4 releases

0.2.3	Jan 27, 2026
0.2.2	Jan 27, 2026
0.2.1	Jan 27, 2026
0.2.0	Jan 27, 2026

#116 in Email

MIT license

630KB
14K SLoC

Gatekpr

A Rust-native platform that validates Shopify and WooCommerce apps against official approval requirements. Provides CLI, REST API, MCP server, and AI agent integration.

Features

110+ Validation Rules across webhooks, API usage, billing, security, OAuth, data protection, checkout, performance, and themes
Multi-Platform: Shopify and WooCommerce support
Multi-Language Parsing: JavaScript, TypeScript, Ruby, Python, PHP via tree-sitter
Semantic Search: RAG-powered documentation search with Qdrant (17 collections)
LLM Analysis: GLM 4.7 primary with Claude fallback, circuit breaker pattern
Multi-Tenant SaaS: JWT auth, Stripe billing, email notifications
MCP Integration: Tools for Claude Code, Windsurf, OpenCode
Production Ready: Fly.io deployment, OpenTelemetry tracing, rate limiting

Architecture

gatekpr/
├── crates/
│   ├── core/           # Shared types, traits, HTTP client, formatting
│   ├── config/         # Configuration management
│   ├── patterns/       # Reusable patterns (retry, circuit breaker)
│   ├── rate-limiter/   # Standalone rate limiting crate
│   ├── parsers/        # Multi-language code parsing (tree-sitter)
│   ├── validators/     # Rule engine with pattern matching
│   ├── vector/         # Qdrant client, embedding registry
│   ├── db/             # SQLite with SQLx + query helpers
│   ├── rig-agent/      # LLM orchestration with circuit breaker
│   ├── opencode/       # OpenCode CLI client for RAG enrichment
│   ├── email/          # SMTP email with MJML templates
│   ├── billing/        # Stripe billing integration
│   ├── monitoring/     # Health checks, deprecation tracking
│   ├── mcp-server/     # MCP protocol server for AI agents
│   ├── cli/            # Command-line interface
│   ├── api/            # REST API (Axum)
│   └── ingestion/      # Documentation crawler
├── rules/              # Validation rules (TOML)
├── migrations/         # SQLx database migrations
├── packages/           # Distribution wrappers (npm, PyPI, RubyGems, Composer)
├── HomebrewFormula/    # Homebrew formula
└── tests/              # Integration tests

Installation

# From crates.io
cargo install gatekpr-cli

# From source
cargo install --git https://github.com/umerkhan95/gatekpr.git gatekpr-cli

Quick Start

Prerequisites

Rust 1.75+
SQLite 3.x (bundled via SQLx)

Build from source

git clone https://github.com/umerkhan95/shopify-app-approver.git
cd shopify-app-approver
cargo build --release

CLI

# Validate a Shopify app
cargo run -p gatekpr-cli -- check ./path/to/app

# Remote validation via API
cargo run -p gatekpr-cli -- check ./path/to/app --server https://gatekpr.fly.dev

# Search documentation
cargo run -p gatekpr-cli -- docs search "GDPR webhooks"

# List validation rules
cargo run -p gatekpr-cli -- rules list

API Server

export JWT_SECRET="your-secret-key-at-least-32-characters"
cargo run -p gatekpr-api
# Server starts at http://localhost:3000

MCP Server

cargo run -p gatekpr-mcp-server

# With RAG support
OPENAI_API_KEY=your-key QDRANT_URL=http://localhost:6333 cargo run -p gatekpr-mcp-server

Configure in Claude Code (~/.claude/settings.json):

{
  "mcpServers": {
    "gatekpr": {
      "command": "/path/to/gatekpr-mcp-server"
    }
  }
}

API Endpoints

Authentication

Method	Endpoint	Auth	Description
POST	`/api/v1/auth/register`	No	Register user
POST	`/api/v1/auth/login`	No	Login, returns JWT
POST	`/api/v1/auth/refresh`	No	Refresh access token
POST	`/api/v1/auth/validate`	No	Validate API key (CLI)
GET	`/api/v1/auth/verify-email/:token`	No	Verify email
POST	`/api/v1/auth/forgot-password`	No	Request password reset
POST	`/api/v1/auth/reset-password`	No	Reset password
POST	`/api/v1/auth/api-key`	Yes	Generate API key

