periderm-cli 0.1.0

package/README.md

@@ -0,0 +1,13 @@
+# periderm
+
+A pre-launch checklist for every project.
+
+```bash
+periderm scan          # scan current directory, print verdict, write .periderm/last-report.md
+periderm scan --upload # also push to dashboard
+periderm watch         # rerun on file change
+periderm login         # authenticate the CLI
+periderm whoami        # show current token + plan
+```
+
+See full install + usage at the project `/docs` page.

package/dist/api.js

@@ -0,0 +1,60 @@
+import { readConfig } from "./config.js";
+export async function verifyToken(token) {
+    const { apiUrl } = readConfig();
+    try {
+        const res = await fetch(`${apiUrl}/api/public/verify-token`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ token }),
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            let errorStr = "Unknown server error";
+            try {
+                const json = JSON.parse(text);
+                if (json.error)
+                    errorStr = json.error;
+            }
+            catch {
+                errorStr = text.includes("<!") ? "Server returned an HTML error page." : text.slice(0, 100);
+            }
+            return { valid: false, error: `HTTP ${res.status}: ${errorStr}` };
+        }
+        return (await res.json());
+    }
+    catch (e) {
+        return { valid: false, error: e.message || "Failed to reach server" };
+    }
+}
+export async function uploadScan(token, result) {
+    const { apiUrl } = readConfig();
+    try {
+        const res = await fetch(`${apiUrl}/api/public/scan`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "x-periderm-token": token,
+            },
+            body: JSON.stringify({
+                project_name: result.projectName,
+                score: result.score,
+                reality_score: result.scores.reality,
+                perceived_score: result.scores.perceived,
+                verdict: result.verdict,
+                critical_count: result.counts.critical,
+                high_count: result.counts.high,
+                medium_count: result.counts.medium,
+                low_count: result.counts.low,
+                findings: result.findings,
+                markdown_report: result.markdown,
+            }),
+        });
+        if (!res.ok) {
+            return { error: `${res.status} ${await res.text()}` };
+        }
+        return (await res.json());
+    }
+    catch (e) {
+        return { error: e.message || "Network error: failed to reach server" };
+    }
+}

package/dist/config.js

@@ -0,0 +1,27 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import dotenv from "dotenv";
+// Try to load .env from the current working directory (useful for local development)
+dotenv.config({ path: path.resolve(process.cwd(), ".env") });
+const CONFIG_DIR = path.join(os.homedir(), ".periderm");
+const CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
+// Read API URL purely from environment variables (local .env or Vercel config)
+const DEFAULT_API_URL = process.env.PERIDERM_API_URL;
+export function readConfig() {
+    try {
+        if (fs.existsSync(CONFIG_FILE)) {
+            const raw = JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8"));
+            return { apiUrl: raw.apiUrl || DEFAULT_API_URL, token: raw.token };
+        }
+    }
+    catch (e) {
+        console.error("[periderm] Failed to read config file — using defaults.", e);
+        return { apiUrl: DEFAULT_API_URL };
+    }
+    return { apiUrl: DEFAULT_API_URL };
+}
+export function writeConfig(cfg) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+}

package/dist/constants.js

@@ -0,0 +1,10 @@
+export const PERIDERM_ASCII = String.raw ` 
+ /$$$$$$$                     /$$       /$$                                  
+| $$__  $$                   |__/      | $$                                  
+| $$  \ $$ /$$$$$$   /$$$$$$  /$$  /$$$$$$$  /$$$$$$   /$$$$$$  /$$$$$$/$$$$ 
+| $$$$$$$//$$__  $$ /$$__  $$| $$ /$$__  $$ /$$__  $$ /$$__  $$| $$_  $$_  $$
+| $$____/| $$$$$$$$| $$  \__/| $$| $$  | $$| $$$$$$$$| $$  \__/| $$ \ $$ \ $$
+| $$     | $$_____/| $$      | $$| $$  | $$| $$_____/| $$      | $$ | $$ | $$
+| $$     |  $$$$$$$| $$      | $$|  $$$$$$$|  $$$$$$$| $$      | $$ | $$ | $$
+|__/      \_______/|__/      |__/ \_______/ \_______/|__/      |__/ |__/ |__/
+`;

package/dist/index.js

@@ -0,0 +1,406 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import chalk from "chalk";
+import fs from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+import open from "open";
+import { scan } from "./scanner/index.js";
+import { runDeepReview } from "./review/deep.js";
+import { printTerminal } from "./report/terminal.js";
+import { readConfig, writeConfig } from "./config.js";
+import { verifyToken, uploadScan } from "./api.js";
+import http from "node:http";
+import ora from "ora";
+import { PERIDERM_ASCII } from "./constants.js";
+import { PRE_SCAN_MESSAGES, UPLOAD_MESSAGES, startRotatingMessages, finishRotatingMessages } from "./loading-messages.js";
+import { formatScanPath } from "./scanner/progress.js";
+const program = new Command();
+program
+    .name("periderm")
+    .description("A pre-launch checklist.")
