{"id":50595825,"url":"https://github.com/rogerchappel/cmdmap","last_synced_at":"2026-06-05T14:01:29.481Z","repository":{"id":362381782,"uuid":"1235351666","full_name":"rogerchappel/cmdmap","owner":"rogerchappel","description":"Local-first CLI that maps repo commands with evidence and safety classification.","archived":false,"fork":false,"pushed_at":"2026-06-03T23:15:56.000Z","size":47,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-04T02:09:52.693Z","etag":null,"topics":["agent-tools","cli","command-discovery","developer-tools","local-first","makefile","safety","typescript"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rogerchappel.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-11T08:38:54.000Z","updated_at":"2026-06-03T23:16:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rogerchappel/cmdmap","commit_stats":null,"previous_names":["rogerchappel/cmdmap"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/rogerchappel/cmdmap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogerchappel%2Fcmdmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogerchappel%2Fcmdmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogerchappel%2Fcmdmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogerchappel%2Fcmdmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rogerchappel","download_url":"https://codeload.github.com/rogerchappel/cmdmap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rogerchappel%2Fcmdmap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33944671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-05T02:00:06.157Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-tools","cli","command-discovery","developer-tools","local-first","makefile","safety","typescript"],"created_at":"2026-06-05T14:01:28.343Z","updated_at":"2026-06-05T14:01:29.470Z","avatar_url":"https://github.com/rogerchappel.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cmdmap\n\n`cmdmap` turns a repo's scattered command surfaces into an agent-safe command map: what exists, why it was found, how risky it looks, and what to run first. It is a small local-first CLI for those \"new repo, no idea what is safe\" moments.\n\n## Quick start\n\n```bash\nnpm install\nnpm run build\nnode dist/src/cli.js scan . --out docs/COMMANDS.md\nnode dist/src/cli.js scan fixtures/polyrepo --format json\nnode dist/src/cli.js explain \"npm run release:check\"\n```\n\nOnce installed globally or through `npx`, use `cmdmap` directly:\n\n```bash\ncmdmap scan . --out docs/COMMANDS.md\ncmdmap scan . --format json --fail-on risky\ncmdmap rules\n```\n\n## What it discovers\n\nV1 scans these local files without executing project commands:\n\n- `package.json` scripts\n- `Makefile` targets\n- `Justfile` recipes\n- `Taskfile.yml` / `Taskfile.yaml` tasks\n- `pyproject.toml` scripts/tasks\n- `Cargo.toml` default cargo workflows\n- README command snippets\n- files under `scripts/`\n\nEvery finding includes file and line evidence so humans and agents can inspect the source.\n\n## Safety model\n\n`cmdmap` is conservative by design:\n\n- `test`, `build`, and `lint` commands are usually **safe** verification candidates.\n- dev servers and unknown commands are **caution** because they may hang or have unclear side effects.\n- release, publish, destructive, secret-related, and network-looking commands are **risky** by default.\n- `cmdmap scan` never runs discovered commands.\n- `--fail-on risky` exits with code `2` when risky commands are present, which is useful in CI.\n\nThis is heuristic static analysis, not a sandbox. Treat the output as a map, not permission.\n\n## Configuration\n\nAdd `.cmdmaprc.json` at the repo root:\n\n```json\n{\n  \"allowRisky\": [\"local-release-dry-run\"],\n  \"ignore\": [\"dev\"],\n  \"labels\": {\n    \"verify\": [\"test\", \"lint\"]\n  },\n  \"preferredSmokePath\": [\"lint\", \"test\", \"build\"]\n}\n```\n\n- `allowRisky`: known commands to downgrade after review.\n- `ignore`: command names or command strings to omit.\n- `labels`: custom command labels.\n- `preferredSmokePath`: names or commands to prefer in the recommended path.\n\n## Output examples\n\nMarkdown output is intended for docs and handoffs:\n\n```bash\ncmdmap scan . --out docs/COMMANDS.md\n```\n\nJSON output is stable enough for agents and CI artifacts:\n\n```bash\ncmdmap scan . --format json \u003e command-map.json\n```\n\nExplain one command without scanning a repo:\n\n```bash\ncmdmap explain \"npm publish\"\n```\n\n## CI usage\n\n```yaml\n- run: npm ci\n- run: npm run build\n- run: node dist/src/cli.js scan . --format json --fail-on risky \u003e command-map.json\n- uses: actions/upload-artifact@v4\n  with:\n    name: command-map\n    path: command-map.json\n```\n\n## Limitations\n\n- Does not execute or verify discovered commands.\n- YAML/TOML parsing is intentionally lightweight in V1.\n- Shell analysis is pattern-based and can miss indirect behavior.\n- Cargo commands are inferred defaults from `Cargo.toml`.\n- Risk allowlists should be reviewed by maintainers before automation relies on them.\n\n## Development\n\n```bash\nnpm test\nnpm run check\nnpm run build\nnpm run smoke\nbash scripts/validate.sh\n```\n\n`fixtures/polyrepo` contains a deliberately mixed repo surface for parser and smoke coverage.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogerchappel%2Fcmdmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frogerchappel%2Fcmdmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frogerchappel%2Fcmdmap/lists"}