periderm / cli — v0.1

Can your fast-moving app survive the real world?

You build fast with AI. We make sure it doesn't lose users, drain your wallet, or become a legal nightmare. Run our CLI, get a report with fixes in seconds.

$ curl -fsSL https://periderm-cli.vercel.app//install.sh | bash
$ sudo npm install -g periderm-cli
150+ deterministic checks · flow-graph mapping · AI senior-engineer review
 
 /$$$$$$$                     /$$       /$$                                  
| $$__  $$                   |__/      | $$                                  
| $$  \ $$ /$$$$$$   /$$$$$$  /$$  /$$$$$$$  /$$$$$$   /$$$$$$  /$$$$$$/$$$$ 
| $$$$$$$//$$__  $$ /$$__  $$| $$ /$$__  $$ /$$__  $$ /$$__  $$| $$_  $$_  $$
| $$____/| $$$$$$$$| $$  \__/| $$| $$  | $$| $$$$$$$$| $$  \__/| $$ \ $$ \ $$
| $$     | $$_____/| $$      | $$| $$  | $$| $$_____/| $$      | $$ | $$ | $$
| $$     |  $$$$$$$| $$      | $$|  $$$$$$$|  $$$$$$$| $$      | $$ | $$ | $$
|__/      \_______/|__/      |__/ \_______/ \_______/|__/      |__/ |__/ |__/
confidence 64/100 · reality 42/100 · perceived 58/100

verdict: do not launch — 3 critical, 11 high

legal liability · destroyed user trust · runaway cloud bills · platform usage drain · database corruption · unauthorized access · information disclosure · compliance exposure · credential leaks · infinite render loops · hostile UI experiences · navigation dead-ends · infrastructure exhaustion · silent data loss · embarrassment risks
§01 · philosophy

Every feature is a potential liability.

“Launch” isn’t the day you go live. It’s every feature you build. Periderm CLI turns the question “will this make me lose users, revenue or get into legal trouble?” into a check you run on autopilot.

scan · frontend codebase

Detected severe compliance exposure in user onboarding. High risk of regulatory fines.

scan · database schema

Identified fatal data integrity vulnerabilities. Malicious actors could silently corrupt records.

scan · api endpoints

Discovered critical infrastructure exhaustion traps. Infinite loops could drain platform quotas overnight.

scan · cloud storage

Found catastrophic information disclosure risks. Sensitive assets are exposed to public indexing.

§02 · the verdict

One command. A senior engineer’s opinion.

Run it locally in your terminal. You get three scores, the top embarrassment risks, and the exact files to open.

~/your-app · periderm scan · v0.1.0
$ periderm scan
↳ traversing 412 files…
↳ building flow graph (37 routes, 11 server fns)…
↳ extracting evidence for AI reviewer…
Periderm CLI Verdict
Launch Confidence: 64/100
Reality Score: 42/100
Perceived Performance: 58/100
Recommendation: DO NOT LAUNCH
Top embarrassment risks:
1. User profiles crash when avatars are missing (no ?. on user?.avatar?.url || '/default-avatar.png')
2. Three forms fail silently on API errors — no UI feedback
3. Footer references /terms — route does not exist
4. Broken images render with no fallback UI
5. Stripe webhook handler does not verify the signature
6. No production monitoring (Sentry) detected
14 findings · open in dashboard: periderm-cli.vercel.app//r/8f3a…
§03 · what it catches

150+ checks across 12 categories.

Each check is an AST rule, a filesystem probe, or a flow-graph query. No guessing, no “let me just ask an LLM.” Evidence first, then interpretation.

§01 · critical

Routing & Navigation

Dead ends, ghost routes, broken CTAs, blank Suspense pages.

  • dead-end routes
  • missing 404
  • circular redirects
§02 · critical

Runtime Stability

Unhandled promises, missing error boundaries, leaked listeners.

  • fetch without catch
  • no error boundary
  • memory leaks
§03 · critical

Auth & Authorization

Protected routes you forgot to protect. Logout you forgot to ship.

  • unprotected admin
  • no session check
  • open password reset
§04 · critical

Legal & Compliance

You can be sued, fined, or taken down for compliance gaps you don't even know exist in your app.

  • unseen compliance traps
  • silent legal liabilities
  • regulatory blind spots
§05 · high

Reality & Resilience

Empty arrays, missing avatars, offline users, double-clicks.

  • items[0] with no guard
  • no img onError
  • no offline UI
§06 · high

Loading & Transitions

Pages that feel frozen, infinite spinners, layout shift.

  • no skeleton
  • stuck Suspense
  • CLS on data load
§07 · high

Observability

You can’t fix what you can’t see. Sentry, logs, analytics.

  • no Sentry init
  • console.log in prod
  • no uptime ping
§08 · high

Data Integrity

Silent corruption: missing validation, races, double submits.

  • client-only validation
  • no idempotency
  • no delete confirm
§09 · critical

Security

Headers, secrets, dangerous HTML, CSRF, open redirects.

  • hardcoded keys
  • missing CSP
  • no webhook signature check
§10 · medium

SEO & Discoverability

Sitemaps, OG tags, duplicate titles, placeholder content left behind.

  • missing og:image
  • no sitemap
  • placeholder text
§11 · high

Accessibility

Real humans use keyboards, screen readers, and contrast.

  • no alt text
  • div onClick
  • keyboard traps
§12 · critical

Runaway Cloud Costs

The financial DDoS. An infinite loop in a serverless function quietly bills you for a weekend.

  • unbounded recursion
  • no rate limit
  • log spam
§04 · supported stacks

Built for JS, JSX, TS, and TSX codebases.

Periderm CLI parses your source with Babel — TypeScript, JSX, modern syntax, and CommonJS/ESM modules. If you ship JavaScript or TypeScript, we can scan it.

React (.jsx · .tsx)

hooks, routes, error boundaries

Next.js (.js · .ts)

app router, API routes, metadata

TanStack Start (.tsx)

server fns, loaders, routing

Vite + React (.jsx · .tsx)

SPA flows, env vars, assets

Node APIs (.js · .mjs)

webhooks, cron, serverless traps

Plain JS/TS (.js · .ts)

libraries, scripts, monorepos

also scans .mjs and .cjs — use periderm scan --local-only when you don't need a dashboard upload.

§05 · how it works

ESLint uses ASTs. Cursor uses AI. Periderm CLI uses both — in the right order.

layer L1 · ast · fs

Deterministic Engine

AST + filesystem analysis. The boring, reliable layer that finds missing alt text, dead links, hardcoded secrets, absent error boundaries, and 100+ other patterns.

layer L2 · graph

Relationship Engine

We build a graph of your app — pages → buttons → handlers → APIs → outcomes. That graph finds dead ends, missing recovery paths, and broken flows no linter can see.
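A toy of the flow-graph query described above, as an added example that is not Periderm's code: a constructed app map of routes, links and redirects is turned into the Routing & Navigation findings (dead-end routes, missing 404, circular redirects, plus a ghost route for a link whose target is not served by anything).

```javascript
// Added example, not Periderm's code: a toy flow-graph query over a constructed
// app map. Real scans derive routes, links and redirects from the AST; here they
// are written out by hand so the graph logic can be read on its own.
const demoApp = {
  routes: ['/', '/dashboard', '/settings', '/old-settings', '/legacy', '/404'],
  notFound: '/404',
  links: {
    '/': ['/dashboard', '/terms'],   // footer links to a route that does not exist
    '/dashboard': ['/settings', '/'],
    '/settings': [],                 // no navigation out of the page
  },
  redirects: { '/old-settings': '/legacy', '/legacy': '/old-settings' },
};

function routingFindings(app) {
  const findings = [];
  const routes = new Set(app.routes);
  const redirects = app.redirects || {};
  if (!app.notFound || !routes.has(app.notFound)) {
    findings.push({ check: 'missing 404', at: app.notFound || '(none)' });
  }
  // ghost routes: a link or redirect target that no route or redirect serves
  const edges = [];
  for (const [from, tos] of Object.entries(app.links)) for (const to of tos) edges.push([from, to]);
  for (const [from, to] of Object.entries(redirects)) edges.push([from, to]);
  for (const [from, to] of edges) {
    if (!routes.has(to) && !(to in redirects)) findings.push({ check: 'ghost route', at: `${from} -> ${to}` });
  }
  // dead ends: a real page with no outgoing navigation other than to itself
  for (const route of app.routes) {
    if (route === app.notFound || route in redirects) continue;
    const out = (app.links[route] || []).filter((to) => to !== route);
    if (out.length === 0) findings.push({ check: 'dead-end route', at: route });
  }
  // circular redirects: follow each chain; landing on a route already on the path is a loop
  const visited = new Set();
  for (const start of Object.keys(redirects)) {
    if (visited.has(start)) continue;
    const path = [start];
    let cur = redirects[start];
    while (cur in redirects && !path.includes(cur)) { path.push(cur); cur = redirects[cur]; }
    path.forEach((r) => visited.add(r));
    if (path.includes(cur)) findings.push({ check: 'circular redirect', at: [...path, cur].join(' -> ') });
  }
  return findings;
}
```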

layer L3 · ai · evidence-first

AI Reviewer

We don't dump your codebase into an LLM. We send structured findings and ask: would this frustrate users? You get a senior-engineer summary, not a wall of warnings.

the moat isn’t a secret prompt — it’s knowing what to observe before AI starts thinking.

§06 · the loop

Change → scan → fix → repeat.

Wire Periderm CLI into your CLI, your CI, or your editor save hook. Every change gets reviewed like a senior engineer just glanced over your shoulder.

$ periderm watch
$ periderm scan
$ periderm scan --local-only
$ periderm review --deep
periderm-bot commented on PR #482 · 12s ago
Launch Confidence 62/100 (-9) · Reality 48/100 (-14) · Perceived Performance 71/100 (+3)
  • critical
    src/components/ProfileCard.tsx · L42

    user.avatar.url accessed without a fallback. Users without a photo will see a broken image.

  • high
    src/routes/dashboard.tsx · loader

    Fetching data without a loading state. Users may perceive the page as frozen on slow networks.

  • critical
    src/lib/jobs/sync.ts · L78

    Recursive call has no termination condition behind a feature flag — potential runaway invocation cost.

§07 · faq

Questions before you scan.

§08 · pricing

Cheaper than one embarrassing launch.

Starter

$0/forever

For makers who want a sanity check before shipping.

  • Run the CLI locally, unlimited
  • 15 cloud scans / month
  • Local report dashboard
  • All 150+ deterministic checks
  • Live scan progress + check counters
  • Privacy policy vs codebase cross-check

Scale · popular

$29 / 1000 scans

For people shipping fast with AI, on real users.

  • Everything in Starter
  • AI reviewer (senior-engineer mode)
  • CLI deep review agent (`periderm review --deep`)
  • Automated CLI reporting
  • Scan history + diff between scans

Unlimited

$99/month

For teams where every release is a launch.

  • Unlimited cloud scans
  • Deep review agent + dashboard AI reviewer
  • Org-wide scan dashboard
  • Custom rules + ignore policies
  • SSO + audit log
  • Priority support

Stop shipping ideal-conditions software.

Your next feature is a launch. Make sure it doesn’t lose you the users you don’t know about yet.
