prodlint 0.7.2 → 0.8.0

package/README.md

@@ -4,16 +4,16 @@
 [![npm downloads](https://img.shields.io/npm/dm/prodlint.svg)](https://www.npmjs.com/package/prodlint)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-The linter for vibe-coded apps.
+Production readiness for vibe-coded apps.
 
-Static analysis for vibe-coded apps. Catches the production bugs that Cursor, v0, Bolt, and Copilot write — hallucinated imports, missing auth, hardcoded secrets, unvalidated server actions, and more. Zero config, no LLM, 52 rules, under 100ms.
+Static analysis for vibe-coded apps. Flags the security, reliability, performance, and AI quality issues that Cursor, v0, Bolt, and Copilot create — hallucinated imports, missing auth, hardcoded secrets, unvalidated server actions, and more. Zero config, no LLM, 52 rules, under 100ms.
 
 ```bash
 npx prodlint
 ```
 
 ```
-  prodlint v0.7.1
+  prodlint v0.8.0
   Scanned 148 files · 3 critical · 5 warnings
 
   src/app/api/checkout/route.ts
@@ -40,9 +40,9 @@ npx prodlint
 
 ## Why?
 
-Vibe coding is the fastest way to build. It's also the fastest way to ship hardcoded secrets, hallucinated packages, missing auth, and XSS vectors to production. These pass type-checks and look correct — but they aren't.
+Vibe coding is the fastest way to build. Shipping fast means knowing your code is production-ready — not just that it compiles. Hardcoded secrets, hallucinated packages, missing auth, and XSS vectors pass type-checks and look correct — but they aren't ready for production.
 
-prodlint catches what TypeScript and ESLint miss: **the bugs AI coding tools consistently write**.
+prodlint checks what TypeScript and ESLint don't: **whether your vibe-coded app is ready for production**.
 
 ## Install
 
@@ -66,7 +66,7 @@ npm i -g prodlint     # Global install
 
 ### Security (27 rules)
 
-| Rule | What it catches |
+| Rule | What it checks |
 |------|----------------|
 | `secrets` | API keys, tokens, passwords hardcoded in source |
 | `auth-checks` | API routes with no authentication |
@@ -98,7 +98,7 @@ npm i -g prodlint     # Global install
 
 ### Reliability (11 rules)
 
-| Rule | What it catches |
+| Rule | What it checks |
 |------|----------------|
 | `hallucinated-imports` | Imports of packages not in package.json |
 | `error-handling` | Async operations without try/catch |
@@ -114,7 +114,7 @@ npm i -g prodlint     # Global install
 
 ### Performance (6 rules)
 
-| Rule | What it catches |
+| Rule | What it checks |
 |------|----------------|
 | `no-sync-fs` | `readFileSync` in API routes |
 | `no-n-plus-one` | Database calls inside loops |
@@ -125,7 +125,7 @@ npm i -g prodlint     # Global install
 
 ### AI Quality (8 rules)
 
-| Rule | What it catches |
+| Rule | What it checks |
 |------|----------------|
 | `ai-smells` | `any` types, `console.log`, TODO comments piling up |
 | `placeholder-content` | Lorem ipsum, example emails, "your-api-key-here" left in production code |
@@ -219,13 +219,49 @@ claude mcp add prodlint npx prodlint-mcp
 
 Ask your AI: *"Run prodlint on this project"* and it calls the `scan` tool directly.
 
+## Site Score
+
+Check any deployed website for AI agent-readiness — 14 checks covering emerging standards like llms.txt, TDMRep, AgentCard, AI-Disclosure, HTTP Signatures (RFC 9421), and more.
+
+```bash
+npx prodlint --web example.com
+npx prodlint --web example.com --json     # JSON output
+```
+
+```
+  prodlint site score
+  example.com · 14 checks
+
+  Score: 42 C  ████████░░░░░░░░░░░░
+
+  ✗ AI-Disclosure Header          0/10  No AI-Disclosure header found.
+  ✗ Content-Usage Directives      0/10  No Content-Usage directives found.
+  ✗ TDMRep                        0/10  No TDMRep found.
+  ✗ A2A AgentCard                  0/5  No agent-card.json found.
+  ✗ ai.txt                         0/5  No ai.txt found at site root.
+  ! llms.txt                       2/5  llms.txt found but missing key sections.
+  ✓ robots.txt                   10/10  robots.txt found with 15 rules.
+  ✓ Sitemap                      10/10  Valid sitemap with 42 URLs.
+  ✓ Structured Data              10/10  Found JSON-LD structured data.
+  ✓ OpenGraph                    10/10  Complete OpenGraph tags found.
+  ✓ Page Speed                    5/5   Loaded in 0.8s.
+  ✓ AI Bot Directives             5/5   AI-specific bot rules found.
+  ✓ WebMCP Tools                   0/5  No WebMCP tools detected.
+
+  7 passed · 5 failed · 1 warnings
+
+  Full results: https://prodlint.com/score?url=example.com
+```
+
+Or check your score interactively at [prodlint.com/score](https://prodlint.com/score).
+
 ## For AI Tools
 
 - **LLM-friendly docs**: [prodlint.com/llms.txt](https://prodlint.com/llms.txt) — concise project summary for LLMs
 - **Full reference**: [prodlint.com/llms-full.txt](https://prodlint.com/llms-full.txt) — all 52 rules with details
 - **MCP setup guide**: [prodlint.com/mcp](https://prodlint.com/mcp) — detailed editor setup for Claude Code, Cursor, Windsurf
 
-prodlint is designed specifically for AI-generated code patterns. Every rule targets bugs that AI coding tools consistently produce — not style nits.
+prodlint is designed specifically for AI-generated code patterns. Every rule checks for production issues that AI coding tools consistently create — not style nits.