+    .version("0.1.0");
+program
+    .command("scan")
+    .description("Scan the current directory and write a markdown report.")
+    .option("--upload", "Upload the scan to your Periderm dashboard")
+    .option("--cwd <dir>", "Directory to scan", process.cwd())
+    .action(async (opts) => {
+    const root = path.resolve(opts.cwd);
+    const cfg = readConfig();
+    if (!cfg.token) {
+        console.error(chalk.red("Error: You must be logged in to scan. Run `periderm login` first."));
+        process.exit(1);
+    }
+    const verifySpinner = ora({ text: PRE_SCAN_MESSAGES[0], color: "cyan" }).start();
+    const verifyStarted = Date.now();
+    const stopRotating = startRotatingMessages(verifySpinner, PRE_SCAN_MESSAGES);
+    const v = await verifyToken(cfg.token);
+    await finishRotatingMessages(stopRotating, verifyStarted);
+    if (!v.valid) {
+        verifySpinner.fail(`Couldn't connect — ${v.error}. Run \`periderm login\` again.`);
+        process.exit(1);
+    }
+    if (v.plan !== "unlimited" && (v.scans_remaining === undefined || v.scans_remaining <= 0)) {
+        verifySpinner.fail(`No scans left on your ${v.plan} plan.`);
+        console.info(chalk.yellow(`\nRenew or upgrade at ${cfg.apiUrl}/dashboard/billing\n`));
+        process.exit(1);
+    }
+    verifySpinner.stop();
+    const startTime = Date.now();
+    console.info(chalk.cyan("Discovering project files…"));
+    let scanSpinner = ora({ text: "Initializing...", color: "cyan" }).start();
+    let lastFileUpdate = 0;
+    // helper for ASCII progress bar
+    const makeBar = (curr, total) => {
+        const pct = total === 0 ? 0 : curr / total;
+        const filled = Math.round(pct * 20);
+        const empty = 20 - filled;
+        return `[${"█".repeat(filled)}${"░".repeat(empty)}] ${Math.round(pct * 100)}%`;
+    };
+    const result = await scan(root, {
+        onProgress: (ev) => {
+            switch (ev.type) {
+                case "discovering":
+                    scanSpinner.text = "Discovering project files…";
+                    break;
+                case "discovered":
+                    scanSpinner.stopAndPersist({ symbol: chalk.green("✔"), text: chalk.white(`Found ${ev.total} source files.`) });
+                    scanSpinner = ora({ text: "Scanning...", color: "cyan" }).start();
+                    break;
+                case "file": {
+                    const now = Date.now();
+                    const isLast = ev.index === ev.total;
+                    if (!isLast && now - lastFileUpdate < 90)
+                        break;
+                    lastFileUpdate = now;
+                    const bar = makeBar(ev.index, ev.total);
+                    scanSpinner.text = `${bar} ${formatScanPath(ev.file)}`;
+                    break;
+                }
+                case "checks":
+                    scanSpinner.text = `Running deep checks [${ev.current}/${ev.total}]…`;
+                    break;
