README.md

July 8, 2026 · View on GitHub

Ultraship — Claude Code Plugin

Claude Code plugin. 43 expert-level skills for building, shipping, and scaling production software. 37 audit tools (accessibility, vibe-coding security, AI evals, pentest, code quality, bundle size, SEO + AI Readiness check) plus a blocking ship-gate close the loop before deploy. A built-in Currency Guard keeps Claude on current docs, not stale training data.

npm version npm downloads npm total GitHub stars License: MIT CI Sponsor


Follow @kaileskkhumar LinkedIn houseofmvps.com kailxlabs.co

Built by Kaileskkhumar, founder of HouseofMVPs and Kailxlabs


0 dependencies · 274 tests · Node.js ESM · MIT

Install

# Claude Code plugin
claude plugin marketplace add Houseofmvps/ultraship
claude plugin install ultraship

# Or standalone via npx
npx ultraship ship .
npx ultraship seo .
npx ultraship security .

How It Works

flowchart LR
    U["You type a<br/>slash command"] --> S["Skill<br/>(markdown instructions)"]
    S --> A["Agent<br/>(dispatched worker)"]
    S --> T["Tools<br/>(Node.js scripts)"]
    A --> T
    T --> O["JSON Results"]
    O --> R["Scorecard / Report /<br/>Actionable Fixes"]

    style U fill:#f59e0b,stroke:#d97706,color:#000
    style S fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style A fill:#3b82f6,stroke:#2563eb,color:#fff
    style T fill:#10b981,stroke:#059669,color:#000
    style R fill:#ef4444,stroke:#dc2626,color:#fff
flowchart TD
    subgraph Lifecycle["Full Lifecycle Coverage"]
        direction LR
        I["Idea<br/>/brainstorm"] --> B["Build<br/>/sprint"]
        B --> AU["Audit<br/>/ship /seo /secure"]
        AU --> D["Ship<br/>/deploy"]
        D --> L["Launch<br/>/launch /compete"]
        L --> G["Grow<br/>/grow /cost"]
        G --> RE["Rescue<br/>/rescue /canary"]
    end

    style I fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style B fill:#3b82f6,stroke:#2563eb,color:#fff
    style AU fill:#f59e0b,stroke:#d97706,color:#000
    style D fill:#10b981,stroke:#059669,color:#000
    style L fill:#06b6d4,stroke:#0891b2,color:#000
    style G fill:#84cc16,stroke:#65a30d,color:#000
    style RE fill:#ef4444,stroke:#dc2626,color:#fff

What /ship Does

/ship runs 6 tools in parallel and outputs a scorecard:

flowchart LR
    SHIP["/ship"] --> SEO["seo-scanner<br/>63 rules"]
    SHIP --> A11Y["a11y-scanner<br/>WCAG 2.2"]
    SHIP --> SEC["secret-scanner<br/>+ npm audit"]
    SHIP --> CODE["code-profiler<br/>N+1, leaks, ReDoS"]
    SHIP --> BUNDLE["bundle-tracker<br/>JS/CSS/images"]
    SHIP --> ENV["env-validator<br/>+ migration-checker"]

    SEO --> SC["Scorecard<br/>READY TO SHIP"]
    A11Y --> SC
    SEC --> SC
    CODE --> SC
    BUNDLE --> SC
    ENV --> SC

    style SHIP fill:#f59e0b,stroke:#d97706,color:#000
    style SC fill:#10b981,stroke:#059669,color:#000
    style SEO fill:#3b82f6,stroke:#2563eb,color:#fff
    style SEC fill:#3b82f6,stroke:#2563eb,color:#fff
    style CODE fill:#3b82f6,stroke:#2563eb,color:#fff
    style BUNDLE fill:#3b82f6,stroke:#2563eb,color:#fff
    style ENV fill:#3b82f6,stroke:#2563eb,color:#fff
+===========================================+
|      U L T R A S H I P   S C O R E       |
+===========================================+
|  SEO + AI Vis.  92/100  ############-    |
|  Security        95/100  ############-    |
|  Code Quality    88/100  ###########--    |
|  Bundle Size     97/100  ############-    |
+===========================================+
|   OVERALL         90/100                  |
|   STATUS          READY TO SHIP           |
+===========================================+
Demo Ultraship — SEO audit, secret scanning, scorecard

Tools (40)

Each tool is a standalone Node.js script (node tools/<name>.mjs). JSON output. Exit 0 always. No build step.

