What happened
Apple shipped a new App Store web build with source maps still enabled in production. A researcher downloaded the .map files and reconstructed the full front-end source; Apple issued DMCA takedowns and GitHub removed thousands of forks.
Would Stateward catch it? Yes.
Yes — at the source. The leak’s root cause is a build configured to emit production source maps, which Stateward flags in the pull request that introduces it (Vite/webpack/Next/CRA/Vue/Rollup). A runtime "is the .map actually served" probe is on our roadmap, but the config that causes it is caught before deploy.
Stateward’s source-map detector flags it in the pull request, before it ever ships: a committed *.map artifact, a stray //# sourceMappingURL= in a shipped bundle, and build configs that emit production maps across Vite, webpack, Next.js, Create React App, Vue and Rollup. It skips disabled maps and .d.ts.map files, so it doesn’t cry wolf.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.