Command-line QA
curl tells you the server answered. Prufa loads the page
like a user, runs the flows, and returns a graded verdict with
evidence — from one command in your terminal.
No signup, no card. Public URL in, shareable report out.
We pointed this exact audit at 49 Show HN launches — 38 of 49 had a critical bug on day one.
A curl or wget one-liner returns an HTTP
status code. That's an uptime ping, not a test — a 200 OK can still
ship a broken signup form, a tracking tag that never fires, or a layout
that overflows 103px on a phone. None of that shows up in a status code.
Prufa is different by construction. Point it at a URL and an LLM-backed agent loop drives a real browser — clicking, navigating, filling forms — while a plain-code harness records every network request, console error, cookie, and response code and grades that captured evidence against a fixed spec. The model navigates; it never decides whether your site passed. That separation is why the verdict is reproducible: same input, same result, regression-tested against a golden fixture. (More on the split: the LLM navigates, plain code verifies.)
Three steps, no script to write. The same engine backs the dashboard, the MCP server, and how a flow run is verified end to end.
prufa audit https://yoursite.com — or skip the install entirely and POST the URL to the public API with curl. No key and no card for the anonymous audit.
A real browser session loads your public pages and walks them; the harness captures network traffic, console output, cookies, and status codes the whole time.
Findings come back tiered. Verified findings are machine-checked facts with a mono evidence line; advisory observations are kept separate and never phrased as “broken.” Only verified findings move the six section grades — there is no fake 0–100 score.
Two real, copy-pasteable paths. Path A is the proven zero-install route
— the public API. Path B is the prufa command for CI
ergonomics: JSON on stdout, exit codes you can gate on.
The prufa CLI is deliberately thin: every command is a typed
wrapper over the public HTTP API,
so anything the dashboard does, the CLI does. If you'd rather install a
package, the
MCP server
(pip install prufa-mcp) is the packaged agent surface today;
or run the free website audit
in a browser — the anonymous audit above needs nothing installed at all.
Findings come back in two tiers, kept strictly apart. Verified findings are the machine's voice — a green ✓ and a mono evidence line. Advisory observations are an LLM opinion, excluded from every severity count and grade, and never phrased as “broken.”
Verified — machine-checked facts
tracking.none_detected · / · 14:22:07Z
You can't see who converts or where they drop. The single most common critical in our June 2026 audit of 49 Show HN launches — 38 of 49 sites.
security.missing_csp · response headers · 14:22:09Z
Any injected script runs with full privileges. In a companion June 2026 audit, 11 of 14 launches shipped no CSP at all.
Advisory — an LLM opinion, never a verdict
Advisory — an LLM read of the page, excluded from every severity count and grade. Not a verdict.
No. curl confirms the server replied; Prufa renders the
page in a real browser and grades captured evidence — network beacons,
console errors, cookies, the DOM, six sections from performance to
compliance. Where curl wins: a bare uptime ping is faster,
has zero dependencies, and is the right tool if all you need is “is it up?”
Straight answer: the prufa command is v0.1.0.
The core verb — prufa audit — is solid, and the whole CLI
is a thin wrapper over a versioned, OpenAPI-published API, so it can't
drift from the product. The surface is small and growing. If you don't
want to install anything, the one curl call above does the
same audit today; the packaged agent surface is the MCP server
(pip install prufa-mcp).
It can gate on whether the run completed out of the box:
prufa audit exits 0 on success, 1 on failure/timeout, 2 on
a bot-wall, 3 on a bad URL. To fail on actual findings, pipe the JSON
report to jq and gate on the verified critical count
yourself. Where Playwright-in-CI wins: if you want to assert one exact
behavior you've already scripted, a hand-written test is more precise
than a full audit.
The questions CI engineers and agent operators ask before they wire a QA audit into the terminal.
Point the engine at a public URL. With zero install, one call does it: curl -X POST https://prufa.dev/api/v1/audits -H 'content-type: application/json' -d '{"url":"https://yoursite.com"}' returns a report URL and an SSE progress stream — no key, no card. For richer output and exit codes, the prufa audit <url> command wraps the same API and prints the JSON report to stdout.
Yes, with one honest caveat. prufa audit exits 0 when the run completes, 1 on failure or timeout, 2 when a bot-wall blocks it, and 3 on a bad URL — so the exit code tells you whether the audit ran, not whether your site is clean. To fail a build on actual bugs, parse the JSON report (pipe to jq) and gate on the verified critical count yourself.
curl returns an HTTP status code: it tells you the server answered, not that the page works. Prufa's CLI loads the URL in a real browser, captures network traffic, console errors, cookies and the DOM, and grades that evidence into six sections from performance to compliance. A 200 OK can still ship a broken signup, a dead analytics tag, or a 103px mobile overflow — curl sees none of that.
Yes. Prufa's architecture is agentic navigation plus deterministic verification: an LLM-backed agent loop drives the browser, and plain code records the traffic and grades it against a spec — the model never decides whether your site passed. prufa flow create <url> --test "..." compiles a plain-English test case into a reviewable spec, and prufa gremlin <url> runs a chaos persona that poke-tests the app while detectors verify what breaks.
Paste a public URL, get a shareable report. Free audits stay free. Monitors, plain-English flows, and Gremlin chaos runs are on the paid tiers.