Auditing

ToolWhat it checks
seo-scanner63 rules: 39 SEO (meta tags, canonicals, headings, OG tags, structured data, sitemap, cross-page duplicate/orphan detection), 20 GEO (AI bot access in robots.txt, snippet restrictions, llms.txt, structured data for AI extraction), 4 AEO (FAQPage/HowTo/speakable schema)
a11y-scannerWCAG 2.2 A/AA static checks: missing alt text, unlabeled form controls, icon-only buttons, missing lang/title/main, heading order, positive tabindex, zoom disabled, duplicate ids, broken aria references. Zero false positives.
ship-gateBlocking quality gate — scores all auditors (shared math with /ship), compares to .ultraship/ship-gate.json thresholds, hard-fails on leaked secrets / critical findings, exits 1 on fail. Generates a pre-push hook + GitHub Actions workflow.
secret-scannerAWS keys, Stripe keys, JWT secrets, database URLs, private keys. Redacts values in output.
vibe-security-scannerVibe-Coding Security Sentinel — context secret-scanner misses: server-only secrets behind a NEXT_PUBLIC_/VITE_ prefix, a decoded Supabase service_role key exposed to the client, service_role in a "use client" file, Supabase tables with no RLS. Zero false positives.
eval-scannerLocates every LLM call site (Anthropic, OpenAI, Gemini, Mistral, Cohere, Ollama, Vercel AI SDK, LangChain) by provider + model id, detects the test runner and whether an eval suite exists. Flags AI features shipping with no evals. Seeds /evals. Zero false positives.
code-profilerN+1 queries, sync I/O in handlers, unbounded queries, missing indexes, memory leaks, sequential awaits, ReDoS risk
bundle-trackerJS/CSS/image sizes in build output. Detects heavy deps (momentdayjs, lodash→native). History for before/after. Monorepo-aware.
dep-doctorUnused dependencies via import graph analysis (not just grep). Dead wrapper files. Outdated packages.
content-scorerFlesch-Kincaid readability, keyword density, thin content detection, GEO heading analysis
lighthouse-runnerLighthouse via headless Chrome. Core Web Vitals, render-blocking resources, diagnostics.

Validation

ToolWhat it checks
health-checkHTTP status, response time, SSL certificate (issuer, expiry), 6 security headers
env-validatorCompares .env.example against actual .env. Catches missing/empty/placeholder vars.
migration-checkerPending DB migrations for Drizzle, Prisma, Knex
og-validatorOpen Graph tags, image reachability, size validation
redirect-checkerRedirect chains, loops, mixed HTTP/HTTPS. Sitemap-based bulk check.
api-smoke-testHit API endpoints, check status codes, response times, CORS headers

Generators

ToolWhat it creates
sitemap-generatorsitemap.xml from HTML files and routes
robots-generatorAI-friendly robots.txt (allows GPTBot, PerplexityBot, ClaudeBot)
llms-txt-generatorllms.txt for AI assistant discoverability
structured-data-generatorJSON-LD schema markup

Competitive & Launch

ToolWhat it does
compete-analyzerCompares two URLs: tech stack, SEO score, security headers, response time. ASCII comparison card.
launch-prepReads project, generates PH/Twitter/LinkedIn/HN copy, 14-item checklist, press kit
demo-prepFinds console.logs, TODOs, placeholder text, missing favicons. Scores demo readiness.

Operations

ToolWhat it does
incident-commanderHealth check + git culprit analysis + error patterns + rollback commands + post-mortem template
growth-trackerUptime, git velocity, SEO trajectory, dep health. Stores snapshots for week-over-week comparison.
cost-trackerLog AI token usage per feature/model. Built-in pricing for Claude, GPT-4o, Gemini. Daily trends.
pentest-scannerAutomated penetration testing: XSS, SQLi, SSTI, command injection, path traversal, CORS, JWT, GraphQL introspection, prototype pollution, race conditions, request smuggling. Zero false positives, every finding has proof-of-concept.
canary-monitorPost-deploy canary monitoring: HTTP status, response time, error patterns, baseline regression detection. Auto-saves baselines for future comparison.
retro-analyzerSprint retrospective: git velocity, commit patterns (features vs fixes), test health, hot files, shipping cadence. Generates insights and recommendations.
learnings-managerProject learnings CRUD: save, search, list, prune, export. Structured knowledge that compounds across sessions.

