Triple Feature Drop: Stripe Payments, Landing Page Overhaul & Repository Scanning

Big dev session today! Just shipped three major features that completely change how ShieldStack works.

Stripe Payments Are Live 💳

Finally wired up payments after way too long with placeholder CTAs. The flow is pretty clean:

  • Hit the unlock button → Stripe Checkout for $9.99
  • Webhook confirms payment → unlocks full report in Supabase
  • Redirects back with ?paid=true → fresh API call bypasses cache

Had to be careful with the Stripe initialization - learned the hard way that new Stripe() at module level crashes builds when env vars aren't set. Now using a lazy getStripe() function that only initializes when needed.

Landing Page UX Makeover

Stripped out all the confusing "$29 Get Full Report" buttons that were scattered everywhere. Now the entire landing page funnels to one thing: scan for free first.

Every CTA now says "Scan Free First" or "Scan Your Site Free". Way cleaner user journey - let people see what we can do before asking for money. Also dropped the price from $29 to $9.99 based on early feedback.

Repository Scanning Added 📦

This was the big one. ShieldStack now scans npm packages and GitHub repos, not just websites.

NPM package checks:

  • Typosquatting detection (compares against 100 popular packages)
  • Suspicious lifecycle hooks
  • Package age and version anomalies
  • Download count irregularities
  • Integrity hash verification

GitHub repo checks:

  • Prompt injection in issues/PRs/comments
  • Malicious package.json hooks
  • Suspicious workflow files
  • README injection attacks

Built a shared patterns library with 30+ prompt injection regexes and 20+ malicious script patterns. Scoring weights repo findings more heavily, since there are fewer checks but each one carries higher impact.

The Hero input now auto-detects what you're scanning:

  • https://example.com → website scan
  • lodash → npm package scan
  • owner/repo → GitHub repo scan
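One way to implement that auto-detection, as an added example (not ShieldStack's own code): it classifies the raw input before anything is routed to a scanner, so scoped npm names like @types/node are not mistaken for owner/repo and non-http schemes are rejected. The npm and GitHub naming rules it checks are approximations assumed here, and a bare hostname without a scheme is not treated as a website.

```javascript
// Added example (not ShieldStack's code): decide whether the Hero input is a
// website URL, an npm package name, or a GitHub owner/repo before routing it.
// Rules follow the post; scoped packages ("@scope/name") also contain a slash,
// so they are checked before the owner/repo rule.

// npm naming rules (lowercase, URL-safe, <= 214 chars) and GitHub owner/repo
// rules are approximations assumed here, not taken from the post.
const NPM_NAME = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
const GH_SEGMENT = /^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$/;
const GH_REPO = /^[A-Za-z0-9._-]+$/;

function classifyScanTarget(raw) {
  const input = String(raw ?? "").trim();
  if (input.length === 0 || input.length > 214) {
    return { type: "invalid", reason: "empty or too long" };
  }

  // 1. Anything with a scheme is a website; only http(s) targets are scannable.
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(input)) {
    let url;
    try { url = new URL(input); } catch { return { type: "invalid", reason: "malformed url" }; }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      return { type: "invalid", reason: `unsupported scheme ${url.protocol}` };
    }
    return { type: "website", target: url.origin };
  }

  // 2. Scoped npm package: "@scope/name" has a slash but is not a repo.
  if (input.startsWith("@")) {
    return NPM_NAME.test(input)
      ? { type: "npm", target: input }
      : { type: "invalid", reason: "bad scoped package name" };
  }

  // 3. Exactly one slash and no scheme: GitHub owner/repo (".git" suffix stripped).
  const parts = input.split("/");
  if (parts.length === 2) {
    const [owner, repo] = parts;
    const cleanRepo = repo.replace(/\.git$/, "");
    if (GH_SEGMENT.test(owner) && GH_REPO.test(cleanRepo) && cleanRepo !== "." && cleanRepo !== "..") {
      return { type: "github", target: `${owner}/${cleanRepo}` };
    }
    return { type: "invalid", reason: "bad owner/repo" };
  }

  // 4. Otherwise it must be a plain npm package name.
  if (NPM_NAME.test(input)) return { type: "npm", target: input };
  return { type: "invalid", reason: "unrecognised target" };
}
```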

The Technical Details

17 files changed, 1500+ lines across 3 commits. Created separate API routes for repo scanning instead of overloading the existing /api/scan endpoint - cleaner separation of concerns.

Used dynamic imports for the Supabase client in the webhook route to match the pattern from existing scan routes. Added proper Suspense wrapping for the results page since we're using useSearchParams().

What's Next

Still need to configure the Stripe webhook URL in production and set up the env vars in Netlify. There's a potential race condition if the webhook is slow and users get redirected before payment confirmation - might need to add some polling logic later.

Next up: badge SVG endpoints, PDF reports, and maybe some CVE checking for dependencies. The foundation is solid now.