 
 ## Suppression
 

package/action.yml

@@ -1,5 +1,5 @@
 name: 'Prodlint'
-description: 'The linter for vibe-coded apps — catch what AI coding tools miss'
+description: 'Production readiness for vibe-coded apps — check your AI code before you ship'
 branding:
   icon: 'shield'
   color: 'green'
@@ -101,7 +101,7 @@ runs:
           const d = JSON.parse(fs.readFileSync('/tmp/prodlint-result.json', 'utf8'));
           const esc = s => String(s).replace(/[[\]()\\*_\`<>]/g, c => '\\\\' + c);
           const lines = [];
-          lines.push('## ' + '$EMOJI' + ' Prodlint Score: **' + d.overallScore + '/100**');
+          lines.push('## ' + '$EMOJI' + ' Production Readiness: **' + d.overallScore + '/100**');
           lines.push('');
           lines.push('| Category | Score | Issues |');
           lines.push('|----------|-------|--------|');

package/dist/cli.js

@@ -720,7 +720,8 @@ var SECRET_PATTERNS = [
   { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
   { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
   { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
-  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key (legacy)", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-proj-[a-zA-Z0-9_\-]{20,}/ },
   { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
   { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
   { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
@@ -4484,6 +4485,295 @@ function renderBar(score) {
   const color = scoreColor(score);
   return color("\u2588".repeat(filled)) + pc.dim("\u2591".repeat(empty));
 }
+var STATUS_ICONS = {
+  pass: pc.green,
+  fail: pc.red,
+  warn: pc.yellow,
+  info: pc.blue
+};
+var STATUS_SYMBOLS = {
+  pass: "\u2713",
+  fail: "\u2717",
+  warn: "!",
+  info: "i"
+};
+function reportWebPretty(result) {
+  const lines = [];
+  lines.push("");
+  lines.push(pc.bold("  prodlint site score"));
+  lines.push(pc.dim(`  ${result.domain} \xB7 ${result.summary.totalChecks} checks`));
+  lines.push("");
+  const overallColor = scoreColor(result.overallScore);
+  const bar = renderBar(result.overallScore);
+  lines.push(`  ${pc.bold("Score:")} ${overallColor(pc.bold(`${result.overallScore}`))} ${overallColor(result.grade)}  ${bar}`);
+  lines.push("");
+  const order = { fail: 0, warn: 1, info: 2, pass: 3 };
+  const sorted = [...result.checks].sort((a, b) => (order[a.status] ?? 9) - (order[b.status] ?? 9));
+  for (const check of sorted) {
+    const color = STATUS_ICONS[check.status] ?? pc.dim;
+    const symbol = STATUS_SYMBOLS[check.status] ?? "?";
+    const pts = `${check.points}/${check.maxPoints}`;
+    lines.push(`  ${color(symbol)} ${check.name.padEnd(28)} ${pc.dim(pts.padStart(6))}  ${pc.dim(check.details || "")}`);
+  }
+  lines.push("");
+  const parts = [];
+  if (result.summary.passed > 0) parts.push(pc.green(`${result.summary.passed} passed`));
+  if (result.summary.failed > 0) parts.push(pc.red(`${result.summary.failed} failed`));
+  if (result.summary.warnings > 0) parts.push(pc.yellow(`${result.summary.warnings} warnings`));
+  lines.push(`  ${parts.join(pc.dim(" \xB7 "))}`);
+  lines.push("");
+  lines.push(pc.dim(`  Full results: https://prodlint.com/score?url=${encodeURIComponent(result.domain)}`));
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/web-scanner/checks.ts
+function make(id, name, description, maxPoints, severity, status, details) {
+  return {
+    id,
+    name,
+    description,
+    status,
+    severity,
+    details,
+    points: status === "pass" ? maxPoints : status === "warn" ? Math.floor(maxPoints / 2) : 0,
+    maxPoints
+  };
+}
+function checkRobotsTxt(ctx) {
+  if (!ctx.robotsTxt) return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "fail", "No robots.txt found.");
+  return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "pass", "robots.txt found.");
+}
+function checkRobotsAiDirectives(ctx) {
+  if (!ctx.robotsTxt) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No robots.txt found. AI bots have no guidance.");
+  const agents = ["GPTBot", "ChatGPT-User", "ClaudeBot", "Claude-Web", "Google-Extended", "PerplexityBot", "Bytespider", "CCBot", "anthropic-ai", "cohere-ai"];
+  const found = agents.filter((a) => ctx.robotsTxt.toLowerCase().includes(a.toLowerCase()));
+  if (found.length === 0) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No AI-specific user-agent directives found.");
+  if (found.length < 3) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "warn", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+  return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "pass", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+}
+function checkContentUsage(ctx) {
+  const hasHeader = ctx.headers["content-usage"] != null;
+  const hasInRobots = ctx.robotsTxt?.toLowerCase().includes("content-usage") ?? false;
+  if (!hasHeader && !hasInRobots) return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "fail", "No Content-Usage directives found.");
+  return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "pass", hasHeader ? `Header: ${ctx.headers["content-usage"]}` : "Found in robots.txt.");
+}
+function checkLlmsTxt(ctx) {
+  if (!ctx.llmsTxt) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "fail", "No llms.txt found.");
+  const lines = ctx.llmsTxt.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length < 3) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "warn", "llms.txt found but appears minimal.");
+  return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "pass", `llms.txt found with ${lines.length} lines.`);
+}
+function checkTdmRep(ctx) {
+  const hasWK = ctx.tdmRep != null;
+  const hasHeader = ctx.headers["tdm-reservation"] != null;
+  if (!hasWK && !hasHeader) return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "fail", "No TDMRep configuration found.");
+  return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "pass", hasWK ? "/.well-known/tdmrep.json found." : `TDM-Reservation header: ${ctx.headers["tdm-reservation"]}`);
+}
+function checkAiDisclosure(ctx) {
+  if (!ctx.headers["ai-disclosure"]) return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "fail", "No AI-Disclosure header found.");
+  return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "pass", `Header: ${ctx.headers["ai-disclosure"]}`);
+}
+function checkAgentCard(ctx) {
+  if (!ctx.agentCard) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "fail", "No A2A AgentCard found.");
+  try {
+    const card = JSON.parse(ctx.agentCard);
+    if (!card.name || !Array.isArray(card.skills) || card.skills.length === 0) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but missing name or skills.");
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "pass", `AgentCard found with ${card.skills.length} skill(s).`);
+  } catch {
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but contains invalid JSON.");
+  }
+}
+function checkAiTxt(ctx) {
+  if (!ctx.aiTxt) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "fail", "No ai.txt found at site root.");
