projscan
Local proof for AI-assisted engineering. projscan gives agents and engineers the repo context, risk checks, proof commands, and review gates they need before editing, handing off, or preparing a release candidate.
Install · Daily workflows · MCP Setup · Commands · Trust · Full Guide
<img src="docs/projscan-mission-control.png" alt="projscan Mission Control routing a saved mission into proof status, remaining work, outcome commands, and review gates" width="760"> </div>Use It For
Use projscan when an agent asks one of these questions:
- Which files should I read before changing this feature?
- Which proof commands should I run before handoff?
- Which risks need fixes, reviewer attention, or release sign-off?
- Which risk should I fix first?
- Did the agent stay inside the approved change boundary?
projscan runs core scans on your machine. It respects .gitignore, keeps .env values out of scans unless you opt in, and exposes the same evidence through a CLI and a 51-tool MCP server. The language layer uses 11 AST adapters covering 12 named languages.
Your agent / engineer
(Codex, Claude Code, Cursor, CI, your scripts)
| intent, diff, repo files, feedback, proof requests
v
+----------------------------------------------------------------+
| projscan (runs locally, source stays on this machine) |
| ------------------------------------------------------------ |
| Mission Control -> assess Cards -> simulate risk -> prove |
| | | | |
| | | +- allowed files
| | | +- forbidden files
| | | +- proof receipt
| | | +- change passport
| | | +- review gate
| | | +- live guard
| | +- bounded extraction |
| | +- regression test first |
| | +- leave unchanged |
| +- evidence strength |
| +- trust memory |
| +- AgentLoopKit handoff |
| |
| CLI + MCP tools, no account, telemetry off by default |
+----------------------------------------------------------------+
| next safe action, exact proof commands, handoff packet
v
Reviewer / CI / LLM provider
(only the evidence you choose to pass along)
Install
npm install -g projscan
projscan start
Run without a global install:
npx projscan start
Check the trust boundary first:
projscan privacy-check
projscan start --intent "what can projscan read?"
projscan start --intent "does projscan read .env values?"
Daily workflows
Use these four workflows before scanning the full command catalog.
Before editing a feature
projscan start --intent "what files do I need to change for auth?"
projscan start --intent "what should we build next?" # Routes to a before-edit implementation workplan
projscan start --intent "is my agent allowed to change billing retry logic?"
projscan understand --view change --intent "add auth token refresh" --format json
projscan prove --intent "is my agent allowed to change billing retry logic?"
projscan preflight --mode before_edit --format json
You get a cited change map, read-first files, likely touched files, blocked inputs, an executable Proof Contract, and a before-edit proof gate. Agent-permission intents route to projscan prove, so start can hand the next agent a contract path instead of a broad checklist.
Success criteria: the agent can name the files to read first, the likely files to touch, the forbidden files to avoid, and the proof commands to run before editing.
Verified change workflow
projscan start --intent "is my agent allowed to change billing retry logic?"
projscan prove --intent "is my agent allowed to change billing retry logic?" --save-contract .projscan/proof-contract.json
# Make the bounded edit, then run the proof command.
projscan prove --run -- npm test -- tests/billing/retry.test.ts
projscan prove --changed --contract .projscan/proof-contract.json --format markdown
projscan passport --contract .projscan/proof-contract.json --format markdown
projscan proof-broker --contract .projscan/proof-contract.json --pr-comment
projscan review-gate --contract .projscan/proof-contract.json --pr-comment
The command path is start -> prove -> run -> changed. Make the bounded edit after the contract exists and before prove --run. start chooses the contract workflow. prove --intent writes .projscan/proof-contract.json only when --save-contract is present. prove --run -- <command...> executes a local proof command, records the exit code, captures a redacted log, and fingerprints the current changed files. prove --record-command remains available for imported CI or external evidence when projscan did not run the command. prove --changed checks the current working tree against the contract and local ledger.
You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, reviewer guidance, and proofRequirements for each risk surface. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. The receipt reports proof replay status, Proof Sufficiency, risk delta, commit readiness, and a reviewer checklist.
Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, log path, and source in .projscan/proof-ledger.jsonl. Executed proof logs stay under .projscan/proof-logs/. prove --changed marks proof as passed, missing, failed, partial, or stale. The receipt JSON includes proofReplay with a replay timeline, changedAfterProof, replay command, and local receipt fingerprint. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
Proof Sufficiency estimates whether the local ledger covers each changed surface. proofSufficiency marks rows as strong, adequate, weak, missing, stale, or failed, then lists the exact gaps reviewers need to resolve.
Team Proof Recipes let a repo encode required proof for sensitive paths in proofRecipes; when a matching recipe is configured, prove --intent adds that recipe's commands, reviewers, and forbidden files to the Proof Contract. prove --changed and projscan evidence-pack --pr-comment then show missing recipe proof, required reviewers, and recipe drift in the Proof Receipt. The recipe does not run proof commands by itself; use prove --run -- <command...> or prove --record-command to add evidence to the local ledger.
Saved contracts are the source of truth for prove --changed; update the contract when a team recipe changes.
Every prove report includes verifiedWorkflow, a compact JSON summary for agents and MCP clients. It names the phase, next action, next command, scope status, proof status, proof sufficiency status, risk delta direction, reviewer decision, and stale/missing/failed proof flags.
projscan passport turns the contract and receipt into one handoff artifact. It names allowed files, forbidden files, changed files, proof replay status, Proof Sufficiency, reviewer action, and next commands. Save it when a reviewer or another agent needs the whole change story in one JSON file:
projscan passport \
--intent "is my agent allowed to change billing retry logic?" \
--save-contract .projscan/proof-contract.json \
--output .projscan/passport.json
Use projscan proof-broker to build a PR Passport from the same passport evidence. It names required proof rows, missing or stale proof commands, required reviewers from Team Proof Recipes, risky changed files, and the next commands a reviewer should ask for:
projscan proof-broker --contract .projscan/proof-contract.json --pr-comment
Use projscan review-gate to produce a review decision from the PR Passport. It reports ready, needs-proof, drifted, or blocked, says whether review can proceed, itemizes proof debt, names the recontract command when scope moved, and can fail CI until the proof debt is gone:
projscan review-gate --contract .projscan/proof-contract.json --pr-comment
projscan review-gate --contract .projscan/proof-contract.json --ci --fail-on-needs-proof
projscan guard checks the current working tree against a saved Proof Contract. Use it after an agent edits files, or run --watch during a session:
projscan guard --contract .projscan/proof-contract.json
projscan guard --contract .projscan/proof-contract.json --watch
Success criteria: the reviewer sees scope, proof execution, proof freshness, sufficiency, and the exact proof debt blocking review for the changed risk surface.
Before handoff or commit
projscan start --intent "is this safe to commit?"
projscan assess --mode fix-first --format markdown
projscan preflight --mode before_commit --format json
projscan evidence-pack --pr-comment
You get changed-file risk, one or two ranked next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use projscan bug-hunt --format json when you want the raw fix queue behind the assessment.
Success criteria: the reviewer sees the top fix, the remaining proof, and any manual sign-off gate without reading the full scan output.
Before release-candidate review
projscan release-train --format json
projscan preflight --mode before_merge --format json
projscan evidence-pack --pr-comment
You get read-only readiness evidence. projscan reports fixes and sign-off gates; it does not tag, publish, deploy, or bump versions from these commands.
Success criteria: release review separates concrete defects from human approval gates before anyone tags or publishes.
Weekly proof-first assessment
projscan assess --goal "make this repo safer to ship this week"
projscan assess --mode fix-first --format markdown
projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"
You get Proof Cards: each recommendation carries local evidence, impact, a safe change shape, verification commands, feedback or suppression guidance, and a risk delta. Add --baseline previous-assess.json to compare the current risk delta against a prior run. assess composes existing quality, bug-hunt, and preflight evidence; it does not release, tag, publish, or deploy.
Proof Cards also show evidence strength, confidence reason, ranking reasons, trust memory, evidence gaps, and an AgentLoopKit handoff packet. Add --feedback .projscan-feedback.json when accepted recommendations, noisy findings, false positives, or suppressions should affect future ranking.
