Boundary contract
Static scan for mass-assignment and sensitive field exposure in API handlers.
What it catches
- Spreading
req.bodyinto ORM updates with forbidden fields (plan,is_admin,stripe_customer_id) - Returning sensitive columns (
password_hash,reset_token) in API responses
Example config
version: 1
contracts:
- type: boundary
forbidden_write: [is_admin, plan, stripe_customer_id]
forbidden_response: [password_hash, reset_token]
scan_paths: [src/**/*.ts, src/**/*.tsx, app/api/**]
severity: high
CLI
npx prodverdict check boundary --config prodverdict.yml
Runs on every PR. No live credentials required.