadmap.
+- It checks deterministic maintenance signals, not code quality.
+- A high score does not prove a project is important. It proves the maintainer workflow is documented and automatable.
+
+## Roadmap
+
+- GitHub API mode for public repository URLs
+- Ecosystem-specific profiles for Python, Rust, Go, and JavaScript packages
+- SARIF output for code scanning dashboards
+- Rules for release automation and provenance metadata
+
+## Contributing
+
+Contributions are welcome. Please read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request.
+
+## Security
+
+Please report security issues privately. See [SECURITY.md](SECURITY.md).
+
+## License
+
+MIT

package/docs/assets/terminal-report.svg

@@ -0,0 +1,22 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="920" height="520" viewBox="0 0 920 520" role="img" aria-labelledby="title desc">
+  <title id="title">oss-signal terminal output</title>
+  <desc id="desc">Example terminal output showing an OSS Signal repository health score of 100 out of 100.</desc>
+  <rect width="920" height="520" rx="18" fill="#0d1117"/>
+  <rect x="0" y="0" width="920" height="48" rx="18" fill="#161b22"/>
+  <circle cx="30" cy="24" r="7" fill="#ff5f56"/>
+  <circle cx="54" cy="24" r="7" fill="#ffbd2e"/>
+  <circle cx="78" cy="24" r="7" fill="#27c93f"/>
+  <text x="110" y="31" fill="#8b949e" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="14">oss-signal</text>
+  <text x="34" y="86" fill="#7ee787" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="16">$ oss-signal . --format markdown</text>
+  <text x="34" y="130" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="24" font-weight="700">OSS Signal Report</text>
+  <text x="34" y="174" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="18">Score: </text>
+  <text x="108" y="174" fill="#7ee787" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="18" font-weight="700">100/100 (A)</text>
+  <text x="34" y="222" fill="#8b949e" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">Summary</text>
+  <text x="34" y="252" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  README</text>
+  <text x="34" y="280" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  License</text>
+  <text x="34" y="308" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  Contributing guide</text>
+  <text x="34" y="336" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  Security policy</text>
+  <text x="34" y="364" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  Continuous integration</text>
+  <text x="34" y="392" fill="#f0f6fc" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="15">PASS  Tests</text>
+  <text x="34" y="442" fill="#7ee787" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="16">No missing checks. Keep the report current as the repository evolves.</text>
+</svg>

package/docs/examples/minimal-repo-report.md

@@ -0,0 +1,21 @@
+# Example Report: Minimal Repository
+
+This is representative output for a tiny repository that only has a README.
+
+```text
+Score: 12/100 (F)
+
+Summary:
+- Passed: 1
+- Failed: 14
+- Total checks: 15
+
+Recommended next steps:
+- Continuous integration (12 pts): Add a GitHub Actions workflow that runs linting and tests on pushes and pull requests.
+- License (10 pts): Add an OSI-approved license file such as MIT, Apache-2.0, BSD-3-Clause, or MPL-2.0.
+- Tests (10 pts): Add focused tests for public behavior and document the test command.
+- Contributing guide (9 pts): Add CONTRIBUTING.md with local setup, test commands, review expectations, and release notes guidance.
+- Security policy (9 pts): Add SECURITY.md with supported versions, reporting instructions, and response expectations.
+```
+
+The goal is not to shame small projects. The goal is to turn implicit maintainer expectations into a short, reviewable checklist.

package/docs/outreach/README.md

@@ -0,0 +1,20 @@
+# Field Audits
+
+This directory contains public-repository audit reports generated with `oss-signal`.
+
+These reports are examples of how maintainers or contributors can use the tool before opening a cleanup issue or pull request. They are based on local repository contents plus a manual check of GitHub community profile signals where needed.
+
+Important notes:
+
+- These projects are not affiliated with `oss-signal`.
+- A low score does not mean the project is low quality.
+- Missing files may be intentional or handled outside the repository.
+- Any external issue or pull request should be respectful, specific, and easy for the maintainer to close.
+
+## Audited Repositories
+
+| Repository | Local score | Draft | Posted issue |
+| --- | ---: | --- | --- |
+| `platformatic/massimo` | 58/100 | [issue draft](platformatic-massimo-issue-draft.md) | [#159](https://github.com/platformatic/massimo/issues/159) |
+| `supermarkt/checkjebon` | 21/100 | [issue draft](supermarkt-checkjebon-issue-draft.md) | [#22](https://github.com/supermarkt/checkjebon/issues/22) |
+| `sammorrisdesign/interactive-feed` | 31/100 | [issue draft](sammorrisdesign-interactive-feed-issue-draft.md) | [#14](https://github.com/sammorrisdesign/interactive-feed/issues/14) |

