@agenticcli/shipguard
v0.4.0
CLI-first release gate for AI-built apps
Catches secrets leaks, auth gaps, payment webhook risks, destructive migrations, and deployment misconfigurations — before your code ships.
30-second quickstart
```bash
# Zero install — scan right now
npx @agenticcli/shipguard scan

# Or install globally
npm install -g @agenticcli/shipguard

# Then run from any project directory
shipguard scan
```

PATH gotcha: `npm install` (without `-g`) does NOT put `shipguard` on your PATH. Use `npx @agenticcli/shipguard scan` or install with `npm install -g @agenticcli/shipguard`.
Usage
```bash
shipguard scan            # Scan current project (rich output)
shipguard scan --strict   # CI mode: exit 1 on blocking findings
shipguard scan --json     # Machine-readable output for agents/CI
shipguard scan --quiet    # One-line verdict only
shipguard scan --pro      # Pro rules — requires login
shipguard login           # Authenticate for Pro rules
shipguard init            # Generate .shipguard.yml policy file
```

Exit codes
| Code | Meaning |
|------|---------|
| 0 | Safe — no blocking findings |
| 1 | Blocked — --strict mode + blocking findings |
| 2 | Config error / degraded scan |
| 3 | Runtime error |
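
A CI step that checks only for exit code 1 would let a degraded scan (code 2) or a crashed scan (code 3) through as if it were clean. The wrapper below is an added example, not part of ShipGuard: it maps every code in the table to a gate decision and fails closed on anything other than 0. The names `SHIPGUARD_CMD`, `gate_verdict` and `run_gate` and the fail-closed policy are assumptions; the `--strict` flag, the exit codes and the `SHIPGUARD_TELEMETRY=0` opt-out (Telemetry section) come from this README.

```bash
#!/usr/bin/env bash
# CI gate around `shipguard scan --strict` (added example, not ShipGuard's own code).
# Exit-code meanings come from the table above; the fail-closed handling of
# codes 2, 3 and unknown codes is this example's policy, not the tool's.

# Command to run (hypothetical variable); overridable so the gate logic can be
# exercised with a stub instead of the real CLI.
SHIPGUARD_CMD="${SHIPGUARD_CMD:-npx @agenticcli/shipguard}"

# Map a ShipGuard exit code to a gate decision string.
gate_verdict() {
  case "$1" in
    0) echo "pass" ;;                 # Safe: no blocking findings
    1) echo "blocked" ;;              # --strict mode + blocking findings
    2) echo "fail-closed:config" ;;   # Config error / degraded scan: coverage unknown
    3) echo "fail-closed:runtime" ;;  # Runtime error: scan did not complete
    *) echo "fail-closed:unknown" ;;  # Code not in the documented table
  esac
}

# Run the scan with telemetry disabled; return 0 only on a clean verdict.
run_gate() {
  local rc=0 verdict
  # `|| rc=$?` captures the exit code without tripping `set -e` in the caller.
  SHIPGUARD_TELEMETRY=0 $SHIPGUARD_CMD scan --strict || rc=$?
  verdict="$(gate_verdict "$rc")"
  echo "shipguard exit=$rc verdict=$verdict" >&2
  [ "$verdict" = "pass" ]
}

# In a pipeline step: source this file, then `run_gate || exit 1`.
```
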
Telemetry
ShipGuard sends an anonymous usage ping on each scan (verdict bucket, duration, CLI version, CI flag — never file contents, paths, or user identity). Opt out: SHIPGUARD_TELEMETRY=0 or DO_NOT_TRACK=1.
Details: agenticcli.dev/docs#telemetry
Documentation
See full docs for policy configuration, CI setup, and agent integration.
Testing notes
Cross-impl crypto-compatibility test (CLI↔backend) lives in the private backend repo post-split; CLI repo verifies against signed-bundle fixtures. Drift risk low (stable Ed25519 scheme).
License
MIT
