Trie

A guardian agent that follows you from Cursor to CI/CD and everything in between. Trie watches your codebases, remembers what broke before, and warns you before you ship something risky.

Download the Trie workspace: https://www.trie.dev
Follow me on X: https://x.com/louiskishfy

Why Trie Exists

I shipped consumer apps that gained traction quickly with Cursor and Claude Code—real users, paying customers. AI-generated code helped me move fast, but it became a nightmare to maintain as one person. I'd fix something and forget why. The same bugs came back. My codebase grew faster than my memory of it. I burned through tokens like no tomorrow.

I realized I needed something to watch over my projects so I could maintain them alone. A guardian that remembers what broke, warns me before I ship something risky, and doesn't require me to re-explain context every time I switch tools.

I use Cursor, CLI, GitHub Actions—sometimes all in the same hour. It seemed ridiculous that my context couldn't follow me. Every tool had its own silo. I'd teach one thing to my IDE and lose it when I pushed to CI.

So I built Trie with a few principles:

Memory that travels with git. The .trie/ directory commits to your repo. Same incident history, same patterns, same risk scores—whether you're in Cursor, VS Code, CLI, or CI/CD. No external service. No re-explaining. Your context is yours.

One guardian, not a committee. Skills, on their own, have no unified view. Trie has 26 specialized skills, but they all feed into one guardian agent that knows the full picture. One brain that watches, learns, and warns. You can also add skills from any repo you find online.

Fast enough for git hooks. I chose a trie data structure because I needed O(m) lookups that don't slow down my workflow. File paths as tree branches. Hot zones light up where problems cluster. Under 10ms for pattern matching, under 500ms for pre-push checks.

Plain English. When I'm tired at 2am and a user reports a bug, I don't want to parse cryptic linter output. Trie speaks like a teammate: "This file broke twice last month. The auth changes look risky. Maybe add a test before pushing."

Trie is the guardian I wished I had when my apps took off and I was alone trying to keep them running in the middle of the night. I hope this helps you! @ me on X for feedback and requests.

Key Capabilities

Memory that travels:

• .trie/ directory committed to git = your project's incident history, patterns, and risk scores
• Same context in Cursor, Claude Code, VS Code, CLI, and GitHub Actions
• Cross-project learning: patterns discovered across all your projects inform each new one
• No re-explaining. Trie knows what broke before, everywhere you work.

Autonomous guardian:

• Watches: Git hooks, file watchers, proactive nudging—acts without being asked
• Remembers: trie tell "users can't log in" builds a searchable memory tree
• Learns: After 3+ incidents, discovers patterns automatically. Confidence adjusts with feedback.
• Warns: trie check runs < 500ms before push, no LLM calls in hooks
• Speaks plain English: Non-technical founders understand every warning

Technical foundation:

• Trie data structure for O(m) lookups, prefix search, hot zone detection—all under 10ms
• SQLite for detailed incident history and relationships
• BM25 search for intelligent memory queries
• Bayesian confidence updates for continuous improvement

Trie's memory is a tree. The more incidents you report, the smarter the tree gets. Hot paths = risky areas.

At a Glance

• Context that travels: .trie/ directory = single source of truth. Cursor → CLI → CI/CD → back to Cursor. Same memory everywhere.
• Cross-project learning: Patterns discovered across all your projects. Fix a SQL injection in Project A, Trie warns about similar patterns in Project B.
• Core commands: trie init (bootstrap + hooks), trie check (risk review before push), trie tell "<incident>" (build memory), trie ok/trie bad (feedback), trie status (health score).
• Guardian agent: ONE agent that watches, learns, and warns. It has goals, observes changes, reasons about risk, and nudges you in plain English.
• Built-in skills: 26 specialized analyzers (security, privacy, SOC2, accessibility, etc.) that the guardian uses when appropriate.
• MCP integration: trie_scan, trie_check, trie_tell, trie_fix, trie_explain, trie_memory, trie_context—all return plain English.
• Memory structure: Prefix tree (trie) for O(m) file lookups + SQLite for detailed history. Fast enough for git hooks (< 500ms).
• Learning loop: Confidence updates, pattern discovery, co-occurrence detection—all powered by trie traversal (< 10ms).

What's New

Guardian Agent

• Autonomous observation: Git hooks (pre-commit, pre-push), file watchers, proactive nudging
• Memory tree: Trie data structure for O(m) file lookups + SQLite for detailed incident history
• Learning loop: Bayesian confidence updates, automatic pattern discovery (3+ incidents), co-occurrence detection
• Plain English warnings: Comprehensive glossary (690 lines, 200+ terms), context-aware explanations
• Fast hooks: trie check completes in < 500ms (no LLM calls in git hooks)
• Feedback system: trie ok/trie bad for thumbs up/down, adjusts confidence in real-time

Core Workflow

# Report an incident
$ trie tell "users can't log in after my push"
📝 Got it. Linked to auth/login.ts. Next time you change this file, I'll warn you.

# Before pushing
$ git push
🛡️ Trie: Hold on...
   
   You're changing auth/login.ts
   This file has broken 2 times before.
   
   Last time (Jan 15): 3 users couldn't log in for 2 hours
   
   My suggestion: Test the login flow before pushing.
   
   Risk: HIGH

# Give feedback
$ trie ok    # Warning was helpful
$ trie bad   # Warning was not helpful

Built-in Skills (Terminology Update)

• Built-in analyzers now live in src/skills/built-in/ and extend BaseSkill
• The guardian agent (singular) decides when to invoke skills based on risk and context
• Skills provide specialized analysis; the agent provides autonomous behavior

Table of Contents

• Why Trie
• At a Glance
• What's New
• The Guardian Architecture
• Features
• Quick Start
• The Guardian Workflow
• Common Questions
• What Each Skill Does
• MCP Tools
• CLI Commands
• Built-in Skills
  • Accessibility Skill (v2.0)
  • Moneybags Skill
  • Legal Skill (v2.0)
  • Design Engineer Skill (v2.0)
• Special Skills
• Custom Skills
• External Skills
• Bootstrap System
• Issue Memory
• Project Info Registry
• AI-Enhanced Mode
• VS Code Extension
• CI/CD Integration
• Configuration
• License

The Guardian Architecture

Trie is truly agentic—it's not just a collection of linters. Here's what makes it an agent:

| Property | How It Works | Why It's Agentic | |----------|--------------|------------------| | Goals | "Keep the app safe", "Prevent incidents" | Pursues objectives without step-by-step direction | | Observation | Git hooks, file watchers, CI events | Acts proactively, not just when asked | | Reasoning | Queries context graph for history/patterns, calculates risk | Uses memory to understand situations | | Action | Warns, explains, suggests, blocks, escalates | Takes action autonomously in plain English | | Learning | Tracks outcomes, adjusts confidence, discovers patterns | Improves from experience |

The Memory Tree

src/
  auth/
    login.ts → [3 incidents, confidence: 85%, last: Jan 15]
    session.ts → [1 incident, confidence: 45%, last: Dec 20]
  payment/
    checkout.ts → [5 incidents, confidence: 92%, last: Jan 10]
    stripe.ts → [2 incidents, confidence: 60%, last: Jan 8]