package/docs/outreach/platformatic-massimo-issue-draft.md

@@ -0,0 +1,24 @@
+# Issue Draft: platformatic/massimo
+
+Posted as [platformatic/massimo#159](https://github.com/platformatic/massimo/issues/159).
+
+Title:
+
+```text
+Add issue and pull request templates for contributor triage
+```
+
+Body:
+
+```markdown
+Hi maintainers. I ran a local maintainer-readiness audit with `oss-signal` against this repository and noticed two small GitHub workflow files that may help contributor triage:
+
+- `.github/ISSUE_TEMPLATE/bug_report.md`
+- `.github/PULL_REQUEST_TEMPLATE.md`
+
+GitHub's community profile endpoint shows this repository already has a README, license, contributing guide, and organization-level code of conduct, so this is not a broad cleanup request. The highest-signal next step looks like adding templates that ask for reproduction steps, expected behavior, test coverage, and release-note impact.
+
+I am happy to open a small PR with template files if that would be useful. If this is intentionally handled elsewhere, feel free to close.
+```
+
+Local report: [platformatic-massimo-report.md](platformatic-massimo-report.md)

package/docs/outreach/platformatic-massimo-report.md

@@ -0,0 +1,43 @@
+# OSS Signal Report
+
+Repository: `https://github.com/platformatic/massimo`
+Generated: 2026-06-01T05:32:40.366Z
+
+Score: **58/100** (F)
+
+## Summary
+
+- Passed: 7
+- Failed: 8
+- Total checks: 15
+
+## Checks
+
+| Status | Check | Why it matters |
+| --- | --- | --- |
+| PASS | README | A clear README is the front door for users and contributors. |
+| PASS | License | A license tells downstream users what they may legally do with the code. |
+| PASS | Contributing guide | Maintainers get better issues and pull requests when expectations are documented. |
+| FAIL | Security policy | Responsible disclosure needs a private, documented path. |
+| FAIL | Code of conduct | Community norms reduce ambiguity during difficult interactions. |
+| FAIL | Changelog | Users need a durable place to understand release impact. |
+| FAIL | Support policy | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
+| PASS | Continuous integration | CI catches regressions before maintainers merge changes. |
+| PASS | Tests | Tests make review safer and lower the cost of outside contributions. |
+| FAIL | Issue templates | Issue templates collect the facts maintainers need to reproduce and triage. |
+| FAIL | Pull request template | PR templates nudge contributors to include tests, docs, and review context. |
+| FAIL | Dependency update automation | Automated dependency updates reduce security and compatibility drift. |
+| FAIL | Static security analysis | Static analysis finds common vulnerability patterns before releases. |
+| PASS | Node package metadata | Package metadata makes installation, testing, and release automation discoverable. |
+| PASS | Dependency lockfile | Lockfiles make CI and contributor setup reproducible. |
+
+## Recommended Next Steps
+
+- **Security policy** (9 pts): Add SECURITY.md with supported versions, reporting instructions, and response expectations.
+- **Code of conduct** (6 pts): Add CODE_OF_CONDUCT.md, for example the Contributor Covenant.
+- **Changelog** (6 pts): Keep CHANGELOG.md with dated release entries and migration notes.
+- **Issue templates** (5 pts): Add bug report and feature request templates under .github/ISSUE_TEMPLATE/.
+- **Pull request template** (5 pts): Add .github/PULL_REQUEST_TEMPLATE.md with a short checklist.
+- **Dependency update automation** (5 pts): Add .github/dependabot.yml for the package ecosystems used in the repository.
+- **Support policy** (4 pts): Add SUPPORT.md describing where to ask questions, what is in scope, and expected response times.
+- **Static security analysis** (4 pts): Add a CodeQL or equivalent security scanning workflow.

package/docs/outreach/sammorrisdesign-interactive-feed-issue-draft.md

@@ -0,0 +1,28 @@
+# Issue Draft: sammorrisdesign/interactive-feed
+
+Posted as [sammorrisdesign/interactive-feed#14](https://github.com/sammorrisdesign/interactive-feed/issues/14).
+
+Title:
+
+```text
+Clarify license and contributor workflow
+```
+
+Body:
+
+```markdown
+Hi maintainers. I ran a local maintainer-readiness audit with `oss-signal` and noticed that GitHub's community profile does not currently detect a license file for this repository.
+
+Because license choice has to come from the maintainer, I do not want to guess one in a PR. It may be worth adding an explicit `LICENSE` file if you intend others to reuse, fork, or contribute to the project.
+
+The same audit also flagged a few optional maintainer-workflow files that could help if you want outside contributions:
+
+- `CONTRIBUTING.md`
+- `SECURITY.md`
+- `.github/ISSUE_TEMPLATE/bug_report.md`
+- `.github/PULL_REQUEST_TEMPLATE.md`
+
+I can open a small PR for the non-license templates if that would be useful. If this project is not intended for outside contribution, feel free to close.
+```
+
+Local report: [sammorrisdesign-interactive-feed-report.md](sammorrisdesign-interactive-feed-report.md)

