ai-saas-guard 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ai-saas-guard contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,285 @@
+<h1 align="center">ai-saas-guard</h1>
+
+<p align="center">
+  <strong>Local-first launch preflight for AI-built SaaS apps.</strong>
+</p>
+
+<p align="center">
+  Find the auth, billing, data-access, secret, MCP, and deploy surfaces a human should review before launch or merge.
+</p>
+
+<p align="center">
+  <a href="https://github.com/zr9959/ai-saas-guard/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/zr9959/ai-saas-guard/actions/workflows/ci.yml/badge.svg"></a>
+  <a href="LICENSE"><img alt="License: MIT" src="https://img.shields.io/badge/license-MIT-blue.svg"></a>
+  <a href="package.json"><img alt="Node.js >=20" src="https://img.shields.io/badge/node-%3E%3D20-339933.svg"></a>
+  <a href="docs/release-quality-knowledge-base.md"><img alt="Release gate documented" src="https://img.shields.io/badge/release%20gate-documented-0f766e.svg"></a>
+</p>
+
+---
+
+## What It Does
+
+`ai-saas-guard` is a command-line launch preflight for founders, solo builders, and reviewers shipping SaaS apps with AI coding tools.
+
+It answers one narrow question:
+
+> What changed in auth, billing, data access, secrets, MCP tools, or deploy config that deserves human review first?
+
+It is built for common AI-SaaS stacks:
+
+- Next.js and Vercel
+- Supabase row-level security and storage policies
+- Stripe checkout, subscriptions, and webhooks
+- Prisma or SQL migrations
+- MCP server configuration
+- AI-generated pull requests with large mixed diffs
+
+It is intentionally evidence-first. Findings include a rule ID, severity, file evidence, why it matters, how to verify it, and a fix direction.
+
+## Current Status
+
+This repository is public on GitHub.
+
+The first GitHub release and Action tag are `v0.1.0`; the npm-ready patch release is `v0.1.1`. The npm package is not published yet, so run the CLI from source for now. If you need stricter supply-chain pinning in CI, pin the GitHub Action to a reviewed commit SHA instead of a mutable tag.
+
+| Area | Status |
+| --- | --- |
+| Public GitHub repository | Available |
+| Local CLI from source | Available |
+| JSON and SARIF output | Available |
+| Composite GitHub Action | Available |
+| Versioned Action tags | `v0.1.1` |
+| npm package | Not published yet |
+
+## Quick Start From Source
+
+```bash
+git clone https://github.com/zr9959/ai-saas-guard.git
+cd ai-saas-guard
+npm ci
+npm run build
+node dist/cli.js scan --root /path/to/your-saas
+```
+
+Run focused checks:
+
+```bash
+node dist/cli.js pr-risk --root /path/to/your-saas --base origin/main
+node dist/cli.js check-supabase --root /path/to/your-saas
+node dist/cli.js check-stripe --root /path/to/your-saas
+node dist/cli.js check-mcp --root /path/to/your-saas
+```
+
+Machine-readable output:
+
+```bash
+node dist/cli.js scan --root /path/to/your-saas --json
+node dist/cli.js scan --root /path/to/your-saas --sarif > ai-saas-guard.sarif
+node dist/cli.js scan --root /path/to/your-saas --fail-on high
+```
+
+## Example Finding
+
+Terminal output is designed to be useful to a reviewer, not just a scanner dashboard.
+
+```text
+[HIGH] Stripe webhook lacks obvious duplicate event idempotency
+Rule: stripe.webhook.missing-idempotency
+Why: Stripe can retry and deliver duplicate events; without storing processed event IDs, access grants and revocations can drift.
+Verify: Replay the same Stripe event ID twice and confirm the second delivery does not create duplicate fulfillment or inconsistent state.
+Fix direction: Persist processed Stripe event IDs and make entitlement updates idempotent around event ID and subscription/customer IDs.
+Evidence:
+- app/api/stripe/webhook/route.ts:41 -> switch (event.type) {
+```
+
+## What It Checks
+
+| Surface | Examples of risks it flags |
+| --- | --- |
+| Secrets and env | Secret-like values, risky `NEXT_PUBLIC_*` exposure |
+| Stripe | Missing webhook route, unsigned webhook handling, parsed-body signature risk, missing idempotency, missing failure/cancel/update/refund paths |
+| Supabase | RLS disabled on sensitive tables, `USING (true)`, missing ownership filters, public storage hints |
+| API routes | Auth checks without obvious ownership guards, missing rate-limit hints on sensitive mutation routes |
+| MCP | Plaintext secrets, non-localhost binds, broad filesystem/write access, shell tools, raw SQL tools |
+| Deploy config | Next static export/runtime mismatches, Edge runtime with Node-only APIs, missing important env documentation |
+| PR risk | Auth, billing, RLS, env, deploy, API, storage, test-removal, and large mixed-diff classification |
+
+See [docs/rules.md](docs/rules.md) for the full rule map.
+
+## The Main Bet: PR Risk Triage
+
+Most scanners start with "scan the whole repository." `ai-saas-guard` can do that, but its sharper wedge is pull request review.
+
+AI-generated PRs often combine unrelated work:
+
+- UI polish
+- auth/session changes