This enables:

• O(m) lookups: Check if auth/login.ts is risky in < 1ms
• Prefix matching: Find all incidents in auth/* in < 5ms
• Hot zone detection: Identify risky directories in < 10ms
• Pattern discovery: Walk the tree, find patterns naturally in < 10ms
• Auto-complete: trie tell "auth" → suggests files instantly

Performance

| Operation | Target | Why It Matters | |-----------|--------|----------------| | trie check (pre-push hook) | < 500ms | Developers won't bypass slow hooks | | File risk lookup | < 1ms | Real-time feedback while coding | | Directory incident count | < 5ms | Instant hot zone detection | | Pattern discovery | < 10ms | Continuous learning without blocking |

What Makes This Different

Most "agents" are just prompt chains. Trie is different because:

1. Autonomous behavior: Watches your changes continuously via hooks, not just when asked
2. Persistent memory that travels: .trie/ directory follows your code. Same context in Cursor, CLI, CI/CD, VS Code—no re-explaining
3. Cross-project learning: Fix a pattern in one project, Trie warns about it in all future projects
4. Proactive guidance: Warns before you push, nudges during editing, explains in plain English
5. Continuous learning: Gets noticeably better after 10 incidents. Confidence adjusts with every trie ok/trie bad
6. Instant lookups: Trie data structure + SQLite = O(m) file lookups (< 1ms), pattern discovery (< 10ms)

Trie's job is to be your guardian angel—watching over your shoulder, warning you about danger, and getting smarter every time something goes wrong.

Context That Travels

The .trie/ directory is your project's memory:

your-project/
├── .trie/
│   ├── memory/
│   │   ├── issues.json        # All incidents with BM25 search
│   │   ├── patterns.json      # Discovered patterns (3+ incidents)
│   │   └── 2024-01-15.md      # Daily logs
│   ├── context.db             # SQLite graph (files, changes, incidents)
│   └── config.json            # Guardian configuration
├── .git/
└── src/

This directory is committed to git, which means:

| Scenario | What Happens | |----------|--------------| | Work in Cursor | Report incident with trie tell, memory updates | | Switch to CLI | Run trie check → same memory, same patterns | | Push to GitHub | CI reads .trie/ → focused checks on known problem areas | | Teammate pulls | Gets your incident history, patterns, risk scores | | Clone on laptop | Full context restored from .trie/ directory | | Open in VS Code | Same guardian, same warnings, same memory |

Cross-project learning:

~/.trie/memory/global-patterns.json

Trie tracks patterns across ALL your projects. When you fix a SQL injection in Project A, Trie remembers. When you start Project B, it warns about similar patterns immediately—even if Project B has never seen that specific issue.

Features

Core Capabilities

| Feature | Description | |---------|-------------| | Context That Travels | .trie/ directory committed to git = same memory in Cursor, CLI, CI/CD, VS Code. No re-explaining. | | Cross-Project Learning | Global pattern tracking. Fix SQL injection in Project A → Trie warns in Project B. | | 26 Built-in Skills | Security, Privacy, SOC 2, Legal, Architecture, Performance, E2E, Visual QA, Data Flow, Moneybags, Production Ready, and more | | Autonomous Observation | Git hooks, file watchers, proactive nudging—acts without being asked | | Learning Loop | Bayesian confidence updates, automatic pattern discovery (3+ incidents), trie ok/trie bad feedback | | Instant Performance | Trie data structure: < 1ms file lookups, < 10ms pattern discovery, < 500ms git hooks |

Performance & Execution

| Feature | Description | |---------|-------------| | Parallel Execution | True parallel execution with worker threads—3-5x faster scans | | Result Caching | File-based caching with SHA256 hashing—70% faster repeated scans | | Smart Triaging | Activates skills based on code context, issue history, and memory patterns | | Streaming Progress | Real-time progress updates as skills complete |

Developer Experience

| Feature | Description | |---------|-------------| | Plain English | 690-line glossary translates jargon. Non-technical founders understand every warning. | | Watch Mode | Proactive nudging while you code (optional) | | Custom Skills | Create skills from PDFs, docs, or style guides | | External Skills | Install capabilities from Vercel, Anthropic, Expo, Stripe, 150+ skills across 12 categories | | Works Everywhere | Cursor, Claude Code, OpenCode, VS Code, CLI, CI/CD—adapts output automatically | | AI-Enhanced Mode | Optional deeper analysis with ANTHROPIC_API_KEY |

Integrations

| Feature | Description | |---------|-------------| | MCP Protocol | Native integration with Cursor, Claude Code, and all MCP-compatible tools | | CI/CD Integration | GitHub Actions, pre-commit hooks, SARIF output for GitHub Security tab | | VS Code Extension | Inline diagnostics, quick-fix code actions, scan on save |

Quick Start

Step 1: Install Node.js (if you don't have it)

Trie requires Node.js. Check if you have it by opening Terminal (Mac) or Command Prompt (Windows):

node --version

If you see a version number (like v18.0.0), skip to Step 2. If not:

• Mac: Download from nodejs.org or run brew install node
• Windows: Download from nodejs.org

Step 2: Set Up Trie in Your AI Coding Tool

Pick the tool you use:

1. Open Cursor
2. Press Cmd+Shift+P (Mac) or Ctrl+Shift+P (Windows)
3. Type "settings" and select Cursor Settings
4. Click MCP in the left sidebar
5. Click Add MCP Server
6. Paste this configuration:

{
  "mcpServers": {
    "Trie": {
      "command": "npx",
      "args": ["@triedotdev/mcp"]
    }
  }
}

7. Restart Cursor (Cmd+Q and reopen, or Ctrl+Q on Windows)

That's it! Trie is now connected.

1. Open Claude Code
2. Open the terminal inside Claude Code
3. Run this command:

claude mcp add Trie --scope user -- npx @triedotdev/mcp

4. Restart Claude Code

That's it! Trie is now connected.

Most MCP-compatible tools have a settings page for MCP servers. Add:

• Command: npx
• Arguments: @triedotdev/mcp

Or in JSON format:

{
  "command": "npx",
  "args": ["@triedotdev/mcp"]
}

Step 3: Run Your First Scan

Open your project in Cursor or Claude Code and type in the chat:

Scan my code with Trie

Trie will:

1. Analyze your entire codebase
2. Pick the right checks based on what your code does (payments, auth, user data, etc.)
3. Show you a prioritized list of issues

Example output:

🔺 Trie Agent Scan Complete

Scanned: 5 agents | Time: 12.3s | Risk: MEDIUM

🎯 3 Issues Found

🔴 Critical (1)
---
Missing authentication on payment endpoint

📍 src/api/checkout.ts:47

Fix: Add auth middleware before processing payment

Step 4: Fix Issues

For each issue, you can:

Option A: Ask your AI to fix it

Fix the authentication issue in checkout.ts that Trie found

Option B: Use Trie's auto-fix (for high-confidence fixes)

Run trie_fix to apply safe fixes

Option C: Get more details first

Explain the checkout.ts security issue

The Guardian Workflow

Trie is ONE agent with autonomous behavior. Here's how it works day-to-day.