package/docs/outreach/sammorrisdesign-interactive-feed-report.md

@@ -0,0 +1,46 @@
+# OSS Signal Report
+
+Repository: `https://github.com/sammorrisdesign/interactive-feed`
+Generated: 2026-06-01T05:32:40.592Z
+
+Score: **31/100** (F)
+
+## Summary
+
+- Passed: 4
+- Failed: 11
+- Total checks: 15
+
+## Checks
+
+| Status | Check | Why it matters |
+| --- | --- | --- |
+| PASS | README | A clear README is the front door for users and contributors. |
+| FAIL | License | A license tells downstream users what they may legally do with the code. |
+| FAIL | Contributing guide | Maintainers get better issues and pull requests when expectations are documented. |
+| FAIL | Security policy | Responsible disclosure needs a private, documented path. |
+| FAIL | Code of conduct | Community norms reduce ambiguity during difficult interactions. |
+| FAIL | Changelog | Users need a durable place to understand release impact. |
+| FAIL | Support policy | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
+| PASS | Continuous integration | CI catches regressions before maintainers merge changes. |
+| FAIL | Tests | Tests make review safer and lower the cost of outside contributions. |
+| FAIL | Issue templates | Issue templates collect the facts maintainers need to reproduce and triage. |
+| FAIL | Pull request template | PR templates nudge contributors to include tests, docs, and review context. |
+| FAIL | Dependency update automation | Automated dependency updates reduce security and compatibility drift. |
+| FAIL | Static security analysis | Static analysis finds common vulnerability patterns before releases. |
+| PASS | Node package metadata | Package metadata makes installation, testing, and release automation discoverable. |
+| PASS | Dependency lockfile | Lockfiles make CI and contributor setup reproducible. |
+
+## Recommended Next Steps
+
+- **License** (10 pts): Add an OSI-approved license file such as MIT, Apache-2.0, BSD-3-Clause, or MPL-2.0.
+- **Tests** (10 pts): Add focused tests for public behavior and document the test command.
+- **Contributing guide** (9 pts): Add CONTRIBUTING.md with local setup, test commands, review expectations, and release notes guidance.
+- **Security policy** (9 pts): Add SECURITY.md with supported versions, reporting instructions, and response expectations.
+- **Code of conduct** (6 pts): Add CODE_OF_CONDUCT.md, for example the Contributor Covenant.
+- **Changelog** (6 pts): Keep CHANGELOG.md with dated release entries and migration notes.
+- **Issue templates** (5 pts): Add bug report and feature request templates under .github/ISSUE_TEMPLATE/.
+- **Pull request template** (5 pts): Add .github/PULL_REQUEST_TEMPLATE.md with a short checklist.
+- **Dependency update automation** (5 pts): Add .github/dependabot.yml for the package ecosystems used in the repository.
+- **Support policy** (4 pts): Add SUPPORT.md describing where to ask questions, what is in scope, and expected response times.
+- **Static security analysis** (4 pts): Add a CodeQL or equivalent security scanning workflow.

package/docs/outreach/supermarkt-checkjebon-issue-draft.md

@@ -0,0 +1,26 @@
+# Issue Draft: supermarkt/checkjebon
+
+Posted as [supermarkt/checkjebon#22](https://github.com/supermarkt/checkjebon/issues/22).
+
+Title:
+
+```text
+Document contributor and security reporting workflow
+```
+
+Body:
+
+```markdown
+Hi maintainers. I ran a local maintainer-readiness audit with `oss-signal` and noticed a few lightweight repository-health files that could make future contributions easier to triage:
+
+- `CONTRIBUTING.md` for local setup, tests, and review expectations
+- `SECURITY.md` for private vulnerability reporting
+- `.github/ISSUE_TEMPLATE/bug_report.md` for reproducible bug reports
+- `.github/PULL_REQUEST_TEMPLATE.md` for test and docs checklists
+
+GitHub's community profile already detects the README and license, so this would mainly document maintainer workflow rather than change product code.
+
+I can open a focused PR with starter templates if that would be welcome. If these files are intentionally omitted, no problem; feel free to close.
+```
+
+Local report: [supermarkt-checkjebon-report.md](supermarkt-checkjebon-report.md)

