CLI reference
All commands accept a global --repo <path> (default .), placed before the subcommand: dacip --repo ~/work/app scan. dacip version prints the version.
Shared scan flags
scan, investigate, diff, baseline, verify, and the agent-facing commands all take:
| Flag | Meaning |
|---|---|
--scope {all,backend,frontend} |
Limit analysis side. Default all. |
--include <glob> |
Only analyze matching paths. Repeatable. |
--exclude <glob> |
Skip matching paths. Repeatable. |
--client <name> |
Extra frontend HTTP-client name (e.g. _data) whose .get/.post/… calls count as API calls. Repeatable. |
--fast |
Faster, shallower scan. |
--quiet |
Suppress progress messages on stderr. |
Analysis commands
scan
dacip scan [repository]
Snapshot the repo and run all analyzers. Prints JSON: snapshot id, file/symbol/route/API-call counts, and coverage — read it; anything DACIP couldn't parse is listed there, not silently dropped. The optional positional repository overrides --repo.
investigate
dacip investigate "<objective>" [--max-findings N] [--command CMD] [--openapi PATH] [--serializers] [--deep-types]
Full analysis against an objective. --max-findings defaults to 5. --command (repeatable) runs a shell command and records its output as evidence. --openapi supplies a schema for payload/auth comparison; --serializers derives backend schemas from DRF serializers when no schema exists. --deep-types resolves frontend payload/response types via the TS type checker (slower). Writes report.md under .dacip/ and prints its path. Objective is required (exit 2 without one).
diff
dacip diff <base_ref> [--format {json,github,sarif}] [--max-findings N] [--openapi PATH] [--serializers]
Analyze both the working tree and base_ref, report only findings introduced between them. --format defaults to json; github emits workflow annotations, sarif emits SARIF for code-scanning upload. Findings are capped at --max-findings (default 5); introduced_total in the JSON is the uncapped count. If a lockfile changed, the JSON carries a note: base analysis ran against the head toolchain, so extraction-instability diagnostics may stem from dependency skew.
baseline
dacip baseline write
Record all current findings as accepted. investigate and diff suppress baselined findings and warn about stale entries that no longer derive.
verify
dacip verify <finding_id>
Run a finding's stored reproduction (a unique id prefix is enough). Reproducing promotes a high-confidence finding to proven. Findings whose repro is a curl template can't be run automatically — DACIP prints the command for you to run manually and exits 2.
Account
| Command | Does |
|---|---|
dacip login |
GitHub device-flow sign-in; unlocks analysis of 1 private repo on the free tier. Exit 1 on failure. |
dacip logout |
Clear the session. |
dacip whoami |
Print {"login": ...} as JSON. |
dacip license |
Print license state, path, and detail as JSON. Exit 0 for valid/expiring/grace, 3 otherwise. Never gated itself. |
Public repos need no account. See the FAQ for tiers.
Setup
| Command | Does |
|---|---|
dacip init |
Create .dacip/ and add it to .gitignore. Analysis commands also do this implicitly. |
dacip install |
Write the Claude Code integration (MCP server + PreToolUse hook) into the repo. Restart Claude Code after. |
dacip toolchain install-ts |
npm-install typescript@5 into ~/.cache/dacip/toolchain as a fallback compiler. DACIP never npm-installs implicitly; without a usable TypeScript, frontend calls are not extracted and cross-stack findings are incomplete — DACIP says so on stderr rather than reporting a clean pass. |
dacip mcp |
Run the MCP stdio server (normally launched by Claude Code, not by hand). |
dacip hook |
PreToolUse gate: reads Claude Code hook JSON on stdin, prints an allow/deny decision. Fail-open — no store or no approved plan means allow, with the reason stated. |
Agent-facing commands
Used by the agent loop; all print JSON.
dacip workorder <finding_id>— build a work order and plan skeleton for a finding.dacip validate-plan <plan_file>— validate an ExecutionPlan; a valid plan becomes the active scope the hook enforces. Exit 1 if invalid.dacip validate-patch— check the working tree against the active plan. Exit 1 if invalid, 2 if no plan.dacip prove <finding_id>— gate + repro after a fix; marks the finding resolved, writes a proof, retires the plan.dacip context "<objective>"— deterministic facts (symbols, routes, calls) filtered by objective keywords.dacip impact <symbol>— impact query from the snapshot; skips full analysis.dacip plan {show,clear}— show or clear the active plan.dacip gc [--keep N]— prune old snapshots, keeping N per repo/scope (default 5); the active plan's snapshot is pinned.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Clean (no new/recurring findings on investigate, nothing introduced on diff, repro succeeded on verify). |
| 1 | Defects found, repro failed, or plan/patch invalid. |
| 2 | Usage error: missing objective, unresolvable ref, no unique finding, no active plan. |
| 3 | Cancelled (Ctrl-C), analysis/toolchain failure, or license/login gate. |
| 4 | Internal DACIP error — please report it. |
See /proof/ for what these results look like on real repos.