Teaching the Guardian

When something breaks, tell Trie:

$ trie tell "users can't log in after my last push"

📝 Got it. I'll remember that changes to auth/ caused this.
   Next time you change those files, I'll warn you.

The guardian:

1. Links the incident to recent changes (git history)
2. Adds the incident to its memory tree (trie data structure)
3. Updates file risk scores
4. Discovers patterns after 3+ similar incidents

Before You Push

$ git push

🛡️ Trie: Hold on...

   You're changing auth/login.ts
   📊 This file has broken 2 times before.
   
   Last time (Jan 15): 3 users couldn't log in for 2 hours
   
   🌳 Pattern: auth/ is becoming a hot zone
   
   My suggestion: Test login AND session behavior
   (These files often break together)
   
   Risk: HIGH
   
   [Continue] [Cancel]

The check runs in < 500ms:

1. Trie lookup (< 1ms): Finds file incident history
2. Prefix search (< 1ms): Checks directory-level patterns
3. Hot zone detection (< 5ms): Identifies risky areas
4. Co-occurrence check (< 10ms): Files that break together
5. Generate warning (< 50ms): Plain English explanation

Giving Feedback

# Warning was helpful
$ trie ok

# Warning was not helpful (false positive)
$ trie bad

This updates pattern confidence immediately. The agent gets smarter.

Checking Health

$ trie status

🌳 Your codebase memory tree:

Hot zones (3+ incidents):
  🔥 auth/ (3 incidents across 2 files)
     ├─ login.ts (2 incidents)
     └─ session.ts (1 incident)

Files that break together:
  🔗 auth/login.ts ↔ auth/session.ts (67% co-occurrence)

Safest areas (0 incidents):
  ✅ components/
  ✅ utils/
  ✅ api/

The Memory Tree

Trie's memory is a prefix tree of your codebase's failure patterns:

src/
  auth/
    login.ts → [3 incidents, confidence: 85%, last: Jan 15]
    session.ts → [1 incident, confidence: 45%, last: Dec 20]
  payment/
    checkout.ts → [5 incidents, confidence: 92%, last: Jan 10]

This makes lookups instant (O(m) where m = path length) and enables:

• Prefix matching: "Find all incidents in auth/*" → < 1ms
• Hot zone detection: "Which directories have 3+ incidents?" → < 10ms
• Auto-complete: trie tell "auth" → suggests auth/login.ts, auth/session.ts
• Pattern discovery: Walk the tree, find hot paths naturally → < 10ms

Common Questions

Trie uses Bayesian confidence updates. When you report an incident (trie tell), it:

1. Links the incident to recent changes (git history)
2. Adds it to the memory tree (trie data structure)
3. Updates file risk scores
4. After 3+ similar incidents, discovers patterns automatically

When you give feedback (trie ok / trie bad), confidence adjusts immediately. False positives decrease a pattern's confidence; true positives increase it.

No. Trie scans and suggests—it never edits code on its own. You stay in control.

What Trie does:

• Warn about risky changes
• Explain past incidents
• Suggest what to test
• Flag security issues

What about trie_fix?

trie_fix generates fix prompts that guide your AI assistant (Claude, Cursor) to apply changes. The AI does the editing, not Trie. You review and approve every change through your normal workflow.

What Trie doesn't do:

• Edit files directly
• Create pull requests automatically
• Run arbitrary commands
• Make changes without your review

Ask for an explanation:

$ trie explain

🛡️ Detailed Explanation

You changed: auth/login.ts

History:
• Jan 15, 2024: 3 users couldn't log in for 2 hours
  - You changed session timeout logic
  - Users got logged out unexpectedly  
  - Had to roll back

• Dec 20, 2023: Login button stopped working
  - Missing null check on user object
  - 5 users affected

Pattern: auth/ directory has 3 total incidents
Files that break together: login.ts ↔ session.ts (67% of the time)

My suggestion: Test both login AND session behavior together

Everything is in plain English. No jargon.

Yes. The core guardian works entirely offline:

• trie check in git hooks (< 500ms, no network)
• Pattern matching and risk scoring (local database)
• Memory queries (trie + SQLite, all local)

The built-in skills can optionally use AI for deeper analysis when you have an API key, but it's not required.

Add this file to your repo at .github/workflows/trie.yml:

name: Trie Guardian
on: [push, pull_request]

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Need history for incident context
      
      - uses: triedotdev/trie-action@v1
        with:
          # Fast check on every push
          command: check
          fail-on: critical

The guardian reads your project's .trie/ directory (incidents, patterns, memory) and uses that context in CI.

What Each Skill Does (Plain English)

| When You Ask | What It Checks | Why It Matters | |--------------|----------------|----------------| | "Run security scan" | Login/password handling, data exposure, hack vulnerabilities | Prevents your app from being hacked | | "Run privacy scan" | User data handling, GDPR/CCPA compliance | Avoids fines up to $10,000+ per violation | | "Run bugs scan" | Logic errors, edge cases, crash points | Prevents app crashes for users | | "Run performance scan" | Slow queries, memory leaks, scaling issues | App stays fast with 1000+ users | | "Run legal scan" | Terms of service, license compliance, regulations | Avoids lawsuits | | "Run design scan" | UI patterns, accessibility, UX issues | Better user experience | | "Run accessibility scan" | WCAG 2.1 AA compliance, screen reader support | Makes your app usable by everyone | | "Run production-ready scan" | Health endpoints, graceful shutdown, security headers | Confirms you're ready to ship | | "Run moneybags scan" | Dollar cost of bugs at your user scale | Shows ROI of fixing issues now vs later |

MCP Tools

These tools are available when using Trie via MCP (Cursor, Claude Code, etc.).

Scanning & Analysis

| Tool | Description | |------|-------------| | trie_scan | Full scan with intelligent skill selection | | trie_watch | Watch mode—proactive nudging as you code | | trie_check | Quick risk check before push (< 500ms, no LLM) | | trie_fix | Generate fix recommendations for detected issues | | trie_explain | Explain code, issues, or changes in plain language |

Memory & Learning

| Tool | Description | |------|-------------| | trie_tell | Report an incident to build the agent's memory | | trie_feedback | Give thumbs up/down on warnings (updates confidence) | | trie_memory | Search and manage issue memory across projects | | trie_context | Read full context (memory + patterns + history) | | trie_checkpoint | Quick save context without running a full scan |

Project & Configuration

| Tool | Description | |------|-------------| | trie_init | Initialize bootstrap files, detect stack, suggest skills | | trie_project | View and manage project info (.trie/PROJECT.md) | | trie_reconcile | Sync from context.json after rebases or multi-device edits |

Security & Compliance Skills

| Tool | What It Analyzes | |------|------------------| | trie_security | SQL injection, XSS, hardcoded secrets, auth bypasses, OWASP Top 10 | | trie_privacy | GDPR/CCPA/PCI-DSS compliance, PII exposure, logging sensitive data | | trie_soc2 | Access control gaps, missing audit logs, encryption issues | | trie_legal | Licensing, ToS, accessibility, IP, GDPR/CCPA, e-commerce, marketing, COPPA |