package/docs/outreach/supermarkt-checkjebon-report.md

@@ -0,0 +1,48 @@
+# OSS Signal Report
+
+Repository: `https://github.com/supermarkt/checkjebon`
+Generated: 2026-06-01T05:32:40.484Z
+
+Score: **21/100** (F)
+
+## Summary
+
+- Passed: 2
+- Failed: 13
+- Total checks: 15
+
+## Checks
+
+| Status | Check | Why it matters |
+| --- | --- | --- |
+| PASS | README | A clear README is the front door for users and contributors. |
+| PASS | License | A license tells downstream users what they may legally do with the code. |
+| FAIL | Contributing guide | Maintainers get better issues and pull requests when expectations are documented. |
+| FAIL | Security policy | Responsible disclosure needs a private, documented path. |
+| FAIL | Code of conduct | Community norms reduce ambiguity during difficult interactions. |
+| FAIL | Changelog | Users need a durable place to understand release impact. |
+| FAIL | Support policy | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
+| FAIL | Continuous integration | CI catches regressions before maintainers merge changes. |
+| FAIL | Tests | Tests make review safer and lower the cost of outside contributions. |
+| FAIL | Issue templates | Issue templates collect the facts maintainers need to reproduce and triage. |
+| FAIL | Pull request template | PR templates nudge contributors to include tests, docs, and review context. |
+| FAIL | Dependency update automation | Automated dependency updates reduce security and compatibility drift. |
+| FAIL | Static security analysis | Static analysis finds common vulnerability patterns before releases. |
+| FAIL | Node package metadata | Package metadata makes installation, testing, and release automation discoverable. |
+| FAIL | Dependency lockfile | Lockfiles make CI and contributor setup reproducible. |
+
+## Recommended Next Steps
+
+- **Continuous integration** (12 pts): Add a GitHub Actions workflow that runs linting and tests on pushes and pull requests.
+- **Tests** (10 pts): Add focused tests for public behavior and document the test command.
+- **Contributing guide** (9 pts): Add CONTRIBUTING.md with local setup, test commands, review expectations, and release notes guidance.
+- **Security policy** (9 pts): Add SECURITY.md with supported versions, reporting instructions, and response expectations.
+- **Code of conduct** (6 pts): Add CODE_OF_CONDUCT.md, for example the Contributor Covenant.
+- **Changelog** (6 pts): Keep CHANGELOG.md with dated release entries and migration notes.
+- **Issue templates** (5 pts): Add bug report and feature request templates under .github/ISSUE_TEMPLATE/.
+- **Pull request template** (5 pts): Add .github/PULL_REQUEST_TEMPLATE.md with a short checklist.
+- **Dependency update automation** (5 pts): Add .github/dependabot.yml for the package ecosystems used in the repository.
+- **Node package metadata** (5 pts): Add package.json with name, description, license, scripts, repository, and engines fields.
+- **Support policy** (4 pts): Add SUPPORT.md describing where to ask questions, what is in scope, and expected response times.
+- **Static security analysis** (4 pts): Add a CodeQL or equivalent security scanning workflow.
+- **Dependency lockfile** (4 pts): Commit the lockfile for application-style projects, or document why this library intentionally omits one.

package/docs/rules.md

@@ -0,0 +1,43 @@
+# Rules
+
+`oss-signal` uses weighted checks. Missing high-weight items are the most likely to increase maintainer load or create downstream risk.
+
+## Community Files
+
+| Rule | Weight | Signal |
+| --- | ---: | --- |
+| README | 12 | `README.md` or `README` |
+| License | 10 | `LICENSE`, `LICENSE.md`, or `COPYING` |
+| Contributing guide | 9 | `CONTRIBUTING.md`, `.github/CONTRIBUTING.md`, or `docs/CONTRIBUTING.md` |
+| Security policy | 9 | `SECURITY.md` or `.github/SECURITY.md` |
+| Code of conduct | 6 | `CODE_OF_CONDUCT.md` or `.github/CODE_OF_CONDUCT.md` |
+| Changelog | 6 | `CHANGELOG.md`, `HISTORY.md`, or `RELEASES.md` |
+| Support policy | 4 | `SUPPORT.md` or `.github/SUPPORT.md` |
+
+## Automation
+
+| Rule | Weight | Signal |
+| --- | ---: | --- |
+| Continuous integration | 12 | Any YAML workflow under `.github/workflows/` |
+| Tests | 10 | Common test directories or `*.test.*` / `*.spec.*` files |
+| Issue templates | 5 | `.github/ISSUE_TEMPLATE/` or `.github/ISSUE_TEMPLATE.md` |
+| Pull request template | 5 | `.github/PULL_REQUEST_TEMPLATE.md` or `PULL_REQUEST_TEMPLATE.md` |
+| Dependency update automation | 5 | `.github/dependabot.yml` or `.github/dependabot.yaml` |
+| Static security analysis | 4 | Workflow filename containing `codeql` or `security` |
+
+## Package Hygiene
+
+| Rule | Weight | Signal |
+| --- | ---: | --- |
+| Node package metadata | 5 | `package.json` |
+| Dependency lockfile | 4 | Common lockfiles such as `package-lock.json`, `pnpm-lock.yaml`, `poetry.lock`, `Cargo.lock`, or `go.sum` |
+
+## Scoring
+
+The score is the percentage of available weighted points that pass. Grades are:
+
+- A: 90-100
+- B: 80-89
+- C: 70-79
+- D: 60-69
+- F: below 60

