`crimes@0.9.2` — Emoji Severity Glyphs
Draft release notes for the GitHub Release tagged
v0.9.2. The body below is what should go in the Releases page when you cut the tag — that triggers.github/workflows/release.ymland publishes to npm via Trusted Publishing.
crimes@0.9.2 is a UX-only patch that adds a single emoji severity
glyph to the start of each finding in the human-readable report, plus
the metadata housekeeping after the repository moved from
andrewfantastic/crimes to ortomate/crimes.
- Severity glyphs in the human report. 🚨 high · ⚠️ medium · 🔎 low
prefix every finding’s title line and the matching severity
heading. ✅ / ❌ on the
--fail-ongate line. ✨ on the “No crimes detected” empty-state line. Suppressed when stdout isn’t a TTY, whenNO_COLORis set, or when--no-coloris passed — JSON output, CI logs, and piped invocations stay emoji-free. - Repository moved to
ortomate/crimes.repository.urlandbugs.urlin the publishedcrimespackage now point at the new GitHub org; every documentation deep link follows. The npm Trusted Publisher config was updated to the new org in the same cut-over — this release is the OIDC handoff verification.
No new detectors. No schema change. Finding wire format
byte-identical to 0.9.1.
What shipped
Section titled “What shipped”Severity glyphs
Section titled “Severity glyphs”The human report’s severity heading and each finding’s title line now
lead with a single glyph chosen by finding.severity:
🚨 HIGH severity (4) 🚨 1. src/billing.ts:50-253 (generateInvoice) Charge: God Function Summary: …
⚠️ MEDIUM severity (8) ⚠️ 1. src/components/PageHeader.tsx Charge: …
🔎 LOW severity (12) 🔎 1. …The --fail-on gate line gets ✅ on pass and ❌ on fail:
✅ OK: no findings at or above "high" severity in the changed set.❌ FAILED: at least one finding at or above "medium" severity in the changed set.And the empty case gets ✨:
✨ No crimes detected. Suspiciously clean.Glyphs are chosen for severity, not decoration. The mapping is fixed
across all reports that go through renderFinding — crimes scan,
crimes context, crimes diff, crimes verdict, crimes baseline check, crimes audit-suppressions. JSON output never goes through
this renderer, so the structured contract is unaffected.
Suppression — when glyphs do not appear
Section titled “Suppression — when glyphs do not appear”The emoji layer follows the same gate as ANSI colour. All three of these turn glyphs off:
--no-coloron the command line.NO_COLOR=1in the environment.- Stdout is not a TTY (piped output, redirected to a file, captured by another process, CI logs).
This means crimes scan | tee and crimes scan > report.txt produce
the same plain text as 0.9.1, and CI log captures stay diff-clean
against pre-0.9.2 baselines.
Repository moved to ortomate/crimes
Section titled “Repository moved to ortomate/crimes”The repo transferred from
github.com/andrewfantastic/crimes
to
github.com/ortomate/crimes.
GitHub installs an automatic redirect, so existing links keep
working — but three follow-ups landed:
repository.urlandbugs.urlinpackages/cli/package.jsonnow point at the new URL. The npm “Repository” sidebar link andnpm bugs crimesfollow on this release.- Every documentation deep link across
README.md,packages/cli/README.md(the npm-rendered README),CLAUDE.md,CONTRIBUTING.md,docs/,apps/website/landing/index.html, andapps/website/landing/llms.txtwas rewritten in one sweep. - npm Trusted Publisher config was updated to the new org. Trusted Publishing matches OIDC subjects on exact repo path, so the first release after the transfer is the verification the handoff worked. This release is that test.
Two frozen eval-result JSONs
(evals/results/0.7.4/codex/refactor-01-large-file.json and
evals/results/0.7.8/codex/context-01-locale-drift.json) still
contain the old URL — inside agent-produced strings. Those are
deliberately not rewritten so the historical record of what the
agent actually said stays intact.
Release checklist gap closed
Section titled “Release checklist gap closed”docs/releasing.md Step 2 (“Update changelogs
and docs”) previously listed docs/roadmap.md and the JSON schema
files but not the two READMEs. That gap is why 0.9.0 and 0.9.1
shipped with the root README still showing 0.8.1 status. Step 2
now explicitly requires README.md,
packages/cli/README.md, docs/roadmap.md,
docs/releases/vX.Y.Z.md, apps/website/landing/llms.txt, and
apps/website/landing/index.html to reflect the new version
before the GitHub Release is cut.
What’s not in 0.9.2
Section titled “What’s not in 0.9.2”- No
schema_versionbump. TheFindingwire format is byte-identical to0.9.1. - No new detectors. Detector count unchanged at 48.
- No new commands. No new flags.
- No package dependency changes.
- No eval baseline change. Emoji affect only human render;
findings, scores, and JSON output are untouched, so the eval
scorer reads the same inputs as
0.9.1.
Upgrading
Section titled “Upgrading”npm install -g crimes@0.9.2crimes --version # 0.9.2crimes scan . # see the glyphs in an interactive terminalNo action needed for existing users. Scripts that scrape the human
report should already be on --format json; if any read the
rendered text, the single-glyph prefix at the start of severity
headings and finding title lines is the only line-level change. The
gate line (“OK” / “FAILED”) and the empty-state line each gain a
two-character glyph prefix.
To opt out: any one of --no-color, NO_COLOR=1, or piping output
to a non-TTY consumer suppresses the entire emoji layer.
Notable links
Section titled “Notable links”docs/releases/v0.9.1.md— the previous release.packages/reporter/src/human/shared.ts—SEVERITY_GLYPHmap,severityGlyph()helper, and the suppression gate.packages/reporter/src/human/scan.ts— severity heading +formatScanFailOnLineglyph wiring.docs/releasing.md— release checklist with the closed README gap.