Code Quality Skills

| Tool | What It Analyzes | |------|------------------| | trie_bugs | Null safety, edge cases, async issues, race conditions | | trie_types | Type errors, missing annotations, null checks | | trie_architecture | Code organization, SOLID principles, N+1 queries, scalability | | trie_performance | Memory leaks, inefficient algorithms, bundle size | | trie_test | Missing test coverage, test quality, edge case coverage | | trie_clean | Clean up AI-generated "vibe code": find common mistakes and quick fixes |

UI/UX Skills

| Tool | What It Analyzes | |------|------------------| | trie_accessibility | WCAG 2.1 AA: icon-only buttons, touch targets, heading levels, ARIA validation, 20+ checks | | trie_design | AI slop detection, verified token systems, contrast validation, design health scoring | | trie_ux | User testing simulations: happy path, security tester, confused user, impatient user | | trie_visual_qa | Visual regression, responsive design, cross-browser issues | | trie_e2e | End-to-end test coverage, user flow validation |

Operations Skills

| Tool | What It Analyzes | |------|------------------| | trie_devops | Config issues, logging, environment variables, deployment patterns | | trie_data_flow | Data flow analysis, state management, API contracts | | trie_production_ready | Production gate: health endpoints, graceful shutdown, security headers, rate limiting | | trie_moneybags | 💰 Estimates dollar cost of bugs scaled to your user count | | trie_comprehension | Plain language explanations for non-technical stakeholders |

Special Skills (Manually Invoked)

| Tool | Description | |------|-------------| | trie_super_reviewer | Interactive PR reviews: walks through changes file-by-file with AI guidance | | trie_agent_smith | Ultimate AI code enforcer—43 specialized hunters targeting AI-generated anti-patterns |

Custom & External Skills

| Tool | Description | |------|-------------| | trie_create_skill | Create a custom skill from a PDF, TXT, or MD document | | trie_save_skill | Save a custom skill configuration | | trie_list_skills | List all installed skills (external and custom) | | trie_skill_review | Apply installed external/custom skills to code review |

CLI Commands

# Bootstrap (installs git hooks, detects stack, suggests skills)
trie init

# Report an incident (builds memory)
trie tell "users can't log in after my push"

# Quick check before pushing (< 500ms, no LLM)
trie check

# Give feedback on last warning
trie ok      # Helpful - increases confidence
trie bad     # Not helpful - decreases confidence

# Pause warnings for 1 hour
trie quiet

# View memory tree, patterns, and health
trie status

# Full scan with intelligent skill selection
trie scan

# Scan specific directory
trie scan --dir ./src

# Scan with specific skills
trie scan --skills security,privacy,bugs

# Watch mode (proactive nudging while you code)
trie watch

# Output JSON report
trie scan --format json --output report.json

# Quick save (checkpoint without full scan)
trie checkpoint "finished auth flow"

# Search issue memory
trie memory search "SQL injection"

# View cross-project patterns
trie memory global patterns

# List available skills
trie skills list

# Browse skill categories (150+ skills across 12 categories)
trie skills list categories

# Install an external skill
trie skills add vercel-labs/agent-skills vercel-react-best-practices

CLI vs MCP Tools

| Use Case | Tool | When to Use | |----------|------|-------------| | Interactive coding | MCP tools (trie_scan, trie_check, trie_tell) | Working inside Cursor/Claude Code | | Terminal/CI | CLI (trie scan, trie check, trie tell) | Running from terminal, CI pipelines, scripts | | VS Code | VS Code extension | Using VS Code (not Cursor/Claude Code) |

Built-in Skills

Trie has ONE guardian agent that decides when to invoke these specialized analyzers (skills).

Security & Compliance (4 skills)

| Skill | Description | |-------|-------------| | Security | SQL injection, XSS, hardcoded secrets, auth bypasses, OWASP Top 10 | | Privacy | GDPR/CCPA/PCI-DSS compliance, PII exposure, data encryption | | SOC 2 | Access control gaps, missing audit logs, encryption, secrets management | | Legal | Comprehensive app legal: licensing, ToS, accessibility, IP, GDPR/CCPA, e-commerce, COPPA, marketing compliance |

Code Quality (6 skills)

| Skill | Description | |-------|-------------| | TypeCheck | Type errors, missing annotations, null checks | | Bug Finding | Null safety, edge cases, async issues, race conditions | | Software Architect | Code organization, SOLID principles, N+1 queries, scalability | | Test | Missing test coverage, test quality, edge case coverage | | Performance | Memory leaks, inefficient algorithms, bundle size | | Trie Clean | Clean up AI-generated "vibe code": find common mistakes and quick fixes |

UI/UX (5 skills)

| Skill | Description | |-------|-------------| | Accessibility | WCAG 2.1 AA compliance: icon-only buttons, touch targets, heading levels, ARIA validation, color-only indicators, keyboard nav, focus management, 20+ checks | | Design Engineer | AI slop detection, verified token systems, contrast validation, design health scoring, domain-aware recommendations | | User Testing | Simulate happy path, security tester, confused user, impatient user | | Visual QA | Visual regression, responsive design, cross-browser issues | | E2E | End-to-end test coverage, user flow validation |

Operations (6 skills)

| Skill | Description | |-------|-------------| | DevOps | Config issues, logging, environment variables, deployment patterns | | Data Flow | Data flow analysis, state management, API contracts | | Comprehension | Plain language explanations for non-technical stakeholders | | Moneybags | 💰 Estimates dollar cost of bugs scaled to your user count (default: 250). Use --users to configure | | Production Ready | 🚀 Production gate: health endpoints, graceful shutdown, connection pooling, security headers, rate limiting, monitoring | | Skill Review | Applies external and custom skills to code review |

Accessibility Skill (v2.0)

The Accessibility Skill has been completely rebuilt to provide comprehensive WCAG 2.1 AA compliance checking—matching and exceeding tools like rams.ai, axe-core, and Lighthouse.