Project Analysis

ToolWhat it does
onboard-generatorAuto-generates developer guide: stack, directory tree, routes, schema, env vars, Mermaid diagram
architecture-mapper4 Mermaid diagrams: system overview, route tree, DB ER, data flow. Circular dependency + orphan detection.
pattern-analyzerAnalyzes testing, error handling, TypeScript usage, CI/CD, git practices. Cross-repo comparison.
audit-historySaves/compares audit scores over time

Integrations (optional)

ToolWhat it does
gsc-clientGoogle Search Console: submit sitemaps, inspect URLs, query rankings (requires ULTRASHIP_GSC_CREDENTIALS)
bing-webmasterBing Webmaster: submit sitemaps/URLs, IndexNow instant push, keyword research, backlinks, site-scan, URL inspection (requires ULTRASHIP_BING_KEY). Powers ChatGPT Search + Microsoft Copilot.
ga4-clientGoogle Analytics 4: overview, top-pages, landing-pages, traffic-sources, conversions, user-journey, devices, realtime, ai-traffic (ChatGPT/Perplexity/Copilot tracking), organic (search-only). --organic flag.
keyword-intelligence12-command keyword engine: analyze, quick-wins, cannibalization, content-gaps, intent-map, trending, high-intent, page-keywords, content-decay, difficulty, anomalies (CTR anomalies), cross-reference (GSC↔GA4). --brand flag for non-brand filtering.
index-doctorIndex diagnosis: inspect URLs via GSC URL Inspection API, diagnose 15+ coverage states, auto-fix and submit to Bing.

Commands (16)

Every skill is also a slash command. Claude Code merged commands into skills, so /a11y, /sprint, /pentest, /compete, /canary, /launch, /rescue, /grow, /deploy, /learn, /guard, /retro, /investigate, /cost, /onboard, /architecture, /clone-patterns, /demo, /visual-diff, /release, /seo-strategy and /index-fix all work too — they live in Skills above. The commands below are the remaining dedicated command files.

CommandDescription
/shipPre-deploy scorecard. Runs 6 auditors, scores 5 categories
/seoSEO audit (63 rules) + AI visibility checks (bot access, snippet restrictions, schema)
/secureSecret scanning + OWASP patterns + npm audit
/perfLighthouse + bundle size
/reviewCode review with confidence-scored findings
/healthProduction health check
/codexGenerate a compact codebase index (routes, schema, components, lib) to save AI tokens
/contentReadability + keyword density analysis
/bundleBundle size tracking
/profileStatic analysis for backend anti-patterns
/depsUnused/outdated dependency detection
/redirectsRedirect chain/loop detection
/revise-claude-mdUpdate CLAUDE.md with session learnings
/brainstormDeprecated alias → use the brainstorming skill
/write-planDeprecated alias → use the writing-plans skill
/execute-planDeprecated alias → use the executing-plans skill

Skills (43)

Skills are markdown instruction files that shape Claude's behavior during your session. They activate based on context. When you're debugging, Claude uses the debugging skill. When you're building UI, it uses the frontend design skill.

Workflow (19): brainstorming, planning, TDD, implementation, code review, debugging, refactoring, frontend design, API design, data modeling, git workflow, deploy pipeline, release, CLAUDE.md management, verification, browser testing, sprint pipeline, investigation, learnings management

Specialist (12): SEO + AI visibility audit, accessibility audit + auto-fix, deterministic ship-gate, AI eval harness, security audit, penetration testing, performance audit, content quality, code profiling, parallel agent dispatching, safety guardrails, staying current

Growth & Intelligence (12): competitive analysis, launch prep, incident response, growth tracking, cost tracking, onboarding, architecture mapping, pattern analysis, demo readiness, visual regression, canary monitoring, sprint retrospective

Agents (13)

Agents are dispatched by skills to run audits in parallel:

code-reviewer · seo-auditor · seo-strategist · security-auditor · pentest-auditor · perf-auditor · a11y-auditor · browser-verifier · compete-analyzer · launch-auditor · incident-responder · growth-tracker · canary-monitor

MCP Servers (2)

ServerPurpose
Context7Live library documentation. Fetches current docs for any framework/library.
PlaywrightBrowser automation. Navigate, screenshot, fill forms, test deployed pages.

Both lazy-start on first use. No background processes.

Optional MCP integrations (detect-if-present)

Ultraship doesn't bundle these (they need your credentials and would slow every install), but several skills use them automatically if you've connected them:

ConnectSharpens
Sentry/rescue pulls live production errors and maps stack traces to code instead of guessing the culprit. /canary confirms a post-deploy error spike before recommending rollback.
Vercel/deploy reads real deployment status, build logs, and which commit is live (not just a single HTTP probe).
Supabase/deploy verifies migration state against the actual database to catch dashboard-vs-repo drift.