package/docs/self-audit.md

@@ -0,0 +1,37 @@
+# OSS Signal Report
+
+Repository: `/Users/amon/Documents/Codex/2026-06-01/openai-s/outputs/oss-signal`
+Generated: 2026-06-02T01:40:56.294Z
+
+Score: **100/100** (A)
+
+## Summary
+
+- Passed: 15
+- Failed: 0
+- Total checks: 15
+
+## Checks
+
+| Status | Check | Why it matters |
+| --- | --- | --- |
+| PASS | README | A clear README is the front door for users and contributors. |
+| PASS | License | A license tells downstream users what they may legally do with the code. |
+| PASS | Contributing guide | Maintainers get better issues and pull requests when expectations are documented. |
+| PASS | Security policy | Responsible disclosure needs a private, documented path. |
+| PASS | Code of conduct | Community norms reduce ambiguity during difficult interactions. |
+| PASS | Changelog | Users need a durable place to understand release impact. |
+| PASS | Support policy | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
+| PASS | Continuous integration | CI catches regressions before maintainers merge changes. |
+| PASS | Tests | Tests make review safer and lower the cost of outside contributions. |
+| PASS | Issue templates | Issue templates collect the facts maintainers need to reproduce and triage. |
+| PASS | Pull request template | PR templates nudge contributors to include tests, docs, and review context. |
+| PASS | Dependency update automation | Automated dependency updates reduce security and compatibility drift. |
+| PASS | Static security analysis | Static analysis finds common vulnerability patterns before releases. |
+| PASS | Node package metadata | Package metadata makes installation, testing, and release automation discoverable. |
+| PASS | Dependency lockfile | Lockfiles make CI and contributor setup reproducible. |
+
+## Recommended Next Steps
+
+No missing checks. Keep the report current as the repository evolves.
+

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "oss-signal",
+  "version": "0.1.0",
+  "description": "A dependency-light CLI that audits open-source repository maintenance readiness.",
+  "type": "module",
+  "bin": {
+    "oss-signal": "./src/cli.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/SalmonPlays/oss-signal.git"
+  },
+  "bugs": {
+    "url": "https://github.com/SalmonPlays/oss-signal/issues"
+  },
+  "homepage": "https://github.com/SalmonPlays/oss-signal#readme",
+  "files": [
+    "src",
+    "docs",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "test": "node --test",
+    "lint": "node --check src/*.js test/*.test.js",
+    "audit:self": "node src/cli.js . --format markdown --output docs/self-audit.md",
+    "audit:check": "node src/cli.js . --format json --fail-under 100 > /dev/null",
+    "check": "npm run lint && npm test && npm run audit:check",
+    "prepublishOnly": "npm run check"
+  },
+  "keywords": [
+    "open-source",
+    "maintainer",
+    "audit",
+    "repository",
+    "cli"
+  ],
+  "author": "SalmonPlays",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}