Severity Levels

| Level | Description | Examples | |-------|-------------|----------| | Critical | Blocks access entirely | Images without alt, icon-only buttons without labels, empty links | | Serious | Significantly impairs access | Focus outline removed, positive tabIndex, missing ARIA attributes | | Moderate | Creates barriers | Skipped headings, color-only indicators, small touch targets | | Low | Best practices | Missing semantic elements, external link warnings |

What It Detects

Critical Issues

| Issue | WCAG | Description | |-------|------|-------------| | Images without alt text | 1.1.1 | Screen readers cannot describe the image | | Icon-only buttons missing aria-label | 4.1.2 | Screen readers announce "button" with no purpose | | Non-semantic click handlers | 2.1.1 | div onClick without keyboard support blocks keyboard users | | Empty links | 2.4.4 | Links with no text content are unusable | | Links without href | 2.4.4 | Anchor elements must have destinations |

Serious Issues

| Issue | WCAG | Description | |-------|------|-------------| | Focus outline removed | 2.4.7 | outline: none without replacement hides keyboard focus | | Positive tabIndex values | 2.4.3 | tabIndex={5} disrupts natural tab order | | Role without required ARIA | 4.1.2 | role="slider" needs aria-valuenow, aria-valuemin, aria-valuemax | | Form inputs without labels | 1.3.1 | Inputs must have associated labels or aria-label | | Color-only status indicators | 1.4.1 | Red/green for error/success excludes colorblind users | | Placeholder as only label | 3.3.2 | Placeholder disappears when user types | | Modal without Escape key | 2.1.2 | Keyboard users may be trapped in modal |

Moderate Issues

| Issue | WCAG | Description | |-------|------|-------------| | Skipped heading levels | 2.4.6 | h1 → h3 confuses screen reader navigation | | First heading not h1 | 2.4.6 | Pages should start with h1 | | Touch targets under 24px | 2.5.8 | Minimum 24×24px for WCAG AA | | Missing autocomplete | 1.3.5 | Helps users fill forms faster | | Generic link text | 2.4.4 | "Click here" is meaningless out of context | | Missing prefers-reduced-motion | 2.3.3 | Animations can trigger vestibular disorders | | Status messages without aria-live | 4.1.3 | Toasts/alerts not announced to screen readers |

Low Issues

| Issue | WCAG | Description | |-------|------|-------------| | Touch targets under 44px | 2.5.5 | Recommended 44×44px for AAA | | Missing semantic elements | 1.3.1 | <div class="nav"> should be <nav> | | External links without warning | 3.2.5 | target="_blank" should indicate new window | | Disabled elements without explanation | — | Users need to know why action is unavailable |

ARIA Validation

The agent validates that ARIA roles have their required attributes:

| Role | Required Attributes | |------|---------------------| | checkbox | aria-checked | | slider | aria-valuenow, aria-valuemin, aria-valuemax | | combobox | aria-expanded, aria-controls | | progressbar | aria-valuenow, aria-valuemin, aria-valuemax | | tab | aria-selected | | switch | aria-checked |

Accessibility Score

Each scan produces an Accessibility Score (0-100) based on issue severity:

═══════════════════════════════════════════════════
ACCESSIBILITY REVIEW: src/components/
═══════════════════════════════════════════════════

CRITICAL (2 issues)
───────────────────
[A11Y] Line 24: Icon-only button missing accessible name
  <button><CloseIcon /></button>
  Fix: Add aria-label="Close"
  WCAG: 4.1.2 Name, Role, Value

SERIOUS (1 issue)
─────────────────
[A11Y] Line 48: Focus outline removed without replacement
  className="outline-none"
  Fix: Add focus-visible:ring-2 focus-visible:ring-offset-2
  WCAG: 2.4.7 Focus Visible

MODERATE (2 issues)
───────────────────
[A11Y] Line 67: Skipped heading level: h1 to h3
  <h3>Features</h3>
  Fix: Use h2 after h1
  WCAG: 2.4.6 Headings and Labels

═══════════════════════════════════════════════════
SUMMARY: 2 critical, 1 serious, 2 moderate
Score: 55/100
═══════════════════════════════════════════════════

Usage

# Run accessibility scan
trie scan --agents accessibility

# Full UI scan (accessibility + design)
trie scan --agents accessibility,design-engineer

# MCP usage
trie_accessibility

Moneybags Skill

The Moneybags skill answers the question every CFO asks: "How much will this bug cost us?"

Built on industry research from IBM, NIST, Ponemon Institute, and Gartner, it calculates the actual dollar cost of each issue—both the cost to fix now and the cost if it reaches production. Costs scale based on your user count.

User Count Scaling

Costs are scaled based on your app's user count (default: 250 users). Use the --users flag to match your scale:

# Default (250 users - early stage app)
trie scan

# Scale for your app size
trie scan --users 1000      # Growing app
trie scan --users 10000     # Traction
trie scan --users 100000    # Growth stage
trie scan -u 1000000        # Enterprise

| User Count | Multiplier | Stage | |------------|------------|-------| | 50 | 0.3x | MVP | | 250 | 1x | Early stage (default) | | 1,000 | 2x | Growing | | 5,000 | 4x | Traction | | 25,000 | 8x | Scale-up | | 100,000 | 15x | Growth | | 1,000,000+ | 40x | Enterprise |

Cost Model

| Severity | Fix Now | If Production | Multiplier | |----------|---------|---------------|------------| | Critical | $5,000 | $150,000+ | 30x | | Serious | $2,000 | $40,000+ | 20x | | Moderate | $500 | $5,000+ | 10x | | Low | $100 | $500+ | 5x |

Category Multipliers

| Category | Multiplier | Why | |----------|------------|-----| | Payment Bugs | 25x | Direct financial loss, fraud exposure | | Data Loss | 20x | Irrecoverable, legally actionable | | Secrets Exposed | 15x | Immediate rotation + audit required | | SQL Injection | 12x | Full system compromise possible | | Privacy Violations | 10x | GDPR fines up to 4% of revenue | | Auth Bypass | 10x | Complete security failure | | Crashes | 8x | $5,600/minute average downtime |

What It Detects

• Floating-point arithmetic for money (use integer cents!)
• Rounding errors in financial calculations
• Dangerous DELETE/TRUNCATE statements
• Empty catch blocks swallowing errors
• Assignment in conditions (= instead of ===)

Example Output

💰 COST ANALYSIS REPORT
═══════════════════════════════════════
👥 User Scale: 250 users (Early stage)
   └─ Costs scaled 1x from 250 baseline

💵 COST IMPACT
   ├─ Fix now: $3.2k
   ├─ If production: $28k
   └─ Savings by fixing now: $24.8k ⚡

💡 Default: 250 users. Scale with: trie scan --users 10000

Research Sources

• IBM Systems Sciences Institute: Production bugs cost 30x more to fix
• NIST: $15k average production bug fix vs $500 in development
• Ponemon Institute 2023: $4.45M average data breach cost
• Gartner: $5,600/minute average downtime cost

Legal Skill (v2.0)

The Legal Skill has been completely rebuilt to be the most comprehensive legal compliance scanner for app development—covering everything from open source licensing to international data protection.