Use the risk delta simulator before a refactor or extraction. It predicts likely touched files, affected tests, contract surfaces, rollout steps, proof commands, and before/after risk from local evidence. It compares bounded extraction, test-first, and leave-unchanged alternatives, then names the recommended option. It is read-only: it does not edit files, run the plan, release, tag, publish, or deploy.
<img src="docs/projscan-proof-cards.png" alt="projscan assess showing a Proof Card with evidence, impact, safe change shape, verification commands, feedback path, and risk delta" width="760">Success criteria: the team sees the one or two highest-value fixes, why they matter, how to prove them, and whether ship-readiness still needs caution or review.
Baseframe Suite assessment artifact
ProjScan finds the risk. AgentLoopKit controls the work. AgentFlight proves the result.
When a Baseframe Suite task needs a stable local artifact, run:
projscan assess \
--intent "Implement password reset" \
--task-id auth-password-reset-20260626-01 \
--emit-baseframe
ProjScan writes .baseframe/evidence/<task-id>/projscan-assessment.json and
updates .baseframe/agent-workflow.json without writing AgentLoopKit or
AgentFlight artifacts. See Baseframe Suite Integration v1.
Mission Control
projscan start --intent "<goal>" turns a plain-language goal into an execution plan:
- current command
- blocked inputs
- follow-up commands
- proof queue
- done criteria
- review gate
Save a mission when work may pass between agents:
projscan start --save-mission .projscan/mission --intent "is it safe to commit this change?"
projscan mission-proof --mission .projscan/mission --format markdown
projscan start --mission .projscan/mission
Mission bundles include a runbook, task card, handoff prompt, proof scripts, review gate JSON, reviewer replies, and proof logs. mission-proof summarizes passed proof, failed gates, reruns, reviewer decisions, and optional manual baseline data.
Regenerate README media:
npm run docs:screenshots
npm run docs:demos
4.18.0 Notes
4.18.0 adds Proof Broker, PR Passport, and Review Gate:
projscan review-gate --contract .projscan/proof-contract.json --pr-commentprints PR-comment Markdown with status, allow-review decision, proof debt, recontract guidance, required reviewers, next commands, and artifact paths.projscan review-gate --contract .projscan/proof-contract.json --ci --fail-on-needs-proofprints a compact CI summary and exits non-zero until the gate isready.- JSON output returns
kind: "review-gate",decision,proofDebt,recontract,requiredReviewers,nextCommands,prComment, and the embedded Proof Broker report. - ProjScan writes Review Gate artifacts to
.projscan/review-gate.jsonor.projscan/review-gates/<name>.json; it rejects traversal, symlink targets, and unrelated overwrite targets. - MCP now includes
projscan_review_gate, bringing the MCP surface to 51 tools. The tool returns gate evidence and PR-comment Markdown without running proof commands. - The package exports
computeReviewGate()plus Review Gate report, decision, proof-debt, recontract, artifact, and PR-comment types. projscan proof-broker --intent "<task>" --save-contract .projscan/proof-contract.jsoncreates a Proof Contract, reads the current Proof Receipt, and brokers the reviewer decision from the Agent Change Passport.projscan proof-broker --contract .projscan/proof-contract.json --pr-commentprints PR Passport Markdown with status, reviewer action, approved boundary, changed files, required proof, required reviewers, proof gaps, next commands, and.projscan/passport.jsonwhen you write the passport artifact.- JSON output returns
kind: "proof-broker",requiredProof,requiredReviewers,scope.riskyChangedFiles,gaps,nextCommands,prPassport, and the underlying Agent Change Passport. - MCP includes
projscan_proof_broker. The tool returns broker evidence and PR Passport Markdown without running proof commands. - The package exports
computeProofBroker()plus Proof Broker report, proof row, gap, and PR Passport types.
