portka-tools 1.5.0
Triage of the DedTxt dogfood feedback #79 — app-website-evaluator's first real --dir run on a
shipping static site (DedTxt scored A* 100/100 over 82% of weight). app-website-evaluator →
1.4.0 (video-bug-analyzer stays 1.4.1; repo-bootstrap and tab-chord-formatter unchanged at
1.2.0). MINOR: a new pre-fetched input mode + a source-visible Security sub-score, both
backward-compatible.
Added (app-website-evaluator → 1.4.0, #79)
--html <file|-> [--headers <file|->]— score already-fetched HTML without curl reaching the
origin. The primary--urlmode needscurlto hit the origin, but web/remote Claude Code runs
behind an egress proxy that 403s arbitrary hosts (DedTxt was blocked outright), so the whole live
path was unavailable. Now an agent that fetched the page another way — an MCP tool, a headless
browser,web_fetch— can pipe it in (… | evaluate-site.sh --html -) or pass a file, and pair
--headers(e.g.curl -sSIoutput) to still score the live HSTS / CSP / X-Content-Type-Options
/ Referrer-Policy header checks. Exactly one of--url/--dir/--html;--headersrequires
--html;--html -and--headers -can't both read stdin.- Source-visible Security sub-score — Security is no longer a blanket
n/aoff the network (18% of
weight). A static host can't set HTTP headers, but it ships controls that are visible in the
build: a<meta http-equiv="Content-Security-Policy">, a/.well-known/security.txt, and its
third-party<script>posture.--dir/--htmlnow score these — a<meta>CSP and a shipped
security.txtare credited, and zero third-party<script>origins (all scripts same-origin /
relative) is scored as the real minimal-supply-chain-surface win it is; third-party origins are
listed with a "pin with SRI" nudge. Header CSP still wins when present (the<meta>check stands
down to avoid double-counting). A truly control-free static page still readsn/a— honest. --dirsource-tree foot-gun guard. Many sites generaterobots.txt/sitemap.xml/
.well-known/security.txtat build time, so pointing--diratsrc/false-negatives Crawlability
and Security. When--dirlooks like a source tree (apackage.jsonbuild script, or asrc/
with no root robots.txt/sitemap.xml), the tool now prints a NOTE to target the built/deployed output
(dist/,build/,out/).- The scorecard's partial-coverage footnote now says source-visible Security is scored and only the
live signals (HTTPS / response headers, real perf numbers) need the origin — via--url,
--html --headers, or Lighthouse.
Docs
SKILL.mdandreference.mddocument the three input sources, call out the build-vs-source
gotcha explicitly (generated robots/sitemap/security.txt), and explain the source-visible Security
signals; README gains a--html/proxy example and the plugin-table copy is refreshed.
Tests
- New coverage:
--htmlscores a pre-fetched page (file and stdin) with no origin fetch;--headers
drives the security-header checks in--htmlmode; the argument guards (--headerswithout
--html, both-stdin) exit 2; a<meta>-CSP +security.txt+ no-third-party-scripts build makes
Security a scored dimension; third-party<script>origins are flagged while same-originsrcs are
ignored; and a source-tree--dirwarns to point at the build. The existing dir-mode star / #63
coverage tests still hold (a control-free page keeps Securityn/a).