lintai v0.1.0-beta.1

First public beta release of lintai.

Install

Recommended install path in this beta:

• download lintai-installer.sh or lintai-installer.ps1 from this GitHub Release
• run the script locally
• let it fetch the tagged archive plus SHA256SUMS, verify the checksum, and install into a user-level bin directory

Manual archive extraction remains available as the fallback path.

What It Is

lintai is an offline-first, precision-first security scanner for repository-local AI agent artifacts: skills, MCP configs, Cursor rules, and Cursor Plugin surfaces.

Who Should Try It

• teams running security checks in CI on repository-local agent artifacts
• maintainers who want deterministic findings, stable rule ids, and SARIF output
• early adopters who prefer narrow high-signal coverage over broad noisy heuristics

What Is Stable In This Beta

• current v0.1 supported surfaces
• current CLI contract
• JSON schema_version = 1
• SARIF fingerprinting based on stable_key
• Stable rules as the release-quality baseline

What Remains Intentionally Narrow

• no broad multi-platform or registry scanning story
• no Homebrew, npm, or cargo install CLI distribution promise in this beta
• no curl | sh install contract; install scripts are downloaded first and then run locally
• no claim of 1.0 ecosystem breadth
• no broad heuristic expansion beyond the current precision-first rule set

External Validation Summary

Wave 2 external validation on 24 pinned public repositories produced:

• 0 stable findings
• 0 preview findings
• 0 runtime parser errors
• 2 recoverable diagnostics

The Phase 1 follow-up issues improved in wave 2:

• Datadog SEC105 preview noise disappeared
• cursor/plugins invalid frontmatter moved from runtime error to recoverable diagnostic
• Emmraan/agent-skills invalid frontmatter moved from runtime error to recoverable diagnostic

Canonical evidence lives in ../EXTERNAL_VALIDATION_REPORT.md.