Quickstart
DACIP runs against any public GitHub repo clone with no sign-up and no license. Analysis happens entirely on your machine; your source never leaves it.
Run it without installing
Pick whichever launcher you already have:
uvx dacip investigate "api contract audit"
# or
npx dacip investigate "api contract audit"
Both are small MIT launchers that download the DACIP engine binary for your platform, verify its SHA256, cache it, and run it. Subsequent runs on public repos are fully offline.
Or install the binary
curl -fsSL https://dacip.dev/install.sh | sh
The installer detects your platform, downloads the trial binary, verifies its SHA256 against the published checksum (and refuses to run it on a mismatch), and installs to ~/.local/bin/dacip.
It also provisions the TypeScript analyzer once via dacip toolchain install-ts. This needs Node.js: without it, TypeScript/JavaScript call extraction is unavailable and cross-stack findings lose the frontend side. DACIP will say so in its output rather than pass silently — the run emits a TS_ANALYZER_UNAVAILABLE diagnostic instead of pretending the frontend was checked.
Your first finding
Clone any public GitHub repo (or use one you already have), then:
cd <public repo clone>
dacip investigate "api contract audit"
A cold run takes seconds on a mid-size repo — 2s on redash, ~15s median across the nine repos on the proof dashboard, ~131s on the posthog monorepo (25k files), all re-measured nightly. Install-to-first-real-finding on a cold redash clone: about 30 seconds total. The result is JSON on stdout:
{
"report": ".dacip/runs/<id>/report.md",
"baselined": 0,
"defects_new": 1,
"recurring": 0,
"resolved": 0,
"observations": 4,
"coverage": { "...": "..." }
}
defects_newis the count of asserted defects — things DACIP claims are broken, each with the exact call site and, where possible, a runnable repro.- The full report lands at
.dacip/runs/<id>/report.md, alongsidefindings.json,evidence.json,coverage.json, and generated repro files. The<id>is deterministic per objective and repo, so re-runs overwrite in place. - Exit code is
1when new or recurring defects exist,0otherwise — usable directly in CI.
Read the coverage block. It lists what DACIP could not resolve, not just what it checked — silence is never presented as safety. See Coverage for how to read it, and Boundaries for what the 22 analyzers actually check.
Private repos
Public repos are free forever. One private repo is free after sign-in:
dacip login
This runs a GitHub device flow (open a URL, enter a code). The only data that leaves your machine is your GitHub username and an opaque hash of the repo's origin URL — never source, file names, or findings. Details in Licensing; team pricing ($15 per active contributor) is on the landing page.
If a public repo asks you to log in
Public-repo detection requires that your clone's HEAD commit exists in the public remote — this stops the gate being fooled by pointing origin at an unrelated public repo. A stale checkout, or local commits you haven't pushed, will get the login prompt. git pull, or check out a pushed commit, and run again. With DACIP_OFFLINE=1 the check is skipped entirely and the repo is treated as private (the safe default).
Platform support
| Platform | Status |
|---|---|
| macOS arm64 | supported |
| Linux x86_64 | supported |
| anything else | not yet — email [email protected] |
Next steps
- Gate pull requests: GitHub App
- Guard AI-agent edits before they land: Claude Code integration
- Every command and flag: CLI reference
- Why you can trust the verdict: Determinism and the proof dashboard

