# Gatekpr
A Rust-native platform that validates Shopify and WooCommerce apps against official approval requirements. Provides CLI, REST API, MCP server, and AI agent integration.
[](https://github.com/umerkhan95/shopify-app-approver/actions/workflows/ci.yml)
## Features
- **110+ Validation Rules** across webhooks, API usage, billing, security, OAuth, data protection, checkout, performance, and themes
- **Multi-Platform**: Shopify and WooCommerce support
- **Multi-Language Parsing**: JavaScript, TypeScript, Ruby, Python, PHP via tree-sitter
- **Semantic Search**: RAG-powered documentation search with Qdrant (17 collections)
- **LLM Analysis**: GLM 4.7 primary with Claude fallback, circuit breaker pattern
- **Multi-Tenant SaaS**: JWT auth, Stripe billing, email notifications
- **MCP Integration**: Tools for Claude Code, Windsurf, OpenCode
- **Production Ready**: Fly.io deployment, OpenTelemetry tracing, rate limiting
## Architecture
```
gatekpr/
├── crates/
│ ├── core/ # Shared types, traits, HTTP client, formatting
│ ├── config/ # Configuration management
│ ├── patterns/ # Reusable patterns (retry, circuit breaker)
│ ├── rate-limiter/ # Standalone rate limiting crate
│ ├── parsers/ # Multi-language code parsing (tree-sitter)
│ ├── validators/ # Rule engine with pattern matching
│ ├── vector/ # Qdrant client, embedding registry
│ ├── db/ # SQLite with SQLx + query helpers
│ ├── rig-agent/ # LLM orchestration with circuit breaker
│ ├── opencode/ # OpenCode CLI client for RAG enrichment
│ ├── email/ # SMTP email with MJML templates
│ ├── billing/ # Stripe billing integration
│ ├── monitoring/ # Health checks, deprecation tracking
│ ├── mcp-server/ # MCP protocol server for AI agents
│ ├── cli/ # Command-line interface
│ ├── api/ # REST API (Axum)
│ └── ingestion/ # Documentation crawler
├── rules/ # Validation rules (TOML)
├── migrations/ # SQLx database migrations
├── packages/ # Distribution wrappers (npm, PyPI, RubyGems, Composer)
├── HomebrewFormula/ # Homebrew formula
└── tests/ # Integration tests
```
## Installation
```bash
# From crates.io
cargo install gatekpr-cli
# From source
cargo install --git https://github.com/umerkhan95/gatekpr.git gatekpr-cli
```
## Quick Start
### Prerequisites
- Rust 1.75+
- SQLite 3.x (bundled via SQLx)
### Build from source
```bash
git clone https://github.com/umerkhan95/shopify-app-approver.git
cd shopify-app-approver
cargo build --release
```
### CLI
```bash
# Validate a Shopify app
cargo run -p gatekpr-cli -- check ./path/to/app
# Remote validation via API
cargo run -p gatekpr-cli -- check ./path/to/app --server https://gatekpr.fly.dev
# Search documentation
cargo run -p gatekpr-cli -- docs search "GDPR webhooks"
# List validation rules
cargo run -p gatekpr-cli -- rules list
```
### API Server
```bash
export JWT_SECRET="your-secret-key-at-least-32-characters"
cargo run -p gatekpr-api
# Server starts at http://localhost:3000
```
### MCP Server
```bash
cargo run -p gatekpr-mcp-server
# With RAG support
OPENAI_API_KEY=your-key QDRANT_URL=http://localhost:6333 cargo run -p gatekpr-mcp-server
```
Configure in Claude Code (`~/.claude/settings.json`):
```json
{
"mcpServers": {
"gatekpr": {
"command": "/path/to/gatekpr-mcp-server"
}
}
}
```
## API Endpoints
### Authentication
| POST | `/api/v1/auth/register` | No | Register user |
| POST | `/api/v1/auth/login` | No | Login, returns JWT |
| POST | `/api/v1/auth/refresh` | No | Refresh access token |
| POST | `/api/v1/auth/validate` | No | Validate API key (CLI) |
| GET | `/api/v1/auth/verify-email/:token` | No | Verify email |
| POST | `/api/v1/auth/forgot-password` | No | Request password reset |
| POST | `/api/v1/auth/reset-password` | No | Reset password |