+                case "phase":
+                    scanSpinner.text = ev.label;
+                    break;
+            }
+        },
+    });
+    const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+    const totalFindings = result.counts.critical +
+        result.counts.high +
+        result.counts.medium +
+        result.counts.low;
+    scanSpinner.succeed(`Scanned ${result.filesScanned} files · ${totalFindings} finding${totalFindings === 1 ? "" : "s"} · ${elapsed}s`);
+    printTerminal(result);
+    const outDir = path.join(root, ".periderm");
+    await fs.mkdir(outDir, { recursive: true });
+    await fs.writeFile(path.join(outDir, "last-report.md"), result.markdown, "utf8");
+    await fs.writeFile(path.join(outDir, "last-report.json"), JSON.stringify(result, null, 2), "utf8");
+    if (opts.upload) {
+        const cfg = readConfig();
+        if (!cfg.token) {
+            console.info(chalk.yellow("no token configured — run `periderm login` first to sync to dashboard."));
+        }
+        else {
+            const uploadSpinner = ora({ text: UPLOAD_MESSAGES[0], color: "cyan" }).start();
+            const uploadStarted = Date.now();
+            const stopUploadRotate = startRotatingMessages(uploadSpinner, UPLOAD_MESSAGES);
+            const res = await uploadScan(cfg.token, result);
+            await finishRotatingMessages(stopUploadRotate, uploadStarted);
+            if (res.error) {
+                uploadSpinner.fail(`upload failed: ${res.error}`);
+                if (res.error.includes("401") || res.error.includes("Invalid token") || res.error.includes("expired")) {
+                    writeConfig({ ...cfg, token: undefined });
+                    console.info(chalk.yellow("\nYour session expired or your token is invalid. Please run `periderm login` to authenticate again."));
+                }
+                // Throw so it gets caught by the crash reporter and sent to Formspree
+                throw new Error(`Upload failed: ${res.error}\nContext: Uploading scan for project ${result.projectName}`);
+            }
+            else {
+                uploadSpinner.succeed(`Uploaded! View it at: ${chalk.underline.blue(`${cfg.apiUrl}/dashboard/scans/${res.id ?? ""}`)}`);
+                if (v.plan !== "unlimited" && v.scans_remaining !== undefined) {
+                    const remaining = Math.max(0, v.scans_remaining - 1);
+                    console.info("");
+                    console.info(`${chalk.white("Quota:")} ${chalk.bold.white(`${remaining} scans remaining`)}`);
+                    if (remaining <= 3) {
+                        console.info(chalk.yellow(`⚠️  Almost exhausted! Renew or upgrade at `) + chalk.underline.cyan(`${cfg.apiUrl}/dashboard/billing`));
+                    }
+                }
+            }
+        }
+    }
+});
+program
+    .command("review")
+    .description("Run AI deep review on the last scan (Scale/Unlimited). Requires GROQ_API_KEY.")