4.17.0 Notes
4.17.0 ships the Agent Change Passport and Live Guard:
projscan passport --intent "<task>" --save-contract .projscan/proof-contract.jsoncreates a Proof Contract, checks the current working tree, and returns one local passport with boundary, receipt, proof replay, Proof Sufficiency, reviewer action, and next commands.projscan passport --contract .projscan/proof-contract.json --output .projscan/passport.jsonwrites a JSON handoff artifact. ProjScan writes to.projscan/passport.jsonor.projscan/passports/<name>.json, rejects traversal, checks symlink paths, and refuses to overwrite unrelated files.projscan guard --contract .projscan/proof-contract.jsonreports whether the current diff stayed inside the approved boundary.--watchpolls during an agent session, and--fail-on-driftexits non-zero when the guard sees drift.- MCP now includes
projscan_passport, bringing the MCP surface to 49 tools. The tool returns passport evidence for agents without adding proof-command execution to MCP. - Passport can attach Baseframe assessment evidence with
--task-id <id> --emit-baseframe, while ProjScan limits ownership to its assessment artifact and shared manifest update.
4.16.0 Notes
4.16.0 ships Baseframe Suite assessment export:
projscan assess --intent "<task>" --task-id <id> --emit-baseframewrites.baseframe/evidence/<task-id>/projscan-assessment.json.- ProjScan updates
.baseframe/agent-workflow.jsonwith its own status while preserving AgentLoopKit, AgentFlight, and unknown manifest fields. - The package exports
createBaseframeAssessment()plus Baseframe v1 assessment and workflow manifest types. - Artifact writes are local, atomic, task-ID validated, and protected against traversal and symlink output paths.
4.15.0 Notes
4.15.0 strengthens the proof-first change loop:
projscan prove --intent "<change>"creates a local Proof Contract before editing. It names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, rollback, confidence, Trust Memory signals, evidence gaps, reviewer guidance, andproofRequirementsfor each risk surface.projscan start --intent "is my agent allowed to change billing retry logic?"routes directly toprojscan prove, so agent-permission prompts start with a bounded contract instead of a broad checklist.projscan prove --run -- <command...>executes an explicit local proof command with shell execution disabled, writes a redacted log under.projscan/proof-logs/, appends aprove-runledger row, and letsprove --changedreplay executed proof instead of self-reported evidence.projscan prove --changedvalidates the current working tree against a saved contract and emits a Proof Receipt for PRs, agents, and CI. Its changed-file classes separate allowed production edits, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, and unexpected production changes before giving a copyable reviewer decision. The receipt also includesproofReplaywith replay status, timeline events,changedAfterProof, replay command, and receipt fingerprint. Proof Sufficiency shows whether eachproofRequirementsrow has strong, adequate, weak, missing, stale, or failed proof.- Team Proof Recipes let a repo add path-matched
proofRecipesto.projscanrc.json. Matching recipes add required commands, reviewers, and forbidden drift to the Proof Contract and Proof Receipt. projscan prove --record-command "<command>" --exit-code <code>appends a local Proof Ledger row with command, duration, changed-file fingerprint, redacted output summary, and optional log path when importing proof from CI or another runner.- Every
proveJSON report includesverifiedWorkflow, so agents can read the next action, next command, scope status, proof status,proofSufficiencystatus, reviewer decision, and stale/missing/failed proof flags without parsing Markdown. - Saved Mission Control bundles append Proof Ledger rows while
mission.shruns the existing proof queue. The script still writes proof logs and status JSONL for humans. projscan evidence-pack --pr-commentincludes the latest Proof Receipt summary when a contract and ledger are available, so PR comments show proof status, proof replay, reviewer decision, scope, stale proof, failed proof, proof sufficiency, recipe gaps, required reviewers, changed-after-proof files, receipt fingerprint, and the replay command.- Proof artifacts are harder to spoof: Proof Contract and Proof Ledger reads reject symlink escapes, proof logs redact more standalone token/key shapes, and generated mission scripts reject shell control syntax before running.
- The codebase behind the proof workflow is smaller and easier to review: source hotspots in Mission Control, bug-hunt, quality-scorecard, workplan, adoption, start-mode routing, and intent routing were split into focused helpers with architecture tests.
- MCP now includes
projscan_prove, bringing the MCP surface to 48 tools.
