Inject production infrastructure into any Python or Node project in minutes. Framework-aware · AI-adaptive · Multi-provider with fallback · Git-branch rollback · BSL Licensed
```bash
pip install shadow-stack
shadow-stack scan ./myproject      # health score + what's missing (FREE)
shadow-stack diff ./myproject      # preview changes before inject (FREE)
shadow-stack cost ./myproject      # estimate AI cost first (FREE)
shadow-stack audit ./myproject     # security issues (FREE)
shadow-stack inject ./myproject    # AI-adapted production modules (PAID)
shadow-stack rollback ./myproject  # list/clean inject branches (FREE)
```

| Feature | v4 | v5 |
|---|---|---|
| Framework-aware scanner (no false positives on JS/TS projects) | ❌ | ✅ |
| AI provider fallback chain (auto-retry on rate-limit / 5xx) | ❌ | ✅ |
| Git-branch rollback (every inject = its own branch) | ❌ | ✅ |
| Node/Express module pack (auth + security + monitoring + tests + docker) | ❌ | ✅ |
| GitHub Action for CI integration | ❌ | ✅ |
| Freemium model (free scans, paid inject) | ❌ | ✅ |
| pyproject.toml packaging | ❌ | ✅ |
Free (no key required): scan · audit · diff · cost · frameworks · providers · explain · license

Run scans on any project, any time, no key required. This is the acquisition loop: get a real production-readiness score before deciding if inject is worth paying for.

Paid (license key required): inject · recipe apply · upgrade · sync · fix-wiring · install

```bash
export SHADOW_STACK_LICENSE_KEY=solo_xxxxxxx
shadow-stack inject ./myproject --only auth payments monitoring
```

Tiers: solo_* ($29/mo) · team_* ($99/mo) · ent_* ($499/mo) · lifetime_* ($149)
| Framework | Detect | Inject | Modules |
|---|---|---|---|
| FastAPI | ✅ | ✅ | All 16 Python modules |
| Django | ✅ | ◑ | auth, monitoring, security, tests, docker, deployment |
| Flask | ✅ | ◑ | auth, monitoring, security, tests, docker |
| Express | ✅ | ✅ | v5 NEW — node_auth/security/monitoring/tests/docker |
| NestJS | ✅ | ✅ | v5 NEW — same Node module pack |
| Next.js | ✅ | ◑ | v5 NEW — node_auth, node_monitoring, node_tests |
| Fastify | ✅ | ○ | Detection only |
| React/Vite | ✅ | ◑ | node_tests |
| Go (Gin) | ○ | ○ | Planned v6 |
The scanner is framework-aware: a Next.js project no longer gets false-positive "missing password hashing" warnings just because the FastAPI checker doesn't know JS.
Every inject in a git repo creates a dedicated branch:

```
shadow-stack/inject-auth-monitoring-20260510-153022
```

Review the diff, then merge or rollback:

```bash
git checkout main && git merge --no-ff <branch>   # accept
git checkout main && git branch -D <branch>       # discard
```

`shadow-stack rollback ./myproject --cleanup 14` cleans up branches older than 14 days.
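The `--cleanup` selection can be reasoned about from the branch naming alone. The block below is an added example, not shadow-stack's own code: it takes the `shadow-stack/inject-<modules>-<YYYYMMDD>-<HHMMSS>` naming from this README and shows how a cleanup would pick branches older than N days while refusing to touch anything that does not match that scheme (`main`, feature branches, a branch whose stamp is not a valid date). The branch list is constructed inline in place of `git branch --list`, and the commands are returned as strings rather than executed.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Naming scheme from the README: shadow-stack/inject-<modules>-<YYYYMMDD>-<HHMMSS>
INJECT_BRANCH_RE = re.compile(
    r"^shadow-stack/inject-(?P<modules>.+)-(?P<stamp>\d{8}-\d{6})$"
)


def parse_inject_branch(name: str) -> Optional[Tuple[List[str], datetime]]:
    """Return (module list, creation timestamp), or None if this is not an inject branch."""
    m = INJECT_BRANCH_RE.match(name)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d-%H%M%S")
    except ValueError:
        return None  # matches the shape but the stamp is not a real date: leave it alone
    return m.group("modules").split("-"), stamp


def stale_inject_branches(branches: List[str], now: datetime,
                          max_age_days: int = 14) -> List[str]:
    """Select inject branches created more than max_age_days before `now`.

    Only branches that parse as inject branches are candidates; every other
    branch in the repo is ignored, so a cleanup can never delete main or a
    hand-made feature branch.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for branch in branches:
        parsed = parse_inject_branch(branch)
        if parsed is None:
            continue
        _modules, stamp = parsed
        if stamp < cutoff:
            stale.append(branch)
    return stale


def cleanup_commands(branches: List[str], now: datetime,
                     max_age_days: int = 14) -> List[str]:
    """Render the git commands a cleanup would run (returned, not executed)."""
    return [f"git branch -D {b}" for b in stale_inject_branches(branches, now, max_age_days)]


# Constructed sample, standing in for the output of `git branch --list`.
SAMPLE_BRANCHES = [
    "shadow-stack/inject-auth-monitoring-20260510-153022",  # 15 days old: stale
    "shadow-stack/inject-payments-20260520-090000",         # 5 days old: keep
    "shadow-stack/inject-auth-20261399-000000",             # month 13: invalid stamp, skipped
    "main",
    "feature/rate-limit-fix",
]
SAMPLE_NOW = datetime(2026, 5, 25, 12, 0, 0)  # constructed "current time"


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_BRANCHES, SAMPLE_NOW, max_age_days=14):
        print(cmd)
```

Parsing the timestamp out of the branch name rather than consulting the reflog keeps the decision independent of local clock skew on the machine that created the branch, but it also means the cutoff is only as trustworthy as the name; the invalid-date case is skipped rather than deleted for that reason.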
Default chain: `anthropic → openai → gemini → groq → deepseek → ollama`

If your primary rate-limits halfway through a 12-module inject, v5 auto-retries on the next available provider. v4 used to fail the whole run.

Set `SHADOW_STACK_AI_PROVIDER=openai` to pin a specific primary; the chain still applies on failure.
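To make the fallback behaviour concrete, here is an added example of a provider chain with the semantics described above. It is not shadow-stack's code: the provider names, the default order and the `SHADOW_STACK_AI_PROVIDER` variable come from this README, while the per-provider callable interface, the `ProviderError` type and the 12-module scenario (primary rate-limits after six modules) are assumptions constructed for the illustration. Only 429 and 5xx move the run to the next provider; an authentication or other 4xx error is raised immediately, since retrying it against another provider would just hide a misconfiguration.

```python
import os
from typing import Callable, Dict, List, Optional

# Default chain order as given in the README.
DEFAULT_CHAIN = ["anthropic", "openai", "gemini", "groq", "deepseek", "ollama"]


class ProviderError(Exception):
    """Hypothetical error type carrying an HTTP-style status from a provider call."""

    def __init__(self, status: int, message: str = ""):
        super().__init__(message or f"provider returned status {status}")
        self.status = status


def is_retryable(status: int) -> bool:
    """429 (rate limit) and 5xx (provider-side failure) fall through to the next provider.
    Anything else, e.g. 401 for a bad key, is a configuration problem and is raised as-is."""
    return status == 429 or 500 <= status < 600


def build_chain(primary: Optional[str] = None,
                chain: Optional[List[str]] = None) -> List[str]:
    """Pin a primary at the front of the chain; the rest of the chain still applies.
    With no explicit primary, SHADOW_STACK_AI_PROVIDER is consulted."""
    order = list(chain if chain is not None else DEFAULT_CHAIN)
    primary = primary or os.environ.get("SHADOW_STACK_AI_PROVIDER")
    if primary:
        if primary in order:
            order.remove(primary)
        order.insert(0, primary)
    return order


def run_with_fallback(callers: Dict[str, Callable[[str], str]],
                      modules: List[str], chain: List[str]) -> Dict[str, str]:
    """Generate every module, switching to the next provider on a retryable failure.

    callers maps provider name -> callable(module) -> output (hypothetical interface;
    providers with no entry are treated as unavailable and skipped).
    Returns {module: provider that produced it}. Once a provider has failed, the
    remaining modules stay on the provider that took over.
    """
    results: Dict[str, str] = {}
    current = 0
    for module in modules:
        for pos in range(current, len(chain)):
            provider = chain[pos]
            caller = callers.get(provider)
            if caller is None:
                continue  # not configured (no key / not installed): skip it
            try:
                caller(module)
            except ProviderError as exc:
                if not is_retryable(exc.status):
                    raise
                continue  # rate-limited or 5xx: try the next provider in the chain
            results[module] = provider
            current = pos
            break
        else:
            raise RuntimeError(f"every provider in the chain failed for {module}")
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: the primary rate-limits after 6 of 12 modules."""
    calls = {"anthropic": 0}

    def anthropic(module: str) -> str:
        calls["anthropic"] += 1
        if calls["anthropic"] > 6:
            raise ProviderError(429, "rate limited")
        return f"{module}: generated by anthropic"

    def openai(module: str) -> str:
        return f"{module}: generated by openai"

    callers = {"anthropic": anthropic, "openai": openai}  # the rest are unconfigured
    modules = [f"module{i:02d}" for i in range(1, 13)]
    return run_with_fallback(callers, modules, build_chain(primary="anthropic"))


if __name__ == "__main__":
    for module, provider in demo().items():
        print(f"{module} -> {provider}")
```

In the constructed run, modules 01 to 06 come from `anthropic`, the 429 on module 07 moves the chain to `openai`, and modules 07 to 12 come from `openai`; `gemini` through `ollama` are never consulted because they have no caller configured.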
```yaml
# .github/workflows/health-score.yml
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shadowhunter89/shadow-stack/.github/actions/scan@v5
        with:
          fail-below: 60       # fail the PR if score drops below 60
          comment-on-pr: true  # post score as a PR comment
```

On every pull request, the action posts a comment like this:

> Framework: fastapi
> Missing modules: 6
> Critical security issues: 2
>
> Run `shadow-stack inject` locally to fix the gaps. Get a license to enable inject.
Score emoji is colour-coded:
- 🟢 80+ — production-ready
- 🟡 60-79 — has gaps, but shippable
- 🔴 < 60 — needs work before launch
The action also writes a Job Summary visible in the run page:

```markdown
## shadow-stack scan
| Metric | Value |
|--------|------:|
| Health Score | 62/100 |
| Framework | fastapi |
| Missing modules | 6 |
| Critical issues | 2 |
```
The action also exposes its results as step outputs for later steps:

```yaml
      - uses: shadowhunter89/shadow-stack/.github/actions/scan@v5
        id: scan
      - run: echo "Health = ${{ steps.scan.outputs.health-score }}"
      - run: echo "Framework = ${{ steps.scan.outputs.framework }}"
```

Business Source License 1.1. You may use it on your projects (private or commercial). You may not sell it as a standalone product or build a hosted SaaS of it. Converts to Apache 2.0 four years after release.
Commercial licensing: [email protected] · © 2026 ShadowHunter89.