From 054cb5886378d6478b2b29b515966b49a8fb1911 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 2 Jun 2026 21:08:17 +0000 Subject: [PATCH] docs: correct README/launch-post to match actual CLI and score semantics MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two user-facing documentation bugs where the docs contradicted the code: - The SARIF example used `--output=sarif`, but the CLI only accepts `--format=`. The documented command errors with `Unknown flag "--output=sarif"` and exits 2. Fixed to `--format=sarif` in both README.md and dev-to/launch-post.md. - The README's programmatic example described `report.score` as "0–100 risk score (lower = riskier)", which is inverted. The code is unambiguous: scorer.ts ("Higher score = more risk"), types.ts ("0 (safest) – 100 (most risk)"), and scanner.ts (`passed = score < 50`). A CI gate built from the old comment would invert pass/fail logic. Verified: vulnerable example -> score 100/failed, secure -> 0/passed. Docs-only; no production code changed. --- README.md | 4 ++-- dev-to/launch-post.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e240bfe..60f7940 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ npx @hailbytes/mcp-security-scanner ./mcp-config.json npx @hailbytes/mcp-security-scanner https://my-mcp-server.example.com # Output SARIF for GitHub Code Scanning + fail on findings -npx @hailbytes/mcp-security-scanner ./config.json --output=sarif --exit-code +npx @hailbytes/mcp-security-scanner ./config.json --format=sarif --exit-code ``` ### Programmatic 
@@ -49,7 +49,7 @@ import { scan } from "@hailbytes/mcp-security-scanner"; const report = await scan({ configPath: "./mcp-config.json" }); console.log(report.findings); // Finding[] — individual security issues -console.log(report.score); // 0–100 risk score (lower = riskier) +console.log(report.score); // 0–100 risk score (higher = riskier; 0 is safest) console.log(report.passed); // boolean — use as CI gate ``` diff --git a/dev-to/launch-post.md b/dev-to/launch-post.md index b173bee..60a9b83 100644 --- a/dev-to/launch-post.md +++ b/dev-to/launch-post.md @@ -41,7 +41,7 @@ npx @hailbytes/mcp-security-scanner ./mcp-config.json npx @hailbytes/mcp-security-scanner https://my-mcp-server.example.com # SARIF output + fail the build -npx @hailbytes/mcp-security-scanner ./config.json --output=sarif --exit-code +npx @hailbytes/mcp-security-scanner ./config.json --format=sarif --exit-code ``` ## Programmatic
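Review bot: In the README.md `@@ -38,7 +38,7 @@` hunk the flag fix is correct per the commit message, but nothing in the patch stops the same drift from recurring; since the commit message states the old command fails with `Unknown flag "--output=sarif"` and exit code 2, suggest adding a CLI smoke test that executes the documented `--format=sarif --exit-code` invocation so a future flag rename breaks CI instead of the README.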
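Review bot: In the README.md `@@ -49,7 +49,7 @@` hunk the new comment `// 0–100 risk score (higher = riskier; 0 is safest)` fixes the direction but still leaves the pass threshold undocumented; the commit message says `report.passed` is computed as `score < 50` in scanner.ts, so the `report.passed` line (`// boolean — use as CI gate`) should state that threshold explicitly, otherwise a reader gating on `score` directly has to rediscover it from the source, which is exactly the class of mismatch this patch is fixing.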
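Review bot: In the dev-to/launch-post.md `@@ -41,7 +41,7 @@` hunk only the `--output=sarif` flag is corrected, yet the trailing context shows the post also has a `## Programmatic` section; the commit message says the inverted `report.score` comment was fixed in README.md only, so please confirm the launch post's programmatic example does not carry the same `(lower = riskier)` comment, and if it does, fix it in this patch so the two documents stay consistent.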