prodlint 0.2.0 → 0.2.2

package/README.md

@@ -20,6 +20,33 @@ prodlint catches what TypeScript and ESLint miss: **production readiness gaps**.
 npx prodlint
 ```
 
+## Example Output
+
+```
+  prodlint v0.2.1
+  Scanned 142 files in 87ms
+
+  src/app/api/users/route.ts
+    8:1  CRIT  API route has no authentication check              auth-checks
+    8:1  WARN  API route has no rate limiting                     rate-limiting
+
+  src/components/chat.tsx
+   24:5  CRIT  Hardcoded Stripe secret key detected               secrets
+
+  src/lib/db.ts
+   15:1  CRIT  SQL query built with template literal interpolation sql-injection
+
+  Scores
+  security        40 ████████░░░░░░░░░░░░
+  reliability     70 ██████████████░░░░░░
+  performance     95 ███████████████████░
+  ai-quality      88 ██████████████████░░
+
+  Overall: 73/100
+
+  3 critical · 4 warnings · 2 info
+```
+
 ## Usage
 
 ```bash
@@ -31,7 +58,7 @@ npx prodlint --ignore "*.test.ts" # Ignore patterns
 
 ## What It Checks
 
-prodlint runs **11 rules** across 4 categories:
+prodlint runs **11 rules** across 3 categories:
 
 ### Security
 | Rule | Severity | What it detects |
@@ -64,9 +91,7 @@ Each category starts at 100 points. Deductions:
 - **Warning**: -3 points
 - **Info**: -1 point
 
-Overall score = average of all 4 categories (security, reliability, performance, ai-quality).
-
-Exit code is `1` if any critical findings exist, `0` otherwise.
+Overall score = average of all category scores. Exit code is `1` if any critical findings exist, `0` otherwise.
 
 ## Smart Detection
 
@@ -77,6 +102,63 @@ prodlint avoids common false positives:
 - **TypeScript path aliases** — `@/`, `~/`, and custom tsconfig paths aren't flagged as hallucinated imports
 - **Route exemptions** — auth, webhook, health, and cron routes are exempt from auth/rate-limit checks
 
+## GitHub Action
+
+Add prodlint to your CI pipeline. It posts a score summary as a PR comment and can fail builds below a threshold.
+
+```yaml
+- uses: prodlint/prodlint@v1
+  with:
+    threshold: 70    # Fail if score < 70 (optional)
+    comment: true    # Post PR comment (default: true)
+    ignore: '*.test.ts, __mocks__/**'  # Ignore patterns (optional)
+```
+
+**Inputs:**
+| Input | Default | Description |
+|-------|---------|-------------|
+| `path` | `.` | Path to scan |
+| `threshold` | `0` | Minimum score to pass (0-100) |
+| `ignore` | `''` | Comma-separated glob patterns to ignore |
+| `comment` | `true` | Post a PR comment with results |
+
+**Outputs:**
+| Output | Description |
+|--------|-------------|
+| `score` | Overall score (0-100) |
+| `critical` | Number of critical findings |
+
+## MCP Server
+
+prodlint ships an MCP server for AI coding tools (Cursor, Claude Code, Windsurf, etc.).
+
+```bash
+npx prodlint-mcp
+```
+
+### Claude Code
+
+```bash
+claude mcp add prodlint npx prodlint-mcp
+```
+
+### Cursor / Windsurf
+
+Add to your MCP config:
+
+```json
+{
+  "mcpServers": {
+    "prodlint": {
+      "command": "npx",
+      "args": ["prodlint-mcp"]
+    }
+  }
+}
+```
+
+The MCP server exposes a single `scan` tool that accepts a project path and returns the full score breakdown with findings.
+
 ## Suppressing Findings
 
 Suppress a single line:

package/action.yml

@@ -41,38 +41,47 @@ runs:
     - name: Run prodlint
       id: scan
       shell: bash
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_IGNORE: ${{ inputs.ignore }}
       run: |
-        ARGS="${{ inputs.path }}"
-        if [ -n "${{ inputs.ignore }}" ]; then
-          IFS=',' read -ra PATTERNS <<< "${{ inputs.ignore }}"
+        CMD_ARGS=("$INPUT_PATH" "--json")
+        if [ -n "$INPUT_IGNORE" ]; then
+          IFS=',' read -ra PATTERNS <<< "$INPUT_IGNORE"
           for p in "${PATTERNS[@]}"; do
-            ARGS="$ARGS --ignore \"$(echo $p | xargs)\""
+            trimmed=$(echo "$p" | xargs)
+            CMD_ARGS+=("--ignore" "$trimmed")
           done
         fi
 