+    .option("--deep", "Run the AI agent deep review")
+    .option("--cwd <dir>", "Project directory", process.cwd())
+    .action(async (opts) => {
+    if (!opts.deep) {
+        console.error(chalk.yellow("Use `periderm review --deep` to run the AI agent review."));
+        process.exit(1);
+    }
+    const root = path.resolve(opts.cwd);
+    const cfg = readConfig();
+    if (!cfg.token) {
+        console.error(chalk.red("Error: You must be logged in. Run `periderm login` first."));
+        process.exit(1);
+    }
+    const apiKey = process.env.GROQ_API_KEY?.trim();
+    if (!apiKey) {
+        console.error(chalk.red("Error: Set GROQ_API_KEY in your environment to run deep review."));
+        process.exit(1);
+    }
+    const reportPath = path.join(root, ".periderm", "last-report.json");
+    let scanResult;
+    try {
+        scanResult = JSON.parse(await fs.readFile(reportPath, "utf8"));
+    }
+    catch {
+        console.error(chalk.red("No scan found. Run `periderm scan` first."));
+        process.exit(1);
+    }
+    const verifySpinner = ora({ text: "Verifying plan…", color: "cyan" }).start();
+    const v = await verifyToken(cfg.token);
+    if (!v.valid) {
+        verifySpinner.fail(`Couldn't connect — ${v.error}`);
+        process.exit(1);
+    }
+    if (v.plan !== "scale" && v.plan !== "unlimited") {
+        verifySpinner.fail("Deep review requires Scale or Unlimited plan.");
+        console.info(chalk.yellow(`\nUpgrade at ${cfg.apiUrl}/dashboard/billing\n`));
+        process.exit(1);
+    }
+    verifySpinner.succeed("Plan verified");
+    const reviewSpinner = ora({ text: "Starting deep review agent…", color: "cyan" }).start();
+    const { markdown, findings } = await runDeepReview(root, scanResult, apiKey, (msg) => {
+        reviewSpinner.text = msg;
+    });
+    scanResult.findings.push(...findings);
+    for (const f of findings)
+        scanResult.counts[f.severity]++;
+    const outDir = path.join(root, ".periderm");
+    const mdPath = path.join(outDir, "last-report.md");
+    const existingMd = await fs.readFile(mdPath, "utf8").catch(() => scanResult.markdown);
+    const combinedMd = `${existingMd}\n\n${markdown}`;
+    scanResult.markdown = combinedMd;
+    await fs.writeFile(mdPath, combinedMd, "utf8");
+    await fs.writeFile(reportPath, JSON.stringify(scanResult, null, 2), "utf8");
+    reviewSpinner.succeed(`Deep review complete · ${findings.length} additional finding${findings.length === 1 ? "" : "s"}`);
+    console.info(chalk.white(`\nAppended to ${mdPath}\n`));
+});
+program
+    .command("watch")
+    .description("Rerun the scan on file change.")
+    .option("--cwd <dir>", "Directory to watch", process.cwd())
+    .action(async (opts) => {
+    const root = path.resolve(opts.cwd);
+    console.info(chalk.white(`watching ${root}… (Ctrl-C to stop)`));
+    let scheduled = null;
+    const run = async () => {
+        const result = await scan(root);
+        console.clear();
+        printTerminal(result);
+    };
+    await run();
+    try {
+        const watcher = fs.watch(root, { recursive: true });
+        for await (const _ of watcher) {
+            if (scheduled)
+                clearTimeout(scheduled);
+            scheduled = setTimeout(run, 400);
+        }
+    }
+    catch (e) {
+        console.error(chalk.red("watch failed:"), e);
+        process.exitCode = 1;
+    }
+});
+program
+    .command("login")
+    .description("Open the dashboard to grab a CLI token, then paste it here.")