+- database migrations
+- Stripe checkout edits
+- Supabase policies
+- Vercel config
+- removed or weakened tests
+
+`pr-risk` classifies the current diff and returns:
+
+- top risky files to review first
+- sensitive categories touched by the PR
+- review-first checklist
+- suggested PR split
+- required tests or manual verification
+
+```bash
+node dist/cli.js pr-risk --root /path/to/your-saas --base origin/main --json
+```
+
+## Commands
+
+| Command | Purpose |
+| --- | --- |
+| `scan` | Broad local launch preflight across secrets, Stripe, Supabase, MCP, API routes, and deploy config |
+| `pr-risk` | Classify the current git diff or a base branch diff for review priority |
+| `check-supabase` | Inspect migrations and policy files for RLS and ownership risks |
+| `check-stripe` | Inspect webhook handlers and billing lifecycle coverage |
+| `check-mcp` | Inventory MCP configs and classify side effects |
+
+## GitHub Action
+
+The repo includes a composite Action. Use the latest release tag or pin a reviewed commit SHA for stricter supply-chain control:
+
+```yaml
+name: ai-saas-guard
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  preflight:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6.0.2
+        with:
+          fetch-depth: 0
+      - uses: zr9959/ai-saas-guard@v0.1.1
+        with:
+          command: pr-risk
+          root: ${{ github.workspace }}
+          base: origin/main
+          fail-on: high
+```
+
+For SARIF upload:
+
+```yaml
+      - uses: zr9959/ai-saas-guard@v0.1.1
+        with:
+          command: scan
+          format: sarif
+          output: ai-saas-guard.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ai-saas-guard.sarif
+```
+
+For maximum reproducibility, replace `v0.1.1` with the full commit SHA from the release notes.
+
+## Ignore File
+
+Add `.ai-saas-guardignore` at the repository root to suppress generated fixtures, snapshots, vendored output, or known noisy paths:
+
+```gitignore
+fixtures/**
+snapshots/**
+vendor/generated/**
+```
+
+Use this sparingly. The goal is not to hide launch blockers; it is to keep reports focused enough that reviewers act on them.
+
+## Privacy Model
+
+`ai-saas-guard` is designed to be safe to run against private local repositories.
+
+- Runs locally.
+- Reads repository files and git diffs.
+- Makes no network calls during scan commands.
+- Does not upload code.
+- Requires no account or login.
+- Does not modify scanned repositories.
+- Redacts matched secret-like evidence.
+
+## What This Is Not
+
+This project deliberately avoids broad security claims.
+
+- It is not a pentest.
+- It is not a full SAST platform.
+- It does not prove your app is secure.
+- It does not replace manual two-account authorization testing.
+- It does not execute Stripe, Supabase, Vercel, or browser flows.
+- It does not inspect production settings unless they are represented locally.
+- It does not try to replace Semgrep, Gitleaks, TruffleHog, Bearer, CodeQL, or human review.
+
+## When To Use It
+
+Use `ai-saas-guard` when:
+
+- you are about to launch an AI-built SaaS MVP
+- you are reviewing a large AI-generated pull request
+- you added checkout, subscriptions, RLS, MCP tools, or deploy config
+- you want a local, readable checklist before asking a human to review
+- you need JSON or SARIF output for automation
+
+Do not use it as the only launch approval signal. Treat it as a preflight that helps you decide where to spend review time.
+
+## Development
+
+```bash
+npm ci
+npm test
+npm run build
+node dist/cli.js scan --root .
+```
+
+Before publishing a CLI update, GitHub Action update, npm package, plugin, or public repository change, follow [docs/release-quality-knowledge-base.md](docs/release-quality-knowledge-base.md).
+
+## Roadmap
+
+Open-source core:
+
+- local CLI
+- deterministic scanner rules
+- vulnerable and safe fixtures
+- JSON and SARIF output
+- GitHub Action wrapper
+- rule documentation
+
+Near-term priorities:
+
+- npm trusted publishing and provenance
+- PR comment summary mode
+- configurable severity and rule toggles
+- expanded Supabase RLS fixtures
+- Stripe webhook replay cookbook
+- SARIF upload workflow example
+
+Potential paid layer later:
+
+- hosted GitHub App
+- saved and shareable reports
+- PR comments and review-first annotations
+- scan history
+- team policy settings
+- deeper Stripe, Supabase, Vercel, and MCP integrations
+- optional human launch-readiness review
+
+The open-source CLI should remain useful on its own. Paid features should save time, preserve history, and integrate with team workflows.
+
+## Security
+
+Please read [SECURITY.md](SECURITY.md) before reporting vulnerabilities. Do not post real API keys, customer data, private source code, or production URLs in public issues.
+
+## npm Publishing
+
+The package name is prepared but not published yet. See [docs/npm-publishing.md](docs/npm-publishing.md) for the GitHub Actions provenance workflow and the required `NPM_TOKEN` or trusted-publisher setup.

