Until yesterday, using Whet meant going to the site, pasting a prompt, reading the output. A tool you visit. You remember when you remember. Starting today, you run npx @trywhet/cli prompt.txt from anywhere. Small surface difference. I think it's a big difference in nature.

Products live in tabs. Tools live in workflows.

A prompt linter on a website teaches when a user remembers to visit it. Even with a good site, that's not much. The thing that breaks this pattern is the same thing that broke it for code quality twenty years ago: stop depending on human memory, let the check run on its own rhythm.

Think back to 2005 running a linter on code. Nobody did. The people who did were seen as neurotic. Today it's default — runs on save, runs on pre-commit, runs in CI. Adoption went total because the cost of integrating dropped to near zero. One command and it's there.

My bet is prompts follow the same curve. We haven't normalized it yet, but the signal is there — every serious agent pipeline has someone thinking "what if this instruction is misoriented." The obvious answer is to automate the question. That's what @trywhet/cli is trying to be.

The details that matter: exit code 0 for score ≥ 90, 1 for 60–89, 2 below 60. Wire it into a pre-commit hook and only clean prompts ship. The --json flag returns full structured analysis. Pipe it into CI, into a workflow, wherever.

And yes, npm in 2026 is a bit weird

I tried to publish and got 403 — Two-factor authentication required. Went to check: my account didn't have 2FA enabled. I turned it on. npm gave me recovery codes and nothing else — no option to configure an authenticator app. I thought I'd done something wrong.

I hadn't. In September 2025 npm deprecated TOTP (Google Authenticator, Authy, and similar) for new setups. It only accepts passkeys now — Windows Hello, Touch ID, physical keys like YubiKey. This wasn't announced with much fanfare. If you're publishing something to npm in 2026 and never set up 2FA before, you're in for that surprise.

I used a recovery code as OTP to unblock the publish. It works — recovery codes double as single-use OTPs. Burns one of the five you get, regenerate when empty. Inelegant, but it resolves.

The useful takeaway: if you have a recurring publish workflow, generate a granular access token with "Bypass 2FA" scoped to your package. That's the clean route for CI and automation without OTP drama on every release.

The side effect I didn't plan for

Agents can also use Whet now, with no extra work on my side. The JSON output parses in any language. A Python agent can run subprocess.run(["npx", "@trywhet/cli", "--json", "-"]), grab the score, decide whether to rewrite the prompt before handing it to another model. An MCP server is the natural next step for Claude/Cursor, but the CLI already covers a solid chunk of the use case.

When I started Whet, I pictured humans pasting prompts and reading suggestions. The idea that the same interface serves AI agents auditing their own prompts wasn't in the original plan. It's the kind of usage that only surfaces once you expose the thing in programmatic form.

End

npx @trywhet/cli prompt.txt. That's it.

If you want to try it quickly:

echo "You are the world's best lawyer. ALWAYS cite sources." | npx @trywhet/cli -

Paste that into your terminal (one line — works the same in bash, zsh, PowerShell, and cmd). It returns the prompt diagnosis plus a meta-prompt for rewriting, ready to paste into any LLM. Free, analysis runs offline, no signup.

If it works as a CI check on your team, tell me at hello@trywhet.com. If it doesn't, tell me too.