
codejaguar-cli

v0.1.1

Local-first AI Code Review and DevSecOps CLI

🐆 CodeJaguar

Local-first AI Code Review & DevSecOps CLI

Local-first · BYOK · No SaaS · No Cloud · No Database · No Telemetry

CodeJaguar is a production-grade AI code reviewer and security auditor that runs entirely on your machine. Bring your own API key for any AI provider — there is no hosted backend, no account, and no telemetry. It acts as a personal senior engineer and security auditor embedded directly in your git workflow.


Table of Contents

  1. What is CodeJaguar
  2. Installation
  3. Quick Start
  4. Commands
  5. Provider Setup
  6. Repository Memory
  7. Project Rules
  8. Consensus Mode
  9. Git Protection
  10. How It Works
  11. FAQ
  12. License

What is CodeJaguar

CodeJaguar reviews your code, scans for security issues, analyzes your architecture, and writes pull-request summaries — all powered by the AI provider of your choice (OpenAI, Anthropic, Gemini, DeepSeek, or any OpenAI-compatible endpoint). Your code never leaves your machine except to go directly to the AI provider you configured.

| Principle   | What it means                                              |
|-------------|------------------------------------------------------------|
| Local-first | All processing happens on your machine                     |
| BYOK        | You supply your own provider API keys                      |
| No SaaS     | No hosted backend; the only outbound calls go to your AI provider |
| No database | File-based state only (memory.json, rules.md)              |
| No accounts | No login, no billing, no telemetry                         |


Installation

npm install -g codejaguar-cli
# or
bun install -g codejaguar-cli

This installs the jaguar command globally.

Requirements:

  • Node.js ≥ 18 (or Bun ≥ 1.0)
  • Python ≥ 3.10 — the local backend runs on FastAPI. On first run, CodeJaguar starts the backend automatically on 127.0.0.1 (loopback only).
  • git available on your PATH

See docs/getting-started.md for a step-by-step setup walkthrough.


Quick Start

Three commands to your first review:

# 1. Store a provider key (input is hidden, never echoed or logged)
jaguar key add openai

# 2. Make some code changes, then review them
jaguar review

# 3. Open the generated report
cat review.md

That's it. Reviews, security scans, architecture analysis, and PR summaries are written to Markdown files in your project root — not dumped to the terminal — so you can read, commit, or share them.


Commands

| Command             | Description                                        | Output file         |
|---------------------|----------------------------------------------------|---------------------|
| jaguar key          | Manage provider API keys (BYOK)                    | —                   |
| jaguar review       | Review code changes for bugs, smells, performance  | review.md           |
| jaguar security     | Scan source, deps, Docker, Actions, secrets        | security-*.md       |
| jaguar architecture | Analyze repository structure                       | architecture.md     |
| jaguar summary      | Generate a GitHub-ready PR summary                 | pr-summary.md       |
| jaguar memory       | Manage repository memory                           | .jaguar/memory.json |
| jaguar rules        | Manage project rules                               | .jaguar/rules.md    |
| jaguar protect      | Install a pre-commit secret-scanning hook          | —                   |

A full reference with every flag lives in docs/commands.md.

Common examples

jaguar review --provider anthropic            # Use a specific provider
jaguar review --model gpt-4o                  # Pick a model
jaguar review --file src/auth.ts              # Review a single file
jaguar review --consensus                     # Agree across multiple providers

jaguar security                               # Full security scan
jaguar security --only secrets                # Secrets only
jaguar security --only deps --provider openai # Dependencies only

jaguar architecture --depth 5                 # Deeper directory analysis
jaguar summary --base develop --copy          # PR summary vs develop + clipboard

Provider Setup

CodeJaguar works with any AI provider. Built-in providers need only a key; OpenAI-compatible providers also take a base URL.

jaguar key add openai        # built-in
jaguar key add anthropic     # built-in
jaguar key add gemini        # built-in
jaguar key add deepseek      # built-in
jaguar key add groq          # generic — prompts for a base URL

jaguar key list              # show configured providers (names only)
jaguar key test openai       # verify the key works
jaguar key remove openai     # delete a key

Keys are stored in your OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) — never in a file, never in terminal output, never logged.

See docs/providers.md for the full provider guide, including Ollama, Together AI, Groq, Mistral, and other OpenAI-compatible endpoints.


Repository Memory

Make every review context-aware by describing your codebase once in .jaguar/memory.json. CodeJaguar injects it into every AI prompt.

jaguar memory init                       # create a template
jaguar memory set framework FastAPI      # set a field
jaguar memory set patterns "Repository Pattern,Dependency Injection"
jaguar memory show

Details in docs/advanced.md.


Project Rules

Enforce project-specific engineering rules by listing them in .jaguar/rules.md. They are appended to the system prompt of every AI call.

jaguar rules init    # create a template
jaguar rules edit    # open in $EDITOR
jaguar rules show

Details in docs/advanced.md.


Consensus Mode

Reduce false positives by running a review across multiple configured providers and keeping only the findings they agree on.

jaguar review --consensus

Requires at least two providers configured. With only one, it falls back to a single-provider review and warns you. Output is written to review-consensus.md. Details in docs/advanced.md.


Git Protection

Install a pre-commit hook that scans staged files for secrets and blocks commits that would leak credentials.

jaguar protect            # install the hook
jaguar protect --status   # check whether it's installed
jaguar protect --remove   # uninstall

The scan is local, fast, and AI-free. Bypass in an emergency with git commit --no-verify. Details in docs/advanced.md.
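The README does not publish the hook's detection rules, so the following is an added illustration (not CodeJaguar's own scanner) of what an AI-free scan of staged changes can look like: it walks `git diff --cached` output, inspects only added lines, tracks file and line numbers from the hunk headers, and applies a Shannon-entropy floor to the generic "key = value" rule so placeholders do not trip it. The rule names, patterns and sample diff are constructed for this example; the AKIA value is the AWS documentation example key.

```python
import math
import re

# Rules: (name, regex with the candidate secret in group 1, minimum Shannon entropy of that group).
# The entropy floor keeps placeholders such as "changeme" from firing the generic rule.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("generic-assigned-secret",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
     3.0),
]

def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_staged_diff(diff: str) -> list[tuple[str, int, str]]:
    """Walk a unified diff (git diff --cached) and report (path, line, rule) for added lines only."""
    findings, path, new_line = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # file the following hunks belong to
        elif raw.startswith("@@"):
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and not raw.startswith("+++"):
            for name, rx, floor in RULES:
                m = rx.search(raw[1:])
                if m and shannon_entropy(m.group(1)) >= floor:
                    findings.append((path, new_line, name))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # unchanged context line; removed ("-") lines do not advance
    return findings

# Constructed sample of `git diff --cached`; the AKIA value is the AWS documentation example key.
STAGED_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "sk-constructed-Zq8vL2mN9xR4tYw7"
+password = "hunter2hunter2hunter2"
 DEBUG = False
"""

if __name__ == "__main__":
    for path, line, rule in scan_staged_diff(STAGED_DIFF):
        print(f"{path}:{line}: {rule}")  # a real hook would exit non-zero here to block the commit
```

The low-entropy `password = "hunter2..."` line is deliberately not reported, which is the trade-off such a floor makes: fewer false positives at the cost of missing weak, repetitive secrets.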


How It Works

User Terminal
     │
     ▼
TypeScript CLI (Commander.js)  ── gathers git context, reads key from keychain
     │  HTTP POST to 127.0.0.1
     ▼
FastAPI Backend (localhost only)  ── injects memory + rules, enforces token budget
     │
     ▼
Provider Abstraction Layer  ──►  OpenAI · Anthropic · Gemini · DeepSeek · Generic

  1. You run a command.
  2. The CLI gathers context (git diff, file tree, lock files, etc.).
  3. The CLI reads your API key from the OS keychain.
  4. The CLI sends a structured request to the local FastAPI backend.
  5. The backend injects memory + rules, enforces the token budget, and calls your AI provider.
  6. The response is parsed and written to a Markdown report.

The backend binds only to 127.0.0.1 and is started automatically on first use.


FAQ

Does my code get sent anywhere? Only to the AI provider whose key you configured, and only the relevant context (diffs, changed files). There is no CodeJaguar server.

Where are my API keys stored? In your operating system's native keychain — never in a project file, log, or terminal output.

Which providers are supported? OpenAI, Anthropic, Gemini, and DeepSeek out of the box, plus any OpenAI-compatible endpoint (Ollama, Groq, Together AI, Mistral, LM Studio, vLLM, etc.) via a custom base URL.

Why is there a Python backend? The provider abstraction, security scanners, and prompt assembly run in Python. It runs locally on loopback only and is started automatically.

How are oversized prompts handled? The backend enforces a per-provider token budget and safely truncates input that would exceed the model's context window.
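The README does not describe how the budget is enforced, so here is an added example (not the project's code) of one safe strategy: estimate tokens per file chunk, keep whole chunks in diff order while they fit, never cut inside a hunk, and append an explicit marker naming what was omitted so the reviewer model is never silently shown a partial change set. The 4-characters-per-token estimate, the budget value and the sample diff are assumptions made for this example.

```python
import re

def estimate_tokens(text: str) -> int:
    """Rough provider-agnostic estimate (assumption: ~4 characters per token), rounded up."""
    return -(-len(text) // 4)

def split_per_file(diff: str) -> list[str]:
    """Split a unified diff into one chunk per file, each starting at its 'diff --git' line."""
    return [p for p in re.split(r"(?m)^(?=diff --git )", diff) if p.strip()]

def fit_to_budget(diff: str, budget_tokens: int) -> tuple[str, list[str]]:
    """Keep whole per-file chunks, in diff order, while they fit the budget.
    Returns the trimmed diff plus the paths left out; those paths are also named in a
    trailing marker so the model knows the change set is incomplete."""
    kept, dropped, used = [], [], 0
    for chunk in split_per_file(diff):
        cost = estimate_tokens(chunk)
        if used + cost <= budget_tokens:
            kept.append(chunk)
            used += cost
        else:
            dropped.append(chunk.splitlines()[0].split(" b/", 1)[1])  # path after "b/"
    if dropped:
        kept.append(f"[truncated to token budget: {len(dropped)} file(s) omitted: {', '.join(dropped)}]\n")
    return "".join(kept), dropped

# Constructed sample diff: two one-line changes surrounding one oversized file.
SAMPLE_DIFF = (
    "diff --git a/a.py b/a.py\n--- a/a.py\n+++ b/a.py\n@@ -1 +1 @@\n-x = 1\n+x = 2\n"
    + "diff --git a/big.py b/big.py\n--- a/big.py\n+++ b/big.py\n@@ -1 +1,40 @@\n"
    + "+pad = 'x' * 9\n" * 40
    + "diff --git a/c.py b/c.py\n--- a/c.py\n+++ b/c.py\n@@ -1 +1 @@\n-y = 1\n+y = 2\n"
)

if __name__ == "__main__":
    text, omitted = fit_to_budget(SAMPLE_DIFF, budget_tokens=50)
    print(text)
    print("omitted:", omitted)
```

Note that a large file can be the one carrying the risky change, so the omitted-file marker should itself be surfaced in the report rather than only passed to the model.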


License

MIT