package/action.yml

@@ -0,0 +1,100 @@
+name: AI SaaS Guard
+description: Run repo-local launch-readiness checks for AI-built SaaS apps.
+author: ai-saas-guard
+
+inputs:
+  command:
+    description: "Command to run: scan, check-supabase, check-stripe, check-mcp, or pr-risk."
+    required: false
+    default: scan
+  root:
+    description: Repository path to scan.
+    required: false
+    default: ${{ github.workspace }}
+  format:
+    description: "Output format: terminal, json, or sarif."
+    required: false
+    default: terminal
+  fail-on:
+    description: "Fail the workflow when findings meet this severity: critical, high, medium, low, info, or none."
+    required: false
+    default: none
+  base:
+    description: Base ref for pr-risk.
+    required: false
+    default: ""
+  output:
+    description: Optional path to write output while also keeping the command exit code.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Install ai-saas-guard action dependencies
+      shell: bash
+      run: npm ci
+      working-directory: ${{ github.action_path }}
+
+    - name: Build ai-saas-guard
+      shell: bash
+      run: npm run build
+      working-directory: ${{ github.action_path }}
+
+    - name: Run ai-saas-guard
+      shell: bash
+      env:
+        INPUT_COMMAND: ${{ inputs.command }}
+        INPUT_ROOT: ${{ inputs.root }}
+        INPUT_FORMAT: ${{ inputs.format }}
+        INPUT_FAIL_ON: ${{ inputs.fail-on }}
+        INPUT_BASE: ${{ inputs.base }}
+        INPUT_OUTPUT: ${{ inputs.output }}
+      run: |
+        set -o pipefail
+
+        case "${INPUT_COMMAND}" in
+          scan|check-supabase|check-stripe|check-mcp|pr-risk) ;;
+          *)
+            echo "Invalid command input: ${INPUT_COMMAND}" >&2
+            exit 2
+            ;;
+        esac
+
+        case "${INPUT_FORMAT}" in
+          terminal|json|sarif) ;;
+          *)
+            echo "Invalid format input: ${INPUT_FORMAT}" >&2
+            exit 2
+            ;;
+        esac
+
+        case "${INPUT_FAIL_ON}" in
+          none|critical|high|medium|low|info) ;;
+          *)
+            echo "Invalid fail-on input: ${INPUT_FAIL_ON}" >&2
+            exit 2
+            ;;
+        esac
+
+        args=("${INPUT_COMMAND}" "--root" "${INPUT_ROOT}")
+
+        if [ "${INPUT_FORMAT}" = "json" ]; then
+          args+=("--json")
+        elif [ "${INPUT_FORMAT}" = "sarif" ]; then
+          args+=("--sarif")
+        fi
+
+        if [ "${INPUT_FAIL_ON}" != "none" ]; then
+          args+=("--fail-on" "${INPUT_FAIL_ON}")
+        fi
+
+        if [ -n "${INPUT_BASE}" ]; then
+          args+=("--base" "${INPUT_BASE}")
+        fi
+
+        if [ -n "${INPUT_OUTPUT}" ]; then
+          node "${GITHUB_ACTION_PATH}/dist/cli.js" "${args[@]}" | tee -- "${INPUT_OUTPUT}"
+        else
+          node "${GITHUB_ACTION_PATH}/dist/cli.js" "${args[@]}"
+        fi