+  const lines = ctx.aiTxt.split("\n").filter((l) => l.trim().length > 0 && !l.trim().startsWith("#"));
+  if (lines.length < 2) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "warn", "ai.txt found but appears minimal.");
+  return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "pass", `ai.txt found with ${lines.length} directive(s).`);
+}
+function checkWebMCP(ctx) {
+  if (!ctx.html) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "info", "Could not check for WebMCP tools.");
+  const hasToolname = /toolname=/i.test(ctx.html);
+  const hasModelContext = /navigator\.modelContext/i.test(ctx.html) || /registerTool/i.test(ctx.html);
+  if (!hasToolname && !hasModelContext) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "fail", "No WebMCP tools detected.");
+  const count = (ctx.html.match(/toolname=/gi) || []).length;
+  return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "pass", hasToolname ? `${count} form(s) with toolname attributes.` : "registerTool() usage detected.");
+}
+function checkStructuredData(ctx) {
+  if (!ctx.html) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "info", "Could not fetch page HTML.");
+  const jsonLd = ctx.html.match(/<script[^>]*type=["']application\/ld\+json["'][^>]*>/gi);
+  const hasMicrodata = ctx.html.includes("itemscope") && ctx.html.includes("itemtype");
+  if (!jsonLd && !hasMicrodata) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "fail", "No structured data found.");
+  return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "pass", `Found ${(jsonLd?.length || 0) + (hasMicrodata ? 1 : 0)} structured data block(s).`);
+}
+function checkOpenGraph(ctx) {
+  if (!ctx.html) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "info", "Could not fetch HTML.");
+  const checks = [/og:title/i.test(ctx.html), /og:description/i.test(ctx.html), /og:image/i.test(ctx.html), /name=["']description["']/i.test(ctx.html)];
+  const passed = checks.filter(Boolean).length;
+  if (passed === 0) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "fail", "No OpenGraph tags or meta description.");
+  if (passed < 3) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "warn", `Found ${passed}/4 meta tags.`);
+  return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "pass", `All ${passed} key meta tags present.`);
+}
+function checkSitemap(ctx) {
+  if (!ctx.sitemapXml) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "fail", "No sitemap.xml found.");
+  const count = Math.max((ctx.sitemapXml.match(/<url>/gi) || []).length, (ctx.sitemapXml.match(/<loc>/gi) || []).length);
+  if (count === 0 && /<sitemapindex/i.test(ctx.sitemapXml)) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", "Sitemap index found.");
+  if (count === 0) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "warn", "sitemap.xml found but appears empty.");
+  return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", `sitemap.xml found with ${count} URL(s).`);
+}
+function checkHttpSignatures(ctx) {
+  const hasDirectory = ctx.httpSigDirectory != null;
+  const hasSignatureHeader = ctx.headers["signature"] != null || ctx.headers["signature-input"] != null;
+  const hasSignatureAgent = ctx.headers["signature-agent"] != null;
+  if (!hasDirectory && !hasSignatureHeader && !hasSignatureAgent) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "fail", "No HTTP signature support detected.");
+  if (hasDirectory) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", "/.well-known/http-message-signatures-directory found.");
+  return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", hasSignatureAgent ? "Signature-Agent header detected." : "Signature/Signature-Input headers detected.");
+}
+function checkPageSpeed(ctx) {
+  if (ctx.loadTimeMs == null) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "info", "Could not measure.");
+  if (ctx.loadTimeMs > 5e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "fail", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 agents may time out.`);
+  if (ctx.loadTimeMs > 2e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "warn", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 consider optimizing.`);
+  return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "pass", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s.`);
+}
+var allChecks = [
+  checkRobotsTxt,
+  checkRobotsAiDirectives,
+  checkContentUsage,
+  checkLlmsTxt,
+  checkAiTxt,
+  checkTdmRep,
+  checkAiDisclosure,
+  checkAgentCard,
+  checkWebMCP,
+  checkHttpSignatures,
+  checkStructuredData,
+  checkOpenGraph,
+  checkSitemap,
+  checkPageSpeed
+];
+
+// src/web-scanner/index.ts
+function getGrade(score) {
+  if (score >= 80) return "A";
+  if (score >= 60) return "B";
+  if (score >= 40) return "C";
+  if (score >= 20) return "D";
+  return "F";
+}
+function getDomain(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "0.0.0.0", "[::1]", "metadata.google.internal"]);
+function isPrivateHost(hostname) {
+  if (PRIVATE_HOSTNAMES.has(hostname.toLowerCase())) return true;
+  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
+  if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd") || h === "::") return true;
+  const ipv4 = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (ipv4) {
+    const [, a, b] = ipv4.map(Number);
+    if (a === 10 || a === 127 || a === 0) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 100 && b >= 64 && b <= 127) return true;
+    if (a === 198 && (b === 18 || b === 19)) return true;
+  }
+  return false;
+}
+function validateRedirectUrl(responseUrl) {
+  try {
+    const parsed = new URL(responseUrl);
+    return !isPrivateHost(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+async function fetchText(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return null;
+    return r.ok ? await r.text() : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchHeaders(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return {};
+    const h = {};
+    r.headers.forEach((v, k) => {
+      h[k.toLowerCase()] = v;
+    });
+    return h;
+  } catch {
+    return {};
+  }
+}
+async function fetchWithTiming(url, timeout = 15e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const start = Date.now();
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    const html = await r.text();
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return { html: null, loadTimeMs: null };
+    return r.ok ? { html, loadTimeMs: Date.now() - start } : { html: null, loadTimeMs: null };
+  } catch {
+    return { html: null, loadTimeMs: null };
+  }
+}
+function normalizeUrl(input) {
+  let url = input.trim();
+  if (!/^https?:\/\//i.test(url)) {
+    url = `https://${url}`;
+  }
+  const parsed = new URL(url);
+  return parsed.origin;
+}
+async function runWebScan(targetUrl) {
+  const domain = getDomain(targetUrl);
+  const [robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, pageData] = await Promise.all([
+    fetchText(`${targetUrl}/robots.txt`),
