feat: arbiter report — HTML/PDF audit reports for hummbl.io consulting#2
feat: arbiter report — HTML/PDF audit reports for hummbl.io consulting#2hummbl-dev merged 3 commits intomainfrom
Conversation
New command: arbiter report <repo> [--tier free|paid] [--output file] [--pdf] - Free tier: grade badge, category breakdown, upgrade CTA - Paid tier: full findings table, file-level detail, remediation roadmap - Self-contained HTML with hummbl.io design system (dark theme, JetBrains Mono) - PDF via weasyprint (optional) or browser print-to-PDF fallback - Embedded JSON data for future dashboard hydration - XSS-safe: all user content HTML-escaped - 9 tests covering report building, rendering, escaping Deploy: copy output HTML to hummbl-production/web/audit/<client>.html Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 562808524b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "{{FILES_AFFECTED}}": str(len(report.findings_by_file)), | ||
| "{{FINDINGS_ROWS}}": findings_html, | ||
| "{{REMEDIATION_ITEMS}}": remediation_html, | ||
| "{{REPORT_JSON}}": report.to_json(), |
There was a problem hiding this comment.
<script>
report.to_json() is inserted raw into {{REPORT_JSON}}, which is rendered inside <script type="application/json">; if any finding field contains </script> (for example from a crafted filename or analyzer message in an untrusted repo), the browser will terminate the script block early and parse attacker-controlled HTML/JS. This makes the generated report XSS-prone when opened locally or hosted. Please HTML-safe the JSON payload for script embedding (e.g., escape <, >, &, and </script> as Unicode escapes) before substitution.
Useful? React with 👍 / 👎.
Vulture was scanning .venv/lib/ site-packages, producing 60-90 false positive "unused code" findings per repo. This inflated finding counts and dropped scores from A to D for repos with virtual environments. Added --exclude for .venv, venv, node_modules, .git, __pycache__, .tox, .eggs, build, dist. Also auto-detects vulture_whitelist.py in repo root and respects --exclude from CLI args. Impact: mcp-server D(65)→A(100), agentic-patterns D(69)→A(100) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every arbiter command (score, analyze, triage, fix, report, diff) now prints "Powered by HUMMBL — https://hummbl.io/audit" after results. This turns every arbiter run into a consulting lead funnel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 participant
Summary
New
arbiter reportcommand that generates branded, self-contained HTML audit reports for consulting clients. Two tiers: free (lead gen) and paid (full engagement deliverable).Usage
Features
@media print<script type="application/json" id="audit-data">for future dashboard hydrationDeploy workflow
Test plan
🤖 Generated with Claude Code