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,156 @@
+#!/usr/bin/env node
+import { resolve } from "node:path";
+import { checkMcp, checkStripe, checkSupabase, classifyPrRisk, scanRepository } from "./index.js";
+import { formatJsonReport } from "./report/json.js";
+import { formatSarifReport } from "./report/sarif.js";
+import { formatTerminalReport } from "./report/terminal.js";
+async function main(argv) {
+    const args = parseArgs(argv);
+    if (!args.command || args.command === "help") {
+        process.stdout.write(helpText());
+        return 0;
+    }
+    let report;
+    switch (args.command) {
+        case "scan":
+            report = await scanRepository({ rootDir: args.rootDir });
+            break;
+        case "check-supabase":
+            report = await checkSupabase({ rootDir: args.rootDir });
+            break;
+        case "check-stripe":
+            report = await checkStripe({ rootDir: args.rootDir });
+            break;
+        case "check-mcp":
+            report = await checkMcp({ rootDir: args.rootDir });
+            break;
+        case "pr-risk":
+            report = await classifyPrRisk({ rootDir: args.rootDir, base: args.base });
+            break;
+        default:
+            process.stderr.write(`Unknown command: ${String(args.command)}\n\n${helpText()}`);
+            return 2;
+    }
+    process.stdout.write(formatReport(report, args.format));
+    if (shouldFail(report, args.failOn)) {
+        process.stderr.write(`Failing because findings met --fail-on ${args.failOn}\n`);
+        return 1;
+    }
+    return 0;
+}
+function parseArgs(argv) {
+    const result = {
+        rootDir: process.cwd(),
+        format: "terminal"
+    };
+    for (let index = 0; index < argv.length; index += 1) {
+        const arg = argv[index];
+        if (index === 0 && !arg.startsWith("-")) {
+            result.command = arg;
+            continue;
+        }
+        if (arg === "--json") {
+            result.format = "json";
+            continue;
+        }
+        if (arg === "--sarif") {
+            result.format = "sarif";
+            continue;
+        }
+        if (arg === "--format") {
+            const value = argv[index + 1];
+            if (value !== "terminal" && value !== "json" && value !== "sarif") {
+                throw new Error("--format requires terminal, json, or sarif");
+            }
+            result.format = value;
+            index += 1;
+            continue;
+        }
+        if (arg === "--root" || arg === "--path") {
+            const value = argv[index + 1];
+            if (!value)
+                throw new Error(`${arg} requires a path`);
+            result.rootDir = resolve(value);
+            index += 1;
+            continue;
+        }
+        if (arg === "--fail-on") {
+            const value = argv[index + 1];
+            if (!isFailOnValue(value))
+                throw new Error("--fail-on requires critical, high, medium, low, info, or none");
+            result.failOn = value;
+            index += 1;
+            continue;
+        }
+        if (arg === "--base") {
+            const value = argv[index + 1];
+            if (!value)
+                throw new Error("--base requires a branch or ref");
+            result.base = value;
+            index += 1;
+            continue;
+        }
+        if (arg === "-h" || arg === "--help") {
+            result.command = "help";
+            continue;
+        }
+        if (!result.command) {
+            result.command = arg;
+            continue;
+        }
+        throw new Error(`Unknown argument: ${arg}`);
+    }
+    result.rootDir = resolve(result.rootDir);
+    return result;
+}
+function formatReport(report, format) {
+    if (format === "json")
+        return formatJsonReport(report);
+    if (format === "sarif")
+        return formatSarifReport(report);
+    return `${formatTerminalReport(report)}\n`;
+}
+function shouldFail(report, failOn) {
+    if (!failOn || failOn === "none")
+        return false;
+    const threshold = severityRank(failOn);
+    return report.findings.some((finding) => severityRank(finding.severity) <= threshold);
+}
+function severityRank(severity) {
+    return {
+        critical: 0,
+        high: 1,
+        medium: 2,
+        low: 3,
+        info: 4
+    }[severity];
+}
+function isFailOnValue(value) {
+    return value === "critical" || value === "high" || value === "medium" || value === "low" || value === "info" || value === "none";
+}
+function helpText() {
+    return `ai-saas-guard
+
+Repo-local launch-readiness scanner for AI-built SaaS apps.
+
+Usage:
+  ai-saas-guard scan [--root <repo>] [--json|--sarif] [--fail-on <severity>]
+  ai-saas-guard check-supabase [--root <repo>] [--json|--sarif] [--fail-on <severity>]
+  ai-saas-guard check-stripe [--root <repo>] [--json|--sarif] [--fail-on <severity>]
+  ai-saas-guard check-mcp [--root <repo>] [--json|--sarif] [--fail-on <severity>]
+  ai-saas-guard pr-risk [--root <repo>] [--base <branch>] [--json|--sarif] [--fail-on <severity>]
+
+Defaults:
+  - read-only
+  - no network calls
+  - no account or login required
+  - terminal output by default, JSON with --json
+  - SARIF output for GitHub code scanning with --sarif
+`;
+}
+main(process.argv.slice(2)).then((code) => {
+    process.exitCode = code;
+}, (error) => {
+    process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
+    process.exitCode = 1;
+});