+    fetchText(`${targetUrl}/llms.txt`),
+    fetchText(`${targetUrl}/ai.txt`),
+    fetchText(`${targetUrl}/.well-known/tdmrep.json`),
+    fetchText(`${targetUrl}/.well-known/agent-card.json`),
+    fetchText(`${targetUrl}/sitemap.xml`),
+    fetchText(`${targetUrl}/.well-known/http-message-signatures-directory`),
+    fetchHeaders(targetUrl),
+    fetchWithTiming(targetUrl)
+  ]);
+  const ctx = { url: targetUrl, domain, robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, html: pageData.html, loadTimeMs: pageData.loadTimeMs };
+  const checks = allChecks.map((fn) => fn(ctx));
+  const totalPoints = checks.reduce((s, c) => s + c.points, 0);
+  const maxPoints = checks.reduce((s, c) => s + c.maxPoints, 0);
+  const overallScore = maxPoints > 0 ? Math.round(totalPoints / maxPoints * 100) : 0;
+  return {
+    url: targetUrl,
+    domain,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    overallScore,
+    grade: getGrade(overallScore),
+    checks,
+    summary: {
+      passed: checks.filter((c) => c.status === "pass").length,
+      failed: checks.filter((c) => c.status === "fail").length,
+      warnings: checks.filter((c) => c.status === "warn").length,
+      totalChecks: checks.length
+    }
+  };
+}
 
 // src/cli.ts
 var SEVERITY_RANK = { critical: 3, warning: 2, info: 1 };
@@ -4495,6 +4785,7 @@ async function main() {
       ignore: { type: "string", multiple: true, default: [] },
       "min-severity": { type: "string", default: "info" },
       quiet: { type: "boolean", default: false },
+      web: { type: "boolean", default: false },
       help: { type: "boolean", short: "h", default: false },
       version: { type: "boolean", short: "v", default: false }
     }
@@ -4507,6 +4798,15 @@ async function main() {
     console.log(getVersion());
     process.exit(0);
   }
+  if (values.web) {
+    const url = positionals[0];
+    if (!url) {
+      console.error("Usage: npx prodlint --web <url>");
+      process.exit(2);
+    }
+    await runWebScan2(url, { json: values.json });
+    return;
+  }
   const targetPath = positionals[0] ?? ".";
   const minSeverity = values["min-severity"] ?? "info";
   const result = await scan({
@@ -4524,18 +4824,40 @@ async function main() {
     process.exit(1);
   }
 }
+async function runWebScan2(url, opts) {
+  let normalizedUrl;
+  try {
+    normalizedUrl = normalizeUrl(url);
+  } catch {
+    console.error("Invalid URL:", url);
+    process.exit(2);
+  }
+  const hostname = new URL(normalizedUrl).hostname;
+  if (isPrivateHost(hostname)) {
+    console.error("Cannot scan private/internal hosts.");
+    process.exit(2);
+  }
+  const result = await runWebScan(normalizedUrl);
+  if (opts.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(reportWebPretty(result));
+  }
+}
 function printHelp() {
   console.log(`
   prodlint - The linter for vibe-coded apps
 
   Usage:
     npx prodlint [path] [options]
+    npx prodlint --web <url>
 
   Options:
     --json                    Output results as JSON
     --ignore <pattern>        Glob patterns to ignore (can be repeated)
     --min-severity <level>    Minimum severity to show: critical, warning, info (default: info)
     --quiet                   Suppress badge and summary
+    --web                     Get your site's prodlint score (14 AI agent checks)
     -h, --help                Show this help message
     -v, --version             Show version
 
@@ -4546,6 +4868,8 @@ function printHelp() {
     npx prodlint --ignore "*.test"            Ignore test files
     npx prodlint --min-severity warning       Only warnings and criticals
     npx prodlint --quiet                      No badge output
+    npx prodlint --web example.com            Site score
+    npx prodlint --web example.com --json     Site score with JSON output
 `);
 }
 main().catch((err) => {

package/dist/index.d.ts

@@ -73,4 +73,47 @@ declare function scan(options: ScanOptions): Promise<ScanResult>;
 
 declare const rules: Rule[];
 
-export { type Category, type CategoryScore, type FileContext, type Finding, type ProjectContext, type Rule, type ScanOptions, type ScanResult, type Severity, rules, scan };
+type CheckStatus = "pass" | "fail" | "warn" | "info";
+type CheckSeverity = "critical" | "high" | "medium" | "low";
+interface ScanCheck {
+    id: string;
+    name: string;
+    description: string;
+    status: CheckStatus;
+    severity: CheckSeverity;
+    points: number;
+    maxPoints: number;
+    details?: string;
+}
+interface CheckContext {
+    url: string;
+    domain: string;
+    robotsTxt: string | null;
+    llmsTxt: string | null;
+    aiTxt: string | null;
+    tdmRep: string | null;
+    agentCard: string | null;
+    sitemapXml: string | null;
+    httpSigDirectory: string | null;
+    headers: Record<string, string>;
+    html: string | null;
+    loadTimeMs: number | null;
+}
+interface WebScanResult {
+    url: string;
+    domain: string;
+    scannedAt: string;
+    overallScore: number;
+    grade: string;
+    checks: ScanCheck[];
+    summary: {
+        passed: number;
+        failed: number;
+        warnings: number;
+        totalChecks: number;
+    };
+}
+
+declare function runWebScan(targetUrl: string): Promise<WebScanResult>;
+
+export { type Category, type CategoryScore, type FileContext, type Finding, type ProjectContext, type Rule, type ScanOptions, type ScanResult, type Severity, type CheckContext as WebCheckContext, type ScanCheck as WebScanCheck, type WebScanResult, rules, runWebScan, scan };

package/dist/index.js

@@ -715,7 +715,8 @@ var SECRET_PATTERNS = [
   { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
   { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
   { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
-  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key (legacy)", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-proj-[a-zA-Z0-9_\-]{20,}/ },
   { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
   { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
   { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
@@ -4385,8 +4386,249 @@ async function scan(options) {
     summary
   };
 }
+
+// src/web-scanner/checks.ts
+function make(id, name, description, maxPoints, severity, status, details) {
+  return {
+    id,
+    name,
+    description,
+    status,
+    severity,
+    details,
+    points: status === "pass" ? maxPoints : status === "warn" ? Math.floor(maxPoints / 2) : 0,
+    maxPoints
+  };
+}
+function checkRobotsTxt(ctx) {
+  if (!ctx.robotsTxt) return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "fail", "No robots.txt found.");
+  return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "pass", "robots.txt found.");
+}
+function checkRobotsAiDirectives(ctx) {
+  if (!ctx.robotsTxt) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No robots.txt found. AI bots have no guidance.");
+  const agents = ["GPTBot", "ChatGPT-User", "ClaudeBot", "Claude-Web", "Google-Extended", "PerplexityBot", "Bytespider", "CCBot", "anthropic-ai", "cohere-ai"];