package/src/cli.js

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+import { promises as fs } from "node:fs";
+import { auditRepository, renderMarkdown } from "./index.js";
+
+const VERSION = "0.1.0";
+
+async function main(argv) {
+  const options = parseArgs(argv);
+
+  if (options.help) {
+    process.stdout.write(helpText());
+    return;
+  }
+  if (options.version) {
+    process.stdout.write(`${VERSION}\n`);
+    return;
+  }
+
+  const report = await auditRepository(options.path, { maxFiles: options.maxFiles });
+  const body = options.format === "json" ? `${JSON.stringify(report, null, 2)}\n` : renderMarkdown(report);
+
+  if (options.output) {
+    await fs.writeFile(options.output, body, "utf8");
+  } else {
+    process.stdout.write(body);
+  }
+
+  if (typeof options.failUnder === "number" && report.score < options.failUnder) {
+    process.stderr.write(`oss-signal: score ${report.score} is below --fail-under ${options.failUnder}\n`);
+    process.exitCode = 1;
+  }
+}
+
+function parseArgs(argv) {
+  const options = {
+    path: ".",
+    format: "markdown",
+    output: undefined,
+    failUnder: undefined,
+    maxFiles: 20000,
+    help: false,
+    version: false
+  };
+
+  const positionals = [];
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === "--help" || arg === "-h") {
+      options.help = true;
+    } else if (arg === "--version" || arg === "-v") {
+      options.version = true;
+    } else if (arg === "--format") {
+      options.format = requireValue(argv, ++index, "--format");
+    } else if (arg.startsWith("--format=")) {
+      options.format = arg.slice("--format=".length);
+    } else if (arg === "--output" || arg === "-o") {
+      options.output = requireValue(argv, ++index, arg);
+    } else if (arg.startsWith("--output=")) {
+      options.output = arg.slice("--output=".length);
+    } else if (arg === "--fail-under") {
+      options.failUnder = parseNumber(requireValue(argv, ++index, "--fail-under"), "--fail-under");
+    } else if (arg.startsWith("--fail-under=")) {
+      options.failUnder = parseNumber(arg.slice("--fail-under=".length), "--fail-under");
+    } else if (arg === "--max-files") {
+      options.maxFiles = parseNumber(requireValue(argv, ++index, "--max-files"), "--max-files");
+    } else if (arg.startsWith("--max-files=")) {
+      options.maxFiles = parseNumber(arg.slice("--max-files=".length), "--max-files");
+    } else if (arg.startsWith("-")) {
+      throw new Error(`Unknown option: ${arg}`);
+    } else {
+      positionals.push(arg);
+    }
+  }
+
+  if (positionals.length > 1) {
+    throw new Error(`Expected at most one repository path, got ${positionals.length}`);
+  }
+  if (positionals.length === 1) {
+    options.path = positionals[0];
+  }
+  if (!["markdown", "json"].includes(options.format)) {
+    throw new Error("--format must be either markdown or json");
+  }
+  return options;
+}
+
+function requireValue(argv, index, optionName) {
+  const value = argv[index];
+  if (!value || value.startsWith("-")) {
+    throw new Error(`${optionName} requires a value`);
+  }
+  return value;
+}
+
+function parseNumber(value, optionName) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) {
+    throw new Error(`${optionName} must be a number`);
+  }
+  return parsed;
+}
+
+function helpText() {
+  return `oss-signal audits open-source repository maintenance readiness.
+
+Usage:
+  oss-signal [path] [--format markdown|json] [--output file] [--fail-under score]
+
+Options:
+  --format       Output format. Defaults to markdown.
+  --output, -o   Write the report to a file instead of stdout.
+  --fail-under   Exit with code 1 when the score is below this value.
+  --max-files    Maximum files to inspect. Defaults to 20000.
+  --version, -v  Show the CLI version.
+  --help, -h     Show this help message.
+`;
+}
+
+main(process.argv.slice(2)).catch((error) => {
+  process.stderr.write(`oss-signal: ${error.message}\n`);
+  process.exitCode = 1;
+});

