prodverdict
v0.14.1
Published
CLI for ProdVerdict - deterministic production contract checks for AI-assisted SaaS
Downloads
1,245
Maintainers
Readme
ProdVerdict
Your billing says paid. Your app might disagree.
ProdVerdict checks production contracts — the billing, access, config, migration, webhook, and recovery rules your SaaS must not break after AI-assisted changes. Rules only. No LLM in the evaluation path; missing credentials fail closed.
Website: prodverdict.com / Docs: prodverdict.com/docs
60-second demo
No credentials required:
npx prodverdict demoYou should see a FAIL verdict: a canceled subscription still has paid access in the bundled
fixture (wrongful-access scenario). Try the inverse with --scenario revenue-leak.
Agent setup
Tell your AI agent: "Set up ProdVerdict for this repo."
npx prodverdict setup --yes --format agent --from-envWrites prodverdict.yml, scheduled workflow, Cursor MCP config, and agent skills. Wires credentials
from .env.local when present.
Install skills globally (optional):
npx skills add prodv-dev/prodverdict-sdk@prodverdict-setup -g -y
npx skills add prodv-dev/prodverdict-sdk@prodverdict-verify -g -yMCP tool: bootstrap_prodverdict. See AI agent setup.
Schedule Access verification
Access is strongest for custom Stripe, Paddle, or Postgres billing state where webhooks, database rows, and app access gates can disagree after production events.
npx prodverdict scheduled --installSet repo secrets: STRIPE_SECRET_KEY or PADDLE_API_KEY, DATABASE_URL, and optionally
SLACK_WEBHOOK_URL.
See scheduled vs PR.
Contracts
| Contract | Role |
|----------|------|
| Access | First shipped money-path contract for custom Stripe/Paddle/Postgres billing state |
| Config | Env var drift (process.env vs .env.example) |
| Migration | Schema migration safety |
| Boundary | Mass-assignment / sensitive field scan |
| Webhook | Signature verification + idempotency lint |
| Restore | Backup/restore smoke in CI |
| Entitlements migration | Stripe Entitlements migration verifier |
| Clerk Gates | Clerk Billing plan/feature gates in money-path routes |
npx prodverdict check access --config prodverdict.yml
npx prodverdict check all --format agentUsage limits, credits, seats, and deeper permission contracts are roadmap validation areas. Do not configure them as shipped contract types today.
Managed billing and Clerk
Pure Clerk Billing apps are not the main current Access ICP because Clerk manages plans and
subscriptions separately from Stripe Billing. Use clerk-gates for Clerk Billing plan/feature gate
verification. Use Access where your app owns custom billing state or access rows. Usage limits,
credits, seats, and deeper permissions remain planned validation targets.
Integrations
CLI - npx prodverdict check [contract] / demo / scan / setup / status / doctor
The CLI sends anonymous command telemetry for npm/npx usage: command name, version, package-manager
hint, CI flag, platform, exit code, and safe option metadata such as contract, stack, and
format. It does not send raw args, cwd, env values, secrets, findings, billing rows, or customer
PII. Disable it with PRODVERDICT_TELEMETRY=0, PRODVERDICT_DISABLE_TELEMETRY=1, or
DO_NOT_TRACK=1.
GitHub Action - Marketplace
- uses: prodv-dev/[email protected]
with:
config: ./prodverdict.yml
contract: access # access | config | migration | boundary | webhook | restore | entitlements-migration | clerk-gates | all
env:
STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
DATABASE_URL: ${{ secrets.DATABASE_URL }}Local MCP - npx @prodverdict/mcp with billing and database secrets in env. Tools:
bootstrap_prodverdict, doctor, check_all_contracts, check_access_contract, and per-contract
checks.
Remote MCP (Pro) - prodverdict.com/api/mcp for config/migration/boundary/webhook without billing secrets on cloud. Access stays local only.
Examples
npx prodverdict scan| Example | Stack | |---------|-------| | nextjs-stripe | Next.js + Stripe | | supabase-stripe | Supabase + Stripe | | paddle-stripe | Paddle + Postgres | | rails-stripe | Rails + Stripe |
Fixture demos: node examples/nextjs-stripe/run-demo.mjs after npm run build.
Development
npm install && npm test && npm run buildDocker test env (no Stripe account): see test-env/README.md.
Documentation
- Quickstart
- Money-path contracts
- Managed Billing & Clerk
- AI SaaS Money-Path Audit
- CLI reference
- GitHub Action
- AI agent setup
- Agent skills
- Concept / Design / Implementation guide
- Changelog / GitHub Releases
License
MIT - see LICENSE.