+  const found = agents.filter((a) => ctx.robotsTxt.toLowerCase().includes(a.toLowerCase()));
+  if (found.length === 0) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No AI-specific user-agent directives found.");
+  if (found.length < 3) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "warn", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+  return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "pass", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+}
+function checkContentUsage(ctx) {
+  const hasHeader = ctx.headers["content-usage"] != null;
+  const hasInRobots = ctx.robotsTxt?.toLowerCase().includes("content-usage") ?? false;
+  if (!hasHeader && !hasInRobots) return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "fail", "No Content-Usage directives found.");
+  return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "pass", hasHeader ? `Header: ${ctx.headers["content-usage"]}` : "Found in robots.txt.");
+}
+function checkLlmsTxt(ctx) {
+  if (!ctx.llmsTxt) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "fail", "No llms.txt found.");
+  const lines = ctx.llmsTxt.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length < 3) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "warn", "llms.txt found but appears minimal.");
+  return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "pass", `llms.txt found with ${lines.length} lines.`);
+}
+function checkTdmRep(ctx) {
+  const hasWK = ctx.tdmRep != null;
+  const hasHeader = ctx.headers["tdm-reservation"] != null;
+  if (!hasWK && !hasHeader) return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "fail", "No TDMRep configuration found.");
+  return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "pass", hasWK ? "/.well-known/tdmrep.json found." : `TDM-Reservation header: ${ctx.headers["tdm-reservation"]}`);
+}
+function checkAiDisclosure(ctx) {
+  if (!ctx.headers["ai-disclosure"]) return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "fail", "No AI-Disclosure header found.");
+  return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "pass", `Header: ${ctx.headers["ai-disclosure"]}`);
+}
+function checkAgentCard(ctx) {
+  if (!ctx.agentCard) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "fail", "No A2A AgentCard found.");
+  try {
+    const card = JSON.parse(ctx.agentCard);
+    if (!card.name || !Array.isArray(card.skills) || card.skills.length === 0) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but missing name or skills.");
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "pass", `AgentCard found with ${card.skills.length} skill(s).`);
+  } catch {
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but contains invalid JSON.");
+  }
+}
+function checkAiTxt(ctx) {
+  if (!ctx.aiTxt) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "fail", "No ai.txt found at site root.");
+  const lines = ctx.aiTxt.split("\n").filter((l) => l.trim().length > 0 && !l.trim().startsWith("#"));
+  if (lines.length < 2) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "warn", "ai.txt found but appears minimal.");
+  return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "pass", `ai.txt found with ${lines.length} directive(s).`);
+}
+function checkWebMCP(ctx) {
+  if (!ctx.html) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "info", "Could not check for WebMCP tools.");
+  const hasToolname = /toolname=/i.test(ctx.html);
+  const hasModelContext = /navigator\.modelContext/i.test(ctx.html) || /registerTool/i.test(ctx.html);
+  if (!hasToolname && !hasModelContext) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "fail", "No WebMCP tools detected.");
+  const count = (ctx.html.match(/toolname=/gi) || []).length;
+  return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "pass", hasToolname ? `${count} form(s) with toolname attributes.` : "registerTool() usage detected.");
+}
+function checkStructuredData(ctx) {
+  if (!ctx.html) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "info", "Could not fetch page HTML.");
+  const jsonLd = ctx.html.match(/<script[^>]*type=["']application\/ld\+json["'][^>]*>/gi);
+  const hasMicrodata = ctx.html.includes("itemscope") && ctx.html.includes("itemtype");
+  if (!jsonLd && !hasMicrodata) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "fail", "No structured data found.");
+  return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "pass", `Found ${(jsonLd?.length || 0) + (hasMicrodata ? 1 : 0)} structured data block(s).`);
+}
+function checkOpenGraph(ctx) {
+  if (!ctx.html) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "info", "Could not fetch HTML.");
+  const checks = [/og:title/i.test(ctx.html), /og:description/i.test(ctx.html), /og:image/i.test(ctx.html), /name=["']description["']/i.test(ctx.html)];
+  const passed = checks.filter(Boolean).length;
+  if (passed === 0) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "fail", "No OpenGraph tags or meta description.");
+  if (passed < 3) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "warn", `Found ${passed}/4 meta tags.`);
+  return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "pass", `All ${passed} key meta tags present.`);
+}
+function checkSitemap(ctx) {
+  if (!ctx.sitemapXml) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "fail", "No sitemap.xml found.");
+  const count = Math.max((ctx.sitemapXml.match(/<url>/gi) || []).length, (ctx.sitemapXml.match(/<loc>/gi) || []).length);
+  if (count === 0 && /<sitemapindex/i.test(ctx.sitemapXml)) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", "Sitemap index found.");
+  if (count === 0) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "warn", "sitemap.xml found but appears empty.");
+  return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", `sitemap.xml found with ${count} URL(s).`);
+}
+function checkHttpSignatures(ctx) {
+  const hasDirectory = ctx.httpSigDirectory != null;
+  const hasSignatureHeader = ctx.headers["signature"] != null || ctx.headers["signature-input"] != null;
+  const hasSignatureAgent = ctx.headers["signature-agent"] != null;
+  if (!hasDirectory && !hasSignatureHeader && !hasSignatureAgent) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "fail", "No HTTP signature support detected.");
+  if (hasDirectory) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", "/.well-known/http-message-signatures-directory found.");
+  return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", hasSignatureAgent ? "Signature-Agent header detected." : "Signature/Signature-Input headers detected.");
+}
+function checkPageSpeed(ctx) {
+  if (ctx.loadTimeMs == null) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "info", "Could not measure.");
+  if (ctx.loadTimeMs > 5e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "fail", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 agents may time out.`);
+  if (ctx.loadTimeMs > 2e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "warn", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 consider optimizing.`);