4.14.0 Notes
4.14.0 ships the Verified Change Workflow and Executed Proof Runner:
projscan prove --intent "<change>"creates a local Proof Contract before editing.projscan prove --run -- <command...>executes an explicit local proof command with shell execution disabled and writes a redacted Proof Ledger row.projscan prove --changedemits a Proof Receipt for PRs, agents, and CI.projscan evidence-pack --pr-commentincludes the latest Proof Receipt summary when a contract and ledger are available.- MCP includes
projscan_prove, bringing the MCP surface to 48 tools.
4.12.1 Notes
4.12.1 is the simulator precision patch for the Proof Cards V2 release:
projscan simulate --planno longer treats one-letter filenames such ass.tsas matches for broad plan text.- Simulator term-overlap evidence now filters generated agent/cache paths and weak planning terms, so logs or proof artifacts do not become likely files when the plan names no concrete repo target.
4.12.0 Notes
4.12.0 is the Proof Cards V2 daily trust loop release:
- Proof Cards now show evidence strength, confidence reason, evidence gaps, ranking reasons, Trust Memory context, and AgentLoopKit handoff packets.
projscan assess --feedback <path>applies local reviewer feedback to ranking and confidence.projscan start --intent "is this safe to commit?"now starts withprojscan assess --mode fix-firstand keeps preflight as proof.projscan simulate --plan "<change plan>"compares bounded extraction, regression test first, and leave unchanged alternatives before recommending the safest option.
4.11.1 Notes
4.11.1 is a public README media refresh for the proof-first release:
- Added a dedicated Proof Cards screenshot for
projscan assessandprojscan simulate. - Regenerated README screenshots so public media showed the 47-tool MCP surface.
- Updated website handoff guidance to use immutable
v4.11.1media URLs.
4.11.0 Notes
4.11.0 is the proof-first engineering command center release:
projscan assessturns quality, bug-hunt, and preflight evidence into Proof Cards with fix-first guidance and risk delta.projscan simulate --plan "<change plan>"predicts likely files, tests, contracts, rollout, proof commands, and before/after risk before editing.- MCP now exposes 47 tools, including
projscan_assessandprojscan_simulate.
MCP Setup
Use MCP when an agent should call projscan during a coding session.
Claude Code:
claude mcp add projscan -- npx -y projscan mcp
Codex CLI:
[mcp_servers.projscan]
command = "npx"
args = ["-y", "projscan", "mcp"]
Cursor, Windsurf, Cline, Continue, Zed, and other MCP clients can launch the same command:
npx -y projscan mcp
Add --watch if the client supports notifications/file_changed:
npx -y projscan mcp --watch
Agent Questions
| Agent question | CLI or MCP route |
|---|---|
| Which files implement auth? | projscan search "auth" --format json |
| Who imports this file? | projscan semantic-graph --query importers --file src/auth/jwt.ts --format json |
| What breaks if I rename this symbol? | projscan impact --symbol buildCodeGraph --format json |
| What should I fix first? | projscan bug-hunt --format json |
| What is risky and worth fixing this week? | projscan assess --goal "make this repo safer to ship this week" |
| Is this refactor worth doing? | projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules" |
| Is my agent allowed to make this change? | projscan start --intent "is my agent allowed to change billing retry logic?" |
| Did the change stay inside scope? | projscan prove --changed --contract .projscan/proof-contract.json --format markdown |
| Can a reviewer trust this agent handoff? | projscan passport --contract .projscan/proof-contract.json --format markdown |
| Which proof belongs in the PR? | projscan proof-broker --contract .projscan/proof-contract.json --pr-comment |
| Is this PR ready for review? | projscan review-gate --contract .projscan/proof-contract.json --ci --fail-on-needs-proof |
| Is the agent drifting from the contract? | projscan guard --contract .projscan/proof-contract.json |
| Which files have high risk and low coverage? | projscan coverage --format json |
| What should my agent do next? | projscan workplan --format json |
| Which proof belongs in this PR? | projscan evidence-pack --pr-comment |
| Is this branch ready to merge? | projscan preflight --mode before_merge --format json |
Command Map