package/dist/commands/checkMcp.d.ts

@@ -0,0 +1,2 @@
+import type { McpReport, ScanOptions } from "../types.js";
+export declare function checkMcp(options: ScanOptions): Promise<McpReport>;

package/dist/commands/checkMcp.js

@@ -0,0 +1,4 @@
+import { checkMcp as runMcpScanner } from "../scanners/mcp.js";
+export function checkMcp(options) {
+    return runMcpScanner(options.rootDir);
+}

package/dist/commands/checkStripe.d.ts

@@ -0,0 +1,2 @@
+import type { ScanOptions, StripeReport } from "../types.js";
+export declare function checkStripe(options: ScanOptions): Promise<StripeReport>;

package/dist/commands/checkStripe.js

@@ -0,0 +1,4 @@
+import { checkStripe as runStripeScanner } from "../scanners/stripe.js";
+export function checkStripe(options) {
+    return runStripeScanner(options.rootDir);
+}

package/dist/commands/checkSupabase.d.ts

@@ -0,0 +1,2 @@
+import type { ScanOptions, SupabaseReport } from "../types.js";
+export declare function checkSupabase(options: ScanOptions): Promise<SupabaseReport>;

package/dist/commands/checkSupabase.js

@@ -0,0 +1,4 @@
+import { checkSupabase as runSupabaseScanner } from "../scanners/supabase.js";
+export function checkSupabase(options) {
+    return runSupabaseScanner(options.rootDir);
+}

