{
  "schemaVersion": "1",
  "tier": "free",
  "version": "0.4.0",
  "freeRuleCount": 33,
  "generated": "2026-06-26",
  "note": "This is the free-tier rule catalog bundled with @agenticcli/shipguard. The Pro tier adds 200+ additional patterns that are fetched at scan time.",
  "modules": [
    {
      "id": "secrets",
      "name": "Secrets Detection",
      "purpose": "Detects hardcoded API keys and committed .env files",
      "ruleIds": [
        "hardcoded_secret",
        "secrets",
        "exposed_env"
      ],
      "patterns": [
        "OpenAI sk-proj-* keys",
        "Anthropic sk-ant-* keys",
        "Stripe sk_live_* keys",
        "AWS/GCP/GitHub tokens",
        "committed .env files"
      ]
    },
    {
      "id": "auth",
      "name": "Auth & Session Protection",
      "purpose": "Catches unprotected admin, dashboard, billing, and account routes",
      "ruleIds": [
        "auth",
        "public_admin_route",
        "auth_route_without_guard"
      ],
      "patterns": [
        "Next.js App Router unprotected sensitive paths",
        "Express/Fastify routes without auth middleware"
      ]
    },
    {
      "id": "payments",
      "name": "Payment & Webhook Security",
      "purpose": "Detects Stripe/Razorpay webhook vulnerabilities and missing idempotency/error handling",
      "ruleIds": [
        "payments",
        "payment_webhook_without_signature_check",
        "missing_idempotency",
        "missing_error_handling"
      ],
      "patterns": [
        "Stripe webhook without constructEvent",
        "missing stripe-signature header",
        "webhook missing idempotency",
        "missing error handling in payment flows"
      ]
    },
    {
      "id": "database",
      "name": "Database Migration Safety",
      "purpose": "Flags destructive SQL operations in migration files",
      "ruleIds": [
        "database",
        "db-drop-table",
        "db-drop-column",
        "db-truncate",
        "db-delete-without-where",
        "db-alter-drop",
        "db-push-in-scripts",
        "db-schema-without-migration"
      ],
      "patterns": [
        "DROP TABLE without transaction",
        "DELETE FROM without WHERE",
        "TRUNCATE statements",
        "drizzle-kit push in production scripts"
      ]
    },
    {
      "id": "deployment",
      "name": "Deployment Configuration",
      "purpose": "Catches CORS wildcards, exposed source maps, Docker misconfigurations, and missing security headers",
      "ruleIds": [
        "deployment",
        "deployment_cors_wildcard",
        "deployment_source_maps_exposed",
        "deployment_missing_x_frame_options",
        "deployment_missing_x_content_type",
        "deployment_docker_root_user",
        "deployment_docker_unpinned_image",
        "deployment_compose_unpinned_image",
        "deployment_vercel_broad_rewrite",
        "deployment_vercel_missing_headers",
        "deployment_netlify_missing_headers",
        "deployment_missing_env_example",
        "deployment_env_undocumented_keys",
        "deployment_config_cors_wildcard_origin",
        "deployment_config_debug_mode"
      ],
      "patterns": [
        "CORS Access-Control-Allow-Origin: *",
        "productionBrowserSourceMaps: true",
        "Docker USER root",
        "unpinned :latest images",
        "Vercel wildcard rewrites without auth",
        "missing X-Frame-Options / X-Content-Type-Options headers",
        "missing .env.example",
        "debug mode enabled in production config"
      ]
    }
  ]
}