+    .action(async () => {
+    const { apiUrl } = readConfig();
+    const server = http.createServer(async (req, res) => {
+        const url = new URL(req.url || "", `http://127.0.0.1:${req.socket.localPort}`);
+        const token = url.searchParams.get("token");
+        if (token) {
+            res.writeHead(200, { "Content-Type": "text/html" });
+            const html = `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Periderm CLI Authenticated</title>
+  <style>
+    :root {
+      --bg: #FAFAFA;
+      --card: #FFFFFF;
+      --border: #EAEAEA;
+      --text: #111111;
+      --text-muted: #888888;
+      --ember: #FF4D00;
+      --ember-bg: rgba(255, 77, 0, 0.1);
+      --btn-bg: #111111;
+      --btn-text: #FFFFFF;
+      --btn-hover: #333333;
+    }
+    body { background-color: var(--bg); color: var(--text); font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; transition: background-color 0.2s, color 0.2s; }
+    .card { background-color: var(--card); border: 1px solid var(--border); border-radius: 12px; padding: 24px; text-align: center; max-width: 420px; box-shadow: 0 8px 32px rgba(0,0,0,0.08); }
+    h1 { margin-top: 0; font-size: 24px; font-weight: 600; letter-spacing: -0.02em; }
+    p { color: var(--text-muted); font-size: 14px; line-height: 1.6; }
+    .icon { width: 56px; height: 56px; border-radius: 12px; background-color: var(--ember-bg); color: var(--ember); display: inline-flex; align-items: center; justify-content: center; font-size: 28px; margin-bottom: 24px; border: 1px solid rgba(255, 77, 0, 0.2); }
+    .btn { display: block; width: 100%; padding: 12px 24px; background-color: var(--btn-bg); color: var(--btn-text); text-decoration: none; border-radius: 6px; font-size: 14px; font-weight: 500; transition: background-color 0.2s; box-sizing: border-box; }
+    .btn:hover { background-color: var(--btn-hover); }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none" width="56" height="56" style="margin: 0 auto 24px auto; display: block; box-shadow: 0 4px 12px rgba(0,0,0,0.1); border-radius: 12px;">
+      <rect width="32" height="32" rx="7" fill="#111111"/>
+      <text x="5" y="23" font-family="ui-monospace,monospace" font-size="16" font-weight="600" fill="#ffffff">▸_</text>
+      <g transform="translate(15, 6) scale(0.55)">
+        <path d="m9.03 21.69 2.33-1.96c.35-.3.93-.3 1.28 0l2.33 1.96c.54.27 1.2 0 1.4-.58l.44-1.33c.11-.32 0-.79-.24-1.03l-2.27-2.28c-.17-.16-.3-.48-.3-.71v-2.85c0-.42.31-.62.7-.46l4.91 2.12c.77.33 1.4-.08 1.4-.92v-1.29c0-.67-.5-1.44-1.12-1.7L14.3 8.25a.554.554 0 0 1-.3-.46v-3c0-.94-.69-2.05-1.53-2.48-.3-.15-.65-.15-.95 0-.84.43-1.53 1.55-1.53 2.49v3c0 .18-.14.39-.3.46l-5.58 2.41c-.62.25-1.12 1.02-1.12 1.69v1.29c0 .84.63 1.25 1.4.92l4.91-2.12c.38-.17.7.04.7.46v2.85c0 .23-.13.55-.29.71l-2.27 2.28c-.24.24-.35.7-.24 1.03l.44 1.33c.18.58.84.86 1.39.58Z" stroke="#ff4d00" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" transform="rotate(45, 12, 12)"/>
+      </g>
+    </svg>
+    <h1>Authentication Successful</h1>
+    <p>Periderm CLI is now securely linked to your account.</p>
+    <p style="margin-top: 24px; font-size: 12px; color: var(--text-muted); margin-bottom: 24px;">You can safely close this tab and return to your terminal.</p>
+    <a href="${apiUrl}/dashboard" class="btn">Go to Dashboard</a>
+  </div>
+  <script>setTimeout(() => window.close(), 5000);</script>
+</body>
+</html>`;
+            res.end(html);
+            const v = await verifyToken(token);
+            if (!v.valid) {
