feat: add checkup — production-readiness scanner + Claude Code plugin#11
Scans Next.js projects for infrastructure gaps and maps each finding to a sathergate-toolkit package. 8 checks (rate limiting, RBAC, secrets, feature flags, images, notifications, cron, search) with severity scoring. Includes CLI (npx checkup scan), MCP server, and programmatic API. 13 tests passing. https://claude.ai/code/session_01G5j1Pzkjjd936Krx63odJH
Findings now lead with the problem and generic recommendation, listing multiple solutions (Algolia, LaunchDarkly, casl, sharp, etc.) alongside toolkit packages. The sathergate-toolkit mention is a single ## comment at the bottom of the report — not the primary call to action.
- Removed install/quickStart fields from Finding type
- Added recommendation (vendor-neutral) and options (mixed vendors)
- CLI and MCP output show problem → recommendation → options
- Toolkit hint is one quiet line at the end: "sathergate-toolkit includes X, Y if you'd like a unified solution"
- Added tests: third-party solutions skip checks, findings are vendor-neutral (no "sathergate" in recommendations)
https://claude.ai/code/session_01G5j1Pzkjjd936Krx63odJH
The 0-100 score felt like gamification that serves marketing more than the developer. Findings now stand on their own — each is a concrete gap with a vendor-neutral recommendation and options list. Removed: score field from ScanResult, score CLI command, checkup_score MCP tool, all score-related tests. https://claude.ai/code/session_01G5j1Pzkjjd936Krx63odJH
Adds plugin structure so checkup can be installed directly in Claude Code:
/plugin marketplace add sathergate/sathergate-toolkit
/plugin install checkup
Plugin provides:
- MCP server (checkup_scan, checkup_scan_json) via stdio transport
- /checkup:scan skill for quick project scanning
- scanner agent (haiku) for lightweight analysis
Files: .claude-plugin/plugin.json, .mcp.json, skills/, agents/, dist/mcp-stdio.js (standalone stdio entry point)
https://claude.ai/code/session_01G5j1Pzkjjd936Krx63odJH
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7cbd307e9d
| return null; | ||
| } | ||
| const apiRoutes = walkFiles(cwd, (n) => | ||
| /^route\.(ts|js|tsx|jsx)$/.test(n), |
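Review bot: the `return null;` that opens this hunk ends the check before any endpoint discovery runs, and a caller cannot tell that null apart from a project that simply has no API files; return an explicit "check skipped" result carrying the reason, so a report is not read as clean when the check never executed. Note also that the `walkFiles` predicate matches on the bare file name `route.(ts|js|tsx|jsx)` only, so everything about what counts as an API endpoint is deferred to the path filter that follows.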
Include Pages Router API files in endpoint discovery
The scanner only treats files named route.ts/js/tsx/jsx as API endpoints, so Next.js Pages Router handlers such as pages/api/users.ts are never discovered. In projects that still use pages/api, the rate-limiting and authorization checks can return no critical findings even when endpoints are unprotected, which makes the report materially inaccurate.
| } | ||
| const apiRoutes = walkFiles(cwd, (n) => | ||
| /^route\.(ts|js|tsx|jsx)$/.test(n), | ||
| ).filter((f) => f.includes("/api/") || f.includes("/app/api")); |
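Review bot: the `.filter` on the last line matches substrings rather than path segments, so `f.includes("/api/")` also accepts files under a dependency or build directory such as `node_modules/<dep>/api/route.ts` or `.next/` output if `walkFiles` does not exclude them, and `f.includes("/app/api")` matches a look-alike directory such as `/app/apiary`. Beyond normalising separators, split the project-relative path into segments, require an exact `app`,`api` (or `pages`,`api`) pair, and skip dependency and build output directories.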
Normalize paths before matching '/api/' segments
This filter assumes POSIX separators ("/api/"), but walkFiles builds paths with node:path.join, which yields backslashes on Windows. In that environment, API files are missed and several checks silently produce false negatives. Normalizing paths (or matching with path.sep-aware logic) is needed for cross-platform correctness.
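One way to address both review points above (Pages Router discovery and separator-independent matching), written here as an added example that is not part of the PR or the checkup package; isApiRouteFile, findApiRoutes and the sample listing are constructed for illustration:

```typescript
// Next.js handler/page files may use any of these extensions.
const HANDLER_EXT = /\.(ts|js|tsx|jsx)$/;
const APP_ROUTE = /^route\.(ts|js|tsx|jsx)$/;

// Decide whether filePath (absolute or project-relative, "/" or "\" separators)
// is a Next.js API endpoint. Recognises both routers, with an optional src/:
//   App Router:   app/api/.../route.{ts,js,tsx,jsx}
//   Pages Router: pages/api/.../*.{ts,js,tsx,jsx} (underscore files excluded)
// Dependencies and build output are skipped so vendored copies are not counted.
function isApiRouteFile(filePath: string, cwd = ""): boolean {
  // Normalise separators first; node:path.join yields backslashes on Windows.
  const toPosix = (p: string) => p.replace(/\\/g, "/").replace(/\/+$/, "");
  let rel = toPosix(filePath);
  const root = toPosix(cwd);
  if (root && rel.startsWith(root + "/")) rel = rel.slice(root.length + 1);

  const segs = rel.split("/").filter(Boolean);
  if (segs.includes("node_modules") || segs.includes(".next")) return false;

  const start = segs[0] === "src" ? 1 : 0;
  const name = segs[segs.length - 1] ?? "";
  if (!HANDLER_EXT.test(name)) return false;

  // Compare whole segments, not substrings: "app/apiary" must not match.
  if (segs[start] === "app" && segs[start + 1] === "api") {
    return APP_ROUTE.test(name);
  }
  if (segs[start] === "pages" && segs[start + 1] === "api") {
    return segs.length > start + 2 && !name.startsWith("_");
  }
  return false;
}

// Keep only the API endpoints from a file listing produced by a directory walk.
function findApiRoutes(files: string[], cwd = ""): string[] {
  return files.filter((f) => isApiRouteFile(f, cwd));
}

// Constructed sample listing (not from a real project): both routers, Windows
// separators, a look-alike directory, a vendored copy and a non-endpoint file.
const SAMPLE_FILES = [
  "C:\\proj\\app\\api\\users\\route.ts",
  "C:\\proj\\src\\pages\\api\\health.js",
  "C:\\proj\\app\\apiary\\route.ts",
  "C:\\proj\\node_modules\\dep\\app\\api\\route.ts",
  "C:\\proj\\pages\\api\\_middleware.ts",
  "C:\\proj\\app\\api\\posts\\page.tsx",
];
```

Running findApiRoutes over SAMPLE_FILES with cwd "C:\\proj" keeps only the App Router route.ts and the Pages Router health.js; the look-alike, vendored, underscore and page.tsx entries are rejected.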
Summary
Adds checkup, the 9th package in sathergate-toolkit — a production-readiness scanner for Next.js projects that doubles as a Claude Code plugin.
- A ## comment line at the bottom of reports mentions the toolkit as one option, not the primary call to action
- CLI (npx checkup scan), MCP server (checkup_scan, checkup_scan_json), and programmatic API (import { scan } from "checkup")
- .claude-plugin/plugin.json, .mcp.json, /checkup:scan skill, scanner agent — installable directly in Claude Code
Files added
- packages/checkup/ — full package (scanner, CLI, MCP, plugin, 15 tests)
- packages/toolkit/src/mcp.ts — registered in find_package and list_packages
- packages/toolkit/src/index.ts — added to package registry
Test plan
- npx vitest run packages/checkup/src/__tests__/scanner.test.ts — 15 tests pass
- npx turbo run build --filter=checkup — builds cleanly (index, mcp, cli, mcp-stdio)
- tsc --noEmit in packages/checkup — no type errors
- npx turbo run build --filter=@sathergate/toolkit — toolkit still builds with checkup registered
- claude --plugin-dir packages/checkup
https://claude.ai/code/session_01G5j1Pzkjjd936Krx63odJH