+  return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "pass", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s.`);
+}
+var allChecks = [
+  checkRobotsTxt,
+  checkRobotsAiDirectives,
+  checkContentUsage,
+  checkLlmsTxt,
+  checkAiTxt,
+  checkTdmRep,
+  checkAiDisclosure,
+  checkAgentCard,
+  checkWebMCP,
+  checkHttpSignatures,
+  checkStructuredData,
+  checkOpenGraph,
+  checkSitemap,
+  checkPageSpeed
+];
+
+// src/web-scanner/index.ts
+function getGrade(score) {
+  if (score >= 80) return "A";
+  if (score >= 60) return "B";
+  if (score >= 40) return "C";
+  if (score >= 20) return "D";
+  return "F";
+}
+function getDomain(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "0.0.0.0", "[::1]", "metadata.google.internal"]);
+function isPrivateHost(hostname) {
+  if (PRIVATE_HOSTNAMES.has(hostname.toLowerCase())) return true;
+  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
+  if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd") || h === "::") return true;
+  const ipv4 = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (ipv4) {
+    const [, a, b] = ipv4.map(Number);
+    if (a === 10 || a === 127 || a === 0) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 100 && b >= 64 && b <= 127) return true;
+    if (a === 198 && (b === 18 || b === 19)) return true;
+  }
+  return false;
+}
+function validateRedirectUrl(responseUrl) {
+  try {
+    const parsed = new URL(responseUrl);
+    return !isPrivateHost(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+async function fetchText(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return null;
+    return r.ok ? await r.text() : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchHeaders(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return {};
+    const h = {};
+    r.headers.forEach((v, k) => {
+      h[k.toLowerCase()] = v;
+    });
+    return h;
+  } catch {
+    return {};
+  }
+}
+async function fetchWithTiming(url, timeout = 15e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const start = Date.now();
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    const html = await r.text();
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return { html: null, loadTimeMs: null };
+    return r.ok ? { html, loadTimeMs: Date.now() - start } : { html: null, loadTimeMs: null };
+  } catch {
+    return { html: null, loadTimeMs: null };
+  }
+}
+async function runWebScan(targetUrl) {
+  const domain = getDomain(targetUrl);
+  const [robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, pageData] = await Promise.all([
+    fetchText(`${targetUrl}/robots.txt`),
+    fetchText(`${targetUrl}/llms.txt`),
+    fetchText(`${targetUrl}/ai.txt`),
+    fetchText(`${targetUrl}/.well-known/tdmrep.json`),
+    fetchText(`${targetUrl}/.well-known/agent-card.json`),
+    fetchText(`${targetUrl}/sitemap.xml`),
+    fetchText(`${targetUrl}/.well-known/http-message-signatures-directory`),
+    fetchHeaders(targetUrl),
+    fetchWithTiming(targetUrl)
+  ]);
+  const ctx = { url: targetUrl, domain, robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, html: pageData.html, loadTimeMs: pageData.loadTimeMs };
+  const checks = allChecks.map((fn) => fn(ctx));
+  const totalPoints = checks.reduce((s, c) => s + c.points, 0);
+  const maxPoints = checks.reduce((s, c) => s + c.maxPoints, 0);
+  const overallScore = maxPoints > 0 ? Math.round(totalPoints / maxPoints * 100) : 0;
+  return {
+    url: targetUrl,
+    domain,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    overallScore,
+    grade: getGrade(overallScore),
+    checks,
+    summary: {
+      passed: checks.filter((c) => c.status === "pass").length,
+      failed: checks.filter((c) => c.status === "fail").length,
+      warnings: checks.filter((c) => c.status === "warn").length,
+      totalChecks: checks.length
+    }
+  };
+}
 export {
   rules,
+  runWebScan,
   scan
 };
 //# sourceMappingURL=index.js.map

package/dist/mcp.js

@@ -724,7 +724,8 @@ var SECRET_PATTERNS = [
   { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
   { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
   { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
-  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key (legacy)", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-proj-[a-zA-Z0-9_\-]{20,}/ },
   { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
   { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
   { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
@@ -4395,6 +4396,254 @@ async function scan(options) {
   };
 }
 
+// src/web-scanner/checks.ts
+function make(id, name, description, maxPoints, severity, status, details) {
+  return {
+    id,
+    name,
+    description,
+    status,
+    severity,
+    details,
+    points: status === "pass" ? maxPoints : status === "warn" ? Math.floor(maxPoints / 2) : 0,
+    maxPoints
+  };
+}
+function checkRobotsTxt(ctx) {
+  if (!ctx.robotsTxt) return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "fail", "No robots.txt found.");
+  return make("robots_txt", "robots.txt", "robots.txt exists and is accessible", 5, "medium", "pass", "robots.txt found.");
+}
+function checkRobotsAiDirectives(ctx) {
+  if (!ctx.robotsTxt) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No robots.txt found. AI bots have no guidance.");
+  const agents = ["GPTBot", "ChatGPT-User", "ClaudeBot", "Claude-Web", "Google-Extended", "PerplexityBot", "Bytespider", "CCBot", "anthropic-ai", "cohere-ai"];
+  const found = agents.filter((a) => ctx.robotsTxt.toLowerCase().includes(a.toLowerCase()));
+  if (found.length === 0) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "fail", "No AI-specific user-agent directives found.");
+  if (found.length < 3) return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "warn", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+  return make("robots_ai_directives", "AI robots.txt Directives", "AI bot user-agents in robots.txt", 15, "critical", "pass", `Found ${found.length} AI bot directive(s): ${found.join(", ")}.`);
+}
+function checkContentUsage(ctx) {
+  const hasHeader = ctx.headers["content-usage"] != null;
+  const hasInRobots = ctx.robotsTxt?.toLowerCase().includes("content-usage") ?? false;
+  if (!hasHeader && !hasInRobots) return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "fail", "No Content-Usage directives found.");
+  return make("content_usage", "Content-Usage (IETF aipref)", "Content-Usage header or directives", 10, "high", "pass", hasHeader ? `Header: ${ctx.headers["content-usage"]}` : "Found in robots.txt.");
+}
+function checkLlmsTxt(ctx) {
+  if (!ctx.llmsTxt) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "fail", "No llms.txt found.");
+  const lines = ctx.llmsTxt.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length < 3) return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "warn", "llms.txt found but appears minimal.");