Add them with claude mcp add (or the /plugin browser). When connected, the skills detect the tools and use them; when not, they fall back to the built-in static checks.

Sprint Workflow

Ultraship skills chain into a structured sprint pipeline. Each phase produces artifacts that feed the next.

flowchart LR
    P["/write-plan<br/>Plan"] --> B["/execute-plan<br/>Build"]
    B --> T["TDD<br/>Test"]
    T --> R["/review + /secure<br/>Review"]
    R --> S["/ship + /deploy<br/>Ship"]
    S --> V["/canary<br/>Verify"]
    V --> RE["/retro + /learn<br/>Reflect"]

    style P fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style B fill:#3b82f6,stroke:#2563eb,color:#fff
    style T fill:#06b6d4,stroke:#0891b2,color:#000
    style R fill:#f59e0b,stroke:#d97706,color:#000
    style S fill:#10b981,stroke:#059669,color:#000
    style V fill:#84cc16,stroke:#65a30d,color:#000
    style RE fill:#ec4899,stroke:#db2777,color:#fff
PhaseSkillOutput
Plan/write-planImplementation plan with file map and test strategy
Build/execute-planWorking code on a feature branch
TestTDD skillPassing test suite
Review/review + /secureReview report, security scan
Ship/ship + /deployScorecard + production deploy
Verify/canaryPost-deploy health verification
Reflect/retro + /learnRetrospective + saved learnings

Run /sprint to follow the full pipeline, or run individual phases as needed.

Safety Guardrails

/guard activates PreToolUse hooks that block destructive commands before they execute:

flowchart LR
    CMD["Claude runs<br/>a command"] --> HOOK["PreToolUse<br/>Hook"]
    HOOK --> CHECK{"Destructive?"}
    CHECK -->|"rm -rf, DROP TABLE,<br/>git push --force,<br/>kubectl delete..."| BLOCK["BLOCKED"]
    CHECK -->|Safe| ALLOW["Allowed"]

    style HOOK fill:#f59e0b,stroke:#d97706,color:#000
    style BLOCK fill:#ef4444,stroke:#dc2626,color:#fff
    style ALLOW fill:#10b981,stroke:#059669,color:#000
  • rm -rf, DROP TABLE, TRUNCATE (data destruction)
  • git push --force, git reset --hard (git history destruction)
  • git clean -f, git checkout . (working directory destruction)
  • kubectl delete, docker system prune (infrastructure destruction)

Optional directory freeze restricts all file edits to a specific path. Explicitly confirmed actions always proceed.

Persistent Memory

Ultraship enforces a memory-first rule at session start. The SessionStart hook detects if you have a MEMORY.md file and instructs Claude to read it before performing any task. Context persists across sessions. No more repeating yourself about project state, deploy status, or decisions already made.

  • If MEMORY.md is found: Claude reads memory files before doing anything
  • If not found: Claude suggests setting up auto-memory for persistent context

No configuration needed. Just install the plugin.

SEO + AI Visibility

flowchart TD
    subgraph Data["Data Sources (optional API keys)"]
        GSC["Google Search Console<br/>Index status, rankings"]
        GA4["Google Analytics 4<br/>Traffic, AI referrals"]
        BING["Bing Webmaster<br/>Crawl, IndexNow, backlinks"]
    end

    subgraph Analysis["Intelligence Layer"]
        KW["keyword-intelligence<br/>12 commands"]
        IDX["index-doctor<br/>Diagnose + fix"]
        SCAN["seo-scanner<br/>63 rules"]
    end

    subgraph Output["Outputs"]
        STR["/seo-strategy<br/>90-day ranking plan"]
        FIX["/index-fix<br/>Auto-submit fixes"]
        SCORE["/seo<br/>SEO + GEO + AEO score"]
    end

    GSC --> KW
    GSC --> IDX
    GA4 --> KW
    BING --> IDX
    SCAN --> SCORE
    KW --> STR
    IDX --> FIX

    style GSC fill:#4285f4,stroke:#3367d6,color:#fff
    style GA4 fill:#e37400,stroke:#c56200,color:#fff
    style BING fill:#00809d,stroke:#006680,color:#fff
    style KW fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style IDX fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style SCAN fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style STR fill:#10b981,stroke:#059669,color:#000
    style FIX fill:#10b981,stroke:#059669,color:#000
    style SCORE fill:#10b981,stroke:#059669,color:#000

