Ultraship

<div align="center"> <img src="assets/hero-banner.jpg" alt="Ultraship — Claude Code Plugin" width="100%"/>

Claude Code plugin. 39 expert-level skills for building, shipping, and scaling production software. 33 audit tools (security, pentest, code quality, bundle size, SEO + AI Readiness check) close the loop before deploy.

---

Built by Kaileskkhumar, solo founder of houseofmvps.com

</div>

---

1 dependency (htmlparser2) · 180 tests · Node.js ESM · MIT

Install

# Claude Code plugin
claude plugin marketplace add Houseofmvps/ultraship
claude plugin install ultraship

# Or standalone via npx
npx ultraship ship .
npx ultraship seo .
npx ultraship security .

What it does

/ship runs 5 tools in parallel and outputs a scorecard:

+===========================================+
|      U L T R A S H I P   S C O R E       |
+===========================================+
|  SEO + AI Vis.  92/100  ############-    |
|  Security        95/100  ############-    |
|  Code Quality    88/100  ###########--    |
|  Bundle Size     97/100  ############-    |
+===========================================+
|   OVERALL         90/100                  |
|   STATUS          READY TO SHIP           |
+===========================================+

<details> <summary>Demo</summary> <img src="assets/demo.gif" alt="Ultraship — SEO audit, secret scanning, scorecard" width="100%"/> </details>

Tools (36)

Each tool is a standalone Node.js script (node tools/<name>.mjs). JSON output. Exit 0 always. No build step.

Auditing

| Tool | What it checks | |---|---| | seo-scanner | 63 rules: 39 SEO (meta tags, canonicals, headings, OG tags, structured data, sitemap, cross-page duplicate/orphan detection), 20 GEO (AI bot access in robots.txt, snippet restrictions, llms.txt, structured data for AI extraction), 4 AEO (FAQPage/HowTo/speakable schema) | | secret-scanner | AWS keys, Stripe keys, JWT secrets, database URLs, private keys. Redacts values in output. | | code-profiler | N+1 queries, sync I/O in handlers, unbounded queries, missing indexes, memory leaks, sequential awaits, ReDoS risk | | bundle-tracker | JS/CSS/image sizes in build output. Detects heavy deps (moment→dayjs, lodash→native). History for before/after. Monorepo-aware. | | dep-doctor | Unused dependencies via import graph analysis (not just grep). Dead wrapper files. Outdated packages. | | content-scorer | Flesch-Kincaid readability, keyword density, thin content detection, GEO heading analysis | | lighthouse-runner | Lighthouse via headless Chrome. Core Web Vitals, render-blocking resources, diagnostics. |

Validation

| Tool | What it checks | |---|---| | health-check | HTTP status, response time, SSL certificate (issuer, expiry), 6 security headers | | env-validator | Compares .env.example against actual .env. Catches missing/empty/placeholder vars. | | migration-checker | Pending DB migrations for Drizzle, Prisma, Knex | | og-validator | Open Graph tags, image reachability, size validation | | redirect-checker | Redirect chains, loops, mixed HTTP/HTTPS. Sitemap-based bulk check. | | api-smoke-test | Hit API endpoints, check status codes, response times, CORS headers |

Generators

| Tool | What it creates | |---|---| | sitemap-generator | sitemap.xml from HTML files and routes | | robots-generator | AI-friendly robots.txt (allows GPTBot, PerplexityBot, ClaudeBot) | | llms-txt-generator | llms.txt for AI assistant discoverability | | structured-data-generator | JSON-LD schema markup |

Competitive & Launch

| Tool | What it does | |---|---| | compete-analyzer | Compares two URLs: tech stack, SEO score, security headers, response time. ASCII comparison card. | | launch-prep | Reads project, generates PH/Twitter/LinkedIn/HN copy, 14-item checklist, press kit | | demo-prep | Finds console.logs, TODOs, placeholder text, missing favicons. Scores demo readiness. |