What It Covers (21 Categories)

License & Open Source

| Issue | Description | |-------|-------------| | GPL/Copyleft Detection | Flags GPL/AGPL code that may require your project to be open-sourced | | AGPL Network Use | Critical warning for AGPL's SaaS/network copyleft provisions | | License Headers | Missing SPDX identifiers in source files | | Dependency Audit | Recommends license-checker tools for third-party packages | | Attribution Requirements | MIT/BSD/Apache attribution obligations |

Terms & Legal Documents

| Issue | Description | |-------|-------------| | Missing ToS | User registration without Terms of Service reference | | Pre-checked Consent | ToS acceptance boxes that are pre-checked (unenforceable) | | Privacy Policy | Data collection without privacy policy disclosure | | CalOPPA | California Online Privacy Protection Act requirements |

Third-Party & API Compliance

| Issue | Description | |-------|-------------| | API Terms | Detects OpenAI, Stripe, Meta, Google, Twilio, AWS, YouTube usage | | Font Licensing | Flags font files that may require commercial licenses | | Stock Assets | Attribution requirements for Unsplash, Pexels, etc. |

Intellectual Property

| Issue | Description | |-------|-------------| | Code Attribution | Stack Overflow code (CC BY-SA), copied code comments | | Trademark Usage | Apple, Google, Microsoft, Amazon brand guideline compliance |

Accessibility (Legal)

| Issue | Description | |-------|-------------| | ADA/Section 508 | Images without alt text, keyboard accessibility | | WCAG Violations | Color-only indicators, missing video captions |

Data Protection

| Issue | Description | |-------|-------------| | GDPR/CCPA | Consent management, data portability, right to erasure | | Analytics Consent | Tracking scripts without cookie consent | | Data Retention | Missing retention policies and deletion procedures |

E-Commerce & Payments

| Issue | Description | |-------|-------------| | PCI DSS | Direct card handling instead of tokenization (Stripe, etc.) | | Price Transparency | Hidden taxes/fees before checkout | | Subscription Cancellation | FTC Click-to-Cancel Rule compliance | | Refund Policy | Missing return/refund policy disclosure |

Marketing & Advertising

| Issue | Description | |-------|-------------| | CAN-SPAM | Marketing emails without unsubscribe mechanism | | TCPA | SMS marketing without express written consent | | FTC Disclosure | Affiliate links, sponsored content without disclosure | | Fake Reviews | Synthetic/AI-generated testimonials |

Age & Child Safety

| Issue | Description | |-------|-------------| | COPPA | Child-directed content without parental consent | | Age Verification | Alcohol, gambling, adult content without age gates |

Export & International

| Issue | Description | |-------|-------------| | Export Controls (EAR) | Strong encryption with international distribution | | OFAC Sanctions | Missing sanctions screening for international users | | GDPR (EU) | EU market without GDPR compliance | | LGPD (Brazil) | Brazil market without LGPD compliance | | Cross-Border Transfers | International data transfers without SCCs |

User Content & Moderation

| Issue | Description | |-------|-------------| | Content Moderation | User-generated content without moderation system | | DMCA Safe Harbor | File uploads without takedown procedures |

Contracts & Liability

| Issue | Description | |-------|-------------| | Clickwrap Enforceability | Agreement acceptance without scroll/read verification | | Consent Recording | Terms acceptance without timestamp/version logging | | Warranty Disclaimers | Missing "AS IS" and limitation of liability | | Security Disclosure | Missing security.txt or vulnerability disclosure process |

Severity Levels

| Level | Examples | |-------|----------| | Critical | AGPL in SaaS, PCI violations, TCPA SMS marketing, fake reviews | | Serious | Missing ToS, no consent management, CAN-SPAM violations, COPPA | | Moderate | Missing data portability, license attribution, content moderation | | Low | License headers, security.txt, warranty disclaimers |

Design Engineer Skill (v2.0)

The Design Engineer skill has been rebuilt with a comprehensive 5-layer design intelligence architecture to detect "AI slop" and enforce professional design standards.

What It Detects

| Issue | Description | |-------|-------------| | Surface Hierarchy | Dark-on-dark surfaces with <8% lightness delta | | Neon Colors | Oversaturated colors (>80% saturation) that look amateur | | Purple Overuse | >40% violet/purple palette (common AI tell) | | Accent Rainbow | Multiple accent hue families (>1) in same view | | Typography Uniformity | Single font-weight usage lacking hierarchy | | Missing Modern Fonts | System-only font stacks without Inter/Geist | | Magic Numbers | Spacing values not on 4px grid | | Low Contrast | Text failing WCAG AA (4.5:1 ratio) |

Design Health Score

Each scan produces a Design Health Score (0-100) with breakdown:

• Token adoption %
• Contrast compliance %
• Spacing consistency %
• Typography system %
• Surface hierarchy %

Domain-Aware Recommendations

The agent detects your product type and provides tailored guidance:

| Domain | Default Mode | Accent Suggestions | Reference | |--------|--------------|-------------------|-----------| | Fitness | Dark | Orange, Tomato, Amber | Strava, Peloton | | Fintech | Light | Sky, Teal, Grass | Mercury, Stripe | | Creative Tools | Dark | Violet, Pink, Sky | Figma, Linear | | E-commerce | Light | Tomato, Pink, Amber | Shopify, Glossier | | Dashboard | Light | Blue, Indigo, Cyan | Vercel, Linear |

Verified Token Sources

Instead of hardcoding colors, the agent references external sources:

• Radix Colors — radix-ui.com/colors (contrast-guaranteed)
• Tailwind CSS — tailwindcss.com/docs (zinc/slate scales)
• shadcn/ui — ui.shadcn.com (production themes)

Exported Constants

Design tokens are exported for use in other tools:

import {
  DESIGN_TOKEN_SOURCES,
  TYPOGRAPHY_TOKENS,
  SPACING_TOKENS,
  MOTION_DESIGN_TOKENS,
  DOMAIN_DESIGN_RULES,
} from '@triedotdev/mcp/agents/design-engineer';

Special Skills

These skills are manually invoked—they don't run during regular guardian checks.

Super Reviewer

Interactive PR reviews: walks through changes file-by-file with AI guidance.

Run trie_super_reviewer on this PR

Agent Smith

The ultimate AI code enforcer—43 specialized hunters targeting AI-generated anti-patterns. Runs a swarm of sub-agents to find "vibe-coded" patterns.

Run trie_agent_smith on this codebase

Custom Skills

Create your own skills from PDFs, style guides, or documentation. Custom skills are portable review rules that travel with your project—they work in Cursor, Claude Code, CI/CD, and everywhere in between.

Create a Custom Skill

Create a custom skill from my-style-guide.pdf called "brand_guidelines"

Or use the MCP tool directly:

trie_create_skill with filePath: "./docs/style-guide.pdf", skillName: "brand_guidelines"

How It Works

1. Parse — Trie extracts text from your document (PDF, TXT, MD)
2. Compress — AI distills the document into actionable rules
3. Register — The skill is saved to .trie/skills/custom/ and runs automatically during scans

List Custom Skills

trie_list_skills

Custom skills are stored in .trie/skills/custom/ in your project directory.

External Skills

Install reusable capabilities from Vercel, Anthropic, Expo, Stripe, Supabase, or any GitHub repository. Skills are knowledge/instructions that agents apply during code review.

Key Concept: Agents vs Skills

| | Agent (Brain) | Skill (Knowledge) | |---|---------------|-------------------| | Decides when to run | Yes | No - invoked by agent | | Has its own logic | Yes | No - detection patterns | | Makes decisions | Yes | No - follows rules | | Examples | SecurityAgent, TriagerAgent | react-best-practices, brand_guidelines |

Two types of skills:

• External Skills — Installed from GitHub repos (e.g., vercel-labs/agent-skills)
• Custom Skills — Created from your documents (PDFs, style guides, books)

Both skill types are applied by the skill-review agent during scans and travel with your project.

