DACIP DACIP

Quickstart

DACIP runs against any public GitHub repo clone with no sign-up and no license. Analysis happens entirely on your machine; your source never leaves it.

Run it without installing

Pick whichever launcher you already have:

uvx dacip investigate "api contract audit"
# or
npx dacip investigate "api contract audit"

Both are small MIT launchers that download the DACIP engine binary for your platform, verify its SHA256, cache it, and run it. Subsequent runs on public repos are fully offline.

Or install the binary

curl -fsSL https://dacip.dev/install.sh | sh

The installer detects your platform, downloads the trial binary, verifies its SHA256 against the published checksum (and refuses to run it on a mismatch), and installs to ~/.local/bin/dacip.

It also provisions the TypeScript analyzer once via dacip toolchain install-ts. This needs Node.js: without it, TypeScript/JavaScript call extraction is unavailable and cross-stack findings lose the frontend side. DACIP will say so in its output rather than pass silently — the run emits a TS_ANALYZER_UNAVAILABLE diagnostic instead of pretending the frontend was checked.

Your first finding

Clone any public GitHub repo (or use one you already have), then:

cd <public repo clone>
dacip investigate "api contract audit"

A cold run takes seconds on a mid-size repo — 2s on redash, ~15s median across the nine repos on the proof dashboard, ~131s on the posthog monorepo (25k files), all re-measured nightly. Install-to-first-real-finding on a cold redash clone: about 30 seconds total. The result is JSON on stdout:

{
  "report": ".dacip/runs/<id>/report.md",
  "baselined": 0,
  "defects_new": 1,
  "recurring": 0,
  "resolved": 0,
  "observations": 4,
  "coverage": { "...": "..." }
}
  • defects_new is the count of asserted defects — things DACIP claims are broken, each with the exact call site and, where possible, a runnable repro.
  • The full report lands at .dacip/runs/<id>/report.md, alongside findings.json, evidence.json, coverage.json, and generated repro files. The <id> is deterministic per objective and repo, so re-runs overwrite in place.
  • Exit code is 1 when new or recurring defects exist, 0 otherwise — usable directly in CI.

Read the coverage block. It lists what DACIP could not resolve, not just what it checked — silence is never presented as safety. See Coverage for how to read it, and Boundaries for what the 22 analyzers actually check.

Private repos

Public repos are free forever. One private repo is free after sign-in:

dacip login

This runs a GitHub device flow (open a URL, enter a code). The only data that leaves your machine is your GitHub username and an opaque hash of the repo's origin URL — never source, file names, or findings. Details in Licensing; team pricing ($15 per active contributor) is on the landing page.

If a public repo asks you to log in

Public-repo detection requires that your clone's HEAD commit exists in the public remote — this stops the gate being fooled by pointing origin at an unrelated public repo. A stale checkout, or local commits you haven't pushed, will get the login prompt. git pull, or check out a pushed commit, and run again. With DACIP_OFFLINE=1 the check is skipped entirely and the repo is treated as private (the safe default).

Platform support

Platform Status
macOS arm64 supported
Linux x86_64 supported
anything else not yet — email [email protected]

Next steps