DACIP DACIP

CLI reference

All commands accept a global --repo <path> (default .), placed before the subcommand: dacip --repo ~/work/app scan. dacip version prints the version.

Shared scan flags

scan, investigate, diff, baseline, verify, and the agent-facing commands all take:

Flag Meaning
--scope {all,backend,frontend} Limit analysis side. Default all.
--include <glob> Only analyze matching paths. Repeatable.
--exclude <glob> Skip matching paths. Repeatable.
--client <name> Extra frontend HTTP-client name (e.g. _data) whose .get/.post/… calls count as API calls. Repeatable.
--fast Faster, shallower scan.
--quiet Suppress progress messages on stderr.

Analysis commands

scan

dacip scan [repository]

Snapshot the repo and run all analyzers. Prints JSON: snapshot id, file/symbol/route/API-call counts, and coverage — read it; anything DACIP couldn't parse is listed there, not silently dropped. The optional positional repository overrides --repo.

investigate

dacip investigate "<objective>" [--max-findings N] [--command CMD] [--openapi PATH] [--serializers] [--deep-types]

Full analysis against an objective. --max-findings defaults to 5. --command (repeatable) runs a shell command and records its output as evidence. --openapi supplies a schema for payload/auth comparison; --serializers derives backend schemas from DRF serializers when no schema exists. --deep-types resolves frontend payload/response types via the TS type checker (slower). Writes report.md under .dacip/ and prints its path. Objective is required (exit 2 without one).

diff

dacip diff <base_ref> [--format {json,github,sarif}] [--max-findings N] [--openapi PATH] [--serializers]

Analyze both the working tree and base_ref, report only findings introduced between them. --format defaults to json; github emits workflow annotations, sarif emits SARIF for code-scanning upload. Findings are capped at --max-findings (default 5); introduced_total in the JSON is the uncapped count. If a lockfile changed, the JSON carries a note: base analysis ran against the head toolchain, so extraction-instability diagnostics may stem from dependency skew.

baseline

dacip baseline write

Record all current findings as accepted. investigate and diff suppress baselined findings and warn about stale entries that no longer derive.

verify

dacip verify <finding_id>

Run a finding's stored reproduction (a unique id prefix is enough). Reproducing promotes a high-confidence finding to proven. Findings whose repro is a curl template can't be run automatically — DACIP prints the command for you to run manually and exits 2.

Account

Command Does
dacip login GitHub device-flow sign-in; unlocks analysis of 1 private repo on the free tier. Exit 1 on failure.
dacip logout Clear the session.
dacip whoami Print {"login": ...} as JSON.
dacip license Print license state, path, and detail as JSON. Exit 0 for valid/expiring/grace, 3 otherwise. Never gated itself.

Public repos need no account. See the FAQ for tiers.

Setup

Command Does
dacip init Create .dacip/ and add it to .gitignore. Analysis commands also do this implicitly.
dacip install Write the Claude Code integration (MCP server + PreToolUse hook) into the repo. Restart Claude Code after.
dacip toolchain install-ts npm-install typescript@5 into ~/.cache/dacip/toolchain as a fallback compiler. DACIP never npm-installs implicitly; without a usable TypeScript, frontend calls are not extracted and cross-stack findings are incomplete — DACIP says so on stderr rather than reporting a clean pass.
dacip mcp Run the MCP stdio server (normally launched by Claude Code, not by hand).
dacip hook PreToolUse gate: reads Claude Code hook JSON on stdin, prints an allow/deny decision. Fail-open — no store or no approved plan means allow, with the reason stated.

Agent-facing commands

Used by the agent loop; all print JSON.

  • dacip workorder <finding_id> — build a work order and plan skeleton for a finding.
  • dacip validate-plan <plan_file> — validate an ExecutionPlan; a valid plan becomes the active scope the hook enforces. Exit 1 if invalid.
  • dacip validate-patch — check the working tree against the active plan. Exit 1 if invalid, 2 if no plan.
  • dacip prove <finding_id> — gate + repro after a fix; marks the finding resolved, writes a proof, retires the plan.
  • dacip context "<objective>" — deterministic facts (symbols, routes, calls) filtered by objective keywords.
  • dacip impact <symbol> — impact query from the snapshot; skips full analysis.
  • dacip plan {show,clear} — show or clear the active plan.
  • dacip gc [--keep N] — prune old snapshots, keeping N per repo/scope (default 5); the active plan's snapshot is pinned.

Exit codes

Code Meaning
0 Clean (no new/recurring findings on investigate, nothing introduced on diff, repro succeeded on verify).
1 Defects found, repro failed, or plan/patch invalid.
2 Usage error: missing objective, unresolvable ref, no unique finding, no active plan.
3 Cancelled (Ctrl-C), analysis/toolchain failure, or license/login gate.
4 Internal DACIP error — please report it.

See /proof/ for what these results look like on real repos.