cmdmap turns a repo's scattered command surfaces into an agent-safe command map: what exists, why it was found, how risky it looks, and what to run first. It is a small local-first CLI for those "new repo, no idea what is safe" moments.
```bash
npm install
npm run build
node dist/src/cli.js scan . --out docs/COMMANDS.md
node dist/src/cli.js scan fixtures/polyrepo --format json
node dist/src/cli.js explain "npm run release:check"
```

Once installed globally or through npx, use cmdmap directly:
```bash
cmdmap --help
cmdmap --version
cmdmap scan . --out docs/COMMANDS.md
cmdmap scan . --format json --fail-on risky
cmdmap rules
```

V1 scans these local files without executing project commands:

- `package.json` scripts
- `Makefile` targets
- `Justfile` recipes
- `Taskfile.yml` / `Taskfile.yaml` tasks
- `pyproject.toml` scripts/tasks
- `Cargo.toml` default cargo workflows
- README command snippets
- files under `scripts/`
Every finding includes file and line evidence so humans and agents can inspect the source.
cmdmap is conservative by design:

- `test`, `build`, and `lint` commands are usually safe verification candidates.
- dev servers and unknown commands are caution because they may hang or have unclear side effects.
- release, publish, destructive, secret-related, and network-looking commands are risky by default.

`cmdmap scan` never runs discovered commands. `--fail-on risky` exits with code `2` when risky commands are present, which is useful in CI.
This is heuristic static analysis, not a sandbox. Treat the output as a map, not permission.
Add `.cmdmaprc.json` at the repo root:

```json
{
  "allowRisky": ["local-release-dry-run"],
  "ignore": ["dev"],
  "labels": {
    "verify": ["test", "lint"]
  },
  "preferredSmokePath": ["lint", "test", "build"]
}
```

- `allowRisky`: known commands to downgrade after review.
- `ignore`: command names or command strings to omit.
- `labels`: custom command labels.
- `preferredSmokePath`: names or commands to prefer in the recommended path.
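To make the tiers and the config keys concrete, here is an added illustration (not cmdmap's own code) of a minimal classifier over `package.json` scripts. The script names, commands, and `.cmdmaprc.json` values are constructed samples, and the regexes are assumptions standing in for cmdmap's real rules.

```javascript
// Added illustration, not cmdmap's own code. Applies the tiers described above
// (test/build/lint safe; dev servers and unknown commands caution; release,
// publish, destructive, secret and network-looking commands risky) to
// package.json scripts, honours the .cmdmaprc.json keys, and reports the exit
// code a "--fail-on risky" gate would use. Sample data below is constructed.
const SAMPLE_SCRIPTS = {
  test: "vitest run",
  lint: "eslint .",
  build: "tsc -p .",
  dev: "vite --port 3000",
  "release:check": "npm run build && npm pack --dry-run",
  clean: "rm -rf dist",
  fetch: "curl -s https://example.invalid/data.json -o data.json",
};
const SAMPLE_RC = {
  allowRisky: ["release:check"], ignore: ["dev"],
  labels: { verify: ["test", "lint"] }, preferredSmokePath: ["lint", "test", "build"],
};
const SAFE_NAMES = new Set(["test", "build", "lint"]);
const RISKY = /\b(publish|release|deploy|rm -rf|curl|wget|token|secret)\b/i; // assumed patterns
const CAUTION = /\b(dev|serve|start|watch)\b/i;
// Every finding carries the reason it was classified (the "why it was found" evidence).
function classify(name, cmd) {
  const hit = RISKY.exec(`${name} ${cmd}`);
  if (hit) return { risk: "risky", reason: `matched "${hit[1]}"` };
  if (SAFE_NAMES.has(name)) return { risk: "safe", reason: "verification script" };
  if (CAUTION.test(`${name} ${cmd}`)) return { risk: "caution", reason: "dev server / long-running" };
  return { risk: "caution", reason: "unknown command" };
}
function scan(scripts, rc = {}) {
  const ignore = new Set(rc.ignore ?? []);
  const allow = new Set(rc.allowRisky ?? []);
  const findings = Object.entries(scripts)
    .filter(([name, cmd]) => !ignore.has(name) && !ignore.has(cmd))
    .map(([name, cmd]) => {
      let { risk, reason } = classify(name, cmd);
      if (risk === "risky" && (allow.has(name) || allow.has(cmd))) {
        risk = "caution"; reason += " (downgraded by allowRisky)"; // reviewed, not trusted
      }
      const labels = Object.keys(rc.labels ?? {}).filter((l) => rc.labels[l].includes(name));
      return { name, cmd, risk, reason, labels };
    });
  const safeNames = findings.filter((f) => f.risk === "safe").map((f) => f.name);
  const preferred = (rc.preferredSmokePath ?? []).filter((n) => n in scripts && !ignore.has(n));
  const recommendedPath = [...new Set([...preferred, ...safeNames])];
  const exitCode = findings.some((f) => f.risk === "risky") ? 2 : 0; // --fail-on risky
  return { findings, recommendedPath, exitCode };
}
console.log(JSON.stringify(scan(SAMPLE_SCRIPTS, SAMPLE_RC), null, 2));
```

Note that `allowRisky` only downgrades a finding to caution and keeps the reason attached, so the handoff still shows why the command was flagged.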
Markdown output is intended for docs and handoffs:

```bash
cmdmap scan . --out docs/COMMANDS.md
```

The checked-in polyrepo demo generates both Markdown and JSON artifacts:

```bash
bash demo/run-polyrepo-scan.sh
```

For a CI-style JSON artifact plus an expected risky-command gate failure:

```bash
bash demo/run-ci-risk-gate.sh
```

Use docs/tutorials/triage-command-surface.md for the walkthrough and docs/promo/video-brief-polyrepo-command-map.md for a short recording outline. The CI gate recipe is in docs/tutorials/ci-risk-gate-artifact.md, with a focused recording brief in docs/promo/ci-risk-gate-video-brief.md.

To turn the scanner's `recommendedPath` into a Markdown handoff brief, run:

```bash
bash demo/run-recommended-path.sh
```

See docs/tutorials/recommended-path-brief.md and docs/promo/recommended-path-social-pack.md.

JSON output is stable enough for agents and CI artifacts:

```bash
cmdmap scan . --format json > command-map.json
```

Explain one command without scanning a repo:

```bash
cmdmap explain "npm publish"
```

For a copied-command review workflow, see docs/tutorials/review-a-copied-command.md.

Run the polyrepo walkthrough to generate both Markdown and JSON artifacts from the checked-in mixed command fixture:

```bash
bash demo/run-polyrepo-scan.sh
```

The companion tutorial is docs/tutorials/triage-command-surface.md, and promotion hooks are in docs/promo/social-hooks.md.
```yaml
- run: npm ci
- run: npm run build
- run: node dist/src/cli.js scan . --format json --fail-on risky > command-map.json
- uses: actions/upload-artifact@v4
  with:
    name: command-map
    path: command-map.json
```

For a runnable local version of the risk-gate flow, use `demo/run-ci-risk-gate.sh`. The companion tutorial is docs/tutorials/ci-risk-gate.md.
- Does not execute or verify discovered commands.
- YAML/TOML parsing is intentionally lightweight in V1.
- Shell analysis is pattern-based and can miss indirect behavior.
- Cargo commands are inferred defaults from `Cargo.toml`.
- Risk allowlists should be reviewed by maintainers before automation relies on them.
```bash
npm test
npm run check
npm run build
npm run smoke
npm run package:smoke
npm run release:check
bash scripts/validate.sh
```

`fixtures/polyrepo` contains a deliberately mixed repo surface for parser and smoke coverage.
Before publishing or tagging a release, run the same verification path used by CI:

```bash
npm run release:check
npm run package:smoke
```

See docs/release-readiness.md for the package surface, CLI bins, and reviewer checklist.