▮ AgenticCLI — local-first business critical tooling for the agentic era
ShipGuard scans your code locally before every deploy. Secrets, broken auth, unverified webhooks, SQL injection, debug flags in production. Local checks are free, unlimited, and private — your code never leaves your machine.
Claude Code, Codex, Cursor — or any CLI, hook or CI. It reads exit codes natively, so your agent acts on the result.
live
The release gate for AI-built apps. Five deterministic checks for the mistakes Claude Code, Codex and Cursor actually make — run locally, in about two seconds, before anything ships.
Agents ship code faster than any human review can keep up. ShipGuard wraps the agent loop in a deterministic security gate — so the bugs never reach production.
without a harness
with ShipGuard
The places AI agents actually break production — tuned to the mistakes Claude Code, Codex and Cursor make most. Framework-aware, not just regex.
Hardcoded API keys, tokens and credentials — before they reach your git history.
Unprotected admin routes, missing guards and broken session checks.
Unverified webhooks and missing signature checks on Stripe & friends.
SQL injection, unsafe queries and destructive or exposed migrations.
Debug flags, source maps and dev config shipped to production.
What makes a security gate work for agents — and why each property is load-bearing.
agent-native
Your agent scans, reads structured findings, applies each fix, and re-scans until exit 0. No dashboard, no alert queue — the entire interface is stdout and a return code.
deterministic
Same code → same score → same exit code. Every time, on every machine. An LLM gives three different answers to the same question — ShipGuard gives one, and your agent can trust it enough to branch on it without asking a human.
local-first
Free scans are fully offline — no network, no account. Pro scans connect once to download rule bundles via an authenticated edge gateway, then scan locally. Either way, no code, file paths, or file contents are ever transmitted. Rules come down. Code never goes up.
framework-aware
ShipGuard understands Next.js App Router routes, Supabase RLS migrations, Stripe webhook handlers, and Firebase security rules. It knows that route.ts in app/api/ is a public endpoint — not just a file with a string in it.
one command
No config files. No account. No setup wizard. One npx command and ShipGuard scans your project — locally, privately, in seconds.
/loop
Every coding agent runs a loop: reason → act → observe → repeat. ShipGuard is the observe step — the deterministic checkpoint between "the agent wrote code" and "the code ships." It returns structured findings the agent can reason about and act on in the next iteration, closing the loop without a human in the middle.
hooks
A CLAUDE.md instruction is a hope. A hook is a guarantee. Wire ShipGuard as a PreToolUse hook or a pre-push git hook and it fires deterministically at the boundary between "agent wants to push" and "code leaves your machine." Exit 2 blocks. The agent doesn't get a vote.
/goal
Goal-based loops need an objective stop condition — not "does this look safe?" but a binary yes/no the agent can check deterministically. ShipGuard's exit 0 is that condition. The agent's goal becomes: "get to exit 0." It can iterate autonomously — scan, fix, re-scan — with a clear, machine-verifiable definition of done.
The free gate catches the obvious. Pro catches the rest — always-current detection rules, deep stack coverage, and cloud-delivered updates your agent gets automatically.
free — catches the common, high-severity mistakes agents make most: hardcoded secrets, unverified webhooks, unguarded routes
pro — catches the complex workflows, framework-specific patterns & more
always-current
live threat-intel corpus
Cloud-delivered rule bundles — updated continuously without a CLI upgrade. New AI-code attack class observed today, the rule that catches it is in your gate tomorrow. Free corpus lags by design; Pro is always current.
deep stack coverage
web · database · auth · secrets · supply chain
Rules that understand your tech stack — web frameworks, database ORMs and migrations, authentication providers, secret patterns, and supply chain dependencies. Pro goes deeper than the free modules into stack-specific failure modes that basic pattern matching can't reach.
shipguard.policy.yml
custom policy files
Define which findings block, which warn, and which paths to ignore — per project. Your policy travels with your repo and your agent respects it automatically.
No credit card. No account required for the free tier. Simple pricing — the local gates stay free forever.
$0 forever
Unlimited local scans on every push — for every solo builder and agent.
$19 /mo
month-to-month · no annual option
For the solo builder who wants cloud rules without a CI gate.
$29 /mo
The full gate — deep backend-as-a-service (Supabase, Firebase) checks and a CI gate, for shipping in earnest.