-        OUTPUT=$(npx -y prodlint@latest $ARGS --json 2>&1) || true
+        OUTPUT=$(npx -y prodlint@latest "${CMD_ARGS[@]}" 2>&1) || true
 
         SCORE=$(echo "$OUTPUT" | node -e "
           const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
-          console.log(d.overallScore);
+          console.log(Number(d.overallScore) || 0);
         " 2>/dev/null || echo "0")
+        SCORE=$(echo "$SCORE" | tr -cd '0-9')
 
         CRITICAL=$(echo "$OUTPUT" | node -e "
           const d = JSON.parse(require('fs').readFileSync(0, 'utf8'));
-          console.log(d.summary.critical);
+          console.log(Number(d.summary.critical) || 0);
         " 2>/dev/null || echo "0")
+        CRITICAL=$(echo "$CRITICAL" | tr -cd '0-9')
 
-        echo "score=$SCORE" >> $GITHUB_OUTPUT
-        echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
+        echo "score=${SCORE:-0}" >> "$GITHUB_OUTPUT"
+        echo "critical=${CRITICAL:-0}" >> "$GITHUB_OUTPUT"
         echo "$OUTPUT" > /tmp/prodlint-result.json
 
     - name: Generate comment body
       if: inputs.comment == 'true' && github.event_name == 'pull_request'
       id: comment
       shell: bash
+      env:
+        SCAN_SCORE: ${{ steps.scan.outputs.score }}
+        INPUT_THRESHOLD: ${{ inputs.threshold }}
       run: |
-        SCORE="${{ steps.scan.outputs.score }}"
-        THRESHOLD="${{ inputs.threshold }}"
+        SCORE="$SCAN_SCORE"
+        THRESHOLD="$INPUT_THRESHOLD"
 
         if [ "$SCORE" -ge 80 ]; then
           EMOJI="✅"
@@ -85,10 +94,12 @@ runs:
           COLOR="red"
         fi
 
-        # Build comment from JSON
-        BODY=$(node -e "
+        # Build comment from JSON with markdown sanitization
+        TMPFILE=$(mktemp "${RUNNER_TEMP:-/tmp}/prodlint-comment-XXXXXX.md")
+        node -e "
           const fs = require('fs');
           const d = JSON.parse(fs.readFileSync('/tmp/prodlint-result.json', 'utf8'));
+          const esc = s => String(s).replace(/[[\]()\\*_\`<>]/g, c => '\\\\' + c);
           const lines = [];
           lines.push('## ' + '$EMOJI' + ' Prodlint Score: **' + d.overallScore + '/100**');
           lines.push('');
@@ -96,7 +107,7 @@ runs:
           lines.push('|----------|-------|--------|');
           for (const c of d.categoryScores) {
             const icon = c.score >= 80 ? '🟢' : c.score >= 60 ? '🟡' : '🔴';
-            lines.push('| ' + icon + ' ' + c.category + ' | ' + c.score + '/100 | ' + c.findingCount + ' |');
+            lines.push('| ' + icon + ' ' + esc(c.category) + ' | ' + c.score + '/100 | ' + c.findingCount + ' |');
           }
           if (d.summary.critical > 0) {
             lines.push('');
@@ -104,7 +115,7 @@ runs:
             lines.push('');
             const crits = d.findings.filter(f => f.severity === 'critical');
             for (const f of crits.slice(0, 10)) {
-              lines.push('- **' + f.ruleId + '** ' + f.file + ':' + f.line + ' — ' + f.message);
+              lines.push('- \`' + esc(f.ruleId) + '\` \`' + esc(f.file) + ':' + f.line + '\` — ' + esc(f.message));
             }
             if (crits.length > 10) {
               lines.push('- ...and ' + (crits.length - 10) + ' more');
@@ -113,11 +124,11 @@ runs:
           lines.push('');
           lines.push('---');
           lines.push('*Scanned ' + d.filesScanned + ' files in ' + d.scanDurationMs + 'ms · [prodlint](https://prodlint.com)*');
-          console.log(lines.join('\n'));
-        ")
+          fs.writeFileSync('$TMPFILE', lines.join('\n'));
+        "
 
-        # Write to file for the comment step
-        echo "$BODY" > /tmp/prodlint-comment.md
+        # Use the generated file for the comment step
+        cp "$TMPFILE" /tmp/prodlint-comment.md
 