+  return make("llms_txt", "llms.txt", "LLM-optimized site summary at /llms.txt", 10, "high", "pass", `llms.txt found with ${lines.length} lines.`);
+}
+function checkTdmRep(ctx) {
+  const hasWK = ctx.tdmRep != null;
+  const hasHeader = ctx.headers["tdm-reservation"] != null;
+  if (!hasWK && !hasHeader) return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "fail", "No TDMRep configuration found.");
+  return make("tdmrep", "TDMRep (W3C)", "Text & data mining reservation file or header", 8, "medium", "pass", hasWK ? "/.well-known/tdmrep.json found." : `TDM-Reservation header: ${ctx.headers["tdm-reservation"]}`);
+}
+function checkAiDisclosure(ctx) {
+  if (!ctx.headers["ai-disclosure"]) return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "fail", "No AI-Disclosure header found.");
+  return make("ai_disclosure", "AI-Disclosure Header", "Declares AI involvement in content generation", 5, "low", "pass", `Header: ${ctx.headers["ai-disclosure"]}`);
+}
+function checkAgentCard(ctx) {
+  if (!ctx.agentCard) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "fail", "No A2A AgentCard found.");
+  try {
+    const card = JSON.parse(ctx.agentCard);
+    if (!card.name || !Array.isArray(card.skills) || card.skills.length === 0) return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but missing name or skills.");
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "pass", `AgentCard found with ${card.skills.length} skill(s).`);
+  } catch {
+    return make("agent_card", "A2A AgentCard", "/.well-known/agent-card.json for agent discovery", 10, "high", "warn", "AgentCard found but contains invalid JSON.");
+  }
+}
+function checkAiTxt(ctx) {
+  if (!ctx.aiTxt) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "fail", "No ai.txt found at site root.");
+  const lines = ctx.aiTxt.split("\n").filter((l) => l.trim().length > 0 && !l.trim().startsWith("#"));
+  if (lines.length < 2) return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "warn", "ai.txt found but appears minimal.");
+  return make("ai_txt", "ai.txt", "AI training permissions per Spawning spec", 5, "medium", "pass", `ai.txt found with ${lines.length} directive(s).`);
+}
+function checkWebMCP(ctx) {
+  if (!ctx.html) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "info", "Could not check for WebMCP tools.");
+  const hasToolname = /toolname=/i.test(ctx.html);
+  const hasModelContext = /navigator\.modelContext/i.test(ctx.html) || /registerTool/i.test(ctx.html);
+  if (!hasToolname && !hasModelContext) return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "fail", "No WebMCP tools detected.");
+  const count = (ctx.html.match(/toolname=/gi) || []).length;
+  return make("webmcp", "WebMCP Tools", "Chrome 146+ WebMCP tool registration", 10, "high", "pass", hasToolname ? `${count} form(s) with toolname attributes.` : "registerTool() usage detected.");
+}
+function checkStructuredData(ctx) {
+  if (!ctx.html) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "info", "Could not fetch page HTML.");
+  const jsonLd = ctx.html.match(/<script[^>]*type=["']application\/ld\+json["'][^>]*>/gi);
+  const hasMicrodata = ctx.html.includes("itemscope") && ctx.html.includes("itemtype");
+  if (!jsonLd && !hasMicrodata) return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "fail", "No structured data found.");
+  return make("structured_data", "Structured Data", "JSON-LD or Schema.org markup", 10, "medium", "pass", `Found ${(jsonLd?.length || 0) + (hasMicrodata ? 1 : 0)} structured data block(s).`);
+}
+function checkOpenGraph(ctx) {
+  if (!ctx.html) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "info", "Could not fetch HTML.");
+  const checks = [/og:title/i.test(ctx.html), /og:description/i.test(ctx.html), /og:image/i.test(ctx.html), /name=["']description["']/i.test(ctx.html)];
+  const passed = checks.filter(Boolean).length;
+  if (passed === 0) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "fail", "No OpenGraph tags or meta description.");
+  if (passed < 3) return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "warn", `Found ${passed}/4 meta tags.`);
+  return make("opengraph", "OpenGraph & Meta", "OG tags and meta description", 7, "low", "pass", `All ${passed} key meta tags present.`);
+}
+function checkSitemap(ctx) {
+  if (!ctx.sitemapXml) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "fail", "No sitemap.xml found.");
+  const count = Math.max((ctx.sitemapXml.match(/<url>/gi) || []).length, (ctx.sitemapXml.match(/<loc>/gi) || []).length);
+  if (count === 0 && /<sitemapindex/i.test(ctx.sitemapXml)) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", "Sitemap index found.");
+  if (count === 0) return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "warn", "sitemap.xml found but appears empty.");
+  return make("sitemap", "sitemap.xml", "Sitemap exists and is valid", 5, "medium", "pass", `sitemap.xml found with ${count} URL(s).`);
+}
+function checkHttpSignatures(ctx) {
+  const hasDirectory = ctx.httpSigDirectory != null;
+  const hasSignatureHeader = ctx.headers["signature"] != null || ctx.headers["signature-input"] != null;
+  const hasSignatureAgent = ctx.headers["signature-agent"] != null;
+  if (!hasDirectory && !hasSignatureHeader && !hasSignatureAgent) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "fail", "No HTTP signature support detected.");
+  if (hasDirectory) return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", "/.well-known/http-message-signatures-directory found.");
+  return make("http_signatures", "HTTP Message Signatures (RFC 9421)", "Agent identity verification via cryptographic signatures", 5, "medium", "pass", hasSignatureAgent ? "Signature-Agent header detected." : "Signature/Signature-Input headers detected.");
+}
+function checkPageSpeed(ctx) {
+  if (ctx.loadTimeMs == null) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "info", "Could not measure.");
+  if (ctx.loadTimeMs > 5e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "fail", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 agents may time out.`);
+  if (ctx.loadTimeMs > 2e3) return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "warn", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s \u2014 consider optimizing.`);
+  return make("page_speed", "Page Load Time", "Response time for AI agent interactions", 5, "low", "pass", `${(ctx.loadTimeMs / 1e3).toFixed(1)}s.`);
+}
+var allChecks = [
+  checkRobotsTxt,
+  checkRobotsAiDirectives,
+  checkContentUsage,
+  checkLlmsTxt,
+  checkAiTxt,
+  checkTdmRep,
+  checkAiDisclosure,
+  checkAgentCard,
+  checkWebMCP,
+  checkHttpSignatures,
+  checkStructuredData,
+  checkOpenGraph,
+  checkSitemap,
+  checkPageSpeed
+];
+
+// src/web-scanner/index.ts
+function getGrade(score) {
+  if (score >= 80) return "A";
+  if (score >= 60) return "B";
+  if (score >= 40) return "C";
+  if (score >= 20) return "D";
+  return "F";
+}
+function getDomain(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var PRIVATE_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "0.0.0.0", "[::1]", "metadata.google.internal"]);