Operations

| Tool | What it does | |---|---| | incident-commander | Health check + git culprit analysis + error patterns + rollback commands + post-mortem template | | growth-tracker | Uptime, git velocity, SEO trajectory, dep health. Stores snapshots for week-over-week comparison. | | cost-tracker | Log AI token usage per feature/model. Built-in pricing for Claude, GPT-4o, Gemini. Daily trends. | | pentest-scanner | Automated penetration testing: XSS, SQLi, SSTI, command injection, path traversal, CORS, JWT, GraphQL introspection, prototype pollution, race conditions, request smuggling. Zero false positives, every finding has proof-of-concept. | | canary-monitor | Post-deploy canary monitoring: HTTP status, response time, error patterns, baseline regression detection. Auto-saves baselines for future comparison. | | retro-analyzer | Sprint retrospective: git velocity, commit patterns (features vs fixes), test health, hot files, shipping cadence. Generates insights and recommendations. | | learnings-manager | Project learnings CRUD: save, search, list, prune, export. Structured knowledge that compounds across sessions. |

Project Analysis

| Tool | What it does | |---|---| | onboard-generator | Auto-generates developer guide: stack, directory tree, routes, schema, env vars, Mermaid diagram | | architecture-mapper | 4 Mermaid diagrams: system overview, route tree, DB ER, data flow. Circular dependency + orphan detection. | | pattern-analyzer | Analyzes testing, error handling, TypeScript usage, CI/CD, git practices. Cross-repo comparison. | | audit-history | Saves/compares audit scores over time |

Integrations (optional)

| Tool | What it does | |---|---| | gsc-client | Google Search Console: submit sitemaps, inspect URLs, query rankings (requires ULTRASHIP_GSC_CREDENTIALS) | | bing-webmaster | Bing Webmaster: submit sitemaps/URLs, IndexNow instant push, keyword research, backlinks, site-scan, URL inspection (requires ULTRASHIP_BING_KEY). Powers ChatGPT Search + Microsoft Copilot. | | ga4-client | Google Analytics 4: overview, top-pages, landing-pages, traffic-sources, conversions, user-journey, devices, realtime, ai-traffic (ChatGPT/Perplexity/Copilot tracking), organic (search-only). --organic flag. | | keyword-intelligence | 12-command keyword engine: analyze, quick-wins, cannibalization, content-gaps, intent-map, trending, high-intent, page-keywords, content-decay, difficulty, anomalies (CTR anomalies), cross-reference (GSC↔GA4). --brand flag for non-brand filtering. | | index-doctor | Index diagnosis: inspect URLs via GSC URL Inspection API, diagnose 15+ coverage states, auto-fix and submit to Bing. |

Commands (36)

Slash commands available inside Claude Code after installing the plugin:

| Command | Description | |---|---| | /sprint | Sprint workflow. Structured pipeline from plan → build → test → review → ship → verify | | /investigate | Root cause investigation. Structured debugging with module freeze, no fixes without evidence | | /learn | Project learnings. Save, search, prune, export knowledge that compounds across sessions | | /guard | Safety guardrails. Blocks destructive commands, optionally restricts edits to a directory | | /retro | Sprint retrospective. Git velocity, commit patterns, test health, shipping cadence | | /canary | Post-deploy canary. Verify production health, detect regressions after deployment | | /pentest | Penetration testing. Hack-test your app (web, API, browser, GitHub, local code) | | /ship | Pre-deploy scorecard. Runs 5 tools, scores 4 categories | | /seo | SEO audit (63 rules) + AI visibility checks (bot access, snippet restrictions, schema) | | /secure | Secret scanning + OWASP patterns + npm audit | | /perf | Lighthouse + bundle size | | /deploy | Env check → migration check → build → deploy → health check | | /review | Code review with confidence-scored findings | | /health | Production health check | | /compete | Compare your site vs a competitor | | /launch | Generate launch copy + checklist + press kit | | /rescue | Incident diagnostics + rollback commands | | /grow | Growth metrics over time | | /cost | AI build cost tracking | | /onboard | Generate developer onboarding guide | | /architecture | Ge