     - name: Post PR comment
       if: inputs.comment == 'true' && github.event_name == 'pull_request'
@@ -129,9 +140,12 @@ runs:
     - name: Check threshold
       if: inputs.threshold != '0'
       shell: bash
+      env:
+        SCAN_SCORE: ${{ steps.scan.outputs.score }}
+        INPUT_THRESHOLD: ${{ inputs.threshold }}
       run: |
-        SCORE="${{ steps.scan.outputs.score }}"
-        THRESHOLD="${{ inputs.threshold }}"
+        SCORE="$SCAN_SCORE"
+        THRESHOLD="$INPUT_THRESHOLD"
         if [ "$SCORE" -lt "$THRESHOLD" ]; then
           echo "::error::Prodlint score ($SCORE) is below threshold ($THRESHOLD)"
           exit 1

package/dist/cli.js

@@ -5,8 +5,8 @@ import { parseArgs } from "util";
 
 // src/utils/file-walker.ts
 import fg from "fast-glob";
-import { readFile, stat } from "fs/promises";
-import { resolve, extname } from "path";
+import { readFile, stat, realpath } from "fs/promises";
+import { resolve, extname, sep } from "path";
 
 // src/utils/patterns.ts
 function isApiRoute(relativePath) {
@@ -153,17 +153,21 @@ async function walkFiles(root, extraIgnores = []) {
     cwd: root,
     ignore: [...DEFAULT_IGNORES, ...extraIgnores],
     absolute: false,
-    dot: true
+    dot: true,
+    followSymbolicLinks: false
   });
   return files.sort();
 }
 async function readFileContext(root, relativePath) {
   try {
     const absolutePath = resolve(root, relativePath);
+    const realRoot = await realpath(root);
+    const realFile = await realpath(absolutePath);
+    if (!realFile.startsWith(realRoot + sep) && realFile !== realRoot) return null;
     const fileStats = await stat(absolutePath);
     if (fileStats.size > MAX_FILE_SIZE) return null;
     const content = await readFile(absolutePath, "utf-8");
-    const lines = content.split("\n");
+    const lines = content.split(/\r?\n|\r/);
     return {
       absolutePath,
       relativePath,
@@ -1023,7 +1027,7 @@ async function scan(options) {
   const summary = summarizeFindings(findings);
   return {
     version: getVersion(),
-    scannedPath: root,
+    scannedPath: options.path,
     filesScanned: filePaths.length,
     scanDurationMs: Math.round(performance.now() - start),
     findings,
@@ -1172,7 +1176,7 @@ function printHelp() {
 `);
 }
 main().catch((err) => {
-  console.error(err);
+  console.error("prodlint error:", err instanceof Error ? err.message : "Unknown error");
   process.exit(2);
 });
 //# sourceMappingURL=cli.js.map

package/dist/index.js

@@ -1,7 +1,7 @@
 // src/utils/file-walker.ts
 import fg from "fast-glob";
-import { readFile, stat } from "fs/promises";
-import { resolve, extname } from "path";
+import { readFile, stat, realpath } from "fs/promises";
+import { resolve, extname, sep } from "path";
 
 // src/utils/patterns.ts
 function isApiRoute(relativePath) {
@@ -148,17 +148,21 @@ async function walkFiles(root, extraIgnores = []) {
     cwd: root,
     ignore: [...DEFAULT_IGNORES, ...extraIgnores],
     absolute: false,
-    dot: true
+    dot: true,
+    followSymbolicLinks: false
   });
   return files.sort();
 }
 async function readFileContext(root, relativePath) {
   try {
     const absolutePath = resolve(root, relativePath);
+    const realRoot = await realpath(root);
+    const realFile = await realpath(absolutePath);
+    if (!realFile.startsWith(realRoot + sep) && realFile !== realRoot) return null;
     const fileStats = await stat(absolutePath);
     if (fileStats.size > MAX_FILE_SIZE) return null;
     const content = await readFile(absolutePath, "utf-8");
-    const lines = content.split("\n");
+    const lines = content.split(/\r?\n|\r/);
     return {
       absolutePath,
       relativePath,
@@ -1018,7 +1022,7 @@ async function scan(options) {
   const summary = summarizeFindings(findings);
   return {
     version: getVersion(),
-    scannedPath: root,
+    scannedPath: options.path,
     filesScanned: filePaths.length,
     scanDurationMs: Math.round(performance.now() - start),
     findings,