lintai Documentation

Rule Guide

Browse rules and presets with less guesswork.

Start with the quiet `recommended` default, then opt into `preview` or explicit sidecar lanes like `threat-review`, `compat`, `governance`, and `supply-chain` only when you want broader review.

  • Rule Reference - browse every shipped rule with a short name, summary, severity, and scope.
  • Preset Reference - see which rules each preset enables and how overlay presets change behavior.

Start Here

If you only look at a few rules first, start with these:

  • SEC340 for Claude hooks that launch external packages dynamically at runtime.
  • SEC329 for committed mcp.json entries that launch external packages dynamically at runtime.
  • SEC352 for unscoped Bash grants in AI-native frontmatter. Treat this as a strong governance least-privilege sidecar control, not as part of the quiet default story.
  • SEC324 for unpinned third-party GitHub Actions in committed CI. Treat this as a strong sidecar supply-chain control, not as the main quiet-default story.

What You Will Find

  • Short, readable rule names for faster scanning in the catalog and sidebar.
  • Clear rule pages with summary, severity, lifecycle, and preset membership.
  • Preset pages that show the rules they enable and what they are meant for.

How To Read Lanes

  • recommended - quiet practical default findings most teams should start with
  • preview - broader contextual review outside the quiet default
  • threat-review - explicit malicious, secret-bearing, or spyware-like review
  • supply-chain - reproducibility, provenance, and dependency hardening review
  • compat - config, schema, and policy contract review
  • governance - shared authority and workflow policy review
  • guidance - advice-oriented guidance and maintainability review
  • advisory - installed-package advisory review

How To Read Categories

  • security - strong exploit, secret, or unsafe-execution signal
  • hardening - least-privilege, provenance, or operational hygiene signal
  • quality - contract, schema, or config correctness signal
  • audit - heuristic or triage-oriented review signal

Project References

Most readers can stop at the rule and preset reference. If you need release or project-level detail, the main supporting docs are:

The v0.1.0 public release ships through GitHub Release assets plus the `lintai-cli` npm wrapper. The quick install paths are `curl` to the GitHub Release installer asset or `npx lintai-cli scan .`; both resolve to the release binaries.