+function isPrivateHost(hostname) {
+  if (PRIVATE_HOSTNAMES.has(hostname.toLowerCase())) return true;
+  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
+  if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd") || h === "::") return true;
+  const ipv4 = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (ipv4) {
+    const [, a, b] = ipv4.map(Number);
+    if (a === 10 || a === 127 || a === 0) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 100 && b >= 64 && b <= 127) return true;
+    if (a === 198 && (b === 18 || b === 19)) return true;
+  }
+  return false;
+}
+function validateRedirectUrl(responseUrl) {
+  try {
+    const parsed = new URL(responseUrl);
+    return !isPrivateHost(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+async function fetchText(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return null;
+    return r.ok ? await r.text() : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchHeaders(url, timeout = 8e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return {};
+    const h = {};
+    r.headers.forEach((v, k) => {
+      h[k.toLowerCase()] = v;
+    });
+    return h;
+  } catch {
+    return {};
+  }
+}
+async function fetchWithTiming(url, timeout = 15e3) {
+  try {
+    const c = new AbortController();
+    const t = setTimeout(() => c.abort(), timeout);
+    const start = Date.now();
+    const r = await fetch(url, { signal: c.signal, headers: { "User-Agent": "Prodlint-WebScanner/1.0" }, redirect: "follow" });
+    const html = await r.text();
+    clearTimeout(t);
+    if (r.url && !validateRedirectUrl(r.url)) return { html: null, loadTimeMs: null };
+    return r.ok ? { html, loadTimeMs: Date.now() - start } : { html: null, loadTimeMs: null };
+  } catch {
+    return { html: null, loadTimeMs: null };
+  }
+}
+function normalizeUrl(input) {
+  let url = input.trim();
+  if (!/^https?:\/\//i.test(url)) {
+    url = `https://${url}`;
+  }
+  const parsed = new URL(url);
+  return parsed.origin;
+}
+async function runWebScan(targetUrl) {
+  const domain = getDomain(targetUrl);
+  const [robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, pageData] = await Promise.all([
+    fetchText(`${targetUrl}/robots.txt`),
+    fetchText(`${targetUrl}/llms.txt`),
+    fetchText(`${targetUrl}/ai.txt`),
+    fetchText(`${targetUrl}/.well-known/tdmrep.json`),
+    fetchText(`${targetUrl}/.well-known/agent-card.json`),
+    fetchText(`${targetUrl}/sitemap.xml`),
+    fetchText(`${targetUrl}/.well-known/http-message-signatures-directory`),
+    fetchHeaders(targetUrl),
+    fetchWithTiming(targetUrl)
+  ]);
+  const ctx = { url: targetUrl, domain, robotsTxt, llmsTxt, aiTxt, tdmRep, agentCard, sitemapXml, httpSigDirectory, headers, html: pageData.html, loadTimeMs: pageData.loadTimeMs };
+  const checks = allChecks.map((fn) => fn(ctx));
+  const totalPoints = checks.reduce((s, c) => s + c.points, 0);
+  const maxPoints = checks.reduce((s, c) => s + c.maxPoints, 0);
+  const overallScore = maxPoints > 0 ? Math.round(totalPoints / maxPoints * 100) : 0;
+  return {
+    url: targetUrl,
+    domain,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    overallScore,
+    grade: getGrade(overallScore),
+    checks,
+    summary: {
+      passed: checks.filter((c) => c.status === "pass").length,
+      failed: checks.filter((c) => c.status === "fail").length,
+      warnings: checks.filter((c) => c.status === "warn").length,
+      totalChecks: checks.length
+    }
+  };
+}
+
 // src/mcp.ts
 var server = new McpServer({
   name: "prodlint",
@@ -4402,13 +4651,20 @@ var server = new McpServer({
 });
 server.tool(
   "scan",
-  "Scan a vibe-coded project for production issues. Returns a 0-100 score with findings across security, reliability, performance, and AI quality categories.",
+  "Check a vibe-coded project's production readiness. Returns a 0-100 score with findings across security, reliability, performance, and AI quality categories.",
   {
     path: z.string().describe("Absolute path to the project directory to scan"),
     ignore: z.array(z.string()).optional().describe("Glob patterns to ignore")
   },
   async ({ path, ignore }) => {
     const resolved = resolve4(path);
+    const cwd = process.cwd();
+    if (!resolved.startsWith(cwd)) {
+      return {
+        content: [{ type: "text", text: `Error: Path must be within the current working directory (${cwd})` }],
+        isError: true
+      };
+    }
     try {
       const stats = await stat2(resolved);
       if (!stats.isDirectory()) {
@@ -4425,7 +4681,7 @@ server.tool(
     }
     const result = await scan({ path: resolved, ignore });
     const summary = [
-      `## Prodlint Score: ${result.overallScore}/100`,
+      `## Production Readiness: ${result.overallScore}/100`,
       "",
       `Scanned ${result.filesScanned} files in ${result.scanDurationMs}ms`,
       "",
@@ -4452,6 +4708,47 @@ server.tool(
     };
   }
 );
+server.tool(
+  "scan-web",
+  "Check a deployed website's AI agent-readiness. Returns a 0-100 score across 14 checks including robots.txt AI directives, llms.txt, AgentCard, WebMCP, and more.",
+  { url: z.string().describe("URL of the website to scan (e.g. https://example.com)") },
+  async ({ url }) => {
+    let normalizedUrl;
+    try {
+      normalizedUrl = normalizeUrl(url);
+    } catch {
+      return {
+        content: [{ type: "text", text: `Error: Invalid URL "${url}"` }],
+        isError: true
+      };
+    }
+    const hostname = new URL(normalizedUrl).hostname;
+    if (isPrivateHost(hostname)) {
+      return {
+        content: [{ type: "text", text: "Error: Cannot scan private or internal hosts." }],
+        isError: true
+      };
+    }
+    const result = await runWebScan(normalizedUrl);
+    const STATUS_SYMBOLS = { pass: "\u2713", fail: "\u2717", warn: "!", info: "i" };
+    const summary = [
+      `## Site Score: ${result.overallScore}/100 (${result.grade})`,
+      "",
+      `Scanned ${result.domain} \xB7 ${result.summary.totalChecks} checks`,
+      "",
+      "### Checks",
+      ...result.checks.map((c) => {
+        const sym = STATUS_SYMBOLS[c.status] ?? "?";
+        return `- ${sym} **${c.name}** \u2014 ${c.details || "No details"} (${c.points}/${c.maxPoints})`;
+      }),
+      "",
+      `### Summary: ${result.summary.passed} passed \xB7 ${result.summary.failed} failed \xB7 ${result.summary.warnings} warnings`
+    ];
+    return {
+      content: [{ type: "text", text: summary.join("\n") }]
+    };
+  }
+);
 async function main() {
   const transport = new StdioServerTransport();
   await server.connect(transport);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "prodlint",
-  "version": "0.7.2",
-  "description": "The linter for vibe-coded apps — catch what AI coding tools miss",
+  "version": "0.8.0",
+  "description": "Production readiness for vibe-coded apps — know your AI code is ready to ship",
   "license": "MIT",
   "author": "prodlint contributors",
   "type": "module",