package/src/index.js

@@ -0,0 +1,326 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+
+const COMMUNITY_FILES = [
+  {
+    id: "readme",
+    label: "README",
+    weight: 12,
+    paths: ["README.md", "README"],
+    why: "A clear README is the front door for users and contributors.",
+    fix: "Add setup, usage, contribution, support, and project status sections to README.md."
+  },
+  {
+    id: "license",
+    label: "License",
+    weight: 10,
+    paths: ["LICENSE", "LICENSE.md", "COPYING"],
+    why: "A license tells downstream users what they may legally do with the code.",
+    fix: "Add an OSI-approved license file such as MIT, Apache-2.0, BSD-3-Clause, or MPL-2.0."
+  },
+  {
+    id: "contributing",
+    label: "Contributing guide",
+    weight: 9,
+    paths: ["CONTRIBUTING.md", ".github/CONTRIBUTING.md", "docs/CONTRIBUTING.md"],
+    why: "Maintainers get better issues and pull requests when expectations are documented.",
+    fix: "Add CONTRIBUTING.md with local setup, test commands, review expectations, and release notes guidance."
+  },
+  {
+    id: "security",
+    label: "Security policy",
+    weight: 9,
+    paths: ["SECURITY.md", ".github/SECURITY.md"],
+    why: "Responsible disclosure needs a private, documented path.",
+    fix: "Add SECURITY.md with supported versions, reporting instructions, and response expectations."
+  },
+  {
+    id: "code-of-conduct",
+    label: "Code of conduct",
+    weight: 6,
+    paths: ["CODE_OF_CONDUCT.md", ".github/CODE_OF_CONDUCT.md"],
+    why: "Community norms reduce ambiguity during difficult interactions.",
+    fix: "Add CODE_OF_CONDUCT.md, for example the Contributor Covenant."
+  },
+  {
+    id: "changelog",
+    label: "Changelog",
+    weight: 6,
+    paths: ["CHANGELOG.md", "HISTORY.md", "RELEASES.md"],
+    why: "Users need a durable place to understand release impact.",
+    fix: "Keep CHANGELOG.md with dated release entries and migration notes."
+  },
+  {
+    id: "support",
+    label: "Support policy",
+    weight: 4,
+    paths: ["SUPPORT.md", ".github/SUPPORT.md"],
+    why: "Support boundaries help maintainers avoid turning every request into unpaid consulting.",
+    fix: "Add SUPPORT.md describing where to ask questions, what is in scope, and expected response times."
+  }
+];
+
+const AUTOMATION_FILES = [
+  {
+    id: "ci",
+    label: "Continuous integration",
+    weight: 12,
+    matcher: (tree) => tree.some((file) => file.startsWith(".github/workflows/") && /\.ya?ml$/i.test(file)),
+    why: "CI catches regressions before maintainers merge changes.",
+    fix: "Add a GitHub Actions workflow that runs linting and tests on pushes and pull requests."
+  },
+  {
+    id: "tests",
+    label: "Tests",
+    weight: 10,
+    matcher: (tree) => tree.some((file) => /(^|\/)(test|tests|spec|__tests__)\//i.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/i.test(file)),
+    why: "Tests make review safer and lower the cost of outside contributions.",
+    fix: "Add focused tests for public behavior and document the test command."
+  },
+  {
+    id: "issue-templates",
+    label: "Issue templates",
+    weight: 5,
+    matcher: (tree) => tree.some((file) => file.startsWith(".github/ISSUE_TEMPLATE/") || file === ".github/ISSUE_TEMPLATE.md"),
+    why: "Issue templates collect the facts maintainers need to reproduce and triage.",
+    fix: "Add bug report and feature request templates under .github/ISSUE_TEMPLATE/."
+  },
+  {
+    id: "pull-request-template",
+    label: "Pull request template",
+    weight: 5,
+    matcher: (tree) => tree.includes(".github/PULL_REQUEST_TEMPLATE.md") || tree.includes("PULL_REQUEST_TEMPLATE.md"),
+    why: "PR templates nudge contributors to include tests, docs, and review context.",
+    fix: "Add .github/PULL_REQUEST_TEMPLATE.md with a short checklist."
+  },
+  {
+    id: "dependabot",
+    label: "Dependency update automation",
+    weight: 5,
+    matcher: (tree) => tree.includes(".github/dependabot.yml") || tree.includes(".github/dependabot.yaml"),
+    why: "Automated dependency updates reduce security and compatibility drift.",
+    fix: "Add .github/dependabot.yml for the package ecosystems used in the repository."
+  },
+  {
+    id: "codeql",
+    label: "Static security analysis",
+    weight: 4,
+    matcher: (tree) => tree.some((file) => file.startsWith(".github/workflows/") && /codeql|security/i.test(file)),
+    why: "Static analysis finds common vulnerability patterns before releases.",
+    fix: "Add a CodeQL or equivalent security scanning workflow."
+  }
+];
+
+const PACKAGE_FILES = [
+  {
+    id: "package-json",
+    label: "Node package metadata",
+    weight: 5,
+    matcher: (tree) => tree.includes("package.json"),
+    why: "Package metadata makes installation, testing, and release automation discoverable.",
+    fix: "Add package.json with name, description, license, scripts, repository, and engines fields."
+  },
+  {
+    id: "lockfile",
+    label: "Dependency lockfile",
+    weight: 4,
+    matcher: (tree) => tree.some((file) => ["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "uv.lock", "poetry.lock", "Pipfile.lock", "Cargo.lock", "go.sum"].includes(file)),
+    why: "Lockfiles make CI and contributor setup reproducible.",
+    fix: "Commit the lockfile for application-style projects, or document why this library intentionally omits one."
+  }
+];
+
+const DEFAULT_IGNORE_DIRS = new Set([
+  ".git",
+  "node_modules",
+  "vendor",
+  "dist",
+  "build",
+  "coverage",
+  ".next",
+  ".turbo",
+  ".venv",
+  "__pycache__"
+]);
+