Install a Skill

CLI:

# From Vercel's skills repository
trie-agent skills add vercel-labs/agent-skills vercel-react-best-practices

# From Anthropic's skills
trie-agent skills add anthropics/skills frontend-design

# From any GitHub repo with a SKILL.md
trie-agent skills add myorg/internal-standards code-style

Using MCP (Cursor/Claude Code):

Install the vercel-react-best-practices skill from vercel-labs/agent-skills

Browse Available Skills

Trie includes 150+ skills organized into 12 categories:

# List all categories
trie-agent skills list categories

# Browse skills by category
trie-agent skills list marketing      # 23 skills (SEO, copywriting, CRO, etc.)
trie-agent skills list development    # 25 skills (TDD, debugging, code review, etc.)
trie-agent skills list security       # 10 skills (semgrep, codeql, Trail of Bits, etc.)
trie-agent skills list design         # 9 skills (canvas, brand, UI/UX, etc.)
trie-agent skills list documents      # 5 skills (pdf, xlsx, pptx, docx, etc.)
trie-agent skills list productivity   # 17 skills (meetings, diagrams, READMEs, etc.)

List Installed Skills

trie-agent skills list

Output:

Installed Skills (2):

  vercel-react-best-practices (applied 12x)
    React and Next.js performance optimization
    Source: vercel-labs/agent-skills

  web-design-guidelines (applied 8x)
    Modern web design patterns and accessibility
    Source: vercel-labs/agent-skills

These skills are applied by the skill-review agent during scans.

Explore more: trie skills list categories

How It Works

1. Install - Skills are cloned from GitHub to .trie/skills/
2. Load - The skill-review agent loads installed skills on startup
3. Apply - During scans, the agent applies skill knowledge to code review
4. Track - Usage is recorded in your project context

Remove a Skill

trie-agent skills remove react-best-practices

Skill Format

Skills follow the Agent Skills specification:

skill-name/
  SKILL.md          # Required: YAML frontmatter + instructions
  scripts/          # Optional: executable code
  references/       # Optional: additional docs
  assets/           # Optional: templates, data

Example SKILL.md:

---
name: react-best-practices
description: React and Next.js performance optimization
---

# React Best Practices

## Guidelines
1. Avoid creating components inside render
2. Use React.memo for expensive components
3. Prefer useCallback for event handlers
...

MCP Resource

Access installed skills via MCP:

Read trie://skills

Skill Sources

Skills can come from any GitHub repository with a SKILL.md file:

| Source | Examples | |--------|----------| | Vercel | vercel-react-best-practices, web-design-guidelines | | Anthropic | frontend-design, webapp-testing, mcp-builder, pdf, xlsx, docx | | Expo | building-native-ui, upgrading-expo, expo-deployment (9 skills) | | Stripe | stripe-best-practices | | Better Auth | better-auth-best-practices, create-auth-skill | | Remotion | remotion-best-practices | | Callstack | react-native-best-practices | | Supabase | supabase-postgres-best-practices | | Trail of Bits | semgrep, codeql, secure-workflow-guide (10 skills) | | Vue/Nuxt | vue-best-practices, pinia-best-practices | | Three.js | threejs-fundamentals, threejs-animation (10 skills) | | obra/superpowers | test-driven-development, systematic-debugging (14 skills) | | Marketing | seo-audit, copywriting, pricing-strategy (23 skills) | | Your org | Internal standards, style guides, compliance docs |

Auto-Suggested Skills

When you run trie init, Trie automatically detects your dependencies and suggests relevant skills:

| Dependency | Skills Suggested | |------------|------------------| | next, react | vercel-react-best-practices, web-design-guidelines, frontend-design | | vue, nuxt | vue-best-practices, pinia-best-practices, nuxt skills | | expo | 9 Expo skills (building-native-ui, upgrading-expo, etc.) | | three | 10 Three.js skills (fundamentals, animation, shaders, etc.) | | @supabase/supabase-js | supabase-postgres-best-practices | | stripe | stripe-best-practices | | better-auth | better-auth-best-practices | | playwright | webapp-testing, e2e-testing-patterns | | tailwindcss | tailwind-design-system, responsive-design | | typescript | typescript-advanced-types | | And 20+ more... | Run trie init to see suggestions for your stack |

Skill Gating

Skills can declare requirements in their frontmatter. Only skills whose requirements are met are loaded.

Simple (backwards compatible):

---
name: react-best-practices
description: React and Next.js optimization
requires: [react, next]
---

Extended requirements:

---
name: docker-deploy-skill
description: Docker deployment best practices
requirements:
  deps: [docker-compose]          # npm deps (all required)
  anyDeps: [react, vue, svelte]   # At least one required
  env: [DOCKER_HOST, CI]          # Environment variables
  bins: [docker, kubectl]         # Binaries in PATH
  configFiles: [Dockerfile]       # Files that must exist
---

| Check | What It Does | |-------|--------------| | deps | All listed npm packages must be in package.json | | anyDeps | At least one must be present (OR condition) | | env | Environment variables must be set | | bins | Binaries must be available in PATH | | configFiles | Files must exist in project root |

When you install skills, they're automatically filtered based on your project:

• A React skill with requires: [react] only loads in React projects
• A Docker skill with requirements.bins: [docker] only loads when Docker is installed
• Skills without requirements always load

This prevents irrelevant skills from cluttering your scans.

Bootstrap System

Trie works out of the box - no setup required. Run trie init to optionally create context files for customization.

Files (all optional)

| File | Purpose | |------|---------| | .trie/RULES.md | Your coding standards (edit to customize) | | .trie/TEAM.md | Team ownership and escalation paths | | .trie/PROJECT.md | Project overview and conventions | | .trie/BOOTSTRAP.md | First-run checklist (auto-deleted when complete) |

Initialize

CLI:

trie init

MCP:

trie_init

This auto-detects your stack and suggests relevant skills:

Detected Stack:
  Framework: Next.js 14.0.0
  Language: TypeScript
  Database: Supabase
  Auth: Better Auth

Suggested Skills (based on your stack):
  trie skills add vercel-labs/agent-skills vercel-react-best-practices
  trie skills add vercel-labs/agent-skills web-design-guidelines
  trie skills add supabase/agent-skills supabase-postgres-best-practices
  trie skills add better-auth/skills better-auth-best-practices
  trie skills add wshobson/agents typescript-advanced-types

Explore skill categories:
  trie skills list documents        # 5 skills
  trie skills list marketing        # 23 skills
  trie skills list development      # 25 skills
  trie skills list security         # 10 skills
  trie skills list productivity     # 17 skills
  trie skills list categories       # see all 12 categories

Browse all skills: https://skills.sh

Commands

# Initialize bootstrap files
trie init

# Check bootstrap status
trie init status

# Mark bootstrap complete (deletes BOOTSTRAP.md)
trie init complete

MCP Resources

trie://bootstrap    # Bootstrap status
trie://rules        # User-defined coding standards
trie://team         # Team ownership info

Issue Memory

Trie stores all detected incidents for search, pattern discovery, and cross-project learning. Uses BM25 ranking (same algorithm as Elasticsearch) for intelligent search.