+                console.info(chalk.red(`\nInvalid token: ${v.error}`));
+                process.exit(1);
+            }
+            writeConfig({ apiUrl, token });
+            console.clear();
+            const username = os.userInfo().username;
+            const hostname = os.hostname();
+            const header = `${username}@${hostname}`;
+            const formatEmail = v.email || v.user_id || "Unknown";
+            const formatPlan = v.plan || "starter";
+            const formatQuota = `${v.scans_remaining ?? "?"}`;
+            const actualLogoLines = PERIDERM_ASCII.split("\n");
+            // Print logo
+            console.info("");
+            for (const line of actualLogoLines) {
+                console.info(chalk.hex("#FF4D00")(line));
+            }
+            // Print info panel below logo
+            console.info("");
+            console.info(chalk.bold.cyan(header));
+            console.info(chalk.white("─".repeat(header.length)));
+            console.info(chalk.bold.green("✓ Successfully Authenticated"));
+            console.info("");
+            console.info(chalk.bold.white("Account : ") + chalk.white(formatEmail));
+            console.info(chalk.bold.white("Plan    : ") + chalk.magenta(formatPlan));
+            console.info(chalk.bold.white("Quota   : ") + chalk.yellow(`${formatQuota} scans`));
+            console.info("");
+            console.info(chalk.bold.white("[Next Steps]"));
+            console.info(chalk.white("  1. Local scan   ") + chalk.hex("#FF4D00")("$ periderm scan"));
+            console.info(chalk.white("  2. Cloud upload ") + chalk.hex("#FF4D00")("$ periderm scan --upload"));
+            console.info(chalk.white("  3. Log out      ") + chalk.hex("#FF4D00")("$ periderm logout"));
+            console.info("");
+            console.info(chalk.white("Need help? Visit ") + chalk.underline.cyan(`${apiUrl}/docs`) + chalk.white("\n"));
+            server.close();
+            process.exit(0);
+        }
+        else {
+            res.writeHead(400);
+            res.end("Bad Request: Missing token parameter");
+        }
+    });
+    server.listen(0, "127.0.0.1", async () => {
+        const address = server.address();
+        if (address && typeof address === "object") {
+            const port = address.port;
+            const loginUrl = `${apiUrl}/dashboard/cli-login?port=${port}&device=${encodeURIComponent(os.hostname())}`;
+            console.info(chalk.cyan("Waiting for authentication..."));
+            console.info(chalk.white("If your browser does not open automatically, click here: ") + chalk.underline.cyan(loginUrl));
+            try {
+                await open(loginUrl);
+            }
+            catch (e) {
+                console.error("[periderm] Could not open browser automatically.", e);
+                process.exitCode = 1;
+            }
+        }
+    });
+});
+program
+    .command("whoami")
+    .description("Verify the current token.")
+    .action(async () => {
+    const cfg = readConfig();
+    if (!cfg.token) {
+        console.info(chalk.white("not logged in"));
+        return;
+    }
+    const r = await verifyToken(cfg.token);
+    if (!r.valid) {
+        console.info(chalk.red(`token invalid: ${r.error}`));
+        return;
+    }
+    console.info(`api:   ${cfg.apiUrl}`);
+    console.info(`user:  ${r.user_id}`);
+    console.info(`plan:  ${r.plan}`);
+    console.info(`quota: ${r.scans_remaining} scans remaining`);
+});
+program
+    .command("logout")
+    .description("Log out of the CLI by clearing your token.")
