lintai v0.1.0

Initial public release of lintai.

Install

Recommended install path:

```bash
curl -fsSL https://github.com/777genius/lintai/releases/latest/download/lintai-installer.sh | sh
"$HOME/.local/bin/lintai" scan .
```

The installer fetches the tagged archive plus SHA256SUMS, verifies the checksum, and installs into a user-level bin directory. After ~/.local/bin is on PATH, use lintai scan . directly.

Optional npm / npx path:

```bash
npx lintai-cli scan .
```

The npm package is a thin wrapper over the same GitHub Release assets. It downloads the matching native archive, verifies SHA256SUMS, caches the binary, and forwards arguments to lintai.

Manual archive extraction remains available as the fallback path.
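
For the manual fallback, the checksum step the installer is described as performing can be done by hand before extracting anything. The script below is an added example, not part of lintai or its installer; the archive name is a placeholder, and the SHA256SUMS layout is assumed to be standard `sha256sum` output with file names that contain no spaces.

```shell
# Added example: verify a downloaded archive against SHA256SUMS before extracting.
sha256_of() {
    # GNU coreutils on Linux, shasum on macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 127
    fi
}

# verify_release_asset ARCHIVE SUMS_FILE
# Status: 0 match, 1 mismatch, 2 missing input or no entry (fail closed).
# The body runs in a subshell so its variables stay local; exit sets the status.
verify_release_asset() (
    archive=$1; sums=$2
    [ -f "$archive" ] && [ -f "$sums" ] || { echo "missing input file" >&2; exit 2; }
    name=$(basename "$archive")
    # Assumed line format: "<hex digest>  <name>" or "<hex digest> *<name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name; refusing to continue" >&2
        exit 2
    fi
    actual=$(sha256_of "$archive") || exit 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        exit 1
    fi
    echo "OK: $name"
)

# Constructed demo: a throwaway file stands in for the release archive.
demo=$(mktemp -d)
printf 'constructed archive bytes\n' > "$demo/lintai-example.tar.gz"
printf '%s  lintai-example.tar.gz\n' \
    "$(sha256_of "$demo/lintai-example.tar.gz")" > "$demo/SHA256SUMS"
verify_release_asset "$demo/lintai-example.tar.gz" "$demo/SHA256SUMS"
rm -rf "$demo"
```

A checksum file fetched from the same release as the archive detects corruption and mismatched assets; it does not by itself prove who published them.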

What It Is

lintai is an offline-first, precision-first security scanner for repository-local AI agent artifacts: skills, MCP configs, Cursor rules, and Cursor Plugin surfaces.

Who Should Try It

  • teams running security checks in CI on repository-local agent artifacts
  • maintainers who want deterministic findings, stable rule ids, and SARIF output
  • early users who prefer narrow high-signal coverage over broad noisy heuristics

What Is Stable In This Beta

  • current v0.1 supported surfaces
  • current CLI contract
  • JSON schema_version = 1
  • SARIF fingerprinting based on stable_key
  • Stable rules as the release-quality baseline

What Remains Intentionally Narrow

  • no broad multi-platform or registry scanning story
  • no Homebrew or cargo install CLI distribution promise in this release
  • npm is intentionally a thin wrapper; the native binaries still resolve to GitHub Release assets with checksum validation
  • no claim of 1.0 ecosystem breadth
  • no broad heuristic expansion beyond the current precision-first rule set

External Validation Summary

For the current checked-in cohort metrics, see ../EXTERNAL_VALIDATION_REPORT.md.

Wave 2 external validation on 24 pinned public repositories produced:

  • 0 stable findings
  • 0 preview findings
  • 0 runtime parser errors
  • 2 recoverable diagnostics

The Phase 1 follow-up issues improved in wave 2:

  • Datadog SEC105 preview noise disappeared
  • cursor/plugins invalid frontmatter moved from runtime error to recoverable diagnostic
  • Emmraan/agent-skills invalid frontmatter moved from runtime error to recoverable diagnostic

Canonical current evidence lives in ../EXTERNAL_VALIDATION_REPORT.md.