package/dist/commands/prRisk.d.ts

@@ -0,0 +1,2 @@
+import type { PrRiskOptions, PrRiskReport } from "../types.js";
+export declare function classifyPrRisk(options: PrRiskOptions): Promise<PrRiskReport>;

package/dist/commands/prRisk.js

@@ -0,0 +1,4 @@
+import { classifyPrRisk as runPrRiskScanner } from "../scanners/gitDiff.js";
+export function classifyPrRisk(options) {
+    return runPrRiskScanner(options);
+}

package/dist/commands/scan.d.ts

@@ -0,0 +1,2 @@
+import type { BaseReport, ScanOptions } from "../types.js";
+export declare function scanRepository(options: ScanOptions): Promise<BaseReport>;

package/dist/commands/scan.js

@@ -0,0 +1,29 @@
+import { createScanContext } from "../context.js";
+import { createReport, uniqueFindings } from "../report/findings.js";
+import { scanApiRoutes } from "../scanners/apiRoutes.js";
+import { scanDeployConfig } from "../scanners/deploy.js";
+import { checkMcp } from "../scanners/mcp.js";
+import { scanNextPublicEnv, scanSecrets } from "../scanners/secrets.js";
+import { checkStripe } from "../scanners/stripe.js";
+import { checkSupabase } from "../scanners/supabase.js";
+export async function scanRepository(options) {
+    const context = await createScanContext(options.rootDir);
+    const [secretFindings, nextPublicFindings, stripeReport, supabaseReport, mcpReport, apiFindings, deployFindings] = await Promise.all([
+        scanSecrets(context),
+        scanNextPublicEnv(context),
+        checkStripe(context),
+        checkSupabase(context),
+        checkMcp(context),
+        scanApiRoutes(context),
+        scanDeployConfig(context)
+    ]);
+    return createReport("scan", options.rootDir, uniqueFindings([
+        ...secretFindings,
+        ...nextPublicFindings,
+        ...stripeReport.findings,
+        ...supabaseReport.findings,
+        ...mcpReport.findings,
+        ...apiFindings,
+        ...deployFindings
+    ]), {});
+}

package/dist/context.d.ts

@@ -0,0 +1,10 @@
+import { type TextFile } from "./utils/files.js";
+export interface ScanContext {
+    rootDir: string;
+    files: readonly TextFile[];
+    filesByPath: ReadonlyMap<string, TextFile>;
+    getFiles: (predicate?: (file: TextFile) => boolean) => TextFile[];
+}
+export type ScanInput = string | ScanContext;
+export declare function createScanContext(rootDir: string): Promise<ScanContext>;
+export declare function resolveScanContext(input: ScanInput): Promise<ScanContext>;

package/dist/context.js

@@ -0,0 +1,16 @@
+import { collectTextFiles } from "./utils/files.js";
+export async function createScanContext(rootDir) {
+    const files = await collectTextFiles(rootDir);
+    const filesByPath = new Map(files.map((file) => [file.path, file]));
+    return {
+        rootDir,
+        files,
+        filesByPath,
+        getFiles(predicate) {
+            return predicate ? files.filter(predicate) : [...files];
+        }
+    };
+}
+export async function resolveScanContext(input) {
+    return typeof input === "string" ? createScanContext(input) : input;
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { scanRepository } from "./commands/scan.js";
+export { checkStripe } from "./commands/checkStripe.js";
+export { checkSupabase } from "./commands/checkSupabase.js";
+export { checkMcp } from "./commands/checkMcp.js";
+export { classifyPrRisk } from "./commands/prRisk.js";
+export { createScanContext } from "./context.js";
+export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
+export type { BaseReport, CommandName, Evidence, Finding, McpReport, McpServerInventory, PrRiskFile, PrRiskReport, ScanOptions, StripeReport, SupabaseReport } from "./types.js";
+export type { ScanContext, ScanInput } from "./context.js";
+export type { RuleMetadata, RuleStability } from "./rules/catalog.js";