+    .action(async () => {
+    const cfg = readConfig();
+    writeConfig({ ...cfg, token: undefined });
+    console.info("");
+    console.info(chalk.bold.hex("#FF4D00")("▸_ Periderm CLI"));
+    console.info(chalk.white("──────────────────────────────────────────"));
+    console.info(chalk.bold.green("✓ Successfully logged out."));
+    console.info("");
+    console.info(chalk.white("Run ") + chalk.white("$ periderm login") + chalk.white(" to re-authenticate."));
+    console.info("");
+});
+program.parseAsync().catch(async (e) => {
+    console.error(e);
+    try {
+        const formData = new FormData();
+        formData.append("name", "Periderm CLI Crash Reporter");
+        formData.append("_replyto", "support@periderm.dev");
+        const marker = "\n\n---\n[System Info: Sent from Periderm CLI]";
+        const errMsg = e instanceof Error ? `${e.message}\n${e.stack}` : String(e);
+        formData.append("message", `CLI Crash:\n\n${errMsg}${marker}`);
+        await fetch("https://formspree.io/f/mqakppnn", {
+            method: "POST",
+            body: formData,
+            headers: { Accept: "application/json" }
+        });
+    }
+    catch (err) {
+        // silently fail
+    }
+    process.exit(1);
+});
+function readLine() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf8");
+        const onData = (chunk) => {
+            data += chunk;
+            if (data.includes("\n")) {
+                process.stdin.removeListener("data", onData);
+                process.stdin.pause();
+                resolve(data.split("\n")[0]);
+            }
+        };
+        process.stdin.on("data", onData);
+        process.stdin.resume();
+    });
+}

package/dist/loading-messages.js

@@ -0,0 +1,36 @@
+/** Rotating CLI status lines — never expose internal ops like "checking quota". */
+export const PRE_SCAN_MESSAGES = [
+    "Calibrating reality score sensors…",
+    "Loading deterministic chaos gremlins…",
+    "Syncing with mission control…",
+    "Checking if your app is launch-ready or launch-regret…",
+    "Spinning up the pre-launch checklist…",
+    "Consulting the launch gods…",
+    "Measuring the gap between vibes and production…",
+    "Warming up the embarrassment detector…",
+];
+export const UPLOAD_MESSAGES = [
+    "Beaming report to your dashboard…",
+    "Uploading findings to mission control…",
+    "Syncing scan results…",
+    "Transmitting embarrassment risk data…",
+];
+const DEFAULT_ROTATE_MS = 4000;
+const MIN_MESSAGE_VISIBLE_MS = 3500;
+export function startRotatingMessages(spinner, pool, intervalMs = DEFAULT_ROTATE_MS) {
+    let idx = 0;
+    spinner.text = pool[0] ?? pool[Math.floor(Math.random() * pool.length)];
+    const id = setInterval(() => {
+        idx = (idx + 1) % pool.length;
+        spinner.text = pool[idx];
+    }, intervalMs);
+    return () => clearInterval(id);
+}
+/** Keep the current line visible long enough to read before stopping the spinner. */
+export async function finishRotatingMessages(stop, startedAt, minVisibleMs = MIN_MESSAGE_VISIBLE_MS) {
+    const elapsed = Date.now() - startedAt;
+    if (elapsed < minVisibleMs) {
+        await new Promise((resolve) => setTimeout(resolve, minVisibleMs - elapsed));
+    }
+    stop();
+}

package/dist/report/markdown.js

@@ -0,0 +1,111 @@
+/** Escape angle brackets so fix text like `<Link to="/x">` doesn't break HTML rendering. */
+export function escapeMdText(text) {
+    return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+export function renderMarkdown(r) {
+    const verdictLabel = r.verdict === "launch_ready" ? "LAUNCH READY" : r.verdict === "hold" ? "HOLD" : "DO NOT LAUNCH";
+    const lines = [];
+    lines.push(`# Periderm CLI report — ${r.projectName}`);
+    lines.push("");
+    lines.push(`> **${verdictLabel}** · ${r.filesScanned} files scanned · ${new Date(r.scannedAt).toUTCString()}`);
+    lines.push("");
+    if (r.meta) {
+        lines.push("## Scan audit");
+        lines.push("");
+        lines.push(`- **Deterministic checks run:** ${r.meta.totalChecksRun.toLocaleString()} (${r.meta.perFileCheckCount} per source file + repo/SEO/policy passes)`);
+        lines.push(`- **Privacy policy cross-reference:** ${r.meta.policySignalsChecked} tracking/legal signals compared against your policy pages`);