Validation

Method	Endpoint	Description
POST	`/api/v1/validate/file`	Validate single file
POST	`/api/v1/validate/webhooks`	Check GDPR webhooks
POST	`/api/v1/validate/api`	Check API compliance
POST	`/api/v1/validate/billing`	Check billing compliance
POST	`/api/v1/validate/security`	Security scan
POST	`/api/v1/validate/codebase`	Full codebase validation
GET	`/api/v1/validate/codebase/:id`	Get validation status
POST	`/api/v1/validate/github`	GitHub CI/CD validation

Reviews

Method	Endpoint	Description
GET	`/api/v1/reviews`	List reviews (paginated)
POST	`/api/v1/reviews`	Create review
GET	`/api/v1/reviews/:id`	Get review details
DELETE	`/api/v1/reviews/:id`	Delete review
GET	`/api/v1/reviews/:id/findings`	Get findings

Billing (Stripe)

Method	Endpoint	Description
GET	`/api/v1/billing/plans`	List plans
POST	`/api/v1/billing/checkout`	Create checkout session
GET	`/api/v1/billing/subscription`	Get subscription status
POST	`/api/v1/billing/subscription/cancel`	Cancel subscription
POST	`/api/v1/billing/subscription/reactivate`	Reactivate
POST	`/api/v1/billing/portal`	Billing portal
GET	`/api/v1/billing/usage`	Usage stats
POST	`/api/v1/billing/webhooks`	Stripe webhook

Documentation

Method	Endpoint	Description
GET	`/api/v1/docs/search?q=query`	Semantic search
GET	`/api/v1/docs/rules`	List validation rules
GET	`/api/v1/docs/rules/:id`	Get rule details

Validation Rules

Category	Rules	Description
Webhooks	WH001-WH004	GDPR webhook compliance
API	API001-API003	GraphQL vs REST, scope validation
Billing	BIL001-BIL002	Shopify Billing API
Security	SEC001-SEC005	HTTPS, HMAC, secrets, eval, SSL
OAuth	OAUTH001-OAUTH003	OAuth flow validation
Data	DATA001-DATA003	Customer data protection
Embedded	EMB001-EMB005	App Bridge, session tokens
Checkout	CHECKOUT001-CHECKOUT006	Checkout extensions
Performance	PERF001-PERF006	Bundle size, Core Web Vitals
Theme	THEME001-THEME006	Theme app extensions

Environment Variables

Variable	Required	Description
`JWT_SECRET`	Yes	JWT signing secret (min 32 chars)
`DATABASE_URL`	No	SQLite path (default: `sqlite:./data/approver.db`)
`API_HOST`	No	Server host (default: `0.0.0.0`)
`API_PORT`	No	Server port (default: `3000`)
`ALLOWED_ORIGINS`	No	CORS origins
`STRIPE_SECRET_KEY`	No	Stripe secret key (enables billing)
`STRIPE_PUBLISHABLE_KEY`	No	Stripe publishable key
`STRIPE_WEBHOOK_SECRET`	No	Stripe webhook signing secret
`EMAIL_SMTP_HOST`	No	SMTP host (enables email)
`EMAIL_SMTP_PASSWORD`	No	SMTP password
`EMAIL_FROM_ADDRESS`	No	Sender email
`OPENAI_API_KEY`	No	OpenAI embeddings
`QDRANT_URL`	No	Qdrant server URL
`GLM_API_KEY`	No	GLM 4.7 API key
`ANTHROPIC_API_KEY`	No	Claude API key (fallback)

Deployment

Production runs on Fly.io. See DEPLOYMENT.md for full details.

# Deploy API
flyctl deploy --config fly.production.toml --app gatekpr

# Deploy Qdrant
flyctl deploy --config fly.qdrant.production.toml --app gatekpr-qdrant

# Health check
curl https://gatekpr.fly.dev/health

Development

# Run tests
cargo test --workspace

# Format
cargo fmt --all

# Lint
cargo clippy --workspace -- -D warnings

CI Pipeline

CI runs on every push to main:

Format - cargo fmt --check
Check - cargo check --workspace
Clippy - cargo clippy -- -D warnings
Test - cargo test --workspace

Release builds and Docker images are produced by release.yml on version tags (v*).

License

MIT

Dependencies

~138MB
~3M SLoC