Verdict
Readiness verdict
Large OSS traction (113k stars, active release cadence) and built-in distribution via the CLI, but no monetization infrastructure and several critical dimensions missing (auth, billing, tests, observability). The score reflects a strong adoption surface offset by significant commercial gaps.
Primary risk
The community's expectation that the project stays free may hinder conversion to paid tiers; the absence of test coverage also undermines enterprise trust.
Audit items
auth
missing. Evidence: evidence_flags.auth: missing; no auth code in repo.
Remediation: Add NextAuth.js or Clerk to the hosted control plane (apps/v4) for team/organization authentication and SSO.
billing
missing. Evidence: evidence_flags.billing: missing; no Stripe or payment integration.
Remediation: Integrate Stripe Checkout in the control plane for per-seat subscription billing and metered private registry usage.
multi_tenancy
partial. Evidence: Registry concept exists (apps/v4/package.json has `registry:build`; registry additions in recent commits) but no tenant isolation.
Remediation: Implement workspace/team scoping in the hosted registry with row-level isolation for components and settings, enforced at the database/query layer (every query carries the tenant id) rather than only in the UI.
email
missing. Evidence: evidence_flags.email: missing; no email sending code.
Remediation: Add Resend or Postmark for transactional emails (invitations, password resets, billing notifications) in the control plane.
observability
missing. Evidence: evidence_flags.observability: missing; no logging, metrics, or tracing.
Remediation: Instrument the CLI and registry API with OpenTelemetry traces and structured logging to monitor usage and errors. Any telemetry emitted by the CLI from a user's machine should be opt-in and disclosed, consistent with the privacy item below.
docs
partial. Evidence: evidence_flags.docs: partial; README is thin (only 4 headings) and points to ui.shadcn.com/docs, but no commercial setup docs.
Remediation: Expand documentation with a 'shadcn Pro' section covering pricing, enterprise onboarding, and hosted registry API references.
privacy
missing. Evidence: No privacy policy or GDPR artifacts in repo; env_example missing.
Remediation: Create a privacy policy page and implement data retention controls for user data in the hosted control plane. Also add a `.env.example` so required configuration and secrets are documented without committing their values.
security
partial. Evidence: CI is present (ci: present) but no static analysis or vulnerability scanning detected in the repo. Note that GitHub's Dependabot alerts are a repository setting and leave no trace in the tree; only a `.github/dependabot.yml` or a scanning workflow would be visible here, so the finding is "not evidenced", not necessarily "not enabled".
Remediation: Add CodeQL static analysis and Dependabot vulnerability scanning to the CI pipeline for all packages.
deploy
present. Evidence: evidence_flags.deploy: present; apps/v4/package.json has `build` and `start` scripts, and CI exists.
Remediation: Containerize the control plane with Docker and provide a one-click deploy to Vercel or Railway.
unit_economics
missing. Evidence: No billing or usage tracking; no infrastructure cost models (billing missing, no infra signals).
Remediation: Model infrastructure costs (compute, database, bandwidth) for the hosted registry and set per-seat pricing with a 70% margin target.
Fix first
Remediation priorities
Critical gaps
- No billing integration — cannot charge customers.
- No authentication — cannot secure team workspaces or user access.
- No test suite — undermines reliability and enterprise adoption.
- Thin documentation for commercial use — no pricing, onboarding, or API guides.
- No observability — cannot monitor usage or debug issues in a hosted service.
Quick wins
- Add Stripe Checkout and a simple pricing page inside apps/v4 within a day.
- Integrate NextAuth.js with GitHub OAuth for basic team login (2 days).
- Deploy the existing apps/v4 demo with added 'Go Pro' CTA on Vercel (1 hour).
- Add a CI step to run basic unit tests using Vitest on the CLI (3 days).
- Write a commercial README section with a link to a 'shadcn Pro' landing page (2 hours).
- Add Dockerfile and docker-compose for the control plane to enable self-host evaluation (1 day).