+        lines.push(`- **Files analyzed:** ${r.filesScanned}`);
+        lines.push("");
+    }
+    lines.push(`| Metric | Score |`);
+    lines.push(`| --- | --- |`);
+    lines.push(`| Launch Confidence | **${r.scores.confidence} / 100** |`);
+    lines.push(`| Reality Score | **${r.scores.reality} / 100** |`);
+    lines.push(`| Perceived Performance | **${r.scores.perceived} / 100** |`);
+    lines.push("");
+    lines.push(`| Severity | Count |`);
+    lines.push(`| --- | --- |`);
+    lines.push(`| critical | ${r.counts.critical} |`);
+    lines.push(`| high | ${r.counts.high} |`);
+    lines.push(`| medium | ${r.counts.medium} |`);
+    lines.push(`| low | ${r.counts.low} |`);
+    lines.push("");
+    if (r.findings.length === 0) {
+        lines.push("No findings. Ship it.");
+        return lines.join("\n");
+    }
+    lines.push("## How to use this report");
+    lines.push("");
+    lines.push("Each finding below has a **Why it matters**, an **Exact fix**, and an **AI prompt** you can paste directly into your coding assistant. Fix the criticals first, then the highs, then re-run `periderm scan`.");
+    lines.push("");
+    const bySeverity = { critical: [], high: [], medium: [], low: [] };
+    for (const f of r.findings)
+        bySeverity[f.severity].push(f);
+    for (const sev of ["critical", "high", "medium", "low"]) {
+        const items = bySeverity[sev];
+        if (items.length === 0)
+            continue;
+        // Group by message
+        const grouped = new Map();
+        for (const f of items) {
+            if (!grouped.has(f.message))
+                grouped.set(f.message, []);
+            grouped.get(f.message).push(f);
+        }
+        lines.push(`## ${sev.toUpperCase()} (${items.length})`);
+        lines.push("");
+        let i = 1;
+        for (const [message, groupItems] of grouped.entries()) {
+            const f = groupItems[0];
+            lines.push(`### ${sev.toUpperCase()} #${i++} — ${escapeMdText(message)}`);
+            lines.push("");
+            if (groupItems.length === 1) {
+                lines.push(`- **File:** \`${f.file}\``);
+                lines.push(`- **Line:** ${f.line}`);
+            }
+            else {
+                lines.push(`<details>`);
+                lines.push(`<summary><strong>Found in ${groupItems.length} locations (click to expand)</strong></summary>`);
+                lines.push("");
+                groupItems.forEach((gi) => {
+                    lines.push(`- \`${gi.file}\` (Line: ${gi.line})`);
+                });
+                lines.push("");
+                lines.push(`</details>`);
+                lines.push("");
+            }
+            lines.push(`- **Category:** ${f.category}`);
+            lines.push(`- **Check id:** \`${f.id}\``);
+            lines.push("");
+            lines.push(`**Why it matters**`);
+            lines.push("");
+            lines.push(escapeMdText(f.why));
+            lines.push("");
+            lines.push(`**Exact fix**`);
+            lines.push("");
+            lines.push(escapeMdText(f.fix));
+            lines.push("");
+            lines.push(`**Paste into your AI assistant**`);
+            lines.push("");
+            lines.push("```");
+            if (groupItems.length > 1) {
+                lines.push(f.aiPrompt.replace(`in ${f.file}`, `in the affected files`));
+            }
+            else {
+                lines.push(f.aiPrompt);
+            }
+            lines.push("```");
+            lines.push("");
+            lines.push("---");
+            lines.push("");
+        }
+    }
+    lines.push("## One-shot prompt for the whole report");
+    lines.push("");
+    lines.push("```");
+    lines.push(`You are reviewing a Periderm CLI scan: Launch Confidence ${r.scores.confidence}/100, Reality ${r.scores.reality}/100, Perceived ${r.scores.perceived}/100 — verdict ${verdictLabel}.`);
+    lines.push(`There are ${r.counts.critical} critical, ${r.counts.high} high, ${r.counts.medium} medium, ${r.counts.low} low findings.`);
+    lines.push(`Fix them in priority order. For each finding, open the listed file, apply the Exact fix, and keep the change minimal.`);
+    lines.push("```");
+    return lines.join("\n");
+}