Skip to main content

Boundary contract

Static scan for mass-assignment and sensitive field exposure in API handlers.

What it catches

  • Spreading req.body into ORM updates with forbidden fields (plan, is_admin, stripe_customer_id)
  • Returning sensitive columns (password_hash, reset_token) in API responses

Example config

version: 1
contracts:
- type: boundary
forbidden_write: [is_admin, plan, stripe_customer_id]
forbidden_response: [password_hash, reset_token]
scan_paths: [src/**/*.ts, src/**/*.tsx, app/api/**]
severity: high

CLI

npx prodverdict check boundary --config prodverdict.yml

Runs on every PR. No live credentials required.