| POST | `/api/v1/auth/api-key` | Yes | Generate API key |
### Validation
| POST | `/api/v1/validate/file` | Validate single file |
| POST | `/api/v1/validate/webhooks` | Check GDPR webhooks |
| POST | `/api/v1/validate/api` | Check API compliance |
| POST | `/api/v1/validate/billing` | Check billing compliance |
| POST | `/api/v1/validate/security` | Security scan |
| POST | `/api/v1/validate/codebase` | Full codebase validation |
| GET | `/api/v1/validate/codebase/:id` | Get validation status |
| POST | `/api/v1/validate/github` | GitHub CI/CD validation |
### Reviews
| GET | `/api/v1/reviews` | List reviews (paginated) |
| POST | `/api/v1/reviews` | Create review |
| GET | `/api/v1/reviews/:id` | Get review details |
| DELETE | `/api/v1/reviews/:id` | Delete review |
| GET | `/api/v1/reviews/:id/findings` | Get findings |
### Billing (Stripe)
| GET | `/api/v1/billing/plans` | List plans |
| POST | `/api/v1/billing/checkout` | Create checkout session |
| GET | `/api/v1/billing/subscription` | Get subscription status |
| POST | `/api/v1/billing/subscription/cancel` | Cancel subscription |
| POST | `/api/v1/billing/subscription/reactivate` | Reactivate |
| POST | `/api/v1/billing/portal` | Billing portal |
| GET | `/api/v1/billing/usage` | Usage stats |
| POST | `/api/v1/billing/webhooks` | Stripe webhook |
### Documentation
| GET | `/api/v1/docs/search?q=query` | Semantic search |
| GET | `/api/v1/docs/rules` | List validation rules |
| GET | `/api/v1/docs/rules/:id` | Get rule details |
## Validation Rules
| Webhooks | WH001-WH004 | GDPR webhook compliance |
| API | API001-API003 | GraphQL vs REST, scope validation |
| Billing | BIL001-BIL002 | Shopify Billing API |
| Security | SEC001-SEC005 | HTTPS, HMAC, secrets, eval, SSL |
| OAuth | OAUTH001-OAUTH003 | OAuth flow validation |
| Data | DATA001-DATA003 | Customer data protection |
| Embedded | EMB001-EMB005 | App Bridge, session tokens |
| Checkout | CHECKOUT001-CHECKOUT006 | Checkout extensions |
| Performance | PERF001-PERF006 | Bundle size, Core Web Vitals |
| Theme | THEME001-THEME006 | Theme app extensions |
## Environment Variables
| `JWT_SECRET` | Yes | JWT signing secret (min 32 chars) |
| `DATABASE_URL` | No | SQLite path (default: `sqlite:./data/approver.db`) |
| `API_HOST` | No | Server host (default: `0.0.0.0`) |
| `API_PORT` | No | Server port (default: `3000`) |
| `ALLOWED_ORIGINS` | No | CORS origins |
| `STRIPE_SECRET_KEY` | No | Stripe secret key (enables billing) |
| `STRIPE_PUBLISHABLE_KEY` | No | Stripe publishable key |
| `STRIPE_WEBHOOK_SECRET` | No | Stripe webhook signing secret |
| `EMAIL_SMTP_HOST` | No | SMTP host (enables email) |
| `EMAIL_SMTP_PASSWORD` | No | SMTP password |
| `EMAIL_FROM_ADDRESS` | No | Sender email |
| `OPENAI_API_KEY` | No | OpenAI embeddings |
| `QDRANT_URL` | No | Qdrant server URL |
| `GLM_API_KEY` | No | GLM 4.7 API key |
| `ANTHROPIC_API_KEY` | No | Claude API key (fallback) |
## Deployment
Production runs on Fly.io. See [DEPLOYMENT.md](DEPLOYMENT.md) for full details.
```bash
# Deploy API
flyctl deploy --config fly.production.toml --app gatekpr
# Deploy Qdrant
flyctl deploy --config fly.qdrant.production.toml --app gatekpr-qdrant
# Health check
curl https://gatekpr.fly.dev/health
```
## Development
```bash
# Run tests
cargo test --workspace
# Format
cargo fmt --all
# Lint
cargo clippy --workspace -- -D warnings
```
## CI Pipeline
CI runs on every push to `main`:
- **Format** - `cargo fmt --check`
- **Check** - `cargo check --workspace`
- **Clippy** - `cargo clippy -- -D warnings`
- **Test** - `cargo test --workspace`
Release builds and Docker images are produced by `release.yml` on version tags (`v*`).
## License
MIT