| Command | Use it when you need |
|---|---|
projscan start | first-60-seconds orientation, routing, and Mission Control |
projscan understand | cited repo map, runtime flows, public contracts, and change readiness |
projscan preflight | proceed, caution, or block gate for edit, commit, or merge |
projscan assess | proof-first assessment with Proof Cards, risk delta, and fix-first guidance |
projscan simulate | risk delta simulator for a proposed change plan before editing |
projscan prove | executable Proof Contracts, Verified Workflow JSON, and Proof Receipts |
projscan passport | local change passport with boundary, receipt, proof, and reviewer action |
projscan proof-broker | PR Passport with required proof, proof gaps, reviewers, and next commands |
projscan review-gate | reviewer-readiness gate with proof debt, recontract guidance, and CI exits |
projscan guard | current working tree check against a saved Proof Contract |
projscan evidence-pack | review evidence with risks, owners, proof receipts, and next commands |
projscan bug-hunt | ranked fix queue from health, hotspots, session, and preflight evidence |
projscan workplan | ordered agent tasks with proof and handoff text |
projscan doctor | project health, tooling gaps, dead code, and supply-chain signals |
projscan review | one-call PR review from structural diff, risk, cycles, functions, and deps |
projscan impact | blast radius for a file or symbol before rename, delete, or upgrade |
projscan semantic-graph | imports, exports, importers, symbol definitions, and package importers |
projscan dataflow | framework-aware source-to-sink risks |
projscan hotspots | churn, complexity, ownership, and coverage risk ranking |
projscan coverage | high-risk files with weak test coverage |
projscan dependencies | dependency inventory, license summary, and risk notes |
projscan upgrade <pkg> | offline upgrade impact from changelog and importer evidence |
projscan audit | normalized npm audit findings and SARIF |
projscan coordinate | collisions, claims, and merge-risk across worktrees |
projscan plugin | local analyzer and reporter plugin workflow |
projscan privacy-check | local scan boundary, telemetry, ignore rules, and network-capable paths |
projscan mcp | MCP server over stdio |
Run the generated command help when you need flags:
projscan help
projscan <command> --help
Output Formats
Commands support console, json, markdown, sarif, and html where those formats fit the command.
projscan analyze --format json
projscan doctor --format markdown
projscan ci --format sarif > projscan.sarif
projscan evidence-pack --pr-comment
projscan mission-proof --write reports/mission-proof.md
Use scoped and redacted reports when evidence leaves the repo:
projscan analyze --report-scope src/api --redact-paths --format json
projscan analyze --report-scope "src/api,packages/backend" --redact-paths --format json
projscan doctor --report-policy apiEvidence --format markdown
Configuration
Create a .projscanrc.json when repo defaults should live in source control:
{
"minScore": 80,
"failOn": "warning",
"baseRef": "origin/main",
"ignore": ["**/fixtures/**", "**/generated/**"],
"scan": {
"includeIgnored": false,
"scanEnvValues": false,
"offline": false
},
"disableRules": ["large-*"],
"suppress": {
"hardcoded-secret": ["src/firebase.ts"]
},
"severityOverrides": {
"missing-prettier": "info"
},
"proofRecipes": [
{
"id": "billing-critical",
"matches": ["src/billing/**"],
"requiredCommands": ["npm test -- tests/billing/retry.test.ts"],
"requiredReviewers": ["@platform"],
"forbiddenFiles": ["src/auth/**"]
}
],
"reportPolicies": {
"apiEvidence": {
"reportScope": ["src/api", "packages/backend"],
"redactPaths": true
}
}
}
Use suppress for a known false positive in a specific path without disabling
the rule everywhere. For one line, add an inline directive next to the value:
const firebaseKey = 'AIza...'; // projscan-ignore-line hardcoded-secret -- Firebase web keys are public identifiers
Use proofRecipes when a path needs team-specific proof; when a matching recipe
is configured, projscan prove adds its proof commands, reviewers, and forbidden
files to the contract and receipt. It does not run proof commands by itself.
Recipes without requiredCommands are skipped, and duplicate recipe IDs keep the
first valid recipe.
Config docs live in docs/GUIDE.md.