The SEO scanner checks 63 rules across three layers:

  • SEO (39 rules): meta tags, canonicals, heading hierarchy, alt text, OG tags, sitemap, robots.txt, structured data, analytics detection, cross-page duplicate titles/descriptions, orphan page detection, canonical conflicts, thin content, internal linking
  • GEO (20 rules): AI search visibility signals. Does robots.txt block GPTBot/PerplexityBot/ClaudeBot? Do nosnippet/max-snippet directives restrict AI citation eligibility? Is there llms.txt for AI discovery? Does structured data exist for AI extraction? These are verifiable technical signals, not ranking factor guesses.
  • AEO (4 rules): answer engine schema checks. FAQPage, HowTo, speakable, Article/BlogPosting. These are the structured data types that enable featured snippets and voice results. We check presence, not SERP performance.

Beyond the scanner, Ultraship connects to real APIs: GSC URL Inspection (actual index status), GA4 (actual AI referral traffic from ChatGPT/Perplexity/Copilot), Bing Webmaster (crawl status, IndexNow). Data-driven analysis, not estimates.

Dogfooding

/ship results on SaveMRR (Hono + React + Drizzle pnpm monorepo, 5 packages, 41 routes):

Backend + DashboardLanding (29 pages)
SEO + AI Visibility6352
Security100100
Code Quality7067
Bundle Size10092
Overall8378

227 findings: 1 N+1 query, 33 unused deps (dead shadcn/ui wrappers via import graph), 153 SEO issues, 1 memory leak, 1 heavy dep.

Security

All tools use execFileSync with array args (no shell interpolation). HTTP tools import tools/lib/security.mjs for SSRF protection (blocks private IPs, cloud metadata, non-HTTP schemes). 10MB file read cap. 5MB response cap. Secret values redacted in output. Zero telemetry.

See SECURITY.md.

Architecture

flowchart TD
    subgraph Plugin["ultraship plugin"]
        MANIFEST[".claude-plugin/<br/>plugin.json"]
        HOOKS["hooks/<br/>SessionStart + Currency Guard + Guard"]

        subgraph Core["Core Loop"]
            SKILLS["skills/<br/>45 markdown files"]
            AGENTS["agents/<br/>13 agent definitions"]
            COMMANDS["commands/<br/>16 command files"]
        end

        subgraph Runtime["Runtime"]
            TOOLS["tools/<br/>41 Node.js ESM scripts"]
            LIB["tools/lib/<br/>security.mjs, monorepo.mjs"]
        end
    end

    subgraph External["External (optional)"]
        MCP1["Context7 MCP<br/>Live docs"]
        MCP2["Playwright MCP<br/>Browser automation"]
        GSC2["GSC / GA4 / Bing<br/>APIs"]
    end

    COMMANDS --> SKILLS
    SKILLS --> AGENTS
    SKILLS --> TOOLS
    AGENTS --> TOOLS
    TOOLS --> LIB
    TOOLS --> GSC2
    SKILLS --> MCP1
    SKILLS --> MCP2

    style MANIFEST fill:#6b7280,stroke:#4b5563,color:#fff
    style HOOKS fill:#f59e0b,stroke:#d97706,color:#000
    style SKILLS fill:#8b5cf6,stroke:#7c3aed,color:#fff
    style AGENTS fill:#3b82f6,stroke:#2563eb,color:#fff
    style COMMANDS fill:#06b6d4,stroke:#0891b2,color:#000
    style TOOLS fill:#10b981,stroke:#059669,color:#000
    style LIB fill:#059669,stroke:#047857,color:#fff
    style MCP1 fill:#6b7280,stroke:#4b5563,color:#fff
    style MCP2 fill:#6b7280,stroke:#4b5563,color:#fff
    style GSC2 fill:#6b7280,stroke:#4b5563,color:#fff
  • Node.js ESM (type: module)
  • 1 dependency: htmlparser2 (SAX HTML parser, ~30KB)
  • Tools output JSON to stdout, exit 0 on success and failure (errors in JSON)
  • Skills reference tools via ${CLAUDE_PLUGIN_ROOT}/tools/<name>.mjs
  • No build step. No native bindings. No node-gyp.

Contributing

git clone https://github.com/Houseofmvps/ultraship.git
cd ultraship
npm test              # 180 tests, node:test
node tools/<tool>.mjs # Run any tool directly

Open an issue or submit a PR.

License

MIT


Built by Kailesk Khumar, founder of HouseofMVPs · Book a 30-min strategy call