Local Memory (.trie/memory/)

Incidents from each trie tell command are stored locally:

• issues.json - Searchable incident index with BM25 ranking
• patterns.json - Discovered patterns (3+ incidents with confidence scores)
• YYYY-MM-DD.md - Daily incident logs (human-readable)

Search Incidents

CLI:

# Search by keyword
trie memory search "SQL injection"

# View recent incidents
trie memory recent

# Show statistics
trie memory stats

MCP:

trie_memory action="search" query="SQL injection"
trie_memory action="stats"
trie_memory action="recent" limit=10

Cross-Project Memory (~/.trie/memory/)

Patterns are tracked across all your projects:

# View patterns across projects
trie memory global patterns

# List tracked projects
trie memory global projects

# Search global patterns
trie memory global search "authentication"

How It Works

1. BM25 Search: Uses term frequency, inverse document frequency, and document length normalization for ranking
2. Pattern Detection: After 3+ incidents in same area, pattern is automatically created with confidence score
3. Cross-Project Tracking: Same pattern in multiple projects is tracked globally
4. Confidence Updates: trie ok / trie bad feedback adjusts pattern confidence immediately
5. Trie-Powered Discovery: Hot path detection via tree traversal completes in < 10ms

Memory Structure

.trie/memory/
├── issues.json           # All incidents with metadata
├── patterns.json         # Discovered patterns
├── 2024-01-15.md         # Daily log
└── 2024-01-16.md

~/.trie/memory/
├── global-patterns.json  # Cross-project patterns
└── projects.json         # Tracked project list

Project Info Registry

Store important project-specific information in .trie/PROJECT.md that's automatically available to all AI tools.

Why Project Info?

When you work across multiple tools (Cursor, Claude Code, GitHub Actions, CLI), context gets lost. The Project Info Registry solves this by providing a single source of truth for:

• Project description and purpose
• Technology stack and frameworks
• Architecture decisions and patterns
• Coding conventions and style guidelines
• Environment info (URLs, API endpoints)
• Team ownership and contacts
• Compliance requirements
• Custom instructions for AI assistants

Create PROJECT.md

Using CLI:

trie-agent project init

Using MCP (Cursor/Claude Code):

trie_project action="init"

This creates a template at .trie/PROJECT.md with sections ready to fill in.

View Project Info

CLI:

trie-agent project

MCP:

trie_project action="view"

MCP Resource:

Read trie://project

Update Sections

MCP:

trie_project action="update" section="Technology Stack" content="- **Language:** TypeScript\n- **Framework:** Next.js 14\n- **Database:** PostgreSQL"

How It Works

your-project/
├── .trie/
│   └── PROJECT.md    ← Your project context
├── src/
└── package.json

The PROJECT.md file is:

• Committed to git — context travels with your code
• Available via trie://project — AI tools can read it directly
• Integrated into trie://context — included in overall project context
• Per-project — each project has its own file

Template Sections

| Section | What to Include | |---------|-----------------| | Project Overview | What does this project do? Who is it for? | | Technology Stack | Languages, frameworks, databases, cloud services | | Architecture | Key patterns, system design, important decisions | | Coding Conventions | Style rules, naming conventions, patterns to follow | | Environment | Dev/staging/prod URLs, API endpoints | | Team | Who owns what, contact info | | Compliance | GDPR, SOC2, HIPAA requirements | | AI Instructions | Special instructions for AI assistants |

Example PROJECT.md

## Project Overview

E-commerce platform for sustainable products. 
Focus on fast checkout and mobile-first UX.

## Technology Stack

- **Language:** TypeScript
- **Framework:** Next.js 14 (App Router)
- **Database:** PostgreSQL with Prisma ORM
- **Hosting:** Vercel + Supabase

## Architecture

- Server Components by default, Client Components only when needed
- tRPC for type-safe API calls
- Zustand for client state

## Coding Conventions

- Use `pnpm` for package management
- Prefer named exports over default exports
- Use Tailwind CSS, no inline styles
- Tests required for payment-related code

## AI Instructions

When working on this project:
1. Always use Server Components unless client interactivity is needed
2. Check for accessibility issues (we target WCAG AA)
3. Payment code must be reviewed by security agent before commit

Multi-Project Support

Each project has its own .trie/PROJECT.md:

~/projects/
├── project-a/.trie/PROJECT.md  ← Project A's context
├── project-b/.trie/PROJECT.md  ← Project B's context  
└── project-c/.trie/PROJECT.md  ← Project C's context

When you open Project A in Cursor, it reads Project A's context. Switch to Project B, and it reads Project B's context. No configuration needed.

AI-Enhanced Mode

Trie works in two modes:

| Mode | Description | |------|-------------| | Pattern-Only (default) | Fast regex matching for specific patterns (exposed secrets, async forEach, etc.). Limited coverage. | | AI-Enhanced | Full analysis: pattern detection + AI validation + deeper issue discovery. Recommended. |

Enable AI Mode

For MCP usage (Cursor/Claude Code):

Add the API key to your MCP configuration:

{
  "mcpServers": {
    "Trie": {
      "command": "npx",
      "args": ["@triedotdev/mcp"],
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

For CLI usage (terminal/CI):

Add the API key to your project's .env.local file:

echo 'ANTHROPIC_API_KEY=sk-ant-...' >> .env.local

Then load it before running CLI commands:

set -a; source .env.local; set +a
trie-agent scan

Important: MCP config only applies to the MCP server. CLI commands need the key in your shell environment.

When AI is enabled, you'll see:

• AI-powered analysis enabled in output
• [AI VALIDATED] and [AI FOUND] tags on issues
• Richer fix recommendations

CI/CD Integration

The guardian agent works in CI/CD by reading your project's .trie/ directory—the same memory, patterns, and incident history you've built locally.

GitHub Actions

Add to .github/workflows/trie.yml:

name: Trie Guardian
on: [push, pull_request]

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Need git history for incident context
      
      - name: Guardian Check
        run: |
          npx @triedotdev/mcp check --fail-on=critical

What Happens in CI

1. Reads memory: Loads .trie/memory/ (incidents, patterns)
2. Checks changes: Analyzes files in current commit
3. Risk assessment: Uses incident history + patterns for scoring
4. Plain English: Reports warnings just like locally
5. Fails build: If critical issues detected (configurable)

Full Skill Scan

For deeper analysis (security, privacy, etc.), add a weekly/nightly job:

name: Weekly Guardian Scan
on:
  schedule:
    - cron: '0 2 * * 1'  # Monday 2am

jobs:
  full-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run full scan
        run: |
          npx @triedotdev/mcp scan --skills security,privacy,soc2

Configuration

Scan Options

| Option | Description | Default | |--------|-------------|---------| | parallel | Run agents in parallel | true | | cache | Enable result caching | true | | maxConcurrency | Max parallel agents | 4 | | timeoutMs | Agent timeout in milliseconds | 120000 | | streaming | Stream progress updates | true | | workers | Use worker threads | true |

Example

trie_scan with parallel: true, cache: true, maxConcurrency: 8

License

MIT