CI
Use projscan ci to gate pull requests:
projscan ci --min-score 80
projscan ci --changed-only
projscan ci --format json
projscan ci --format sarif > projscan.sarif
ci --format json keeps ci.issues[] annotation-ready: each issue includes
ruleId, severity, message, location, locations, and remediation
when projscan has that data.
doctor --format json and ci --format json also include scoreBreakdown,
which shows the base score, severity weights, category penalties, total penalty,
final score, and grade.
By default, ci only fails a below-threshold score when there is a warning or
error. Set "failOn": "info" for legacy strictness or "failOn": "error" for
error-only blocking.
GitHub Actions example:
name: ProjScan
on:
pull_request:
branches: [main]
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: actions/setup-node@v4
with: { node-version: 24 }
- uses: abhiyoheswaran1/projscan@v1
with:
min-score: '80'
changed-only: 'true'
Plugins
Local plugins let teams add project-specific analyzer rules and custom human reports without changing projscan core.
Load local plugins
projscan plugin list
projscan plugin validate .projscan-plugins/team-radar.projscan-plugin.json
projscan plugin test .projscan-plugins/team-radar.projscan-plugin.json
PROJSCAN_PLUGINS_PREVIEW=1 projscan doctor --reporter team-radar
Run projscan help for the generated command-by-command support matrix.
Plugin docs:
Supported Repos
projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++ with AST-aware adapters where available. It also detects file-level signals for C, Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
Framework signals cover React, Next.js, Vue, Nuxt, Svelte, Angular, Express, Fastify, NestJS, Vite, Tailwind CSS, Prisma, Remix, SvelteKit, Astro, Hono, Koa, and common monorepo layouts.
JavaScript and TypeScript use @babel/parser. Non-JS languages use packaged tree-sitter WASM grammars. The published package has 7 direct runtime dependencies; optional semantic search uses the peer dependency @xenova/transformers.
Trust Model
| Area | projscan behavior |
|---|---|
| Source code | Core scans read local files and keep results on your machine. |
.gitignore | Ignored files stay out of scans unless you pass --include-ignored. |
.env | projscan reports paths by default. It reads values after --scan-env-values. |
| Network | audit, registry checks, opt-in telemetry, and optional semantic model download can contact the network. |
| Telemetry | Off until you run projscan telemetry enable or accept the init team prompt. |
| Plugins | Local plugin code runs after PROJSCAN_PLUGINS_PREVIEW=1 and an execution path such as doctor, ci, analyze, or plugin test --execute. |
| Repo writes | Source writes require explicit fix commands. Caches, saved missions, Proof Contracts, Proof Ledger rows, and proof logs stay under .projscan* local directories. |
Audit helpers:
projscan privacy-check
projscan telemetry status
projscan telemetry explain
projscan doctor --offline
Supply-chain scanners may flag package strings or APIs used by git, npm audit, web-tree-sitter, optional plugins, and optional semantic search. The runtime paths above describe when those capabilities run.
Install Notes
projscan@4.18.0 has seven direct runtime dependencies:
@babel/parser@babel/typeschalkcommanderfast-globoraweb-tree-sitter
If npm prints allow-scripts warnings during a global install, check which package names it lists. projscan core does not need node-gyp grammar builds at runtime in 4.18.0. Open an issue with the warning text if npm reports install scripts from projscan@latest, or run projscan feedback intake --text "<warning text>" --format json to turn it into a focused setup-trust task.
The grammar packages are build-time sources, not global-install dependencies. Published grammar assets include tree-sitter-python.wasm and tree-sitter-c_sharp.wasm.
Deeper Docs
- Full guide
- First 10 minutes
- Roadmap
- Adoption workflows
- Swarm coordination
- Stability policy
- Telemetry policy
- Security policy
Contributing
Read CONTRIBUTING.md before opening a PR. Contributions use the MIT License and the DCO 1.1 certification described there.
Legal
- License: MIT
- Disclaimer: DISCLAIMER.md
- Security policy: SECURITY.md
- Privacy notice: PRIVACY.md
- Telemetry policy: TELEMETRY.md
- Trademark and brand policy: TRADEMARKS.md
- Third-party notices: THIRD-PARTY-NOTICES.md