+export async function auditRepository(root, options = {}) {
+  const absoluteRoot = path.resolve(root ?? ".");
+  const tree = await listRepositoryFiles(absoluteRoot, options);
+  const fileSet = new Set(tree);
+  const checks = [
+    ...COMMUNITY_FILES.map((rule) => checkPathRule(rule, fileSet)),
+    ...AUTOMATION_FILES.map((rule) => checkMatcherRule(rule, tree)),
+    ...PACKAGE_FILES.map((rule) => checkMatcherRule(rule, tree))
+  ];
+
+  const totalWeight = checks.reduce((sum, check) => sum + check.weight, 0);
+  const earnedWeight = checks.filter((check) => check.passed).reduce((sum, check) => sum + check.weight, 0);
+  const score = totalWeight === 0 ? 0 : Math.round((earnedWeight / totalWeight) * 100);
+
+  return {
+    tool: "oss-signal",
+    version: "0.1.0",
+    root: absoluteRoot,
+    generatedAt: new Date().toISOString(),
+    score,
+    grade: gradeForScore(score),
+    summary: summarizeChecks(checks),
+    checks,
+    recommendations: checks
+      .filter((check) => !check.passed)
+      .sort((a, b) => b.weight - a.weight)
+      .map(({ id, label, weight, why, fix }) => ({ id, label, weight, why, fix }))
+  };
+}
+
+export function renderMarkdown(report) {
+  const lines = [
+    "# OSS Signal Report",
+    "",
+    `Repository: \`${report.root}\``,
+    `Generated: ${report.generatedAt}`,
+    "",
+    `Score: **${report.score}/100** (${report.grade})`,
+    "",
+    "## Summary",
+    "",
+    `- Passed: ${report.summary.passed}`,
+    `- Failed: ${report.summary.failed}`,
+    `- Total checks: ${report.summary.total}`,
+    "",
+    "## Checks",
+    "",
+    "| Status | Check | Why it matters |",
+    "| --- | --- | --- |"
+  ];
+
+  for (const check of report.checks) {
+    lines.push(`| ${check.passed ? "PASS" : "FAIL"} | ${escapeTable(check.label)} | ${escapeTable(check.why)} |`);
+  }
+
+  lines.push("", "## Recommended Next Steps", "");
+  if (report.recommendations.length === 0) {
+    lines.push("No missing checks. Keep the report current as the repository evolves.");
+  } else {
+    for (const recommendation of report.recommendations) {
+      lines.push(`- **${recommendation.label}** (${recommendation.weight} pts): ${recommendation.fix}`);
+    }
+  }
+
+  lines.push("");
+  return `${lines.join("\n")}\n`;
+}
+
+export async function listRepositoryFiles(root, options = {}) {
+  const maxFiles = options.maxFiles ?? 20000;
+  const files = [];
+
+  async function walk(currentDir, relativeDir = "") {
+    if (files.length >= maxFiles) {
+      return;
+    }
+
+    let entries;
+    try {
+      entries = await fs.readdir(currentDir, { withFileTypes: true });
+    } catch (error) {
+      if (error.code === "EACCES" || error.code === "ENOENT") {
+        return;
+      }
+      throw error;
+    }
+
+    entries.sort((a, b) => a.name.localeCompare(b.name));
+
+    for (const entry of entries) {
+      if (files.length >= maxFiles) {
+        return;
+      }
+      const relativePath = path.posix.join(relativeDir, entry.name);
+      const fullPath = path.join(currentDir, entry.name);
+
+      if (entry.isDirectory()) {
+        if (!DEFAULT_IGNORE_DIRS.has(entry.name)) {
+          await walk(fullPath, relativePath);
+        }
+      } else if (entry.isFile()) {
+        files.push(relativePath);
+      }
+    }
+  }
+
+  await walk(root);
+  return files;
+}
+
+function checkPathRule(rule, fileSet) {
+  const matchedPath = rule.paths.find((candidate) => fileSet.has(candidate));
+  return {
+    id: rule.id,
+    label: rule.label,
+    weight: rule.weight,
+    passed: Boolean(matchedPath),
+    evidence: matchedPath ? [matchedPath] : [],
+    why: rule.why,
+    fix: rule.fix
+  };
+}
+
+function checkMatcherRule(rule, tree) {
+  const passed = rule.matcher(tree);
+  return {
+    id: rule.id,
+    label: rule.label,
+    weight: rule.weight,
+    passed,
+    evidence: passed ? findEvidence(rule.id, tree) : [],
+    why: rule.why,
+    fix: rule.fix
+  };
+}
+
+function findEvidence(id, tree) {
+  if (id === "ci" || id === "codeql") {
+    return tree.filter((file) => file.startsWith(".github/workflows/")).slice(0, 5);
+  }
+  if (id === "tests") {
+    return tree.filter((file) => /(^|\/)(test|tests|spec|__tests__)\//i.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/i.test(file)).slice(0, 5);
+  }
+  if (id === "issue-templates") {
+    return tree.filter((file) => file.startsWith(".github/ISSUE_TEMPLATE/") || file === ".github/ISSUE_TEMPLATE.md").slice(0, 5);
+  }
+  if (id === "pull-request-template") {
+    return tree.filter((file) => file === ".github/PULL_REQUEST_TEMPLATE.md" || file === "PULL_REQUEST_TEMPLATE.md").slice(0, 5);
+  }
+  if (id === "dependabot") {
+    return tree.filter((file) => file === ".github/dependabot.yml" || file === ".github/dependabot.yaml").slice(0, 5);
+  }
+  if (id === "package-json") {
+    return tree.includes("package.json") ? ["package.json"] : [];
+  }
+  if (id === "lockfile") {
+    return tree.filter((file) => ["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "uv.lock", "poetry.lock", "Pipfile.lock", "Cargo.lock", "go.sum"].includes(file)).slice(0, 5);
+  }
+  return [];
+}
+
+function summarizeChecks(checks) {
+  const passed = checks.filter((check) => check.passed).length;
+  return {
+    total: checks.length,
+    passed,
+    failed: checks.length - passed
+  };
+}
+
+function gradeForScore(score) {
+  if (score >= 90) return "A";
+  if (score >= 80) return "B";
+  if (score >= 70) return "C";
+  if (score >= 60) return "D";
+  return "F";
+}
+
+function escapeTable(value) {
+  return String(value).replaceAll("|", "\\|");
+}